Differences

This shows you the differences between two versions of the page.

--- nndocs:initial [2021/02/26 15:36] – update to-do list naptastic
+++ nndocs:initial [2024/12/05 18:16] (current) – stub out thing naptastic
@@ Line 1: / Line 1: @@
-===== Standard Debian Setup at narf.rocks =====
+===== Naptastic Network Playbook =====
+====Partition drives====
+Partitioning: The most recent rebuild was shark, for which I took Debian's default EFI setup for the 2TB OS drive. I only changed / to BTRFS instead of ext4. Debian installs itself to a subvolume named @root and makes that subvolume the default, so it's ready for snapshotting backups.
-**We want to get to get this completely automated**. The main tool for this will be Preseed files, of which there will be several. "Nuke And Repave" will become a single menu item.
+Add /mnt/snapshots in fstab.
-== Items About Which Nap Gives No Hecks ==
+====Move ~ to a BTRFS subvolume====
+Separate snapshotting the OS from snapshotting your files.
-These are technologies in which I expect never to have interest. Nothing's stopping you though. :-)
+====SSH key for root====
+  mkdir /root/.ssh
+  chmod 700 /root/.ssh
+  curl https://keys.naptastic.com/david/naptastic.pub >> /root/.ssh/authorized_keys
-  * Desktop environments other than MATE
+====Reconfigure SSH====
-  * Distributions other than my favorite at the time, which will probably be Debian until I make my own.
+Configure ssh for a high-numbered port, and not to allow password-based logins. Restart sshd. Verify that 'ssh root@localhost' fails. (You didn't forward your agent, did you?).
-  * OpenStack. Just no. (But I can keep a host aggregate here if it's not too onerous.)
-  * PCI passthrough for "Whole-host virtual machines" and/or multi-seat workstations. (I've sunk enough hours into it; my time needs to go elsewhere now.)
-  * (Nap: Add to this list.)
-== Nap's To-do ==
+====Backups====
+Create /mnt/snapshots. Create an entry in /etc/fstab the same as for / but with "subvol=/":
-I need to put a hard cap on this, and start paring things down. Use the resources I have to make disaster recovery and rapid (re)deployment as easy as possible, and then **get the fuck out of this hobby** because it **SUCKS** and I have dozens of other things I'd rather be doing with my limited time!
+  # / was on /dev/nvme0n1p2 during installation
+  UUID=some-long-string /               btrfs   noatime,nodiratime,subvol=@rootfs 0       0
+  UUID=some-long-string /mnt/snapshots  btrfs   noatime,nodiratime,subvol=/ 0       0
-  * email (:sob:)
+====Install Shorewall====
-    * Break it up into smaller tasks.
+  * customize interfaces, rules, policy...?
-      - receive mail ✓
+  * /etc/default/shorewall
-        - migrate mail ✓
+  * /etc/shorewall/shorewall.conf
-      - SpamAssassin ✓
+  * systemctl enable
-      - dovecot for IMAP ✓
+  * reboot a bunch of times because it's not passing traffic for no reason
-      - configure mail.naptastic.com to send via smarthost @ Digital Ocean
-      - configure DO droplet as a relay
-      - mailman
-        - migrate lists
-      - webmail (preferably something that doesn't suck on mobile, if that exists)
-      - mailman
-  * Failover and fallback! Shorewall should make it pretty easy.
-  * Second nameserver
-  * Update a preseed file (or a script) every time you have to install. Update the /etc repo
-  * s/quirk/@providers/;
-  * fix the PXE environment if that's in any way possible
-  * Make the PHP-based sites easier to replicate
-  * Headless audio
-== Horsey's To-do ==
+====Pick the best mirror====
+If the repo is installed or mounted locally:
+  deb file:///mnt/debian bookworm main contrib non-free non-free-firmware
+  deb-src file:///mnt/debian bookworm main contrib non-free
-  * System monitoring
+If you have to get it via HTTP:
+  deb http://mirror.narf.rocks/debian/ bookworm main contrib non-free non-free-firmware
+  deb-src http://mirror.narf.rocks/debian/ bookworm main contrib non-free non-free-firmware
-== Later or Never ==
+If you have to use public mirrors (RIP):
+  deb http://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
+  deb-src http://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
-  * CUDA (Once GPU math makes sense)
+====Remove crap====
+  apt -y remove update-notifier pulseaudio-module-bluetooth bluez blueman bluez-cups bluez-obexd modemmanager rtkit
-===== Getting Started =====
+====Install extra packages====
+(This is set up so you can triple-click each block you need, copy/paste or middle-paste into your terminal, then press enter at the end and install everything in one transaction.)
-Perform a network install of Debian.
+  apt -y install curl vim whois
-run the naptastic installer if it didn't run as part of the installer:
+Hardware hosts add:
+   smartmontools mdadm qemu-kvm gparted
-  curl https://naptastic.com/initial.sh | /bin/bash
+Desktops:
+   hexchat synaptic terminator fonts-lohit-knda fonts-knda keepassx evolution virt-manager network-manager-gnome
-  # This is not necessary unless the installer failed to do it.
+Audio workstations:
-  mkdir /root/.ssh
+   qjackctl alsa-tools-gui eq10q jalv jamin lilv-utils
-  chmod 700 /root/.ssh
-  curl https://keys.naptastic.com/david/naptastic.pub >> /root/.ssh/authorized_keys
-Configure ssh for a high-numbered port, and not to allow password-based logins. Restart sshd. Verify that 'ssh root@localhost' fails. (You didn't forward your agent, did you?).
+If you plan to compile your own kernel:
+   bison flex libssl-dev ncurses-dev libelf-dev
-== Check out /etc ==
+====Networking====
+===Device Names===
+  ln -s /dev/null /etc/systemd/network/99-default.link
-(You forwarded your agent, right?)
+Here is what a link file looks like for an Ethernet device:
+  $ cat /etc/systemd/network/20-igb0.link
+  #
+  # Remember to `update-initramfs -u` after changing this file!
+  #
+  [Match]
+  MACAddress=b4:2e:99:38:a9:66
+  [Link]
+  Name=emo0
+  MTUBytes=9000
-    git clone git@github.com:naptastic/etc
+  * emoX for ports on the motherboard
-    cp -a etc/* /etc/ # does this actually copy .git? Check to make sure, alright?
+  * enX for (multi-)gigabit stand-up cards
-    cd /etc
+  * ibX for InfiniBand IPoIB devices (these do not need .link files though)
-    git status
+  * mlxX for Mellanox devices in Ethernet mode
-and see where you stand.
+===Port Conventions===
+X is 0-indexed. Port 0 on a stand-up card is the farthest from the motherboard. On a motherboard, it's the left-most port if there's more than one port. I configure ConnectX-3 cards to be InfiniBand on port 0 and Ethernet on port 1, so a system ends up with interfaces named ib0 and mlx1.
-Remember: We play with live ammo. Don't `git rm` something unless you're on a host-specific branch.
+===InfiniBand===
+  * [[infiniband]]
+  * mst* installer
+  * copy production opensm configuration in case you have take over as SM
+  * (what needs to change here for VMs using virtual functions?)
-== Networking ==
+Comment out svcrdma in /etc/rdma/modules/rdma.conf or nfs-kernel-server won't start. I'm not sure what's **actually** needed to make NFS/RDMA work.
-  ln -s /dev/null /etc/systemd/network/99-default.link # the installer does this
+===Ethernet configuration===
+Is a total mess right now. I don't know what I'm doing or how I want to do it.
-check /etc/network/interfaces because the device name is probably wrong there. TODO Fix that on fresh installs kthx
+====Hugepages====
+Useful for databases, PHP, Factorio, and probably other things! Add something like this to /etc/sysctl.conf:
-The answer, somehow, is Netplan; I just don't like that answer much. The answer should be to //remove// layers of complexity, not add them. Just name my devices eth0 and eth1, dammit, or give me control over the naming.
+  vm.nr_hugepages=512
-Some of my systems are using ifupdown, and some I'm not sure how they work, and some don't work right. Linux networking is fucking terrible.
+To make a non-persistent change,
-== Disable TTY screen blanking (Only necessary on Debian Jessie and older) ==
-Add this to ''/etc/rc.local'' above the ''exit 0'' line:
+  sysctl -w vm.nr_hugepages=512
-  sh -c 'setterm -blank 0 -powersave off -powerdown 0 < /dev/console > /dev/console 2>&1'
+Make sure your locked memory limit is equal to or greater than the amount of RAM you're reserving for hugepages.
-===== Options =====
+====Shell profile====
+  * Profile stuff: Bash, Vim, ? Can I automate this? (Of course I can.)
-maybe you feel like it, maybe you don't. idk. **This will be replaced with customized preseed files**.
+====Logging====
+  * disable journald; configure logging for everything.
+  * Make a list of things that need to log
-== For all systems ==
+====Email====
+lol, not yet
-  apt -y remove update-notifier pulseaudio-module-bluetooth bluez blueman bluez-cups bluez-obexd modemmanager rtkit
+====Disable TTY screen blanking====
+I don't know when this is necessary anymore. Add this to ''/etc/rc.local'' above the ''exit 0'' line:
-== For hardware boxes ==
+  sh -c 'setterm -blank 0 -powersave off -powerdown 0 < /dev/console > /dev/console 2>&1'
-  apt -y install smartmontools qemu-kvm gparted
+====Audio workstations====
-== If you are using a graphical desktop environment ==
-(this needs an update: not sure about fonts packages. Also some network-manager-*-gnome packages might be useful depending on what kind of networking you're doing.)
-  apt -y install hexchat synaptic terminator fonts-lohit-knda fonts-knda keepassx evolution virt-manager network-manager-gnome
-== If you plan to do audio work ==
-  apt -y install qjackctl alsa-tools-gui eq10q jalv jamin lilv-utils
   cat >> /etc/pulse/daemon.conf
   default-sample-format = s24le
@@ Line 115: / Line 130: @@
   ^D
-== If you plan to compile your own kernel ==
+More on [[lad]].
-  apt -y install bison flex libssl-dev ncurses-dev