Overview

Basic data

Hostname

gs1.fluid.tuwien.ac.at

Model

Supermicro X10SRW-F

Purpose

graphics server

Operating system

debian

Management interface

http://mgs1.fluid.tuwien.ac.at

Authentication options

TU password

Hardware

CPU

Intel(R) Xeon(R) CPU E5-1620 v3 @ 3.50GHz (4 cores); Socket: FCLGA2011-3

RAM

32 GiB; up to 256 GB DDR4-2400MHz

Storage

500 GB (/) Samsung SSD 850 EVO 500GB

2 x 2 TB (/home) btrfs-raid1

Graphics card

GeForce GTX 960

Battery type

CR2032

User's manuals for motherboard/BIOS and BMC/IPMI.

Configuration

All customized configuration files are marked by owner or group oswat,
# List every file below /etc whose owner or group is the oswat marker.
find /etc \( -user oswat -o -group oswat \)

BIOS

press DEL to enter BIOS, F11 for boot menu

Admins

Installation of the base system

Debian bookworm (12.0) was installed on the 500 GB SSD: one partition (≈100 MB) for EFI (/boot/efi) and the remainder of the disk for root (/), with an ext4 filesystem. The file systems were labelled root_fs and home_fs.
In the Debian installer, ssh-server was chosen and no localizations were selected, only C and C.utf8.
Install grub2 as bootloader; The kernel efi-stub needs a commandline (root=/dev/sda2 initrd=\EFI\debian\initrd.img), no way to set that from the BIOS.
Had to create an administrative user: oswat, the home directory is /opt/oswat!

Partitioning

/dev/sda

500 GB

/dev/sda1

94 MB

/boot/efi

vfat

/dev/sda2

500 GB

/

ext4

/dev/sdb+c

2 TB

/home

btrfs-raid1

Network

# Write the short host name to /etc/hostname.
printf '%s\n' gs1 >/etc/hostname

Note: the resolver (Domains=) and the NTP servers are set per interface, see below. This keeps the configuration in one file.

# Write the static network profile for the interface selected by MAC address.
# The here-document delimiter is quoted so the shell copies the body verbatim.
cat >/etc/systemd/network/10-gs1.network <<'EOF'
[Match]
MACAddress=0c:c4:7a:69:5a:20

[Network]
Description=Static ethernet connection
Address=128.130.169.110/25
Gateway=128.130.169.1
DNS=128.130.4.3
DNS=128.131.4.3
Domains=fluid.tuwien.ac.at
#NTP=tutimeb.tuwien.ac.at tutimec.tuwien.ac.at tutimea.tuwien.ac.at
NTP=128.130.3.131 128.131.2.3 128.130.2.3
EOF

Remove legacy ifupdown, use ntp.

# Install the systemd resolver and time synchronisation daemons.
apt install systemd-resolved systemd-timesyncd
# NOTE(review): files in /etc/systemd/network are read by systemd-networkd;
# confirm that service is enabled before ifupdown is purged, otherwise the
# host may come up without a network connection after the next reboot.
apt purge ifupdown

File systems

# btrfs tools plus zstd, which the compress=zstd mount option for /home relies on
apt install btrfs-progs zstd
# create a btrfs-raid1 for data (-d) and metadata (-m) from /dev/sdb and /dev/sdc
# -f overwrites any filesystem already present on the two devices, so check
# the device names (e.g. with lsblk) before running this: sdX names can change
# between boots.
mkfs.btrfs -f -L home_fs -d raid1 -m raid1 /dev/sdb /dev/sdc

# Append the label/UUID based mount entries to /etc/fstab.
# umask=0077 leaves the files on the EFI system partition accessible to root only.
# NOTE(review): the entries are appended (>>); presumably the lines written by
# the installer for / and /boot/efi are removed by hand - confirm, otherwise
# both mounts are listed twice.
cat >>/etc/fstab <<'EOF'
# / was on /dev/sda2 during installation
LABEL=root_fs   /               ext4    noatime,errors=remount-ro 0       1
# /boot/efi was on /dev/sda1 during installation
UUID=5AA6-2350  /boot/efi       vfat    umask=0077                0       1
LABEL=home_fs   /home           btrfs   compress=zstd             0       2
EOF

Installation sources

# Replace /etc/apt/sources.list: the TU Wien mirror first, deb.debian.org as
# fallback, plus the security and bookworm-updates suites.
# All entries use plain http; package integrity then rests on apt's
# verification of the signed Release files, so that check must stay enabled.
cat >/etc/apt/sources.list <<'EOF'
# Most preferred sources are listed first, see man sources.list(5)

deb http://gd.tuwien.ac.at/opsys/linux/debian bookworm main contrib
deb-src http://gd.tuwien.ac.at/opsys/linux/debian bookworm main contrib

# The fallback solution, if gd.tuwien does not work
deb http://deb.debian.org/debian bookworm main contrib
deb-src http://deb.debian.org/debian bookworm main contrib

deb http://security.debian.org/debian-security bookworm-security main contrib
deb-src http://security.debian.org/debian-security bookworm-security main contrib

# bookworm-updates, to get updates before a point release is made;
# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
deb http://gd.tuwien.ac.at/opsys/linux/debian/ bookworm-updates main contrib
deb-src http://gd.tuwien.ac.at/opsys/linux/debian/ bookworm-updates main contrib
deb http://deb.debian.org/debian/ bookworm-updates main contrib
deb-src http://deb.debian.org/debian/ bookworm-updates main contrib
EOF

Do not install, by default, recommended packages.

# Drop-in that stops apt from pulling in recommended packages by default.
printf '%s\n' 'APT::Install-Recommends "false";' >/etc/apt/apt.conf.d/90recommended_false

User access

sshd customization

Do not forward the client's locale, since there is only C/POSIX on gs1. Also, there is no sudo, allow root to login.

# Drop-in that lets root log in over SSH (there is no sudo on this host).
# NOTE(review): "yes" also permits password authentication for root, so the
# root password becomes the only barrier on a network-reachable account.
# "prohibit-password" keeps root login available with SSH keys only; if
# password login is really required, consider limiting it to the management
# network with a "Match Address" block. Validate the result with `sshd -t`
# before reloading the service.
echo "PermitRootLogin yes" >/etc/ssh/sshd_config.d/permitrootlogin.conf

# Comment out AcceptEnv in the main sshd_config so that the client's
# LANG/LC_* variables are no longer accepted by the server.
apt install patch
# NOTE(review): patch picks the file to change from the diff headers below;
# naming it explicitly (patch /etc/ssh/sshd_config) would remove any ambiguity
# between sshd_config.orig and sshd_config - confirm which file is modified.
# Run `sshd -t` afterwards to check the configuration before reloading sshd.
patch <<EOF
--- /etc/ssh/sshd_config.orig   2023-04-12 16:19:45.904116844 +0200
+++ /etc/ssh/sshd_config        2023-03-29 10:20:37.697903087 +0200
@@ -109,7 +109,7 @@
 #Banner none

 # Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
+#AcceptEnv LANG LC_*

 # override default of no subsystems
 Subsystem      sftp    /usr/lib/openssh/sftp-server
EOF

Allow all members of E322 to log in

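# see https://arthurdejong.org/nss-pam-ldapd/
apt install libnss-ldapd libpam-ldapd nscd

# here is the entire /etc/nslcd.conf file
# some options in the first 20 lines might be set at installation time
#
# The here-document delimiter is quoted on purpose: with an unquoted EOF the
# shell expands ${sAMAccountName} to an empty string, so every user would get
# the home directory "/home/", and a bind password containing $ or backticks
# would be altered or executed as a command.
#
# tls_reqcert is set to "demand": with "never" the LDAP server's certificate is
# not checked, so anyone able to intercept the connection could read the bind
# password and the passwords users type at login. The CA that issued the
# server certificate has to be present in tls_cacertfile.
cat >/etc/nslcd.conf <<'EOF'
#
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldaps://dc.intern.tuwien.ac.at

# The search base that will be used for all queries.
base ou=tu,dc=intern,dc=tuwien,dc=ac,dc=at

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
binddn cn=E322_LDAP,ou=interactive,ou=exchange,ou=IT-services,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
bindpw **<confidential>**

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off
# Verify the server certificate; "never" would accept any certificate.
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# The search scope.
#scope sub

# Here ends the shipped configuration file, customisation starts ...

base    passwd  ou=people,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
base    shadow  ou=people,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
base    group   ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at

# Mappings
filter  passwd  (memberOf:1.2.840.113556.1.4.1941:=cn=E322_ALL,ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at)
map     passwd  uid             sAMAccountName
map     passwd  uidNumber       employeeID
map     passwd  gecos           cn
map     passwd  homeDirectory   "/home/${sAMAccountName}"
map     passwd  loginShell      "/bin/bash"
map     passwd  gidNumber       "2153"


filter  shadow  (memberOf:1.2.840.113556.1.4.1941:=cn=E322_ALL,ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at)
map     shadow  uid             sAMAccountName

filter  group   (cn=E322*)
map     group   userPassword    ""
map     group   gidNumber       objectSid:S-1-5-21-527783839-1561677997-9029855232
EOF
# The file holds the bind password: keep it unreadable for ordinary users.
chmod 640 /etc/nslcd.conf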

Do not forget to make sure that users get a home directory:

# Enable the PAM mkhomedir profile so that LDAP users get a home directory.
# NOTE(review): pam-auth-update(8) documents `--enable <profile>` for
# non-interactive use; confirm that this positional form enables the profile.
pam-auth-update mkhomedir
# Installation of libpam-ldapd most probably runs
# pam-auth-update ldap

Enable hibernation

Create a swap file (not a swap partition), enable swap and modify the kernel command line to search for a RAM image.
Use filefrag to get the offset of the swap file.
It is not necessary to modify /etc/initramfs-tools/conf.d/resume.

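# Create the swap file with mode 600 before it is filled: the hibernation
# image is a copy of RAM and must never be readable by other users.
touch /swap
chmod 600 /swap
# 32768 MiB, matching the 32 GiB of RAM in this machine.
dd if=/dev/zero of=/swap bs=1M count=32768
# Write the swap signature and activate the file; without mkswap the fstab
# entry below cannot be enabled.
mkswap /swap
swapon /swap
filefrag -v /swap | head
# Use the number in the first row, first column of the "physical offset:" columns.
# This number has two dots appended (here: 202752..).
# NOTE(review): root_partition has to be the GPT partition name of the root
# partition (the filesystem label used elsewhere is root_fs) - confirm.
echo GRUB_CMDLINE_LINUX_DEFAULT=\"resume=PARTLABEL=root_partition resume_offset=202752\" \
    >/etc/default/grub.d/resume.cfg
echo "/swap    swap    swap    defaults    0    0"  >>/etc/fstab
# Regenerate grub.cfg so that the resume parameters reach the kernel command line.
update-grub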

Mark customized files

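# Mark the customized files so that
#   find /etc -user oswat -o -group oswat
# lists them. The paths are relative to /etc; the sshd files live in ssh/.
cd /etc
chgrp oswat hostname fstab apt/sources.list apt/apt.conf.d/90recommended_false \
    systemd/network/10-gs1.network ssh/sshd_config ssh/sshd_config.d/permitrootlogin.conf \
    default/grub.d/resume.cfg
# nslcd.conf is marked through its owner instead of its group.
# NOTE(review): this makes the oswat account the owner of the file holding the
# LDAP bind password, so oswat can read and change it; keep the mode at 640
# and treat the oswat account as privileged.
chown oswat nslcd.conf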