#language en
#refresh 999999
## nearly two weeks until an update occurs

[[TableOfContents(2)]]

= Overview =

== Basic data ==

|| Hostname || `gs1.fluid.tuwien.ac.at` ||
|| Model || [https://www.supermicro.com/en/products/motherboard/X10SRW-F Supermicro X10SRW-F] ||
|| Purpose || graphics server ||
|| Operating system || debian ||
|| Management interface || http://mgs1.fluid.tuwien.ac.at ||
|| Authentication options || TU password ||

== Hardware ==
|| CPU || [https://ark.intel.com/content/www/us/en/ark/products/82763/intel-xeon-processor-e51620-v3-10m-cache-3-50-ghz.html Intel(R) Xeon(R) CPU E5-1620 v3 @ 3.50GHz (4 cores)]; Socket: FCLGA2011-3 ||
|| RAM || 32 GiB; up to 256 GB DDR4-2400MHz ||
|| Storage || 500 GB (/) Samsung SSD 850 EVO 500GB ||
||         || 2 x 2 TB (/home) btrfs-raid1 ||
|| Graphics card || !GeForce GTX 960 ||
|| Battery type || CR2032 ||

User's manuals for [attachment:MNL-1570.pdf motherboard/BIOS] and [attachment:IPMI_Users_Guide.pdf BMC/IPMI].

== Configuration ==
All customized configuration files are marked by owner or group `oswat`,[[BR]]
`find /etc -user oswat -o -group oswat`

== BIOS ==
press DEL to enter BIOS, F11 for boot menu

== Admins ==
 * Thomas Loimer
 * Rudolf Ladner (ZID)
 * Sebastian Boehm (ZID)

= Installation of the base system =

Debian bookworm (12.0) was installed on the 500 GB SSD, one partition (≈100 MB) for the efi (/boot/efi),
the reminder of the disk for root (/), ext4 filesystem.
The file systems were labelled, `root_fs` and `home_fs`.[[BR]]
While in the debian installer, ssh-server was chosen, no localications, only C and C.utf8.[[BR]]
Install grub2 as bootloader; The kernel efi-stub needs a commandline (root=/dev/sda2 initrd=\EFI\debian\initrd.img),
no way to set that from the BIOS.[[BR]]
Had to create an administrative user: oswat, the home directory is `/opt/oswat`!

== Partitioning ==
|| /dev/sda   ||<style="text-align: right;"> 500 GB || || ||
|| /dev/sda1  ||<style="text-align: right;">  94 MB || /boot/efi || vfat ||
|| /dev/sda2  ||<style="text-align: right;"> 500 GB || / || ext4 ||
|| /dev/sdb+c ||<style="text-align: right;"> 2 TB || /home || btrfs-raid1 ||

== Network ==
{{{
echo gs1 >/etc/hostname
}}}

Note, the resolver (Domains=) and NTP-server is set per interface, see below.
This keeps the configuration in one file.
{{{
cat >/etc/systemd/network/10-gs1.network <<EOF
[Match]
MACAddress=0c:c4:7a:69:5a:20

[Network]
Description=Static ethernet connection
Address=128.130.169.110/25
Gateway=128.130.169.1
DNS=128.130.4.3
DNS=128.131.4.3
Domains=fluid.tuwien.ac.at
#NTP=tutimeb.tuwien.ac.at tutimec.tuwien.ac.at tutimea.tuwien.ac.at
NTP=128.130.3.131 128.131.2.3 128.130.2.3
EOF
}}}

Remove legacy ifupdown, use ntp.
{{{
apt install systemd-resolved systemd-timesyncd
apt purge ifupdown
}}}

== File systems ==
{{{
apt install btrfs-progs zstd
# create a btrfs-raid1 for data (-d) and medatadata (-m) from /dev/sdb and /dev/sdc
mkfs.btrfs -f -L home_fs -d raid1 -m raid1 /dev/sdb /dev/sdc

cat >>/etc/fstab <<EOF
# / was on /dev/sda2 during installation
LABEL=root_fs   /               ext4    noatime,errors=remount-ro 0       1
# /boot/efi was on /dev/sda1 during installation
UUID=5AA6-2350  /boot/efi       vfat    umask=0077                0       1
LABEL=home_fs   /home           btrfs   compress=zstd             0       2
EOF
}}}

== Installation sources ==

{{{
cat >/etc/apt/sources.list <<EOF
# Most preferred sources are listed first, see man sources.list(5)

deb http://gd.tuwien.ac.at/opsys/linux/debian bookworm main contrib
deb-src http://gd.tuwien.ac.at/opsys/linux/debian bookworm main contrib

# The fallback solution, if gd.tuwien does not work
deb http://deb.debian.org/debian bookworm main contrib
deb-src http://deb.debian.org/debian bookworm main contrib

deb http://security.debian.org/debian-security bookworm-security main contrib
deb-src http://security.debian.org/debian-security bookworm-security main contrib

# bookworm-updates, to get updates before a point release is made;
# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
deb http://gd.tuwien.ac.at/opsys/linux/debian/ bookworm-updates main contrib
deb-src http://gd.tuwien.ac.at/opsys/linux/debian/ bookworm-updates main contrib
deb http://deb.debian.org/debian/ bookworm-updates main contrib
deb-src http://deb.debian.org/debian/ bookworm-updates main contrib
EOF
}}}

Do not install, by default, recommended packages.
{{{
echo 'APT::Install-Recommends "false";' >/etc/apt/apt.conf.d/90recommended_false
}}}

== User access ==

=== sshd customization ===
Do not forward the client's locale, since there is only C/POSIX on gs1.
Also, there is no sudo, allow root to login.
{{{
echo "PermitRootLogin yes" >/etc/ssh/sshd_config.d/permitrootlogin.conf

apt install patch
patch <<EOF
--- /etc/ssh/sshd_config.orig	2023-04-12 16:19:45.904116844 +0200
+++ /etc/ssh/sshd_config	2023-03-29 10:20:37.697903087 +0200
@@ -109,7 +109,7 @@
 #Banner none

 # Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
+#AcceptEnv LANG LC_*

 # override default of no subsystems
 Subsystem	sftp	/usr/lib/openssh/sftp-server
EOF
}}}

=== Allow all members of E322 to log in ===

{{{
# see https://arthurdejong.org/nss-pam-ldapd/
apt install libnss-ldapd libpam-ldapd nscd

# here is the entire /etc/nslcd.conf file
# some options in the first 20 lines might be set at installation time
cat >/etc/nslcd.conf <<EOF
#
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldaps://dc.intern.tuwien.ac.at

# The search base that will be used for all queries.
base ou=tu,dc=intern,dc=tuwien,dc=ac,dc=at

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
binddn cn=E322_LDAP,ou=interactive,ou=exchange,ou=IT-services,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
bindpw **<confidential>**

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off
tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# The search scope.
#scope sub

# Here ends the shipped configuration file, customisation starts ...

base	passwd	ou=people,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
base	shadow	ou=people,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
base	group	ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at

# Mappings
filter	passwd	(memberOf:1.2.840.113556.1.4.1941:=cn=E322_ALL,ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at)
map	passwd	uid		sAMAccountName
map	passwd	uidNumber	employeeID
map	passwd	gecos		cn
map	passwd	homeDirectory	"/home/${sAMAccountName}"
map	passwd	loginShell	"/bin/bash"
map	passwd	gidNumber	"2153"


filter	shadow	(memberOf:1.2.840.113556.1.4.1941:=cn=E322_ALL,ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at)
map	shadow	uid		sAMAccountName

filter	group	(cn=E322*)
map	group	userPassword	""
map	group	gidNumber	objectSid:S-1-5-21-527783839-1561677997-9029855232
EOF
}}}

Do not forget to have users have a home directory,
{{{
pam-auth-update mkhomedir
# Installation of libpam-ldapd most probably runs
# pam-auth-update ldap
}}}

== Enable hibernation ==

Create a swap file (not a swap partition), enable swap and
modify the kernel command line to search for a RAM image.[[BR]]
Use `filefrag` to get the offset of the swap file.[[BR]]
It is not necessary to modify `etc/initramfs-tools/conf.d/resume`.
{{{
touch /swap
chmod 600 /swap
dd if=/dev/zero of=/swap bs=1M count=32768
filefrag -v /swap | head
# Use the number in the first row, first column of the "physical offset:" columns.
# This number has two dots appended (here: 202752..).
echo GRUB_CMDLINE_LINUX_DEFAULT=\"resume=PARTLABEL=root_partition resume_offset=202752\" \
    >/etc/default/grub.d/resume.cfg
echo "/swap    swap    swap    defaults    0    0"  >>/etc/fstab
}}}

== Mark customized files ==

{{{
cd etc
chgrp oswat hostname fstab apt/sources.list apt/apt.conf.d/90recommended_false \
    systemd/network/10-gs1.network sshd_config sshd_config.d/permitrootlogin.conf \
    default/grub.d/resume.cfg
chown oswat nslcd.conf
}}}