Add bootstrap scripts for SharkFork

.gitignore

@@ -1,4 +1,8 @@
 forksand-it-manual.pdf
+forksand-it-manual-ebook.pdf
+forksand-it-manual-prepress.pdf
+forksand-it-manual-printer.pdf
+forksand-it-manual-screen.pdf
 *~
 .~lock.*#
 *.aux

source/resources/apps/sharkfork-bootstrap/forksand-sf-001-bootstrap

@@ -0,0 +1,240 @@
+#!/bin/bash
+# forksand-bootstrap-sf-001
+# GPLv3+
+# This script does some initial setup and config
+# Sets up Proxmox.
+
+# Log script
+exec > >(tee /root/bootstrap-sf-001.log) 2>/root/bootstrap-sf-001.err
+
+set -x
+
+# Set locale
+echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
+locale-gen
+update-locale
+
+# XXX Set timezone
+ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
+
+# Set up git for tracking. XXX Ansible... XXX
+apt-get -y install git sudo
+cd /etc
+git init
+chmod og-rwx /etc/.git
+
+cat > /etc/.gitignore <<EOF
+prelink.cache
+*.swp
+ld.so.cache
+adjtime
+blkid.tab
+blkid.tab.old
+mtab
+resolv.conf
+asound.state
+mtab.fuselock
+aliases.db
+EOF
+
+git config --global user.name "Jeff Moe"
+git config --global user.email moe@forksand.com
+cd /etc ; git add . ; git commit -a -m 'Set up new Debian Stretch sf-001 server.'
+
+# SET UP APT
+#
+cat > /etc/apt/sources.list <<EOF
+deb http://mirrors.kernel.org/debian/ stretch-backports main
+deb http://mirrors.kernel.org/debian/ stretch main
+deb http://mirrors.kernel.org/debian/ stretch-updates main
+deb http://security.debian.org/ stretch/updates main
+EOF
+
+# Make apt use IPv4:
+echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
+
+git add /etc/apt/apt.conf.d/99force-ipv4
+git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4
+
+cd /etc ; git add . ; git commit -a -m 'Set up apt.'
+
+# UPGRADE SERVER
+apt-get update
+apt-get -y dist-upgrade --download-only
+DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
+
+cd /etc ; git add . ; git commit -a -m 'Update base install'
+
+apt-get -y --download-only install					\
+	--no-install-recommends						\
+	apt-transport-https						\
+	bzip2								\
+	ca-certificates							\
+	colordiff							\
+	cpufrequtils							\
+	curl								\
+	debian-archive-keyring						\
+	exuberant-ctags							\
+	git								\
+	host								\
+	less								\
+	locales								\
+	lsb-release							\
+	man-db								\
+	manpages							\
+	molly-guard							\
+	net-tools							\
+	ntp								\
+	openssh-server							\
+	postfix								\
+	python3								\
+	rsync								\
+	telnet								\
+	traceroute							\
+	vim								\
+	vim-scripts
+
+DEBIAN_FRONTEND=noninteractive apt-get -y 				\
+	-o Dpkg::Options::="--force-confdef"				\
+	-o Dpkg::Options::="--force-confnew"				\
+	install								\
+	--no-install-recommends						\
+	apt-transport-https						\
+	bzip2								\
+	ca-certificates							\
+	colordiff							\
+	cpufrequtils							\
+	curl								\
+	debian-archive-keyring						\
+	exuberant-ctags							\
+	git								\
+	host								\
+	less								\
+	locales								\
+	lsb-release							\
+	man-db								\
+	manpages							\
+	molly-guard							\
+	net-tools							\
+	ntp								\
+	openssh-server							\
+	postfix								\
+	python3								\
+	rsync								\
+	telnet								\
+	traceroute							\
+	vim								\
+	vim-scripts
+
+cd /etc ; git add . ; git commit -a -m 'Install base packages'
+
+# NTP SharkTech. They firewall outside ntp.
+sed -i                                                                                   \
+ -e 's/pool 0.debian.pool.ntp.org/\#pool 0.debian.pool.ntp.org/g'                \
+ -e 's/pool 1.debian.pool.ntp.org/\#pool 1.debian.pool.ntp.org/g'                \
+ -e 's/pool 2.debian.pool.ntp.org/\#pool 2.debian.pool.ntp.org/g'                \
+ -e 's/pool 3.debian.pool.ntp.org/pool time.sharktech.net iburst/g'              \
+ /etc/ntp.conf
+
+cd /etc ; git add . ; git commit -a -m 'Use SharkTech NTP (others firewalled).'
+/etc/init.d/ntp restart
+
+# Speed up
+echo 'GOVERNOR="performance"' > /etc/default/cpufrequtils
+/etc/init.d/cpufrequtils restart
+cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils'
+
+# Small user tweaks
+echo :syntax on > ~/.vimrc
+echo :syntax on > /home/jebba/.vimrc
+chown jebba:jebba /home/jebba/.vimrc
+echo export EDITOR=vi >> /root/.bashrc
+
+# XXX Passwordless sudo XXX Ya, probably remove
+sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
+
+adduser jebba sudo
+cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'
+
+# SSH config XXX sed cruft
+sed -i  \
+ -e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \
+ -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \
+ -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
+ -e 's/\#X11Forwarding yes/X11Forwarding no/g' \
+ /etc/ssh/sshd_config
+
+echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
+
+echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
+
+# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
+#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
+
+# XXX Add admins as only allowed ssh users
+# XXX add user for ansbile
+echo "AllowUsers jebba root" >> /etc/ssh/sshd_config
+
+cd /etc ; git add . ; git commit -a -m 'Set up sshd'
+systemctl restart sshd
+
+# Startup XXX disable unneeded.
+for i in rsync exim4 saned
+do echo $i 
+  /usr/sbin/update-rc.d $i disable
+done
+# XXX KILL THIS, listening on public port (firewalled, but still):
+# tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      296/systemd-resolve
+cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
+
+# GRUB
+sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub
+sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
+echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
+
+update-grub
+
+cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
+
+# Fix network to come up on boot
+sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
+cd /etc ; git add . ; git commit -a -m 'Auto start network'
+
+# XXX not sure why this is getting installed:
+apt-get -y autoremove
+
+apt-get -y remove os-prober
+
+# Proxmox
+#cat > /etc/apt/sources.list.d/pve-enterprise.list<<EOF
+##deb https://enterprise.proxmox.com/debian/pve stretch pve-enterprise
+#EOF
+cat > /etc/apt/sources.list.d/pve-no-subscription.list<<EOF
+deb http://download.proxmox.com/debian/pve stretch pve-no-subscription
+EOF
+
+# Add Proxmox enterprise key XXX Add key 
+#cat > /etc/apt/auth.conf<<EOF
+#machine enterprise.proxmox.com
+# login pve2s-0000000000
+# password 00000000000000000000000000000000
+#EOF
+
+# XXX crufty add proxmox apt key
+wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
+
+apt-get update
+apt-get -y dist-upgrade --download-only
+DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
+
+apt-get -y				 				\
+	install								\
+	ksm-control-daemon						\
+	omping								\
+	proxmox-ve
+
+cd /etc ; git add . ; git commit -a -m 'Install Proxmox'
+apt clean
+
+exit 0
+

source/resources/apps/sharkfork-bootstrap/forksand-sf-002-bootstrap

@@ -0,0 +1,240 @@
+#!/bin/bash
+# forksand-bootstrap-sf-002
+# GPLv3+
+# This script does some initial setup and config
+# Sets up Proxmox.
+
+# Log script
+exec > >(tee /root/bootstrap-sf-002.log) 2>/root/bootstrap-sf-002.err
+
+set -x
+
+# Set locale
+echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
+locale-gen
+update-locale
+
+# XXX Set timezone
+ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
+
+# Set up git for tracking. XXX Ansible... XXX
+apt-get -y install git sudo
+cd /etc
+git init
+chmod og-rwx /etc/.git
+
+cat > /etc/.gitignore <<EOF
+prelink.cache
+*.swp
+ld.so.cache
+adjtime
+blkid.tab
+blkid.tab.old
+mtab
+resolv.conf
+asound.state
+mtab.fuselock
+aliases.db
+EOF
+
+git config --global user.name "Jeff Moe"
+git config --global user.email moe@forksand.com
+cd /etc ; git add . ; git commit -a -m 'Set up new Debian Stretch sf-002 server.'
+
+# SET UP APT
+#
+cat > /etc/apt/sources.list <<EOF
+deb http://mirrors.kernel.org/debian/ stretch-backports main
+deb http://mirrors.kernel.org/debian/ stretch main
+deb http://mirrors.kernel.org/debian/ stretch-updates main
+deb http://security.debian.org/ stretch/updates main
+EOF
+
+# Make apt use IPv4:
+echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
+
+git add /etc/apt/apt.conf.d/99force-ipv4
+git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4
+
+cd /etc ; git add . ; git commit -a -m 'Set up apt.'
+
+# UPGRADE SERVER
+apt-get update
+apt-get -y dist-upgrade --download-only
+DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
+
+cd /etc ; git add . ; git commit -a -m 'Update base install'
+
+apt-get -y --download-only install					\
+	--no-install-recommends						\
+	apt-transport-https						\
+	bzip2								\
+	ca-certificates							\
+	colordiff							\
+	cpufrequtils							\
+	curl								\
+	debian-archive-keyring						\
+	exuberant-ctags							\
+	git								\
+	host								\
+	less								\
+	locales								\
+	lsb-release							\
+	man-db								\
+	manpages							\
+	molly-guard							\
+	net-tools							\
+	ntp								\
+	openssh-server							\
+	postfix								\
+	python3								\
+	rsync								\
+	telnet								\
+	traceroute							\
+	vim								\
+	vim-scripts
+
+DEBIAN_FRONTEND=noninteractive apt-get -y 				\
+	-o Dpkg::Options::="--force-confdef"				\
+	-o Dpkg::Options::="--force-confnew"				\
+	install								\
+	--no-install-recommends						\
+	apt-transport-https						\
+	bzip2								\
+	ca-certificates							\
+	colordiff							\
+	cpufrequtils							\
+	curl								\
+	debian-archive-keyring						\
+	exuberant-ctags							\
+	git								\
+	host								\
+	less								\
+	locales								\
+	lsb-release							\
+	man-db								\
+	manpages							\
+	molly-guard							\
+	net-tools							\
+	ntp								\
+	openssh-server							\
+	postfix								\
+	python3								\
+	rsync								\
+	telnet								\
+	traceroute							\
+	vim								\
+	vim-scripts
+
+cd /etc ; git add . ; git commit -a -m 'Install base packages'
+
+# NTP SharkTech. They firewall outside ntp.
+sed -i                                                                                   \
+ -e 's/pool 0.debian.pool.ntp.org/\#pool 0.debian.pool.ntp.org/g'                \
+ -e 's/pool 1.debian.pool.ntp.org/\#pool 1.debian.pool.ntp.org/g'                \
+ -e 's/pool 2.debian.pool.ntp.org/\#pool 2.debian.pool.ntp.org/g'                \
+ -e 's/pool 3.debian.pool.ntp.org/pool time.sharktech.net iburst/g'              \
+ /etc/ntp.conf
+
+cd /etc ; git add . ; git commit -a -m 'Use SharkTech NTP (others firewalled).'
+/etc/init.d/ntp restart
+
+# Speed up
+echo 'GOVERNOR="performance"' > /etc/default/cpufrequtils
+/etc/init.d/cpufrequtils restart
+cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils'
+
+# Small user tweaks
+echo :syntax on > ~/.vimrc
+echo :syntax on > /home/jebba/.vimrc
+chown jebba:jebba /home/jebba/.vimrc
+echo export EDITOR=vi >> /root/.bashrc
+
+# XXX Passwordless sudo XXX Ya, probably remove
+sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
+
+adduser jebba sudo
+cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'
+
+# SSH config XXX sed cruft
+sed -i  \
+ -e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \
+ -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \
+ -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
+ -e 's/\#X11Forwarding yes/X11Forwarding no/g' \
+ /etc/ssh/sshd_config
+
+echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
+
+echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
+
+# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
+#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
+
+# XXX Add admins as only allowed ssh users
+# XXX add user for ansbile
+echo "AllowUsers jebba root" >> /etc/ssh/sshd_config
+
+cd /etc ; git add . ; git commit -a -m 'Set up sshd'
+systemctl restart sshd
+
+# Startup XXX disable unneeded.
+for i in rsync exim4 saned
+do echo $i 
+  /usr/sbin/update-rc.d $i disable
+done
+# XXX KILL THIS, listening on public port (firewalled, but still):
+# tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      296/systemd-resolve
+cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
+
+# GRUB
+sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub
+sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
+echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
+
+update-grub
+
+cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
+
+# Fix network to come up on boot
+sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
+cd /etc ; git add . ; git commit -a -m 'Auto start network'
+
+# XXX not sure why this is getting installed:
+apt-get -y autoremove
+
+apt-get -y remove os-prober
+
+# Proxmox
+#cat > /etc/apt/sources.list.d/pve-enterprise.list<<EOF
+##deb https://enterprise.proxmox.com/debian/pve stretch pve-enterprise
+#EOF
+cat > /etc/apt/sources.list.d/pve-no-subscription.list<<EOF
+deb http://download.proxmox.com/debian/pve stretch pve-no-subscription
+EOF
+
+# Add Proxmox enterprise key XXX Add key 
+#cat > /etc/apt/auth.conf<<EOF
+#machine enterprise.proxmox.com
+# login pve2s-0000000000
+# password 00000000000000000000000000000000
+#EOF
+
+# XXX crufty add proxmox apt key
+wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
+
+apt-get update
+apt-get -y dist-upgrade --download-only
+DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
+
+apt-get -y				 				\
+	install								\
+	ksm-control-daemon						\
+	omping								\
+	proxmox-ve
+
+cd /etc ; git add . ; git commit -a -m 'Install Proxmox'
+apt clean
+
+exit 0
+

source/resources/apps/sharkfork-bootstrap/forksand-sf-003-bootstrap

@@ -0,0 +1,239 @@
+#!/bin/bash
+# forksand-bootstrap-sf-003
+# GPLv3+
+# This script does some initial setup and config
+# Sets up Proxmox.
+
+# Log script
+exec > >(tee /root/bootstrap-sf-003.log) 2>/root/bootstrap-sf-003.err
+
+set -x
+
+# Set locale
+echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
+locale-gen
+update-locale
+
+# XXX Set timezone
+ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
+
+# Set up git for tracking. XXX Ansible... XXX
+apt-get -y install git sudo
+cd /etc
+git init
+chmod og-rwx /etc/.git
+
+cat > /etc/.gitignore <<EOF
+prelink.cache
+*.swp
+ld.so.cache
+adjtime
+blkid.tab
+blkid.tab.old
+mtab
+resolv.conf
+asound.state
+mtab.fuselock
+aliases.db
+EOF
+
+git config --global user.name "Jeff Moe"
+git config --global user.email moe@forksand.com
+cd /etc ; git add . ; git commit -a -m 'Set up new Debian Stretch sf-003 server.'
+
+# SET UP APT
+#
+cat > /etc/apt/sources.list <<EOF
+deb http://mirrors.kernel.org/debian/ stretch-backports main
+deb http://mirrors.kernel.org/debian/ stretch main
+deb http://mirrors.kernel.org/debian/ stretch-updates main
+deb http://security.debian.org/ stretch/updates main
+EOF
+
+# Make apt use IPv4:
+echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
+
+git add /etc/apt/apt.conf.d/99force-ipv4
+git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4
+
+cd /etc ; git add . ; git commit -a -m 'Set up apt.'
+
+# UPGRADE SERVER
+apt-get update
+apt-get -y dist-upgrade --download-only
+DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
+
+cd /etc ; git add . ; git commit -a -m 'Update base install'
+
+apt-get -y --download-only install					\
+	--no-install-recommends						\
+	apt-transport-https						\
+	bzip2								\
+	ca-certificates							\
+	colordiff							\
+	cpufrequtils							\
+	curl								\
+	debian-archive-keyring						\
+	exuberant-ctags							\
+	git								\
+	host								\
+	less								\
+	locales								\
+	lsb-release							\
+	man-db								\
+	manpages							\
+	molly-guard							\
+	net-tools							\
+	ntp								\
+	openssh-server							\
+	postfix								\
+	python3								\
+	rsync								\
+	telnet								\
+	traceroute							\
+	vim								\
+	vim-scripts
+
+DEBIAN_FRONTEND=noninteractive apt-get -y 				\
+	-o Dpkg::Options::="--force-confdef"				\
+	-o Dpkg::Options::="--force-confnew"				\
+	install								\
+	--no-install-recommends						\
+	apt-transport-https						\
+	bzip2								\
+	ca-certificates							\
+	colordiff							\
+	cpufrequtils							\
+	curl								\
+	debian-archive-keyring						\
+	exuberant-ctags							\
+	git								\
+	host								\
+	less								\
+	locales								\
+	lsb-release							\
+	man-db								\
+	manpages							\
+	molly-guard							\
+	net-tools							\
+	ntp								\
+	openssh-server							\
+	postfix								\
+	python3								\
+	rsync								\
+	telnet								\
+	traceroute							\
+	vim								\
+	vim-scripts
+
+cd /etc ; git add . ; git commit -a -m 'Install base packages'
+
+# NTP SharkTech. They firewall outside ntp.
+sed -i                                                                                   \
+ -e 's/pool 0.debian.pool.ntp.org/\#pool 0.debian.pool.ntp.org/g'                \
+ -e 's/pool 1.debian.pool.ntp.org/\#pool 1.debian.pool.ntp.org/g'                \
+ -e 's/pool 2.debian.pool.ntp.org/\#pool 2.debian.pool.ntp.org/g'                \
+ -e 's/pool 3.debian.pool.ntp.org/pool time.sharktech.net iburst/g'              \
+ /etc/ntp.conf
+
+cd /etc ; git add . ; git commit -a -m 'Use SharkTech NTP (others firewalled).'
+/etc/init.d/ntp restart
+
+# Speed up
+echo 'GOVERNOR="performance"' > /etc/default/cpufrequtils
+/etc/init.d/cpufrequtils restart
+cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils'
+
+# Small user tweaks
+echo :syntax on > ~/.vimrc
+echo :syntax on > /home/jebba/.vimrc
+chown jebba:jebba /home/jebba/.vimrc
+echo export EDITOR=vi >> /root/.bashrc
+
+# XXX Passwordless sudo XXX Ya, probably remove
+sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
+
+adduser jebba sudo
+cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'
+
+# SSH config XXX sed cruft
+sed -i  \
+ -e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \
+ -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \
+ -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
+ -e 's/\#X11Forwarding yes/X11Forwarding no/g' \
+ /etc/ssh/sshd_config
+
+echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
+
+echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
+
+# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
+#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
+
+# XXX Add admins as only allowed ssh users
+# XXX add user for ansbile
+echo "AllowUsers jebba root" >> /etc/ssh/sshd_config
+
+cd /etc ; git add . ; git commit -a -m 'Set up sshd'
+systemctl restart sshd
+
+# Startup XXX disable unneeded.
+for i in rsync exim4 saned
+do echo $i 
+  /usr/sbin/update-rc.d $i disable
+done
+# XXX KILL THIS, listening on public port (firewalled, but still):
+# tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      296/systemd-resolve
+cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
+
+# GRUB
+sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub
+sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
+echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
+
+update-grub
+
+cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
+
+# Fix network to come up on boot
+sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
+cd /etc ; git add . ; git commit -a -m 'Auto start network'
+
+# XXX not sure why this is getting installed:
+apt-get -y autoremove
+
+apt-get -y remove os-prober
+
+# Proxmox
+#cat > /etc/apt/sources.list.d/pve-enterprise.list<<EOF
+##deb https://enterprise.proxmox.com/debian/pve stretch pve-enterprise
+#EOF
+cat > /etc/apt/sources.list.d/pve-no-subscription.list<<EOF
+deb http://download.proxmox.com/debian/pve stretch pve-no-subscription
+EOF
+
+# Add Proxmox enterprise key XXX Add key 
+#cat > /etc/apt/auth.conf<<EOF
+#machine enterprise.proxmox.com
+# login pve2s-0000000000
+# password 00000000000000000000000000000000
+#EOF
+
+# XXX crufty add proxmox apt key
+wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
+
+apt-get update
+apt-get -y dist-upgrade --download-only
+DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
+
+apt-get -y				 				\
+	install								\
+	ksm-control-daemon						\
+	omping								\
+	proxmox-ve
+
+cd /etc ; git add . ; git commit -a -m 'Install Proxmox'
+apt clean
+
+exit 0

source/resources/apps/sharkfork-bootstrap/forksand-sf-004-bootstrap

@@ -1,16 +1,11 @@
 #!/bin/bash
-# forksand-bootstrap-shark4
+# forksand-bootstrap-sf-004
 # GPLv3+
 # This script does some initial setup and config
 # Sets up Proxmox.
-# IPv6 is left enabled.
-# Firewalling is done through Proxmox.
-# Edit below to add Proxmox Enterprise Key. XXX broken, use community repo.
-
-# XXX set network to auto not hotplug XXX
 
 # Log script
-exec > >(tee /root/bootstrap-shark4.log) 2>/root/bootstrap-shark4.err
+exec > >(tee /root/bootstrap-sf-004.log) 2>/root/bootstrap-sf-004.err
 
 set -x
 
@@ -42,9 +37,9 @@ mtab.fuselock
 aliases.db
 EOF
 
-git config --global user.name "debian"
-git config --global user.email git@localhost
-cd /etc ; git add . ; git commit -a -m 'Set up new Debian Stretch shark4 server.'
+git config --global user.name "Jeff Moe"
+git config --global user.email moe@forksand.com
+cd /etc ; git add . ; git commit -a -m 'Set up new Debian Stretch sf-004 server.'
 
 # SET UP APT
 #
@@ -91,6 +86,7 @@ apt-get -y --download-only install					\
 	net-tools							\
 	ntp								\
 	openssh-server							\
+	postfix								\
 	python3								\
 	rsync								\
 	telnet								\
@@ -122,6 +118,7 @@ DEBIAN_FRONTEND=noninteractive apt-get -y 				\
 	net-tools							\
 	ntp								\
 	openssh-server							\
+	postfix								\
 	python3								\
 	rsync								\
 	telnet								\
@@ -131,15 +128,16 @@ DEBIAN_FRONTEND=noninteractive apt-get -y 				\
 
 cd /etc ; git add . ; git commit -a -m 'Install base packages'
 
-# NTP SharkTech
-sed -i											\
-	-e 's/pool 0.debian.pool.ntp.org/\#pool 0.debian.pool.ntp.org/g'		\
-	-e 's/pool 1.debian.pool.ntp.org/\#pool 1.debian.pool.ntp.org/g'		\
-	-e 's/pool 2.debian.pool.ntp.org/\#pool 2.debian.pool.ntp.org/g'		\
-	-e 's/pool 3.debian.pool.ntp.org/pool time.sharktech.net iburst/g'		\
-	/etc/ntp.conf
+# NTP SharkTech. They firewall outside ntp.
+sed -i                                                                                   \
+ -e 's/pool 0.debian.pool.ntp.org/\#pool 0.debian.pool.ntp.org/g'                \
+ -e 's/pool 1.debian.pool.ntp.org/\#pool 1.debian.pool.ntp.org/g'                \
+ -e 's/pool 2.debian.pool.ntp.org/\#pool 2.debian.pool.ntp.org/g'                \
+ -e 's/pool 3.debian.pool.ntp.org/pool time.sharktech.net iburst/g'              \
+ /etc/ntp.conf
 
 cd /etc ; git add . ; git commit -a -m 'Use SharkTech NTP (others firewalled).'
+/etc/init.d/ntp restart
 
 # Speed up
 echo 'GOVERNOR="performance"' > /etc/default/cpufrequtils
@@ -175,7 +173,7 @@ echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@op
 
 # XXX Add admins as only allowed ssh users
 # XXX add user for ansbile
-echo "AllowUsers jebba" >> /etc/ssh/sshd_config
+echo "AllowUsers jebba root" >> /etc/ssh/sshd_config
 
 cd /etc ; git add . ; git commit -a -m 'Set up sshd'
 systemctl restart sshd
@@ -205,6 +203,8 @@ cd /etc ; git add . ; git commit -a -m 'Auto start network'
 # XXX not sure why this is getting installed:
 apt-get -y autoremove
 
+apt-get -y remove os-prober
+
 # Proxmox
 #cat > /etc/apt/sources.list.d/pve-enterprise.list<<EOF
 ##deb https://enterprise.proxmox.com/debian/pve stretch pve-enterprise
@@ -230,85 +230,10 @@ DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -
 apt-get -y				 				\
 	install								\
 	ksm-control-daemon						\
+	omping								\
 	proxmox-ve
 
 cd /etc ; git add . ; git commit -a -m 'Install Proxmox'
 apt clean
 
 exit 0
-
-# Run this on workstation:
-# ssh -N -C -L 8007:localhost:8006 shark4
-# firefox https://localhost:8006
-# Login as root user via PAM
-# Set up Enterprise Key
-# Data Center --> Permissions --> Users
-# Add user with Realm Proxmox VE authentication server.
-# Give user root permissions:  Datacenter --> Permissions --> Add --> User permission.
-#   Path: /  User: j   Role: Administrator
-# XXX Or create admin group, add perms to that...
-# Permissions --> Authentication. Set Proxmox VE authentication server to default.
-# 
-# Enable firewall.
-# Datacenter --> shark4 (host) --> Firewall --> Add.
-# Open up for SSH and SSH alt port.
-# Enable firewall for datacenter:
-# Datacenter --> Firewall --> Options --> Firewall --> Yes
-# Enable firewall for shark4:
-# Open up for SSH and SSH alt port.
-# REJECT everything coming in. (then DROP)
-# Reorder to ACCEPT SSH at top
-#
-# Reboot!  shark4 (host) --> Restart
-#
-#
-# XXX
-# Datacenter --> Firewall --> Add.
-# REJECT any in
-#
-# Storage
-# Datacenter --> Storage --> Edit local. Enable all content (add VZDump)
-#
-# XXX postfix
-#
-# DNS
-# shark4 (host) --> System --> DNS
-# Add servers:
-# 208.67.222.222 208.67.220.220 37.235.1.174
-#
-# Netwok
-# shark4 (host) --> System --> Network
-# Fix subnet mask, IP in web gui.
-# Create --> Linux Bridge:
-#   vmbr0
-# XXX best way for this server? No subnet.
-#
-source /etc/network/interfaces.d/*
-
-# The loopback network interface
-auto lo
-iface lo inet loopback
-
-# The primary network interface
-auto enp1s0f1
-iface enp1s0f1 inet static
-	address 70.39.103.210/29
-	gateway 70.39.103.209
-	dns-nameservers 208.67.222.222
-	dns-search forksand.com
-
-#
-# rebootz
-#
-# Set up templates
-# Datacenter --> shark4 --> local (shark4) --> Content --> Templates
-# Select Debian. maybe arch, alpine
-
-# XXX TOTAL MEH XXX
-# add this to the workstation:
-# 127.0.0.1	localhost shark3-tun shark4-tun
-# Then use URLs
-# https://shark3-tun:8006
-# https://shark4-tun:8007
-# Or you can only be logged into one at a time.
-# XXX find better workaround