
Bare Metal Deployment

SkyperTHC edited this page Mar 7, 2023 · 16 revisions

These instructions are for administrators who want to provision a Segfault.net Server Centre (SSC) on a dedicated bare-metal server.

This is how we deploy an SSC to a bare-metal server.

Option A - SSD & NVME

  • 1x 256 GB /dev/sda (unused). Used for /sf/config and /sec
  • 1x 2 TB /dev/nvme0n1 (boot & root filesystem). Remaining used for swap.
  • 1x 2 TB /dev/nvme1n1 (unused). Used for segfault

Option B - SSD (raid1)

  • 2x 894.25 GB SSD

Setup A & B

Helper functions

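# Format a block device as swap and register it in /etc/fstab by UUID.
# Globals:   FS_UUID (written) - UUID of the new swap area
# Arguments: $1 - block device to turn into swap (e.g. /dev/nvme0n1p6)
# Outputs:   appends one swap line to /etc/fstab; errors go to stderr
# Returns:   0 on success, non-zero if mkswap fails or no UUID can be read
addswap()
{
    local dev
    dev=$1

    # Stop on failure so a device that was not formatted never lands in fstab.
    mkswap "$dev" || return

    # Read the UUID as a plain value instead of eval'ing blkid's KEY="value"
    # output: eval executes whatever text blkid prints and relies on UUID
    # being the second field of that line.
    FS_UUID=$(blkid -s UUID -o value "$dev") || return
    if [ -z "$FS_UUID" ]; then
        echo "addswap: no UUID found for $dev" >&2
        return 1
    fi

    echo "UUID=${FS_UUID} none swap    sw              0       0" >>/etc/fstab
}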

Basic OpSec

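# Keep shell history off disk: whatever bash writes at logout goes to /dev/null,
# so passphrases typed on the command line do not persist in a file.
# -f replaces an existing history file (plain `ln -s` fails with "File exists"),
# and the absolute path makes the result independent of the current directory.
ln -sf /dev/null "${HOME}/.bash_history"
# With history discarded, command accountability has to come from another
# source (for example auditd or remote logging) if it is needed.
passwd # set a new password for the current user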

Remove default crap

# Stop and disable services that this deployment does not use, to reduce the
# number of listening daemons. Units that are not installed only make
# systemctl print an error; the remaining ones are still processed.
for svc in pvedaemon pveproxy spiceproxy dovecot xinetd apache2 postfix \
           sw-cp-server nginx mysql bind9; do
    systemctl stop "$svc"
    systemctl disable "$svc"
done

# rpcbind has a separate socket unit, which is stopped as well.
systemctl stop rpcbind
systemctl stop rpcbind.socket
systemctl disable rpcbind

# Afterwards, `ss -tulpn` shows which sockets are still listening.

Install useful crap

# Refresh the package index, then install the tools used by the rest of this
# guide (KVM/libvirt stack, cryptsetup for LUKS, xfsprogs for XFS, utilities).
apt update
apt install \
    tmux cpu-checker libvirt-daemon-system net-tools dnsmasq-base \
    genisoimage virtinst libosinfo-bin cryptsetup qemu-kvm qemu-utils \
    xfsprogs htop vim

Option A

Boot into Rescue Mode

# Run these from the rescue system: an ext filesystem cannot be shrunk while it
# is mounted (nvme0n1p5 is presumably the root filesystem - confirm with lsblk).
# Force a full check first; resize2fs refuses to shrink an unchecked filesystem.
e2fsck -f /dev/nvme0n1p5
# Shrink the filesystem to 32G before the partition around it is made smaller.
resize2fs /dev/nvme0n1p5 32G # (8388608 * 4k long => 67108864 * 512 blocks)
fdisk /dev/nvme0n1
# - d: delete partition 5
# - n: New partition. Same start and length +67108864. Do not remove signature (when asked)
#      The start sector must match the old partition exactly and the new
#      partition must not be smaller than the 32G filesystem; otherwise the
#      filesystem can no longer be read.
# - w: save & exit
reboot

Create swap

# Create a swap partition in the space freed on /dev/nvme0n1.
fdisk /dev/nvme0n1
# - n: New partition 6
# - +512G
# - t -> 6 -> swap: Set type swap on new partition
# - w: write & exit
# addswap (see "Helper functions") formats the partition and appends it to
# /etc/fstab. It does not activate the swap: run `swapon -a` or reboot for that.
addswap /dev/nvme0n1p6

Create Filesystem for Segfault:

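# Create the XFS filesystem that backs /sf and mount it by UUID with user and
# project quotas enabled.
dev=/dev/nvme1n1
# -f overwrites any filesystem signature already on the device: check that
# $dev is the intended disk (e.g. with `lsblk`) before running this.
mkfs -t xfs -f  "${dev}"
# Read the UUID as a plain value instead of eval'ing blkid's KEY="value"
# output: eval executes whatever text blkid prints and relies on UUID being
# the second field of that line.
FS_UUID=$(blkid -s UUID -o value "${dev}")
if [ -n "${FS_UUID}" ]; then
    echo "UUID=${FS_UUID}     /sf    xfs    defaults,nofail,noatime,usrquota,prjquota 1 2" >>/etc/fstab
    # The mount point has to exist before the fstab entry can be mounted.
    mkdir -p /sf
    mount /sf
else
    # An empty UUID would produce a broken fstab line, so nothing is written.
    echo "no UUID found for ${dev}; /etc/fstab left unchanged" >&2
fi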

Create /sf/config (encrypted)

# Print a random passphrase of up to 22 letters taken from /dev/urandom.
# It is only echoed, not stored in a variable or file: record it somewhere
# safe outside this server and type it at the cryptsetup prompts below.
# It remains visible in the terminal/tmux scrollback until that is cleared.
echo LUKSPASSWORD=$(head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 22)
# luksFormat overwrites /dev/sda with a new LUKS header; existing data is lost.
cryptsetup luksFormat /dev/sda
# Unlock the container; it appears as /dev/mapper/sdaluks.
cryptsetup luksOpen /dev/sda sdaluks
fdisk /dev/mapper/sdaluks
# - n: New partition, +1G
# - n: New partition, all the remaining size
# - w: write & exit
# Re-read the partition table so that sdaluks1 and sdaluks2 show up.
partprobe
mkfs -t xfs /dev/mapper/sdaluks1
mkfs -t xfs /dev/mapper/sdaluks2
mkdir -p /sf/config
mkdir /sec
# These mounts are not written to /etc/fstab and no crypttab entry is created
# on this page, so after a reboot the volume has to be unlocked with luksOpen
# and mounted again by hand. The passphrase is therefore never kept on disk.
mount -o nofail,noatime /dev/mapper/sdaluks1 /sf/config
mount -o nofail,noatime /dev/mapper/sdaluks2 /sec

Option B

Assuming:

fdisk -l
/dev/sda1            2048    1050623    1048576  512M fd Linux raid autodetect
/dev/sda2         1050624   25626623   24576000 11.7G fd Linux raid autodetect
/dev/sdb1            2048    1050623    1048576  512M fd Linux raid autodetect
/dev/sdb2         1050624   25626623   24576000 11.7G fd Linux raid autodetect
# Add the swap and data partitions behind the two existing raid partitions.
# NOTE(review): the partition table shown after this step lists only a 128G
# swap partition (sda3) and one raid partition (sda4), and /sf/config is later
# created inside the LUKS volume, so the "+1G" partition below looks outdated -
# confirm before following it.
fdisk /dev/sda
# n -> +1G   - new partition (for /sf/config)
# t -> fd    - type to 'Linux raid autodetect'
# n -> +128G - new partition (for swap1)
# t -> swap  - type to 'Linux Swap'
# n          - all the remaining space
# t -> fd    - type to 'Linux raid autodetect'
# w - save & exit

Repeat the same steps for the second disk with fdisk /dev/sdb.

fdisk -l /dev/sda
/dev/sda1            2048    1050623    1048576  512M fd Linux raid autodetect
/dev/sda2         1050624   25626623   24576000 11.7G fd Linux raid autodetect
/dev/sda3        25626624  294062079  268435456  128G 82 Linux swap / Solaris
/dev/sda4       294062080 1875385007 1581322928  754G fd Linux raid autodetect
# Format both swap partitions and add them to /etc/fstab (addswap is defined
# under "Helper functions"), then activate everything listed in fstab.
addswap /dev/sda3
addswap /dev/sdb3
swapon -a
# Mirror the two large partitions as /dev/md2.
# NOTE(review): nothing on this page records the array in mdadm.conf; check
# that it still assembles under the same name after a reboot.
mdadm --create /dev/md2 --level=mirror --raid-devices=2 /dev/sda4 /dev/sdb4
# Print a random passphrase of up to 22 letters taken from /dev/urandom.
# It is only echoed, not stored in a variable or file: record it somewhere
# safe outside this server and type it at the cryptsetup prompts below.
# It remains visible in the terminal/tmux scrollback until that is cleared.
echo LUKSPASSWORD=$(head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 22)
DN=md2
# luksFormat overwrites the array with a new LUKS header; existing data is lost.
cryptsetup luksFormat /dev/${DN}
# Unlock the container; it appears as /dev/mapper/md2luks.
cryptsetup luksOpen /dev/${DN} ${DN}luks
fdisk /dev/mapper/${DN}luks
# - n: New partition, +1G
# - n: New partition, all the remaining size
# - w: write & exit
# Re-read the partition table so that the two new partitions show up.
partprobe
mkfs -t xfs /dev/mapper/${DN}luks1
mkfs -t xfs /dev/mapper/${DN}luks2
mkdir /sf
# NOTE(review): Option A mounts /sf with usrquota,prjquota; this mount does
# not, and XFS quota options only take effect when given at mount time -
# confirm whether they are needed here.
# These mounts are not written to /etc/fstab, so after a reboot the volume has
# to be unlocked with luksOpen and mounted again by hand.
mount -o nofail,noatime /dev/mapper/${DN}luks2 /sf
mkdir /sf/config
mount -o nofail,noatime /dev/mapper/${DN}luks1 /sf/config

Continue reading Installing the SSC.
