add debian server instructions

infrastructure/graduated/debian/debian.md

@@ -0,0 +1,135 @@
+# Debian
+
+- [Debian](#debian)
+  - [Setup SSH](#setup-ssh)
+  - [Fail2Ban](#fail2ban)
+  - [Automatic Updates](#automatic-updates)
+  - [Extras](#extras)
+
+Note these instructions differentiate between an `operator` and a `server`. The operator can be
+any machine that configure the server. A pipeline, laptop, dedicated server, etc. are all options.
+The server can be its own operator, though that's not recommended since servers should be ephemeral
+and the operator will store information about each server.
+
+## Setup SSH
+
+On the operator:
+
+```bash
+export SSH_HOST=kube
+ssh-keygen -t rsa -b 4096 -C ducoterra@${SSH_HOST}.reeselink.com -f ~/.ssh/id_${SSH_HOST}_rsa
+
+# Note: If you get "too many authentication failures" it's likely because you have too many private
+# keys in your ~/.ssh directory. Use `-o PubkeyAuthentication` to fix it.
+ssh-copy-id -o PubkeyAuthentication=no -i ~/.ssh/id_${SSH_HOST}_rsa.pub ducoterra@${SSH_HOST}.reeselink.com
+ssh -i ~/.ssh/id_${SSH_HOST}_rsa -o 'PubkeyAuthentication=yes' ducoterra@${SSH_HOST}.reeselink.com
+```
+
+On the server:
+
+```bash
+# Copy authorized_keys to root
+sudo cp ~/.ssh/authorized_keys /root/.ssh/authorized_keys
+
+# Change your password
+passwd
+
+sudo su -
+echo "PasswordAuthentication no" > /etc/ssh/sshd_config.d/01-prohibit-password.conf
+echo '%sudo    ALL=(ALL)   NOPASSWD: ALL' > /etc/sudoers.d/01-nopasswd-sudo
+systemctl restart ssh
+```
+
+On the operator:
+
+```bash
+cat <<EOF >> ~/.ssh/config
+
+Host $SSH_HOST
+    Hostname ${SSH_HOST}.reeselink.com
+    User root
+    ProxyCommand none
+    ForwardAgent no
+    ForwardX11 no
+    Port 22
+    KeepAlive yes
+    IdentityFile ~/.ssh/id_${SSH_HOST}_rsa
+EOF
+
+# Test if you can SSH with a password
+ssh -o PubkeyAuthentication=no ducoterra@${SSH_HOST}.reeselink.com
+
+# Test that you can log into the server with ssh config
+ssh $SSH_HOST
+```
+
+## Fail2Ban
+
+On the server:
+
+```bash
+apt update
+apt install -y fail2ban
+```
+
+Edit /etc/fail2ban/jail.d/defaults-debian.conf and add `backend = systemd`
+
+```conf
+[sshd]
+enabled = true
+# Add backend
+backend = systemd
+```
+
+Enable the service
+
+```bash
+systemctl enable fail2ban --now
+```
+
+## Automatic Updates
+
+On the server:
+
+```bash
+apt install -y unattended-upgrades
+
+systemctl enable --now unattended-upgrades.service
+```
+
+## Extras
+
+On the server:
+
+```bash
+# Install glances for system monitoring
+apt install -y glances net-tools vim
+
+# Install zsh with autocomplete and suggestions
+apt install -y zsh zsh-autosuggestions zsh-syntax-highlighting
+
+cat <<EOF > ~/.zshrc
+# Basic settings
+autoload bashcompinit && bashcompinit
+autoload -U compinit; compinit
+zstyle ':completion:*' menu select
+
+# Prompt settings
+autoload -Uz promptinit
+promptinit
+prompt redhat
+PROMPT_EOL_MARK=
+
+# Syntax Highlighting
+source /usr/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
+source /usr/share/zsh-autosuggestions/zsh-autosuggestions.zsh
+
+### Custom Commands and Aliases ###
+EOF
+
+chsh -s $(which zsh) && chsh -s $(which zsh) ducoterra
+
+# Cockpit
+apt install -y cockpit
+systemctl enable --now cockpit
+```