moving everything to active or retired vs incubating and graduated

active/os_ubuntu/ubuntu-server-24.04.md

@@ -0,0 +1,145 @@
+# Ubuntu Server
+
+- [Ubuntu Server](#ubuntu-server)
+  - [Setup SSH](#setup-ssh)
+  - [Fail2Ban](#fail2ban)
+  - [Automatic Updates](#automatic-updates)
+  - [Disable Swap](#disable-swap)
+  - [Extras](#extras)
+  - [Troubleshooting](#troubleshooting)
+    - [nmcli device unmanaged](#nmcli-device-unmanaged)
+
+Note these instructions differentiate between an `operator` and a `server`. The operator can be
+any machine that configure the server. A pipeline, laptop, dedicated server, etc. are all options.
+The server can be its own operator, though that's not recommended since servers should be ephemeral
+and the operator will store information about each server.
+
+## Setup SSH
+
+On the operator:
+
+```bash
+export SSH_HOST=kube
+ssh-keygen -t rsa -b 4096 -C ducoterra@${SSH_HOST}.reeselink.com -f ~/.ssh/id_${SSH_HOST}_rsa
+
+# Note: If you get "too many authentication failures" it's likely because you have too many private
+# keys in your ~/.ssh directory. Use `-o PubkeyAuthentication` to fix it.
+ssh-copy-id -o PubkeyAuthentication=no -i ~/.ssh/id_${SSH_HOST}_rsa.pub ducoterra@${SSH_HOST}.reeselink.com
+ssh -i ~/.ssh/id_${SSH_HOST}_rsa -o 'PubkeyAuthentication=yes' ducoterra@${SSH_HOST}.reeselink.com
+```
+
+On the server:
+
+```bash
+# Copy authorized_keys to root
+sudo cp ~/.ssh/authorized_keys /root/.ssh/authorized_keys
+
+# Change your password
+passwd
+
+sudo su -
+echo "PasswordAuthentication no" > /etc/ssh/sshd_config.d/01-prohibit-password.conf
+echo '%sudo    ALL=(ALL)   NOPASSWD: ALL' > /etc/sudoers.d/01-nopasswd-sudo
+systemctl restart ssh
+```
+
+On the operator:
+
+```bash
+cat <<EOF >> ~/.ssh/config
+
+Host $SSH_HOST
+    Hostname ${SSH_HOST}.reeselink.com
+    User root
+    ProxyCommand none
+    ForwardAgent no
+    ForwardX11 no
+    Port 22
+    KeepAlive yes
+    IdentityFile ~/.ssh/id_${SSH_HOST}_rsa
+EOF
+
+# Test if you can SSH with a password
+ssh -o PubkeyAuthentication=no ducoterra@${SSH_HOST}.reeselink.com
+
+# Test that you can log into the server with ssh config
+ssh $SSH_HOST
+```
+
+## Fail2Ban
+
+On the server:
+
+```bash
+apt update
+apt install -y fail2ban
+
+# Setup initial rules
+cat <<EOF > /etc/fail2ban/jail.local
+# Jail configuration additions for local installation
+
+# Adjust the default configuration's default values
+[DEFAULT]
+# Optional enter an trusted IP never to ban
+ignoreip = 2600:1700:1e6c:a81f::0/64
+bantime  = 6600
+backend = auto
+
+# The main configuration file defines all services but
+# deactivates them by default. We have to activate those neeeded
+[sshd]
+enabled = true
+EOF
+
+systemctl enable fail2ban --now
+tail -f /var/log/fail2ban.log
+```
+
+## Automatic Updates
+
+On the server:
+
+```bash
+apt install -y unattended-upgrades
+
+systemctl enable --now unattended-upgrades.service
+```
+
+## Disable Swap
+
+```bash
+swapoff -a
+```
+
+## Extras
+
+On the server:
+
+```bash
+# Install glances for system monitoring
+apt install -y glances net-tools vim tmux
+
+# Cockpit
+apt install -y cockpit
+systemctl enable --now cockpit
+```
+
+## Troubleshooting
+
+### nmcli device unmanaged
+
+Ubuntu installs a config file that sets most devices unmanaged:
+
+/usr/lib/NetworkManager/conf.d/10-globally-managed-devices.conf:
+
+[keyfile]
+unmanaged-devices=*,except:type:wifi,except:type:gsm,except:type:cdma
+
+To disable this, You can create a blank file with the same name in /etc:
+
+sudo touch /etc/NetworkManager/conf.d/10-globally-managed-devices.conf
+sudo systemctl restart NetworkManager
+
+Then `nmcli device set <device-name> managed yes`
+
+Then turn on "Connect Automatically" in Cockpit.