These are the steps I copy and paste after a standard Debian install. This also applies to e.g. Raspberry Pi.
So I log in via ssh as user houghi and become root with either su - or sudo -i. First some updates, upgrades and installs. The second line of installs is if there is a GUI. If not, skip it. This is all to be done before the user has done a first login.
apt update
apt upgrade -y
apt install -y imagemagick vim mc htop nmap nfs-common nfs-kernel-server rsync screen iperf3 curl shellcheck apt-transport-https ccze bc lynx jhead fortunes libpam-google-authenticator locate whois dnsutils xinetd rename unattended-upgrades chrony
apt install -y vim-gtk3 libavahi-compat-libdnssd1 libqt5core5a libqt5gui5 libqt5network5 libqt5widgets5 gparted grub-customizer xbindkeys wmctrl mssh geeqie
update-alternatives --set editor /usr/bin/vim.basic
sed -i 's/.*motd/#&/' /etc/pam.d/sshd
Setting up ssh. Only user houghi will be allowed to log in and Google Authenticator will be active. I have a shared /home directory; otherwise you need to configure 2FA. Look on this page for more info.
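# sshd keeps the first value it reads for a keyword, so an earlier uncommented
# PermitRootLogin or AllowUsers line would win over the ones appended here.
cat << _EOF_ >> /etc/ssh/sshd_config
PermitRootLogin no
AllowUsers houghi
_EOF_
echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd
# Newer OpenSSH releases call this option KbdInteractiveAuthentication (the old
# name remains an alias); adjust the pattern if sshd_config uses the new name.
sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config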
Add the data to log in to /home/houghi, so I can log in if /home is not mounted.
mount data:/home /tmp
# -p keeps owner and mode; the PAM module expects the secret file to be owned by the user
cp -p /tmp/houghi/.google_authenticator /home/houghi/.
umount /tmp
Add partitions to fstab. (See that it adds the underscores)
cat << _EOF_ >> /etc/fstab
#Added by houghi
data:/home /home nfs defaults 0 0
old-small:/data /data nfs defaults 0 0
data:/usr/local /usr/local nfs defaults,ro 0 0
_EOF_
Set up the directories. As I have a shared /home directory, I need to have separate .config and .local files. So .config will be symlinked to /.BAKHOME/$USER and that will be symlinked to $HOME/.CONFIG/$HOSTNAME/.config. Because the $HOSTNAME is different, the symlink is as well.
mkdir -p /.BAKHOME
mkdir -p /data
mkdir -p /home/houghi/.CONFIG/$HOSTNAME/.config
mkdir -p /home/houghi/.CONFIG/$HOSTNAME/.local
ln -s /home/houghi/.CONFIG/$HOSTNAME /.BAKHOME/houghi
Populate the .config files
for DIR in Terminal autostart mc xfce4
do
rsync -azxh /home/houghi/.CONFIG/right/.config/${DIR} /home/houghi/.config
done
Writing three files for rsync to work. An explanation on rsync will follow.
cat << _EOF_ >> /etc/rsyncd.conf
pid file = /run/rsyncd.pid
lock file = /run/rsyncd.lock
log file = /var/log/rsync.log
uid = root
gid = root
read only = true
timeout = 300
[root]
path = /
comment = backup
exclude from = /etc/rsyncd.exclude
_EOF_
cat << _EOF_ >> /etc/rsyncd.exclude
- /dev
- /run
- /sys
- /data
- /usr/local
- /lost+found
- /media
- /mnt
- /proc
- /tmp
- /home
- /srv
_EOF_
echo "
# default: off
# description: The rsync server is a good addition to an ftp server, as it \
# allows crc checksumming etc.
service rsync
{
disable = no
flags = IPv6
socket_type = stream
port = 873
wait = no
user = root
server = /usr/bin/rsync
server_args = --daemon
log_on_failure += USERID
}
" > /etc/xinetd.d/rsyncd
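The [root] module in the rsyncd.conf above sets neither hosts allow nor auth users, so unless something outside these files (a firewall, for instance) limits access to port 873, any client can read everything under / that the exclude list does not name, with the daemon running as root. The check below is an added example, not part of the original steps; it runs over two constructed inputs, and the address 192.0.2.10, the rsync user backup and the secrets file path are placeholders.

```shell
# Added example: list rsync daemon modules that set neither "hosts allow"
# nor "auth users". A module-level value overrides the global one; parameter
# names are matched exactly as spelled in rsyncd.conf(5).
audit_rsyncd() {
    awk '
    function trim(s) { gsub(/^[ \t]+/, "", s); gsub(/[ \t]+$/, "", s); return s }
    function pick(k) { return (k in m) ? m[k] : g[k] }
    function report() {
        if (mod != "" && pick("hosts allow") == "" && pick("auth users") == "") {
            printf "[%s] path=%s uid=%s: no hosts allow, no auth users\n",
                   mod, pick("path"), pick("uid")
            bad = 1
        }
        split("", m)    # clear the settings of the module just checked
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ { report(); mod = trim($0); mod = substr(mod, 2, length(mod) - 2); next }
    {
        i = index($0, "="); if (i == 0) next
        k = trim(substr($0, 1, i - 1)); v = trim(substr($0, i + 1))
        if (mod == "") g[k] = v; else m[k] = v
    }
    END { report(); exit bad + 0 }
    ' "$@"
}

# Constructed input 1: the access-related settings of the rsyncd.conf above.
page_conf() { cat << '_EOF_'
uid = root
gid = root
read only = true
[root]
path = /
exclude from = /etc/rsyncd.exclude
_EOF_
}

# Constructed input 2: the same module limited to one backup host and one
# rsync user (placeholder values, appended to the [root] section).
hardened_conf() { page_conf; cat << '_EOF_'
hosts allow = 192.0.2.10
auth users = backup
secrets file = /etc/rsyncd.secrets
_EOF_
}

page_conf | audit_rsyncd || echo "page config: restrict the module(s) listed above"
hardened_conf | audit_rsyncd && echo "hardened config: every module is restricted"
```

On the installed machine the same function takes the file as an argument: audit_rsyncd /etc/rsyncd.conf.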
Password-less login, restarting of services so the user will automagically log in.
dpkg -i /home/houghi/Downloads/synergy_1.10.3.stable_b120+ca35737a_debian_amd64.deb
rm /home/houghi/.config/Synergy/Synergy.conf
sed -i 's/#autologin-user=/autologin-user=houghi/g' /etc/lightdm/lightdm.conf
sed -i 's/#autologin-user-timeout=0/autologin-user-timeout=0/g' /etc/lightdm/lightdm.conf
/etc/init.d/xinetd restart
service ssh restart
init 3
init 5
And that is basically it. Obviously different things need to be done as well.