============================
CAcert infra01 setup notes
============================

:Author: Jan Dittberner
:Version: 0.3
:Date: 2011-04-27

.. header:: |cacertlogo|

.. |cacertlogo| image:: CAcert-logo-colour.png
   :width: 5cm

.. contents::

initial setup
=============

* update packages using aptitude
* set up apticron to get informed about available updates
* install etckeeper, bash-completion, vim, lxc, bridge-utils, debootstrap,
  ntp, screen, pwgen, ferm, python-apt, python-ipcalc

virtual machine setup
=====================

* create script lxc-setup for lxc container creation (know-how from
  http://wiki.debian.org/LXC and /usr/share/doc/lxc)
* initialization file

  .. code-block:: ini
     :include: lxc-setup.ini

* example for svn VM

  .. code-block:: bash

     sudo ./lxc-setup -n svn -l 8G -i 10.0.0.20 -r `pwgen -s 32 -n 1` \
         -a svn-admin@cacert.org
     sudo lxc-start -n svn -f /etc/lxc/svn.conf -d

* enable forwarding

  .. code-block:: bash

     echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/local.conf
     sysctl net.ipv4.ip_forward=1

* setup of firewall rules in ``/etc/ferm/ferm.conf``

  * use aliases for internal and external addresses in the header
  * use subchains for hosts
  * host-specific rules are put in separate files in ``/etc/ferm/ferm.d/``

  .. code-block:: perl
     :include: ferm.conf

* add the ip address of the svn vhost to ``/etc/network/interfaces`` in the
  ``eth0`` section:

  .. code-block:: text

     iface eth0 inet static
         address 172.16.2.9
         netmask 255.255.255.0
         network 172.16.2.0
         broadcast 172.16.2.255
         gateway 172.16.2.1
         # dns-* options are implemented by the resolvconf package, if installed
         dns-nameservers 172.16.2.1
         dns-search infra.cacert.org
         post-up ip -4 addr add 172.16.2.15 dev eth0
         pre-down ip -4 addr del 172.16.2.15 dev eth0
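The ``ferm.conf`` layout described in the firewall item above, written out as an added example (not the ``ferm.conf`` the notes include): address aliases in the header, one subchain per container, and the ``ferm.d/`` include for host-specific rules. The addresses come from the notes; the bridge name ``br0``, the NAT mapping of the vhost address 172.16.2.15 onto the container address 10.0.0.20, and the accepted service ports are assumptions.

```perl
# /etc/ferm/ferm.conf (example layout; bridge name, NAT mapping and
# service ports are assumptions, addresses are taken from the setup notes)

# aliases for external and internal addresses, used by every chain below
@def $DEV_EXT     = eth0;
@def $DEV_INT     = br0;            # assumed bridge the containers attach to
@def $NET_INT     = 10.0.0.0/24;
@def $IP_HOST_EXT = 172.16.2.9;
@def $IP_SVN_EXT  = 172.16.2.15;    # vhost address added to eth0
@def $IP_SVN_INT  = 10.0.0.20;      # address passed to lxc-setup -i

table filter {
    chain INPUT {
        policy DROP;
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
        interface lo ACCEPT;
        proto icmp icmp-type echo-request ACCEPT;
        proto tcp dport ssh ACCEPT;
    }
    chain FORWARD {
        policy DROP;
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
        # one subchain per container; only that container's traffic enters it,
        # anything the subchain does not accept falls back to the DROP policy
        daddr $IP_SVN_INT jump svn;
        saddr $IP_SVN_INT jump svn;
    }
    # per-host rules in /etc/ferm/ferm.d/ reopen this chain and append to it
    chain svn {
        # container may open connections outward; new connections into it
        # only for the services it serves (assumed: http, https, ssh)
        saddr $IP_SVN_INT outerface $DEV_EXT ACCEPT;
        daddr $IP_SVN_INT proto tcp dport (http https ssh) ACCEPT;
    }
}

table nat {
    chain PREROUTING {
        # map the public vhost address onto the container (assumed mapping)
        interface $DEV_EXT daddr $IP_SVN_EXT DNAT to $IP_SVN_INT;
    }
    chain POSTROUTING {
        # traffic leaving the container uses the vhost address, not the host's
        outerface $DEV_EXT saddr $IP_SVN_INT SNAT to $IP_SVN_EXT;
    }
}

# host-specific rule files, one per container
@include 'ferm.d/';
```

Run ``ferm --noexec /etc/ferm/ferm.conf`` to print the generated iptables commands and check that the svn subchain is only reached for the container's own addresses before applying the rules.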