Update basic install instructions

1 files changed, 100 insertions, 89 deletions

diff --git a/fripost-docs.org b/fripost-docs.org
index b2b1445..1b234f1 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -25,7 +25,7 @@ separate file called "COPYING".
 This is the documentation of the server configuration used by the free e-mail
 association, given here to provide a transparent system.
 
-Debian GNU/Linux lenny is the target system.
+Debian GNU/Linux lenny is the current target system.
 
 The complete documentation is the actual configuration files on the servers.
 This document intends to give a general idea of the setup and be of help if we
@@ -44,16 +44,23 @@ send them to skangas@skangas.se.
 
 * BASIC SETUP -- Checklist after having installed a new Debian GNU/Linux-server
 
-  - Do not install any "tasks" during installation (web server etc.).
-  - If using expert install, you might want to choose to install "Base system".
-  - Make sure to answer "yes" to shadow passwords and MD5.
-  - Disable root account.
+** Basic installation instructions
+
+- Use expert install to maximize fun.
+- Preferably, only install the "Standard system utilities" and "SSH Server" tasks.
+- Make sure to answer "yes" to shadow passwords and MD5.
+- Do disable the root account.
 
 ** Install etckeeper
-   Used to keep track of /etc.  Install ASAP after install!
-   - /etc/etckeeper/etckeeper.conf
+
+Used to keep track of /etc.  Install ASAP after install!
+
+:: /etc/etckeeper/etckeeper.conf
+
      AVOID_COMMIT_BEFORE_INSTALL=1
-   - cd /etc && sudo etckeeper init && sudo etckeeper commit "first commit"
+
+# not needed on squeeze:
+cd /etc && sudo etckeeper init && sudo etckeeper commit "first commit"
 
 ** Uninstall a bunch of unnecessary packages
 
@@ -64,92 +71,97 @@ send them to skangas@skangas.se.
 ** Packages to install
 *** Administrative
 
-    - sudo aptitude install openssh-server molly-guard ntp ntpdate screen
+sudo aptitude install openssh-server molly-guard ntp ntpdate screen
 
-    If the system is on a dynamic IP (e.g. using DHCP):
-
-    - sudo aptitude install resolvconf
+# If the system is on a dynamic IP (e.g. using DHCP):
+sudo aptitude install resolvconf
 
 *** Security
 
-    - sudo aptitude install logcheck syslog-summary harden-servers
-
-    NB: harden-clients conflicts with telnet, which as we know is very handy
-    during configuration.  Therefore, optionally:
+sudo aptitude install logcheck syslog-summary harden-servers
 
-    - sudo aptitude install harden-clients
+# NB: harden-clients conflicts with telnet, which as we know is very handy
+# during configuration.  Therefore, only optionally:
+sudo aptitude install harden-clients
 
 ** Configure sshd
-   First, make sure you have put your private key in ~/.ssh/authorized_keys2
 
-   - /etc/ssh/sshd_config
-:HIDDEN:
-# Add relevant users here
-AllowUsers xx yy zz
+Make sure your private key is in ~/.ssh/authorized_keys2
 
-# Change these settings
-PermitRootLogin no
-PasswordAuthentication no
-X11Forwarding no
-:END:
-   - /etc/init.d/ssh restart
-   
-   Without closing the current connection, try to connect to the server,
-   verifying that you can still connect.
+:: /etc/ssh/sshd_config
 
+    # Add relevant users here
+    AllowUsers xx yy zz
+    
+    # Change these settings
+    PermitRootLogin no
+    PasswordAuthentication no
+    X11Forwarding no
+    
+/etc/init.d/ssh restart
+   
+# Without closing the current connection, try to connect to the server,
+# verifying that you can still connect.
+ 
 ** Configure sudo
-   If you disabled root account during installation, the default account is
-   already in the sudo group.  Otherwise, follow these steps:
 
-   - Add relevant users to the sudo group
-   - EDITOR="emacs" sudo visudo
+# If you disabled root account during installation, the default account is
+# already in the sudo group.  Otherwise, follow these steps:
+
+sudo adduser myuser sudo
+
+sudo EDITOR="emacs" visudo
+
      %sudo ALL= (ALL) ALL
 
 ** Configure logcheck
 
-   - sudo aptitude install logcheck syslog-summary
+sudo aptitude install logcheck syslog-summary
 
-   - /etc/logcheck/logcheck.conf
+:: /etc/logcheck/logcheck.conf
 
      INTRO=0
      SENDMAILTO="skangas@skangas.se"
 
-   - /etc/logcheck/ignore.d.server/ntp
-:HIDDEN:
-- ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled) [0-9]+$
-+ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled|status( change)?) [0-9]+$
-:END:
-   - /etc/logcheck/ignore.d.server/ssh [until logcheck 1.3.7 hits stable]
-:HIDDEN:
-+ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: disconnected by user$
-:END:
-   - /etc/logcheck/ignore.d.server/rsyslog [until rsyslog 4.2.0-2 hits stable]
-:HIDDEN:
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? imklog [0-9.]+, log source = /proc/kmsg started.$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging (proc) stopped.$
-:END:
-   - /etc/logcheck/ignore.d.server/ddclient
+:: /etc/logcheck/ignore.d.server/ntp
+
+    - ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled) [0-9]+$
+    + ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled|status( change)?) [0-9]+$
+    
+:: /etc/logcheck/ignore.d.server/ssh [until logcheck 1.3.7 hits stable]
+
+    + ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: disconnected by user$
+
+:: /etc/logcheck/ignore.d.server/rsyslog [until rsyslog 4.2.0-2 hits stable]
+
+    ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? imklog [0-9.]+, log source = /proc/kmsg started.$
+    ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$
+    ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging (proc) stopped.$
+    
+/etc/logcheck/ignore.d.server/ddclient
 :HIDDEN:
-+ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING:  file /var/cache/ddclient/ddclient.cache, line [0-9]+: Invalid Value for keyword 'ip' = ''$
-+ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING:  updating [._[:alnum:]-]+: nochg: No update required; unnecessary attempts to change to the current address are considered abusive$
-:END:
 
-** Configuring aptitude and friends
+    + ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING:  file /var/cache/ddclient/ddclient.cache, line [0-9]+: Invalid Value for keyword 'ip' = ''$
+    + ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING:  updating [._[:alnum:]-]+: nochg: No update required; unnecessary attempts to change to the current address are considered abusive$
+    :END:
 
-   We're going for a setup where we install many security updates automatically
-   using the package "unattended-upgrades".  Automated upgrades are in general
-   not a very good idea, but "unattended-upgrades" takes steps to mitigate the
-   problems with this kind of setup.  Given the Debian security teams track
-   record in recent years we believe the positives outweigh the negatives.
+** Configuring aptitude and friends
 
-   For the situations when unattended-upgrades fails (e.g. when there are
-   configuration changes), we should e-mail the administrator.  We will be using
-   apticron to do this until the version of unattended-upgrades in stable
-   supports mailing when an upgrade fails (the one in unstable does).
+# We're going for a setup where we install many security updates automatically
+# using the package "unattended-upgrades".  Automated upgrades are in general not
+# a very good idea, but "unattended-upgrades" takes steps to mitigate the problems
+# with this kind of setup.  Given the Debian security teams track record in recent
+# years we believe the positives outweigh the negatives.
+# 
+# For the situations when unattended-upgrades fails (e.g. when there are
+# configuration changes), we should e-mail the administrator.  We will be using
+# apticron to do this until the version of unattended-upgrades in stable supports
+# mailing when an upgrade fails (the one in unstable does).
+# 
+sudo aptitude install apticron unattended-upgrades
+
+:: /etc/apt/apt.conf
 
-   - sudo aptitude install apticron unattended-upgrades
-   - /etc/apt/apt.conf
      :CONTENT:
 // Limit download speed
 //Acquire::http::Dl-Limit "70";
@@ -195,31 +207,30 @@ Aptitude
   }
 }
      :END:
-   - /etc/apticron/apticron.conf
-     EMAIL="skangas@skangas.se"
 
-** Reconfigure exim
+:: /etc/apticron/apticron.conf
 
-   - sudo dpkg-reconfigure exim4-config
-:HIDDEN:
-   - select "mail sent by smarthost; no local mail"
-   - hostname:
-     host.example.com
-   - listen on:
-     127.0.0.1
-   - other destinations:
-     [empty]
-   - visible domain name:
-     host.example.com
-   - address of outgoing smarthost
-     smtp.bredband.net [or whatever the ISP uses]
-   - number of DNS queries minimal?
-     no
-   - split configuration?
-     no
-:END:
+     EMAIL="skangas@skangas.se"
 
+** Reconfigure exim
 
+sudo dpkg-reconfigure exim4-config
+
+# - select "mail sent by smarthost; no local mail"
+# - hostname:
+#   host.example.com
+# - listen on:
+#   127.0.0.1
+# - other destinations:
+#   [empty]
+# - visible domain name:
+#   host.example.com
+# - address of outgoing smarthost
+#   smtp.bredband.net [or whatever the ISP uses]
+# - number of DNS queries minimal?
+#   no
+# - split configuration?
+#   no
 
 * NEXT STEPS
 ** Configuring the backup solution