! Whenever I say to edit or copy in a file, if the same file exists beforehand, move it to .orig.

My ssh key policy is to get in using the AWS key pair, but then switch everything to use my regular key pairs.

I'm using the current Uplink Labs EBS/lts AMI.
UPDATE: Uplink Labs has quit. Use images from http://arch-ami-list.drzee.net/ instead.
Use EC optimized APIs. Per the 2023 warning, should not use XEN hypervisors such as t2-micro but use the "new Nitro Hypervisor". ("Xen Systems such as M4 or C4", plus t2 micro.)
Adds only one file system: / ext4 8GB

****** UPDATE ******
MOST OF THIS is taken care of automatically by awsUserData.bash.
See "!!" below for the few things not covered by awsUserData.bash.

After install must log in to account 'arch' using the SSH keypair you specified.
Default sudo allows all users to sudo to root.
Must run "pacman -Syy" to make pacman usable.
Update packages: pacman --noconfirm -Syu

Sequential: [LOCAL=run from local console, not the new instance]
 0. Use security groups ADMC Basic + UNIX restr., IAM role AmazonSSMRoleFor...
 1. Log in as arch with blaineAwskp.pem and exec sudo -i
 2. Completely replace the /etc/hosts file: copy in the new one, changing hostname
 3. Create /etc/hostname with FQHN
 4. pacman -Syy
 5. pacman --noconfirm -Syu
 5. pacman --noconfirm -S inetutils nfs-utils
 6. hostname FQHN
 7. vim /etc/systemd/timesyncd.conf. Add:
        NTP=169.254.169.123
 8. systemctl restart systemd-timesyncd && timedatectl timesync-status
 9. ln -sf /usr/share/zoneinfo/US/Eastern /etc/localtime
10. hwclock --systohc
11. Comment out the ^en_GB line in /etc/locale.gen.
12. locale-gen
13. mv /etc/skel /etc/skel.orig
14. Append 2 lines to /etc/fstab:
        fs-cc5bea4d:/local /usr/local nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport 0 0
        fs-cc5bea4d:/skel /etc/skel nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport 0 0
!!14.5 passwd root
!!15. exec shutdown -r now
!!16. Again: log in as arch with blaineAwskp.pem and exec sudo -i
!!17.
      cd .ssh; mv -v authorized_keys authorized_keys.orig; cp -v ~arch/.ssh/* .
!!18. LOCAL: rsync -avzH -e 'ssh -o "identityfile ~/.ssh/blaineAwskp.rsa"' ~/sharedhome/vmtemplates/admc/root/ root@NEWHOST:
!!19. chown -R root:root ~
!!20. LOCAL: Verify can log in as root over port 22: ssh root@NEWHOST hostname
!!21. cd /etc/ssh; cp -av sshd_config sshd_config.orig; vim sshd_config
      WE ALLOW NO PASSWORDS. Just add a line:
        PermitRootLogin no
      cp sshd_config.orig sshadmind.config; vim sshadmind.config
      Just add lines:
        Port 722
        AllowUsers root
        PidFile /run/sshadmind.pid
      CHANGE 'PasswordAuthentication no' to:
        #PasswordAuthentication yes
!!23. LOCAL: scp -p ~/code-templates/archLinux/sshadmind.service root@NEWHOST:/etc/systemd/system/
!!24. systemctl start sshadmind && systemctl status sshadmind && systemctl enable sshadmind
!!25. Verify port 722 access, then add a ~/.ssh/config entry if desired:
        ssh -p722 root@newhost hostname
!!26. systemctl restart sshd
      LOCAL verify: ssh -i ~/.ssh/blaineAwskp.rsa arch@NEWHOST hostname
!!27. . ~/.profile && visudo
      Double-## the '#includedir /etc/sudoers.d' line. With the Arch AMI it's originally @includedir.
      Comment the %wheel... line without NOPASSWD.
      De-comment the %wheel...NOPASSWD line.
!!28. groupadd -g 1500 blaine
      useradd -g blaine -G wheel -c 'Blaine Simpson' -m -u 1500 blaine
      passwd blaine
!!29. usermod -L -s /bin/false arch
30. pacman --noconfirm -S parted git
31. pacman --noconfirm -S ... the "#" packages in "archLinux-install.txt"
32. AUR installations:
      speed-test
      downgrade
      #groovy4   (probably better to just do a manual installation)
      nuttcp
33. standard AUR: https://aur.archlinux.org/snapd.git
    Become root again and:
      systemctl enable --now snapd.socket
      ln -s /var/lib/snapd/snap /
      # LOG OUT AND BACK IN
      snap install amazon-ssm-agent --classic
      snap services amazon-ssm-agent   # Can also start/stop/restart

X: (LOCAL: log in with switch -X if your ~/.ssh/config prevents X forwarding)
41. Enable X11Forwarding in /etc/ssh/sshd_config and restart the daemon
42.
    pacman --noconfirm -S xorg-server xorg-xauth xorg-xclock chromium or falkon
    (may also need an xorg font?) (falkon MUCH faster and lighter-weight!)

DESKTOP:
  LOCAL Connect:
    vncviewer NEWHOST:1                                                # native VNC
    ssh -fL 9901:localhost:5901 x sleep 10; vncviewer localhost:9901   # SSH tunnel
    # can't get krdc client to work
43. pacman --noconfirm -S tigervnc lxqt breeze-icons qterminal|mate-terminal gvim chromium|falkon|midori
    I prefer the falkon browser (many dependencies) but the mate desktop and mate-terminal. [try other icons]
    Use ~/sharedhome/vmtemplates/admc/etc_tigervnc/ to /etc/tigervnc/
    If using the SSH method use "localhost" in the *mandatory file; for direct native VNC don't, and add the target 5900+x/TCP port(s) to the security group to allow access.
    Copy file ~/sharedhome/code-templates/archLinux/etc_systemd_system_vncserver@.service.d/override.conf to /etc/systemd/system/vncserver@.service.d/override.conf (and 'systemctl daemon-reload' and start and enable).

NFS client requires nfs-utils.
Change the security group from the Uplink Labs one to one of mine. (Required to mount EFS.)
I also had to add the EFS hostname used in /etc/fstab to /etc/hosts.

Need inetutils to run 'hostname'. Then:
    hostname FQHN
Write the FQDN to file /etc/hostname.

Replace the OOTB ~root/.ssh/authorized_keys (which doesn't allow root login) with my key(s).
Copy in the /etc/ssh*d*config files and compare sshd_config to the original.
Put /etc/systemd/system/sshadmind.service in place.
Start sshadmind and check it, then enable it.
Restart sshd.service.

rsync in, with --exclude /.ssh, ~/sharedhome/vmtemplates/admc/root/ to the new ~root.
Immediately after, fix owner/group on ~root, or fix the rsync filter to omit it (how?).
'export EDITOR=vim' in ~root/.profile (for running visudo).
export EDITOR=vim, then visudo to allow sudo only to the wheel group,
and DISABLE the #include line that gives NOPASSWD sudo to user arch without wheel!

Localize
    # ln -sf /usr/share/zoneinfo/US/Eastern /etc/localtime
    # hwclock --systohc
Comment out the ^en_GB line in /etc/locale.gen.
Consider de-commenting ^#de_DE.UTF and '#de_DE ISO' in /etc/locale.gen:
    locale-gen
    # locale-gen

Populate /etc/hosts like so:
    127.0.0.1   localhost
    ::1         localhost
    127.0.1.1   myhostname.localdomain myhostname

BEFORE creating any accounts:
  Rename all files (hidden too!) from /etc/skel/* to .orig.
  Rsync in /home/blaine/sharedhome/vmtemplates/admc/etc_skel/* (hidden too!).
  Until I learn to filter out dir /etc/skel itself with rsync, restore its ownerships.
  !! Until I get it working, copy in /etc/skel/ and /usr/local/ from an EC2 instance
  !! that has them mounted from NFS.
Create personal account, remove group 'wheel' from the 'arch' account, disable arch.
(N.b. 'usermod -L' not working! Change the shell to /bin/false!)
Set up personal account.

Leaving no swap for now. If RAM ever all gets used up, consider adding.
systemd-networkd is already set up and working.

Install all packages marked with the # prefix in the archLinux-install.txt file.
Install the AUR packages in the same file by git cloning them, then:
    makepkg --noconfirm -sirc
For some damned reason after "pacman -Syy" and "pacman -Fy", -F searches still fail with messages like:
    error: ec2 database is inconsistent: version mismatch on package linux-hsw-lts

AWS CLI: See ~/ec2/a*bash. Use the standard AWS installation instructions, not the AUR installation.

Should use Amazon's time server 169.254.169.123.
chrony instructions at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html

NASTY BUG (don't know if only applies to ec2 or not)
In /etc/mkinitcpio.conf in HOOKS, block must be before autodetect (in some cases, apparently).

ssm-agent requires snap at this time. Ug!
https://snapcraft.io/install/amazon-ssm-agent/arch

!! Exim client setup
Copy in ~/code-templates/exim/exim-inetClient.conf. Change X to the hostname.
Generate a client cert.
    OPENSSL_CONF=client-openssl.cnf
Follow instructions at https://www.golinuxcloud.com/openssl-create-client-server-certificate/
but don't need to specify days, sha, extfile due to the OPENSSL_CONF setting above.
See imail.admc.com's /etc/mail/ for an example of where to put the files on the client (incl *cacert*).
On mail.admc.com I think (by virtue of CA trust) just need to monitor /var/log/exim/mainlog and get the ID that needs to be added to exim.conf's REPLAY_FROM_CERTS.
Probably need a 'systemctl restart exim' after that.
Test by using mailx on the new host.
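Added example for step !!21 above (the port-722 sshadmind daemon). This is not part of these notes and not a file from any of the template directories mentioned; it is a POSIX sh script that performs the /etc/ssh edits on a directory you name and checks the result before 'systemctl start sshadmind'. It assumes the AMI's sshd_config has no active PermitRootLogin or Port line; the sshd_config in demo() is a constructed sample, not the AMI's real file. The check functions encode two sshd_config facts worth keeping in mind: sshd honours the FIRST active occurrence of a keyword, so an appended "PermitRootLogin no" does nothing if an active line precedes it; and commenting out PasswordAuthentication, as step 21 does in sshadmind.config, falls back to OpenSSH's built-in default, which is yes, so port 722 will accept a root password and the security group is what limits who can try one.

```shell
#!/bin/sh
# Added example, not a file from the notes: automates the /etc/ssh edits of
# step !!21 on a copy and checks the result. DIR stands in for /etc/ssh.
set -eu

# harden_main_sshd DIR : DIR/sshd_config -> DIR/sshd_config.orig (the notes'
# convention), then append "PermitRootLogin no" to the live file.
harden_main_sshd() {
    dir=$1
    cp -p "$dir/sshd_config" "$dir/sshd_config.orig"
    printf '\nPermitRootLogin no\n' >> "$dir/sshd_config"
}

# make_sshadmind_config DIR : build DIR/sshadmind.config from the pristine
# copy, add the admin-daemon lines, and comment out PasswordAuthentication
# exactly as step 21 says (an existing sshadmind.config is moved to .orig).
make_sshadmind_config() {
    dir=$1
    if [ -f "$dir/sshadmind.config" ]; then
        mv "$dir/sshadmind.config" "$dir/sshadmind.config.orig"
    fi
    {
        sed 's/^[[:space:]]*PasswordAuthentication[[:space:]].*/#PasswordAuthentication yes/' \
            "$dir/sshd_config.orig"
        printf '%s\n' '' '# sshadmind: admin daemon on its own port' \
            'Port 722' 'AllowUsers root' 'PidFile /run/sshadmind.pid'
    } > "$dir/sshadmind.config"
}

# first_directive FILE KEYWORD : sshd uses the first active occurrence of a
# keyword, so that is the effective value; empty output means "not set".
first_directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

# effective_password_auth FILE : "yes" or "no". With every
# PasswordAuthentication line commented out, OpenSSH's built-in default
# applies, and that default is yes.
effective_password_auth() {
    v=$(first_directive "$1" PasswordAuthentication)
    printf '%s\n' "${v:-yes}"
}

# check_configs DIR : invariants to confirm before starting the unit: the
# main daemon refuses root and passwords; the admin daemon listens on 722,
# admits only root, and has its own pid file (no clash with /run/sshd.pid).
check_configs() {
    dir=$1
    [ "$(first_directive "$dir/sshd_config" PermitRootLogin)" = no ] || return 1
    [ "$(effective_password_auth "$dir/sshd_config")" = no ] || return 1
    [ "$(first_directive "$dir/sshadmind.config" Port)" = 722 ] || return 1
    [ "$(first_directive "$dir/sshadmind.config" AllowUsers)" = root ] || return 1
    [ "$(first_directive "$dir/sshadmind.config" PidFile)" = /run/sshadmind.pid ] || return 1
    return 0
}

# demo : run the whole step on a constructed sample sshd_config (not the
# AMI's real file) in a temp directory; prints the directory for inspection.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/sshd_config" <<'EOF'
# constructed sample sshd_config
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp /usr/lib/ssh/sftp-server
EOF
    harden_main_sshd "$dir"
    make_sshadmind_config "$dir"
    printf '%s\n' "$dir"
}

# "sh thisfile.sh demo" exercises the sample and reports the check result.
if [ "${1:-}" = demo ]; then
    d=$(demo)
    check_configs "$d" && echo "ok: $d"
fi
```

On a real host, point harden_main_sshd and make_sshadmind_config at /etc/ssh, then run 'sshd -t -f /etc/ssh/sshadmind.config' before starting the unit; check_configs only inspects the directives, it does not validate the whole file the way sshd -t does. Note that sshadmind.config carries no PermitRootLogin line at all, so root logs in there under the OpenSSH default of prohibit-password (key only) while the commented PasswordAuthentication line leaves password logins enabled on that port.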