This page is likely more commonly updated than other pages in this wiki, so instructions will likely change the more tips I pick up from redeploying servers.

The usual process of loading the OS image into a virtual machine, and/or creating a bootable disk for installation on bare-metal, has been thoroughly documented in many tutorials out there. Here's one provided by Ubuntu tutorials on Windows. This page is intended to document what generally should come after such an installation.

Set fixed IP route

root:~# dhclient -r  # release
root:~# dhclient

Update the system:

sudo apt update
sudo apt upgrade

Enable firewall

user:~$ sudo vim /etc/ufw/ufw.conf
IPV6=no
user:~$ sudo ufw allow 22/tcp comment "SSH"
user:~$ sudo ufw allow 80/tcp comment "HTTP"
user:~$ sudo ufw allow 443/tcp comment "HTTPS"
user:~$ sudo ufw deny to 224.0.0.1 comment "IGMP snooping"
user:~$ sudo ufw enable

Set timezone to current timezone,

sudo timedatectl set-timezone Asia/Singapore

Copy .bashrc (configuration for subshells) to .bash_profile (configuration for login shells). Note .profile is lower in the priority list.

cp ~/.bashrc ~/.bash_profile

Generate a ballast file:

sudo fallocate -l 1G /ballast.tmp

Add swap if not already provided:

sudo touch /swap.img
sudo fallocate -l 8G /swap.img
sudo chmod 0600 /swap.img
sudo mkswap /swap.img
sudo swapon /swap.img

# Add to /etc/fstab:
# /swap.img none swap sw 0 0

Option of creating either RSA or EDCSA key pairs, the latter is preferred (and also preferably using one of the NIST curves). Consider using a structured way of managing keys, and always add passphrases to protect against key leakage.

ssh-keygen -t ed25519 -C justin-org-machine-datetime-1 -f ~/.ssh/justin-org-machine-datetime-1

Change the permissions of the .ssh directory and .ssh/authorized_keys file to 700 (u+rwx) and 600 (u+rw) respectively.

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

If there is a need to add public key to client machines' authorized_keys, use ssh-copy-id.

ssh-copy-id -i ~/.ssh/justin-org-machine-datetime-1 [USER]@[HOST] -o VisualHostKey=yes

Note the use of the VisualHostKey flag above to display the randomart image (ASCII art) of the target SSH server's public key. This is used for easier key comparison to ensure the correct server is targeted. To view the fingerprint on the server:

sudo ssh-keygen -lvf /etc/ssh/ssh_host_ecdsa_key.pub

ssh-add -t 86400 ~/.ssh/justin-org-machine-datetime-1

user:~$ systemctl --user enable --now ssh-agent

More SSH tips:

• https://news.ycombinator.com/item?id=23025756
• https://smallstep.com/blog/ssh-tricks-and-tips/

Where already documented, links to the corresponding pages for each software is non-exhaustively listed here.

1. A partially maintained list of software
2. Python 3 and associated libraries
3. Certbot using Python3 and GoDaddy credentials

First install Samba client with sudo apt install cifs-utils, then update the fstab file to mount the SMB. Note that the samba package on the other hand holds the server.

Example below connects to SMB server as www-data user, by configuring /etc/fstab. Note the common mistake of not specifying file_mode and dir_mode leading to world-readable data:

/etc/credentials/.smbcredentials

user=[SAMBA_USER]
password=[SAMBA_PASSWORD]

Mount the folder once configuration is done, using sudo mount -a. Unmount with sudo umount [MOUNT_POINT]. For other mount types, consider nfs-common and sshfs, e.g. sshfs#USERNAME@HOST:/... /mnt/... fuse identityfile=/home/...,uid=1000,gid=0,defaults,_netdev,allow_other 0 0

Putting stuff in "/etc/fstab" directly results in the system attempting to mount at boot time, which will delay boot when the network share is not available. "autofs" and "automount" have been around to solve this problem, and now as of 2013 or so, systemd itself is able to manage it as well.

Simply add noauto,x-systemd.automount to the mount options and the required "mount" and "automount" services will be created under /run/systemd/generator.

Can be found in /etc/update-motd.d/, with scripts executed in alphabetical order.

If basic folders are not desired, create symbolic links for them:

# Probably can safely delete the rest: Documents, Music, Videos, Templates, Public
user:~$ rmdir Downloads  # Pictures as well for screenshots
user:~$ ln -s Desktop Downloads

Ubuntu runs with two simultaneous authentication systems, linked to past difficulties working with GUI applications using sudo. This eventually branched off into Polkit and sudo²⁾:

• PolKit provides more fine-grained policies for running privileged applications. Usually used by default in Ubuntu, when requesting admin access.
• sudo grants more permissions, though access to binaries can be controlled using sudo policies as well. More longstanding.

Care needs to be taken when switching authentication from user password to root password (the use of root password is more common in other distros). In Ubuntu, both sudo and Polkit policies must be modified³⁾. The ArchWiki is helpful for configuring Polkit in this regard:

# Modify sudo policy
user:~# sudo passwd
user:~$ sudo visudo
...
Defaults targetpw
...
 
# Override polkit authentication policy (for Ubuntu 24)
# Admin rules are loaded in lexographical order, and competes with
# the default rules loaded in /usr/share/polkit-1/rules.d/
user:~$ sudo vim /etc/polkit-1/rules.d/00-admin.conf
polkit.addAdminRule(function(action, subject) {
    return ["unix-user:root"];
});
# Not necessary since rules will be hot-loaded
user:~$ sudo systemctl restart polkit

Local authority configuration alternative

# Modify polkit policy to disable the following line
#AdminIdentities=unix-group:sudo;unix-group:admin
user:~$ sudo vim /etc/polkit-1/localauthority.conf.d/99-local-authority.conf
[Configuration]
AdminIdentities=unix-user:0

Autofs to deal with network dropouts: