{{tag>[hardware apu CentOS USB kickstart]}}

=====PC Engines APU - OpenVPN Access Server=====

====Starting points====
  * OS: CentOS 7.x
  * OpenVPN AS
  * Offline, automated OS install using USB & Kickstart.

====Prerequisites====
  * Download the latest CentOS 7.x minimal install ISO.
  * Download the latest OpenVPN AS package for CentOS 7 64bit.
  * PC Engines APU with one mSATA SSD installed.
  * Connect the APU's serial console.

====Prepare USB stick====
  * Insert the USB stick into another Linux box.
  * If the USB stick was automounted, unmount it now:<code>
umount /dev/sdc1
</code>
  * Wipe the USB stick (be careful!):<code>
wipefs -a /dev/sdc
/dev/sdc: 5 bytes were erased at offset 0x00008001 (iso9660): 43 44 30 30 31
/dev/sdc: 2 bytes were erased at offset 0x000001fe (dos): 55 aa
/dev/sdc: calling ioctl to re-read partition table: Success
</code>
  * Create a bootable 256MiB FAT32 partition:<code>
parted /dev/sdc mklabel msdos
parted /dev/sdc mkpart primary fat32 1MiB 256MiB
parted /dev/sdc set 1 boot on
</code>
  * Create an ext4 partition on the remaining space:<code>
parted /dev/sdc mkpart primary ext4 256MiB 100%
</code>
  * Format the partitions:<code>
mkfs.vfat -n boot /dev/sdc1
mkfs.ext4 -L CentOS7 /dev/sdc2
</code>
  * Install syslinux:
    * Copy MBR to USB-stick:<code>
dd conv=notrunc bs=440 count=1 if=/usr/share/syslinux/mbr.bin of=/dev/sdc
</code>
    * Install syslinux to first partition:<code>
syslinux /dev/sdc1
</code>

====Copy files to USB====
  * Mount filesystems:<code>
mkdir /mnt/{boot,CentOS7,iso}
mount /dev/sdc1 /mnt/boot
mount /dev/sdc2 /mnt/CentOS7
mount CentOS-7-x86_64-Minimal-1503-01.iso /mnt/iso
</code>
  * Copy isolinux to USB:<code>
cp /mnt/iso/isolinux/* /mnt/boot
</code>
  * Edit syslinux.cfg:<code>
cd /mnt/boot
mv isolinux.cfg syslinux.cfg
vi /mnt/boot/syslinux.cfg
</code><code>
label linux
  menu label ^Install CentOS 7 - Kickstart
  kernel vmlinuz
  append initrd=initrd.img inst.stage2=hd:sdb2:/ ks=hd:sdb1:/ks.cfg
</code>
  * Copy ISO file:<code>
cp CentOS-7-x86_64-Minimal-1503-01.iso /mnt/CentOS7
</code>
  * Copy the Kickstart file to the USB stick (/mnt/boot/ks.cfg), replacing the sha512 passphrases with your own:<code>
####
#### PC Engines APU KickStart installation
####
install
cdrom
network --onboot yes --bootproto dhcp
lang en_US.UTF-8
keyboard --vckeymap=us --xlayouts='us','us'
rootpw --iscrypted
firewall --service=ssh
authconfig --enableshadow --passalgo=sha512
selinux --enforcing
timezone --utc Europe/Amsterdam

# Do not clear partitions / MBR on USB-stick!
ignoredisk --drives=sdb

# Set serial console and change disk elevator to noop for SSD.
bootloader --location=mbr --driveorder=sda --append="console=tty0 console=ttyS0,115200 elevator=noop rd_NO_PLYMOUTH"

# Any disks whose formatting is unrecognized are initialized.
zerombr

# Erases all partitions from the system.
clearpart --all --drives=sda --initlabel

# Initialize boot partition.
part /boot --fstype=xfs --size=512 --asprimary

# Create LVM pv and vg.
part pv.01 --size=1000 --grow --asprimary
volgroup vg pv.01

# Create lv's, set discard, noatime and commit time. Leave some space left in the VG for later use.
logvol swap --vgname=vg --size=512 --name=lv_swap --fstype=swap
logvol / --vgname=vg --size=4096 --name=lv_root --fstype=xfs
logvol /var --vgname=vg --size=4096 --name=lv_var --fstype=xfs
logvol /home --vgname=vg --size=512 --name=lv_home --fstype=xfs

# Create non administrative user
# --iscrypted: the --password value is a SHA-512 crypt hash, not plaintext.
user --name=username --homedir=/home/username --iscrypted --password=

# Reboot after installation.
reboot

# Install minimal, exclude @Base, exclude documentation
%packages --nobase --excludedocs
@Core #default
openssh-clients #ssh client, key agent, sftp, scp
%end

%post
# Disable SSH root login
/bin/sed -i.bak 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config

# Mount /tmp as tmpfs.
systemctl enable tmp.mount

#Add weekly fstrim job
# \$ and \` are escaped so they are written literally into the script
# instead of being expanded while %post runs.
cat << EOF > /etc/cron.weekly/fstrim
#!/bin/sh
#this script will run weekly, will overwrite log.
trimlog=/var/log/fstrim.log
echo > \$trimlog
for fs in \$(lsblk -o MOUNTPOINT,DISC-MAX,FSTYPE | grep -E '^/.* [1-9]+.* ' | awk '{print \$1}'); do
  printf "\`date\` - \`fstrim -v \$fs\`\n" >>\$trimlog
done
EOF
chmod +x /etc/cron.weekly/fstrim

# Enable LVM to issue discards.
/bin/sed -i.bak 's/issue_discards = 0/issue_discards = 1/g' /etc/lvm/lvm.conf

# Reduce swappiness.
echo "vm.swappiness=1" >> /etc/sysctl.d/swappiness.conf
echo "vm.vfs_cache_pressure=50" >> /etc/sysctl.d/swappiness.conf

# Set chassis name and icon
/bin/hostnamectl set-chassis "server"

# Disable kdump
/bin/systemctl disable kdump

exit 0
%end
</code>

====Install the OS====
  * Boot the APU, press F12 and select the USB-stick. Installation will be automatic. Output can be seen on the serial console:<code>
screen /dev/ttyUSB0 115200
</code>

====Configure the OS====
  * Set hostname:<code>
hostnamectl set-hostname
</code>
  * Configure networking, firewall.
  * Retrieve latest updates:<code>
yum update
</code>
  * Install and configure chrony.
  * Configure postfix.
  * Install and configure yum-cron.
  * Install and configure apcupsd (in EPEL7).
  * Install and configure monitoring; check_mk, hddtemp, smartmontools, lm_sensors.
  * Install and configure back-up / restore (Bacula)

====Install and configure OpenVPN AS====
  * Download latest OpenVPN AS package.
  * Install prerequisite package:<code>
yum install net-tools
</code>
  * Install package:<code>
yum install openvpn-as-2.0.20-CentOS7.x86_64.rpm
</code>
  * Reconfigure manually:<code>
/usr/local/openvpn_as/bin/ovpn-init
</code>
  * Add customizations (logo).
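
The Kickstart step under "Copy files to USB" asks for the sha512 passphrases to be replaced. The following is an added example, not part of the original page, that checks ks.cfg before it goes onto the USB stick: the ''rootpw'' line and every ''user'' line must carry ''--iscrypted'' and a complete ''$6$'' hash. The function names and the constructed sample lines are assumptions of this example.

```shell
#!/bin/sh
# Added example: check the password lines of ks.cfg before copying it to the USB stick.
# Hashes can be generated with `openssl passwd -6` (needs OpenSSL 1.1.1 or later).

# SHA-512 crypt format: $6$[rounds=N$]<salt, 1-16 chars>$<86 chars>
HASH_RE='\$6\$(rounds=[0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}'

# count_ok KEYWORD FILE
# Counts lines starting with KEYWORD that have --iscrypted and a complete hash.
count_ok() {
    grep -E "^$1[[:space:]]" "$2" \
        | grep -E '[[:space:]]--iscrypted([[:space:]]|$)' \
        | grep -Ec "(=|[[:space:]])${HASH_RE}([[:space:]]|\$)" || true
}

# ks_check_passwords FILE
# Prints one line per problem; returns 0 only when nothing was found.
ks_check_passwords() {
    ks=$1
    rc=0
    # Exactly one rootpw line, and it must be hashed.
    if [ "$(count_ok rootpw "$ks")" -ne 1 ]; then
        echo "rootpw: needs --iscrypted and a complete \$6\$ hash"
        rc=1
    fi
    # Every user line must be hashed as well: without --iscrypted the
    # installer takes the --password value as plaintext.
    users=$(grep -Ec '^user[[:space:]]' "$ks" || true)
    if [ "$(count_ok user "$ks")" -ne "$users" ]; then
        echo "user: needs --iscrypted and --password=<complete \$6\$ hash>"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: the two password lines with their values still empty.
sample=$(mktemp)
printf '%s\n' 'rootpw --iscrypted' \
    'user --name=username --homedir=/home/username --password=' > "$sample"
ks_check_passwords "$sample" || echo "ks.cfg is not ready for the USB stick"
rm -f "$sample"
```

Run it as ''ks_check_passwords /mnt/boot/ks.cfg'' once the hashes are filled in. The FAT32 boot partition carries no file permissions, so anyone holding the stick can read whatever that file contains.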