PC Engines APU - OpenVPN Access Server
Starting points
OpenVPN AS
Offline, automated OS install using USB & Kickstart.
Prerequisites
Download the latest CentOS 7.x minimal install ISO.
Download the latest OpenVPN AS package for CentOS 7 64bit.
PC Engines APU with one mSATA SSD installed.
Connect the APU's serial console.
Prepare USB stick
Copy files to USB
Mount filesystems:
mkdir /mnt/{boot,CentOS7,iso}
mount /dev/sdc1 /mnt/boot
mount /dev/sdc2 /mnt/CentOS7
mount CentOS-7-x86_64-Minimal-1503-01.iso /mnt/iso
Copy isolinux to USB:
cp /mnt/iso/isolinux/* /mnt/boot
Edit syslinux.cfg:
cd /mnt/boot
mv isolinux.cfg syslinux.cfg
vi /mnt/boot/syslinux.cfg
label linux
menu label ^Install CentOS 7 - Kickstart
kernel vmlinuz
append initrd=initrd.img inst.stage2=hd:sdb2:/ ks=hd:sdb1:/ks.cfg
Copy ISO file:
cp CentOS-7-x86_64-Minimal-1503-01.iso /mnt/CentOS7
Copy the Kickstart file to the USB stick (/mnt/boot/ks.cfg). Replace the sha512 password hash placeholders with your own hashes:
####
#### PC Engines APU KickStart installation
####
install
cdrom
network --onboot yes --bootproto dhcp
lang en_US.UTF-8
keyboard --vckeymap=us --xlayouts='us','us'
rootpw --iscrypted <sha512 password hash>
firewall --service=ssh
authconfig --enableshadow --passalgo=sha512
selinux --enforcing
timezone --utc Europe/Amsterdam
# Do not clear partitions / MBR on USB-stick!
ignoredisk --drives=sdb
# Set serial console and change disk elevator to noop for SSD.
bootloader --location=mbr --driveorder=sda --append="console=tty0 console=ttyS0,115200 elevator=noop rd_NO_PLYMOUTH"
# Any disks whose formatting is unrecognized are initialized.
zerombr
# Erases all partitions from the system.
clearpart --all --drives=sda --initlabel
# Initialize boot partition.
part /boot --fstype=xfs --size=512 --asprimary
# Create LVM pv and vg.
part pv.01 --size=1000 --grow --asprimary
volgroup vg pv.01
# Create LVs. Leave some free space in the VG for later use.
logvol swap --vgname=vg --size=512 --name=lv_swap --fstype=swap
logvol / --vgname=vg --size=4096 --name=lv_root --fstype=xfs
logvol /var --vgname=vg --size=4096 --name=lv_var --fstype=xfs
logvol /home --vgname=vg --size=512 --name=lv_home --fstype=xfs
# Create non-administrative user. --iscrypted marks the password as a hash; without it the value is taken as plaintext.
user --name=username --homedir=/home/username --iscrypted --password=<sha512 password hash>
# Reboot after installation.
reboot
# Install minimal, exclude @Base, exclude documentation
%packages --nobase --excludedocs
@Core #default
openssh-clients #ssh client, key agent, sftp, scp
%end
%post
# Disable SSH root login
/bin/sed -i.bak 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
# Mount /tmp as tmpfs.
systemctl enable tmp.mount
#Add weekly fstrim job
cat << EOF > /etc/cron.weekly/fstrim
#!/bin/sh
#this script will run weekly, will overwrite log.
trimlog=/var/log/fstrim.log
echo > \$trimlog
for fs in \$(lsblk -o MOUNTPOINT,DISC-MAX,FSTYPE | grep -E '^/.* [1-9]+.* ' | awk '{print \$1}'); do
printf "\`date\` - \`fstrim -v \$fs\`\n" >>\$trimlog
done
EOF
chmod +x /etc/cron.weekly/fstrim
# Enable LVM to issue discards.
/bin/sed -i.bak 's/issue_discards = 0/issue_discards = 1/g' /etc/lvm/lvm.conf
# Reduce swappiness.
echo "vm.swappiness=1" >> /etc/sysctl.d/swappiness.conf
echo "vm.vfs_cache_pressure=50" >> /etc/sysctl.d/swappiness.conf
# Set chassis name and icon
/bin/hostnamectl set-chassis "server"
# Disable kdump
/bin/systemctl disable kdump
exit 0
%end
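A pre-flight check for the password directives in the Kickstart file above, as an added example that is not part of the original page: it flags placeholders that were never replaced, passwords given without --iscrypted, and hashes that are not SHA-512 crypt. The function names ks_make_hash and ks_lint_passwords and the script name ks_lint.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): lint the password directives in a
# Kickstart file before it is copied to the USB stick. Function names are hypothetical.

# Prompt for a password and print its SHA-512 crypt hash (needs OpenSSL 1.1.1+).
ks_make_hash() {
    openssl passwd -6
}

# Print one finding per line for file $1; return 0 if clean, 1 otherwise.
ks_lint_passwords() {
    awk '
    /^[ \t]*#/ { next }                          # skip comments
    $1 != "rootpw" && $1 != "user" { next }      # only these carry passwords
    /<[^>]*>/ {                                  # template placeholder still present
        print "line " NR ": placeholder not replaced with a real hash"
        bad = 1; next
    }
    {
        crypted = 0; pw = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "--iscrypted") {
                crypted = 1
            } else if ($i ~ /^--password=/) {
                pw = substr($i, 12)              # text after "--password="
            } else if ($1 == "rootpw" && $i !~ /^--/) {
                pw = $i                          # rootpw takes the hash positionally
            }
        }
        if (pw == "") { next }                   # locked or password-less account
        if (!crypted) {
            print "line " NR ": password without --iscrypted is treated as plaintext"
            bad = 1
        } else if (pw !~ /^\$6\$/) {
            print "line " NR ": hash is not SHA-512 crypt ($6$...)"
            bad = 1
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Stand-alone use: sh ks_lint.sh /mnt/boot/ks.cfg
[ $# -eq 0 ] || ks_lint_passwords "$1"
```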
Install the OS
Boot the APU, press F12 and select the USB-stick. Installation will be automatic. Output can be seen on serial console:
screen /dev/ttyUSB0 115200
Set hostname:
hostnamectl set-hostname <your-FQDN>
Configure networking, firewall.
Retrieve latest updates:
yum update
Install and configure chrony.
Configure postfix.
Install and configure yum-cron.
Install and configure apcupsd (in EPEL7).
Install and configure monitoring; check_mk, hddtemp, smartmontools, lm_sensors.
Install and configure back-up / restore (Bacula)
pc_engings_apu_openvpn_as.txt · Last modified: 2021/10/09 15:14 (external edit)