1.1 - General Ubuntu Setup

Server setup process: Ubuntu 20.04:

English
Update to new Installer
Done (Keyboard)
Done (type of Install)
Done (Internet)
Done (Proxy)
Done (Mirror)
Custom storage layout (Done)

Setup for storage on current system:

rule of thumb: Use Btrfs for data that needs preservation, xfs for partitions that aren't set sizes, ext4 for its journaling
local: remaining xfs /

Done (Storage Configuration)

Setup for user configuration:

Your Name: Rob Castagno
Your server's name: <hostname>
Pick a username <username>
Choose a password: <pass>
Confirm your password: <pass>

Done (User config)

Final bit of setup:

Install OpenSSH server, import github ssh keys
Done (SSH Setup)

Done (Skip snaps)
Reboot Now (remove install drive)

1.2 - Server Hardening

Initial Setup and hardening of Ubuntu Server 20.04:

sudo timedatectl set-timezone America/New_York
sudo apt update && sudo apt upgrade -y
sudo swapoff -a
sudo apt install -y libpam-google-authenticator fail2ban curl apt-transport-https git wget gnupg2 software-properties-common lsb-release ca-certificates uidmap
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Configure Google Authenticator:

google-authenticator
y
<scan QR Code and enter response code>
<Grab emergency codes>
y
y
n
y

Disable Root User: sudo nano /etc/shadow

<Set password to ! to disable an account>

Configure OpenSSH Server: sudo nano /etc/ssh/sshd_config

Port 22222
Protocol 2
AllowUsers <username>
AuthenticationMethods publickey,keyboard-interactive
ChallengeResponseAuthentication yes

KbdInteractiveAuthentication yes

LoginGraceTime 5m
PermitRootLogin no
MaxAuthTries 5
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
KerberosAuthentication no
GSSAPIAuthentication no

Match Address <IP range>/<subnet> User <username>
      AuthenticationMethods publickey
      KbdInteractiveAuthentication no

Match User <username>@*
      AuthenticationMethods publickey,keyboard-interactive
      KbdInteractiveAuthentication yes

#Match User <New account>
#      UsePAMSubsystem yes
#      AuthenticationMethods password
#      PasswordAuthentication yes

Configure PAM: sudo nano /etc/pam.d/sshd

#@include common-auth
...
auth required pam_google_authenticator.so

Configure PAM for new users: sudo nano /etc/pam.d/sshd-newusers

#%PAM-1.0
auth [success=1 default=ignore] pam_succeed_if.so uid >= 1000 quiet
auth required pam_google_authenticator.so
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so

Configure Fail2Ban: sudo nano /etc/fail2ban/jail.local

<change sshd port>

Disable Swapspace: sudo nano /etc/fstab

<comment out swap line>

Restart everything so changes take effect:

sudo reboot

or

sudo systemctl restart sshd

1.3 - Starting the nfs Server

Install nfs server:

sudo apt install nfs-kernel-server -y

Configure the nfs server: sudo nano /etc/exports

/storage  <KUBERNETES_NODE_IP>(rw,sync,no_root_squash,no_subtree_check)

1.4 - Configuring zsh

Install Zsh: sudo apt install zsh -y Go through setup process: zsh My Config:

# The following lines were added by compinstall
zstyle ':completion:*' completer _complete _ignored _correct
zstyle ':completion:*' format 'Completing %d'
zstyle ':completion:*' matcher-list '' 'm:{[:lower:]}={[:upper:]} m:{[:lower:][:upper:]}={[:upper:][:lower:]}' 'r:|[._-]=* r:|=*' 'l:|=* r:|=*'
zstyle ':completion:*' max-errors 2 numeric
zstyle :compinstall filename '/home/pcb298/.zshrc'

autoload -Uz compinit
compinit
# End of lines added by compinstall
# Lines configured by zsh-newuser-install
HISTFILE=~/.histfile
HISTSIZE=9001
SAVEHIST=9001
setopt autocd
bindkey -e
# End of lines configured by zsh-newuser-install

Change shell for root and then for specific user:

sudo -s
chsh -s /bin/zsh root
chsh -s /bin/zsh <user>

Install Oh My Zsh: sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" Install Zsh autosuggestions: git clone https://github.com/zsh-users/zsh-autosuggestions ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-autosuggestions Install zsh-syntax-highlighting: git clone https://github.com/zsh-users/zsh-syntax-highlighting.git ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-syntax-highlighting Update plugins list: nano .zshrc

plugins=(
    git
    zsh-autosuggestions
    zsh-syntax-highlighting
    )

1.5 - Setting up Starship

install starship: sh -c "$(curl -fsSL https://starship.rs/install.sh)" Add Starship to the bash config: nano ~/.zshrc eval "$(starship init zsh)" Reload the shell source ~/.zshrc Create the starship config: mkdir ~/.config && touch ~/.config/starship.toml Edit the config: nano ~/.config/starship.toml (Use configs provided in Setting up Windows SSH