Post Ubuntu Install

From The Maceys in California

Before using Ubuntu, I do these things

This is a collection of things to do after installing Ubuntu (most of it applies to other Linux systems as well). Some are just customizations and some are security. While a number of tools are offered as part of the installation, I prefer to get the current set using the package installer.

Set Network Connection

From the console open Settings->Network

Click on the gear to open the network settings window. Enter the IP address, netmask and gateway. Set the DNS server to: 192.168.86.2

Easiest way to continue is to restart.

Get the System Up to Date

sudo apt update
sudo apt upgrade

Install and Open Cockpit

. /etc/os-release
sudo apt install -t ${VERSION_CODENAME}-backports cockpit

Open URL from a web browser:

 https://<ip address>:9090

Log in with the user created during the install. After logging in, do a quick check, switch to administrative access and then open the terminal window.

See Also

Cockpit Reference Install Cockpit on Ubuntu

Install and Configure sshd

The sshd server needs to be running so that you can login. This is required in order to cut and paste.

sudo /bin/bash
apt install openssh-server putty-tools -y < /dev/null
systemctl start ssh

Continue from an ssh terminal session.

Fix sudo to not prompt for password

Do this as login user, NOT root.

It might be easier to just do this by manually creating the file and fixing up the permissions.

Create a file for the user in the /etc/sudoers.d directory containing the following line. ${USER} expands to the user created during the install, so this must be run as that ordinary user; run as root, the steps would create a sudoers.d file for root instead. It is done in two steps because the first sudo command of the session will ask you to authenticate.

cat > ${USER} <<EOF
${USER}    ALL=(ALL) NOPASSWD:ALL
EOF
chmod 440 ${USER}
sudo chown 0:0 ${USER}
sudo mv ${USER} /etc/sudoers.d/${USER}

Give yourself superuser privileges before you continue.

sudo /bin/bash

Do a little account work

Add the user to groups adm and sudo

usermod -a -G adm ${SUDO_USER}
usermod -a -G sudo ${SUDO_USER}

Change the login shell on www-data to /bin/bash.

We want to have docker as UID/GID 1000/1000. The user created on install sits there. We could install the system with the docker user. Will have to look at that next time.

Edit the /etc/passwd and /etc/group files to move the installed user to 1001/1001 and then change the ownership of the user's home directory.

sed -i s/${SUDO_USER}:x:1000:1000/${SUDO_USER}:x:1001:1001/g /etc/passwd
sed -i s/${SUDO_USER}:x:1000/${SUDO_USER}:x:1001/g /etc/group
chown -R ${SUDO_USER}:${SUDO_USER} /home/${SUDO_USER}

Generally all that is needed is a logout and a login. If logging back in after this change fails with an error creating a terminal instance, you did these steps in the wrong order; a reboot is usually the quickest way around it.
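The two sed commands above match their pattern anywhere in a line, and the chown -R only covers the home directory. As an added example (my own, not code from the original page), the functions below do the same rewrite by field, so only the named account's entries change, and list files elsewhere on the root filesystem that still carry the old UID or GID (mail spools, cron files, things under /var), which the home-directory chown does not reach. File paths, the account name and the IDs are arguments; nothing is modified in place.

```shell
#!/bin/sh
# Added example, not from the original page: move an account to a new
# UID/GID by rewriting passwd/group entries field by field, and find files
# that the "chown -R" of the home directory does not cover.

# rewrite_passwd_ids FILE NAME OLD NEW
# Print FILE (passwd format) with NAME's UID, and its primary GID when that
# also equals OLD, changed to NEW. Other accounts are left alone even if
# the old numbers appear somewhere inside their lines.
rewrite_passwd_ids() {
    awk -F: -v OFS=: -v name="$2" -v old="$3" -v new="$4" '
        $1 == name && $3 == old { $3 = new; if ($4 == old) $4 = new }
        { print }' "$1"
}

# rewrite_group_id FILE NAME OLD NEW
# Print FILE (group format) with the GID of group NAME changed from OLD to NEW.
rewrite_group_id() {
    awk -F: -v OFS=: -v name="$2" -v old="$3" -v new="$4" '
        $1 == name && $3 == old { $3 = new }
        { print }' "$1"
}

# find_orphans ROOT OLDID HOME
# List files under ROOT (staying on one filesystem) still owned by numeric
# user or group OLDID, skipping HOME, which the chown -R already handles.
find_orphans() {
    find "$1" -xdev \( -user "$2" -o -group "$2" \) ! -path "$3" ! -path "$3/*"
}

# Typical use (as root, with the user logged out):
#   rewrite_passwd_ids /etc/passwd lynn 1000 1001 > /tmp/passwd.new
#   rewrite_group_id   /etc/group  lynn 1000 1001 > /tmp/group.new
#   # inspect both, then install them over /etc/passwd and /etc/group
#   chown -R lynn:lynn /home/lynn
#   find_orphans / 1000 /home/lynn    # chown whatever this lists
```

groupmod -g 1001 lynn followed by usermod -u 1001 -g 1001 lynn is the packaged way to make the same edit (usermod also re-owns the home directory); either way, files outside the home directory stay on the old numbers, which is what find_orphans lists.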


Install and Configure NFS

Install the software, create the mount point directories under /nfs, and then...

apt install nfs-kernel-server nfs-common -y </dev/null
mkdir /nfs
mkdir -p /nfs/media /nfs/multimedia /nfs/mediaarchive /nfs/public /nfs/tr004
chmod -R 777 /nfs
chown -R nobody:nogroup /nfs

Now mount the directories from the NAS. Add the following lines to /etc/fstab

echo ' ' >>/etc/fstab
echo 'macey.lan:/share/Media              /nfs/media              nfs defaults 0 0' >>/etc/fstab
echo 'macey.lan:/share/Multimedia         /nfs/multimedia         nfs defaults 0 0' >>/etc/fstab
echo 'macey.lan:/share/Media_Archive      /nfs/mediaarchive       nfs defaults 0 0' >>/etc/fstab
echo 'macey.lan:/share/Public             /nfs/public             nfs defaults 0 0' >>/etc/fstab
echo 'macey.lan:/share/TR004              /nfs/tr004              nfs defaults 0 0' >>/etc/fstab
systemctl restart nfs-kernel-server
systemctl daemon-reload
mount -a

Next, set up putty (Optional)

This section describes setting up a key file so that you can login with putty without a password. You can skip on down if you already have a key file handy.

This is only required if you have not already done so. Otherwise, get a copy of the authorized-keys file from wherever you keep it.

In the putty application on Windows:

 - Create a new session for the VM
 - Put in the IP and the name for the saved session
 - Under Window, set columns to 135
 - Under Window/Behavior, put the VM name in the Window Title
 - Under Connection/Data put your user into Auto-login
 - Open SSH under connection and select Auth 
 - Browse to your Private Key file
 - Return to Session and Save

Note that a current version of putty (using 0.77) is needed to connect to Ubuntu 22.04. Create an ECDSA key unless you already have one:

 ssh-keygen -t ecdsa -b 521

Install putty tools and generate a ppk key for putty:

 apt install putty-tools dialog
 puttygen keyname -o keyname.ppk

Install Public Key for the user

There are two ways to do this. If NFS has been set up and there is a working authorized_keys file, it is easiest to copy it in. The method below also works, but the lines of a putty-generated key must be joined into one long line per entry.

If you are getting the file from a mounted location do this:

mkdir /home/${SUDO_USER}/.ssh
chmod 755 /home/${SUDO_USER}/.ssh
cp /nfs/public/authorized_keys /home/${SUDO_USER}/.ssh
chown ${SUDO_USER}:${SUDO_USER} /home/${SUDO_USER}/.ssh/authorized_keys

Else:

mkdir /home/${SUDO_USER}/.ssh
chmod 755 /home/${SUDO_USER}/.ssh
touch /home/${SUDO_USER}/.ssh/authorized_keys
chmod 600 /home/${SUDO_USER}/.ssh/authorized_keys   # not group/world-writable, or sshd rejects the file
chown -R ${SUDO_USER}:${SUDO_USER} /home/${SUDO_USER}/.ssh

Did I not warn you?

cd /home/${SUDO_USER}/.ssh
vi authorized_keys
Comment: "Lynn Oct-2020"
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAvvWjBI6Yl1u5TSloZ6PY9bx7QKFntKP1uZLuTBeTzqZcw43gIqZ2c8d8hlDyTtPyJtph/KjVsMuUu/fLEqV9P/J2vaZLdgwbApR3pzjlulIiQ4GYpGBieFiVsvI+R5oOatGr0EUDUShSddmChsqVRn17Uy/lZFzZ/awo01z/I5Z63HsH+6eh8SE3YtPayrXkse2HyC5t+O3Qo+iXwMOGjmEvWGP2FuFrxH0JOR9kGehhZdVKk0le0ljOEVKgGLmK2x6mbm990a/l9Mf5n2RgUSt05nAP/myLUs8RBasWwJo5IIf4smZCy0EefRvNCrS+fPQkEbWhycQaSMD6S8aHYw==

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCrVr+M/SrcFqCXbOfBk1YTMd3gN0P/qfnDlCz5SODRXNWhSzLsSE1Q+I17vv+0hq82aBmyUwRcZOXOodAfFZS1ETn3PTmBPGblUlxdgVEyQmf7JtsjSnyYKkqQ5oiJJDnBxFLihlWBm9bYUk9BA0qRC/jbMLDcLMd2jldDceQh2Q2Gdnv0WnNfs/Ha6WH/COOTo0RfmSHsh1GlC6Vog5xqBTW/wRBreVXTZWqAemQ3qwCGhAkDdsiz26Ao1LZxeY1rStfmyjTJUVMBiqIENq5TKpvxx/3k3Epecqvu1lNc4uTK+RsRo8bGUXSUg5NYKZ8fsJKAWnZ1im1XF6ryVdQtHCZsePjWCVKLI3LdqrsIFiwynh58ud2lxMIJDS3zzCESERTLtsFdbkdL95VarOfNcBLqtJ6S4my/BSHAPOuI9PMhhrZM24aSLYWbX6o6THOi1VvsO7r74TzEkfq3ldlen9nFfOTTnu9ks9Co7ODmQvnea1CVsNb7Fr1IcFL/4nsbU+a73HGnejL+VL0hA/D9L1YFOKJsyABsqI7O8UkJpYnL6+CBJgX72/b5GD6ZK93L4oGj0gGHuYd9IaEY9owGIBeMmCoah+rQCfqRHp1J7h9ret1KfEZSu9lH5t7UvZDQwxbfikOAVKTyfLD7fHL8DbE+dxlRMJ2TLaiJVHgcwQ== lynnmacey@gmail.com

ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBACVNiuESaiDRzT0SiZNjvZq+HFV2J2jYV4F88TkW6ysqqCmyjwiyg3L2jeGuj0aA11qFF6voiteHT6D7df6wWZfUQDw/F8Wow6gQjrFW8QhrdIlo/fNmn2CNncDoqRx9onXMKz9FYEvU7QqjisXwMZtQ/DH6G0t6bwc+WyRPNXV5pO1AQ== lynn@chico

Comment: "ecdsa-key-20220712 lynn putty"
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHw2zURA2K4DZSknQi73t0pAZv6mCK3LD4o6zw/pHqIZMxFiHmV4vj6nEh7/y21okpkCczCzdpmwFd7Se141GLQ=

You should now have a key file as pointed to in putty and an authorized-keys file in the ~/.ssh directory. Logout and back in if you are in a putty session. It should work without asking for a password. With cockpit, you can just continue.
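The putty-generated entry shown last above (a Comment: line followed by the wrapped base64 blob) is RFC 4716 format, which is why its lines must be joined and prefixed with the key type before sshd will accept it. As an added example (my own, not from the original page), the first function below does that conversion, reading the key type out of the blob itself, and the second installs the resulting line with the ownership and modes sshd's StrictModes check (on by default) insists on: neither ~/.ssh nor authorized_keys may be group- or world-writable, which is also why a chmod 664 on the file stops key logins. The home directory and owner are arguments.

```shell
#!/bin/sh
# Added example, not from the original page: convert a PuTTYgen-style
# (RFC 4716) public key into the one-line form sshd reads from
# authorized_keys, and install it with the ownership and modes sshd's
# StrictModes check requires.

# rfc4716_to_openssh FILE -> prints "keytype base64blob comment"
rfc4716_to_openssh() {
    # The comment is the (usually quoted) value of the "Comment:" header.
    comment=$(sed -n 's/^Comment:[[:space:]]*//p' "$1" | sed 's/^"//; s/"$//')
    # The body is every line that is neither a ---- delimiter nor a
    # "Header: value" line, joined back into one unbroken base64 string.
    body=$(grep -v -e '^----' -e '^[A-Za-z-]*:' "$1" | tr -d ' \r\n')
    # The decoded blob starts with a 4-byte big-endian length followed by
    # the key type string ("ecdsa-sha2-nistp256", "ssh-rsa", ...), which the
    # one-line format repeats as its first field.
    len=$(printf '%s' "$body" | base64 -d | od -An -N4 -tu1 |
          awk '{ print $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }')
    ktype=$(printf '%s' "$body" | base64 -d | dd bs=1 skip=4 count="$len" 2>/dev/null)
    printf '%s %s %s\n' "$ktype" "$body" "$comment"
}

# install_authorized_key HOMEDIR KEYLINE [OWNER]
# Append KEYLINE to HOMEDIR/.ssh/authorized_keys. sshd refuses the file
# (and the directory) if either is group- or world-writable, so use 700/600.
# OWNER is applied only when given, since chown needs root.
install_authorized_key() {
    dir=$1/.ssh
    mkdir -p "$dir"
    chmod 700 "$dir"
    printf '%s\n' "$2" >> "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    if [ -n "${3:-}" ]; then
        chown -R "$3:$3" "$dir"
    fi
}

# Typical use (as root):
#   install_authorized_key /home/lynn "$(rfc4716_to_openssh /tmp/putty.pub)" lynn
```

OpenSSH ships the same conversion as ssh-keygen -i -f putty.pub (RFC 4716 is its default import format), so on a box with OpenSSH installed that one command can replace the first function; the shell version just makes the steps visible.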

Configure Upgrade Behavior

dpkg-reconfigure --priority=low unattended-upgrades

Accept the "Yes" response.


Install KVM agent

apt install qemu-guest-agent

Install more packages

apt update -y </dev/null
apt upgrade -y </dev/null
apt install apt-utils curl dbus dialog dnsutils less net-tools postgresql postgresql-contrib putty-tools rsync ufw wget zip -y </dev/null

Install Tasksel (if this will be a web server)

apt install tasksel
tasksel

Select:

- all non-minimal desktop packages 
- LAMP
- Samba
- Audio recording and editing suite
- Large selection of fonts
- 2D/3D creation and editing suite
- Photograph touchup and editing suite
- Publishing applications 
- Video creation and editing suite
- Basic Ubuntu server

This takes a while. I had to run it several times, selecting some of the tasks on each pass.

Change System Limits

The default limits for some system operations are too small. The usual result is system applications complaining to syslog which then fills up the root file system. Do the following to solve this problem:

cat >> /etc/sysctl.conf <<EOF
fs.file-max = 2097152
EOF
sysctl -p

Configure Apache, Php and MariaDB

LAMP was installed from tasksel, but I want to replace MySQL with MariaDB and then configure the LAMP stack.

Apache

Enable mods that will be needed

a2enmod rewrite
a2enmod headers

Testing with the SSL Labs SSL Server Test tool should then result in an A+ (Whoo Hoo!) rating. The following changes were needed to get past a B+.

Update the /etc/apache2/mods-available/ssl.conf file.

Replace the SSLCipherSuite definition with:

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

Uncomment:

SSLHonorCipherOrder on

And replace the SSLProtocol definition with:

SSLProtocol all -SSLv2 -SSLv3

Modify the file /etc/apache2/mods-available/http2.conf to read in part: (this can now be done by uncommenting lines)

Protocols h2 h2c http/1.1
H2Push on
H2PushPriority * after
H2PushPriority text/css before
H2PushPriority image/jpeg after 32
H2PushPriority image/png after 32
H2PushPriority application/javascript interleaved

Enable the mod, restart Apache2 and start php-fpm.

a2enmod http2
systemctl restart apache2
systemctl start php8.3-fpm

Install MariaDB

 sudo apt install mariadb-server
 sudo systemctl status mariadb

Results will vary slightly with the release

● mariadb.service - MariaDB 10.1.47 database server
   Loaded: loaded (/lib/systemd/system/mariadb.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2020-11-08 23:41:31 UTC; 1min 4s ago
     Docs: man:mysqld(8)
           https://mariadb.com/kb/en/library/systemd/
 Main PID: 6324 (mysqld)
   Status: "Taking your SQL requests now..."
    Tasks: 27 (limit: 4915)
   CGroup: /system.slice/mariadb.service
           └─6324 /usr/sbin/mysqld

Nov 08 23:41:31 system /etc/mysql/debian-start[6357]: performance_schema
Nov 08 23:41:31 system /etc/mysql/debian-start[6357]: Phase 6/7: Checking and upgrading tables
Nov 08 23:41:31 system /etc/mysql/debian-start[6357]: Processing databases
Nov 08 23:41:31 system /etc/mysql/debian-start[6357]: information_schema
Nov 08 23:41:31 system /etc/mysql/debian-start[6357]: performance_schema
Nov 08 23:41:31 system /etc/mysql/debian-start[6357]: Phase 7/7: Running 'FLUSH PRIVILEGES'
Nov 08 23:41:31 system /etc/mysql/debian-start[6357]: OK
Nov 08 23:41:31 system /etc/mysql/debian-start[6388]: Checking for insecure root accounts.
Nov 08 23:41:31 system /etc/mysql/debian-start[6392]: Triggering myisam-recover for all MyISAM tables and aria-recover f
Nov 08 23:41:31 system systemd[1]: Started MariaDB 10.1.47 database server.

To secure the MariaDB server as much as possible, run the post-installation script. The script will let you continue without setting a password for the MariaDB root user, but it is preferable to enter the standard one.

sudo mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

You already have a root password set, so you can safely answer 'n'.

Change the root password? [Y/n] n
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] n
 ... skipping.

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] n
 ... skipping.

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] n
 ... skipping.

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
root@system:~#

Make any changes to the MariaDB configuration.

Note that if this is a system that was previously configured, changing the /etc/mysql entry to the symbolic link is all that is required.

Stop the database engine

systemctl stop mysql

This was for Wenebojo. We are not moving.

Verify that the mysql configuration directory in the /data partition exists and contains files:

ls -l /data/etc/mysql

If not, execute the following:

Move the MySQL/Mariadb configuration files:

cd /etc
tar xvf /tmp/xfer mysql
cd /data/etc
tar xvf /tmp/xfer

Replace the /etc/mysql directory with a symbolic link:

mv mysql mysql.dist
ln -s /data/etc/mysql mysql

Perform local MariaDB configuration changes

Modify /etc/mysql/mariadb.conf.d/50-server.cnf

Allow Remote Access

Change the bind-address line to this:

bind-address            = 0.0.0.0

Turn on the slow query log

slow_query_log_file    = /var/log/mysql/mariadb-slow.log
slow_query_log         = 1           # this line needs to be added
long_query_time        = 1           # was 10
log_slow_rate_limit    = 1000
log_slow_verbosity     = query_plan
log-queries-not-using-indexes

Change Location of DB Files

Edit /etc/mysql/mariadb.conf.d/50-server.cnf and change the datadir definition

datadir                 = /data/db/mysql

Restart the Database Engine

systemctl start mysql

Performance Improvements

Install Memcached

apt update
apt install memcached libmemcached-tools
systemctl status memcached
apt install php-memcached
pip install pymemcache

Install Webmin

First install dependencies and then Webmin itself. Note that the version is baked into the command.

cd /tmp
apt update
apt install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions unzip nodejs npm

The Webmin repository has not changed since 2011 so it is unlikely to soon.

The repository goes in its own one-line .list file. The ubuntu.sources file is in the newer deb822 format, so a deb line must not be appended to it (and, as root, there is no need to loosen its permissions).

cat >/etc/apt/sources.list.d/webmin.list <<EOF
deb http://download.webmin.com/download/repository sarge contrib
EOF
wget -q -O- http://www.webmin.com/jcameron-key.asc | apt-key add -
apt update
apt install webmin

Digital Ocean has the magic to install a certificate. https://www.digitalocean.com/community/tutorials/how-to-install-webmin-on-ubuntu-20-04

Install PIA

This one is very important! PIA is my VPN provider. This protects against outside snooping. From the browser go to the PIA Linux download page.

After downloading (version number will likely change),

cd ~lynn/Downloads
bash pia-linux-3.3.1-06924.run

as a regular user. After installing it will open an authentication window.

Account information:
Username: p4780415
Password: Topeka123!

Before connecting make the following changes:

Select Panama as the VPN server
Click on the three vertical dots on the upper right and select settings.
General: 
  Select Launch on System Startup and Connect on Launch
Protocols:
 Select WireGuard
Network:
 Select Use Existing DNS
 Select Request Port Forwarding (may not use it but it doesn't hurt)
Privacy:
 Select Advanced Kill Switch (Ok, I am paranoid)

The changes require a reconnect if you connected earlier. Otherwise, close the settings and click on the big connect button on the main page. It will turn green and indicate "CONNECTED" if all is well. You can close the window and sleep at night.

Install Remote access tools

X2go

This installs the requisite software to connect to and from the machine with X2go.

sudo apt install xubuntu-desktop
sudo apt install xubuntu-core
sudo apt install mate-core mate-desktop-environment mate-notification-daemon
sudo apt install x2goserver x2goserver-xsession
sudo apt install x2goclient

Fixup for startup problems.

sudo ln -s /usr/bin/startplasma-x11 /usr/bin/startkde

Notes: Install lightdm at the prompt.

xRDP

Used to access this system from other systems.

Install the package:

sudo apt update
sudo apt install xrdp

Test that xrdp is running

sudo systemctl status xrdp

You should see something like this:

● xrdp.service - xrdp daemon
    Loaded: loaded (/lib/systemd/system/xrdp.service; enabled; vendor preset: enabled)
    Active: active (running) since Fri 2020-05-22 17:36:16 UTC; 4min 41s ago
 ...

By default xrdp uses the /etc/ssl/private/ssl-cert-snakeoil.key file, which is readable only by members of the "ssl-cert" group. Run the following commands to add the xrdp user to that group and restart the service:

sudo adduser xrdp ssl-cert
sudo systemctl restart xrdp

Install Python

Python 2 and Python 3 are installed as part of the default Ubuntu 20.04 release, but verify. On 24.04 Python 3 is installed, so skip down to the step that links python to python3 below.

sudo apt install python3

This will probably give a response that it is already at the latest version.

python --version

The response here will likely show version 2, or that python is not found. To fix that do the following:

cd /usr/bin
ls -l python*

If python is not a symlink to python 3.12, do this:

sudo rm /usr/bin/python
sudo ln -s /usr/bin/python3.12 /usr/bin/python

For Ubuntu 24.04 it is simply:

cd /usr/bin
ln -s python3.12 python

Install pip

sudo apt update
sudo apt install python3-pip

The current install creates pip as an identical file to pip3. This may change, or has already changed.

sudo ln -s /usr/bin/pip3 /usr/bin/pip

The time zone may be wrong

timedatectl
sudo timedatectl set-timezone America/Los_Angeles



Install KVM guest agent

Enable the QEMU Guest Agent in the VM's Options menu in Proxmox

apt install qemu qemu-guest-agent
systemctl enable qemu-guest-agent
systemctl start qemu-guest-agent

Once started verify its operation by looking at the Proxmox summary page for the server. It will show IP information rather than a message that the guest agent is not running.

In a Proxmox shell session execute the following. Replace 100 with the appropriate VM instance

qm agent 100 ping

If it is not working you will get an error. No response means that it is working.