Base Install (sysinstall)

Install the full distribution ("All system sources, binaries and X Window System").
Install the ports collection.
Configure the network.

Recommended packages:
  bash
  cvsup-without-gui (may not be available -- in this case, install later with portinstall)
  ispell
  kde
  mozilla
  portupgrade
  rsync
  screen (if available)
  sudo

Note: If you want each user to have their own personal group (Linux & Panther style), create the new groups first in sysinstall. Make sure any administrative accounts have group 0 (wheel) membership -- otherwise su will be unavailable.

Accounts & Basic Setup

Enable serial console:
echo "-hD" > /boot.config # "man boot" for details

If you didn't enable the serial terminal in sysinstall, do it now:
echo 'ttyd0 "/usr/libexec/getty std.9600" vt100 on secure' >> /etc/ttys

visudo # uncomment full access for %wheel

cd /root && ftp http://www.reppep.com/~pepper/freebsd/install/reppep.tgz && tar xzf reppep.tgz && ls -lt reppep # get recommended additions & patches, and unpack as /root/reppep
If you have local patches, unpack them too: tar xzf local.tgz && ls -lt reppep

patch /etc/ssh/sshd_config /root/reppep/sshd_config.diff

Install your custom kernel configuration file in /usr/src/sys/i386/conf (if you have one).

cd /etc && cp /root/reppep/make.conf . && cat /root/reppep/rc.conf* >> rc.conf && vi resolv.conf rc.conf make.conf && egrep -v '(^$|^#)' rc.conf | sort | more # put your own customizations in rc.conf.local; make sure no variables are defined twice in rc.conf

mkdir -p /usr/sup && cp /root/reppep/cvsupfile /root/reppep/rc.firewall.local /root/reppep/periodic.conf /root/reppep/ntp.conf /etc && cp /root/reppep/refuse /usr/sup && vi /etc/cvsupfile /etc/ntp.conf /usr/sup/refuse

mkdir -p ~root/bin ~root/log
cd /root/reppep && cp build-world-kernel.sh cvsup.sh /root/bin && chmod u+x /root/bin/*.sh && rehash

mkdir -p /var/log/pkgtools && patch /usr/local/etc/pkgtools.conf /root/reppep/pkgtools.conf.diff

adduser -C

Upgrade Source, Kernel & World (do this periodically)

Note: The official recommendation, described at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html, is a bit more involved but safer. If you're not clear on the differences between this procedure and the official one, use the Handbook's procedure instead.
Warning: It's easy to break your system, or lock yourself out, when upgrading the kernel or world. Make sure you have console access (PS/2-style or serial) before upgrading.
cvsup.sh # upgrade FreeBSD base (kernel & world) source, and the ports tree; doesn't affect installed ports
cd /usr/src && mergemaster -p # mergemaster is potentially time-consuming, so it's nice to do it before taking the system down.
build-world-kernel.sh
make installkernel
shutdown -r now
Verify the new kernel.
shutdown now # single-user
cd /usr/src && make installworld
mergemaster
shutdown -r now
Edit any additional configuration files in /etc or /usr/local/etc.
Test the network connection and firewall rules (perhaps with ipfw list).

Note: If you're using this section to upgrade a running system, rather than configuring a new one, run portupgrade -ai when satisfied with the kernel & world.
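As an added example (not part of this checklist or the reppep tarball), two pre-upgrade sanity checks for points made above: the "no variables defined twice in rc.conf" rule from Accounts & Basic Setup, and the console-access warning for upgrades (the ttyd0 getty line in /etc/ttys and the -h flag in /boot.config). File paths are parameters so the checks can be run against copies; the sample files are constructed.

```shell
#!/bin/sh
# Added example, not part of the original checklist: two pre-upgrade checks.
# rc_dupes lists rc.conf variables defined more than once (the later line
# silently wins, so a service you believe is on may actually be off).
# serial_console_ready confirms the ttyd0 serial getty is "on" in /etc/ttys
# and -h is present in /boot.config, so a bad kernel does not lock you out.
# Real use: rc_dupes /etc/rc.conf ; serial_console_ready /etc/ttys /boot.config

rc_dupes() {   # $1 = rc.conf; prints "name count" for each duplicated variable
    grep -Ev '(^$|^#)' "$1" \
        | sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' \
        | sort | uniq -c \
        | awk '$1 > 1 { print $2, $1 }'
}

serial_console_ready() {   # $1 = /etc/ttys, $2 = /boot.config; 0 = both set up
    grep -Eq '^ttyd0[[:space:]].*[[:space:]]on([[:space:]]|$)' "$1" || return 1
    grep -Eq '(^|[[:space:]])-[a-zA-Z]*h' "$2" 2>/dev/null || return 1
}

make_samples() {   # $1 = directory; writes constructed sample files (not real)
    cat > "$1/rc.conf" <<'EOF'
hostname="host.example.com"   # constructed sample
sshd_enable="YES"
named_enable="YES"
# appended from rc.conf.append
sshd_enable="NO"
named_enable="YES"
EOF
    printf '%s\n' 'console none unknown off secure' > "$1/ttys"
    printf '%s\n' 'ttyd0 "/usr/libexec/getty std.9600" vt100 on secure' >> "$1/ttys"
    printf '%s\n' '-hD' > "$1/boot.config"
}

d="$(mktemp -d)"
make_samples "$d"
rc_dupes "$d/rc.conf"                                   # named_enable 2, sshd_enable 2
serial_console_ready "$d/ttys" "$d/boot.config" && echo "serial console OK"
rm -rf "$d"
```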
Configure BIND

(Assuming FreeBSD 5.3+ with BIND 9):
cd /var/named/etc/namedb/ && sh make-localhost && vi named.conf && grep named /etc/rc.conf # should see named_enable="YES"
vi named.conf # mandatory: configure options & add zones
Install any (master) zone files.
/etc/rc.d/named start && tail -20 /var/log/messages

Install Ports

cd /usr/ports/lang/perl5.8 && make install && rehash && perl --version # use.perl port no longer necessary
portupgrade -a ; portversion -l \< # try to upgrade everything -- if this doesn't work, follow the instructions under 20040226 in /usr/ports/UPDATING.
portinstall -f www/apache2 postfix imap-uw # force
portinstall analog cronolog curl docproj-nojadetex htmldoc lsof lynx-ssl mailman minicom netatalk nmap nut portaudit procmail portaudit smartmontools webmin squirrelmail drac mozilla ntop screen p5-MIME-Base64 p5-Time-HiRes pyzor p5-Mail-SpamAssassin && rehash

echo "- -noddp -passwdminlen 6 -loginmaxfail 6 -uamlist uams_dhx.so -advertise_ssh" >> /usr/local/etc/afpd.conf # to actually handle tunnelled ssh, also add something like "- -fqdn me.example.com"

vi /etc/pam.d/netatalk:
netatalk    auth        required    pam_unix.so     try_first_pass
netatalk    account     required    pam_unix.so     try_first_pass
netatalk    session     required    pam_permit.so

cd /usr/local/etc/rc.d && patch -o netatalk.sh < /root/reppep/netatalk.sh.diff # disable atalk, pap, & nbp (no longer needed as of 2004/12 with RCng)

If desired: configure X (beyond the scope of this document): http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/x-config.html. If and when X is working, you might want to start KDE automatically at boot:
echo 'ttyv9 "/usr/local/bin/kdm" xterm on secure' >> /etc/ttys
or use KDE with startx:
echo exec startkde > ~/.xinitrc # as each user who will use X11

Configure Mail

amavisd-new
cd /etc/mail && mv mailer.conf mailer.conf.sendmail && cp /root/reppep/mailer.conf .
vi /etc/aliases && newaliases # forward for $myself & root
cd /usr/local/etc && cp /root/reppep/procmailrc . && vi procmailrc
patch /etc/inetd.conf /root/reppep/inetd.conf.diff && killall -HUP inetd # enables unencrypted imap -- I suggest blocking this in your firewall, which leaves it accessible on 127.0.0.1 if using webmail, and disabling the imap port otherwise
echo 'inetd_enable="YES"' >> /etc/rc.conf
echo 'inetd_flags="-wW -C 60"' >> /etc/rc.conf
Already in rc.conf.append: dracd_enable="YES"; add:
echo 'rpcbind_enable="YES"' >> /etc/rc.conf
echo localhost > /usr/local/etc/dracd.host
For FreeBSD 5.x: cd /etc/pam.d && patch < /root/reppep/imap.diff && patch < /root/reppep/pop3.diff
For FreeBSD 4.x: patch /etc/pam.conf /root/reppep/pam.conf.diff
vipw && vi /etc/group && mkdir /home/spamd && chown spamd:spamd ~spamd # Create spamd account
razor-admin -create && razor-admin -register && pyzor discover # configure razor & pyzor
vi /usr/local/etc/mail/spamassassin/local.cf # customize SpamAssassin
echo localhost > /usr/local/etc/dracd.host && /usr/local/etc/rc.d/dracd.sh start
If using Postfix virtual hosts: vi /etc/mail/virtual && postmap /etc/mail/virtual
cd /usr/local/etc/postfix && cat /root/reppep/main.cf.* >> main.cf && vi + /usr/local/etc/postfix/main.cf && postfix stop ; killall sendmail ; postfix check && postfix start && sleep 1 && tail /var/log/maillog
cd /usr/ports/mail/imap-uw && make cert && chmod -x /usr/local/certs/imapd.pem # follow prompts
If desired: portinstall -f mysql-server # -f to get around the hold in pkgtools.conf

Configure Apache & SquirrelMail

# Copy config files and build diffs for <http://www.reppep.com/~pepper/freebsd/install>
diff -u source/httpd.conf.php source/httpd.conf > reppep/httpd.conf.diff
diff -u source/httpd.conf source/httpd.conf.local > local/reppep/httpd.conf.diff.local
mkdir -p /var/log/httpd /home/httpd && mv /usr/local/www /home/httpd && mv /home/httpd/data /home/httpd/htdocs && cd /usr/local/etc/apache2 && patch httpd.conf /root/reppep/httpd.conf.diff
Either apply a local patch (patch httpd.conf /root/reppep/httpd.conf.diff.local), or vi httpd.conf (set ServerAdmin & ServerName and review security).
mkdir -p ssl.crt ssl.key && ln -s /usr/local/certs/imapd.pem ssl.key/server.key && ln -s /usr/local/certs/imapd.pem ssl.crt/server.crt && touch vhost.conf && vi ssl.???/* vhost.conf && apachectl stop && apachectl configtest && apachectl startssl && apachectl fullstatus # remove cert from server.key & key from server.crt
apachectl configtest && apachectl graceful
cp /usr/local/etc/php.ini-recommended /usr/local/etc/php.ini
cd /usr/local/www/squirrelmail && ./configure
Test https://$hostname/mail/. Verify that SquirrelMail works (it uses unencrypted IMAP to localhost) and that telnet $hostname imap fails properly, if blocked by the firewall.
Add any desired SquirrelMail plugins.

webmin

cd /usr/local/lib/webmin/ && ./setup.sh
Visit https://$hostname:10000/
Webmin Configuration: IP Access Control: configure "Only allow from listed addresses" to 127.0.0.1 & trusted IPs.
Webmin Users: remove unused modules.
If mysql-server is installed, configure it under Servers.
/usr/local/etc/rc.d/webmin.sh stop # use the start argument later, to bring up webmin as needed

Test Everything!