===== Build a new Ubuntu machine =====

(For Ubuntu Desktop, not Ubuntu Server)

=== Generic tasks for all builds ===

  * Build machine (servers generally need only "OpenSSH" for server software). Good documentation on the general build process can be had at the Ubuntu help website, [[https://help.ubuntu.com/]]. Select the OS release you're working with, and then the version (i.e., Desktop, Server, etc). Installation guidance should be easy to find. If you're installing Ubuntu Server, the "Ubuntu Server Guide" is the document you should seek.
  * Edit /etc/apt/sources.list and replace all occurrences of "us.archive.ubuntu.com" with "ubuntu.cs.wpi.edu".
  * Edit /etc/rsyslog.d/50-default.conf and add these 2 lines to the top of the file, underneath the comments at the top of the file:

    *.* @cslog.cs.wpi.edu

  * Edit /etc/systemd/timesyncd.conf and add at the bottom of the file this line:

    NTP=ntp.cs.wpi.edu ntp2.cs.wpi.edu

  * Regulate SSH access by adding the blocks below to /etc/hosts.allow and /etc/hosts.deny, respectively (add the "sshd : 130.215. [...]" lines to /etc/hosts.allow, add the "sshd : ALL" line to /etc/hosts.deny). hosts_access(5) only treats lines that begin with "#" as comments, so each description sits on its own line.

    # hosts.allow:
    # WPI Campus Net
    sshd : 130.215.
    # WPI VPN
    sshd : 10.217.
    # Localhost (if needed)
    sshd : 127.0.

    # hosts.deny:
    # Reject all other SSH attempts
    sshd : ALL

  * In a root shell, run these commands to update the package list and install some basic software:

    apt-get update
    apt-get purge cloud-init landscape-common
    apt-get install mbuffer pigz pbzip2 tcsh libpam-passwdqc build-essential
    apt-get dist-upgrade

  * Depending on how you did the installation, the "dist-upgrade" may install a lot of stuff.
  * Reboot (with the command "sudo reboot").

**You're pretty much done at this point. Do a last reboot and see if all is well.**

If you're using Ubuntu Desktop, consider the following:

  * system->preferences->sound ... select the "no sound" sound scheme. You will thank yourself.
  * DISABLE printer discovery by editing /etc/avahi/avahi.conf and changing the "domain-name" setting to "cs.wpi.edu", which removes "generic" discovery.
  * Disable automatic sleep/suspend on machines that will be used remotely. Ubuntu Desktop 20.04.X (at least) will sleep by default after some relatively short period of time. The following command will disable this:

    sudo systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target

  * Edit login screen prefs to NOT provide a list of users (see 3 commands below, which must be run from a LOCAL GUI LOGIN SESSION, not via remote SSH etc):

    xhost +SI:localuser:gdm
    sudo su gdm -s /bin/bash
    gsettings set org.gnome.login-screen disable-user-list true

=== Multi-user machine? ===

If you're going to use this machine as a multiuser server you might consider:

    sudo apt-get install build-essential openjdk-7-jdk openjdk-7-jre-headless \
        emacs23 vim alpine finger make texlive eclipse

If you'd like to use KERBEROS to store user passwords on the machine, see our wiki section on [[kerberos_usage]].

Consider disabling printer discovery (detailed above).

== SUDO or ADMIN group membership ==

Strangely, in Ubuntu a user needs to be an "administrator" in order to do certain mundane tasks like joining a wireless network. If you are building an Ubuntu laptop for some other user, **make sure** to give that user an "administrative" account, or you may find yourself receiving an unhappy call from them when they cannot connect their machine to, say, their hotel's wireless network somewhere. In fact, all PRIMARY users (i.e., owner of a laptop or main user of a desktop) should have this access. I presume that non-admins cannot do software updates, for instance.

Adding a person to this group can be done in two ways -- using the "User Accounts" section of the system preferences window, or using an editor on /etc/group. In Ubuntu-12.04 and later, adding a person to the **sudo** group will make them an administrator.
In earlier versions adding them to the "admin" group **should** work, but I would add them to admin, adm, and sudo, just to be safe from that late-night phone call.

=== KVM Server (i.e., a Virtual Machine server)? ===

If you're going to use KVM then add bridge utils and *perhaps* link aggregation.

    sudo apt-get install qemu-kvm bridge-utils virt-manager virt-viewer virt-top nfs-common

(other packages may be needed but I can't remember them right now)

Set up the network bridge device; see [[virtual_machine_management]] for help getting things going.

Edit /etc/libvirt/qemu.conf and uncomment the "user=root" and "group=root" lines in that file.

Note well that many/most VM hosts are also NFS Clients (see this page, immediately below), getting disk images from a separate fileserver.

=== KVM Guest (i.e., a VM running inside a KVM Server) ===

Install as little extraneous stuff as possible on VM guests. VM guests may be exceedingly small--VMs have been made with 4G of disk space and 128M of RAM.

If you'd like to be able to remotely shut down KVM guests with the **virsh shutdown [vm-name]** command, make sure the VM itself has the **acpid** package installed. Ubuntu Server does **not** install this package by default, so it should be installed on KVM Guest machines with the following command:

    apt-get install acpid

Consider adding "noatime" to mount points in fstab to avoid unnecessary network traffic.

=== NFS Client? ===

If you plan on mounting directories from an NFS Server on your Ubuntu machine, you'll need to add the package "nfs-common" or you'll get an error when trying to mount the NFS server's disk.

    sudo apt-get install nfs-common

=== Personal machine? ===

If you'd like to play video DVDs, you'll need a package called "ubuntu-restricted-extras" and you will need the decoding package.
    sudo apt-get install ubuntu-restricted-extras
    sudo /usr/share/doc/libdvdread4/install-css.sh

If your personal machine is a LAPTOP or contains confidential information, you should consider encryption of its user data and [[laptop_phone_home_security|installation of a "phone home" script]].

=== Mike Machine? ===

Applications that Mike wants on his personal Ubuntu desktop/laptop:

    apt-get install aptitude build-essential cdparanoia dconf-tools emacs enscript finger gimp \
        gnome-shell heirloom-mailx jfsutils k3b lame makepasswd mbuffer mdadm mencoder mosh mplayer \
        nmap ntp pigz pipebench rdiff-backup screen sox tagtool tcsh tmux traceroute transcode \
        ubuntu-restricted-extras ufraw vm

When logging on, set the default windowing environment to Gnome Classic (no effects).

Use dconf-editor as described [[http://askubuntu.com/questions/159557/no-way-to-show-seconds-in-gnome-classic-clock|here]] to set the clock so that the day and month are displayed.

Perhaps also Chromium from Google (as opposed to the one in the Ubuntu package collection).

Alter /etc/logrotate.conf so that wtmp is rotated after reaching 5m (or more) instead of rotating it monthly.
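
A way to check the settings from "Generic tasks for all builds" after the final reboot, as an added example that is not part of the original wiki page. The function names and the root-path argument are assumptions of this example; the file paths and host names are the ones listed in that section.

```shell
#!/bin/sh
# Added example: audit the "Generic tasks for all builds" settings.
# Usage: sh audit_build.sh /     (or the root of a mounted image)
# The function names and the ROOT argument are this example's own.

# active FILE: print FILE without blank lines and full-line "#" comments
active() { grep -Ev '^[[:space:]]*(#|$)' "$1" 2>/dev/null; }

# want LABEL FILE REGEX: fail unless an active line of FILE matches REGEX
want() {
    active "$2" | grep -Eiq -- "$3" && return 0
    echo "FAIL: $1"; return 1
}

# forbid LABEL FILE REGEX: fail if an active line of FILE matches REGEX
forbid() {
    active "$2" | grep -Eiq -- "$3" || return 0
    echo "FAIL: $1"; return 1
}

# audit_build ROOT: print one FAIL line per problem, return the problem count
audit_build() {
    r=${1%/}; n=0
    want   "apt mirror not set to ubuntu.cs.wpi.edu" \
           "$r/etc/apt/sources.list" 'ubuntu\.cs\.wpi\.edu' || n=$((n+1))
    forbid "us.archive.ubuntu.com still in sources.list" \
           "$r/etc/apt/sources.list" 'us\.archive\.ubuntu\.com' || n=$((n+1))
    # A single "@" is rsyslog's UDP forwarding syntax ("@@" would be TCP).
    want   "no *.* forward to cslog.cs.wpi.edu" \
           "$r/etc/rsyslog.d/50-default.conf" \
           '^\*\.\*[[:space:]]+@cslog\.cs\.wpi\.edu' || n=$((n+1))
    want   "timesyncd NTP= line lacks ntp.cs.wpi.edu" \
           "$r/etc/systemd/timesyncd.conf" '^NTP=.*ntp\.cs\.wpi\.edu' || n=$((n+1))
    want   "hosts.deny lacks 'sshd : ALL'" \
           "$r/etc/hosts.deny" '^sshd[[:space:]]*:[[:space:]]*ALL' || n=$((n+1))
    want   "hosts.allow lacks the 130.215. campus prefix" \
           "$r/etc/hosts.allow" '^sshd[[:space:]]*:[[:space:]]*130\.215\.' || n=$((n+1))
    # hosts.allow is consulted before hosts.deny, so a catch-all there wins.
    # Text after a mid-line "#" is still read as client patterns, so a
    # trailing "# allow all" counts as ALL too.
    forbid "hosts.allow has an sshd catch-all (ALL)" "$r/etc/hosts.allow" \
           '^sshd[[:space:]]*:(.*[[:space:],])?ALL([[:space:],:]|$)' || n=$((n+1))
    return "$n"
}

if [ "$#" -gt 0 ]; then audit_build "$1"; fi
```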