# Setting up a new machine

This guide assumes you are on a fresh machine running AlmaLinux 9 or 10, SSH-ed in as `root`. It shows how to install the required packages, configure the firewall, lock the server down to just SSH and create an `admin` user.

## Installing initial packages

First update the system (`dnf update` is only an alias for `dnf upgrade`, so one command is enough):

```sh
dnf upgrade -y
```

Then install the necessary packages. `epel-release` has to go in its own transaction: `dnf` resolves every package against the repositories that are enabled when the command starts, so asking for `epel-release` and `fail2ban` in the same `dnf install` fails with "No match for argument: fail2ban" because EPEL is not enabled yet.

```sh
dnf install -y epel-release
dnf install -y firewalld bind-utils git fail2ban neovim
```

`epel-release` stands for "Extra Packages for Enterprise Linux" and is necessary to get `fail2ban` (and `neovim`) plus some later dependencies.

## Closing the firewall to anything but SSH

We are going to close the firewall to anything but SSH for now; nothing else is running on the server yet anyway. Note the order: the SSH service is added to the `drop` zone's permanent configuration *before* that zone becomes the default, so there is no window in which new SSH connections are dropped. The session you are in survives either way, because firewalld accepts established connections before the zone rules are consulted.

```sh
# Enable firewalld
systemctl enable --now firewalld

# Allow SSH in the drop zone first, then make drop the default zone.
# The drop zone silently discards every other incoming packet.
# Later on you will want to switch the default back to zone=public
# so you can serve traffic over http/https.
firewall-cmd --permanent --zone=drop --add-service=ssh \
  && firewall-cmd --set-default-zone=drop \
  && firewall-cmd --reload

# Verify: the active zone should be "drop" with "target: DROP" and "services: ssh"
firewall-cmd --list-all
```

## Unattended upgrades

`dnf-automatic` only *downloads* updates out of the box (`apply_updates = no` in `/etc/dnf/automatic.conf`), so enabling the timer alone patches nothing. Flip that setting before starting the timer:

```sh
dnf install -y dnf-automatic
sed -i 's/^apply_updates = no/apply_updates = yes/' /etc/dnf/automatic.conf
systemctl enable --now dnf-automatic.timer
```

## Enabling fail2ban

This keeps the masses of bots trying to SSH into our server at bay by banning their IPs after repeated failed logins.

Create a new jail file at `/etc/fail2ban/jail.local`:

```ini
[sshd]
enabled = true
```

Start it:

```sh
systemctl enable --now fail2ban
```

Check that the jail is actually running with `fail2ban-client status sshd`; it lists the failed attempts seen so far and any currently banned IPs.

## Creating the admin user

To avoid working as `root` we are going to create a new user with `sudo` privileges and prevent logging in as `root` via SSH. The password for the `admin` user is in our Bitwarden.
```sh
adduser admin
passwd admin              # will prompt you for a new password
usermod -aG wheel admin   # members of wheel get elevated (sudo) privileges
```

### Add the SSH key to the `admin` user's authorized keys so you can SSH into it

Switch to the `admin` account (`su -` starts a login shell with `admin`'s environment; `su` has no `-i` flag):

```sh
su - admin
```

Create the files and paste your public key. `sshd` runs with `StrictModes yes` by default and silently ignores `authorized_keys` if the `.ssh` directory or the file is writable by group or others, so set the permissions explicitly:

```sh
cd ~                          # in case you aren't in $HOME
mkdir -p .ssh && chmod 700 .ssh
nvim .ssh/authorized_keys     # paste the relevant SSH public keys in here, one per line
chmod 600 .ssh/authorized_keys
```

Open a new terminal and SSH into the `admin` user on the server; it should log you in without asking for a password. Be sure this is the case before you lock `root` out, and keep your current `root` session open until you have verified it.

### Locking the `root` account

Go back to the `root` account now (`exit`), otherwise you will need to `sudo` the commands below. The following disables root login and password authentication over SSH by editing `/etc/ssh/sshd_config`.

One caveat: on AlmaLinux 9 and 10 `/etc/ssh/sshd_config` starts with `Include /etc/ssh/sshd_config.d/*.conf`, and for every keyword `sshd` keeps the *first* value it reads, so a drop-in in that directory overrides the main file. Installs where the installer was told to allow root SSH login with a password get `/etc/ssh/sshd_config.d/01-permitrootlogin.conf` containing `PermitRootLogin yes`, in which case editing the main file changes nothing. That is why the effective configuration is checked with `sshd -T` before restarting; if the grep does not print `no` for both keywords, remove or override the offending drop-in first.

```sh
sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sshd -t                  # syntax check; prints nothing when the config is valid
sshd -T | grep -E '^(permitrootlogin|passwordauthentication) '
systemctl restart sshd
```

If done correctly, `root` can no longer log in over SSH and nobody can log in with a password; only key-based logins such as `admin` work. The `root` account itself still exists.

### Accessing the `root` account locally through another account

Even though we went through the trouble of setting up a dedicated admin user, you can still switch to the `root` account from it by simply executing:

```sh
sudo -i
```

It prompts for the `admin` password and then opens a shell as `root`.
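A drop-in based version of the root lock-out step, as an added example script that is not part of the original guide. It assumes Bash on a stock AlmaLinux 9/10 install (where `/etc/ssh/sshd_config` includes `/etc/ssh/sshd_config.d/*.conf` before anything else and the first value wins), and the names `00-hardening.conf` and `admin` are this example's own choices. Instead of editing `sshd_config` with `sed`, it writes a drop-in that sorts before any file the installer put there, and it refuses to restart `sshd` unless the admin user has a public key on file and the effective configuration reported by `sshd -T` really shows root and password login disabled.

```shell
#!/usr/bin/env bash
# Added example, not the guide's own code. Run as root on the server.
# Assumptions: Bash; AlmaLinux 9/10 sshd with an Include of sshd_config.d;
# drop-in name 00-hardening.conf and user name "admin" are arbitrary choices.
set -eu

# Refuse to lock password auth out unless the admin user has at least one
# public key line (optionally prefixed with options such as "no-pty").
precheck_authorized_keys() {
  local file=$1
  [ -s "$file" ] || return 1
  grep -Eq '(^|[[:space:]])(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9-]+@openssh\.com) ' "$file"
}

# Write the drop-in. "00-" sorts before anything the installer put in the
# directory (for example 01-permitrootlogin.conf), so these values win.
write_sshd_dropin() {
  local dir=$1
  cat > "$dir/00-hardening.conf" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF
  chmod 600 "$dir/00-hardening.conf"
}

# Check the *effective* configuration (the output of `sshd -T`, read from
# stdin, one lowercase "keyword value" pair per line) rather than the file
# we wrote. This catches an earlier-sorting drop-in overriding us, and a
# missing keyword counts as a failure rather than a pass.
check_effective_config() {
  local key value root='' pass='' kbd=''
  while read -r key value; do
    case "$key" in
      permitrootlogin)              root=$value ;;
      passwordauthentication)       pass=$value ;;
      kbdinteractiveauthentication) kbd=$value ;;
    esac
  done
  [ "$root" = no ] && [ "$pass" = no ] && [ "$kbd" = no ]
}

# Full procedure. sshd is restarted only after the syntax check and the
# effective-config check both pass, so a bad edit cannot lock you out.
apply_sshd_hardening() {
  local admin=${1:-admin}
  precheck_authorized_keys "/home/$admin/.ssh/authorized_keys" \
    || { echo "no public key for $admin; refusing to disable password auth" >&2; return 1; }
  write_sshd_dropin /etc/ssh/sshd_config.d
  sshd -t                                   # exits non-zero on a syntax error
  sshd -T | check_effective_config \
    || { echo "effective sshd config still allows root or password login" >&2; return 1; }
  systemctl restart sshd
}

# Usage (as root): source this file, then run `apply_sshd_hardening admin`.
```

The helpers take a directory path and standard input rather than hard-coded system paths, so you can exercise `write_sshd_dropin` and `check_effective_config` against a scratch directory and a saved `sshd -T` dump before running `apply_sshd_hardening` on the real host.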