Switch Over Instructions
Server Setup Script
#!/usr/bin/env bash
###############################################################################
# join-domain.sh — Automate hostname + proxy setup, package install,
# security hardening tweaks, AD domain join, SSSD tuning,
# sudoers, optional Docker, optional full upgrade & reboot,
# plus tmux auto‑attach for convenience.
# ---------------------------------------------------------------------------
# CUSTOMISE THE SECTION BELOW IF YOUR ENVIRONMENT CHANGES.
###############################################################################
# Site settings: AD domain, primary DNS (the domain controller), an optional
# extra host record, the upstream HTTP proxy and the AD group that gets sudo.
# Edit these when the environment changes; nothing below should need touching.
DOMAIN_FQDN="m21.gov.local"
DOMAIN_NETBIOS="M21"
# Primary DNS — the domain controller.
DC_DNS_IP="172.16.21.161"
# Optional extra host record; pinned to DC_DNS_IP in /etc/hosts further down.
DC_HOST_A="mydns-0ic16.m21.gov.local"
# Primary proxy; a commented-out backup proxy is written to /etc/environment later.
HTTP_PROXY="http://172.40.4.14:8080/"
# AD group granted sudo. The value carries literal backslash-escaped spaces
# (MYDNS\ ICT\ Staff\ SG) because that is the form sudoers expects.
ICT_AD_GROUP='MYDNS\ ICT\ Staff\ SG'
###############################################################################
# Fail fast: abort on any unhandled error, on use of an unset variable, and
# when any stage of a pipeline fails.
set -o errexit
set -o nounset
set -o pipefail
# Keep apt/dpkg from prompting on the Ubuntu path; harmless on AlmaLinux.
export DEBIAN_FRONTEND=noninteractive
###############################################################################
# 0. Helper functions
###############################################################################
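#######################################
# Install Docker Engine behind the site proxy and start it.
# Globals:   HTTP_PROXY, OS_ID, OS_VER (read); SUDO_USER (read, may be unset)
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   0 on success or when Docker CE is unavailable (AlmaLinux 10);
#            set -e aborts the script if an install step fails
#######################################
install_docker() {
  local proxy="$HTTP_PROXY"
  local keyring=/etc/apt/keyrings/docker.gpg
  printf '\n==============================\n🛠️ Installing Docker Engine\n==============================\n'

  # ---- Proxy drop-ins for Docker (written before install so the first
  # daemon start already goes through the proxy) ----
  echo "Configuring proxy for Docker service …"
  mkdir -p /etc/systemd/system/docker.service.d
  # In an unquoted here-doc a backslash only escapes \, $ and `, so the
  # previous \"…\" form wrote literal backslashes into the unit drop-in and
  # systemd rejected the assignment. Plain quotes are what systemd expects.
  cat >/etc/systemd/system/docker.service.d/http-proxy.conf <<EOF
[Service]
Environment="HTTP_PROXY=${proxy}"
Environment="HTTPS_PROXY=${proxy}"
EOF
  mkdir -p /etc/docker
  cat >/etc/docker/daemon.json <<EOF
{
  "proxies": {
    "http-proxy": "${proxy}",
    "https-proxy": "${proxy}"
  }
}
EOF

  # ---- Install per distro ----
  if [[ $OS_ID == "almalinux" && $OS_VER -eq 10 ]]; then
    echo "⚠️ Docker CE packages are not yet available for AlmaLinux 10. Skipping installation."
    return 0
  fi
  if [[ $OS_ID == "almalinux" ]]; then
    dnf -y install dnf-plugins-core
    dnf config-manager --add-repo https://download.docker.com/linux/rhel/docker-ce.repo
    dnf -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
  elif [[ $OS_ID == "ubuntu" ]]; then
    apt-get -qq update
    apt-get -qq -y install ca-certificates curl gnupg lsb-release
    install -m 0755 -d /etc/apt/keyrings
    # --batch --yes: overwrite an existing keyring on re-runs instead of
    # prompting. apt reads the keyring as an unprivileged user, hence a+r.
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --batch --yes --dearmor -o "$keyring"
    chmod a+r "$keyring"
    # $(lsb_release -cs) must expand here: the previous \$(...) wrote the
    # literal text "$(lsb_release -cs)" into the sources list, so apt could
    # never resolve the Docker repository.
    echo "deb [arch=$(dpkg --print-architecture) signed-by=${keyring}] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" \
      > /etc/apt/sources.list.d/docker.list
    apt-get -qq update
    apt-get -qq -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
  fi
  systemctl daemon-reload
  systemctl enable --now docker

  # Membership of the docker group is root-equivalent on the host, so only the
  # invoking sudo user is added, and only when not already a member. The old
  # `grep -qv docker` test was true for any group list that was not exactly
  # "docker", so it re-added the user on every run; SUDO_USER is also unset
  # when the script is run directly as root, which set -u would have tripped on.
  local invoker="${SUDO_USER:-}"
  if [[ -n "$invoker" ]] && id -u "$invoker" >/dev/null 2>&1 \
     && ! id -nG "$invoker" | tr ' ' '\n' | grep -qx docker; then
    usermod -aG docker "$invoker"
    echo "Added $invoker to docker group (log out/in to take effect)."
  fi
  echo "✅ Docker installed and running."
}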
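#######################################
# Drop a login hook that attaches every interactive login shell to a
# persistent tmux session named "main" (creating it on first use).
# Globals:   none
# Arguments: none
# Outputs:   writes /etc/profile.d/auto_tmux.sh
# Returns:   0 (set -e aborts on write failure)
#######################################
setup_tmux_autoattach() {
  echo "Configuring tmux auto‑attach …"
  # /etc/profile.d snippets may be sourced by non-bash login shells (sh/dash),
  # where [[ ]] is a syntax error, so the hook is written in POSIX sh. $TMUX is
  # expanded with a default so it also survives a shell running under set -u.
  cat >/etc/profile.d/auto_tmux.sh <<'EOF'
# Auto‑attach to a persistent 'main' tmux session on login
if command -v tmux >/dev/null 2>&1; then
  # interactive shell, not already inside tmux
  case "$-" in
    *i*)
      if [ -z "${TMUX:-}" ]; then
        tmux attach -t main || tmux new -s main
      fi
      ;;
  esac
fi
EOF
  chmod +x /etc/profile.d/auto_tmux.sh
}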
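#######################################
# Site exceptions: set SELinux to disabled (AlmaLinux only) and turn off the
# host firewall on every host. Both widen the host's exposure — SELinux
# confinement is dropped and every listening service becomes reachable on the
# network — so this is the place to look when a host needs to be tightened.
# Globals:   OS_ID (read)
# Arguments: none
# Outputs:   progress messages on stdout, warnings on stderr
# Returns:   0; best-effort steps are tolerated with || true
#######################################
apply_security_exceptions() {
  if [[ $OS_ID == "almalinux" ]]; then
    echo "Disabling SELinux … (reboot required to take full effect)"
    # Switch the running kernel to permissive now; SELINUX=disabled only takes
    # effect after reboot. setenforce fails harmlessly if SELinux is already off.
    setenforce 0 || true
    # Guard the edit: with set -e a missing config file would abort the whole
    # run half-way through instead of just leaving the boot-time mode alone.
    if [[ -f /etc/selinux/config ]]; then
      sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
    else
      echo "warning: /etc/selinux/config not found; SELinux mode for next boot left unchanged" >&2
    fi
  fi
  echo "Disabling host firewall …"
  # Handle firewalld that is active *or* only enabled for next boot, so it
  # cannot come back after the reboot; fall back to ufw where firewalld is absent.
  if systemctl is-active firewalld &>/dev/null || systemctl is-enabled firewalld &>/dev/null; then
    systemctl disable --now firewalld
  elif command -v ufw &>/dev/null; then
    ufw --force disable || true
  fi
}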
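#######################################
# Apply all pending package updates, then reboot the host.
# Globals:   OS_ID (read)
# Arguments: none
# Outputs:   package-manager output and a status line on stdout
# Returns:   does not return on success (reboot); set -e aborts before the
#            reboot if an update step fails
#######################################
system_upgrade_and_reboot() {
  if [[ $OS_ID == "almalinux" ]]; then
    dnf -y update
  elif [[ $OS_ID == "ubuntu" ]]; then
    # Two statements rather than `update && full-upgrade`: set -e ignores a
    # failure on the left side of &&, so a failed `apt-get update` would have
    # fallen through to the "fully updated" message and rebooted anyway.
    apt-get -qq update
    apt-get -qq -y full-upgrade
  fi
  echo "System fully updated. Rebooting now …"
  reboot
}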
###############################################################################
# 1. Collect minimal interactive input
###############################################################################
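# Minimal interactive input. The password is read silently into a variable so
# it can later be handed to realm join on stdin rather than on argv (argv is
# visible to every user via ps).
read -rp "Service name (e.g. fileserver): " SERVICE
# SERVICE becomes the first hostname label; reject anything that is not a valid
# DNS label (an empty answer would otherwise produce "-mydns.<domain>").
if [[ ! "$SERVICE" =~ ^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$ ]]; then
  echo "error: service name must be a DNS label (letters, digits, hyphens; 1-63 chars)" >&2
  exit 1
fi
read -rp "AD user (without ent_ prefix): " ADUSER_RAW
if [[ -z "$ADUSER_RAW" ]]; then
  echo "error: AD user must not be empty" >&2
  exit 1
fi
# read on its own line: the previous `read … && echo` let a failed read (EOF)
# slip past set -e and continue to the domain join with an empty password.
read -rsp "AD password for ent_${ADUSER_RAW}: " ADPASSWORD
echo
ADUSER="ent_${ADUSER_RAW}"
HOST_FQDN="${SERVICE}-mydns.${DOMAIN_FQDN,,}"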
###############################################################################
# 2. Detect OS
###############################################################################
# Detect the distribution from /etc/os-release; only almalinux and ubuntu are
# handled by the sections below. OS_VER keeps just the major version (e.g. "10").
. /etc/os-release
OS_ID=$ID
OS_VER=${VERSION_ID%%.*}
printf 'Detected OS: %s %s\n' "$OS_ID" "$VERSION_ID"
###############################################################################
# 3. Set hostname
###############################################################################
# Apply the hostname built from the service name and the lower-cased domain.
printf 'Setting hostname to %s …\n' "${HOST_FQDN}"
hostnamectl set-hostname "${HOST_FQDN}"
###############################################################################
# 4. Configure proxy for all users (primary + commented backup)
###############################################################################
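# Proxy settings for all users via /etc/environment (read by pam_env at login).
# Existing non-proxy entries are preserved — Ubuntu installs typically ship a
# PATH= line here, which the previous unconditional overwrite discarded — and
# stale proxy entries from an earlier run are dropped so re-running the script
# does not accumulate duplicates. The previous content is kept in a .bak copy.
ENV_FILE=/etc/environment
NO_PROXY_LIST="127.0.0.1,localhost,.localdomain,172.30.0.0/20,172.26.21.0/24"
if [[ -f "$ENV_FILE" ]]; then
  cp -p -- "$ENV_FILE" "${ENV_FILE}.bak"
  # grep exits 1 when nothing survives the filter (e.g. an empty file); that is
  # not an error here.
  grep -viE '^#?[[:space:]]*((https?|ftp|no)_proxy=|Backup proxy)' "${ENV_FILE}.bak" >"$ENV_FILE" || true
fi
cat >>"$ENV_FILE" <<EOF
http_proxy="${HTTP_PROXY}"
https_proxy="${HTTP_PROXY}"
ftp_proxy="${HTTP_PROXY}"
no_proxy="${NO_PROXY_LIST}"
HTTP_PROXY="${HTTP_PROXY}"
HTTPS_PROXY="${HTTP_PROXY}"
FTP_PROXY="${HTTP_PROXY}"
NO_PROXY="${NO_PROXY_LIST}"
# Backup proxy (uncomment to switch)
# http_proxy="http://172.42.4.14:8080/"
# https_proxy="http://172.42.4.14:8080/"
EOF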
###############################################################################
# 5. Set fastestmirror (Alma) + core repos
###############################################################################
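# AlmaLinux repositories: fastestmirror, CRB (some EPEL packages depend on it)
# and EPEL itself.
if [[ $OS_ID == "almalinux" ]]; then
  grep -q '^fastestmirror=1' /etc/dnf/dnf.conf || echo 'fastestmirror=1' >>/etc/dnf/dnf.conf
  # `dnf config-manager` is provided by dnf-plugins-core, which a minimal
  # install may lack; install_docker makes the same provision before using it.
  dnf -y install dnf-plugins-core
  dnf -y config-manager --set-enabled crb
  if [[ $OS_VER -eq 10 ]]; then
    # presumably epel-release is not yet shipped in the AlmaLinux 10 repos, so
    # the package is fetched from Fedora directly.
    # NOTE(review): a URL-installed RPM is only signature-checked when dnf's
    # localpkg_gpgcheck is enabled — confirm the EPEL key is trusted on this image.
    dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm
  else
    dnf -y install epel-release
  fi
fi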
###############################################################################
# 6. Install baseline packages
###############################################################################
# Baseline packages: the realmd/SSSD stack for the AD join plus admin tooling.
# Any other distribution is rejected here, before anything else is changed.
if [[ $OS_ID == "almalinux" ]]; then
  base_pkgs=(
    realmd sssd oddjob oddjob-mkhomedir adcli
    samba-common-tools authselect nano curl wget
    htop btop net-tools git zip unzip tar freeipa-client tmux
  )
  dnf -y install "${base_pkgs[@]}"
elif [[ $OS_ID == "ubuntu" ]]; then
  base_pkgs=(
    realmd sssd sssd-tools libnss-sss libpam-sss
    adcli samba-common-bin oddjob oddjob-mkhomedir
    packagekit nano curl wget htop btop net-tools
    git zip unzip tar freeipa-client tmux
  )
  apt-get -qq update
  apt-get -qq -y install "${base_pkgs[@]}"
else
  echo "Unsupported OS $OS_ID"
  exit 1
fi
###############################################################################
# 7. Apply security exceptions (SELinux, firewall)
###############################################################################
apply_security_exceptions
###############################################################################
# 8. DNS & /etc/hosts
###############################################################################
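# Point the resolver at the domain controller and pin a few names in /etc/hosts.
# NOTE(review): /etc/resolv.conf is replaced with a plain file; on images where
# NetworkManager or systemd-resolved manages it, that file may be rewritten on
# the next network change — confirm the setting persists on the target image.
rm -f /etc/resolv.conf
cat >/etc/resolv.conf <<EOF
search ${DOMAIN_FQDN}
nameserver ${DC_DNS_IP}
EOF
# -F -w: match the address literally and as a whole word. The previous bare
# pattern treated each dot as "any character" and also matched a longer
# address that merely starts with these digits, so the record could be skipped.
grep -qwF -- "${DC_DNS_IP}" /etc/hosts || cat >>/etc/hosts <<EOF
${DC_DNS_IP} ${DOMAIN_FQDN} ${DOMAIN_NETBIOS}
EOF
# NOTE(review): this pins DC_HOST_A to the domain controller's address, while
# the manual procedure that accompanies this script lists mydns-0ic16 under
# 172.16.21.16 — confirm which address is intended before relying on this record.
grep -qwF -- "${DC_HOST_A}" /etc/hosts || cat >>/etc/hosts <<EOF
${DC_DNS_IP} ${DC_HOST_A%%.*} ${DC_HOST_A}
EOF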
###############################################################################
# 9. Discover and join realm
###############################################################################
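# Discover, then join. The Kerberos realm is the upper-cased DNS domain
# (M21.GOV.LOCAL), which is also what the manual procedure accompanying this
# script uses; the previous "${DOMAIN_NETBIOS}.${DOMAIN_FQDN^^}" form produced
# M21.M21.GOV.LOCAL. The password is supplied on stdin, never on the command line.
realm discover "${DOMAIN_FQDN}" || true
printf '%s' "${ADPASSWORD}" | realm join -U "${ADUSER}@${DOMAIN_FQDN^^}" "${DOMAIN_FQDN}" --verbose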
###############################################################################
# 10. Configure SSSD
###############################################################################
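# SSSD configuration, replacing what realm join generated.
SSSD_CONF=/etc/sssd/sssd.conf
# Create the file with mode 0600 *before* filling it, so it is never readable
# by other users even briefly (sssd also refuses to start on a wider mode).
install -m 0600 -o root -g root /dev/null "${SSSD_CONF}"
# krb5_realm is the upper-cased DNS domain (M21.GOV.LOCAL), matching the manual
# procedure that accompanies this script; "${DOMAIN_NETBIOS}.${DOMAIN_FQDN^^}"
# produced M21.M21.GOV.LOCAL.
# ad_gpo_access_control = permissive: GPO logon rules are evaluated and logged
# but not enforced — the "login without wifi" case in the manual notes.
cat >"${SSSD_CONF}" <<EOF
[sssd]
domains = ${DOMAIN_FQDN}
config_file_version = 2
services = nss, pam
[nss]
homedir_substring = /home
[domain/${DOMAIN_FQDN}]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = ${DOMAIN_FQDN^^}
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
ad_domain = ${DOMAIN_FQDN}
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
ad_gpo_access_control = permissive
EOF
if [[ $OS_ID == "almalinux" ]]; then
  authselect select sssd with-mkhomedir --force
  # with-mkhomedir uses pam_oddjob_mkhomedir, which needs the oddjobd service.
  systemctl enable --now oddjobd
elif [[ $OS_ID == "ubuntu" ]]; then
  pam-auth-update --enable mkhomedir --force
fi
systemctl restart sssd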
###############################################################################
# 11. Sudoers for ICT group
###############################################################################
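# Sudo for the ICT AD group. The rule is validated in a temporary file *before*
# it is placed in /etc/sudoers.d: a syntactically broken drop-in disables sudo
# for everyone on the host, and the previous order wrote first and checked after.
SUDOFILE=/etc/sudoers.d/ict_ad_group
SUDO_TMP=$(mktemp)
# %% is a literal percent sign in the printf format; the group name is data.
printf '%%%s ALL=(ALL:ALL) ALL\n' "${ICT_AD_GROUP}" >"${SUDO_TMP}"
if visudo -cf "${SUDO_TMP}" >/dev/null; then
  install -m 0440 -o root -g root -- "${SUDO_TMP}" "${SUDOFILE}"
  rm -f -- "${SUDO_TMP}"
else
  rm -f -- "${SUDO_TMP}"
  echo "error: generated sudoers rule failed validation; ${SUDOFILE} not written" >&2
  exit 1
fi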
###############################################################################
# 12. Optional Docker
###############################################################################
# Docker is opt-in (exactly "y" or "Y"); the tmux hook is always installed.
read -rp $'\nWould you like to install Docker? [y/N]: ' INSTALL_DOCKER
case "$INSTALL_DOCKER" in
  [Yy]) install_docker ;;
  *) echo "Skipping Docker installation." ;;
esac
###############################################################################
# 13. tmux auto‑attach (always enabled)
###############################################################################
setup_tmux_autoattach
###############################################################################
# 14. Optional full upgrade + reboot
###############################################################################
# Optional full upgrade followed by an immediate reboot (the helper does not
# return when it succeeds).
read -rp $'\nRun a full system upgrade and reboot when complete? [y/N]: ' RUN_UPDATES
case "$RUN_UPDATES" in
  [Yy]) system_upgrade_and_reboot ;;
esac
###############################################################################
# 15. Finish line
###############################################################################
# Closing summary. The Docker hint is shown only when it was requested *and*
# actually installable (install_docker skips AlmaLinux 10).
printf '\n\033[1;32m✅ Finished — %s is joined to %s.\033[0m\n' "${HOST_FQDN}" "${DOMAIN_NETBIOS}"
docker_skipped=0
if [[ $OS_ID == "almalinux" && $OS_VER -eq 10 ]]; then
  docker_skipped=1
fi
if [[ "$INSTALL_DOCKER" =~ ^[Yy]$ ]] && (( docker_skipped == 0 )); then
  echo " Docker installed. Log out/in to use the 'docker' group."
fi
echo " Log out and back in to start tmux auto‑attach, or run 'tmux attach -t main' now."
echo " Verify your AD account with: id ${ADUSER_RAW}"
DISABLE WAYLAND FOR SUPPORT MESH COMPATIBILITY
1 | From the initial boot after installation on the login screen |
2 | Select your account and go to the bottom right to click the gear icon |
3 | Select Gnome on Xorg |
4 | Input password to proceed with login |
Open Terminal
sudo -i
nano /etc/gdm/custom.conf
1 | Go to the line #WaylandEnable=false and delete the leading '#' so it reads WaylandEnable=false |
2 | To exit: CTRL + 'X' |
3 | Select 'Y' for yes |
4 | To save: 'enter' key |
sudo dnf update -y
sudo reboot
******************************COMPLETED*******************************
CHANGE COMPUTER NAME
1 |
Open Terminal. PC name example: MYDNS-IT-C12-L.M21.GOV.LOCAL |
2 | sudo hostnamectl set-hostname mydns-it-c12-l.m21.gov.local |
******************************COMPLETED*******************************
TO JOIN THE DOMAIN
Open Terminal
sudo nano /etc/environment
Add the following line to the file:
http_proxy="http://172.40.4.14:8080/"
https_proxy="http://172.40.4.14:8080/"
ftp_proxy="http://172.40.4.14:8080/"
no_proxy=127.0.0.1,localhost,.localdomain,172.30.0.0/20,172.26.21.0/24
HTTP_PROXY="http://172.40.4.14:8080/"
HTTPS_PROXY="http://172.40.4.14:8080/"
FTP_PROXY="http://172.40.4.14:8080/"
NO_PROXY=127.0.0.1,localhost,.localdomain,172.30.0.0/20,172.26.21.0/24
1 | To exit: CTRL + 'X' |
2 | Select 'Y' for yes |
3 |
To save: 'enter' key |
4 |
Log out and back in again |
sudo nano /etc/dnf/dnf.conf
Add the following line to the file:
fastestmirror=1
1 | To exit: CTRL + 'X' |
2 | Select 'Y' for yes |
3 |
To save: 'enter' key |
On Fedora
sudo dnf -y install epel-release && sudo dnf -y install realmd sssd oddjob oddjob-mkhomedir adcli samba-common-tools authselect nano curl wget htop btop net-tools git zip unzip tar freeipa-client tmux
On Ubuntu
sudo apt -y install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit nano curl wget htop btop net-tools git zip unzip tar freeipa-client tmux
Fix DNS
sudo unlink /etc/resolv.conf
sudo nano /etc/resolv.conf
Input the IP Address and the Domain Name into file
search m21.gov.local
nameserver 172.16.21.161
1 | To exit: CTRL + 'X' |
2 | Select 'Y' for yes |
3 | To save: 'enter' key |
sudo nano /etc/hosts
Input the following lines into file
172.16.21.161 m21.gov.local M21.GOV.LOCAL
172.16.21.16 mydns-0ic16.m21.gov.local mydns-0ic16
1 | To exit: CTRL + 'X' |
2 | Select 'Y' for yes |
3 | To save: 'enter' key |
sudo realm discover M21.GOV.LOCAL
ping -c 4 M21.GOV.LOCAL
To stop ping: CTRL + 'C' |
sudo realm join -U ent_username@M21.GOV.LOCAL m21.gov.local -v
Input Ent Account Password
To confirm that the join succeeded, run the realm join command again; you should see "Already joined to this domain".
******************************COMPLETED*******************************
GROUP POLICY CONFLICT RESOLVE (to login without wifi)
Open Terminal
sudo nano /etc/sssd/sssd.conf
Input at the end of the file
ad_gpo_access_control = permissive
Your "/etc/sssd/sssd.conf" should look like this. Either make the necessary changes, or replace the file's entire contents by pasting this in (in nano, CTRL + K cuts a whole line, so you can cut lines until the file is empty).
[sssd]
domains = m21.gov.local
config_file_version = 2
services = nss, pam
[nss]
homedir_substring = /home
[domain/m21.gov.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = M21.GOV.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
ad_domain = m21.gov.local
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
ad_gpo_access_control = permissive
1 | To exit: CTRL + 'X' |
2 | Select 'Y' for yes |
3 | To save: 'enter' key |
On Fedora
sudo authselect select sssd with-mkhomedir
sudo systemctl restart sssd
On Ubuntu
sudo pam-auth-update --enable mkhomedir
sudo systemctl restart sssd
On CentOS 7
sudo authconfig --enablesssdauth --enablesssd --enablemkhomedir --updateall
sudo systemctl restart sssd
******************************COMPLETED*******************************
TO MAKE AD ACCOUNT A SUDOER
Open Terminal
sudo nano /etc/sudoers.d/domain_admins
1 |
Input line : firstname.lastname ALL=(ALL) ALL |
2 |
To allow all ICT Staff: %MYDNS\ ICT\ Staff\ SG ALL=(ALL:ALL) ALL |
cn=mydns ict staff sg,ou=security groups_m21,ou=mydns,dc=m21,dc=gov,dc=local |
|
3 | To exit: CTRL + 'X' |
4 | Select 'Y' for yes |
5 | To save: 'enter' key |
******************************COMPLETED*******************************
1 | Launch the Files app -> OTHER LOCATIONS -> Bottom of window to enter address |
2 | Input: smb://172.16.21.16/ |
3 | Toggle on REGISTERED USER |
4 | Input: YOUR DOMAIN ACCOUNT USERNAME and PASSWORD |
5 | Domain: M21.GOV.LOCAL or 172.16.21.161 |
******************************COMPLETED*******************************
TO ADD PRINTER
Open Terminal
HP Printers
dnf search hplip
sudo dnf install hplip hplip-gui -y
hp-setup
hp-setup <printer IP address>   (replace the placeholder with the printer's IP address)
1 | Select detected printer |
2 | Follow next prompt until the end |
XEROX Printers
Open Terminal
wget http://download.support.xerox.com/pub/drivers/CQ8580/drivers/linux/pt_BR/XeroxOfficev5Pkg-Linuxx86_64-5.20.661.4684.rpm
sudo dnf -y localinstall XeroxOfficev5Pkg-Linuxx86_64-5.20.661.4684.rpm (the package is fetched over plain HTTP, so check its signature or checksum against the value the vendor publishes before installing)
NOTE: DO NOT PRINT A TEST PAGE!! Print a regular text document to test
******************************COMPLETED*******************************
TO REPLACE FEDORA LOGO
Download Image and rename as: MYDNS-Logo
1 | Go to EXTENSION MANAGER -> SYSTEM EXTENSIONS -> BACKGROUND LOGO |
2 | Click on the gear icon to get the background settings |
3 |
Go to LOGO -> Filename to attach the MYDNS-Logo.png file -> Filename (dark) to attach the MYDNS-Logo.png file |
4 | Scroll down to OPTIONS -> Toggle on Show for all backgrounds |
******************************COMPLETED*******************************
Browse to 172.16.21.16>fileserver2>General>IT FILES>prx and copy the GORTT.pem file to a folder on the local machine.
Adding Certificate File to Local Machine (Ubuntu)
Browse to 172.16.21.16>fileserver2>General>IT FILES>prx and copy the GORTT.pem file to a folder on the local machine.
sudo apt-get install -y ca-certificates
openssl x509 -in GORTT.pem -out GORTT.crt
- Move the certificate file to the proper location with the following command:
sudo mv GORTT.crt /usr/local/share/ca-certificates
- Update trusted certificates with the following command:
sudo update-ca-certificates
HELPFUL APPS
1 |
Extension Manager
flatpak install flathub com.mattjakeman.ExtensionManager |
2 | GNOME Tweaks ( sudo dnf install gnome-tweaks ) |
3 |
OnlyOffice: download https://download.onlyoffice.com/install/desktop/editors/linux/onlyoffice-desktopeditors.x86_64.rpm, then run: sudo dnf -y localinstall onlyoffice-desktopeditors.x86_64.rpm |
4 |
Element
flatpak install flathub im.riot.Riot |
5 |
Google Chrome (Fedora)
wget https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm
sudo dnf -y localinstall google-chrome-stable_current_x86_64.rpm |
6 |
Google Chrome (Ubuntu)
sudo apt install curl software-properties-common apt-transport-https ca-certificates -y
curl -fSsL https://dl.google.com/linux/linux_signing_key.pub | gpg --dearmor | sudo tee /usr/share/keyrings/google-chrome.gpg > /dev/null
echo deb [arch=amd64 signed-by=/usr/share/keyrings/google-chrome.gpg] http://dl.google.com/linux/chrome/deb/ stable main | sudo tee /etc/apt/sources.list.d/google-chrome.list
sudo apt update
sudo apt -y install google-chrome-stable |
HELPFUL EXTENSIONS
1 | Dash to Dock - Displays a dynamic centered Taskbar |
2 | Dash to Panel - Displays screen width static Taskbar |
3 | Vitals - displays the PC health at the top right |
4 | Desktop icons NG (Ding) - display anything saved to desktop |
5 | Clipboard History - enables clipboard history tool |
******************************COMPLETED*******************************