add server configurations

fedora_server.md

@@ -0,0 +1,238 @@
+# Fedora Server
+
+- [Fedora Server](#fedora-server)
+  - [First boot](#first-boot)
+  - [Release Upgrade](#release-upgrade)
+  - [Tweaks](#tweaks)
+  - [systemd-cryptenroll](#systemd-cryptenroll)
+  - [Certbot for Cockpit](#certbot-for-cockpit)
+
+## First boot
+
+1. Disable selinux (edit `/etc/selinux/config`)
+2. Disable firewall
+3. Install all updates
+4. Enable automatic security updates
+5. Reboot
+6. Refresh application page
+7. Install Podman application
+8. Install Machines application
+9. Change hostname
+10. Reboot
+11. Grow your root volume to max size
+12. Create a network bridge (bridge0)
+13. Enable metrics in the metrics section
+
+## Release Upgrade
+
+```bash
+dnf upgrade --refresh
+dnf install dnf-plugin-system-upgrade
+dnf system-upgrade download --releasever=39
+dnf system-upgrade reboot
+```
+
+## Tweaks
+
+1. Stop resolvd from listening on port 53
+
+Edit `/etc/systemd/resolved.conf`
+
+```conf
+DNSStubListener=no
+```
+
+2. Install podman-compose
+
+```bash
+dnf install podman-compose
+```
+
+## systemd-cryptenroll
+
+```bash
+dnf install tpm2-tss
+
+# Add decryption key to tpm.
+# For machines where prioritizing a secure boot environment is important we need to
+# specify --tpm2-pcrs=0+7 -- 0 meaning the firmware has not changed and 7 meaning
+# secure boot is enabled
+systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7
+
+# Add tpm2-tss to dracut
+# Edit /etc/dracut.conf.d/tpm2.conf
+add_dracutmodules+=" tpm2-tss "
+
+dracut -f
+```
+
+## Certbot for Cockpit
+
+During this process you'll pick one node to act as your manager for your other nodes.
+You'll only need to cert a single node and then it will connect via ssh over your local
+network to the other nodes.
+
+Create an AWS user which will have route53 access. This is required for certbot's route53
+validation.
+
+```bash
+export username=<hostname>
+aws iam create-user --user-name $username
+```
+
+You'll also need a policy which allows the user to modify the selected hosted zone:
+
+(list with `aws route53 list-hosted-zones`)
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "route53:ListHostedZones",
+                "route53:GetChange"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect" : "Allow",
+            "Action" : [
+                "route53:ChangeResourceRecordSets"
+            ],
+            "Resource" : [
+                "arn:aws:route53:::hostedzone/Z0092652G7L97DSINN18"
+            ]
+        }
+    ]
+}
+```
+
+Attach the policy to the user:
+
+```bash
+aws iam attach-user-policy \
+    --user-name $username \
+    --policy-arn arn:aws:iam::892236928704:policy/certbot-route53-reeselink
+```
+
+Generate credentials:
+
+```bash
+aws iam create-access-key --user-name $username
+```
+
+On the host machine:
+
+```bash
+sudo su -
+mkdir ~/.aws
+vim ~/.aws/config
+```
+
+```conf
+[profile default]
+region=us-east-2
+```
+
+```bash
+sudo su -
+vim ~/.aws/credentials
+```
+
+```conf
+[default]
+aws_access_key_id=
+aws_secret_access_key=
+```
+
+Install the aws cli v2 on the manager node:
+
+```bash
+sudo su -
+curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+unzip awscliv2.zip
+./aws/install
+```
+
+Test your credentials with `aws route53 list-hosted-zones`. You should see as list of your
+hosted zones.
+
+Now install certbot and acquire a cert using those credentials:
+
+```bash
+sudo su -
+export record=orange.reeselink.com
+dnf install certbot python3-certbot-dns-route53
+certbot certonly --dns-route53 -d $record
+
+cp /etc/letsencrypt/live/$record/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
+cp /etc/letsencrypt/live/$record/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key
+
+systemctl restart cockpit.service
+```
+
+Test the renewal process with:
+
+```bash
+sudo su -
+export record=orange.reeselink.com
+certbot renew --cert-name $record --dry-run
+mkdir -p /usr/lib/scripts
+```
+
+Create a renewal script in /usr/lib/scripts/certbot-renew.sh
+
+/usr/lib/scripts/certbot-renew.sh
+
+```bash
+#!/bin/bash
+
+/usr/bin/certbot renew --cert-name $record
+/usr/bin/cp -f /etc/letsencrypt/live/$record/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
+/usr/bin/cp -f /etc/letsencrypt/live/$record/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key
+```
+
+```bash
+:%s/$record/yellow.reeselink.com/g
+
+chmod +x /usr/lib/scripts/certbot-renew.sh
+```
+
+Now create a systemd oneshot service to run the script
+
+/etc/systemd/system/certbot-renew.service
+
+```conf
+[Unit]
+Description=Certbot Renewal
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/scripts/certbot-renew.sh
+```
+
+/etc/systemd/system/certbot-renew.timer
+
+```conf
+[Unit]
+Description=Timer for Certbot Renewal
+
+[Timer]
+OnBootSec=300
+OnUnitActiveSec=1w
+
+[Install]
+WantedBy=multi-user.target
+```
+
+Enable the service
+
+```bash
+systemctl enable --now certbot-renew.timer
+```
+
+Cockpit now has a valid TLS certificate that auto-renews!