add server configurations

2024-01-16 22:58:52 -05:00
parent ee7d919533
commit f25b28aa56
5 changed files with 580 additions and 4 deletions
--- a/arch/base.md
+++ b/arch/base.md
@@ -18,6 +18,7 @@ I have instructions for building a:
    - [Security](#security)
      - [Secure Boot](#secure-boot)
      - [TPM2 LUKS Decryption](#tpm2-luks-decryption)
        - [Re-enroll](#re-enroll)
      - [FIDO2 LUKS Decryption](#fido2-luks-decryption)
      - [Firewall](#firewall)
      - [AppArmor](#apparmor)
@@ -50,6 +51,7 @@ I have instructions for building a:
  - [Apps](#apps)
    - [Firefox](#firefox)
      - [Gnome Extensions](#gnome-extensions)
    - [Avahi (Bonjour)](#avahi-bonjour)
    - [CUPS Printing](#cups-printing)
    - [Yubikey](#yubikey)
  - [Bashrc](#bashrc)
@@ -339,6 +341,13 @@ Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure b
 1. `pacman -S tpm2-tss`
 2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7`
 ##### Re-enroll
 ```bash
 systemd-cryptenroll /dev/nvme0n1p2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7
 systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7
 ```
 #### FIDO2 LUKS Decryption
 1. `pacman -S libfido2`
@@ -946,13 +955,31 @@ Choose noto-fonts
 3. dash-to-dock@micxgx.gmail.com
 4. tactile@lundal.io
-### CUPS Printing
+### Avahi (Bonjour)
-1. `sudo pacman -S cups cups-pdf avahi system-config-printer`
+1. `sudo pacman -S avahi`
 2. `sudo vim /etc/nsswitch.conf`
    ```conf
-    hosts: mymachines mdns_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
+    hosts: mymachines mdns [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
    ```
 3. `sudo vim /etc/mdns.allow`
    ```conf
    .local.
    .local
    ```
 ### CUPS Printing
 Note: you probably need avahi (see above)
 1. `sudo pacman -S cups cups-pdf system-config-printer`
 2. `sudo vim /etc/nsswitch.conf`
    ```conf
    hosts: mymachines mdns [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
    ```
 3. `sudo systemctl start cups`
--- a/arch/workstation.md
+++ b/arch/workstation.md
@@ -1,6 +1,9 @@
 # Workstation
 - [Workstation](#workstation)
  - [Framework AMD Notes](#framework-amd-notes)
    - [Wifi](#wifi)
    - [Microcode](#microcode)
  - [Base Tools](#base-tools)
  - [ZSH](#zsh)
    - [Aliases](#aliases)
@@ -31,8 +34,38 @@
  - [AWS CLI](#aws-cli)
  - [NSlookup](#nslookup)
  - [rpi-imager](#rpi-imager)
    - [Install rpi-imager](#install-rpi-imager)
    - [Upgrade rpi-imager](#upgrade-rpi-imager)
  - [qFlipper](#qflipper)
 ## Framework AMD Notes
 ### Wifi
 Install the wireless-regdb to set the regulatory domain to US
 ```bash
 pacman -S wireless-regdb
 ```
 Edit /etc/conf.d/wireless-regdom to set the domain
 ### Microcode
 ```bash
 pacman -S amd-ucode
 ```
 Edit /boot/loader/entries/.conf and add the following:
 ```bash
 title       Arch Linux (Work)
 linux       /vmlinuz-linux
 initrd      /amd-ucode.img
 initrd      /initramfs-linux.img
 options     ...
 ```
 ## Base Tools
 ```bash
@@ -429,7 +462,31 @@ pacman -Syu bind
 sudo pacman -S cmake qt5-base
 ```
-follow install instructions
+### Install rpi-imager
 ```bash
 git clone https://github.com/raspberrypi/rpi-imager.git
 cd rpi-imager
 mkdir -p build
 cd build
 cmake ../src
 make
 sudo make install
 ```
 ### Upgrade rpi-imager
 ```bash
 ```bash
 cd rpi-imager
 git pull
 rm -r build
 mkdir -p build
 cd build
 cmake ../src
 make
 sudo make install
 ```
 ## qFlipper
--- a/fedora_server.md
+++ b/fedora_server.md
@@ -0,0 +1,238 @@
 # Fedora Server
 - [Fedora Server](#fedora-server)
  - [First boot](#first-boot)
  - [Release Upgrade](#release-upgrade)
  - [Tweaks](#tweaks)
  - [systemd-cryptenroll](#systemd-cryptenroll)
  - [Certbot for Cockpit](#certbot-for-cockpit)
 ## First boot
 1. Disable selinux (edit `/etc/selinux/config`)
 2. Disable firewall
 3. Install all updates
 4. Enable automatic security updates
 5. Reboot
 6. Refresh application page
 7. Install Podman application
 8. Install Machines application
 9. Change hostname
 10. Reboot
 11. Grow your root volume to max size
 12. Create a network bridge (bridge0)
 13. Enable metrics in the metrics section
 ## Release Upgrade
 ```bash
 dnf upgrade --refresh
 dnf install dnf-plugin-system-upgrade
 dnf system-upgrade download --releasever=39
 dnf system-upgrade reboot
 ```
 ## Tweaks
 1. Stop resolvd from listening on port 53
 Edit `/etc/systemd/resolved.conf`
 ```conf
 DNSStubListener=no
 ```
 2. Install podman-compose
 ```bash
 dnf install podman-compose
 ```
 ## systemd-cryptenroll
 ```bash
 dnf install tpm2-tss
 # Add decryption key to tpm.
 # For machines where prioritizing a secure boot environment is important we need to
 # specify --tpm2-pcrs=0+7 -- 0 meaning the firmware has not changed and 7 meaning
 # secure boot is enabled
 systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7
 # Add tpm2-tss to dracut
 # Edit /etc/dracut.conf.d/tpm2.conf
 add_dracutmodules+=" tpm2-tss "
 dracut -f
 ```
 ## Certbot for Cockpit
 During this process you'll pick one node to act as your manager for your other nodes.
 You'll only need to cert a single node and then it will connect via ssh over your local
 network to the other nodes.
 Create an AWS user which will have route53 access. This is required for certbot's route53
 validation.
 ```bash
 export username=<hostname>
 aws iam create-user --user-name $username
 ```
 You'll also need a policy which allows the user to modify the selected hosted zone:
 (list with `aws route53 list-hosted-zones`)
 ```json
 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "route53:GetChange"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect" : "Allow",
            "Action" : [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource" : [
                "arn:aws:route53:::hostedzone/Z0092652G7L97DSINN18"
            ]
        }
    ]
 }
 ```
 Attach the policy to the user:
 ```bash
 aws iam attach-user-policy \
    --user-name $username \
    --policy-arn arn:aws:iam::892236928704:policy/certbot-route53-reeselink
 ```
 Generate credentials:
 ```bash
 aws iam create-access-key --user-name $username
 ```
 On the host machine:
 ```bash
 sudo su -
 mkdir ~/.aws
 vim ~/.aws/config
 ```
 ```conf
 [profile default]
 region=us-east-2
 ```
 ```bash
 sudo su -
 vim ~/.aws/credentials
 ```
 ```conf
 [default]
 aws_access_key_id=
 aws_secret_access_key=
 ```
 Install the aws cli v2 on the manager node:
 ```bash
 sudo su -
 curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
 unzip awscliv2.zip
 ./aws/install
 ```
 Test your credentials with `aws route53 list-hosted-zones`. You should see as list of your
 hosted zones.
 Now install certbot and acquire a cert using those credentials:
 ```bash
 sudo su -
 export record=orange.reeselink.com
 dnf install certbot python3-certbot-dns-route53
 certbot certonly --dns-route53 -d $record
 cp /etc/letsencrypt/live/$record/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
 cp /etc/letsencrypt/live/$record/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key
 systemctl restart cockpit.service
 ```
 Test the renewal process with:
 ```bash
 sudo su -
 export record=orange.reeselink.com
 certbot renew --cert-name $record --dry-run
 mkdir -p /usr/lib/scripts
 ```
 Create a renewal script in /usr/lib/scripts/certbot-renew.sh
 /usr/lib/scripts/certbot-renew.sh
 ```bash
 #!/bin/bash
 /usr/bin/certbot renew --cert-name $record
 /usr/bin/cp -f /etc/letsencrypt/live/$record/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
 /usr/bin/cp -f /etc/letsencrypt/live/$record/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key
 ```
 ```bash
 :%s/$record/yellow.reeselink.com/g
 chmod +x /usr/lib/scripts/certbot-renew.sh
 ```
 Now create a systemd oneshot service to run the script
 /etc/systemd/system/certbot-renew.service
 ```conf
 [Unit]
 Description=Certbot Renewal
 [Service]
 Type=oneshot
 ExecStart=/usr/lib/scripts/certbot-renew.sh
 ```
 /etc/systemd/system/certbot-renew.timer
 ```conf
 [Unit]
 Description=Timer for Certbot Renewal
 [Timer]
 OnBootSec=300
 OnUnitActiveSec=1w
 [Install]
 WantedBy=multi-user.target
 ```
 Enable the service
 ```bash
 systemctl enable --now certbot-renew.timer
 ```
 Cockpit now has a valid TLS certificate that auto-renews!
--- a/octopi.md
+++ b/octopi.md
@@ -0,0 +1,81 @@
 # OctoPi Setup
 ## GCode Snippers
 ### After Pause
 ```text
 {% if pause_position.x is not none %}
 ; relative XYZE
 G91
 M83
 ; retract filament of 0.8 mm up, move Z slightly upwards and 
 G1 Z+5 E-0.8 F4500
 ; absolute XYZE
 M82
 G90
 ; move to a safe rest position, adjust as necessary
 G1 X0 Y0
 {% endif %}
 ```
 ### After Resume
 ```text
 {% if pause_position.x is not none %}
 ; relative extruder
 M83
 ; prime nozzle
 G1 E-0.8 F4500
 G1 E0.8 F4500
 G1 E0.8 F4500
 ; absolute E
 M82
 ; absolute XYZ
 G90
 ; reset E
 G92 E{{ pause_position.e }}
 ; WARNING!!! - use M83 or M82(extruder absolute mode) according what your slicer generates
 M83 ; extruder relative mode
 ; move back to pause position XYZ
 G1 X{{ pause_position.x }} Y{{ pause_position.y }} Z{{ pause_position.z }} F4500
 ; reset to feed rate before pause if available
 {% if pause_position.f is not none %}G1 F{{ pause_position.f }}{% endif %}
 {% endif %}
 ```
 ## Plugins
 ## Bed Visualizer
 ```text
 M140 S60 ; starting by heating the bed for nominal mesh accuracy
 M117 Homing all axes ; send message to printer display
 G28      ; home all axes
 M420 S0  ; Turning off bed leveling while probing, if firmware is set
         ; to restore after G28
 M117 Heating the bed ; send message to printer display
 M190 S60 ; waiting until the bed is fully warmed up
 M300 S1000 P500 ; chirp to indicate bed mesh levels is initializing
 M117 Creating the bed mesh levels ; send message to printer display
 M155 S30 ; reduce temperature reporting rate to reduce output pollution
@BEDLEVELVISUALIZER	; tell the plugin to watch for reported mesh
 G29 T	   ; run bilinear probing
 M155 S3  ; reset temperature reporting
 M140 S0 ; cooling down the bed
 M500 ; store mesh in EEPROM
 M300 S440 P200 ; make calibration completed tones
 M300 S660 P250
 M300 S880 P300
 M117 Bed mesh levels completed ; send message to printer display
 ```
--- a/ubuntu_server.md
+++ b/ubuntu_server.md
@@ -0,0 +1,173 @@
 # Ubuntu Server
 ## Certbot for Cockpit
 During this process you'll pick one node to act as your manager for your other nodes.
 You'll only need to cert a single node and then it will connect via ssh over your local
 network to the other nodes.
 Create an AWS user which will have route53 access. This is required for certbot's route53
 validation.
 ```bash
 export username=<hostname>
 aws iam create-user --user-name $username
 ```
 You'll also need a policy which allows the user to modify the selected hosted zone:
 (list with `aws route53 list-hosted-zones`)
 ```json
 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "route53:GetChange"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect" : "Allow",
            "Action" : [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource" : [
                "arn:aws:route53:::hostedzone/Z0092652G7L97DSINN18"
            ]
        }
    ]
 }
 ```
 Attach the policy to the user:
 ```bash
 aws iam attach-user-policy \
    --user-name $username \
    --policy-arn arn:aws:iam::892236928704:policy/certbot-route53-reeselink
 ```
 Generate credentials:
 ```bash
 aws iam create-access-key --user-name $username
 ```
 On the host machine:
 ```bash
 sudo su -
 mkdir ~/.aws
 vim ~/.aws/config
 ```
 ```conf
 [profile default]
 region=us-east-2
 ```
 ```bash
 sudo su -
 vim ~/.aws/credentials
 ```
 ```conf
 [default]
 aws_access_key_id=
 aws_secret_access_key=
 ```
 Install the aws cli v2 on the manager node:
 ```bash
 sudo su -
 curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
 apt update && apt install -y unzip
 unzip awscliv2.zip
 ./aws/install
 ```
 Test your credentials with `aws route53 list-hosted-zones`. You should see as list of your
 hosted zones.
 Now install certbot and acquire a cert using those credentials:
 ```bash
 sudo su -
 export record=orange.reeselink.com
 apt update && apt install -y certbot python3-certbot-dns-route53
 certbot certonly --dns-route53 -d $record
 cp /etc/letsencrypt/live/$record/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
 cp /etc/letsencrypt/live/$record/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key
 systemctl restart cockpit.service
 ```
 Test the renewal process with:
 ```bash
 sudo su -
 export record=orange.reeselink.com
 certbot renew --cert-name $record --dry-run
 mkdir -p /usr/lib/scripts
 ```
 Create a renewal script in /usr/lib/scripts/certbot-renew.sh
 /usr/lib/scripts/certbot-renew.sh
 ```bash
 #!/bin/bash
 /usr/bin/certbot renew --cert-name $record
 /usr/bin/cp -f /etc/letsencrypt/live/$record/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
 /usr/bin/cp -f /etc/letsencrypt/live/$record/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key
 ```
 ```bash
 :%s/$record/yellow.reeselink.com/g
 chmod +x /usr/lib/scripts/certbot-renew.sh
 ```
 Now create a systemd oneshot service to run the script
 /etc/systemd/system/certbot-renew.service
 ```conf
 [Unit]
 Description=Certbot Renewal
 [Service]
 Type=oneshot
 ExecStart=/usr/lib/scripts/certbot-renew.sh
 ```
 /etc/systemd/system/certbot-renew.timer
 ```conf
 [Unit]
 Description=Timer for Certbot Renewal
 [Timer]
 OnBootSec=300
 OnUnitActiveSec=1w
 [Install]
 WantedBy=multi-user.target
 ```
 Enable the service
 ```bash
 systemctl enable --now certbot-renew.timer
 ```
 Cockpit now has a valid TLS certificate that auto-renews!