add server configurations

2024-01-16 22:58:52 -05:00
parent ee7d919533
commit f25b28aa56
5 changed files with 580 additions and 4 deletions


@@ -18,6 +18,7 @@ I have instructions for building a:
- [Security](#security)
- [Secure Boot](#secure-boot)
- [TPM2 LUKS Decryption](#tpm2-luks-decryption)
- [Re-enroll](#re-enroll)
- [FIDO2 LUKS Decryption](#fido2-luks-decryption)
- [Firewall](#firewall)
- [AppArmor](#apparmor)
@@ -50,6 +51,7 @@ I have instructions for building a:
- [Apps](#apps)
- [Firefox](#firefox)
- [Gnome Extensions](#gnome-extensions)
- [Avahi (Bonjour)](#avahi-bonjour)
- [CUPS Printing](#cups-printing)
- [Yubikey](#yubikey)
- [Bashrc](#bashrc)
@@ -339,6 +341,13 @@ Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure b
1. `pacman -S tpm2-tss`
2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7`
##### Re-enroll
```bash
systemd-cryptenroll /dev/nvme0n1p2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7
systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7
```
#### FIDO2 LUKS Decryption
1. `pacman -S libfido2`
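Review bot: the re-enroll commands bind the LUKS slot to PCR 7 alone, which (as the context line above says) ties the key only to the Secure Boot state, so any boot chain that passes Secure Boot will unseal it; if a firmware change should also invalidate the slot, use `--tpm2-pcrs=0+7`, which is what the comment this same commit adds to fedora_server.md recommends. The device paths `/dev/nvme0n1p2` and `/dev/nvme0n1p3` also differ from the `/dev/vda2` used in step 2 above; say these are per-machine and must be replaced, and mention that `systemd-cryptenroll` prompts for an existing LUKS passphrase to authorize the change, so a passphrase slot has to remain enrolled alongside the TPM slot.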
@@ -946,13 +955,31 @@ Choose noto-fonts
3. dash-to-dock@micxgx.gmail.com
4. tactile@lundal.io
### CUPS Printing
### Avahi (Bonjour)
1. `sudo pacman -S cups cups-pdf avahi system-config-printer`
1. `sudo pacman -S avahi`
2. `sudo vim /etc/nsswitch.conf`
```conf
hosts: mymachines mdns_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
hosts: mymachines mdns [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
```
3. `sudo vim /etc/mdns.allow`
```conf
.local.
.local
```
### CUPS Printing
Note: you probably need avahi (see above)
1. `sudo pacman -S cups cups-pdf system-config-printer`
2. `sudo vim /etc/nsswitch.conf`
```conf
hosts: mymachines mdns [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
```
3. `sudo systemctl start cups`
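Review bot: the Avahi section edits `nsswitch.conf` and `mdns.allow` but never starts the daemon; add `sudo systemctl enable --now avahi-daemon`, and since this README has a Firewall section, note that UDP 5353 must be allowed there or `.local` lookups fail silently. The change from `mdns_minimal` to `mdns` switches to the full nss-mdns resolver whose scope is governed by `/etc/mdns.allow`, so step 3 is what keeps lookups confined to `.local` (both `.local.` and `.local` are listed because the trailing-dot form matches fully qualified queries); say so, because a reader who skips step 3 changes the resolver's behaviour without realising it. The CUPS section then repeats the same `nsswitch.conf` edit, which will drift from the Avahi copy; replace it with a pointer to that step, and use `sudo systemctl enable --now cups` so printing survives a reboot.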


@@ -1,6 +1,9 @@
# Workstation
- [Workstation](#workstation)
- [Framework AMD Notes](#framework-amd-notes)
- [Wifi](#wifi)
- [Microcode](#microcode)
- [Base Tools](#base-tools)
- [ZSH](#zsh)
- [Aliases](#aliases)
@@ -31,8 +34,38 @@
- [AWS CLI](#aws-cli)
- [NSlookup](#nslookup)
- [rpi-imager](#rpi-imager)
- [Install rpi-imager](#install-rpi-imager)
- [Upgrade rpi-imager](#upgrade-rpi-imager)
- [qFlipper](#qflipper)
## Framework AMD Notes
### Wifi
Install the wireless-regdb to set the regulatory domain to US
```bash
pacman -S wireless-regdb
```
Edit /etc/conf.d/wireless-regdom to set the domain
### Microcode
```bash
pacman -S amd-ucode
```
Edit /boot/loader/entries/.conf and add the following:
```bash
title Arch Linux (Work)
linux /vmlinuz-linux
initrd /amd-ucode.img
initrd /initramfs-linux.img
options ...
```
## Base Tools
```bash
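Review bot: `Edit /boot/loader/entries/.conf` is missing the entry file name and `options ...` is a placeholder; say the file is whichever entry `bootctl list` reports as selected, and tag the snippet `conf` rather than `bash`, as the other configuration fragments in this repo are. The ordering of `initrd /amd-ucode.img` before `initrd /initramfs-linux.img` is correct and deserves a one-line comment, since reversing the two lines means the microcode is not applied early in boot.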
@@ -429,7 +462,31 @@ pacman -Syu bind
sudo pacman -S cmake qt5-base
```
follow install instructions
### Install rpi-imager
```bash
git clone https://github.com/raspberrypi/rpi-imager.git
cd rpi-imager
mkdir -p build
cd build
cmake ../src
make
sudo make install
```
### Upgrade rpi-imager
```bash
```bash
cd rpi-imager
git pull
rm -r build
mkdir -p build
cd build
cmake ../src
make
sudo make install
```
## qFlipper
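Review bot: the Upgrade rpi-imager block opens two ```` ```bash ```` fences in a row, so the second one is rendered as a literal line inside the code block; drop the duplicate. Both blocks build whatever `main` currently points at and install it as root with `sudo make install`; checking out a release tag (`git checkout <tag>`, placeholder) after the clone or the `git pull` makes the build reproducible and lets you verify the tag before installing. `rm -r build` also aborts the upgrade if the directory is absent; `rm -rf build` is the idiomatic form here.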

238
fedora_server.md Normal file

@@ -0,0 +1,238 @@
# Fedora Server
- [Fedora Server](#fedora-server)
- [First boot](#first-boot)
- [Release Upgrade](#release-upgrade)
- [Tweaks](#tweaks)
- [systemd-cryptenroll](#systemd-cryptenroll)
- [Certbot for Cockpit](#certbot-for-cockpit)
## First boot
1. Disable selinux (edit `/etc/selinux/config`)
2. Disable firewall
3. Install all updates
4. Enable automatic security updates
5. Reboot
6. Refresh application page
7. Install Podman application
8. Install Machines application
9. Change hostname
10. Reboot
11. Grow your root volume to max size
12. Create a network bridge (bridge0)
13. Enable metrics in the metrics section
## Release Upgrade
```bash
dnf upgrade --refresh
dnf install dnf-plugin-system-upgrade
dnf system-upgrade download --releasever=39
dnf system-upgrade reboot
```
## Tweaks
1. Stop resolvd from listening on port 53
Edit `/etc/systemd/resolved.conf`
```conf
DNSStubListener=no
```
2. Install podman-compose
```bash
dnf install podman-compose
```
## systemd-cryptenroll
```bash
dnf install tpm2-tss
# Add decryption key to tpm.
# For machines where prioritizing a secure boot environment is important we need to
# specify --tpm2-pcrs=0+7 -- 0 meaning the firmware has not changed and 7 meaning
# secure boot is enabled
systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7
# Add tpm2-tss to dracut
# Edit /etc/dracut.conf.d/tpm2.conf
add_dracutmodules+=" tpm2-tss "
dracut -f
```
## Certbot for Cockpit
During this process you'll pick one node to act as your manager for your other nodes.
You'll only need to cert a single node and then it will connect via ssh over your local
network to the other nodes.
Create an AWS user which will have route53 access. This is required for certbot's route53
validation.
```bash
export username=<hostname>
aws iam create-user --user-name $username
```
You'll also need a policy which allows the user to modify the selected hosted zone:
(list with `aws route53 list-hosted-zones`)
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:ListHostedZones",
"route53:GetChange"
],
"Resource": [
"*"
]
},
{
"Effect" : "Allow",
"Action" : [
"route53:ChangeResourceRecordSets"
],
"Resource" : [
"arn:aws:route53:::hostedzone/Z0092652G7L97DSINN18"
]
}
]
}
```
Attach the policy to the user:
```bash
aws iam attach-user-policy \
--user-name $username \
--policy-arn arn:aws:iam::892236928704:policy/certbot-route53-reeselink
```
Generate credentials:
```bash
aws iam create-access-key --user-name $username
```
On the host machine:
```bash
sudo su -
mkdir ~/.aws
vim ~/.aws/config
```
```conf
[profile default]
region=us-east-2
```
```bash
sudo su -
vim ~/.aws/credentials
```
```conf
[default]
aws_access_key_id=
aws_secret_access_key=
```
Install the aws cli v2 on the manager node:
```bash
sudo su -
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
./aws/install
```
Test your credentials with `aws route53 list-hosted-zones`. You should see as list of your
hosted zones.
Now install certbot and acquire a cert using those credentials:
```bash
sudo su -
export record=orange.reeselink.com
dnf install certbot python3-certbot-dns-route53
certbot certonly --dns-route53 -d $record
cp /etc/letsencrypt/live/$record/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
cp /etc/letsencrypt/live/$record/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key
systemctl restart cockpit.service
```
Test the renewal process with:
```bash
sudo su -
export record=orange.reeselink.com
certbot renew --cert-name $record --dry-run
mkdir -p /usr/lib/scripts
```
Create a renewal script in /usr/lib/scripts/certbot-renew.sh
/usr/lib/scripts/certbot-renew.sh
```bash
#!/bin/bash
/usr/bin/certbot renew --cert-name $record
/usr/bin/cp -f /etc/letsencrypt/live/$record/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
/usr/bin/cp -f /etc/letsencrypt/live/$record/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key
```
```bash
:%s/$record/yellow.reeselink.com/g
chmod +x /usr/lib/scripts/certbot-renew.sh
```
Now create a systemd oneshot service to run the script
/etc/systemd/system/certbot-renew.service
```conf
[Unit]
Description=Certbot Renewal
[Service]
Type=oneshot
ExecStart=/usr/lib/scripts/certbot-renew.sh
```
/etc/systemd/system/certbot-renew.timer
```conf
[Unit]
Description=Timer for Certbot Renewal
[Timer]
OnBootSec=300
OnUnitActiveSec=1w
[Install]
WantedBy=multi-user.target
```
Enable the service
```bash
systemctl enable --now certbot-renew.timer
```
Cockpit now has a valid TLS certificate that auto-renews!
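Review bot: several things to fix before this procedure is copied to other nodes. First boot steps 1 and 2 disable SELinux and the firewall with no rationale; on a server running Podman and Cockpit, prefer `SELINUX=permissive` over `disabled` in `/etc/selinux/config` (files stay labelled, so enforcing mode can be restored without a relabel) and open only the ports you need (9090/tcp for Cockpit) instead of disabling firewalld, or at least state why both are off. In the systemd-cryptenroll block the comment recommends `--tpm2-pcrs=0+7` but the command enrolls with `--tpm2-pcrs=7`; make them agree, and note that `add_dracutmodules+=" tpm2-tss "` is the content of `/etc/dracut.conf.d/tpm2.conf`, not a shell command, so it should not sit in the `bash` block. The IAM policy JSON is shown but never created: add the `aws iam create-policy` step that produces the `certbot-route53-reeselink` ARN used by `attach-user-policy`, and consider narrowing `ChangeResourceRecordSets` to TXT records with the `route53:ChangeResourceRecordSetsRecordTypes` condition key, since DNS-01 validation only needs `_acme-challenge` TXT records. `~/.aws/credentials` holds a long-lived access key as root, so `chmod 600` it after writing. The renewal script references `$record`, which is unset when the timer runs it, and the `:%s/$record/yellow.reeselink.com/g` fix is a vim command placed in a `bash` fence; set `record=` at the top of the script (with `set -euo pipefail`) instead. The script also copies the files but never restarts cockpit, unlike the manual steps above, so either verify Cockpit picks up the new files on its own or run the copy and `systemctl restart cockpit.service` from a certbot `--deploy-hook`, which only fires when a renewal actually happened. Finally, `mkdir -p /usr/lib/scripts` belongs in the script-creation step rather than the dry-run test, and a timer unit should be `WantedBy=timers.target`, not `multi-user.target`.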

81
octopi.md Normal file

@@ -0,0 +1,81 @@
# OctoPi Setup
## GCode Snippers
### After Pause
```text
{% if pause_position.x is not none %}
; relative XYZE
G91
M83
; retract filament of 0.8 mm up, move Z slightly upwards and
G1 Z+5 E-0.8 F4500
; absolute XYZE
M82
G90
; move to a safe rest position, adjust as necessary
G1 X0 Y0
{% endif %}
```
### After Resume
```text
{% if pause_position.x is not none %}
; relative extruder
M83
; prime nozzle
G1 E-0.8 F4500
G1 E0.8 F4500
G1 E0.8 F4500
; absolute E
M82
; absolute XYZ
G90
; reset E
G92 E{{ pause_position.e }}
; WARNING!!! - use M83 or M82(extruder absolute mode) according what your slicer generates
M83 ; extruder relative mode
; move back to pause position XYZ
G1 X{{ pause_position.x }} Y{{ pause_position.y }} Z{{ pause_position.z }} F4500
; reset to feed rate before pause if available
{% if pause_position.f is not none %}G1 F{{ pause_position.f }}{% endif %}
{% endif %}
```
## Plugins
## Bed Visualizer
```text
M140 S60 ; starting by heating the bed for nominal mesh accuracy
M117 Homing all axes ; send message to printer display
G28 ; home all axes
M420 S0 ; Turning off bed leveling while probing, if firmware is set
; to restore after G28
M117 Heating the bed ; send message to printer display
M190 S60 ; waiting until the bed is fully warmed up
M300 S1000 P500 ; chirp to indicate bed mesh levels is initializing
M117 Creating the bed mesh levels ; send message to printer display
M155 S30 ; reduce temperature reporting rate to reduce output pollution
@BEDLEVELVISUALIZER ; tell the plugin to watch for reported mesh
G29 T ; run bilinear probing
M155 S3 ; reset temperature reporting
M140 S0 ; cooling down the bed
M500 ; store mesh in EEPROM
M300 S440 P200 ; make calibration completed tones
M300 S660 P250
M300 S880 P300
M117 Bed mesh levels completed ; send message to printer display
```
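Review bot: `## GCode Snippers` should read `GCode Snippets`, and `## Bed Visualizer` is a plugin, so it belongs one level down (`###`) under `## Plugins`, consistent with the heading levels in the other files. In the After Pause snippet the comment `retract filament of 0.8 mm up, move Z slightly upwards and` is cut off; say what `G1 Z+5 E-0.8 F4500` does (retract 0.8 mm and lift Z by 5 mm in one move). In After Resume the M82/M83 warning is useful, but the `M83 ; extruder relative mode` line right after it is unconditional, so make clear that this line, not the warning, is what must change when the slicer emits absolute E.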

173
ubuntu_server.md Normal file

@@ -0,0 +1,173 @@
# Ubuntu Server
## Certbot for Cockpit
During this process you'll pick one node to act as your manager for your other nodes.
You'll only need to cert a single node and then it will connect via ssh over your local
network to the other nodes.
Create an AWS user which will have route53 access. This is required for certbot's route53
validation.
```bash
export username=<hostname>
aws iam create-user --user-name $username
```
You'll also need a policy which allows the user to modify the selected hosted zone:
(list with `aws route53 list-hosted-zones`)
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:ListHostedZones",
"route53:GetChange"
],
"Resource": [
"*"
]
},
{
"Effect" : "Allow",
"Action" : [
"route53:ChangeResourceRecordSets"
],
"Resource" : [
"arn:aws:route53:::hostedzone/Z0092652G7L97DSINN18"
]
}
]
}
```
Attach the policy to the user:
```bash
aws iam attach-user-policy \
--user-name $username \
--policy-arn arn:aws:iam::892236928704:policy/certbot-route53-reeselink
```
Generate credentials:
```bash
aws iam create-access-key --user-name $username
```
On the host machine:
```bash
sudo su -
mkdir ~/.aws
vim ~/.aws/config
```
```conf
[profile default]
region=us-east-2
```
```bash
sudo su -
vim ~/.aws/credentials
```
```conf
[default]
aws_access_key_id=
aws_secret_access_key=
```
Install the aws cli v2 on the manager node:
```bash
sudo su -
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
apt update && apt install -y unzip
unzip awscliv2.zip
./aws/install
```
Test your credentials with `aws route53 list-hosted-zones`. You should see as list of your
hosted zones.
Now install certbot and acquire a cert using those credentials:
```bash
sudo su -
export record=orange.reeselink.com
apt update && apt install -y certbot python3-certbot-dns-route53
certbot certonly --dns-route53 -d $record
cp /etc/letsencrypt/live/$record/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
cp /etc/letsencrypt/live/$record/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key
systemctl restart cockpit.service
```
Test the renewal process with:
```bash
sudo su -
export record=orange.reeselink.com
certbot renew --cert-name $record --dry-run
mkdir -p /usr/lib/scripts
```
Create a renewal script in /usr/lib/scripts/certbot-renew.sh
/usr/lib/scripts/certbot-renew.sh
```bash
#!/bin/bash
/usr/bin/certbot renew --cert-name $record
/usr/bin/cp -f /etc/letsencrypt/live/$record/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
/usr/bin/cp -f /etc/letsencrypt/live/$record/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key
```
```bash
:%s/$record/yellow.reeselink.com/g
chmod +x /usr/lib/scripts/certbot-renew.sh
```
Now create a systemd oneshot service to run the script
/etc/systemd/system/certbot-renew.service
```conf
[Unit]
Description=Certbot Renewal
[Service]
Type=oneshot
ExecStart=/usr/lib/scripts/certbot-renew.sh
```
/etc/systemd/system/certbot-renew.timer
```conf
[Unit]
Description=Timer for Certbot Renewal
[Timer]
OnBootSec=300
OnUnitActiveSec=1w
[Install]
WantedBy=multi-user.target
```
Enable the service
```bash
systemctl enable --now certbot-renew.timer
```
Cockpit now has a valid TLS certificate that auto-renews!
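Review bot: this file duplicates the Certbot for Cockpit section of fedora_server.md verbatim apart from the `apt` lines, and the two copies have already diverged (`unzip` is installed here but not in the Fedora copy), so every problem noted there applies here as well: the IAM policy is shown but never created with `aws iam create-policy`, `$record` is unset when the renewal script runs (the `:%s/...` line is a vim command inside a `bash` fence), `~/.aws/credentials` should be `chmod 600`, the script never restarts cockpit although the manual steps do, and the timer's `WantedBy=` should be `timers.target`. Move the shared procedure into one document that both server pages link to and keep only the package-manager commands here, so a fix lands in one place.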