Workstation/framework_fedora.md
ducoterra 0d00fbdfa0 Add TPM cryptenroll instructions
Add instructions for using tpm2 and fido2 to unlock a drive in linux.
Also include systemd service for auto-enrolling the key after a hardware
change.
2023-06-28 09:04:10 -04:00


# Fedora on the Framework
Mostly stolen from https://mutschler.eu/linux/install-guides/fedora-post-install/
## Dual Boot with Fingerprint Scanner Issues
https://community.frame.work/t/fingerprint-scanner-compatibility-with-linux-ubuntu-fedora-etc/1501/206
## Revert Kernel (if needed)
With koji
```bash
sudo dnf install koji
mkdir /tmp/kernel-download
cd /tmp/kernel-download
# Quote the pattern so the shell does not expand it as a glob
koji search build 'kernel-6.0.12*'
koji download-build --arch=x86_64 kernel-6.0.12-300.fc37
sudo dnf install ./*.rpm
```
```bash
# Find the kernels you have installed
sudo rpm -qa kernel
# List available kernels
sudo ls /boot | grep vmlinuz
# Revert to a previous kernel
sudo grubby --set-default /boot/vmlinuz-5.14.10-300.fc35.x86_64
```
## Make DNF Fast
```bash
echo 'fastestmirror=1' | sudo tee -a /etc/dnf/dnf.conf
echo 'max_parallel_downloads=10' | sudo tee -a /etc/dnf/dnf.conf
echo 'deltarpm=true' | sudo tee -a /etc/dnf/dnf.conf
cat /etc/dnf/dnf.conf
```
## Set Hostname
```bash
hostnamectl set-hostname ducolaptop
```
## BTRFS
Make sure the fstrim timer is enabled:
```bash
sudo systemctl enable fstrim.timer
```
If you mount your disk at /mnt/btr_pool you can see the usage for each volume with:
```bash
btrfs filesystem du -s /mnt/btr_pool/*
```
## Install updates
```bash
sudo dnf upgrade --refresh
sudo dnf check
sudo dnf autoremove
sudo fwupdmgr get-devices
sudo fwupdmgr refresh --force
sudo fwupdmgr get-updates
sudo fwupdmgr update
sudo reboot now
```
## Install Fish
```bash
sudo dnf install -y fish util-linux-user
chsh -s /usr/bin/fish
```
```fish
mkdir -p /home/$USER/.local/bin
set -Ua fish_user_paths /home/$USER/.local/bin
```
## ISCSI
```bash
# Add a new target to your list of nodes
iscsiadm --mode node \
--targetname iqn.2023-01.driveripper.reeselink.com:backup-reese-pc \
--portal driveripper.reeselink.com:3260 \
-o new
# Login to the target
iscsiadm -m node \
--targetname iqn.2023-01.driveripper.reeselink.com:backup-reese-pc \
-p driveripper.reeselink.com:3260 \
--login
iscsiadm -m node --loginall all
# Mount at boot: edit the node record and set "node.startup = automatic"
#   /etc/iscsi/nodes/iqn.2022-02.freenas.dnet:manjaro-backup/10.1.2.200,3260,1
#   (on Fedora: /var/lib/iscsi/nodes/iqn.2022-02.freenas.dnet:manjaro-backup/10.1.2.200,3260,1/default)
# Log out of all sessions
iscsiadm -m node -u
```
## Gnome Tweaks
1. Fonts -> Monospace Text -> Fira Code Regular
2. Keyboard & Mouse -> Acceleration Profile -> Flat
3. Keyboard & Mouse -> Mouse Click Emulation -> Fingers
4. Top Bar -> Activities Overview Hot Corner -> Off
5. Top Bar -> Battery Percentage -> On
6. Top Bar -> Clock -> Weekday -> On
7. Top Bar -> Clock -> Seconds -> On
8. Windows -> Center New Windows -> On
## Extensions
1. Another Window Session Manager by 5q0Fw
Restores windows on shutdown/reboot. Can be configured to automatically save the last
state before restart. Pair this with "restore session" in firefox/chrome and you've
got yourself a really good mac hibernate equivalent.
2. Dash to Dock by michele_g
Make the dock behave like macos. Hide when it would cover a window. Show when the mouse
hovers over the bottom of the screen. Add some sane default shortcuts. Etc.
3. Tactile by lundal
Power-user tiling! Behaves like Windows Power Toys FancyZones.
4. Vitals by corecoding
Adds quick-glance stats about your system to the menu bar. Use to monitor CPU usage,
memory availability, network speed, battery wattage, etc.
## Flatpak
```bash
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
flatpak update
```
## Snap
```bash
sudo dnf install -y snapd
sudo ln -s /var/lib/snapd/snap /snap # for classic snap support
ln -s /var/lib/snapd/desktop/applications ~/.local/share/applications/snap # make apps show up in gnome
sudo reboot now
```
## AppImage Launcher
Download RPM from https://github.com/TheAssassin/AppImageLauncher/releases/tag/v2.2.0
## Ansible
```bash
ansible-playbook --ask-become-pass ansible/framework_fedora.yml
```
## BTRBK
### Create Encrypted Drive
```bash
# Create an encrypted drive (this wipes the partition)
sudo cryptsetup luksFormat /dev/sdb1
# LUKS keeps several key slots; a key file in one of them lets the device be
# opened without typing a passphrase. Inspect the slots with:
# sudo cryptsetup luksDump /dev/sdb1
# Create a directory for the key files, readable by this user only
mkdir -p /home/ducoterra/.lukskeys
chmod 700 /home/ducoterra/.lukskeys
# Generate a 32-byte random key and restrict its mode
dd if=/dev/random bs=32 count=1 of=/home/ducoterra/.lukskeys/btr_backup
chmod 600 /home/ducoterra/.lukskeys/btr_backup
# Add the key file to a free key slot
sudo cryptsetup luksAddKey /dev/sdb1 /home/ducoterra/.lukskeys/btr_backup
# Get the UUID of the LUKS partition
sudo blkid /dev/sdb1
# Add the key to crypttab so the device is opened at boot
echo 'btr_backup UUID=1d7ce570-e695-47a0-9dda-5f14b5b20e21 /home/ducoterra/.lukskeys/btr_backup luks' | sudo tee -a /etc/crypttab
# Create a read-only backup mount point (stays read-only when the backup disk is absent)
sudo btrfs sub create /mnt/btr_backup
sudo btrfs property set /mnt/btr_backup ro true
# Add to fstab
echo '/dev/mapper/btr_backup /mnt/btr_backup btrfs x-systemd.device-timeout=0,x-gvfs-show,x-gvfs-name=btr_backup,ssd,nofail,noatime,discard=async,compress=zstd 0 0' | sudo tee -a /etc/fstab
# Open the device by hand (mapper name and key file must match crypttab)
sudo cryptsetup luksOpen /dev/disk/by-uuid/1d7ce570-e695-47a0-9dda-5f14b5b20e21 btr_backup --key-file=/home/ducoterra/.lukskeys/btr_backup
# Close it (or fix issues)
sudo cryptsetup luksClose btr_backup
```
### Backup Disks
Backup disks will respect the following naming convention:
brand_size_purpose_year_month
So for a backup drive you would create:
`wd_4tb_backup_2023_01`
Or for an archive drive:
`samsung_1tb_archive_2023_01`
#### Disk Health
`smartctl -a /dev/sda`
### Create BTRBK Config
`sudo vim /etc/btrbk/btrbk.conf`
```conf
snapshot_create ondemand
snapshot_preserve_min 2d
snapshot_preserve 14d
snapshot_dir snapshots
target_preserve_min no
target_preserve 20d 10w *m
volume /mnt/btr_pool
target /mnt/btr_backup
subvolume root
subvolume home
```
### Create Systemd Timer
`sudo vim /etc/systemd/system/btrbk.service`
```conf
[Unit]
Description=Runs btrbk with config file at /etc/btrbk/btrbk.conf
[Service]
ExecStart=btrbk -c /etc/btrbk/btrbk.conf -v run
```
`sudo vim /etc/systemd/system/btrbk.timer`
```conf
[Unit]
Description=Run btrbk every hour
[Timer]
OnCalendar=hourly
AccuracySec=10min
Persistent=true
Unit=btrbk.service
[Install]
WantedBy=timers.target
```
### Test, Start and Enable service
Test your service:
```bash
sudo btrbk -c /etc/btrbk/btrbk.conf -v run
```
Enable your service:
```bash
sudo systemctl start btrbk.timer
sudo systemctl enable btrbk.timer
```
### Minecraft
1. You can find extra java versions at /etc/alternatives
2. You need to `dnf install xrandr` to launch any modpacks
3. You can create a desktop icon by putting this at ~/.local/share/applications/*.desktop:
```conf
[Desktop Entry]
Type=Application
Version=1.0
Name=Minecraft
Comment=Minecraft Launcher
Path=/home/ducoterra/Applications
Exec=minecraft-launcher
Icon=/home/ducoterra/Icons/minecraft-launcher.png
Terminal=false
Categories=Games;
```
### Firewall CMD
1. Enable firewall
```bash
# The service is firewalld; firewall-cmd is only the client
systemctl start firewalld
systemctl enable firewalld
```
2. Set default behavior to drop everything
```bash
firewall-cmd --set-default-zone=drop
firewall-cmd --reload
```
### Resources
Network monitoring: https://linuxconfig.org/how-to-monitor-network-activity-on-a-linux-system
## Backups
### Full system backup
In the event you need to restore your system after a disaster, do the following:
1. Reinstall Fedora via a live image
2. After the install, the disk should be mounted at /mnt/sysimage
3. Copy the new fstab and crypttab to somewhere safe
4. `rsync -av` the backed-up etc, home, opt, root, usr and var directories into /mnt/sysimage
5. `mount /dev/Y /mnt/sysimage/boot`
6. `mount /dev/Z /mnt/sysimage/boot/efi`
7. `mount --bind /dev /mnt/sysimage/dev`
8. `mount --bind /proc /mnt/sysimage/proc`
9. `mount --bind /sys /mnt/sysimage/sys`
10. `chroot /mnt/sysimage`
11. Edit fstab and crypttab so they match the new partitions
12. Update /etc/default/grub to match the new LUKS UUID
13. `grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg`
14. `reboot`
## Libvirt
### Snapshots on secure-boot VMs
```bash
# list snapshots
qemu-img snapshot -l win10.qcow2
# create a snapshot
qemu-img snapshot -c 1-welcome win10.qcow2
# restore a snapshot
qemu-img snapshot -a 1-welcome win10.qcow2
```
### Connecting to Truenas via virt-manager
You should be able to use the following custom URL:
```text
qemu+ssh://root@driveripper.reeserelease.com/system?socket=/run/truenas_libvirt/libvirt-sock
```
This assumes the correct socket path from `/etc/libvirt/libvirtd.conf` and ability to log in as the root user via ssh.
## Bluetooth
### AirPods
1. Edit `/etc/bluetooth/main.conf` and set `ControllerMode = bredr`
2. Restart the bluetooth service
3. Connect the AirPods
4. Comment the line out again
5. Restart the bluetooth service again
## ZRAM
Edit /etc/systemd/zram-generator.conf
```conf
[zram0]
zram-size = min(ram / 2, 16384)
compression-algorithm = lzo-rle
options =
writeback-device = /dev/zvol/tarta-zoot/swap-writeback
```
## TPM LUKS
### Automatic Disk Decryption with TPM2
https://gist.github.com/jdoss/777e8b52c8d88eb87467935769c98a95
```bash
# Add the decryption key to the TPM.
# For machines where a secure boot environment is the priority, bind the key to
# PCRs with --tpm2-pcrs=0+7: PCR 0 covers the firmware (it changes when the
# firmware changes) and PCR 7 covers the Secure Boot state.
systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0+7
# For machines where auto-unlock is the priority (think desktop PCs where you might
# sell or give away the drive at the end of its life) you can leave tpm2-pcrs empty,
# with the understanding that an attacker could modify the boot environment and
# your disk would still unlock automatically.
systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=""
```
Add the tpm2 option to `/etc/crypttab` (`$UUID` stands for the LUKS partition's UUID from `blkid`):
```conf
luks-$UUID UUID=$UUID none tpm2-device=auto,discard
```
Add tpm2-tss to dracut in `/etc/dracut.conf.d/tpm2.conf`, then rebuild the initramfs:
```conf
add_dracutmodules+=" tpm2-tss "
```
```bash
dracut -f
```
### Automatic Disk Decryption with Fido2
```bash
# Add the decryption key to the FIDO2 device.
systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=fido2 --fido2-device=auto
```
Add the fido2 option to `/etc/crypttab` (`$UUID` stands for the LUKS partition's UUID from `blkid`):
```conf
luks-$UUID UUID=$UUID none fido2-device=auto,discard
```
Add fido2 to dracut in `/etc/dracut.conf.d/fido2.conf`, then rebuild the initramfs:
```conf
add_dracutmodules+=" fido2 "
```
```bash
dracut -f
```
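To verify what the TPM2 and FIDO2 enrollments above actually left in the LUKS header, here is an added helper (not from these notes or from systemd) that parses `cryptsetup luksDump` output and flags a TPM2 token that carries no PCR policy. The dumps it runs on are constructed samples; the field names follow systemd's token dump, which labels the PCR line `tpm2-pcrs:` in older releases and `tpm2-hash-pcrs:` in newer ones.

```shell
#!/bin/bash
# Audit the unlock tokens in a LUKS2 header (the output of
# `sudo cryptsetup luksDump /dev/nvme0n1p3`) and flag a TPM2 token with no PCR
# policy, i.e. the --tpm2-pcrs="" enrollment. Hypothetical helper, not from the notes.

# Constructed sample: TPM2 token bound to PCR 0+7 plus a FIDO2 token.
# Real dumps also list keyslots, blobs and digests, omitted here.
SAMPLE_DUMP='LUKS header information
Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   0+7
        tpm2-pcr-bank:    sha256
        Keyslot:          1
  1: systemd-fido2
        fido2-rp:         io.systemd.cryptsetup
        Keyslot:          2
Digests:
  0: pbkdf2'

# Constructed variant of the same header enrolled with --tpm2-pcrs="".
SAMPLE_DUMP_NOPCR=$(printf '%s\n' "$SAMPLE_DUMP" | sed 's/^\( *tpm2-hash-pcrs:\).*/\1   n\/a/')

# Read a dump on stdin and print "<id> <type> <pcrs>" per systemd token; pcrs is
# "-" for non-TPM tokens and "none" when the TPM2 token has no PCR policy.
# Older systemd labels the line "tpm2-pcrs:", newer "tpm2-hash-pcrs:".
list_luks_tokens() {
    awk '
        function emit() { if (id != "") print id, type, pcrs; id = "" }
        /^Tokens:/  { in_tokens = 1; next }
        /^[A-Za-z]/ { if (in_tokens) emit(); in_tokens = 0 }
        in_tokens && /^  [0-9]+: / {
            emit(); id = $1; sub(":", "", id); type = $2
            pcrs = (type == "systemd-tpm2") ? "none" : "-"; next
        }
        in_tokens && /tpm2-(hash-)?pcrs:/ {
            if ($2 != "" && $2 != "n/a" && $2 != "(null)") pcrs = $2
        }
        END { if (in_tokens) emit() }'
}

# Classify the TPM2 enrollment of a dump read on stdin:
# tpm2-pcrs=<list> (status 0), tpm2-unconditional (1) or no-tpm2-token (2).
tpm2_binding() {
    local pcrs
    pcrs=$(list_luks_tokens | awk '$2 == "systemd-tpm2" { print $3; exit }')
    case "$pcrs" in
        "")   echo "no-tpm2-token";      return 2 ;;
        none) echo "tpm2-unconditional"; return 1 ;;
        *)    echo "tpm2-pcrs=$pcrs";    return 0 ;;
    esac
}

# True when PCR $2 is in the "+"-separated list $1, e.g. pcr_bound "0+7" 7
pcr_bound() {
    printf '%s\n' "$1" | tr '+' '\n' | grep -qx "$2"
}
# Stand-alone run over the constructed samples (pipe a real dump in instead).
printf '%s\n' "$SAMPLE_DUMP" | list_luks_tokens
printf '%s\n' "$SAMPLE_DUMP_NOPCR" | tpm2_binding || echo "WARNING: disk unlocks regardless of boot state"
```

On a real machine, `sudo cryptsetup luksDump /dev/nvme0n1p3 | tpm2_binding` returns non-zero whenever the disk would unlock without a PCR policy, which makes it usable as a check in the re-enroll service below.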
### Re-enroll on boot
After booting and unlocking your drive you can set up a systemd service to automatically
re-enroll your keys so you don't have to remember to run "systemd-cryptenroll" every
time something changes.
1. Generate a 64+ character random password with the generator of your choosing
2. `cryptsetup luksAddKey /dev/nvme0n1p3` paste in your password when it asks for it
3. `vim /etc/systemd/system/systemd-cryptenroll-tpm2-autoenroll.service`
```conf
[Unit]
Description=Automatically runs systemd-cryptenroll at boot
[Service]
Type=oneshot
# systemd-cryptenroll reads the existing passphrase from PASSWORD to unlock the
# volume before writing the new TPM2 slot. The passphrase sits here in clear text,
# so keep this unit file readable by root only (chmod 600): anyone who can read it
# can unlock the disk. Note the re-seal binds to whatever PCR values the current
# boot produced, so a changed boot chain is accepted once you have unlocked by hand.
ExecStart=/usr/bin/systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0+7
Environment=PASSWORD='PUT GENERATED PASSWORD HERE'
[Install]
WantedBy=multi-user.target
```
4. `systemctl enable systemd-cryptenroll-tpm2-autoenroll`
## Firefox GPU Rendering
https://community.frame.work/t/linux-battery-life-tuning/6665
```bash
dnf install intel-media-driver intel-gpu-tools
```
1. Type `about:config` in the address bar and hit enter.
2. Set `media.rdd-ffmpeg.enabled`, `media.ffmpeg.vaapi.enabled` and `media.navigator.mediadatadecoder_vpx_enabled` to true.
3. Close and reopen your browser.
4. Run `sudo intel_gpu_top`, play a 4k video and check whether the Video section is above 0.00%.
## Gnome Software Updates (packagekitd and software)
To prevent Gnome Shell from starting Software open Settings->Search and disable Software from there.
Disable auto-updates
```bash
sudo systemctl disable packagekit
sudo systemctl stop packagekit
dconf write /org/gnome/software/allow-updates false
dconf write /org/gnome/software/download-updates false
```
## Battery Life
```bash
grubby --args="nvme.noacpi=1" --update-kernel=ALL
```
Enable automatic power profile switching on AC/Battery
1. `sudo mkdir /lib/udev/power-profiles`
2. `sudo vim /lib/udev/power-profiles/power-saver`
```bash
powerprofilesctl set power-saver
```
3. `sudo chmod +x /lib/udev/power-profiles/power-saver`
4. `sudo vim /lib/udev/power-profiles/performance`
```bash
powerprofilesctl set performance
```
5. `sudo chmod +x /lib/udev/power-profiles/performance`
6. `sudo vim /etc/udev/rules.d/10-power.rules`
```conf
SUBSYSTEM=="power_supply", ATTR{online}=="0", RUN+="/bin/bash /lib/udev/power-profiles/power-saver"
SUBSYSTEM=="power_supply", ATTR{online}=="1", RUN+="/bin/bash /lib/udev/power-profiles/performance"
```
~~Calibrate with powertop~~
Powertop causes connection issues with USB while the computer is plugged in. Do not
recommend.
```bash
sudo dnf install powertop
# This will take a while
sudo powertop --calibrate
sudo powertop
```
~~Install and enable tlp~~
TLP seems to limit maximum performance. I'm leaving it here for posterity.
Stick with powertop and power profiles daemon.
```bash
sudo systemctl stop power-profiles-daemon.service
sudo systemctl disable power-profiles-daemon.service
sudo systemctl mask power-profiles-daemon.service
sudo dnf install tlp
sudo systemctl mask systemd-rfkill.service
sudo systemctl mask systemd-rfkill.socket
sudo systemctl enable tlp.service --now
sudo systemctl status tlp.service
```
### Simple Battery Monitoring App
Attributes exposed by the battery under `/sys/class/power_supply/BAT1` (output of `ls`):
```text
alarm charge_full_design device power subsystem voltage_min_design
capacity charge_now hwmon2 present technology voltage_now
capacity_level current_now manufacturer serial_number type
charge_full cycle_count model_name status uevent
```
```bash
sudo mkdir /etc/battery_monitor
sudo vim /etc/battery_monitor/battery_monitor.sh
```
```bash
#!/bin/bash
# Append one CSV row of battery statistics from sysfs each time this runs.
CSV_LOCATION="/home/ducoterra/data"
CSV_NAME="battery_monitor.csv"
CSV_FILE="$CSV_LOCATION/$CSV_NAME"
BATTERY_DATA_LOCATION="/sys/class/power_supply/BAT1"
# Create the CSV with a header row on the first run
if [ ! -f "$CSV_FILE" ]; then
    mkdir -p "$CSV_LOCATION"
    echo "time,percent,charge_now,charge_full,voltage_now,current_now,cycle_count,status" > "$CSV_FILE"
    chown -R ducoterra:ducoterra "$CSV_LOCATION"
fi
time=$(date --iso-8601=seconds)
percent=$(cat "$BATTERY_DATA_LOCATION/capacity")
charge_now=$(cat "$BATTERY_DATA_LOCATION/charge_now")
charge_full=$(cat "$BATTERY_DATA_LOCATION/charge_full")
voltage_now=$(cat "$BATTERY_DATA_LOCATION/voltage_now")
current_now=$(cat "$BATTERY_DATA_LOCATION/current_now")
cycle_count=$(cat "$BATTERY_DATA_LOCATION/cycle_count")
status=$(cat "$BATTERY_DATA_LOCATION/status")
echo "$time,$percent,$charge_now,$charge_full,$voltage_now,$current_now,$cycle_count,$status" >> "$CSV_FILE"
```
`sudo vim /etc/systemd/system/battery_monitor.service`
```conf
[Unit]
Description=Records the current battery level
[Service]
Type=oneshot
ExecStart=/bin/bash /etc/battery_monitor/battery_monitor.sh
[Install]
WantedBy=multi-user.target
```
`sudo vim /etc/systemd/system/battery_monitor.timer`
```conf
[Unit]
Description=Run battery_monitor every 15 seconds
[Timer]
OnCalendar=*:*:0,15,30,45
AccuracySec=10sec
Persistent=true
Unit=battery_monitor.service
[Install]
WantedBy=timers.target
```
`sudo systemctl start battery_monitor.timer`
## Turn Off Fingerprint When Laptop Lid Closed
To disable fingerprint authentication when the laptop lid is closed, and re-enable it when the lid is opened, we use acpid to bind the button/lid.* event to a custom script that stops and masks the fprintd service on lid close, and unmasks and starts it on lid open.
The script can also check whether an external display is connected (for HDMI, by testing the contents of /sys/class/drm/card0-HDMI-A-1/status); that check is left commented out in the script below.
Follow the steps below:
1. Create a .locks directory in your home dir: `mkdir ~/.locks`
2. Create file /etc/acpi/laptop-lid.sh with the following contents:
```bash
#!/bin/bash
lock=/home/ducoterra/.locks/fprint-disabled.lock
if grep -Fq closed /proc/acpi/button/lid/LID0/state # &&
# This is used to detect if a display is connected.
# For USB C displayport use:
# grep -Fxq connected /sys/class/drm/card1-DP-2/status
# For hdmi use:
# grep -Fxq connected /sys/class/drm/card0-HDMI-A-1/status
then
touch "$lock"
systemctl stop fprintd
systemctl mask fprintd
elif [ -f "$lock" ]
then
systemctl unmask fprintd
systemctl start fprintd
rm -f "$lock"
fi
```
3. Make the file executable with
`chmod +x /etc/acpi/laptop-lid.sh`
4. Create file /etc/acpi/events/laptop-lid with the following contents:
```conf
event=button/lid.*
action=/etc/acpi/laptop-lid.sh
```
5. Restart the acpid service with:
`sudo service acpid restart`
Now the fingerprint will be used only when the lid is open.
In order to restore the correct state of the fprintd service if you disconnect/reconnect while the laptop is off, you may call the above script from a systemd init file. The steps to do this are the following:
1. Create a file named /etc/systemd/system/laptop-lid.service with the following contents:
```conf
[Unit]
Description=Laptop Lid
After=suspend.target
[Service]
ExecStart=/etc/acpi/laptop-lid.sh
[Install]
WantedBy=multi-user.target
WantedBy=suspend.target
```
2. Reload the systemd config files with
`sudo systemctl daemon-reload`
3. Start the service with
`sudo systemctl start laptop-lid.service`
4. Enable the service so that it starts automatically on boot
`sudo systemctl enable laptop-lid.service`
Now the status should be correct even after connecting/disconnecting when the computer is off.
## Wifi Connection
Check wifi connection information
```bash
iw wlp170s0 info
```
Edit connection info (for example, force 5GHz)
```bash
nm-connection-editor
```
See what firmware is being loaded
```bash
sudo dmesg | grep firmware
```
All firmware is kept in /usr/lib/firmware
AX210 wifi firmware is named iwlwifi-ty-a0-gf-a0-*, version 59 is confirmed working with wifi 6e.
## Power Button Behavior
The power button is controlled from 2 locations:
1. DCONF (or GNOME settings) at `gnome.settings-daemon.plugins.power`
2. ACPI at /etc/acpi/events/powerconf
The powerconf acpi configuration will execute at the same time the gnome settings do.
This can lead to situations where the gnome settings say "suspend" but the acpi settings
say "shutdown". On waking up your laptop it will immediately shutdown.
The solution is to comment out everything in /etc/acpi/events/powerconf and rely on the
gnome settings **OR** set the gnome settings to "nothing" and edit
`/etc/acpi/actions/power.sh` with the behavior you expect. Either way you should pick
one to control power button behavior.
## Install ffmpegthumbnailer, remove totem
totem-thumbnailer crashes all the time and isn't as good as ffmpeg's thumbnailer.
What's more, totem video player ("Videos" by default on gnome) is not as good as vlc
and doesn't work very well for anything more than basic video playback.
```bash
sudo dnf remove totem
sudo dnf install ffmpegthumbnailer
```
## Add compatibility for HEIC to mogrify
```bash
sudo dnf install libheif-freeworld
```