Fedora Server
First boot
- Disable selinux (edit /etc/selinux/config)
- Disable firewall
- Install all updates
- Enable automatic security updates
- Reboot
- Refresh application page
- Install Podman application
- Install Machines application
- Change hostname
- Reboot
- Grow your root volume to max size
- Create a network bridge (bridge0)
- Enable metrics in the metrics section
Release Upgrade
dnf upgrade --refresh
dnf install dnf-plugin-system-upgrade
dnf system-upgrade download --releasever=39
dnf system-upgrade reboot
Tweaks
- Stop systemd-resolved from listening on port 53
Edit /etc/systemd/resolved.conf and set:
DNSStubListener=no
- Install podman-compose
dnf install podman-compose
systemd-cryptenroll
dnf install tpm2-tss
# Add a decryption key to the TPM.
# --tpm2-pcrs="" binds the key to no PCRs, so the TPM releases it on any boot of this machine.
# For machines where a secure boot environment matters, specify --tpm2-pcrs=0+7 instead:
# PCR 0 means the firmware has not changed and PCR 7 means secure boot is enabled.
systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=""
# Add tpm2-tss to dracut
# Edit /etc/dracut.conf.d/tpm2.conf
add_dracutmodules+=" tpm2-tss "
dracut -f
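A quick way to confirm which PCRs an enrolled key is actually sealed against, rather than trusting memory of which flags were passed, is to read the systemd-tpm2 tokens out of `cryptsetup luksDump`. The script below is an added example, not part of the original notes or of systemd; it parses a constructed luksDump excerpt (the `tpm2-hash-pcrs:` / `tpm2-pcrs:` field names and the "n/a" rendering of an empty PCR set are assumptions about systemd's output format) and flags tokens that are bound to no PCRs, or to fewer than the 0+7 set recommended above. Run it with a device path as the only argument to audit a live header instead of the sample.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample of `cryptsetup luksDump` output (not captured from a real device).
# Token 0 was enrolled with --tpm2-pcrs=0+7, token 1 with --tpm2-pcrs="" as in the
# command above; the "n/a" rendering of an empty PCR set is an assumed format.
SAMPLE_LUKS_DUMP = """\
LUKS header information
Version:        2
Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   0+7
        tpm2-pcr-bank:    sha256
        tpm2-pubkey-pcrs: n/a
        tpm2-primary-alg: ecc
        Keyslot:    1
  1: systemd-tpm2
        tpm2-hash-pcrs:   n/a
        tpm2-pcr-bank:    sha256
        tpm2-pubkey-pcrs: n/a
        tpm2-primary-alg: ecc
        Keyslot:    2
Keyslots:
  0: luks2
        Key:        512 bits
"""

TOKEN_HEADER_RE = re.compile(r"^\s*(\d+):\s+(\S+)\s*$")        # "  0: systemd-tpm2"
PCRS_RE = re.compile(r"^\s*tpm2-(?:hash-)?pcrs:\s*(\S*)\s*$")   # old "tpm2-pcrs:" or newer "tpm2-hash-pcrs:"
KEYSLOT_RE = re.compile(r"^\s*Keyslot:\s*(\d+)\s*$")


@dataclass
class Tpm2Token:
    index: int
    pcrs: Set[int] = field(default_factory=set)
    keyslot: Optional[int] = None


def parse_tpm2_tokens(dump: str) -> List[Tpm2Token]:
    """Extract every systemd-tpm2 token and the PCRs its key is sealed against."""
    tokens: List[Tpm2Token] = []
    current: Optional[Tpm2Token] = None
    for line in dump.splitlines():
        header = TOKEN_HEADER_RE.match(line)
        if header:
            # A new token (or keyslot) block starts; only systemd-tpm2 blocks are tracked.
            if header.group(2) == "systemd-tpm2":
                current = Tpm2Token(index=int(header.group(1)))
                tokens.append(current)
            else:
                current = None
            continue
        if current is None:
            continue
        pcrs = PCRS_RE.match(line)
        if pcrs:
            value = pcrs.group(1)
            if value and value != "n/a":
                current.pcrs = {int(p) for p in value.split("+")}
            continue
        keyslot = KEYSLOT_RE.match(line)
        if keyslot:
            current.keyslot = int(keyslot.group(1))
    return tokens


# The binding the notes above recommend when boot integrity matters: PCR 0 (firmware) and 7 (secure boot).
RECOMMENDED_PCRS = {0, 7}


def audit_tokens(tokens: List[Tpm2Token], required: Set[int] = RECOMMENDED_PCRS) -> Dict[int, str]:
    """Map token index -> finding for every token whose binding is weaker than `required`."""
    findings: Dict[int, str] = {}
    for token in tokens:
        if not token.pcrs:
            findings[token.index] = "bound to no PCRs: the TPM releases the key on any boot of this machine"
            continue
        missing = sorted(required - token.pcrs)
        if missing:
            findings[token.index] = f"not bound to PCR(s) {missing}"
    return findings


if __name__ == "__main__":
    import subprocess
    import sys

    # With a device path argument, audit the live header; otherwise use the constructed sample.
    if len(sys.argv) > 1:
        dump = subprocess.run(["cryptsetup", "luksDump", sys.argv[1]],
                              check=True, capture_output=True, text=True).stdout
    else:
        dump = SAMPLE_LUKS_DUMP
    for token in parse_tpm2_tokens(dump):
        print(f"token {token.index} (keyslot {token.keyslot}): PCRs {sorted(token.pcrs) or 'none'}")
    for index, finding in audit_tokens(parse_tpm2_tokens(dump)).items():
        print(f"WARNING token {index}: {finding}")
```

Against the sample it reports token 1 as bound to no PCRs, which is exactly what the `--tpm2-pcrs=""` enrollment above produces; pass a stricter set such as `{0, 4, 7}` to `audit_tokens` if your threat model also wants the bootloader measured.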
Certbot for Cockpit
During this process you'll pick one node to act as the manager for your other nodes. You only need to obtain a certificate on that single node; it then connects over ssh on your local network to the other nodes.
Create an AWS user which will have Route 53 access. This is required for certbot's route53 validation.
export username=<hostname>
aws iam create-user --user-name $username
You'll also need a policy which allows the user to modify the selected hosted zone (list your zones with aws route53 list-hosted-zones):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "route53:GetChange"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/Z0092652G7L97DSINN18"
            ]
        }
    ]
}
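The important property of that policy is that the only write action, ChangeResourceRecordSets, is scoped to one hosted-zone ARN; a credential that can rewrite records in every zone can pass dns-01 validation for any name you own, so it is worth checking mechanically before attaching a policy or when reviewing one later. The script below is an added example, not from the original notes or from AWS; it embeds the policy above as the "good" input plus a constructed over-broad variant, and applies IAM's case-insensitive wildcard matching to find Allow statements that grant a record-set write on "*" or on anything other than a single hosted-zone ARN. The set of actions treated as writes is an assumption you can extend.

```python
import json
from fnmatch import fnmatchcase
from typing import Dict, List

# The Route 53 policy from the notes above, used here as the "good" input.
PAGE_POLICY_JSON = """
{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["route53:ListHostedZones", "route53:GetChange"],
         "Resource": ["*"]},
        {"Effect": "Allow",
         "Action": ["route53:ChangeResourceRecordSets"],
         "Resource": ["arn:aws:route53:::hostedzone/Z0092652G7L97DSINN18"]}
    ]
}
"""

# Constructed over-broad variant: the record-set write is allowed on every hosted zone.
OVERBROAD_POLICY_JSON = """
{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["route53:ListHostedZones", "route53:GetChange", "route53:ChangeResourceRecordSets"],
         "Resource": ["*"]}
    ]
}
"""

# Route 53 actions that can rewrite DNS and therefore satisfy dns-01 validation for any name in the zone.
# Assumed list for this check; add others if you grant them.
WRITE_ACTIONS = {"route53:changeresourcerecordsets"}
HOSTED_ZONE_ARN_PREFIX = "arn:aws:route53:::hostedzone/"


def load_policy(text: str) -> Dict:
    return json.loads(text)


def _as_list(value):
    # IAM allows Action/Resource/Statement to be a single string or a list.
    return value if isinstance(value, list) else [value]


def _grants(patterns: List[str], action: str) -> bool:
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return any(fnmatchcase(action, p.lower()) for p in patterns)


def find_overbroad_statements(policy: Dict) -> List[str]:
    """Return one finding per (statement, resource) that lets a write action touch more than one hosted zone."""
    findings: List[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            # Negated forms grant everything not listed; they need a human reviewer.
            findings.append(f"statement {i}: uses NotAction/NotResource, review by hand")
            continue
        actions = _as_list(stmt.get("Action", []))
        for write in WRITE_ACTIONS:
            if not _grants(actions, write):
                continue
            for res in _as_list(stmt.get("Resource", [])):
                if "*" in res or not res.startswith(HOSTED_ZONE_ARN_PREFIX):
                    findings.append(f"statement {i}: {write} allowed on {res!r}; scope it to one hosted-zone ARN")
    return findings


if __name__ == "__main__":
    for label, text in (("page policy", PAGE_POLICY_JSON), ("over-broad policy", OVERBROAD_POLICY_JSON)):
        problems = find_overbroad_statements(load_policy(text))
        print(f"{label}: {'OK' if not problems else 'FINDINGS'}")
        for problem in problems:
            print("  -", problem)
```

To check a policy that is already attached, feed it the `PolicyDocument` from `aws iam get-policy-version` instead of the embedded strings; the check deliberately ignores Deny statements, so a Deny elsewhere that narrows a broad Allow will still be reported and has to be weighed by hand.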
Attach the policy to the user:
aws iam attach-user-policy \
--user-name $username \
--policy-arn arn:aws:iam::892236928704:policy/certbot-route53-reeselink
Generate credentials:
aws iam create-access-key --user-name $username
On the manager node, as root, create the AWS CLI config and credentials files (fill in the key pair printed by create-access-key above, and keep ~/.aws/credentials readable by root only):
sudo su -
mkdir ~/.aws
vim ~/.aws/config
[profile default]
region=us-east-2
sudo su -
vim ~/.aws/credentials
[default]
aws_access_key_id=
aws_secret_access_key=
Install the aws cli v2 on the manager node:
sudo su -
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
./aws/install
Test your credentials with aws route53 list-hosted-zones. You should see a list of your hosted zones.
Now install certbot and acquire a cert using those credentials:
sudo su -
export record=orange.reeselink.com
dnf install certbot python3-certbot-dns-route53
certbot certonly --dns-route53 -d $record
cp /etc/letsencrypt/live/$record/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
cp /etc/letsencrypt/live/$record/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key
systemctl restart cockpit.service
Test the renewal process with:
sudo su -
export record=orange.reeselink.com
certbot renew --cert-name $record --dry-run
Create the renewal script at /usr/lib/scripts/certbot-renew.sh, with record set to this node's hostname:
mkdir -p /usr/lib/scripts
/usr/lib/scripts/certbot-renew.sh
#!/bin/bash
# Renew this node's certificate and copy it into place for Cockpit.
set -euo pipefail
# This node's hostname; change it per node.
record=yellow.reeselink.com
/usr/bin/certbot renew --cert-name "$record"
/usr/bin/cp -f "/etc/letsencrypt/live/$record/fullchain.pem" /etc/cockpit/ws-certs.d/50-letsencrypt.cert
/usr/bin/cp -f "/etc/letsencrypt/live/$record/privkey.pem" /etc/cockpit/ws-certs.d/50-letsencrypt.key
chmod +x /usr/lib/scripts/certbot-renew.sh
Now create a systemd oneshot service to run the script, and a timer to trigger it:
/etc/systemd/system/certbot-renew.service
[Unit]
Description=Certbot Renewal
[Service]
Type=oneshot
ExecStart=/usr/lib/scripts/certbot-renew.sh
/etc/systemd/system/certbot-renew.timer
[Unit]
Description=Timer for Certbot Renewal
[Timer]
OnBootSec=300
OnUnitActiveSec=1w
[Install]
WantedBy=multi-user.target
Enable the timer:
systemctl enable --now certbot-renew.timer
Cockpit now has a valid TLS certificate that auto-renews!
Backups
# Create an LVM snapshot
lvcreate -L 1GB -s -n test /dev/fedora_orange/root