Workstation/fedora_server.md

# Fedora Server

- [Fedora Server](#fedora-server)
  - [First boot](#first-boot)
  - [Release Upgrade](#release-upgrade)
  - [Tweaks](#tweaks)
  - [systemd-cryptenroll](#systemd-cryptenroll)
  - [Certbot for Cockpit](#certbot-for-cockpit)
  - [Backups](#backups)

## First boot

1. Disable selinux (edit `/etc/selinux/config`)
2. Disable firewall
3. Install all updates
4. Enable automatic security updates
5. Reboot
6. Refresh application page
7. Install Podman application
8. Install Machines application
9. Change hostname
10. Reboot
11. Grow your root volume to max size
12. Create a network bridge (bridge0)
13. Enable metrics in the metrics section

## Release Upgrade

```bash
dnf upgrade --refresh
dnf install dnf-plugin-system-upgrade
dnf system-upgrade download --releasever=39
dnf system-upgrade reboot
```

## Tweaks

1. Stop resolvd from listening on port 53

Edit `/etc/systemd/resolved.conf`

```conf
DNSStubListener=no
```

2. Install podman-compose

```bash
dnf install podman-compose
```

## systemd-cryptenroll

```bash
dnf install tpm2-tss

# Add decryption key to tpm.
# For machines where prioritizing a secure boot environment is important we need to
# specify --tpm2-pcrs=0+7 -- 0 meaning the firmware has not changed and 7 meaning
# secure boot is enabled
systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=""

# Add tpm2-tss to dracut
# Edit /etc/dracut.conf.d/tpm2.conf
add_dracutmodules+=" tpm2-tss "

dracut -f
```

## Certbot for Cockpit

During this process you'll pick one node to act as your manager for your other nodes.
You'll only need to cert a single node and then it will connect via ssh over your local
network to the other nodes.

Create an AWS user which will have route53 access. This is required for certbot's route53
validation.

```bash
export username=<hostname>
aws iam create-user --user-name $username
```

You'll also need a policy which allows the user to modify the selected hosted zone:

(list with `aws route53 list-hosted-zones`)

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "route53:GetChange"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect" : "Allow",
            "Action" : [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource" : [
                "arn:aws:route53:::hostedzone/Z0092652G7L97DSINN18"
            ]
        }
    ]
}
```

Attach the policy to the user:

```bash
aws iam attach-user-policy \
    --user-name $username \
    --policy-arn arn:aws:iam::892236928704:policy/certbot-route53-reeselink
```

Generate credentials:

```bash
aws iam create-access-key --user-name $username
```

On the host machine:

```bash
sudo su -
mkdir ~/.aws
vim ~/.aws/config
```

```conf
[profile default]
region=us-east-2
```

```bash
sudo su -
vim ~/.aws/credentials
```

```conf
[default]
aws_access_key_id=
aws_secret_access_key=
```

Install the aws cli v2 on the manager node:

```bash
sudo su -
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
./aws/install
```

Test your credentials with `aws route53 list-hosted-zones`. You should see as list of your
hosted zones.

Now install certbot and acquire a cert using those credentials:

```bash
sudo su -
export record=orange.reeselink.com
dnf install certbot python3-certbot-dns-route53
certbot certonly --dns-route53 -d $record

cp /etc/letsencrypt/live/$record/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
cp /etc/letsencrypt/live/$record/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key

systemctl restart cockpit.service
```

Test the renewal process with:

```bash
sudo su -
export record=orange.reeselink.com
certbot renew --cert-name $record --dry-run
mkdir -p /usr/lib/scripts
```

Create a renewal script in /usr/lib/scripts/certbot-renew.sh

/usr/lib/scripts/certbot-renew.sh

```bash
#!/bin/bash

/usr/bin/certbot renew --cert-name $record
/usr/bin/cp -f /etc/letsencrypt/live/$record/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
/usr/bin/cp -f /etc/letsencrypt/live/$record/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key
```

```bash
:%s/$record/yellow.reeselink.com/g

chmod +x /usr/lib/scripts/certbot-renew.sh
```

Now create a systemd oneshot service to run the script

/etc/systemd/system/certbot-renew.service

```conf
[Unit]
Description=Certbot Renewal

[Service]
Type=oneshot
ExecStart=/usr/lib/scripts/certbot-renew.sh
```

/etc/systemd/system/certbot-renew.timer

```conf
[Unit]
Description=Timer for Certbot Renewal

[Timer]
OnBootSec=300
OnUnitActiveSec=1w

[Install]
WantedBy=multi-user.target
```

Enable the service

```bash
systemctl enable --now certbot-renew.timer
```

Cockpit now has a valid TLS certificate that auto-renews!

## Backups

```bash
# Create an LVM snapshot
lvcreate -L 1GB -s -n test /dev/fedora_orange/root
```