clean up templates

2025-11-20 06:57:11 -05:00
parent 7305e3a35b
commit 270e86bfd0
2 changed files with 39 additions and 317 deletions
--- a/templates/os/foobar.md
+++ b/templates/os/foobar.md
@@ -8,15 +8,15 @@ installing the OS onto.
 - [Foobar](#foobar)
  - [Installation](#installation)
  - [Network](#network)
-    - [Firewalld Configuration](#firewalld-configuration)
+    - [Firewall](#firewall)
    - [Setup SSH](#setup-ssh)
-    - [Fail2Ban](#fail2ban)
+    - [Enable IPv6](#enable-ipv6)
    - [Set eui64 on network interface](#set-eui64-on-network-interface)
    - [Set up Network Bridge](#set-up-network-bridge)
  - [Storage](#storage)
-    - [BTRFS Parent Volumes](#btrfs-parent-volumes)
+    - [Volumes](#volumes)
-    - [BTRFS Snapshots](#btrfs-snapshots)
+    - [Snapshots](#snapshots)
-    - [BTRFS Maintenance](#btrfs-maintenance)
+    - [Maintenance](#maintenance)
    - [Backups](#backups)
    - [TPM2 Luks Decryption](#tpm2-luks-decryption)
  - [Users](#users)
    - [Change your password](#change-your-password)
@@ -25,16 +25,8 @@ installing the OS onto.
  - [Monitoring](#monitoring)
    - [Disk Usage](#disk-usage)
    - [Disk Wear](#disk-wear)
  - [Backups](#backups)
    - [Downgrading Kernel](#downgrading-kernel)
  - [Apps](#apps)
    - [Package Manager](#package-manager)
    - [Install and Enable Cockpit](#install-and-enable-cockpit)
  - [Install and Enable Virtualization](#install-and-enable-virtualization)
  - [Install and Enable Containers](#install-and-enable-containers)
  - [Troubleshooting](#troubleshooting)
    - [Disable Swap](#disable-swap)
    - [Disable Selinux](#disable-selinux)
 ## Installation
@@ -57,355 +49,85 @@ installing the OS onto.
 ## Network
-### Firewalld Configuration
+### Firewall
-Set the default firewalld zone to `public`
+Allow SSH
 ```bash
-# Note, you probably don't have to do this. Check Cockpit Network -> Firewall
+# Your firewall command here
 # firewall-cmd --set-default-zone=public
 ```
 Firewalld will be on and blocking by default. You can check the zone and allowed ports with:
 ```bash
 firewall-cmd --zone=public --list-ports
 firewall-cmd --zone=public --list-services
 ```
 Allow Cockpit with
 ```bash
 firewall-cmd --permanent --zone=public --add-port=9090/tcp
 firewall-cmd --reload
 ```
 ### Setup SSH
-See [README](/README.md#ssh-key-generation)
+Install SSH
 ### Fail2Ban
 On the server:
 ```bash
-# Run tmux session
+# Steps to install SSH server
 tmux
 dnf install -y fail2ban
 # Setup initial rules
 cat <<EOF > /etc/fail2ban/jail.local
 # Jail configuration additions for local installation
 # Adjust the default configuration's default values
 [DEFAULT]
 # Optional enter an trusted IP never to ban
 # ignoreip = 2600:1700:1e6c:a81f::0/64
 bantime  = 6600
 backend = auto
 # The main configuration file defines all services but
 # deactivates them by default. We have to activate those neeeded
 [sshd]
 enabled = true
 EOF
 systemctl enable fail2ban --now
 # OPTIONAL: follow logs
 tail -f /var/log/fail2ban.log
 ```
-Checking, banning, unbanning
+### Enable IPv6
-```bash
+1. Disable privacy
-# See banned clients
+2. Enable eui64 addressing
 fail2ban-client banned
 # See jails (sshd should be one of them)
 fail2ban-client status
 # Unban a client from the sshd jail
 fail2ban-client set sshd unbanip <IP address>
 ```
 ### Set eui64 on network interface
 Ensures consistent mac-based IPv6 address.
 ```bash
 nmcli connection modify Wired\ connection\ 1 ipv6.addr-gen-mode eui64
 ```
 ### Set up Network Bridge
-Networking -> Add bridge -> add network interface and save
+Create a network bridge for VMs
 ```bash
 nmcli connection modify bridge0 ipv6.addr-gen-mode eui64
 ```
 ## Storage
-### BTRFS Parent Volumes
+### Volumes
-In `/etc/fstab`, add the parent volumes for your disks mounted with subvolid=5 at `/btrfs` so you can see
+Create volumes for `/home`, `/var`, `/var/log`, `/tmp`, etc.
 all subvolumes.
-```conf
+### Snapshots
 UUID=64beedac-c0c9-48bf-a3ae-7707df6ebc97 /btrfs/3dserver-root    btrfs   subvolid=5,compress=zstd:1,x-systemd.device-timeout=0 0 0
 UUID=3c76b83f-7547-4c18-b08f-9e7902022b8d /btrfs/3dserver-data    btrfs   subvolid=5,compress=zstd:1,x-systemd.device-timeout=0 0 0
 ```
-```bash
+If supported, set up automated snapshots to keep a history of your data.
 systemctl daemon-reload
 mount -a --mkdir
 ```
-### BTRFS Snapshots
+### Maintenance
-<https://en.opensuse.org/openSUSE:Snapper_Tutorial>
+If supported, set up scrub and check jobs to ensure data integrity.
-<http://snapper.io/manpages/snapper-configs.html>
+### Backups
-We'll be using snapper, a tool for automating and controlling snapshot behavior.
+Set up regular backups via a supported tool like Borg.
 ```bash
 dnf install snapper dnf-plugin-snapper
 # Allow selinux management
 semanage permissive -a snapperd_t
 # Note, if you mess something up you can run snapper -c root delete-config to delete
 # System configs are stored in /etc/sysconfig/snapper as well as /etc/snapper
 snapper -c root create-config /
 snapper -c data create-config /path/to/other/data
 # Enable automatic snapshots
 systemctl enable --now snapper-timeline.timer
 # Enable automatic cleanup
 systemctl enable --now snapper-cleanup.timer
 # Enable snapshots on boot
 systemctl enable --now snapper-boot.timer
 # List snapshots
 snapper -c root list
 # Create snapshot manually
 snapper -c root create --description "test snapshot"
 # Delete first snapshot
 snapper -c root delete 1
 ```
 Note - you probably don't want to keep yearly snapshots.
 Edit `/etc/snapper/configs/root` and change `TIMELINE_LIMIT_YEARLY=` to `0`.
 ### BTRFS Maintenance
 ```bash
 # Start a scrub in the foreground (-B) at /
 btrfs scrub start -B /
 ```
 ### TPM2 Luks Decryption
-Mostly taken from here:
+If you want automatic decryption via TPM2, set it up here.
 <https://gist.github.com/jdoss/777e8b52c8d88eb87467935769c98a95>
 PCR reference for `--tpm2-pcrs` args
 ```text
 0: System firmware executable
 2: Kernel
 4: Bootloader
 7: Secure boot state
 8: Cmdline
 9: Initrd
 ```
 Note, if your threat vector is people trying to get data off your old disks after throwing them
 away, you can set `--tpm2-pcrs=""`. Someone could gain access to your encrypted partition if they
 can access your machine physically by manipulating the boot parameters but you're guaranteed to
 unlock despite updates and upgrades.
 Basic commands:
 ```bash
 # Run tmux session
 tmux
 # Show tpm2 devices
 systemd-cryptenroll --tpm2-device=list
 # Show crypto luks block devices
 blkid -t TYPE=crypto_LUKS
 # Enroll the tpm2 device with systemd-cryptenroll
 systemd-cryptenroll /dev/nvme0n1p3 --tpm2-device=auto --tpm2-pcrs=""
 ####################
 ##### OPTIONAL #####
 ####################
 # If you have lots of devices to decrypt (like a btrfs raid array), use these commands.
 # Get all crypto luks partitions
 blkid | grep crypto_LUKS
 # List them all space-separated and drop the '/dev'
 LUKS_DEVS="nvme0n1p4 nvme1n1p1 nvme2n1p1 nvme3n1p1 nvme5n1p1 nvme4n1p1 nvme6n1p1"
 # Check that your list is good
 for dev in $LUKS_DEVS; do echo will enroll /dev/$dev; done
 # Enroll
 for dev in $LUKS_DEVS; do \
 echo "Enrolling /dev/$dev"; \
 systemd-cryptenroll /dev/$dev --tpm2-device=auto --tpm2-pcrs=""; \
 done
 ########################
 ##### END OPTIONAL #####
 ########################
 # Append to command line args
 echo "add_dracutmodules+=\" tpm2-tss \"" | tee /etc/dracut.conf.d/tpm2.conf
 dracut -f
 ```
 Finally, `vim /etc/default/grub` and add `rd.luks.options=tpm2-device=auto` to GRUB_CMDLINE_LINUX
 ```bash
 # Update Grub
 grub2-mkconfig -o /boot/grub2/grub.cfg
 reboot
 # Cross your fingers that you don't have to go type in the password manually.
 # Yes, 60 full seconds is too long. Go type your password in.
 ```
 If you need to reenroll for some reason:
 ```bash
 # Reenroll
 systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=""
 ```
 ## Users
 ### Change your password
-In Cockpit navigate to Accounts -> user -> Set password
+Change the default user's password.
 ## Updates
 Describe what needs updated regularly and how to update it.
 ### Automatic Updates
-In Cockpit navigate to software updates -> automatic updates -> install -> security updates only
+Set up automatic updates or security patches.
 ## Monitoring
-In Cockpit: Overview -> View metrics and history -> Install PCP Support -> Metrics settings -> Turn on Collect Metrics
+Set up a monitoring service for resources or uptime.
 ### Disk Usage
-TODO
+Set up disk usage monitoring.
 ### Disk Wear
-TODO
+Set up physical disk wear monitoring for SSDs if applicable.
 ## Backups
 See [borg.md](/active/systemd_borg/borg.md)
 ### Downgrading Kernel
 ```bash
 dnf install koji
 # Note: format is kernel-version.fedora-version
 cd $(mktemp -d) && koji download-build --arch=x86_64 --arch=noarch kernel-6.11.3-300.fc41 && dnf install ./*
 reboot
 ```
 ## Apps
-### Package Manager
+Document any recommended apps here.
-Configure dnf to use the fastest mirror:
+If your package manager requires specific configuration, put it here.
 ```bash
 echo 'fastestmirror=1' >> /etc/dnf/dnf.conf
 dnf clean all
 dnf update --refresh -y
 # libdnf5 is required for ansible to work
 dnf install -y glances tmux vim python3-libdnf5
 ```
 ### Install and Enable Cockpit
 <https://cockpit-project.org/running>
 ```bash
 dnf install cockpit
 systemctl enable --now cockpit.socket
 firewall-cmd --add-service=cockpit
 firewall-cmd --add-service=cockpit --permanent
 ```
 ## Install and Enable Virtualization
 Don't forget to add a btrfs subvolume for `/var/lib/libvirt`
 ```bash
 # Since we already created our /btrfs mountpoint, this volume will show up automatically
 # at /btrfs/libvirt
 btrfs sub create /btrfs/libvirt
 ```
 Now create an fstab entry that mounts the volume at /var/lib/libvirt
 ```bash
 UUID=... /var/lib/libvirt    btrfs   subvol=libvirt,compress=zstd:1,x-systemd.device-timeout=0 0 0
 ```
 Mount the libvirt volume:
 ```bash
 systemctl daemon-reload
 mount -a --mkdir
 # Check that the mount was successful. This will print something if our mount worked.
 mount | grep -i /var/lib/libvirt
 ```
 Create a snapshot schedule for libvirt.
 ```bash
 snapper -c libvirt create-config /var/lib/libvirt
 # Don't forget to edit "YEARLY" at /etc/snapper/configs/libvirt
 ```
 Install and enable the virtualization service.
 ```bash
 dnf group install --with-optional virtualization
 systemctl enable --now libvirtd
 ```
 Install the cockpit machines application.
 ## Install and Enable Containers
 ## Troubleshooting
-### Disable Swap
+Any troubleshooting recommendations for common issues.
 ```bash
 swapoff -a
 zramctl --reset /dev/zram0
 dnf -y remove zram-generator-defaults
 ```
 ### Disable Selinux
 By default selinux will be enforcing. You can set it to permissive with
 ```bash
 setenforce 0
 ```
 And then make it permanent by editing `/etc/selinux/config` and inserting `SELINUX=permissive`.
--- a/templates/software/foobar.md
+++ b/templates/software/foobar.md
@@ -11,7 +11,7 @@
 ## Setup foobar Project
-1. Copy and rename this folder to active/systemd_foobar
+1. Copy and rename this folder to active/software_foobar
 2. Find and replace foobar with the name of the service
 3. Write the foobar.service spec
 4. (OPTIONAL) Write the foobar.timer spec
@@ -33,16 +33,16 @@
 ansible-playbook \
 -i ansible/inventory.yaml \
 -l podman \
-active/systemd_foobar/install_foobar.yaml \
+active/software_foobar/install_foobar.yaml \
-e "@active/systemd_foobar/vars.yaml" \
+-e "@active/software_foobar/vars.yaml" \
-e "@active/systemd_foobar/secrets/vars.yaml"
+-e "@active/software_foobar/secrets/vars.yaml"
 ```
 ## Upgrade foobar
 ## Backup foobar
-Follow the [Borg Backup instructions](/active/systemd_borg/borg.md#set-up-a-client-for-backup)
+Follow the [Borg Backup instructions](/active/software_borg/borg.md#set-up-a-client-for-backup)
 ## Restore foobar