services/homelab
1
1
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases Wiki Activity

add tpm2 luks decryption instructions for fedora kinoite

Browse Source
This commit is contained in:
Reese Wells
2025-03-12 16:41:19 -04:00
parent ecf66a5fb2
commit 34fad5846f
1 changed files with 51 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
infrastructure/graduated/fedora/fedora-kinoite.md
View File

@@ -1,16 +1,57 @@
# Fedora Kinoite # Fedora Kinoite
- [Fedora Kinoite](#fedora-kinoite) - [Fedora Kinoite](#fedora-kinoite)
- [TPM2 Luks Decryption](#tpm2-luks-decryption)
- [Podman](#podman) - [Podman](#podman)
- [Autostarting services with quadlets](#autostarting-services-with-quadlets) - [Autostarting services with quadlets](#autostarting-services-with-quadlets)
- [rpm-ostree](#rpm-ostree) - [rpm-ostree](#rpm-ostree)
- [Git, Vim, etc](#git-vim-etc) - [Git, Vim, etc](#git-vim-etc)
- [Libvirt, Qemu, KVM](#libvirt-qemu-kvm) - [Libvirt, Qemu, KVM](#libvirt-qemu-kvm)
- [Docker Compose and Docker Buildkit with Rootless Podman](#docker-compose-and-docker-buildkit-with-rootless-podman)
- [Network](#network) - [Network](#network)
- [Hostname](#hostname) - [Hostname](#hostname)
- [VLAN Setup with nmcli](#vlan-setup-with-nmcli) - [VLAN Setup with nmcli](#vlan-setup-with-nmcli)
## TPM2 Luks Decryption
Mostly taken from here:
<https://gist.github.com/jdoss/777e8b52c8d88eb87467935769c98a95>
PCR reference for `--tpm2-pcrs` args
```text
0: System firmware executable
2: Kernel
4: Bootloader
7: Secure boot state
8: Cmdline
9: Initrd
```
Basic commands:
```bash
# Show tpm2 devices
systemd-cryptenroll --tpm2-device=list
# Show crypto luks block devices
blkid -t TYPE=crypto_LUKS
# Enroll the tpm2 device with systemd-cryptenroll
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9 /dev/nvme0n1p3
# Reenroll
systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9
# Append to command line args
rpm-ostree kargs --append=rd.luks.options=tpm2-device=auto
```
When you update you'll need to reenroll. Add this to your ~/.bashrc
```bash
# LUKS TPM2 commands
alias tpm2-reenroll='sudo systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9'
```
## Podman ## Podman
Since you'll be using podman for most container-based services, you'll want to set the Since you'll be using podman for most container-based services, you'll want to set the
@@ -52,6 +93,15 @@ systemctl --user start ollama
## rpm-ostree ## rpm-ostree
Note: if you don't need them, remove extra repos
I removed:
1. rpmfusion-nonfree-steam.repo
2. rpmfusion-nonfree-nvidia-driver.repo
3. google-chrome.repo
4. _copr\:copr.fedorainfracloud.org\:phracek\:PyCharm.repo
```bash ```bash
# Search for available packages # Search for available packages
rpm-ostree search git rpm-ostree search git
@@ -81,20 +131,6 @@ rpm-ostree install virt-manager libvirt
systemctl enable --now libvirtd systemctl enable --now libvirtd
``` ```
### Docker Compose and Docker Buildkit with Rootless Podman
Allows you to use podman with full docker-compose compatibility.
<https://emersion.fr/blog/2025/using-podman-compose-and-buildkit/>
```bash
rpm-ostree install docker-compose docker-buildx
reboot
systemctl --user enable --now podman.socket
docker context create podman --docker host=unix://$XDG_RUNTIME_DIR/podman/podman.sock
docker context use podman
```
## Network ## Network
### Hostname ### Hostname