init
123
FedoraServer.md
Normal file
@@ -0,0 +1,123 @@
|
||||
# Fedora Server
|
||||
|
||||
Fedora server is an awesome container hosting OS. It has a lot built in, and setup is pretty
|
||||
quick.
|
||||
|
||||
## Setup
|
||||
|
||||
```bash
|
||||
scp .ssh/authorized_keys containers:~/.ssh/authorized_keys
|
||||
```
|
||||
|
||||
```bash
|
||||
sudo hostnamectl hostname containers
|
||||
sudo dnf install vim
|
||||
sudo vim /etc/ssh/sshd_config
|
||||
sudo systemctl restart sshd
|
||||
```
|
||||
|
||||
## Certbot for Cockpit
|
||||
|
||||
### Initial Setup
|
||||
|
||||
1. Create a "containers" user in AWS. Copy the permissions from Freenas
|
||||
2. Create credentials
|
||||
3. Add your credentials to root
|
||||
4. Install the aws cli v2
|
||||
5. Test your credentials with `aws route53 list-hosted-zones`
|
||||
|
||||
```bash
|
||||
sudo dnf install certbot python3-certbot-dns-route53
|
||||
sudo certbot certonly --dns-route53 -d containers.reeselink.com
|
||||
sudo certbot certonly --dns-route53 -d containers.reeseapps.com
|
||||
|
||||
sudo cp /etc/letsencrypt/live/containers.reeselink.com/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
|
||||
sudo cp /etc/letsencrypt/live/containers.reeselink.com/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key
|
||||
|
||||
sudo cp /etc/letsencrypt/live/containers.reeseapps.com/fullchain.pem /etc/cockpit/ws-certs.d/60-letsencrypt.cert
|
||||
sudo cp /etc/letsencrypt/live/containers.reeseapps.com/privkey.pem /etc/cockpit/ws-certs.d/60-letsencrypt.key
|
||||
|
||||
```
|
||||
|
||||
Test the renewal process with:
|
||||
|
||||
```bash
|
||||
sudo certbot renew --cert-name containers.reeselink.com --dry-run
|
||||
```
|
||||
|
||||
### Renewal
|
||||
|
||||
Create a renewal script in /usr/lib/scripts/certbot-renew.sh
|
||||
|
||||
/usr/lib/scripts/certbot-renew.sh (chmod +x)
|
||||
|
||||
```bash
|
||||
#!/bin/bash
|
||||
|
||||
/usr/bin/certbot renew --cert-name containers.reeselink.com
|
||||
cp /etc/letsencrypt/live/containers.reeselink.com/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
|
||||
cp /etc/letsencrypt/live/containers.reeselink.com/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key
|
||||
```
|
||||
|
||||
Now create a systemd oneshot service to run the script
|
||||
|
||||
/etc/systemd/system/certbot-renew.service
|
||||
|
||||
```conf
|
||||
[Unit]
|
||||
Description=Certbot Renewal
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/lib/scripts/certbot-renew.sh
|
||||
```
|
||||
|
||||
/etc/systemd/system/certbot-renew.timer
|
||||
|
||||
```conf
|
||||
[Unit]
|
||||
Description=Timer for Certbot Renewal
|
||||
|
||||
[Timer]
|
||||
OnBootSec=300
|
||||
OnUnitActiveSec=1w
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
```
|
||||
|
||||
Enable the service
|
||||
|
||||
```bash
|
||||
systemctl enable --now certbot-renew.timer
|
||||
```
|
||||
|
||||
### Disable FirewallD
|
||||
|
||||
Firewalld conflicts with k3s. Disable it from the UI.
|
||||
|
||||
## Disable SELinux
|
||||
|
||||
SELinux interferes with ISCSI mounts. Disable it by editing `/etc/selinux/config`
|
||||
|
||||
```bash
|
||||
SELINUX=permissive
|
||||
```
|
||||
|
||||
### Allow ISCSI
|
||||
|
||||
```bash
|
||||
# Install the following system packages
|
||||
sudo dnf install -y lsscsi iscsi-initiator-utils sg3_utils device-mapper-multipath
|
||||
|
||||
# Enable multipathing
|
||||
sudo mpathconf --enable --with_multipathd y
|
||||
|
||||
# Ensure that iscsid and multipathd are running
|
||||
sudo systemctl enable iscsid multipathd
|
||||
sudo systemctl start iscsid multipathd
|
||||
|
||||
# Start and enable iscsi
|
||||
sudo systemctl enable iscsi
|
||||
sudo systemctl start iscsi
|
||||
```
|
||||
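Review bot: In the Renewal section, certbot-renew.sh renews and copies only containers.reeselink.com (the 50-letsencrypt pair), while Initial Setup also issues containers.reeseapps.com and installs it as 60-letsencrypt.cert and 60-letsencrypt.key. Cockpit loads the last .cert file in /etc/cockpit/ws-certs.d in alphabetical order, so the 60- certificate is the one it serves, and it is the one this script never refreshes. Suggest renewing and copying both names in the script, or dropping the second certificate from Initial Setup. The script also has no `set -e`, so its exit status is that of the last `cp` and the oneshot unit reports success even when `certbot renew` fails; adding `set -e` after the shebang would surface that in systemd. Two smaller points: the "Disable SELinux" section sets `SELINUX=permissive`, which leaves SELinux loaded and logging rather than disabled, so the heading and sentence should say permissive; and certbot-renew.timer uses `WantedBy=multi-user.target` where timer units are normally installed under `timers.target`.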