From 3f2ac1559154d0002a4ca062c922df499c291688 Mon Sep 17 00:00:00 2001 From: ducoterra Date: Fri, 6 Feb 2026 20:13:46 -0500 Subject: [PATCH] add power profiles and koji to fedora server --- active/os_fedora/fedora-server.md | 757 +++++++++++++++++++++++++++++- 1 file changed, 747 insertions(+), 10 deletions(-) diff --git a/active/os_fedora/fedora-server.md b/active/os_fedora/fedora-server.md index f3a9732..63415a5 100644 --- a/active/os_fedora/fedora-server.md +++ b/active/os_fedora/fedora-server.md @@ -2,9 +2,9 @@ - [Fedora Server](#fedora-server) - [Installation](#installation) - - [Power Profiles with Tuned](#power-profiles-with-tuned) - [Setup SSH](#setup-ssh) - [DNF](#dnf) + - [Power Profiles with Tuned](#power-profiles-with-tuned) - [Fail2Ban](#fail2ban) - [BTRFS Parent Volumes](#btrfs-parent-volumes) - [BTRFS Snapshots](#btrfs-snapshots) 
@@ -48,6 +48,42 @@ - [Chroot into a mounted disk](#chroot-into-a-mounted-disk) - [Resize Last Partition to Fill Available Space](#resize-last-partition-to-fill-available-space) - [LUKS performance](#luks-performance) + - [Set up firewall](#set-up-firewall) + - [Dual Boot with Fingerprint Scanner Issues](#dual-boot-with-fingerprint-scanner-issues) + - [Revert Kernel (if needed)](#revert-kernel-if-needed) + - [Reverting linux-firmware](#reverting-linux-firmware) + - [Make DNF Fast](#make-dnf-fast) + - [Install Useful Packages](#install-useful-packages) + - [Set Hostname](#set-hostname) + - [Install updates](#install-updates) + - [Extensions](#extensions) + - [Gnome Tweaks](#gnome-tweaks) + - [Flatpack](#flatpack) + - [Snap](#snap) + - [AppImage Launcher](#appimage-launcher) + - [Backups](#backups-1) + - [Create Encrypted Drive](#create-encrypted-drive) + - [Backup Disks](#backup-disks) + - [Disk Health](#disk-health) + - [Create BTRBK Config](#create-btrbk-config) + - [Create Systemd Timer](#create-systemd-timer) + - [Test, Start and Enable service](#test-start-and-enable-service) + - [Restore](#restore) + - [Firewall CMD](#firewall-cmd) + - [Bluetooth](#bluetooth) + - [Airpods](#airpods) + - [ZRAM](#zram) + - [Automatic Disk Decryption with TPM2](#automatic-disk-decryption-with-tpm2) + - [Firefox GPU Rendering](#firefox-gpu-rendering) + - [Gnome Software Updates (packagekitd and software)](#gnome-software-updates-packagekitd-and-software) + - [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed) + - [Power Button Behavior](#power-button-behavior) + - [Discord](#discord) + - [Discord sharing not working](#discord-sharing-not-working) + - [Minecraft](#minecraft) + - [Sound Devices](#sound-devices) + - [Install ffmpegthumbnailer, remove totem](#install-ffmpegthumbnailer-remove-totem) + - [Add compatibility for HEIC to mogrify](#add-compatibility-for-heic-to-mogrify) 
@@ -75,12 +111,6 @@ and the operator will store information about each server. 5. Take note of the ipv4 and ipv6 address. Update any DNS records at this time. 6. Install and reboot -## Power Profiles with Tuned - -1. `dnf install tuned` -2. `systemctl enable --now tuned` -3. `tuned-adm profile virtual-host` - ## Setup SSH See [README](/README.md#ssh-setup) @@ -94,9 +124,15 @@ echo 'fastestmirror=1' >> /etc/dnf/dnf.conf dnf clean all dnf update --refresh -y # libdnf5 is required for ansible to work -dnf install -y glances tmux vim python3-libdnf5 +dnf install -y git glances tmux vim python3-libdnf5 borgbackup tpm2-tools ``` +## Power Profiles with Tuned + +1. `dnf install tuned` +2. `systemctl enable --now tuned` +3. `tuned-adm profile virtual-host` + ## Fail2Ban On the server: @@ -167,15 +203,16 @@ mount -a --mkdir We'll be using snapper, a tool for automating and controlling snapshot behavior. ```bash -dnf install snapper dnf-plugin-snapper +dnf install -y snapper dnf-plugin-snapper # Allow selinux management semanage permissive -a snapperd_t # Note, if you mess something up you can run snapper -c root delete-config to delete # System configs are stored in /etc/sysconfig/snapper as well as /etc/snapper +snapper -c boot create-config /boot snapper -c root create-config / -snapper -c data create-config /path/to/other/data +snapper -c home create-config /home # Enable automatic snapshots systemctl enable --now snapper-timeline.timer 
@@ -747,3 +784,703 @@ Which will tell you how fast you can theoretically write/read to encrypted drive The default encryption used by most modern operating systems is AES-XTS. You can see your system's cipher and key with `cryptsetup luksDump /dev/nvme0n1p1 | grep -i cipher` + +## Set up firewall + +sudo vim /etc/firewalld/firewalld.conf + +```conf +LogDenied=all +``` + +```bash +# Restart and reload the firewalld service +sudo systemctl restart firewalld.service + +# List all available firewalld zones and what they do +sudo firewall-cmd --list-all-zones + +# Set the default firewall zone to public +sudo firewall-cmd --set-default-zone public + +# Open a port temporarily +sudo firewall-cmd --add-port=25565/tcp +``` + +Monitor blocked traffic + +```bash +sudo journalctl -f | grep -i REJECT + +sudo journalctl -f | grep -i DROP +``` + +## Dual Boot with Fingerprint Scanner Issues + + + +The script below will clear the existing fingerprints from the internal +storage. + +```bash +#! /usr/bin/python3 + +import gi +gi.require_version('FPrint', '2.0') +from gi.repository import FPrint + +ctx = FPrint.Context() + +for dev in ctx.get_devices(): + print(dev) + print(dev.get_driver()) + print(dev.props.device_id); + + dev.open_sync() + + dev.clear_storage_sync() + print("All prints deleted.") + + dev.close_sync() +``` + +## Revert Kernel (if needed) + +With koji + +```bash +# Install koji (if you don't have it) +sudo dnf install -y koji + +# Search for the desired kernel version +koji search build kernel-6.18.3* + +# Create a temporary directory to store the donwloaded kernel packages +sudo -i +mkdir /root/kernel-download-6.18.3 +cd /root/kernel-download-6.18.3 + +# Download the kernel packages +koji download-build --arch=x86_64 kernel-6.18.3-200.fc43 +rm -f *debug*.rpm +rm -f *uki*.rpm +# Install all downloaded rpms +dnf install ./*.rpm + +reboot +``` + +If you need to revert to previously installed kernels: + +```bash +# Find the kernels you have installed +rpm -qa kernel + 
+# List available kernels +ls /boot | grep vmlinuz + +# Revert to a previous kernel +grubby --set-default /boot/vmlinuz-6.18.3... +``` + +This might throw errors when updating to newer kernels (file not found) + +To restore back to the original kernel: + +```bash +# If this directory exists, it's the problem +ls -d "/boot/efi/$(cat /etc/machine-id)" + +# Move that directory out of the way +mv "/boot/efi/$(cat /etc/machine-id)" "/boot/efi/$(cat /etc/machine-id)_disabled" + +# Reinstall the new kernel +dnf reinstall 'kernel*-0:6.18.8*' +``` + +## Reverting linux-firmware + +```bash +sudo -i +mkdir -p /root/linux-firmware-downgrade +cd /root/linux-firmware-downgrade + +wget -r -np -nd -A '*.rpm' https://kojipkgs.fedoraproject.org/packages/linux-firmware/20251111/1.fc43/noarch/ + +dnf install ./*.rpm +dracut -f --kver 6.18.3... + +reboot +``` + +## Make DNF Fast + +```bash +echo 'fastestmirror=1' | sudo tee -a /etc/dnf/dnf.conf +echo 'max_parallel_downloads=10' | sudo tee -a /etc/dnf/dnf.conf +echo 'deltarpm=true' | sudo tee -a /etc/dnf/dnf.conf +``` + +/etc/dnf/dnf.conf + +```conf +[main] +gpgcheck=1 +installonly_limit=3 +clean_requirements_on_remove=True +best=False +skip_if_unavailable=True +fastestmirror=1 +max_parallel_downloads=10 +deltarpm=true +``` + +## Install Useful Packages + +```bash +sudo dnf install vim +``` + +## Set Hostname + +```bash +hostnamectl set-hostname ducolaptop +``` + +## Install updates + +```bash +sudo dnf upgrade --refresh +sudo dnf check +sudo dnf autoremove +sudo fwupdmgr get-devices +sudo fwupdmgr refresh --force +sudo fwupdmgr get-updates +sudo fwupdmgr update +sudo reboot now +``` + +## Extensions + +```bash +sudo dnf install -y gnome-extensions-app gnome-tweaks +sudo dnf install -y gnome-shell-extension-appindicator +``` + +1. Another Window Session Manager by 5q0Fw + + Restores windows on shutdown/reboot. Can be configured to automatically + save the last state before restart. 
Pair this with "restore session" in + firefox/chrome and you've got yourself a really good mac hibernate + equivalent. + +2. Dash to Dock by michele_g + + Make the dock behave like macos. Hide when it would cover a window. Show + when the mouse hovers over the bottom of the screen. Add some sane default + shortcuts. Etc. + +3. Tactile by lundal + + Power-user tiling! Behaves like Windows Power Toys FancyZones. + +4. Vitals by corecoding + + Adds quick-glance stats about your system to the menu bar. Use to monitor + CPU usage, memory availability, network speed, battery wattage, etc. + +## Gnome Tweaks + +1. Fonts -> Monospace Text -> Fira Code Regular +2. Keyboard & Mouse -> Acceleration Profile -> Flat +3. Keyboard & Mouse -> Mouse Click Emulation -> Fingers +4. Top Bar -> Activities Overview Hot Corner -> Off +5. Top Bar -> Battery Percentage -> On +6. Top Bar -> Clock -> Weekday -> On +7. Top Bar -> Clock -> Seconds -> On +8. Windows -> Center New Windows -> On + +## Flatpack + +```bash +flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo +flatpak update +``` + +## Snap + +```bash +sudo dnf install -y snapd +sudo ln -s /var/lib/snapd/snap /snap # for classic snap support +ln -s /var/lib/snapd/desktop/applications ~/.local/share/applications/snap # make apps show up in gnome +sudo reboot now +``` + +## AppImage Launcher + +Download RPM from + + +## Backups + +### Create Encrypted Drive + +```bash +# Create an encrypted drive +sudo cryptsetup luksFormat /dev/sdb1 + +# LUKS Disk Encryption can use up to 8 key slots to store passwords. We can use these keys to auto mount LUKS device. 
+# cryptsetup luksDump /dev/sda + +# Create a lukskeys +mkdir -p /home/ducoterra/.lukskeys + +# Generate key +dd if=/dev/random bs=32 count=1 of=/home/ducoterra/.lukskeys/btr_backup + +# Change key mode +chmod 600 /home/ducoterra/.lukskeys + +# Luks add a key +sudo cryptsetup luksAddKey /dev/sda /home/ducoterra/.lukskeys/btr_backup + +# Get UUID of disk with +sudo blkid /dev/sda1 + +# Add key to crypttab +echo 'btr_backup UUID=1d7ce570-e695-47a0-9dda-5f14b5b20e21 /home/ducoterra/.lukskeys/btr_backup luks' >> /etc/crypttab + +# Create read-only backup mount point +sudo btrfs sub create /mnt/btr_backup +sudo btrfs property set /mnt/btr_backup ro true + +# Add to fstab +echo '/dev/mapper/btr_backup /mnt/btr_backup btrfs x-systemd.device-timeout=0,x-gvfs-show,x-gvfs-name=btr_backup,ssd,nofail,noatime,discard=async,compress=zstd 0 0' >> /etc/fstab + +# mount +sudo cryptsetup luksOpen /dev/disk/by-uuid/1d7ce570-e695-47a0-9dda-5f14b5b20e21 backup0 --key-file=/home/ducoterra/.lukskeys/backup0 + +# close (or fix issues) +sudo cryptsetup luksClose backup0 +``` + +### Backup Disks + +Backup disks will respect the following naming convention: + +brand_size_purpose_year_month + +So for a backup drive you would create: + +`wd_4tb_backup_2023_01` + +Or for an archive drive: + +`samsung_1tb_archive_2023_01` + +#### Disk Health + +`smartctl -a /dev/sda` + +### Create BTRBK Config + +`sudo vim /etc/btrbk/btrbk.conf` + +```conf +snapshot_create ondemand +snapshot_preserve_min 2d +snapshot_preserve 14d +snapshot_dir snapshots + +target_preserve_min no +target_preserve 20d 10w *m + +volume /mnt/btr_pool + target /mnt/btr_backup + subvolume root + subvolume home +``` + +### Create Systemd Timer + +`sudo vim /etc/systemd/system/btrbk.service` + +```conf +[Unit] +Description=Runs btrbk with config file at /etc/btrbk/btrbk.conf + +[Service] +ExecStart=btrbk -c /etc/btrbk/btrbk.conf -v run +``` + +`sudo vim /etc/systemd/system/btrbk.timer` + +```conf +[Unit] +Description=Run btrbk every 
hour + +[Timer] +OnCalendar=hourly +AccuracySec=10min +Persistent=true +Unit=btrbk.service + +[Install] +WantedBy=timers.target +``` + +### Test, Start and Enable service + +Test your service:the available storage space on our NAS to the iSCSI target +and the other half + +```bash +sudo btrbk -c /etc/btrbk/btrbk.conf -v run +``` + +Enable your service: + +```bash +sudo systemctl start btrbk.timer + +sudo systemctl enable btrbk.timer +``` + +### Restore + +In the event you need to restore your system from a disaster do the following: + +1. Reinstall fedora via a live image +2. After install, disk should be mounted at /mnt/sysimage +3. Copy the new fstab and crypttab to somewhere safe +4. rsync -av [etc, home, opt, root, usr, var] +5. `mount /dev/Y /mnt/sysimage/boot` +6. `mount /dev/Z /mnt/sysimage/boot/efi` +7. `mount --bind /dev /mnt/sysimage/dev` +8. `mount --bind /proc /mnt/sysimage/proc` +9. `mount --bind /sys /mnt/sysimage/sys` +10. `chroot /mnt/sysimage` +11. Edit fstab and crypttab so they match the new partitions +12. Update /etc/default/grub to match the new luks uuid +13. grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg +14. reboot + +## Firewall CMD + +1. Enable firewall + + ```bash + systemctl start firewall-cmd + systemctl enable firewall-cmd + ``` + +2. Set default behavior to drop everything + + ```bash + firewall-cmd --set-default-zone=drop + systemctl reload firewall-cmd + ``` + +## Bluetooth + +### Airpods + +Edit: /etc/bluetooth/main.conf Set ControllerMode = bredr + +1. restart bluetooth service +2. connect airpods +3. comment line out +4. 
restart bluetooth service again + +## ZRAM + +Edit /etc/systemd/zram-generator.conf + +```conf +[zram0] +zram-size = min(ram / 2, 16384) +compression-algorithm = lzo-rle +options = +writeback-device = /dev/zvol/tarta-zoot/swap-writeback +``` + +## Automatic Disk Decryption with TPM2 + +It's a friendlier experience to just encrypt your root partition with tpm and +lunlock your remaining drives with key files stored at /etc/ukskeys. This way +you only need to reregister one key with your tpm and the remaining drives will +be unlocked automatically. + +Add your luks keys to the tpm module and set up boot parameters: + +```bash +# Enroll for the first time +sudo -E systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+4+7 /dev/nvme1n1p3 + +# Add tpm2 configuration option to /etc/crypttab +# You can get the uuid with lsblk and blkid +luks-d9828faa-2b8c-4184-9e74-9054ae328c6d UUID=d9828faa-2b8c-4184-9e74-9054ae328c6d none tpm2-device=auto,discard + +# Add rd.luks.options=tpm2-device=auto to grub +sudo grubby --args="rd.luks.options=tpm2-device=auto" --update-kernel=ALL + +# Regenerate the boot parameters +sudo dracut -f +``` + +We can configure our system to automatically reenroll the tpm device on boot so +you only need to enter your password on kernel updates. 
+ +```bash +# Create a new random password for your disk +sudo cryptsetup luksAddKey /dev/nvme0n1p3 +``` + +/etc/systemd/system/tpm_luks_cryptenroll.service + +```conf +[Unit] +Description=Automatically runs systemd-cryptenroll on login + +[Service] +Type=oneshot +ExecStart=/usr/bin/systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+4+7 --wipe-slot=tpm2 /dev/nvme0n1p3 +# new random password you just created +Environment=PASSWORD= + +[Install] +WantedBy=multi-user.target +``` + +```bash +# Now enable the service +sudo systemctl enable tpm_luks_cryptenroll.service +``` + +## Firefox GPU Rendering + + + +```bash +dnf install intel-media-driver intel-gpu-tools +``` + +Type in about:config in the address bar and hit enter. + +Set media.rdd-ffmpeg.enabled, media.ffmpeg.vaapi.enabled and +media.navigator.mediadatadecoder_vpx_enabled to true. + +Close and reopen your browser + +Run the command sudo intel_gpu_top, play a 4k video and check whether the Video +section is above 0.00% + +## Gnome Software Updates (packagekitd and software) + +To prevent Gnome Shell from starting Software open Settings->Search and disable +Software from there. + +Disable auto-updates + +```bash +sudo systemctl disable packagekit +sudo systemctl stop packagekit + +dconf write /org/gnome/software/allow-updates false +dconf write /org/gnome/software/download-updates false +``` + +## Turn Off Fingerprint When Laptop Lid Closed + +To disable fingerprint authentication when the laptop lid is closed, and +re-enable when it is reopened, we will use acpid to bind to the button/lid.* +event to a custom script that will stop and mask the fprintd service on lid +close, and unmask and start the fprintd service on lid open. + +We also check that the HDMI cable is connected by testing the contents of +/sys/class/drm/card0-HDMI-A-1/status. + +Follow the steps below: + +1. Create a .locks file in your home dir: `mkdir ~/.locks` +2. 
Create file /etc/acpi/laptop-lid.sh with the following contents: + + ```bash + #!/bin/bash + + lock=/home/ducoterra/.locks/fprint-disabled.lock + + if grep -Fq closed /proc/acpi/button/lid/LID0/state # && + # This is used to detect if a display is connected. + # For USB C displayport use: + # grep -Fxq connected /sys/class/drm/card1-DP-2/status + # For hdmi use: + # grep -Fxq connected /sys/class/drm/card0-HDMI-A-1/status + then + touch "$lock" + systemctl stop fprintd + systemctl mask fprintd + elif [ -f "$lock" ] + then + systemctl unmask fprintd + systemctl start fprintd + rm -f "$lock" + fi + ``` + +3. Make the file executable with + + `chmod +x /etc/acpi/laptop-lid.sh` + +4. Create file /etc/acpi/events/laptop-lid with the following contents: + + ```bash + event=button/lid.* + action=/etc/acpi/laptop-lid.sh + ``` + +5. Restart the acpid service with: + + `sudo service acpid restart` + +Now the fingerprint will be used only when the lid is open. + +In order to restore the correct state of the fprintd service if you +disconnect/reconnect while the laptop is off, you may call the above script +from a systemd init file. The steps to do this are the following: + +1. Create a file named /etc/systemd/system/laptop-lid.service with the + following contents: + + ```bash + [Unit] + Description=Laptop Lid + After=suspend.target + + [Service] + ExecStart=/etc/acpi/laptop-lid.sh + + [Install] + WantedBy=multi-user.target + WantedBy=suspend.target + ``` + +2. Reload the systemd config files with + + `sudo systemctl daemon-reload` + +3. Start the service with + + `sudo systemctl start laptop-lid.service` + +4. Enable the service so that it starts automatically on boot + + `sudo systemctl enable laptop-lid.service` + +Now the status should be correct even after connecting/disconnecting when the +computer is off. + +## Power Button Behavior + +The power button is controlled from 2 locations: + +1. DCONF (or gnoem settings) at `gnome.settings-daemon.plugins.power` +2. 
ACPI at /etc/acpi/events/powerconf + +The powerconf acpi configuration will execute at the same time the gnome settings do. +This can lead to situations where the gnome settings say "suspend" but the acpi settings +say "shutdown". On waking up your laptop it will immediately shutdown. + +The solution is to comment out everything in /etc/acpi/events/powerconf and rely on the +gnome settings **OR** set the gnome settings to "nothing" and edit +`/etc/acpi/actions/power.sh` with the behavior you expect. Either way you should pick +one to control power button behavior. + +## Discord + +vim ~/.local/share/applications/Discord.desktop + +```conf +[Desktop Entry] +Encoding=UTF-8 +Name=Discord +Exec=/home/ducoterra/Applications/Discord/Discord +Icon=/home/ducoterra/Applications/Discord/discord.png +Type=Application +Categories=Communication; +``` + +### Discord sharing not working + +THIS IS PROBABLY A PER-APP THING + +Likely the thing you're trying to share doesn't work, it's not wayland's fault. + +If you're trying to share firefox - download the firefox binary and dnf +uninstall the other one. For whatever reason the preinstalled binary doesn't +like screen share. You can use the following: + +~/.local/share/applications/firefox.desktop + +```conf +[Desktop Entry] +Encoding=UTF-8 +Name=Firefox +Exec=/home/ducoterra/Applications/firefox/firefox-bin +Icon=/home/ducoterra/.icons/firefox.svg +Type=Application +Categories=Browser; +``` + +## Minecraft + +1. You can find extra java versions at /etc/alternatives +2. You need to `dnf install xrandr` to launch any modpacks +3. 
You can create a desktop icon by putting this at + ~/.local/share/applications/*.desktop: + +```conf +[Desktop Entry] +Type=Application +Version=1.0 +Name=Minecraft +Comment=Minecraft Launcher +Path=/home/ducoterra/Applications +Exec=minecraft-launcher +Icon=/home/ducoterra/Icons/minecraft-launcher.png +Terminal=false +Categories=Games; +``` + +## Sound Devices + +If you want to disable a specific device or tell Fedora not to use a specific device +as output or input (looking at you yeti microphone, you're not a speaker), you can +install pulse audio control for much more fine-tuned... control. + +Setting your speakers to analog output seems to work best for a USB dac if it has +a separate volume knob since this ties the volume knob on the dac to the internal +volume of your computer. + +Setting your mic to analog input works just fine on a yeti usb mic. + +```bash +sudo dnf install pavucontrol +``` + +## Install ffmpegthumbnailer, remove totem + +totem-thumbnailer crashes all the time and isn't as good as ffmpeg's thumbnailer. +What's more, totem video player ("Videos" by default on gnome) is not as good as vlc +and doesn't work very well for anything more than basic video playback. + +```bash +sudo dnf remove totem +sudo dnf install ffmpegthumbnailer +``` + +## Add compatibility for HEIC to mogrify + +```bash +sudo dnf install libheic-freeworld +```
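Review bot: The new table-of-contents entries carry a typo into a heading ("Flatpack" for Flatpak) and the `#backups-1` anchor shows a second "Backups" heading is being added to a file that already has one, which makes links fragile; rename the new section (for example "Desktop Backups"). Most of the added entries (Gnome Tweaks, Extensions, Discord, Minecraft, fingerprint and lid handling) are workstation topics, so consider moving them to a workstation doc rather than extending fedora-server.md.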
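Review bot: The expanded `dnf install` line adds `borgbackup`, but the backup procedure added later in this patch is built on `btrbk`, which is never installed anywhere; install `btrbk` here (or drop `borgbackup` if it is not used). Moving the tuned section after DNF is fine; for consistency with the surrounding commands `dnf install tuned` could take `-y` like the other install lines.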
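Review bot: `snapper -c boot create-config /boot` will fail unless /boot is a btrfs subvolume, and Fedora's default layout puts /boot on its own ext4 partition, so either document that assumption or drop the line. `semanage permissive -a snapperd_t` also switches the snapper daemon's SELinux domain to permissive permanently; the comment should say which denial this works around, or replace it with a targeted local policy module (audit2allow) so the domain stays enforcing.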
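Review bot: `tpm_luks_cryptenroll.service` in the TPM2 section puts the LUKS passphrase in clear text in the unit (`Environment=PASSWORD=`), and unit files under /etc/systemd/system are world-readable by default, so any local account can read the secret that unlocks the root volume; move it to a root-only `EnvironmentFile=` with mode 0600 (or a systemd credential), and note that the unit wipes and re-enrolls the TPM2 slot on every boot (`WantedBy=multi-user.target`), not "on login" as its Description says, and targets `/dev/nvme0n1p3` while the enrollment command above uses `/dev/nvme1n1p3`. Other points in this hunk: (1) "Firewall CMD" runs `systemctl start/enable/reload firewall-cmd`; the service is `firewalld` and a reload is `firewall-cmd --reload`, and `--set-default-zone=drop` on a remote server drops SSH with everything else while contradicting the `public` default set in "Set up firewall"; keep one section and add the ssh service to the zone before switching. (2) In "Create Encrypted Drive", `chmod 600` on the `.lukskeys` directory removes the execute bit so the key file inside cannot be opened, while the key written by `dd` keeps the default umask (usually 0644, world-readable); use 0700 on the directory and 0600 on the file, owned by root. The same block mixes `/dev/sdb1`, `/dev/sda` and `/dev/sda1`, names the mapping `btr_backup` in crypttab but opens `backup0` with a different key file, runs the `>> /etc/crypttab` and `>> /etc/fstab` redirections without root, and `btrfs sub create /mnt/btr_backup` creates a subvolume on the root filesystem rather than a mount point. (3) "Test, Start and Enable service" contains a stray fragment ("the available storage space on our NAS to the iSCSI target and the other half") pasted from elsewhere. (4) The fingerprint-reset script is Python but fenced as `bash`, and "Dual Boot with Fingerprint Scanner Issues", "AppImage Launcher" and "Firefox GPU Rendering" have empty lines where a source link was evidently meant to go. (5) `koji download-build` and the `wget` of `kojipkgs.../packages/.../noarch/` fetch unsigned build artifacts, and `gpgcheck=1` only covers repository packages (local RPMs are checked only with `localpkg_gpgcheck`); mention `koji download-build --key` for signed copies or verify the downloads before `dnf install ./*.rpm`. (6) "Make DNF Fast" appends with `tee -a` although the DNF section already wrote `fastestmirror=1`, so repeated runs duplicate keys. (7) Minor: "lunlock", "/etc/ukskeys", "donwloaded", "gnoem" are typos, `libheic-freeworld` is most likely `libheif-freeworld`, `/dev/zvol/tarta-zoot/swap-writeback` in the ZRAM config looks copied from the zram-generator.conf example and will not exist on this machine, and the lid-switch section restarts acpid without ever installing it.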