add power profiles and koji to fedora server

2026-02-06 20:13:46 -05:00
parent 2559aebd5d
commit 3f2ac15591
1 changed files with 747 additions and 10 deletions
--- a/active/os_fedora/fedora-server.md
+++ b/active/os_fedora/fedora-server.md
@@ -2,9 +2,9 @@
 - [Fedora Server](#fedora-server)
  - [Installation](#installation)
  - [Power Profiles with Tuned](#power-profiles-with-tuned)
  - [Setup SSH](#setup-ssh)
  - [DNF](#dnf)
  - [Power Profiles with Tuned](#power-profiles-with-tuned)
  - [Fail2Ban](#fail2ban)
  - [BTRFS Parent Volumes](#btrfs-parent-volumes)
  - [BTRFS Snapshots](#btrfs-snapshots)
@@ -48,6 +48,42 @@
    - [Chroot into a mounted disk](#chroot-into-a-mounted-disk)
    - [Resize Last Partition to Fill Available Space](#resize-last-partition-to-fill-available-space)
    - [LUKS performance](#luks-performance)
  - [Set up firewall](#set-up-firewall)
  - [Dual Boot with Fingerprint Scanner Issues](#dual-boot-with-fingerprint-scanner-issues)
  - [Revert Kernel (if needed)](#revert-kernel-if-needed)
  - [Reverting linux-firmware](#reverting-linux-firmware)
  - [Make DNF Fast](#make-dnf-fast)
  - [Install Useful Packages](#install-useful-packages)
  - [Set Hostname](#set-hostname)
  - [Install updates](#install-updates)
  - [Extensions](#extensions)
  - [Gnome Tweaks](#gnome-tweaks)
  - [Flatpack](#flatpack)
  - [Snap](#snap)
  - [AppImage Launcher](#appimage-launcher)
  - [Backups](#backups-1)
    - [Create Encrypted Drive](#create-encrypted-drive)
    - [Backup Disks](#backup-disks)
      - [Disk Health](#disk-health)
    - [Create BTRBK Config](#create-btrbk-config)
    - [Create Systemd Timer](#create-systemd-timer)
    - [Test, Start and Enable service](#test-start-and-enable-service)
    - [Restore](#restore)
  - [Firewall CMD](#firewall-cmd)
  - [Bluetooth](#bluetooth)
    - [Airpods](#airpods)
  - [ZRAM](#zram)
  - [Automatic Disk Decryption with TPM2](#automatic-disk-decryption-with-tpm2)
  - [Firefox GPU Rendering](#firefox-gpu-rendering)
  - [Gnome Software Updates (packagekitd and software)](#gnome-software-updates-packagekitd-and-software)
  - [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed)
  - [Power Button Behavior](#power-button-behavior)
  - [Discord](#discord)
    - [Discord sharing not working](#discord-sharing-not-working)
  - [Minecraft](#minecraft)
  - [Sound Devices](#sound-devices)
  - [Install ffmpegthumbnailer, remove totem](#install-ffmpegthumbnailer-remove-totem)
  - [Add compatibility for HEIC to mogrify](#add-compatibility-for-heic-to-mogrify)
 <https://docs.fedoraproject.org/en-US/fedora-server/installation/postinstallation-tasks/#_manage_system_updates>
@@ -75,12 +111,6 @@ and the operator will store information about each server.
 5. Take note of the ipv4 and ipv6 address. Update any DNS records at this time.
 6. Install and reboot
 ## Power Profiles with Tuned
 1. `dnf install tuned`
 2. `systemctl enable --now tuned`
 3. `tuned-adm profile virtual-host`
 ## Setup SSH
 See [README](/README.md#ssh-setup)
@@ -94,9 +124,15 @@ echo 'fastestmirror=1' >> /etc/dnf/dnf.conf
 dnf clean all
 dnf update --refresh -y
 # libdnf5 is required for ansible to work
-dnf install -y glances tmux vim python3-libdnf5
+dnf install -y git glances tmux vim python3-libdnf5 borgbackup tpm2-tools
 ```
 ## Power Profiles with Tuned
 1. `dnf install tuned`
 2. `systemctl enable --now tuned`
 3. `tuned-adm profile virtual-host`
 ## Fail2Ban
 On the server:
@@ -167,15 +203,16 @@ mount -a --mkdir
 We'll be using snapper, a tool for automating and controlling snapshot behavior.
 ```bash
-dnf install snapper dnf-plugin-snapper
+dnf install -y snapper dnf-plugin-snapper
 # Allow selinux management
 semanage permissive -a snapperd_t
 # Note, if you mess something up you can run snapper -c root delete-config to delete
 # System configs are stored in /etc/sysconfig/snapper as well as /etc/snapper
 snapper -c boot create-config /boot
 snapper -c root create-config /
-snapper -c data create-config /path/to/other/data
+snapper -c home create-config /home
 # Enable automatic snapshots
 systemctl enable --now snapper-timeline.timer
@@ -747,3 +784,703 @@ Which will tell you how fast you can theoretically write/read to encrypted drive
 The default encryption used by most modern operating systems is AES-XTS.
 You can see your system's cipher and key with `cryptsetup luksDump /dev/nvme0n1p1  | grep -i cipher`
 ## Set up firewall
 sudo vim /etc/firewalld/firewalld.conf
 ```conf
 LogDenied=all
 ```
 ```bash
 # Restart and reload the firewalld service
 sudo systemctl restart firewalld.service
 # List all available firewalld zones and what they do
 sudo firewall-cmd --list-all-zones
 # Set the default firewall zone to public
 sudo firewall-cmd --set-default-zone public
 # Open a port temporarily
 sudo firewall-cmd --add-port=25565/tcp
 ```
 Monitor blocked traffic
 ```bash
 sudo journalctl -f | grep -i REJECT
 sudo journalctl -f | grep -i DROP
 ```
 ## Dual Boot with Fingerprint Scanner Issues
 <https://commuity.frame.work/t/fingerprint-scanner-compatibility-with-linux-ubuntu-fedora-etc/1501/206>
 The script below will clear the existing fingerprints from the internal
 storage.
 ```bash
 #! /usr/bin/python3
 import gi
 gi.require_version('FPrint', '2.0')
 from gi.repository import FPrint
 ctx = FPrint.Context()
 for dev in ctx.get_devices():
    print(dev)
    print(dev.get_driver())
    print(dev.props.device_id);
    dev.open_sync()
    dev.clear_storage_sync()
    print("All prints deleted.")
    dev.close_sync()
 ```
 ## Revert Kernel (if needed)
 With koji
 ```bash
 # Install koji (if you don't have it)
 sudo dnf install -y koji
 # Search for the desired kernel version
 koji search build kernel-6.18.3*
 # Create a temporary directory to store the donwloaded kernel packages
 sudo -i
 mkdir /root/kernel-download-6.18.3
 cd /root/kernel-download-6.18.3
 # Download the kernel packages
 koji download-build --arch=x86_64 kernel-6.18.3-200.fc43
 rm -f *debug*.rpm
 rm -f *uki*.rpm
 # Install all downloaded rpms
 dnf install ./*.rpm
 reboot
 ```
 If you need to revert to previously installed kernels:
 ```bash
 # Find the kernels you have installed
 rpm -qa kernel
 # List available kernels
 ls /boot | grep vmlinuz
 # Revert to a previous kernel
 grubby --set-default /boot/vmlinuz-6.18.3...
 ```
 This might throw errors when updating to newer kernels (file not found)
 To restore back to the original kernel:
 ```bash
 # If this directory exists, it's the problem
 ls -d "/boot/efi/$(cat /etc/machine-id)"
 # Move that directory out of the way
 mv "/boot/efi/$(cat /etc/machine-id)" "/boot/efi/$(cat /etc/machine-id)_disabled"
 # Reinstall the new kernel
 dnf reinstall 'kernel*-0:6.18.8*'
 ```
 ## Reverting linux-firmware
 ```bash
 sudo -i
 mkdir -p /root/linux-firmware-downgrade
 cd /root/linux-firmware-downgrade
 wget -r -np -nd -A '*.rpm' https://kojipkgs.fedoraproject.org/packages/linux-firmware/20251111/1.fc43/noarch/
 dnf install ./*.rpm
 dracut -f --kver 6.18.3...
 reboot
 ```
 ## Make DNF Fast
 ```bash
 echo 'fastestmirror=1' | sudo tee -a /etc/dnf/dnf.conf
 echo 'max_parallel_downloads=10' | sudo tee -a /etc/dnf/dnf.conf
 echo 'deltarpm=true' | sudo tee -a /etc/dnf/dnf.conf
 ```
 /etc/dnf/dnf.conf
 ```conf
 [main]
 gpgcheck=1
 installonly_limit=3
 clean_requirements_on_remove=True
 best=False
 skip_if_unavailable=True
 fastestmirror=1
 max_parallel_downloads=10
 deltarpm=true
 ```
 ## Install Useful Packages
 ```bash
 sudo dnf install vim
 ```
 ## Set Hostname
 ```bash
 hostnamectl set-hostname ducolaptop
 ```
 ## Install updates
 ```bash
 sudo dnf upgrade --refresh
 sudo dnf check
 sudo dnf autoremove
 sudo fwupdmgr get-devices
 sudo fwupdmgr refresh --force
 sudo fwupdmgr get-updates
 sudo fwupdmgr update
 sudo reboot now
 ```
 ## Extensions
 ```bash
 sudo dnf install -y gnome-extensions-app gnome-tweaks
 sudo dnf install -y gnome-shell-extension-appindicator
 ```
 1. Another Window Session Manager by 5q0Fw
    Restores windows on shutdown/reboot. Can be configured to automatically
    save the last state before restart. Pair this with "restore session" in
    firefox/chrome and you've got yourself a really good mac hibernate
    equivalent.
 2. Dash to Dock by michele_g
    Make the dock behave like macos. Hide when it would cover a window. Show
    when the mouse hovers over the bottom of the screen. Add some sane default
    shortcuts. Etc.
 3. Tactile by lundal
    Power-user tiling! Behaves like Windows Power Toys FancyZones.
 4. Vitals by corecoding
    Adds quick-glance stats about your system to the menu bar. Use to monitor
    CPU usage, memory availability, network speed, battery wattage, etc.
 ## Gnome Tweaks
 1. Fonts -> Monospace Text -> Fira Code Regular
 2. Keyboard & Mouse -> Acceleration Profile -> Flat
 3. Keyboard & Mouse -> Mouse Click Emulation -> Fingers
 4. Top Bar -> Activities Overview Hot Corner -> Off
 5. Top Bar -> Battery Percentage -> On
 6. Top Bar -> Clock -> Weekday -> On
 7. Top Bar -> Clock -> Seconds -> On
 8. Windows -> Center New Windows -> On
 ## Flatpack
 ```bash
 flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
 flatpak update
 ```
 ## Snap
 ```bash
 sudo dnf install -y snapd
 sudo ln -s /var/lib/snapd/snap /snap # for classic snap support
 ln -s /var/lib/snapd/desktop/applications ~/.local/share/applications/snap # make apps show up in gnome
 sudo reboot now
 ```
 ## AppImage Launcher
 Download RPM from
 <https://github.com/TheAssassin/AppImageLauncher/releases/tag/v2.2.0>
 ## Backups
 ### Create Encrypted Drive
 ```bash
 # Create an encrypted drive
 sudo cryptsetup luksFormat /dev/sdb1
 # LUKS Disk Encryption can use up to 8 key slots to store passwords. We can use these keys to auto mount LUKS device.
 # cryptsetup luksDump /dev/sda
 # Create a lukskeys
 mkdir -p /home/ducoterra/.lukskeys
 # Generate key
 dd if=/dev/random bs=32 count=1 of=/home/ducoterra/.lukskeys/btr_backup
 # Change key mode
 chmod 600 /home/ducoterra/.lukskeys
 # Luks add a key
 sudo cryptsetup luksAddKey /dev/sda /home/ducoterra/.lukskeys/btr_backup
 # Get UUID of disk with
 sudo blkid /dev/sda1
 # Add key to crypttab
 echo 'btr_backup UUID=1d7ce570-e695-47a0-9dda-5f14b5b20e21 /home/ducoterra/.lukskeys/btr_backup luks' >> /etc/crypttab
 # Create read-only backup mount point
 sudo btrfs sub create /mnt/btr_backup
 sudo btrfs property set /mnt/btr_backup ro true
 # Add to fstab
 echo '/dev/mapper/btr_backup /mnt/btr_backup btrfs x-systemd.device-timeout=0,x-gvfs-show,x-gvfs-name=btr_backup,ssd,nofail,noatime,discard=async,compress=zstd 0 0' >> /etc/fstab
 # mount
 sudo cryptsetup luksOpen /dev/disk/by-uuid/1d7ce570-e695-47a0-9dda-5f14b5b20e21 backup0 --key-file=/home/ducoterra/.lukskeys/backup0
 # close (or fix issues)
 sudo cryptsetup luksClose backup0
 ```
 ### Backup Disks
 Backup disks will respect the following naming convention:
 brand_size_purpose_year_month
 So for a backup drive you would create:
 `wd_4tb_backup_2023_01`
 Or for an archive drive:
 `samsung_1tb_archive_2023_01`
 #### Disk Health
 `smartctl -a /dev/sda`
 ### Create BTRBK Config
 `sudo vim /etc/btrbk/btrbk.conf`
 ```conf
 snapshot_create         ondemand
 snapshot_preserve_min   2d
 snapshot_preserve       14d
 snapshot_dir snapshots
 target_preserve_min     no
 target_preserve         20d 10w *m
 volume /mnt/btr_pool
    target       /mnt/btr_backup
    subvolume    root
    subvolume    home
 ```
 ### Create Systemd Timer
 `sudo vim /etc/systemd/system/btrbk.service`
 ```conf
 [Unit]
 Description=Runs btrbk with config file at /etc/btrbk/btrbk.conf
 [Service]
 ExecStart=btrbk -c /etc/btrbk/btrbk.conf -v run
 ```
 `sudo vim /etc/systemd/system/btrbk.timer`
 ```conf
 [Unit]
 Description=Run btrbk every hour
 [Timer]
 OnCalendar=hourly
 AccuracySec=10min
 Persistent=true
 Unit=btrbk.service
 [Install]
 WantedBy=timers.target
 ```
 ### Test, Start and Enable service
 Test your service:the available storage space on our NAS to the iSCSI target
 and the other half
 ```bash
 sudo btrbk -c /etc/btrbk/btrbk.conf -v run
 ```
 Enable your service:
 ```bash
 sudo systemctl start btrbk.timer
 sudo systemctl enable btrbk.timer
 ```
 ### Restore
 In the event you need to restore your system from a disaster do the following:
 1. Reinstall fedora via a live image
 2. After install, disk should be mounted at /mnt/sysimage
 3. Copy the new fstab and crypttab to somewhere safe
 4. rsync -av [etc, home, opt, root, usr, var]
 5. `mount /dev/Y /mnt/sysimage/boot`
 6. `mount /dev/Z /mnt/sysimage/boot/efi`
 7. `mount --bind /dev /mnt/sysimage/dev`
 8. `mount --bind /proc /mnt/sysimage/proc`
 9. `mount --bind /sys /mnt/sysimage/sys`
 10. `chroot /mnt/sysimage`
 11. Edit fstab and crypttab so they match the new partitions
 12. Update /etc/default/grub to match the new luks uuid
 13. grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
 14. reboot
 ## Firewall CMD
 1. Enable firewall
    ```bash
    systemctl start firewall-cmd
    systemctl enable firewall-cmd
    ```
 2. Set default behavior to drop everything
    ```bash
    firewall-cmd --set-default-zone=drop
    systemctl reload firewall-cmd
    ```
 ## Bluetooth
 ### Airpods
 Edit: /etc/bluetooth/main.conf Set ControllerMode = bredr
 1. restart bluetooth service
 2. connect airpods
 3. comment line out
 4. restart bluetooth service again
 ## ZRAM
 Edit /etc/systemd/zram-generator.conf
 ```conf
 [zram0]
 zram-size = min(ram / 2, 16384)
 compression-algorithm = lzo-rle
 options =
 writeback-device = /dev/zvol/tarta-zoot/swap-writeback
 ```
 ## Automatic Disk Decryption with TPM2
 It's a friendlier experience to just encrypt your root partition with tpm and
 lunlock your remaining drives with key files stored at /etc/ukskeys. This way
 you only need to reregister one key with your tpm and the remaining drives will
 be unlocked automatically.
 Add your luks keys to the tpm module and set up boot parameters:
 ```bash
 # Enroll for the first time
 sudo -E systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+4+7 /dev/nvme1n1p3
 # Add tpm2 configuration option to /etc/crypttab
 # You can get the uuid with lsblk and blkid
 luks-d9828faa-2b8c-4184-9e74-9054ae328c6d UUID=d9828faa-2b8c-4184-9e74-9054ae328c6d none tpm2-device=auto,discard
 # Add rd.luks.options=tpm2-device=auto to grub
 sudo grubby --args="rd.luks.options=tpm2-device=auto" --update-kernel=ALL
 # Regenerate the boot parameters
 sudo dracut -f
 ```
 We can configure our system to automatically reenroll the tpm device on boot so
 you only need to enter your password on kernel updates.
 ```bash
 # Create a new random password for your disk
 sudo cryptsetup luksAddKey /dev/nvme0n1p3
 ```
 /etc/systemd/system/tpm_luks_cryptenroll.service
 ```conf
 [Unit]
 Description=Automatically runs systemd-cryptenroll on login
 [Service]
 Type=oneshot
 ExecStart=/usr/bin/systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+4+7 --wipe-slot=tpm2 /dev/nvme0n1p3
 # new random password you just created
 Environment=PASSWORD=
 [Install]
 WantedBy=multi-user.target
 ```
 ```bash
 # Now enable the service
 sudo systemctl enable tpm_luks_cryptenroll.service
 ```
 ## Firefox GPU Rendering
 <https://community.frame.work/t/linux-battery-life-tuning/6665>
 ```bash
 dnf install intel-media-driver intel-gpu-tools
 ```
 Type in about:config in the address bar and hit enter.
 Set media.rdd-ffmpeg.enabled, media.ffmpeg.vaapi.enabled and
 media.navigator.mediadatadecoder_vpx_enabled to true.
 Close and reopen your browser
 Run the command sudo intel_gpu_top, play a 4k video and check whether the Video
 section is above 0.00%
 ## Gnome Software Updates (packagekitd and software)
 To prevent Gnome Shell from starting Software open Settings->Search and disable
 Software from there.
 Disable auto-updates
 ```bash
 sudo systemctl disable packagekit
 sudo systemctl stop packagekit
 dconf write /org/gnome/software/allow-updates false
 dconf write /org/gnome/software/download-updates false
 ```
 ## Turn Off Fingerprint When Laptop Lid Closed
 To disable fingerprint authentication when the laptop lid is closed, and
 re-enable when it is reopened, we will use acpid to bind to the button/lid.*
 event to a custom script that will stop and mask the fprintd service on lid
 close, and unmask and start the fprintd service on lid open.
 We also check that the HDMI cable is connected by testing the contents of
 /sys/class/drm/card0-HDMI-A-1/status.
 Follow the steps below:
 1. Create a .locks file in your home dir: `mkdir ~/.locks`
 2. Create file /etc/acpi/laptop-lid.sh with the following contents:
    ```bash
    #!/bin/bash
    lock=/home/ducoterra/.locks/fprint-disabled.lock
    if grep -Fq closed /proc/acpi/button/lid/LID0/state # &&
        # This is used to detect if a display is connected.
        # For USB C displayport use: 
        # grep -Fxq connected /sys/class/drm/card1-DP-2/status
        # For hdmi use:
        # grep -Fxq connected /sys/class/drm/card0-HDMI-A-1/status
    then
        touch "$lock"
        systemctl stop fprintd
        systemctl mask fprintd
    elif [ -f "$lock" ]
    then
        systemctl unmask fprintd
        systemctl start fprintd
        rm -f "$lock"
    fi
    ```
 3. Make the file executable with
    `chmod +x /etc/acpi/laptop-lid.sh`
 4. Create file /etc/acpi/events/laptop-lid with the following contents:
    ```bash
    event=button/lid.*
    action=/etc/acpi/laptop-lid.sh
    ```
 5. Restart the acpid service with:
    `sudo service acpid restart`
 Now the fingerprint will be used only when the lid is open.
 In order to restore the correct state of the fprintd service if you
 disconnect/reconnect while the laptop is off, you may call the above script
 from a systemd init file. The steps to do this are the following:
 1. Create a file named /etc/systemd/system/laptop-lid.service with the
   following contents:
    ```bash
    [Unit]
    Description=Laptop Lid
    After=suspend.target
    [Service]
    ExecStart=/etc/acpi/laptop-lid.sh
    [Install]
    WantedBy=multi-user.target
    WantedBy=suspend.target
    ```
 2. Reload the systemd config files with
    `sudo systemctl daemon-reload`
 3. Start the service with
    `sudo systemctl start laptop-lid.service`
 4. Enable the service so that it starts automatically on boot
    `sudo systemctl enable laptop-lid.service`
 Now the status should be correct even after connecting/disconnecting when the
 computer is off.
 ## Power Button Behavior
 The power button is controlled from 2 locations:
 1. DCONF (or gnoem settings) at `gnome.settings-daemon.plugins.power`
 2. ACPI at /etc/acpi/events/powerconf
 The powerconf acpi configuration will execute at the same time the gnome settings do.
 This can lead to situations where the gnome settings say "suspend" but the acpi settings
 say "shutdown". On waking up your laptop it will immediately shutdown.
 The solution is to comment out everything in /etc/acpi/events/powerconf and rely on the
 gnome settings **OR** set the gnome settings to "nothing" and edit
 `/etc/acpi/actions/power.sh` with the behavior you expect. Either way you should pick
 one to control power button behavior.
 ## Discord
 vim ~/.local/share/applications/Discord.desktop
 ```conf
 [Desktop Entry]
 Encoding=UTF-8
 Name=Discord
 Exec=/home/ducoterra/Applications/Discord/Discord
 Icon=/home/ducoterra/Applications/Discord/discord.png
 Type=Application
 Categories=Communication;
 ```
 ### Discord sharing not working
 THIS IS PROBABLY A PER-APP THING
 Likely the thing you're trying to share doesn't work, it's not wayland's fault.
 If you're trying to share firefox - download the firefox binary and dnf
 uninstall the other one. For whatever reason the preinstalled binary doesn't
 like screen share. You can use the following:
 ~/.local/share/applications/firefox.desktop
 ```conf
 [Desktop Entry]
 Encoding=UTF-8
 Name=Firefox
 Exec=/home/ducoterra/Applications/firefox/firefox-bin
 Icon=/home/ducoterra/.icons/firefox.svg
 Type=Application
 Categories=Browser;
 ```
 ## Minecraft
 1. You can find extra java versions at /etc/alternatives
 2. You need to `dnf install xrandr` to launch any modpacks
 3. You can create a desktop icon by putting this at
   ~/.local/share/applications/*.desktop:
 ```conf
 [Desktop Entry]
 Type=Application
 Version=1.0
 Name=Minecraft
 Comment=Minecraft Launcher
 Path=/home/ducoterra/Applications
 Exec=minecraft-launcher
 Icon=/home/ducoterra/Icons/minecraft-launcher.png
 Terminal=false
 Categories=Games;
 ```
 ## Sound Devices
 If you want to disable a specific device or tell Fedora not to use a specific device
 as output or input (looking at you yeti microphone, you're not a speaker), you can
 install pulse audio control for much more fine-tuned... control.
 Setting your speakers to analog output seems to work best for a USB dac if it has
 a separate volume knob since this ties the volume knob on the dac to the internal
 volume of your computer.
 Setting your mic to analog input works just fine on a yeti usb mic.
 ```bash
 sudo dnf install pavucontrol
 ```
 ## Install ffmpegthumbnailer, remove totem
 totem-thumbnailer crashes all the time and isn't as good as ffmpeg's thumbnailer.
 What's more, totem video player ("Videos" by default on gnome) is not as good as vlc
 and doesn't work very well for anything more than basic video playback.
 ```bash
 sudo dnf remove totem
 sudo dnf install ffmpegthumbnailer
 ```
 ## Add compatibility for HEIC to mogrify
 ```bash
 sudo dnf install libheic-freeworld
 ```