chart fixes and readme edits

FedoraServer.md

@@ -3,22 +3,151 @@
 Fedora server is an awesome container hosting OS. It has a lot built in, and setup is pretty
 quick.
 
-## Setup
+- [Fedora Server](#fedora-server)
+  - [Initialization](#initialization)
+  - [Disable swap](#disable-swap)
+  - [Enable ISCSI](#enable-iscsi)
+  - [Disable Firewalld](#disable-firewalld)
+  - [Set SELinux to Permissive](#set-selinux-to-permissive)
+  - [Install K3S](#install-k3s)
+    - [Database Backups](#database-backups)
+  - [Expanding Root Partition](#expanding-root-partition)
+  - [Optional Steps](#optional-steps)
+    - [Certbot for Cockpit](#certbot-for-cockpit)
+
+## Initialization
+
+1. `dnf install vim pwgen wireguard-tools`
+2. `hostnamectl hostname node1`
+3. Set a static IP through the web interface
+
+## Disable swap
+
+    ```bash
+    swapoff -a
+    dnf remove zram-generator-defaults
+    ```
+
+    mask <systemd-zram-setup@zram0.service>
+
+## Enable ISCSI
 
 ```bash
-scp .ssh/authorized_keys containers:~/.ssh/authorized_keys
+# Install the following system packages
+dnf install -y lsscsi iscsi-initiator-utils sg3_utils device-mapper-multipath
+
+# Enable multipathing
+mpathconf --enable --with_multipathd y
+
+# Ensure that iscsid and multipathd are running
+systemctl enable --now iscsid multipathd
+
+# Test that discovery works
+iscsiadm -m discovery -t st -p democratic-csi-server.reeselink.com
+# Remove them - democratic-csi will populate this
+rm -rf /var/lib/iscsi/nodes/
+
+# Start and enable iscsi
+systemctl enable --now iscsi
 ```
 
-```bash
-sudo hostnamectl hostname containers
-sudo dnf install vim
-sudo vim /etc/ssh/sshd_config
-sudo systemctl restart sshd
-```
+## Disable Firewalld
 
-## Certbot for Cockpit
+<https://docs.k3s.io/advanced#red-hat-enterprise-linux--centos--fedora>
 
-### AWS User
+Disable firewalld. You could add rules for each service but every time you open a port
+from a container you'd need to run a firewalld rule.
+
+You can disable firewalld from the web interface.
+
+## Set SELinux to Permissive
+
+K3S is more than capable of running with SELinux set to enforcing. We won't be doing
+that, however. We'll set it to permissive and you can reenable it once you've added all
+the rules you need to keep your services running.
+
+Set SELinux to permissive by editing `/etc/selinux/config`
+
+    SELINUX=permissive
+
+## Install K3S
+
+<https://docs.k3s.io/installation/requirements>
+
+We're going to be tweaking some installation parameters so if you already have k3s
+installed you can either uninstall it or skip these steps.
+
+This installation disables Traefik, local-storage, and Klipper. We'll replace them with
+our own components.
+
+1. Generate a secure token for each node to use when connecting
+
+    umask 077
+    echo -n $(pwgen 16 4) | sed 's/ /-/g' > token.txt
+
+2. Create the cluster
+
+    export SECRET=$(cat token.txt)
+
+    curl -sfL https://get.k3s.io | K3S_TOKEN=$SECRET sh -s - \
+        "--cluster-init" \
+        "--flannel-backend=wireguard-native" \
+        "--disable" \
+        "traefik" \
+        "--disable" \
+        "local-storage" \
+        "--disable" \
+        "coredns" \
+        "--disable" \
+        "servicelb" \
+        "--cluster-dns" \
+        "10.43.0.10"
+
+3. Join each server node
+
+    export SECRET=$(cat token.txt)
+
+    curl -sfL https://get.k3s.io | K3S_TOKEN=$SECRET sh -s - server \
+        --server https://node1.reeselink.com:6443 \
+        --flannel-backend=wireguard-native \
+        "--disable" \
+        "traefik" \
+        "--disable" \
+        "local-storage" \
+        "--disable" \
+        "coredns" \
+        "--disable" \
+        "servicelb" \
+        "--cluster-dns" \
+        "10.43.0.10"
+
+Now you can change the ownership of (and copy) the k3s.yaml file:
+
+    chown ducoterra /etc/rancher/k3s/k3s.yaml
+
+    scp /etc/rancher/k3s/k3s.yaml ~/.kube/config
+
+Edit ~/.kube/config and change 127.0.0.1 to containers.reeselink.com
+
+### Database Backups
+
+<https://docs.k3s.io/cli/etcd-snapshot>
+
+Note, you must backup `/var/lib/rancher/k3s/server/token`
+and use the contents as the token when restoring the backup as data is encrypted with that token.
+
+## Expanding Root Partition
+
+    lvextend -l +100%FREE fedora
+    xfs_growfs /dev/mapper/fedora-root
+
+## Optional Steps
+
+### Certbot for Cockpit
+
+During this process you'll pick one node to act as your manager for your other nodes.
+You'll only need to cert a single node and then it will connect via ssh over your local
+network to the other nodes.
 
 Create an AWS user which will have route53 access. This is required for certbot's route53
 validation.
@@ -90,24 +219,22 @@ vim ~/.aws/credentials
 
 ```conf
 [default]
-aws_access_key_id=
-aws_secret_access_key=
+aws_access_key_id=<key>
+aws_secret_access_key=<key>
 ```
 
-### Initial Setup
+Install the aws cli v2 on the manager node:
 
-1. Create a "containers" user in AWS. Copy the permissions from Freenas
-2. Create credentials
-3. Add your credentials to root
-4. Install the aws cli v2
+```bash
+curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+unzip awscliv2.zip
+sudo ./aws/install
+```
 
-    ```bash
-    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
-    unzip awscliv2.zip
-    sudo ./aws/install
-    ```
+Test your credentials with `aws route53 list-hosted-zones`. You should see as list of your
+hosted zones.
 
-5. Test your credentials with `aws route53 list-hosted-zones`
+Now install certbot and acquire a cert using those credentials:
 
 ```bash
 sudo dnf install certbot python3-certbot-dns-route53
@@ -119,7 +246,6 @@ sudo cp /etc/letsencrypt/live/containers.reeselink.com/privkey.pem /etc/cockpit/
 
 sudo cp /etc/letsencrypt/live/containers.reeseapps.com/fullchain.pem /etc/cockpit/ws-certs.d/60-letsencrypt.cert
 sudo cp /etc/letsencrypt/live/containers.reeseapps.com/privkey.pem /etc/cockpit/ws-certs.d/60-letsencrypt.key
-
 ```
 
 Test the renewal process with:
@@ -129,8 +255,6 @@ sudo certbot renew --cert-name containers.reeselink.com --dry-run
 sudo certbot renew --cert-name containers.reeseapps.com --dry-run
 ```
 
-### Renewal
-
 Create a renewal script in /usr/lib/scripts/certbot-renew.sh
 
 /usr/lib/scripts/certbot-renew.sh (chmod +x)
@@ -180,32 +304,4 @@ Enable the service
 systemctl enable --now certbot-renew.timer
 ```
 
-### Disable FirewallD
-
-Firewalld conflicts with k3s. Disable it from the UI.
-
-## Disable SELinux
-
-SELinux interferes with ISCSI mounts. Disable it by editing `/etc/selinux/config`
-
-```bash
-SELINUX=permissive
-```
-
-### Allow ISCSI
-
-```bash
-# Install the following system packages
-sudo dnf install -y lsscsi iscsi-initiator-utils sg3_utils device-mapper-multipath
-
-# Enable multipathing
-sudo mpathconf --enable --with_multipathd y
-
-# Ensure that iscsid and multipathd are running
-sudo systemctl enable iscsid multipathd
-sudo systemctl start iscsid multipathd
-
-# Start and enable iscsi
-sudo systemctl enable iscsi
-sudo systemctl start iscsi
-```
+Cockpit now has a valid TLS certificate that auto-renews!