From cb66fb6195ffa848dbd1eddee68d11937a352c9a Mon Sep 17 00:00:00 2001
From: ducoterra
Date: Tue, 14 Oct 2025 12:32:57 -0400
Subject: [PATCH] fedora snapper, tuned, and selinux policies

---
 active/os_fedora/fedora-server.md | 94 ++++++++++++++++--
 active/os_fedora/fedora-software.md | 70 ++++++++++++-
 active/os_fedora/fedora-workstation.md | 22 +++-
 active/os_fedora/selinux.md | 9 ++
 .../selinux_policies/my-rpcvirtstorage.pp | Bin 0 -> 1407 bytes
 .../selinux_policies/my-rpcvirtstorage.te | 16 +++
 6 files changed, 199 insertions(+), 12 deletions(-)
 create mode 100644 active/os_fedora/selinux.md
 create mode 100644 active/os_fedora/selinux_policies/my-rpcvirtstorage.pp
 create mode 100644 active/os_fedora/selinux_policies/my-rpcvirtstorage.te

diff --git a/active/os_fedora/fedora-server.md b/active/os_fedora/fedora-server.md
index dd5e493..4063133 100644
--- a/active/os_fedora/fedora-server.md
+++ b/active/os_fedora/fedora-server.md
@@ -2,23 +2,28 @@ - [Fedora Server](#fedora-server) - [Installation](#installation) + - [Power Profiles with Tuned](#power-profiles-with-tuned) - [Setup SSH](#setup-ssh) - [DNF](#dnf) - [Fail2Ban](#fail2ban) - [BTRFS Parent Volumes](#btrfs-parent-volumes) - [BTRFS Snapshots](#btrfs-snapshots) + - [Snapper Installation](#snapper-installation) + - [Snapper Cleanup](#snapper-cleanup) - [BTRFS Maintenance](#btrfs-maintenance) - [TPM2 Luks Decryption](#tpm2-luks-decryption) - [Change your password](#change-your-password) - [Automatic Updates](#automatic-updates) - [Monitoring](#monitoring) + - [Glances](#glances) - [Disk Usage](#disk-usage) - [Disk Wear](#disk-wear) - [Common Storage Mounts](#common-storage-mounts) - [Network Bridge](#network-bridge) - [Virtualization](#virtualization) - - [Troubleshooting](#troubleshooting) + - [Virtualization Troubleshooting](#virtualization-troubleshooting) - [QEMU Images](#qemu-images) + - [Shared directory with VM Guest](#shared-directory-with-vm-guest) - [Firewalld](#firewalld) - [Backups](#backups) - [Connect to the ISCSI Backup Target](#connect-to-the-iscsi-backup-target) @@ -28,6 +33,7 @@ - [Troubleshooting Backup ISCSI Connection](#troubleshooting-backup-iscsi-connection) - [Quick Backup](#quick-backup) - [Regular Backups with Borg](#regular-backups-with-borg) + - [Version Upgrades](#version-upgrades) - [Optional Steps](#optional-steps) - [Disable Swap](#disable-swap) - [Disable Selinux](#disable-selinux) @@ -37,7 +43,7 @@ - [LVM Thin Provisioning](#lvm-thin-provisioning) - [Set eui64 on network interface](#set-eui64-on-network-interface) - [Install and Enable Cockpit](#install-and-enable-cockpit) - - [Troubleshooting](#troubleshooting-1) + - [Troubleshooting](#troubleshooting) - [Cockpit Terminal Unusable or Weird Colors](#cockpit-terminal-unusable-or-weird-colors) - [Chroot into a mounted disk](#chroot-into-a-mounted-disk) - [Resize Last Partition to Fill Available Space](#resize-last-partition-to-fill-available-space) 
@@ -69,6 +75,12 @@ and the operator will store information about each server. 5. Take note of the ipv4 and ipv6 address. Update any DNS records at this time. 6. Install and reboot +## Power Profiles with Tuned + +1. `dnf install tuned` +2. `systemctl enable --now tuned` +3. `tuned-adm profile virtual-host` + ## Setup SSH See [README](/README.md#ssh-setup) @@ -150,6 +162,8 @@ mount -a --mkdir +### Snapper Installation + We'll be using snapper, a tool for automating and controlling snapshot behavior. ```bash @@ -169,13 +183,19 @@ systemctl enable --now snapper-timeline.timer systemctl enable --now snapper-cleanup.timer # Enable snapshots on boot systemctl enable --now snapper-boot.timer +``` +### Snapper Cleanup + +```bash # List snapshots snapper -c root list # Create snapshot manually snapper -c root create --description "test snapshot" # Delete first snapshot snapper -c root delete 1 +# Delete snapshots between 655-857 +snapper -c root delete 655-857 ``` Note - you probably don't want to keep yearly snapshots. @@ -184,8 +204,14 @@ Edit `/etc/snapper/configs/root` and change `TIMELINE_LIMIT_YEARLY=` to `0`. ## BTRFS Maintenance ```bash -# Start a scrub in the foreground (-B) at / -btrfs scrub start -B / +# Start a scrub with low impact/priority at / (good for servers) +btrfs scrub start -c idle / + +# Start a scrub in the foreground and monitor +btrfs scrub start -c idle -B -d / + +# Check for errors +dmesg -T | grep btrfs ``` ## TPM2 Luks Decryption 
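Review bot: The new `# Check for errors` step in the BTRFS Maintenance block relies on `dmesg -T | grep btrfs`, which loses entries once the kernel ring buffer rotates and does not tell the reader whether the scrub actually finished or how many errors it corrected. The scrub's own summary is the authoritative place for that, so I would add `btrfs scrub status /` under that comment and keep the dmesg line as a secondary check. The `-c idle` flag only changes the scrub's I/O priority class, which is worth saying outright: `# -c idle: run the scrub at idle I/O priority so it does not compete with guests`.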
@@ -278,9 +304,30 @@ In Cockpit navigate to software updates -> automatic updates -> install -> secur In Cockpit: Overview -> View metrics and history -> Install PCP Support -> Metrics settings -> Turn on Collect Metrics +### Glances + +```bash +dnf install -y glances python3-jinja2 +systemctl enable --now glances +firewall-cmd --permanent --zone=FedoraServer --add-port=61208/tcp +firewall-cmd --reload +``` + ### Disk Usage -TODO +```bash +# Show size of folder exclude snapshots +du --exclude .snapshots -sh . + +# Show size of all files in your current dir +for folder in $(ls); do du --exclude .snapshots -sh $folder; done + +# Calculate all folder sizes in current dir +alias {dudir,dud}='du -h --max-depth 1 | sort -h' + +# Calculate all file sizes in current dir +alias {dufile,duf}='ls -lhSr' +``` ### Disk Wear @@ -343,7 +390,7 @@ systemctl enable --now libvirtd Install the cockpit machines application. -### Troubleshooting +### Virtualization Troubleshooting ```bash # Oops, I did this after I installed virtualization @@ -369,6 +416,12 @@ qemu-img convert -f vmdk -O raw in.vmdk out.img qemu-img convert -f qcow2 -O raw in.raw out.img ``` +### Shared directory with VM Guest + +```bash +mount -t virtiofs [mount tag] [mount point] +``` + ## Firewalld Set the default firewalld zone to `public` @@ -381,6 +434,8 @@ Set the default firewalld zone to `public` Firewalld will be on and blocking by default. You can check the zone and allowed ports with: ```bash +firewall-cmd --get-active-zones +firewall-cmd --get-default-zone firewall-cmd --zone=public --list-ports firewall-cmd --zone=public --list-services ``` 
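Review bot: The Glances block opens 61208/tcp on the `FedoraServer` zone, and Glances' web interface serves process lists, mounts and network state without authentication by default, so every host reachable on that zone gets that view. If the `glances` unit really starts the web server, either set a password (`glances -w --password` prompts for one and persists it) or restrict the port to a trusted source with a rich rule instead of opening it zone-wide, and say which in a comment above the `firewall-cmd` line. Separately, `for folder in $(ls)` in the Disk Usage block word-splits on spaces and expands glob characters in file names; `for folder in ./*; do du --exclude .snapshots -sh "$folder"; done` (or simply `du -sh --exclude .snapshots -- *`) avoids that.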
@@ -392,6 +447,21 @@ firewall-cmd --permanent --zone=public --add-port=9090/tcp firewall-cmd --reload ``` +Remove cockpit with + +```bash +firewall-cmd --permanent --zone=public --remove-port=9090/tcp +``` + +Add a custom source for a service + +```bash +sudo firewall-cmd --new-zone=home --permanent +sudo firewall-cmd --zone=home --add-source=10.2.0.0/24 --permanent +sudo firewall-cmd --zone=home --add-port=10700/tcp --permanent +sudo firewall-cmd --reload +``` + ## Backups Note: this assumes you've set up [an iscsi backup disk](/active/os_truenas/truenas.md#iscsi-backup-volumes) @@ -483,6 +553,18 @@ rsync -av --progress --exclude '.snapshots' /btrfs/yellow/root /btrfs/backup-yel See [borg.md](/active/systemd_borg/borg.md) +## Version Upgrades + +```bash +# Make sure to be fully up to date first +dnf upgrade --refresh +reboot + +# Set the releasever to the version you want to upgrade to +dnf system-upgrade download --releasever=42 +dnf system-upgrade reboot +``` + ## Optional Steps ### Disable Swap diff --git a/active/os_fedora/fedora-software.md b/active/os_fedora/fedora-software.md index b142557..8192d86 100644 --- a/active/os_fedora/fedora-software.md +++ b/active/os_fedora/fedora-software.md @@ -56,6 +56,10 @@ - [Pipenv](#pipenv) - [Docker](#docker) - [Boxes](#boxes) + - [ffmpeg](#ffmpeg) + - [AMD GPU VAAPI ffmpeg Acceleration](#amd-gpu-vaapi-ffmpeg-acceleration) + - [Containers](#containers) + - [XSane](#xsane) Flatpak installs are from Flathub unless otherwise noted. @@ -87,8 +91,6 @@ sudo dnf install \ ansible \ # Terminal multiplexer. tmux \ - # Multimedia player with support for a wide range of codecs and file formats. - ffmpeg \ # Microsoft Windows compatibility layer. wine \ # Archive utility similar to GNU tar, used to package files into single archive files. 
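Review bot: In the "Add a custom source for a service" block, binding `10.2.0.0/24` to the new `home` zone means every packet from that subnet is evaluated against `home` instead of `public`, and `home` only allows 10700/tcp, so with the zone's default (reject) target SSH and the cockpit port 9090 opened earlier in this file stop working for hosts on that subnet. Either add what the subnet still needs (`sudo firewall-cmd --zone=home --add-service=ssh --permanent`, plus 9090/tcp if Cockpit is used from there) or set an explicit target on the zone. A one-line note above the block, `# Source-bound zones take precedence over the interface zone: anything not listed here is rejected for 10.2.0.0/24`, would save the next reader the lockout.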
@@ -112,7 +114,7 @@ sudo dnf install \ # Document conversion tool and markup language converter. pandoc \ # Comprehensive LaTeX distribution for high-quality typesetting of documents. - texlive-latex \ + texlive-latex texlive-scheme-full \ # Generate strong passwords. pwgen \ # Reattach to running processes @@ -207,6 +209,10 @@ flatpak install com.bitwarden.desktop Video player (like VLC but can frame-by-frame in reverse). ```bash +# DNF +dnf install mpv + +# Flatpak flatpak install io.mpv.Mpv ``` 
@@ -643,3 +649,61 @@ Virtualization at its boxiest. ```bash flatpak install org.gnome.Boxes ``` + +## ffmpeg + +- 1080p h264 at 10M is good quality + +### AMD GPU VAAPI ffmpeg Acceleration + +1. Enable [RPM Fusion](https://docs.fedoraproject.org/en-US/quick-docs/rpmfusion-setup/) +2. Install [ffmpeg non-free](https://rpmfusion.org/Howto/Multimedia) + +```bash +# Enable RPM Fusion +sudo dnf install \ + https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm +sudo dnf install \ + https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm + +# Install ffmpeg non-free +sudo dnf swap ffmpeg-free ffmpeg --allowerasing +sudo dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin +sudo dnf swap mesa-va-drivers mesa-va-drivers-freeworld +sudo dnf swap mesa-vdpau-drivers mesa-vdpau-drivers-freeworld +sudo dnf swap mesa-va-drivers.i686 mesa-va-drivers-freeworld.i686 +sudo dnf swap mesa-vdpau-drivers.i686 mesa-vdpau-drivers-freeworld.i686 +``` + +ffmpeg with vaapi + +```bash +ffmpeg \ +-hwaccel vaapi \ +-hwaccel_output_format vaapi \ +-i VID_20250804_120159.mp4 \ +-vf 'format=nv12,hwupload' \ +-vf scale_vaapi=1080:1920 \ +-c:v h264_vaapi \ +-c:a copy \ +-qp 18 \ +VID_20250804_120159_1.mp4 +``` + +## Containers + +In order to enter a shell with systemd-user access via `machinectl`, install systemd-container + +```bash +dnf install -y systemd-container +``` + +Then you can run `machinectl shell myuser@` to enter a shell which can execute `systemctl --user` commands. + +## XSane + +Scan stuff + +```bash +dnf install xsane +``` diff --git a/active/os_fedora/fedora-workstation.md b/active/os_fedora/fedora-workstation.md index 2d0103e..cffd70c 100644 --- a/active/os_fedora/fedora-workstation.md +++ b/active/os_fedora/fedora-workstation.md 
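Review bot: The `ffmpeg with vaapi` example passes `-vf` twice; ffmpeg keeps only the last one, so `-vf 'format=nv12,hwupload'` is silently dropped (ffmpeg prints a "Multiple -filter options specified" warning). Because `-hwaccel_output_format vaapi` already leaves decoded frames on the device, the `hwupload` line is also unnecessary for this decode path, so the fix is to delete it and keep `-vf scale_vaapi=1080:1920` as the single filter chain rather than merging the two. A short comment above the command, `# frames stay on the GPU from decode to encode; no hwupload needed`, would explain why.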
@@ -19,6 +19,7 @@ - [Display](#display) - [Scripted Display Modes](#scripted-display-modes) - [Fixing generic Wayland icons on task alt tab](#fixing-generic-wayland-icons-on-task-alt-tab) + - [Tuned Power Profiles](#tuned-power-profiles) ## Framework 16 Fixes @@ -103,14 +104,21 @@ toolbox enter Set the default firewall to `drop` ```bash -firewall-cmd --set-default-zone=drop -firewall-cmd --reload +sudo firewall-cmd --set-default-zone=drop +sudo firewall-cmd --reload ``` Allow KDE Connect via 1714-1764 tcp/udp ```bash -firewall-cmd --add-port=1714-1764/udp --add-port=1714-1764/tcp --permanent +# Set source address to allow connections +sudo firewall-cmd \ +--zone=drop \ +--permanent \ +--add-port=1714-1764/udp \ +--add-port=1714-1764/tcp + +sudo firewall-cmd --reload ``` You can check if the firewall is working via `nmap` from another machine @@ -343,3 +351,11 @@ output.eDP-2.scale.1' Apply the new settings and close the application if it was open. The next time you open the application, it should show the correct icon. + +## Tuned Power Profiles + +Default profiles are in `/usr/lib/tuned/profiles`. + +Configuration file is in `/etc/tuned/ppd.conf`. + +Used `tuned-adm` CLI to interface with tuned. diff --git a/active/os_fedora/selinux.md b/active/os_fedora/selinux.md new file mode 100644 index 0000000..b69779b --- /dev/null +++ b/active/os_fedora/selinux.md @@ -0,0 +1,9 @@ +# Selinux Findings + +## Cloning a Virtual Machine + +```bash +cd active/os_fedora/selinux_policies +sudo ausearch -c 'rpc-virtstorage' --raw | audit2allow -M my-rpcvirtstorage +sudo semodule -X 300 -i my-rpcvirtstorage.pp +``` 
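Review bot: The comment `# Set source address to allow connections` in the KDE Connect block does not match the command under it, which adds no `--add-source` and opens 1714-1764 tcp/udp on the `drop` zone to every peer. Either change the comment to `# Open the KDE Connect port range to all sources on the default (drop) zone`, or actually scope it with a source-bound zone for the LAN or a rich rule carrying `source address=...`, and keep the `--reload` that the hunk already adds.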
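Review bot: The `audit2allow -M` step in selinux.md turns every recorded denial for `rpc-virtstorage` into an allow rule, and the page goes straight to `semodule -i` without a look at what was generated. I would insert `cat my-rpcvirtstorage.te` between the two commands with the comment `# Review the generated rules before loading them; audit2allow allows everything it saw`, since a stray denial from unrelated activity would otherwise be baked into the module. It is also worth stating that `cd active/os_fedora/selinux_policies` assumes the commands are run from a checkout of this repository.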
diff --git a/active/os_fedora/selinux_policies/my-rpcvirtstorage.pp b/active/os_fedora/selinux_policies/my-rpcvirtstorage.pp
new file mode 100644
index 0000000000000000000000000000000000000000..b06e66e2f9ae41513f97114ea3ee21363b915195
GIT binary patch
literal 1407
zcmb_c%TB{E5DWzY0*S|kbAJE?f8Yx@IPn2inz#^@M{%4&C4K?%y_{etc+_o>3Iax2
z&w6*fwv%jL-=E($k|cp0iM`1DQ26F@d{xxl)A+i{yV8v$bRq`Xt{8AERxM8bESncT
zw4w3ot=p8~#o4(L8UiWUR!qR>)(B0D((S}p>p~iW-$Pu0?X@&ZXX&IUi?G;^nQ8M_
zJCBk8wO}AG{Gc)wxC~XzXMA7ySKzKR{3w<`1xCSGA?>e2@X`0|_mTL_
aLyk6E?NMgI=vUQ~I)#O+J*cyi{DKe0#9p}o

literal 0
HcmV?d00001

diff --git a/active/os_fedora/selinux_policies/my-rpcvirtstorage.te b/active/os_fedora/selinux_policies/my-rpcvirtstorage.te
new file mode 100644
index 0000000..b23a102
--- /dev/null
+++ b/active/os_fedora/selinux_policies/my-rpcvirtstorage.te
@@ -0,0 +1,16 @@
+
+module my-rpcvirtstorage 1.0;
+
+require {
+ type user_home_t;
+ type virtstoraged_t;
+ type qemu_var_run_t;
+ class dir setattr;
+ class capability fowner;
+ class file setattr;
+}
+
+#============= virtstoraged_t ==============
+allow virtstoraged_t qemu_var_run_t:file setattr;
+allow virtstoraged_t self:capability fowner;
+allow virtstoraged_t user_home_t:dir setattr;
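Review bot: `allow virtstoraged_t self:capability fowner;` combined with `allow virtstoraged_t user_home_t:dir setattr;` lets the storage daemon change attributes on any directory labelled `user_home_t`, not only the pool directory that the clone in selinux.md touched, which is wider than that scenario needs. The usual remedy is to relabel the pool directory with a virt type rather than widen the daemon (`semanage fcontext -a -t virt_image_t '<POOL_PATH>(/.*)?'` followed by `restorecon -R <POOL_PATH>`, with the real path substituted), or at least to keep these rules and record the triggering AVC as a comment above each `allow` so a later reader can judge whether it is still required. A header comment saying the file was produced by `audit2allow -M` and that `my-rpcvirtstorage.pp` is rebuilt from it with `checkmodule -M -m` and `semodule_package` would also keep the committed binary and the source from drifting apart.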