moving everything to active or retired vs incubating and graduated
All checks were successful
Reese's Arch Toolbox / build-and-push-arch-toolbox (push) Successful in 14s

2025-04-19 18:46:40 -04:00
parent 6e393d90ee
commit ef9104c796
234 changed files with 456 additions and 244 deletions


@@ -0,0 +1,501 @@
# Apps
- [Apps](#apps)
- [Gear Lever](#gear-lever)
- [VSCode](#vscode)
- [DNF](#dnf)
- [rpm-ostree](#rpm-ostree)
- [Flatpak](#flatpak)
- [Bitwarden](#bitwarden)
- [MPV](#mpv)
- [Nextcloud Desktop](#nextcloud-desktop)
- [Nextcloud Talk](#nextcloud-talk)
- [Discord](#discord)
- [Proton Mail](#proton-mail)
- [Gimp](#gimp)
- [Minecraft](#minecraft)
- [Moonlight](#moonlight)
- [Steam](#steam)
- [MangoHud](#mangohud)
- [Raspberry Pi Imager](#raspberry-pi-imager)
- [Fedora Media Writer](#fedora-media-writer)
- [Pods](#pods)
- [Bambu Studio](#bambu-studio)
- [Freecad](#freecad)
- [Eyedropper](#eyedropper)
- [Mingle](#mingle)
- [Obsidian](#obsidian)
- [Dev Toolbox](#dev-toolbox)
- [Junction](#junction)
- [Kdenlive](#kdenlive)
- [The Powder Toy](#the-powder-toy)
- [Pika](#pika)
- [Filezilla](#filezilla)
- [Transmission](#transmission)
- [Frog](#frog)
- [CPU-X](#cpu-x)
- [Ungoogled Chromium](#ungoogled-chromium)
- [Signal](#signal)
- [Remmina](#remmina)
- [Mission Center](#mission-center)
- [Librewolf](#librewolf)
- [Yakuake](#yakuake)
- [Bruno](#bruno)
- [DBeaver](#dbeaver)
- [draw.io](#drawio)
- [GHex](#ghex)
- [KDiskMark](#kdiskmark)
- [Local Send](#local-send)
Flatpak installs are from Flathub unless otherwise noted.
Add flathub with:
```bash
flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
```
When prompted, prefer flathub.
## Gear Lever
I would recommend you install Gear Lever to manage App Images:
```bash
flatpak install it.mijorus.gearlever
```
## VSCode
Write code.
### DNF
<https://code.visualstudio.com/docs/setup/linux#_rhel-fedora-and-centos-based-distributions>
### rpm-ostree
This layers vscode on the system and lets you download the latest release without waiting
for flathub to update the flatpak. Offers some advantages over flatpak, like not needing
to use flatseal/other to manage host permissions, but the flatpak install works just fine.
<https://code.visualstudio.com/docs/setup/linux#_installing-rpm-package-manually>
1. Download the rpm
2. sudo rpm-ostree install ./vscode-something-something.rpm
3. Reboot
### Flatpak
```bash
flatpak install com.visualstudio.code
```
Add to settings.json so the host shell is spawned
```json
{
"terminal.integrated.defaultProfile.linux": "bash",
"terminal.integrated.profiles.linux": {
"bash": {
"path": "/app/bin/host-spawn",
"args": ["bash"],
"icon": "terminal-bash",
"overrideName": true
}
}
}
```
Add these keyboard shortcuts to allow forward and back with alt:
```json
[
...
{ "key": "alt+left", "command": "workbench.action.navigateBack" },
{ "key": "alt+right", "command": "workbench.action.navigateForward" },
...
]
```
## Bitwarden
Password manager.
```bash
flatpak install com.bitwarden.desktop
```
## MPV
Video player (like VLC but can frame-by-frame in reverse).
```bash
flatpak install io.mpv.Mpv
```
## Nextcloud Desktop
Sync your files.
```bash
flatpak install com.nextcloud.desktopclient.nextcloud
```
```bash
# Autostart
ln -s ~/.local/share/applications/com.nextcloud.talk.desktop ~/.config/autostart/
```
## Nextcloud Talk
Talk to your friends.
Download nextcloud talk from:
<https://github.com/nextcloud-releases/talk-desktop/releases>
```bash
flatpak install ./Nextcloud.Talk-linux-x64.flatpak
# autostart
ln -s /var/lib/flatpak/exports/share/applications/com.nextcloud.talk.desktop ~/.config/autostart/
```
## Discord
Talk to your enemies.
```bash
flatpak install com.discordapp.Discord
```
## Proton Mail
Talk to your business partners?
```bash
flatpak install me.proton.Mail
```
```bash
# Autostart
ln -s ~/.local/share/applications/me.proton.Mail.desktop ~/.config/autostart/
```
## Gimp
Photoshop for Linux.
```bash
flatpak install org.gimp.GIMP
```
## Minecraft
Mine. Craft.
```bash
flatpak install com.mojang.Minecraft
```
## Moonlight
Mine. Craft. But somewhere else.
```bash
flatpak install com.moonlight_stream.Moonlight
flatpak install flathub org.freedesktop.Platform.GL.default//22.08-extra
```
## Steam
Play games.
```bash
flatpak install com.valvesoftware.Steam
```
## MangoHud
<https://github.com/flightlessmango/MangoHud?tab=readme-ov-file#flatpak>
Pretty Numbers for your Games.
```bash
flatpak install org.freedesktop.Platform.VulkanLayer.MangoHud
flatpak override --user --env=MANGOHUD=1 com.valvesoftware.Steam
# Allow flatpak apps to read Mangohud config
flatpak override --user --filesystem=xdg-config/MangoHud:ro
```
Edit `~/.config/MangoHud/MangoHud.conf`
```conf
## pre defined presets
# -1 = default
# 0 = no display
# 1 = fps only
# 2 = horizontal view
# 3 = extended
# 4 = high detailed information
preset=2
## Enable most of the toggleable parameters (currently excludes `histogram`)
# full
```
## Raspberry Pi Imager
Flash your pi.
```bash
flatpak install org.raspberrypi.rpi-imager
```
## Fedora Media Writer
Flash your stick.
```bash
flatpak install org.fedoraproject.MediaWriter
```
## Pods
Remember Docker Desktop? Pods is the new Docker Desktop.
```bash
flatpak install com.github.marhkb.Pods
systemctl --user enable --now podman.socket
```
## Bambu Studio
Benchy benchy benchy benchy
```bash
flatpak install com.bambulab.BambuStudio
```
The config is located at `~/.var/app/com.bambulab.BambuStudio/config/BambuStudio/BambuStudio.conf`
At the very top of the config you can add a pin for a printer permanently with:
(Do this with Bambu Studio closed, it'll overwrite if it's open.)
```json
{
"user_access_code": {
"printer serial number": "access code here"
},
...
}
```
## Freecad
Benchy benchy benchy oh no, I can't do that, this is hard.
Download the AppImage and use [Gear Lever](#apps) to install:
<https://www.freecad.org/downloads.php>
## Eyedropper
Pick a color, any color (from your screen).
```bash
flatpak install com.github.finefindus.eyedropper
```
## Mingle
Create custom emojis.
```bash
flatpak install io.github.halfmexican.Mingle
```
## Obsidian
Show your friends your massive graph
```bash
flatpak install md.obsidian.Obsidian
```
## Dev Toolbox
Format JSON, base64 encode, and color blindness simulator.
```bash
flatpak install me.iepure.devtoolbox
```
## Junction
Choose how to open links you click on
```bash
flatpak install re.sonny.Junction
```
## Kdenlive
Edit videos without Adobe
```bash
flatpak install org.kde.kdenlive
```
## The Powder Toy
I love sandboxes.
```bash
flatpak install uk.co.powdertoy.tpt
```
## Pika
Backup with Borg.
```bash
flatpak install org.gnome.World.PikaBackup
```
## Filezilla
Really easy ftp, ftps, sftp, etc. file transfer.
```bash
flatpak install org.filezillaproject.Filezilla
```
## Transmission
Expand your "ISO" collection.
```bash
flatpak install com.transmissionbt.Transmission
```
## Frog
Extract text, scan QR codes, from images.
```bash
flatpak install com.github.tenderowl.frog
```
## CPU-X
CPU-Z but X this time
```bash
flatpak install io.github.thetumultuousunicornofdarkness.cpu-x
```
## Ungoogled Chromium
Chrom
```bash
flatpak install io.github.ungoogled_software.ungoogled_chromium
```
## Signal
Chat when Nextcloud Talk is down
```bash
flatpak install org.signal.Signal
```
```bash
# Autostart
ln -s ~/.local/share/applications/org.signal.Signal.desktop ~/.config/autostart/
```
## Remmina
REMote desktop IN An app
```bash
flatpak install org.remmina.Remmina
```
## Mission Center
It looks like Windows Task Manager but it plays like "Change Graph to Logical Processors"
```bash
flatpak install io.missioncenter.MissionCenter
```
## Librewolf
Louis Rossmann said to use this instead of Firefox
```bash
flatpak install org.localsend.localsend_app
```
## Yakuake
Drop down terminal when you press `f12`
```bash
flatpak install org.kde.yakuake
```
## Bruno
Remember when postman was good? Remember with Insomnia was good? This one's good for now.
```bash
flatpak install com.usebruno.Bruno
```
## DBeaver
You know you like databases
```bash
flatpak install io.dbeaver.DBeaverCommunity
```
## draw.io
Quickly make shitty diagrams
```bash
flatpak install com.jgraph.drawio.desktop
```
## GHex
Hex view like it's 2005
```bash
flatpak install org.gnome.GHex
```
## KDiskMark
Crystal Disk Mark but, like, k disk mark
```bash
flatpak install io.github.jonmagon.kdiskmark
```
## Local Send
Send anywhere used to be so cool. Unrelated, but I loved that app back in like 2014
```bash
flatpak install org.localsend.localsend_app
```


@@ -0,0 +1,33 @@
# Framework 16 Fixes
- [Framework 16 Fixes](#framework-16-fixes)
- [Wake from Sleep](#wake-from-sleep)
- [Wrong keys pressed in the browser, keyboard occasionally freezes after clicking a field](#wrong-keys-pressed-in-the-browser-keyboard-occasionally-freezes-after-clicking-a-field)
## Wake from Sleep
The keyboard/mouse can be pressed through the lid while in a backpack. Disable them to
prevent wake from sleep.
`/etc/udev/rules.d/69-suspend.rules`
```conf
# Disables all devices except the power button
ACTION=="add", SUBSYSTEM=="acpi", DRIVERS=="button", ATTRS{hid}=="PNP0C0D", ATTR{power/wakeup}="disabled"
ACTION=="add", SUBSYSTEM=="serio", DRIVERS=="atkbd", ATTR{power/wakeup}="disabled"
ACTION=="add", SUBSYSTEM=="i2c", DRIVERS=="i2c_hid_acpi", ATTRS{name}=="PIXA3854:00", ATTR{power/wakeup}="disabled"
ACTION=="add", SUBSYSTEM=="usb", DRIVERS=="usb", ATTR{power/wakeup}="disabled"
```
Reboot
If you want to specifically disable the framework keyboard you can use this:
```conf
# https://askubuntu.com/questions/848698/wake-up-from-suspend-using-usb-device
ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="32ac", ATTRS{idProduct}=="0012", RUN+="/bin/sh -c 'echo disabled > /sys$env{DEVPATH}/power/wakeup'"
```
## Wrong keys pressed in the browser, keyboard occasionally freezes after clicking a field
This was caused by a Keychron M3 mini mouse.
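Review bot: the second rule (`RUN+="/bin/sh -c 'echo disabled > /sys$env{DEVPATH}/power/wakeup'"`) shells out from udev to do what the first block already does declaratively; `ATTR{power/wakeup}="disabled"` on the same `idVendor`/`idProduct` match works for the Framework keyboard too and avoids running a shell from a udev rule. Both blocks match only on `ACTION=="add"`, so after editing the file `udevadm control --reload && udevadm trigger --action=add` applies it without the reboot, and `cat /proc/acpi/wakeup` together with `cat /sys/bus/usb/devices/*/power/wakeup` shows whether it took. The blanket `SUBSYSTEM=="usb"` rule disables wakeup for every USB device, including a docked keyboard; that may be intended, but the comment should say so. The last section names a cause ("This was caused by a Keychron M3 mini mouse.") but no fix; say what resolved it so the heading is actionable.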


@@ -0,0 +1,164 @@
# Fedora Kinoite
- [Fedora Kinoite](#fedora-kinoite)
- [TPM2 Luks Decryption](#tpm2-luks-decryption)
- [Podman](#podman)
- [Autostarting services with quadlets](#autostarting-services-with-quadlets)
- [rpm-ostree](#rpm-ostree)
- [Git, Vim, etc](#git-vim-etc)
- [Libvirt, Qemu, KVM](#libvirt-qemu-kvm)
- [Network](#network)
- [Hostname](#hostname)
- [VLAN Setup with nmcli](#vlan-setup-with-nmcli)
- [GPU Support in Distrobox](#gpu-support-in-distrobox)
## TPM2 Luks Decryption
Mostly taken from here:
<https://gist.github.com/jdoss/777e8b52c8d88eb87467935769c98a95>
PCR reference for `--tpm2-pcrs` args
```text
0: System firmware executable
2: Kernel
4: Bootloader
7: Secure boot state
8: Cmdline
9: Initrd
```
Basic commands:
```bash
# Show tpm2 devices
systemd-cryptenroll --tpm2-device=list
# Show crypto luks block devices
blkid -t TYPE=crypto_LUKS
# Enroll the tpm2 device with systemd-cryptenroll
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9 /dev/nvme0n1p3
# Reenroll
systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9
# Append to command line args
rpm-ostree kargs --append=rd.luks.options=tpm2-device=auto
```
When you update you'll need to reenroll. Add this to your ~/.bashrc
```bash
# LUKS TPM2 commands
alias tpm2-reenroll='sudo systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9'
```
## Podman
Since you'll be using podman for most container-based services, you'll want to set the
the podman auth file to somewhere persistent, otherwise it'll get deleted every time you
reboot.
Add this to your `.bashrc`:
```bash
# Podman auth file
export REGISTRY_AUTH_FILE=$HOME/.podman-auth.json
```
Source that and then run `podman login` to create the file.
### Autostarting services with quadlets
If you want to run something as your user at boot (like a systemd process, think ollama) you can
create a user quadlets like so:
```bash
# Generate the .container file
podman run --rm ghcr.io/containers/podlet --install --description "Local AI" \
podman run \
-d \
-v ollama:/root/.ollama \
-p 11434:11434 \
--name ollama \
--restart always \
docker.io/ollama/ollama > ~/.config/containers/systemd/ollama.container
# Verify the service (Note the filename:service, this is required! You will get "Failed to prepare filename" without it)
systemd-analyze verify ~/.config/containers/systemd/ollama.container:ollama.service
# Start the service
systemctl --user daemon-reload
systemctl --user start ollama
```
## rpm-ostree
Note: if you don't need them, remove extra repos
I removed:
1. rpmfusion-nonfree-steam.repo
2. rpmfusion-nonfree-nvidia-driver.repo
3. google-chrome.repo
4. _copr\:copr.fedorainfracloud.org\:phracek\:PyCharm.repo
```bash
# Search for available packages
rpm-ostree search git
# Install a package
rpm-ostree install git
# Apply the installed package live
rpm-ostree apply-live
# Check what's been layered
rpm-ostree status
```
### Git, Vim, etc
Some packages are nice to have at the system level.
```bash
rpm-ostree install git vim
```
### Libvirt, Qemu, KVM
```bash
rpm-ostree install virt-manager libvirt
systemctl enable --now libvirtd
```
## Network
### Hostname
```bash
sudo hostnamectl hostname reesework16
```
### VLAN Setup with nmcli
```bash
# VLAN 2
nmcli conn
export NMCLI_DEVICE=enp195s0f4u1u3
nmcli connection add type VLAN con-name $NMCLI_DEVICE.2 dev $NMCLI_DEVICE id 2
```
## GPU Support in Distrobox
Fix for `error="failed to check permission on /dev/kfd: open /dev/kfd: invalid argument"`
```bash
# You have to create the video and render group to /etc/group before you can use it
sudo grep -E '^video:' /usr/lib/group | sudo tee -a /etc/group
sudo grep -E '^render:' /usr/lib/group | sudo tee -a /etc/group
sudo usermod -aG video $USER
sudo usermod -aG render $USER
```
Logout and log back in to adopt new groups.
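Review bot: the PCR table mislabels what the TPM measures: on a UEFI Secure Boot chain PCR 2 holds option ROMs and other pluggable firmware code, not the kernel, and the bootloader and kernel binaries themselves land in PCR 4, with GRUB measuring the command line into PCR 8 and the loaded kernel/initrd files into PCR 9 as the table does say. Binding to 8 and 9 is what forces the re-enrollment after every update, and the `tpm2-reenroll` alias only helps after you have rebooted into the new deployment, because it seals to the PCR values of the boot that is currently running; run it before rebooting and the next boot still falls back to the passphrase, so the "When you update you'll need to reenroll" note should say to reboot first. Since this is a laptop, consider `--tpm2-with-pin=yes` as well: with TPM-only unlock, anyone who picks up the machine gets the volume unlocked up to the login screen. In the quadlet example, `-p 11434:11434` publishes the Ollama API on every interface with no authentication; `-p 127.0.0.1:11434:11434` keeps it local. Check the generated `.container` file for what podlet did with `-d` and `--restart always`, since systemd owns the lifecycle of a quadlet and restarts come from `Restart=` in `[Service]`; and a user unit only starts "at boot" if `loginctl enable-linger` is set for the user, otherwise it waits for the first login. `REGISTRY_AUTH_FILE=$HOME/.podman-auth.json` moves registry credentials into a persistent plaintext file, so confirm it is mode 0600 after the first `podman login`. Lastly, `systemctl enable --now libvirtd` right after `rpm-ostree install virt-manager libvirt` fails until the new deployment is booted (or `rpm-ostree apply-live` has been run), matching the `apply-live` step shown just above it.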


@@ -0,0 +1,739 @@
# Fedora Server
- [Fedora Server](#fedora-server)
- [Installation](#installation)
- [Setup SSH](#setup-ssh)
- [DNF](#dnf)
- [Fail2Ban](#fail2ban)
- [BTRFS Parent Volumes](#btrfs-parent-volumes)
- [BTRFS Snapshots](#btrfs-snapshots)
- [TPM2 Luks Decryption](#tpm2-luks-decryption)
- [Change your password](#change-your-password)
- [Automatic Updates](#automatic-updates)
- [Monitoring](#monitoring)
- [Disk Usage](#disk-usage)
- [Disk Wear](#disk-wear)
- [Common Storage Mounts](#common-storage-mounts)
- [Network Bridge](#network-bridge)
- [Virtualization](#virtualization)
- [Troubleshooting](#troubleshooting)
- [QEMU Images](#qemu-images)
- [Firewalld](#firewalld)
- [Backups](#backups)
- [Connect to the ISCSI Backup Target](#connect-to-the-iscsi-backup-target)
- [Connect to Backup Target with Cockpit](#connect-to-backup-target-with-cockpit)
- [Connect to Backup Target with iscsiadm](#connect-to-backup-target-with-iscsiadm)
- [Format backup disk](#format-backup-disk)
- [Troubleshooting Backup ISCSI Connection](#troubleshooting-backup-iscsi-connection)
- [Quick Backup](#quick-backup)
- [Regular Backups with Borg](#regular-backups-with-borg)
- [Optional Steps](#optional-steps)
- [Docker with Podman as Runtime](#docker-with-podman-as-runtime)
- [Vanilla Docker](#vanilla-docker)
- [Extra Software](#extra-software)
- [Disable Swap](#disable-swap)
- [Disable Selinux](#disable-selinux)
- [Downgrading Kernel](#downgrading-kernel)
- [Resize logical volume](#resize-logical-volume)
- [Create XFS LVM](#create-xfs-lvm)
- [LVM Thin Provisioning](#lvm-thin-provisioning)
- [Set eui64 on network interface](#set-eui64-on-network-interface)
- [Install and Enable Cockpit](#install-and-enable-cockpit)
- [Troubleshooting](#troubleshooting-1)
- [Cockpit Terminal Unusable or Weird Colors](#cockpit-terminal-unusable-or-weird-colors)
- [Chroot into a mounted disk](#chroot-into-a-mounted-disk)
- [Resize Last Partition to Fill Available Space](#resize-last-partition-to-fill-available-space)
- [LUKS performance](#luks-performance)
<https://docs.fedoraproject.org/en-US/fedora-server/installation/postinstallation-tasks/#_manage_system_updates>
Note these instructions differentiate between an `operator` and a `server`. The operator can be
any machine that configure the server. A pipeline, laptop, dedicated server, etc. are all options.
The server can be its own operator, though that's not recommended since servers should be ephemeral
and the operator will store information about each server.
## Installation
1. Configure network first
1. Set a hostname
2. Disable ipv6 privacy extensions
2. Software Selection
1. Headless Management
3. User Creation
1. Set a simple password, we'll change it later
4. Disk partitioning
1. Select manual (blivet) partitioning
2. Create a 1GB EFI system partition and mount it at `/boot/efi`
3. Create a 1GB ext4 partition and mount it at `/boot`
4. Create a btrfs volume with the remaining data and name it something unqiue, do not mount it
5. Create a btrfs subvolume called "root" and mount it at `/`
6. Create any other btrfs subvolumes you might need
5. Take note of the ipv4 and ipv6 address. Update any DNS records at this time.
6. Install and reboot
## Setup SSH
In this setup we'll allow ssh to the root user via key and keep the admin user for cockpit.
On the operator:
```bash
export SSH_HOST=kube
ssh-keygen -C ducoterra@${SSH_HOST}.reeselink.com -f ~/.ssh/id_${SSH_HOST}_rsa
# Note: If you get "too many authentication failures" it's likely because you have too many private
# keys in your ~/.ssh directory. Use `-o PubkeyAuthentication` to fix it.
ssh-copy-id -o PubkeyAuthentication=no -i ~/.ssh/id_${SSH_HOST}_rsa.pub ducoterra@${SSH_HOST}.reeselink.com
ssh -i ~/.ssh/id_${SSH_HOST}_rsa ducoterra@${SSH_HOST}.reeselink.com
# Copy authorized_keys to root
sudo cp ~/.ssh/authorized_keys /root/.ssh/authorized_keys
exit
cat <<EOF >> ~/.ssh/config
Host ${SSH_HOST}
Hostname ${SSH_HOST}.reeselink.com
User root
Port 22
KeepAlive yes
IdentityFile ~/.ssh/id_${SSH_HOST}_rsa
EOF
ssh ${SSH_HOST}
# Disable password auth
echo "PasswordAuthentication no" > /etc/ssh/sshd_config.d/01-prohibit-password.conf
systemctl restart sshd
# OPTIONAL: Disable sudo password
echo '%wheel ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/01-nopasswd-wheel
exit
# Test if you can SSH with a password
ssh -o PubkeyAuthentication=no ducoterra@${SSH_HOST}.reeselink.com
# Test that you can log into the server with ssh config
ssh $SSH_HOST
```
## DNF
Configure dnf to use the fastest mirror:
```bash
echo 'fastestmirror=1' >> /etc/dnf/dnf.conf
dnf clean all
dnf update --refresh -y
# libdnf5 is required for ansible to work
dnf install -y glances tmux vim python3-libdnf5
```
## Fail2Ban
On the server:
```bash
# Run tmux session
tmux
dnf install -y fail2ban
# Setup initial rules
cat <<EOF > /etc/fail2ban/jail.local
# Jail configuration additions for local installation
# Adjust the default configuration's default values
[DEFAULT]
# Optional enter an trusted IP never to ban
# ignoreip = 2600:1700:1e6c:a81f::0/64
bantime = 6600
backend = auto
# The main configuration file defines all services but
# deactivates them by default. We have to activate those neeeded
[sshd]
enabled = true
EOF
systemctl enable fail2ban --now
# OPTIONAL: follow logs
tail -f /var/log/fail2ban.log
```
Checking, banning, unbanning
```bash
# See banned clients
fail2ban-client banned
# See jails (sshd should be one of them)
fail2ban-client status
# Unban a client from the sshd jail
fail2ban-client set sshd unbanip <IP address>
```
## BTRFS Parent Volumes
In `/etc/fstab`, add the parent volumes for your disks mounted with subvolid=5 at `/btrfs` so you can see
all subvolumes.
```conf
UUID=64beedac-c0c9-48bf-a3ae-7707df6ebc97 /btrfs/3dserver-root btrfs subvolid=5,compress=zstd:1,x-systemd.device-timeout=0 0 0
UUID=3c76b83f-7547-4c18-b08f-9e7902022b8d /btrfs/3dserver-data btrfs subvolid=5,compress=zstd:1,x-systemd.device-timeout=0 0 0
```
```bash
systemctl daemon-reload
mount -a --mkdir
```
## BTRFS Snapshots
<https://en.opensuse.org/openSUSE:Snapper_Tutorial>
<http://snapper.io/manpages/snapper-configs.html>
We'll be using snapper, a tool for automating and controlling snapshot behavior.
```bash
dnf install snapper dnf-plugin-snapper
# Allow selinux management
semanage permissive -a snapperd_t
# Note, if you mess something up you can run snapper -c root delete-config to delete
# System configs are stored in /etc/sysconfig/snapper as well as /etc/snapper
snapper -c root create-config /
snapper -c data create-config /path/to/other/data
# Enable automatic snapshots
systemctl enable --now snapper-timeline.timer
# Enable automatic cleanup
systemctl enable --now snapper-cleanup.timer
# Enable snapshots on boot
systemctl enable --now snapper-boot.timer
# List snapshots
snapper -c root list
# Create snapshot manually
snapper -c root create --description "test snapshot"
# Delete first snapshot
snapper -c root delete 1
```
Note - you probably don't want to keep yearly snapshots.
Edit `/etc/snapper/configs/root` and change `TIMELINE_LIMIT_YEARLY=` to `0`.
## TPM2 Luks Decryption
Mostly taken from here:
<https://gist.github.com/jdoss/777e8b52c8d88eb87467935769c98a95>
PCR reference for `--tpm2-pcrs` args
```text
0: System firmware executable
2: Kernel
4: Bootloader
7: Secure boot state
8: Cmdline
9: Initrd
```
Note, if your threat vector is people trying to get data off your old disks after throwing them
away, you can set `--tpm2-pcrs=""`. Someone could gain access to your encrypted partition if they
can access your machine physically by manipulating the boot parameters but you're guaranteed to
unlock despite updates and upgrades.
Basic commands:
```bash
# Run tmux session
tmux
# Show tpm2 devices
systemd-cryptenroll --tpm2-device=list
# Show crypto luks block devices
blkid -t TYPE=crypto_LUKS
# Enroll the tpm2 device with systemd-cryptenroll
systemd-cryptenroll /dev/nvme0n1p3 --tpm2-device=auto --tpm2-pcrs=""
####################
##### OPTIONAL #####
####################
# If you have lots of devices to decrypt (like a btrfs raid array), use these commands.
# Get all crypto luks partitions
blkid | grep crypto_LUKS
# List them all space-separated and drop the '/dev'
LUKS_DEVS="nvme0n1p4 nvme1n1p1 nvme2n1p1 nvme3n1p1 nvme5n1p1 nvme4n1p1 nvme6n1p1"
# Check that your list is good
for dev in $LUKS_DEVS; do echo will enroll /dev/$dev; done
# Enroll
for dev in $LUKS_DEVS; do \
echo "Enrolling /dev/$dev"; \
systemd-cryptenroll /dev/$dev --tpm2-device=auto --tpm2-pcrs=""; \
done
########################
##### END OPTIONAL #####
########################
# Append to command line args
echo "add_dracutmodules+=\" tpm2-tss \"" | tee /etc/dracut.conf.d/tpm2.conf
dracut -f
```
Finally, `vim /etc/default/grub` and add `rd.luks.options=tpm2-device=auto` to GRUB_CMDLINE_LINUX
```bash
# Update Grub
grub2-mkconfig -o /boot/grub2/grub.cfg
reboot
# Cross your fingers that you don't have to go type in the password manually.
# Yes, 60 full seconds is too long. Go type your password in.
```
If you need to reenroll for some reason:
```bash
# Reenroll
systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=""
```
## Change your password
In Cockpit navigate to Accounts -> user -> Set password
## Automatic Updates
In Cockpit navigate to software updates -> automatic updates -> install -> security updates only
## Monitoring
In Cockpit: Overview -> View metrics and history -> Install PCP Support -> Metrics settings -> Turn on Collect Metrics
### Disk Usage
TODO
### Disk Wear
TODO
## Common Storage Mounts
Note: mount these before you install the relavant package!
1. For virtual machines: `/var/lib/libvirt`
2. For podman: `/var/lib/containers`
3. For docker: `/var/lib/docker`
## Network Bridge
Networking -> Add bridge -> add network interface and save
```bash
nmcli connection modify bridge0 ipv6.addr-gen-mode eui64
```
## Virtualization
Don't forget to add a btrfs subvolume for `/var/lib/libvirt`
```bash
# Since we already created our /btrfs mountpoint, this volume will show up automatically
# at /btrfs/libvirt
btrfs sub create /btrfs/libvirt
```
Now create an fstab entry that mounts the volume at /var/lib/libvirt
```bash
UUID=... /var/lib/libvirt btrfs subvol=libvirt,compress=zstd:1,x-systemd.device-timeout=0 0 0
```
Mount the libvirt volume:
```bash
systemctl daemon-reload
mount -a --mkdir
# Check that the mount was successful. This will print something if our mount worked.
mount | grep -i /var/lib/libvirt
```
Create a snapshot schedule for libvirt.
```bash
snapper -c libvirt create-config /var/lib/libvirt
# Don't forget to edit "YEARLY" at /etc/snapper/configs/libvirt
```
Install and enable the virtualization service.
```bash
dnf group install --with-optional virtualization
systemctl enable --now libvirtd
```
Install the cockpit machines application.
### Troubleshooting
```bash
# Oops, I did this after I installed virtualization
rsync -av /var/lib/libvirt/ /btrfs/libvirt/
rm -rf /var/lib/libvirt
# Find the path to your btrfs volume
lsblk
mount -o subvol=libvirt /dev/mapper/luks-... /var/lib/libvirtd
```
### QEMU Images
```bash
# Grow an image to 2TB
qemu-img resize nextcloud_aio-fcfgp.qcow2 2T
```
```bash
# Convert OVA to img
qemu-img convert -f vmdk -O raw in.vmdk out.img
# Convert qcow2 to img
qemu-img convert -f qcow2 -O raw in.raw out.img
```
## Firewalld
Set the default firewalld zone to `public`
```bash
# Note, you probably don't have to do this. Check Cockpit Network -> Firewall
# firewall-cmd --set-default-zone=public
```
Firewalld will be on and blocking by default. You can check the zone and allowed ports with:
```bash
firewall-cmd --zone=public --list-ports
firewall-cmd --zone=public --list-services
```
Allow Cockpit with
```bash
firewall-cmd --permanent --zone=public --add-port=9090/tcp
firewall-cmd --reload
```
## Backups
Note: this assumes you've set up [an iscsi backup disk](/active/os_truenas/truenas.md#iscsi-backup-volumes)
### Connect to the ISCSI Backup Target
#### Connect to Backup Target with Cockpit
1. Storage -> Hamburger menu -> Add iSCSI portal
2. Type your portal address, username, and password
#### Connect to Backup Target with iscsiadm
<https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/5/html/online_storage_reconfiguration_guide/iscsi-replacements_timeout#iscsi-replacements_timeout>
```bash
# Set username and password for discovered nodes
# Optionally you can add "-T <target name>" to specify which target has the username/password
iscsiadm -m node \
-o update \
-n node.session.auth.username -v username \
-n node.session.auth.password -v password
# Set replacement_timeout to 10 minutes in case server reboots
iscsiadm -m node \
-o update \
-n node.session.timeo.replacement_timeout -v 600
systemctl restart iscsid
# Discover targets
iscsiadm -m discovery -t st -p driveripper.reeselink.com
# Login to all nodes
iscsiadm -m node -l
```
#### Format backup disk
```bash
# list disks
lsblk
# Create partition
fdisk /dev/sdx
# Format partition with btrfs
mkfs.btrfs /dev/sdx1
# Get the UUID
blkid /dev/sdx1
```
Update /etc/fstab with the iscsi disk details.
Note:
- `x-systemd.automount` which only mounts the device when it's accessed.
- `x-systemd.mount-timeout=30` allows a 30 second timeout
- `_netdev` ensures the device won't be mounted until after the network is available
```conf
UUID=... /btrfs/some-name btrfs subvolid=5,compress=zstd:1,x-systemd.automount,x-systemd.mount-timeout=30,_netdev 0 0
```
#### Troubleshooting Backup ISCSI Connection
```bash
# List targets
iscsiadm -m node
# Delete node
iscsiadm -m node -o delete -T iqn.2022-01.com.reeselink:driveripper:iqn.2022-01.com.reeselink:driveripper
# List discovered targets
iscsiadm -m discovery
# Delete from discovery db
iscsiadm -m discoverydb -t sendtargets -p driveripper.reeselink.com -o delete
```
### Quick Backup
```bash
rsync -av --progress --exclude '.snapshots' /btrfs/yellow/root /btrfs/backup-yellow --dry-run
```
### Regular Backups with Borg
See [borg.md](/active/systemd_borg/borg.md)
## Optional Steps
### Docker with Podman as Runtime
Note, you'll need to ssh into the server as the user in order to start the user's systemd session.
```bash
sudo dnf install podman docker docker-compose
sudo loginctl enable-linger 1000 # Or whatever user
systemctl --user enable --now podman.socket
docker context create podman --docker host=unix://$XDG_RUNTIME_DIR/podman/podman.sock
docker context use podman
```
### Vanilla Docker
<https://docs.docker.com/engine/install/fedora/>
```bash
dnf -y install dnf-plugins-core
dnf-3 config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo
dnf install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
systemctl enable --now docker
```
### Extra Software
```bash
# Set vim as the default editor
dnf install -y vim-default-editor --allowerasing
# Install glances for system monitoring
dnf install -y glances
# ZSH
dnf install -y zsh
chsh -s $(which zsh) && chsh -s $(which zsh) ducoterra
```
### Disable Swap
```bash
swapoff -a
zramctl --reset /dev/zram0
dnf -y remove zram-generator-defaults
```
### Disable Selinux
By default selinux will be enforcing. You can set it to permissive with
```bash
setenforce 0
```
And then make it permanent by editing `/etc/selinux/config` and inserting `SELINUX=permissive`.
### Downgrading Kernel
```bash
dnf install koji
# Note: format is kernel-version.fedora-version
cd $(mktemp -d) && koji download-build --arch=x86_64 --arch=noarch kernel-6.11.3-300.fc41 && dnf install ./*
reboot
```
### Resize logical volume
```bash
# Replace /dev/sda2 with whatever your disks are
# This assumes xfs
pvresize /dev/sda2
lvextend /dev/mapper/root -l+100%FREE
xfs_growfs -d /dev/mapper/root
```
### Create XFS LVM
<https://www.linuxtechi.com/how-to-create-lvm-partition-in-linux/>
<https://www.golinuxcloud.com/lvcreate-command-in-linux/#How_to_install_lvcreate>
If you get the error "Not creating system devices file due to existing VGs."
Run `vgimportdevices -a` and check `/etc/lvm/devices/system.devices`
1. Create a new partition for the Physical Volume (fdisk)
```bash
# Create the physical volume
pvcreate /dev/vda4
# Create the volume group (vgcreate <vg_name> <pv>)
vgcreate nextcloud_data /dev/vda4
# Create the logical volume (lvcreate -L <Size-of-LV> -n <LV-Name> <VG-Name>)
# Or lvcreate -l 100%FREE
lvcreate -l 100%FREE -n nextcloud_data_vol nextcloud_data
# list the PV, VG, LV
pvs
vgs
lvs
# Format lv
mkfs.btrfs /dev/nextcloud_data/nextcloud_data_vol
```
### LVM Thin Provisioning
<https://linuxconfig.org/introduction-to-lvm-thin-provisioning>
If you get the error "Not creating system devices file due to existing VGs."
Run `vgimportdevices -a` and check `/etc/lvm/devices/system.devices`
Thin provisioning allows you to overprovision your storage drives to make the filesystem
think it has more data than it does.
```bash
# Create the physical volume
pvcreate /dev/vda4
# Create the volume group
vgcreate vg0 /dev/vda4
# Create the thin pool - the volume with real data that will hold our thing volumes with fake data
lvcreate -l 100%FREE -T vg0/thinpool
# Create the thin volumes with fake data
lvcreate -T -V 2T vg0/thinpool -n local-path-provisioner
lvcreate -T -V 2T vg0/thinpool -n docker-data
# Format the fake volumes
mkfs.xfs /dev/mapper/vg0-local--path--provisioner
mkfs.xfs /dev/mapper/vg0-docker--data
```
### Set eui64 on network interface
```bash
nmcli connection modify Wired\ connection\ 1 ipv6.addr-gen-mode eui64
```
### Install and Enable Cockpit
<https://cockpit-project.org/running>
```bash
dnf install cockpit
systemctl enable --now cockpit.socket
firewall-cmd --add-service=cockpit
firewall-cmd --add-service=cockpit --permanent
```
## Troubleshooting
### Cockpit Terminal Unusable or Weird Colors
Make sure you give canvas access to the browser (especially in librewolf)
### Chroot into a mounted disk
This lets you run grub2-mkconfig among other things.
```bash
# Mount root
mount /dev/mapper/vg0-root /mnt
# Mount proc, sys, and dev
mount -t proc /proc proc/
mount --rbind /sys sys/
mount --rbind /dev dev/
# Mount boot and efi
mount /dev/vdb2 /mnt/boot
mount /dev/vdb1 /mnt/boot/efi
chroot /mnt
```
### Resize Last Partition to Fill Available Space
```bash
parted /dev/vdb
# to resize /dev/vdb3 to fill 100% of the disk, for example
resizepart 3 100%
quit
# Resize the physical volume to match the partition
pvresize /dev/vdb3
```
### LUKS performance
```bash
cryptsetup benchmark
```
Should output something like:
```bash
# Algorithm | Key | Encryption | Decryption
aes-cbc 128b 1409.1 MiB/s 3627.9 MiB/s
serpent-cbc 128b 146.5 MiB/s 981.4 MiB/s
twofish-cbc 128b 289.8 MiB/s 613.3 MiB/s
aes-cbc 256b 1100.2 MiB/s 3448.2 MiB/s
serpent-cbc 256b 150.3 MiB/s 982.1 MiB/s
twofish-cbc 256b 294.3 MiB/s 590.8 MiB/s
aes-xts 256b 4423.5 MiB/s 4561.2 MiB/s
serpent-xts 256b 874.9 MiB/s 883.7 MiB/s
twofish-xts 256b 557.8 MiB/s 559.4 MiB/s
aes-xts 512b 4551.2 MiB/s 4669.6 MiB/s
serpent-xts 512b 890.8 MiB/s 860.5 MiB/s
twofish-xts 512b 557.5 MiB/s 564.2 MiB/s
```
Which will tell you how fast you can theoretically write/read to encrypted drives.
The default encryption used by most modern operating systems is AES-XTS.
You can see your system's cipher and key with `cryptsetup luksDump /dev/nvme0n1p1 | grep -i cipher`
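Review bot: the "Chroot into a mounted disk" block mounts `proc/`, `sys/` and `dev/` as relative paths but never changes into `/mnt`, so as written those mounts land in whatever directory the shell happens to be in and the `chroot /mnt` then runs without /proc, /sys or /dev; either add `cd /mnt` right after `mount /dev/mapper/vg0-root /mnt` or use absolute targets (`mount -t proc /proc /mnt/proc`, `mount --rbind /sys /mnt/sys`, `mount --rbind /dev /mnt/dev`). In the thin-provisioning block, "hold our thing volumes" should read "thin volumes", and the intro would be more accurate as "think it has more space than it really has"; since the pool is overprovisioned it can fill up while the thin volumes still report free space, so it is worth adding that `lvs` shows the pool's Data% and that it needs watching. Finally, the LVM section opens with "1. Create a new partition for the Physical Volume (fdisk)" but no step 2 follows; drop the list number or add the remaining steps.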
active/os_fedora/fedora.md Normal file
@@ -0,0 +1,130 @@
# Fedora
- [Fedora](#fedora)
- [Framework 16 Fixes](#framework-16-fixes)
- [Wake from Sleep](#wake-from-sleep)
- [Wrong keys pressed in the browser](#wrong-keys-pressed-in-the-browser)
- [Wifi Powersave](#wifi-powersave)
- [Podman](#podman)
- [Autostarting services with quadlets](#autostarting-services-with-quadlets)
- [Network](#network)
- [VLAN Setup with nmcli](#vlan-setup-with-nmcli)
- [ZRAM](#zram)
## Framework 16 Fixes
### Wake from Sleep
The keyboard/mouse can be pressed through the lid while in a backpack. Disable them to
prevent wake from sleep.
`/etc/udev/rules.d/69-suspend.rules`
```conf
ACTION=="add", SUBSYSTEM=="acpi", DRIVERS=="button", ATTRS{hid}=="PNP0C0D", ATTR{power/wakeup}="disabled"
ACTION=="add", SUBSYSTEM=="serio", DRIVERS=="atkbd", ATTR{power/wakeup}="disabled"
ACTION=="add", SUBSYSTEM=="i2c", DRIVERS=="i2c_hid_acpi", ATTRS{name}=="PIXA3854:00", ATTR{power/wakeup}="disabled"
# https://askubuntu.com/questions/848698/wake-up-from-suspend-using-usb-device
ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="32ac", ATTRS{idProduct}=="0012", RUN+="/bin/sh -c 'echo disabled > /sys$env{DEVPATH}/power/wakeup'"
```
Reload
```bash
sudo udevadm control --reload-rules && sudo udevadm trigger
```
### Wrong keys pressed in the browser
Sometimes keys will stop working when using search bars or do strange things like move the page around. This seems to be caused by some "alt" keypress combination. Pressing "alt" twice fixes it.
### Wifi Powersave
**NOTE: THIS DOESN'T WORK. IT CAUSES WIFI DISCONNECT AND RECONNECT ISSUES.**
<https://www.networkmanager.dev/docs/api/latest/settings-802-11-wireless.html>
<https://gist.github.com/jcberthon/ea8cfe278998968ba7c5a95344bc8b55>
<https://askubuntu.com/questions/1230525/ubuntu-20-04-network-performance-extremely-slow>
```bash
vim /etc/NetworkManager/conf.d/wifi-powersave-off.conf
```
```conf
[connection]
# Values are 0 (use default), 1 (ignore/don't touch), 2 (disable) or 3 (enable).
wifi.powersave = 2
```
```bash
systemctl restart NetworkManager
```
## Podman
Since you'll be using podman for most container-based services, you'll want to set the
the podman auth file to somewhere persistent, otherwise it'll get deleted every time you
reboot.
Add this to your `.bashrc`:
```bash
# Podman auth file
export REGISTRY_AUTH_FILE=$HOME/.podman-auth.json
```
Source that and then run `podman login` to create the file.
### Autostarting services with quadlets
If you want to run something as your user at boot (like a systemd process, think ollama) you can
create a user quadlets like so:
```bash
# Generate the .container file
podman run --rm ghcr.io/containers/podlet --install --description "Local AI" \
podman run \
-d \
-v ollama:/root/.ollama \
-p 11434:11434 \
--name ollama \
--restart always \
docker.io/ollama/ollama > ~/.config/containers/systemd/ollama.container
# Verify the service (Note the filename:service, this is required! You will get "Failed to prepare filename" without it)
systemd-analyze verify ~/.config/containers/systemd/ollama.container:ollama.service
# Start the service
systemctl --user daemon-reload
systemctl --user start ollama
```
## Network
### VLAN Setup with nmcli
```bash
# VLAN 2
nmcli conn
export NMCLI_DEVICE=enp195s0f4u1u3
nmcli connection add type VLAN con-name $NMCLI_DEVICE.2 dev $NMCLI_DEVICE id 2
```
## ZRAM
Increasing zram size
```bash
# Show existing configuration
zramctl
#
swapoff /dev/zram0
# Reset swap
zramctl -r /dev/zram0
# Set a new size
zramctl --size 4G /dev/zram0
```
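Review bot: the ZRAM block stops after `zramctl --size 4G /dev/zram0` without re-enabling swap; after `swapoff` and `zramctl -r` the device carries no swap signature, so `mkswap /dev/zram0` followed by `swapon /dev/zram0` is needed before the new size is actually used, and the change does not survive a reboot because Fedora's zram0 is created by zram-generator (persist it with `zram-size = 4096` under `[zram0]` in `/etc/systemd/zram-generator.conf`, the value being MiB). In the quadlet block, the redirect to `~/.config/containers/systemd/ollama.container` fails when that directory does not exist yet on a fresh user account; add `mkdir -p ~/.config/containers/systemd` before the `podman run --rm ghcr.io/containers/podlet ...` line. For the `REGISTRY_AUTH_FILE=$HOME/.podman-auth.json` setting, that file holds registry credentials, so it is worth noting that it should stay readable only by the user (check with `ls -l` after `podman login`). Two wording fixes as well: "set the the podman auth file" and "create a user quadlets like so" (should be "a user quadlet").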