checkpoint commit
All checks were successful
Podman DDNS Image / build-and-push-ddns (push) Successful in 1m3s
All checks were successful
Podman DDNS Image / build-and-push-ddns (push) Successful in 1m3s
This commit is contained in:
92
stories/docs/10-fedora_server_admin.md
Normal file
92
stories/docs/10-fedora_server_admin.md
Normal file
@@ -0,0 +1,92 @@
|
||||
# I want to build the perfect homelab server
|
||||
|
||||
Date Written: 02/11/26
|
||||
|
||||
Fedora Version: 43
|
||||
|
||||
## Intro
|
||||
|
||||
And it will run Fedora. Backstory: I ran Truenas for a long time. I started with
|
||||
Freenas, got confused by jails, switched to this new thing called Truenas,
|
||||
learned about ZFS, watched "Apps" come into existence, watched Kubernetes
|
||||
support rise and fall, watched the disaster that was Incus container/VM support
|
||||
and the subsequent "rollback" to traditional VMs, and got really tired of lack
|
||||
of control.
|
||||
|
||||
App backup and restore was never, and still isn't, well supported. Taking
|
||||
snapshots of your apps pool and then sending those snapshots to a backup drive
|
||||
un-hid the ix-systems directory (which would frequently have thousands of
|
||||
snapshots due to Truenas's liberal use of subvolumes and would slow down the UI
|
||||
immensely). App data was intentionally hidden from the user for some reason.
|
||||
Migrating between Docker, then kubernetes, then Incus was never fully planned.
|
||||
The Truenas Charts app market was awesome, but building a Truenas Chart was
|
||||
complex and required duplicating all `values.yaml` configurable parameters into
|
||||
a new yaml file that the UI could use for form-fill. They got rid of Truenas
|
||||
Charts regardless so you just have to hope that your favorite app supporter is
|
||||
comfortable rewriting their app in the new format and supporting some kind of
|
||||
migration strategy. Every six months I would expect some kind of downtime
|
||||
because Truenas would change something critical and it would inevitably impact
|
||||
my workflow.
|
||||
|
||||
So, if I'm going to be subject to the whims of a changing platform anyway (given
|
||||
Truenas is supposed to be based on Debian, aka the *stable* choice), and if I'm
|
||||
going to suffer breaking changes every 6 months no matter what I choose, then I
|
||||
may as well have the latest and greatest via a rolling kernel distro.
|
||||
|
||||
So why not Arch? Simply: SELinux. SELinux is currently not officially supported
|
||||
in Arch linux. Plus Fedora Server comes with a lot built in that I like.
|
||||
Cockpit, Firewalld, Podman, SELinux, OSBuild, and RPM support all work out of
|
||||
the box. These are, imo, the "bare bones" requirements for a server exposed to
|
||||
the internet that will run homelab services.
|
||||
|
||||
So let's get started configuring an awesome Fedora server to keep your data safe
|
||||
and run your Homelab services with minimal downtime.
|
||||
|
||||
## Installation
|
||||
|
||||
When installing Fedora from the ISO, take some time at the installation menu to
|
||||
configure some basics.
|
||||
|
||||
Don't worry about RAID for now, we can convert a single disk into a RAID 1 array
|
||||
later.
|
||||
|
||||
If you don't have an SSH key already, generate one for yourself so you can log into the server. On your local machine:
|
||||
|
||||
```bash
|
||||
# Generate the key
|
||||
# Save it to the default location (~/.ssh/id_ed25519)
|
||||
# Please please please encrypt it with a password. Something memorable. Write it down. Friends don't let friends have naked SSH keys.
|
||||
ssh-keygen -t ed25519
|
||||
```
|
||||
|
||||
1. Configure the network
|
||||
1. Set a hostname
|
||||
2. Disable ipv6 privacy extensions
|
||||
2. Configure software selection
|
||||
1. Choose anything you'd like preinstalled
|
||||
3. Create a non-root user
|
||||
1. Set a simple password for easy login, we'll change it later
|
||||
4. Configure your disk partitioning
|
||||
1. Select manual (blivet) partitioning
|
||||
2. Create a 1GB EFI system partition and mount it at `/boot/efi`
|
||||
3. Create a 1GB btrfs partition and mount it at `/boot`
|
||||
4. Create an encrypted btrfs volume with the remaining data and name it something unique, do not mount it
|
||||
5. Create a btrfs subvolume called "root" and mount it at `/`
|
||||
6. Create a btrfs subvolume called "home" and mount it at `/home`
|
||||
7. Create any other btrfs subvolumes you might need (`/var`, for example)
|
||||
5. Take note of the ipv4 and ipv6 address. Update any DNS records at this time.
|
||||
6. Install and reboot
|
||||
|
||||
## Configuration
|
||||
|
||||
Once your server boots up we'll follow a basic playbook:
|
||||
|
||||
1. Change your password
|
||||
2. Configure automatic decryption for your encrypted drives at boot with TPM2
|
||||
3. Configure the package manager and apply updates
|
||||
4. Secure SSH with Fail2Ban
|
||||
5. Install Snapper for automatic snapshots to prevent accidental file deletion
|
||||
6. Install BorgBackup for automatic backups
|
||||
7. Install VM support
|
||||
8. Build some images
|
||||
9. Run some VMs
|
||||
Reference in New Issue
Block a user