add volumes to graphite podman

add reptyr and netcat to arch distoolbox
add tpm2 luks decryption instructions for fedora kinoite
2025-03-12 16:41:56 -04:00 · 2025-03-12 16:41:40 -04:00 · 2025-03-12 16:41:19 -04:00
4 changed files with 65 additions and 24 deletions
--- a/infrastructure/graduated/distoolbox/arch-toolbox.containerfile
+++ b/infrastructure/graduated/distoolbox/arch-toolbox.containerfile
@@ -104,7 +104,9 @@ RUN pacman -S --noconfirm \
  # Fonts, so you never have to think about them again
  noto-fonts noto-fonts-cjk noto-fonts-emoji noto-fonts-extra \
  # Reattach to running processes
-  reptyr
+  reptyr \
+  # Netcat, for basic tcp/udp operations
+  openbsd-netcat

 ########################
 #####  Extra Apps  #####
@@ -154,8 +156,5 @@ RUN curl -L https://ollama.com/download/ollama-linux-amd64-rocm.tgz -o ollama-li
    rm ollama-linux-amd64-rocm.tgz

 # Set up ollama-server and ollama-kill scripts
-RUN mkdir /usr/local/bin/tbox-ollama
-COPY arch-toolbox-supporting-files/ollama-serve /usr/local/bin/tbox-ollama/ollama-serve
-COPY arch-toolbox-supporting-files/ollama-serve /usr/local/bin/tbox-ollama/ollama-kill
-COPY arch-toolbox-supporting-files/ollama-serve /usr/local/bin/tbox-ollama/ollama-log
-RUN chmod -R +x /usr/local/bin/tbox-ollama
+COPY arch-toolbox-supporting-files/ollama-* /usr/local/bin/
+RUN chmod -R +x /usr/local/bin
--- a/infrastructure/graduated/fedora/fedora-kinoite.md
+++ b/infrastructure/graduated/fedora/fedora-kinoite.md
@@ -1,16 +1,57 @@
 # Fedora Kinoite

 - [Fedora Kinoite](#fedora-kinoite)
+  - [TPM2 Luks Decryption](#tpm2-luks-decryption)
  - [Podman](#podman)
    - [Autostarting services with quadlets](#autostarting-services-with-quadlets)
  - [rpm-ostree](#rpm-ostree)
    - [Git, Vim, etc](#git-vim-etc)
    - [Libvirt, Qemu, KVM](#libvirt-qemu-kvm)
-    - [Docker Compose and Docker Buildkit with Rootless Podman](#docker-compose-and-docker-buildkit-with-rootless-podman)
  - [Network](#network)
    - [Hostname](#hostname)
    - [VLAN Setup with nmcli](#vlan-setup-with-nmcli)

+## TPM2 Luks Decryption
+
+Mostly taken from here:
+<https://gist.github.com/jdoss/777e8b52c8d88eb87467935769c98a95>
+
+PCR reference for `--tpm2-pcrs` args
+
+```text
+0: System firmware executable
+2: Kernel
+4: Bootloader
+7: Secure boot state
+8: Cmdline
+9: Initrd
+```
+
+Basic commands:
+
+```bash
+# Show tpm2 devices
+systemd-cryptenroll --tpm2-device=list
+# Show crypto luks block devices
+blkid -t TYPE=crypto_LUKS
+
+# Enroll the tpm2 device with systemd-cryptenroll
+systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9 /dev/nvme0n1p3
+
+# Reenroll
+systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9
+
+# Append to command line args
+rpm-ostree kargs --append=rd.luks.options=tpm2-device=auto
+```
+
+When you update you'll need to reenroll. Add this to your ~/.bashrc
+
+```bash
+# LUKS TPM2 commands
+alias tpm2-reenroll='sudo systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9'
+```
+
 ## Podman

 Since you'll be using podman for most container-based services, you'll want to set the
@@ -52,6 +93,15 @@ systemctl --user start ollama

 ## rpm-ostree

+Note: if you don't need them, remove extra repos
+
+I removed:
+
+1. rpmfusion-nonfree-steam.repo
+2. rpmfusion-nonfree-nvidia-driver.repo
+3. google-chrome.repo
+4. _copr\:copr.fedorainfracloud.org\:phracek\:PyCharm.repo
+
 ```bash
 # Search for available packages
 rpm-ostree search git
@@ -81,20 +131,6 @@ rpm-ostree install virt-manager libvirt
 systemctl enable --now libvirtd
 ```

-### Docker Compose and Docker Buildkit with Rootless Podman
-
-Allows you to use podman with full docker-compose compatibility.
-
-<https://emersion.fr/blog/2025/using-podman-compose-and-buildkit/>
-
-```bash
-rpm-ostree install docker-compose docker-buildx
-reboot
-systemctl --user enable --now podman.socket
-docker context create podman --docker host=unix://$XDG_RUNTIME_DIR/podman/podman.sock
-docker context use podman
-```
-
 ## Network

 ### Hostname
--- a/podman/incubating/graphite/graphite.container
+++ b/podman/incubating/graphite/graphite.container
@@ -6,11 +6,14 @@ Description=Graphite
 ContainerName=graphite
 Image=ghcr.io/deniszh/graphite-statsd
 Network=systemd-graphite
-PublishPort=127.0.0.1:8080:80
+PublishPort=8080:80
 PublishPort=2003-2004:2003-2004
 PublishPort=2023-2024:2023-2024
 PublishPort=8125:8125/udp
 PublishPort=8126:8126
+Volume=graphite_configs:/opt/graphite/conf
+Volume=graphite_data:/opt/graphite/storage
+Volume=graphite_statsd_config:/opt/statsd/config

 [Service]
 Restart=always
--- a/podman/incubating/graphite/graphite.md
+++ b/podman/incubating/graphite/graphite.md
@@ -20,6 +20,9 @@ podman run \
 -p 2023-2024:2023-2024 \
 -p 8125:8125/udp \
 -p 8126:8126 \
+-v graphite_configs:/opt/graphite/conf \
+-v graphite_data:/opt/graphite/storage \
+-v graphite_statsd_config:/opt/statsd/config \
 ghcr.io/deniszh/graphite-statsd > podman/incubating/graphite/graphite.container
 ```

@@ -31,6 +34,6 @@ scp podman/incubating/graphite/graphite.network $PODMAN_SERVER:/etc/containers/s
 scp podman/incubating/graphite/graphite.container $PODMAN_SERVER:/etc/containers/systemd/

 ssh $PODMAN_SERVER systemctl daemon-reload
-ssh $PODMAN_SERVER systemctl enable --now graphite.network
-ssh $PODMAN_SERVER systemctl enable --now graphite.service
+ssh $PODMAN_SERVER systemctl start graphite.network
+ssh $PODMAN_SERVER systemctl start graphite.service
 ```
Author	SHA1	Message	Date
ducoterra	2fbdde303a	add volumes to graphite podman All checks were successful Reese's Arch Toolbox / build-and-push-arch-toolbox (push) Successful in 45m21s Details	2025-03-12 16:41:56 -04:00
ducoterra	7479bcd493	add reptyr and netcat to arch distoolbox	2025-03-12 16:41:40 -04:00
ducoterra	34fad5846f	add tpm2 luks decryption instructions for fedora kinoite	2025-03-12 16:41:19 -04:00