# Fedora Server

Fedora Server is an awesome container hosting OS. It has a lot built in, and setup is pretty quick.

## Setup

```bash
scp .ssh/authorized_keys containers:~/.ssh/authorized_keys
```

```bash
sudo hostnamectl hostname containers
sudo dnf install vim
sudo vim /etc/ssh/sshd_config
sudo systemctl restart sshd
```

## Certbot for Cockpit

### Initial Setup

1. Create a "containers" user in AWS. Copy the permissions from Freenas.
2. Create credentials.
3. Add your credentials to root.
4. Install the AWS CLI v2.
5. Test your credentials with `aws route53 list-hosted-zones`.

```bash
sudo dnf install certbot python3-certbot-dns-route53
sudo certbot certonly --dns-route53 -d containers.reeselink.com
sudo certbot certonly --dns-route53 -d containers.reeseapps.com
sudo cp /etc/letsencrypt/live/containers.reeselink.com/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
sudo cp /etc/letsencrypt/live/containers.reeselink.com/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key
sudo cp /etc/letsencrypt/live/containers.reeseapps.com/fullchain.pem /etc/cockpit/ws-certs.d/60-letsencrypt.cert
sudo cp /etc/letsencrypt/live/containers.reeseapps.com/privkey.pem /etc/cockpit/ws-certs.d/60-letsencrypt.key
```

Test the renewal process with:

```bash
sudo certbot renew --cert-name containers.reeselink.com --dry-run
```

### Renewal

Create a renewal script at `/usr/lib/scripts/certbot-renew.sh`.

/usr/lib/scripts/certbot-renew.sh (chmod +x)

```bash
#!/bin/bash

/usr/bin/certbot renew --cert-name containers.reeselink.com
cp /etc/letsencrypt/live/containers.reeselink.com/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
cp /etc/letsencrypt/live/containers.reeselink.com/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key
```

Now create a systemd oneshot service to run the script.

/etc/systemd/system/certbot-renew.service

```conf
[Unit]
Description=Certbot Renewal

[Service]
Type=oneshot
ExecStart=/usr/lib/scripts/certbot-renew.sh
```

/etc/systemd/system/certbot-renew.timer

```conf
[Unit]
Description=Timer for Certbot Renewal

[Timer]
OnBootSec=300
OnUnitActiveSec=1w

[Install]
WantedBy=multi-user.target
```

Enable the timer:

```bash
systemctl enable --now certbot-renew.timer
```

### Disable FirewallD

Firewalld conflicts with k3s. Disable it from the UI.

## Disable SELinux

SELinux interferes with iSCSI mounts. Disable enforcement by setting permissive mode in `/etc/selinux/config`:

```bash
SELINUX=permissive
```

### Allow iSCSI

```bash
# Install the following system packages
sudo dnf install -y lsscsi iscsi-initiator-utils sg3_utils device-mapper-multipath

# Enable multipathing
sudo mpathconf --enable --with_multipathd y

# Ensure that iscsid and multipathd are running
sudo systemctl enable iscsid multipathd
sudo systemctl start iscsid multipathd

# Start and enable iscsi
sudo systemctl enable iscsi
sudo systemctl start iscsi
```
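
The `certbot-renew.sh` script in the Renewal section copies the certificate and key unconditionally, even when `certbot renew` failed or nothing changed. As an added example (not part of the original page), the function below deploys the pair only when both source files are present and differ from what is installed, staging each file with its final permissions and renaming it into place. The function name `deploy_pair`, its output strings, the return codes and the 0644/0600 file modes are assumptions of this example.

```shell
#!/bin/bash
# Added example, not the page's script: deploy a cert/key pair for Cockpit
# only when it changed, never leaving a half-written file behind.
# Hypothetical wiring from certbot-renew.sh:
#   deploy_pair /etc/letsencrypt/live/containers.reeselink.com \
#               /etc/cockpit/ws-certs.d/50-letsencrypt

deploy_pair() {
    local src="$1" dest="$2" tmp_cert tmp_key
    local cert="$src/fullchain.pem" key="$src/privkey.pem"

    # Refuse to deploy if either half is missing or empty (failed renewal).
    if [ ! -s "$cert" ] || [ ! -s "$key" ]; then
        echo "error: missing or empty $cert / $key" >&2
        return 2
    fi

    # Nothing to do when both deployed files are already identical.
    if cmp -s "$cert" "$dest.cert" && cmp -s "$key" "$dest.key"; then
        echo unchanged
        return 0
    fi

    # Stage beside the destination (mktemp creates mode 0600, so the key is
    # never world-readable), set final modes, then rename: a rename within
    # one directory is atomic, so readers never see a truncated file.
    tmp_cert="$(mktemp "$dest.cert.XXXXXX")" || return 3
    tmp_key="$(mktemp "$dest.key.XXXXXX")" || { rm -f "$tmp_cert"; return 3; }
    if ! { cat "$cert" > "$tmp_cert" && chmod 0644 "$tmp_cert" &&
           cat "$key" > "$tmp_key" && chmod 0600 "$tmp_key"; }; then
        rm -f "$tmp_cert" "$tmp_key"
        return 3
    fi
    mv -f "$tmp_key" "$dest.key" && mv -f "$tmp_cert" "$dest.cert" || return 3
    echo changed
}

# Run only when called with both arguments, e.g. from the renewal script.
if [ "$#" -eq 2 ]; then
    deploy_pair "$1" "$2"
fi
```
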