# Fedora Kinoite

- [Fedora Kinoite](#fedora-kinoite)
  - [TPM2 Luks Decryption](#tpm2-luks-decryption)
  - [Podman](#podman)
    - [Docker Compose and Docker Buildkit with Rootless Podman](#docker-compose-and-docker-buildkit-with-rootless-podman)
  - [rpm-ostree](#rpm-ostree)
    - [Git, Vim, etc](#git-vim-etc)
    - [Libvirt, Qemu, KVM](#libvirt-qemu-kvm)
    - [ROCM](#rocm)
    - [Ollama](#ollama)
  - [Network](#network)
    - [Hostname](#hostname)
    - [VLAN Setup with nmcli](#vlan-setup-with-nmcli)
  - [GPU Support in Distrobox](#gpu-support-in-distrobox)
  - [Automatic Display Switching](#automatic-display-switching)

## TPM2 Luks Decryption

Mostly taken from here:

PCR reference for `--tpm2-pcrs` args

```text
0: System firmware executable
2: Kernel
4: Bootloader
7: Secure boot state
8: Cmdline
9: Initrd
```

Basic commands:

```bash
# Show tpm2 devices
systemd-cryptenroll --tpm2-device=list

# Show crypto luks block devices
blkid -t TYPE=crypto_LUKS

# Enroll the tpm2 device with systemd-cryptenroll
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9 /dev/nvme0n1p3

# Reenroll
systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9

# Append to command line args
rpm-ostree kargs --append=rd.luks.options=tpm2-device=auto
```

When you update you'll need to reenroll. Add this to your `~/.bashrc`:

```bash
# LUKS TPM2 commands
alias tpm2-reenroll='sudo systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9'
```

## Podman

Since you'll be using podman for most container-based services, you'll want to set the podman auth file to somewhere persistent, otherwise it'll get deleted every time you reboot.

Add this to your `.bashrc`:

```bash
# Podman auth file
export REGISTRY_AUTH_FILE=$HOME/.podman-auth.json
```

Source that and then run `podman login` to create the file.

### Docker Compose and Docker Buildkit with Rootless Podman

Allows you to use podman with full docker-compose compatibility.

```bash
rpm-ostree install docker-compose docker-buildx
reboot
systemctl --user enable --now podman.socket
docker context create podman --docker host=unix://$XDG_RUNTIME_DIR/podman/podman.sock
docker context use podman
```

### Autostarting services with quadlets

If you want to run something as your user at boot (like a systemd process, think ollama) you can create a user quadlet like so:

```bash
# Generate the .container file
podman run --rm ghcr.io/containers/podlet --install --description "Local AI" \
  podman run \
  -d \
  -v ollama:/root/.ollama \
  -p 11434:11434 \
  --name ollama \
  --restart always \
  docker.io/ollama/ollama > ~/.config/containers/systemd/ollama.container

# Verify the service (Note the filename:service, this is required! You will get "Failed to prepare filename" without it)
systemd-analyze verify ~/.config/containers/systemd/ollama.container:ollama.service

# Start the service
systemctl --user daemon-reload
systemctl --user start ollama
```

## rpm-ostree

Note: if you don't need them, remove extra repos.

I removed:

1. rpmfusion-nonfree-steam.repo
2. rpmfusion-nonfree-nvidia-driver.repo
3. google-chrome.repo
4. _copr\:copr.fedorainfracloud.org\:phracek\:PyCharm.repo

```bash
# Search for available packages
rpm-ostree search git

# Install a package
rpm-ostree install git

# Apply the installed package live
rpm-ostree apply-live

# Check what's been layered
rpm-ostree status
```

### Git, Vim, etc

Some packages are nice to have at the system level.

```bash
rpm-ostree install git vim
```

### Libvirt, Qemu, KVM

```bash
rpm-ostree install virt-manager libvirt
systemctl enable --now libvirtd
```

### ROCM

Credit to:

Here are most of the ROCM packages that you'll need.
Fedora is currently working on a ROCM meta package here:

```bash
rpm-ostree install \
  hipblas-devel \
  hipblaslt-devel \
  hipcc \
  hipcc-libomp-devel \
  hipcub-devel \
  hipfft-devel \
  hipfort-devel \
  hiprand-devel \
  hiprt-devel \
  hipsolver-devel \
  hipsparse-devel \
  rocalution-devel \
  rocblas-devel \
  rocfft-devel \
  rocm-clang-devel \
  rocm-clang-tools-extra-devel \
  rocm-cmake \
  rocm-comgr-devel \
  rocm-core-devel \
  rocm-hip-devel \
  rocm-libc++-devel \
  rocm-libc++-static \
  rocm-llvm-devel \
  rocm-omp-devel \
  rocm-runtime-devel \
  rocm-rpp-devel \
  rocm-smi-devel \
  rocminfo \
  rocdecode-devel \
  rocjpeg-devel \
  rocprim-devel \
  rocrand-devel \
  rocsolver-devel \
  rocsparse-devel \
  rocthrust-devel \
  roctracer-devel \
  miopen
```

### Ollama

Run the installation script as normal. Make sure you have the [ROCM](#rocm) drivers installed for GPU acceleration. The script *should* automatically pull the ROCM drivers after installing the base packages. If not, you should install them manually.

For starting ollama as a service, follow the link below with one exception.

```bash
# Change the recommended home dir to /var/home/ollama
sudo useradd -r -s /bin/false -U -m -d /var/home/ollama ollama
```

## Network

### Hostname

```bash
sudo hostnamectl hostname reesework16
```

### VLAN Setup with nmcli

```bash
# VLAN 2
nmcli conn
export NMCLI_DEVICE=enp195s0f4u1u3
nmcli connection add type VLAN con-name $NMCLI_DEVICE.2 dev $NMCLI_DEVICE id 2
```

## GPU Support in Distrobox

Fix for `error="failed to check permission on /dev/kfd: open /dev/kfd: invalid argument"`

```bash
# You have to add the video and render groups to /etc/group before you can use them
sudo grep -E '^video:' /usr/lib/group | sudo tee -a /etc/group
sudo grep -E '^render:' /usr/lib/group | sudo tee -a /etc/group
sudo usermod -aG video $USER
sudo usermod -aG render $USER
```

Log out and log back in to pick up the new groups.

## Automatic Display Switching

```bash
# List displays
# Builtin: eDP-2
# Roku: DP-13
# Lenovo: DP-11
kscreen-doctor -o

# Put the builtin display back to normal
kscreen-doctor \
  output.eDP-2.enable \
  output.eDP-2.position.0,0 \
  output.eDP-2.primary \
  output.eDP-2.mode.2560x1600@165 \
  output.eDP-2.scale.1.25

# Show on Roku TV and Monitor
kscreen-doctor \
  output.DP-11.enable \
  output.DP-11.position.0,0 \
  output.DP-11.mode.2560x1440@60 \
  output.DP-11.scale.1 \
  output.DP-13.enable \
  output.DP-13.position.0,0 \
  output.DP-13.mode.2560x1440@100 \
  output.DP-13.scale.1 \
  output.DP-13.primary \
  output.eDP-2.disable

# Show only on the roku TV
kscreen-doctor \
  output.DP-11.enable \
  output.DP-11.position.0,0 \
  output.DP-11.primary \
  output.DP-11.mode.3840x2160@60 \
  output.DP-11.scale.2 \
  output.DP-13.disable \
  output.eDP-2.disable

# Mirror the builtin display to the roku tv
kscreen-doctor \
  output.DP-11.enable \
  output.DP-11.position.0,0 \
  output.DP-11.primary \
  output.DP-11.mode.3840x2160@60 \
  output.DP-11.scale.2 \
  output.eDP-2.enable \
  output.eDP-2.mode.1920x1080@60 \
  output.eDP-2.scale.1 \
  output.eDP-2.position.0,0
```
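
Back on the [TPM2 Luks Decryption](#tpm2-luks-decryption) steps: the following is an added example, not part of the original notes, that audits a LUKS2 header after enrolling or re-enrolling. It checks that exactly one TPM2 token exists, that it is bound to the PCR set used above, and that a non-TPM keyslot remains as a fallback. The `SAMPLE` metadata is constructed; it assumes the JSON layout printed by `cryptsetup luksDump --dump-json-metadata` with a `systemd-tpm2` token, and the function names are hypothetical.

```python
import json

# Constructed sample shaped like `cryptsetup luksDump --dump-json-metadata <dev>`
# output (trimmed); token 1 is a stale enrollment left by enrolling twice
# without --wipe-slot=tpm2.
SAMPLE = json.loads("""
{
  "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}, "2": {"type": "luks2"}},
  "tokens": {
    "0": {"type": "systemd-tpm2", "keyslots": ["1"],
          "tpm2-pcrs": [0, 2, 4, 7, 8, 9], "tpm2-pcr-bank": "sha256"},
    "1": {"type": "systemd-tpm2", "keyslots": ["2"],
          "tpm2-pcrs": [7], "tpm2-pcr-bank": "sha256"}
  }
}
""")

EXPECTED_PCRS = {0, 2, 4, 7, 8, 9}  # the --tpm2-pcrs set used on this page


def tpm2_tokens(meta):
    """Return (token_id, keyslots, pcr_set) for every systemd-tpm2 token."""
    return [(tid, set(tok.get("keyslots", [])), set(tok.get("tpm2-pcrs", [])))
            for tid, tok in sorted(meta.get("tokens", {}).items())
            if tok.get("type") == "systemd-tpm2"]


def audit(meta, expected=EXPECTED_PCRS):
    """Return a list of findings; an empty list means the header matches policy."""
    findings = []
    tokens = tpm2_tokens(meta)
    if not tokens:
        findings.append("no systemd-tpm2 token enrolled")
    if len(tokens) > 1:
        findings.append(f"{len(tokens)} TPM2 tokens present; re-enroll with --wipe-slot=tpm2")
    tpm_slots = set()
    for tid, slots, pcrs in tokens:
        tpm_slots |= slots
        if pcrs != expected:
            findings.append(f"token {tid}: missing PCRs {sorted(expected - pcrs)}, "
                            f"unexpected PCRs {sorted(pcrs - expected)}")
    if not set(meta.get("keyslots", {})) - tpm_slots:
        findings.append("no passphrase or recovery keyslot outside the TPM2 binding")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE) or ["ok"]:
        print(line)
```

To run it against a real device, replace `SAMPLE` with the parsed output of `sudo cryptsetup luksDump --dump-json-metadata /dev/nvme0n1p3`.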