# Fedora Server

- [Fedora Server](#fedora-server)
  - [Installation](#installation)
  - [Setup SSH](#setup-ssh)
  - [DNF](#dnf)
  - [Power Profiles with Tuned](#power-profiles-with-tuned)
  - [Fail2Ban](#fail2ban)
  - [BTRFS Parent Volumes](#btrfs-parent-volumes)
  - [BTRFS Snapshots](#btrfs-snapshots)
    - [Snapper Installation](#snapper-installation)
    - [Snapper Cleanup](#snapper-cleanup)
  - [BTRFS Maintenance](#btrfs-maintenance)
  - [TPM2 Luks Decryption](#tpm2-luks-decryption)
  - [Change your password](#change-your-password)
  - [Automatic Updates](#automatic-updates)
  - [Monitoring](#monitoring)
    - [Glances](#glances)
    - [Disk Usage](#disk-usage)
    - [Disk Wear](#disk-wear)
  - [Common Storage Mounts](#common-storage-mounts)
  - [Network Bridge](#network-bridge)
  - [Virtualization](#virtualization)
    - [Virtualization Troubleshooting](#virtualization-troubleshooting)
    - [QEMU Images](#qemu-images)
    - [Shared directory with VM Guest](#shared-directory-with-vm-guest)
  - [Firewalld](#firewalld)
  - [Backups](#backups)
    - [Connect to the ISCSI Backup Target](#connect-to-the-iscsi-backup-target)
      - [Connect to Backup Target with Cockpit](#connect-to-backup-target-with-cockpit)
      - [Connect to Backup Target with iscsiadm](#connect-to-backup-target-with-iscsiadm)
      - [Format backup disk](#format-backup-disk)
      - [Troubleshooting Backup ISCSI Connection](#troubleshooting-backup-iscsi-connection)
    - [Quick Backup](#quick-backup)
    - [Regular Backups with Borg](#regular-backups-with-borg)
  - [Version Upgrades](#version-upgrades)
  - [Optional Steps](#optional-steps)
    - [Disable Swap](#disable-swap)
    - [Disable Selinux](#disable-selinux)
    - [Downgrading Kernel](#downgrading-kernel)
    - [Resize logical volume](#resize-logical-volume)
    - [Create XFS LVM](#create-xfs-lvm)
    - [LVM Thin Provisioning](#lvm-thin-provisioning)
    - [Set eui64 on network interface](#set-eui64-on-network-interface)
    - [Install and Enable Cockpit](#install-and-enable-cockpit)
  - [Troubleshooting](#troubleshooting)
    - [Cockpit Terminal Unusable or Weird Colors](#cockpit-terminal-unusable-or-weird-colors)
    - [Chroot into a mounted disk](#chroot-into-a-mounted-disk)
    - [Resize Last Partition to Fill Available Space](#resize-last-partition-to-fill-available-space)
    - [LUKS performance](#luks-performance)
  - [Set up firewall](#set-up-firewall)
  - [Dual Boot with Fingerprint Scanner Issues](#dual-boot-with-fingerprint-scanner-issues)
  - [Revert Kernel (if needed)](#revert-kernel-if-needed)
  - [Reverting linux-firmware](#reverting-linux-firmware)
  - [Make DNF Fast](#make-dnf-fast)
  - [Install Useful Packages](#install-useful-packages)
  - [Set Hostname](#set-hostname)
  - [Install updates](#install-updates)
  - [Extensions](#extensions)
  - [Gnome Tweaks](#gnome-tweaks)
  - [Flatpack](#flatpack)
  - [Snap](#snap)
  - [AppImage Launcher](#appimage-launcher)
  - [Backups](#backups-1)
    - [Create Encrypted Drive](#create-encrypted-drive)
    - [Backup Disks](#backup-disks)
      - [Disk Health](#disk-health)
    - [Create BTRBK Config](#create-btrbk-config)
    - [Create Systemd Timer](#create-systemd-timer)
    - [Test, Start and Enable service](#test-start-and-enable-service)
    - [Restore](#restore)
  - [Firewall CMD](#firewall-cmd)
  - [Bluetooth](#bluetooth)
    - [Airpods](#airpods)
  - [ZRAM](#zram)
  - [Automatic Disk Decryption with TPM2](#automatic-disk-decryption-with-tpm2)
  - [Firefox GPU Rendering](#firefox-gpu-rendering)
  - [Gnome Software Updates (packagekitd and software)](#gnome-software-updates-packagekitd-and-software)
  - [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed)
  - [Power Button Behavior](#power-button-behavior)
  - [Discord](#discord)
    - [Discord sharing not working](#discord-sharing-not-working)
  - [Minecraft](#minecraft)
  - [Sound Devices](#sound-devices)
  - [Install ffmpegthumbnailer, remove totem](#install-ffmpegthumbnailer-remove-totem)
  - [Add compatibility for HEIC to mogrify](#add-compatibility-for-heic-to-mogrify)

Note these instructions differentiate between an `operator` and a `server`. The operator can be any machine that configures the server: a pipeline, a laptop, a dedicated server, etc. The server can be its own operator, though that's not recommended, since servers should be ephemeral and the operator will store information about each server.

## Installation

1. Configure network first
   1. Set a hostname
   2. Disable ipv6 privacy extensions
2. Software Selection
   1. Headless Management
3. User Creation
   1. Set a simple password, we'll change it later
4. Disk partitioning
   1. Select manual (blivet) partitioning
   2. Create a 1GB EFI system partition and mount it at `/boot/efi`
   3. Create a 1GB ext4 partition and mount it at `/boot`
   4. Create a btrfs volume with the remaining space and name it something unique, do not mount it
   5. Create a btrfs subvolume called "root" and mount it at `/`
   6. Create any other btrfs subvolumes you might need
5. Take note of the ipv4 and ipv6 address. Update any DNS records at this time.
6. Install and reboot

## Setup SSH

See [README](/README.md#ssh-setup)

## DNF

Configure dnf to use the fastest mirror:

```bash
echo 'fastestmirror=1' >> /etc/dnf/dnf.conf
dnf clean all
dnf update --refresh -y
# libdnf5 is required for ansible to work
dnf install -y git glances tmux vim python3-libdnf5 borgbackup tpm2-tools
```

## Power Profiles with Tuned

1. `dnf install tuned`
2. `systemctl enable --now tuned`
3. `tuned-adm profile virtual-host`

## Fail2Ban

On the server:

```bash
# Run tmux session
tmux
dnf install -y fail2ban

# Setup initial rules (heredoc written to the local jail override)
cat <<'EOF' > /etc/fail2ban/jail.local
# Jail configuration additions for local installation
# Adjust the default configuration's default values
[DEFAULT]
# Optional: enter a trusted IP never to ban
# ignoreip = 2600:1700:1e6c:a81f::0/64
bantime = 6600
backend = auto

# The main configuration file defines all services but
# deactivates them by default. We have to activate those needed
[sshd]
enabled = true
EOF

systemctl enable fail2ban --now

# OPTIONAL: follow logs
tail -f /var/log/fail2ban.log
```

Checking, banning, unbanning

```bash
# See banned clients
fail2ban-client banned
# See jails (sshd should be one of them)
fail2ban-client status
# Unban a client from the sshd jail
fail2ban-client set sshd unbanip <ip>
```

## BTRFS Parent Volumes

In `/etc/fstab`, add the parent volumes for your disks, mounted with `subvolid=5` under `/btrfs`, so you can see all subvolumes.

```conf
UUID=64beedac-c0c9-48bf-a3ae-7707df6ebc97 /btrfs/3dserver-root btrfs subvolid=5,compress=zstd:1,x-systemd.device-timeout=0 0 0
UUID=3c76b83f-7547-4c18-b08f-9e7902022b8d /btrfs/3dserver-data btrfs subvolid=5,compress=zstd:1,x-systemd.device-timeout=0 0 0
```

```bash
systemctl daemon-reload
mount -a --mkdir
```

## BTRFS Snapshots

### Snapper Installation

We'll be using snapper, a tool for automating and controlling snapshot behavior.

```bash
dnf install -y snapper dnf-plugin-snapper
# Allow selinux management
semanage permissive -a snapperd_t
# Note, if you mess something up you can run snapper -c root delete-config to delete
# System configs are stored in /etc/sysconfig/snapper as well as /etc/snapper
snapper -c boot create-config /boot
snapper -c root create-config /
snapper -c home create-config /home
# Enable automatic snapshots
systemctl enable --now snapper-timeline.timer
# Enable automatic cleanup
systemctl enable --now snapper-cleanup.timer
# Enable snapshots on boot
systemctl enable --now snapper-boot.timer
```

### Snapper Cleanup

```bash
# List snapshots
snapper -c root list
# Create snapshot manually
snapper -c root create --description "test snapshot"
# Delete first snapshot
snapper -c root delete 1
# Delete snapshots between 655-857
snapper -c root delete 655-857
```

Note - you probably don't want to keep yearly snapshots. Edit `/etc/snapper/configs/root` and change `TIMELINE_LIMIT_YEARLY=` to `0`.
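The sshd jail configured in the Fail2Ban section above works by counting failed-login lines per source address and banning a source once it crosses `maxretry`. The script below is an added example, not part of the original notes or of fail2ban itself: it reproduces that counting over a few constructed auth-log lines so you can see what the jail would act on (the function names, the `maxretry` value of 3 and the sample addresses are all assumptions made for the example).

```bash
#!/bin/bash
# Added example (not from the original notes): count failed sshd logins per source
# address the way fail2ban's sshd jail does, then list the sources that crossed the
# retry threshold. The log lines below are constructed sample data.

sample_auth_log() {
  cat <<'EOF'
Mar 10 02:11:01 server sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 02:11:03 server sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 02:11:05 server sshd[1203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 10 02:11:09 server sshd[1205]: Accepted publickey for ducoterra from 192.0.2.10 port 40210 ssh2
Mar 10 02:12:14 server sshd[1207]: Failed password for root from 198.51.100.23 port 60001 ssh2
Mar 10 02:12:20 server sshd[1209]: Invalid user test from 203.0.113.7 port 51040
EOF
}

# Read log lines on stdin and print "<count> <ip>" for each source, highest first.
# Only "Failed password" and "Invalid user" events count; accepted logins are ignored.
failed_logins_by_ip() {
  awk '
    /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
      for (i = 1; i <= NF; i++) if ($i == "from") count[$(i + 1)]++
    }
    END { for (ip in count) print count[ip], ip }
  ' | sort -rn
}

# Print the sources at or above the retry threshold, skipping one trusted address
# (the equivalent of fail2ban's maxretry and ignoreip settings).
#   usage: sources_to_ban <maxretry> [ignoreip]
sources_to_ban() {
  local maxretry="${1:-5}" ignore="${2:-}"
  failed_logins_by_ip |
    awk -v max="$maxretry" -v ignore="$ignore" '$1 >= max && $2 != ignore { print $2 }'
}

# On the sample data only 203.0.113.7 reaches three failures.
sample_auth_log | sources_to_ban 3
```

On a live system the same functions read the real journal, for example `journalctl -u sshd --no-pager | sources_to_ban 5`; the output is what you would expect to see in `fail2ban-client status sshd` once the jail is running.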
## BTRFS Maintenance

```bash
# Start a scrub with low impact/priority at / (good for servers)
btrfs scrub start -c idle /
# Start a scrub in the foreground and monitor
btrfs scrub start -c idle -B -d /
# Check for errors
dmesg -T | grep btrfs
```

## TPM2 Luks Decryption

Mostly taken from here:

PCR reference for `--tpm2-pcrs` args

```text
0: System firmware executable
2: Kernel
4: Bootloader
7: Secure boot state
8: Cmdline
9: Initrd
```

Note, if your threat model is people trying to get data off your old disks after you throw them away, you can set `--tpm2-pcrs=""`. Someone with physical access to your machine could then get into your encrypted partition by manipulating the boot parameters, but you're guaranteed to unlock despite updates and upgrades.

Basic commands:

```bash
# Run tmux session
tmux
# Show tpm2 devices
systemd-cryptenroll --tpm2-device=list
# Show crypto luks block devices
blkid -t TYPE=crypto_LUKS
# Enroll the tpm2 device with systemd-cryptenroll
systemd-cryptenroll /dev/nvme0n1p3 --tpm2-device=auto --tpm2-pcrs=""

####################
##### OPTIONAL #####
####################
# If you have lots of devices to decrypt (like a btrfs raid array), use these commands.
# Get all crypto luks partitions
blkid | grep crypto_LUKS
# List them all space-separated and drop the '/dev'
LUKS_DEVS="nvme0n1p4 nvme1n1p1 nvme2n1p1 nvme3n1p1 nvme5n1p1 nvme4n1p1 nvme6n1p1"
# Check that your list is good
for dev in $LUKS_DEVS; do echo will enroll /dev/$dev; done
# Enroll
for dev in $LUKS_DEVS; do \
  echo "Enrolling /dev/$dev"; \
  systemd-cryptenroll /dev/$dev --tpm2-device=auto --tpm2-pcrs=""; \
done
########################
##### END OPTIONAL #####
########################

# Add the tpm2 module to the initramfs
echo "add_dracutmodules+=\" tpm2-tss \"" | tee /etc/dracut.conf.d/tpm2.conf
dracut -f
```

Finally, `vim /etc/default/grub` and add `rd.luks.options=tpm2-device=auto` to `GRUB_CMDLINE_LINUX`.

```bash
# Update Grub
grub2-mkconfig -o /boot/grub2/grub.cfg
reboot
# Cross your fingers that you don't have to go type in the password manually.
# Yes, 60 full seconds is too long. Go type your password in.
```

If you need to reenroll for some reason:

```bash
# Reenroll
systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=""
```

## Change your password

In Cockpit navigate to Accounts -> user -> Set password

## Automatic Updates

In Cockpit navigate to Software updates -> Automatic updates -> Install -> Security updates only

## Monitoring

In Cockpit: Overview -> View metrics and history -> Install PCP Support -> Metrics settings -> Turn on Collect Metrics

### Glances

```bash
dnf install -y glances python3-jinja2
systemctl enable --now glances
firewall-cmd --permanent --zone=FedoraServer --add-port=61208/tcp
firewall-cmd --reload
```

### Disk Usage

```bash
# Show size of folder excluding snapshots
du --exclude .snapshots -sh .
# Show size of every entry in your current dir
for folder in *; do du --exclude .snapshots -sh "$folder"; done
# Calculate all folder sizes in current dir
alias {dudir,dud}='du -h --max-depth 1 | sort -h'
# Calculate all file sizes in current dir
alias {dufile,duf}='ls -lhSr'
```

### Disk Wear

TODO

## Common Storage Mounts

Note: mount these before you install the relevant package!

1. For virtual machines: `/var/lib/libvirt`
2. For podman: `/var/lib/containers`
3. For docker: `/var/lib/docker`

## Network Bridge

Networking -> Add bridge -> add network interface and save

```bash
nmcli connection modify bridge0 ipv6.addr-gen-mode eui64
```

## Virtualization

Don't forget to add a btrfs subvolume for `/var/lib/libvirt`

```bash
# Since we already created our /btrfs mountpoint, this volume will show up automatically
# at /btrfs/libvirt
btrfs sub create /btrfs/libvirt
```

Now create an fstab entry that mounts the volume at `/var/lib/libvirt`

```conf
UUID=... /var/lib/libvirt btrfs subvol=libvirt,compress=zstd:1,x-systemd.device-timeout=0 0 0
```

Mount the libvirt volume:

```bash
systemctl daemon-reload
mount -a --mkdir
# Check that the mount was successful. This will print something if our mount worked.
mount | grep -i /var/lib/libvirt
```

Create a snapshot schedule for libvirt.

```bash
snapper -c libvirt create-config /var/lib/libvirt
# Don't forget to edit "YEARLY" at /etc/snapper/configs/libvirt
```

Install and enable the virtualization service.

```bash
dnf group install --with-optional virtualization
systemctl enable --now libvirtd
```

Install the cockpit machines application.

### Virtualization Troubleshooting

```bash
# Oops, I did this after I installed virtualization
rsync -av /var/lib/libvirt/ /btrfs/libvirt/
rm -rf /var/lib/libvirt
# Find the path to your btrfs volume
lsblk
# Recreate the (now empty) mount point and mount the subvolume on it
mkdir -p /var/lib/libvirt
mount -o subvol=libvirt /dev/mapper/luks-... /var/lib/libvirt
```

### QEMU Images

```bash
# Grow an image to 2TB
qemu-img resize nextcloud_aio-fcfgp.qcow2 2T
```

```bash
# Convert OVA to img
qemu-img convert -f vmdk -O raw in.vmdk out.img
# Convert qcow2 to img
qemu-img convert -f qcow2 -O raw in.qcow2 out.img
```

### Shared directory with VM Guest

```bash
mount -t virtiofs [mount tag] [mount point]
```

## Firewalld

Set the default firewalld zone to `public`

```bash
# Note, you probably don't have to do this. Check Cockpit Network -> Firewall
# firewall-cmd --set-default-zone=public
```

Firewalld will be on and blocking by default. You can check the zone and allowed ports with:

```bash
firewall-cmd --get-active-zones
firewall-cmd --get-default-zone
firewall-cmd --zone=public --list-ports
firewall-cmd --zone=public --list-services
```

Allow Cockpit with

```bash
firewall-cmd --permanent --zone=public --add-port=9090/tcp
firewall-cmd --reload
```

Remove cockpit with

```bash
firewall-cmd --permanent --zone=public --remove-port=9090/tcp
```

Add a custom source for a service

```bash
sudo firewall-cmd --new-zone=home --permanent
sudo firewall-cmd --zone=home --add-source=10.2.0.0/24 --permanent
sudo firewall-cmd --zone=home --add-port=10700/tcp --permanent
sudo firewall-cmd --reload
```

## Backups

Note: this assumes you've set up [an iscsi backup disk](/active/os_truenas/truenas.md#iscsi-backup-volumes)

### Connect to the ISCSI Backup Target

#### Connect to Backup Target with Cockpit

1. Storage -> Hamburger menu -> Add iSCSI portal
2. Type your portal address, username, and password

#### Connect to Backup Target with iscsiadm

```bash
# Set username and password for discovered nodes
# Optionally you can add "-T <target-iqn>" to specify which target has the username/password
iscsiadm -m node \
  -o update \
  -n node.session.auth.username -v username \
  -n node.session.auth.password -v password
# Set replacement_timeout to 10 minutes in case server reboots
iscsiadm -m node \
  -o update \
  -n node.session.timeo.replacement_timeout -v 600
systemctl restart iscsid
# Discover targets
iscsiadm -m discovery -t st -p drivework.reeselink.com
# Login to all nodes
iscsiadm -m node -l
```

#### Format backup disk

```bash
# list disks
lsblk
# Create partition
fdisk /dev/sdx
# Format partition with btrfs
mkfs.btrfs /dev/sdx1
# Get the UUID
blkid /dev/sdx1
```

Update `/etc/fstab` with the iscsi disk details. Note:

- `x-systemd.automount` only mounts the device when it's accessed.
- `x-systemd.mount-timeout=30` allows a 30 second timeout
- `_netdev` ensures the device won't be mounted until after the network is available

```conf
UUID=... /btrfs/some-name btrfs subvolid=5,compress=zstd:1,x-systemd.automount,x-systemd.mount-timeout=30,_netdev 0 0
```

#### Troubleshooting Backup ISCSI Connection

```bash
# List targets
iscsiadm -m node
# Delete node
iscsiadm -m node -o delete -T iqn.2022-01.com.reeselink:driveripper:iqn.2022-01.com.reeselink:driveripper
# List discovered targets
iscsiadm -m discovery
# Delete from discovery db
iscsiadm -m discoverydb -t sendtargets -p driveripper.reeselink.com -o delete
```

### Quick Backup

```bash
rsync -av --progress --exclude '.snapshots' /btrfs/yellow/root /btrfs/backup-yellow --dry-run
```

### Regular Backups with Borg

See [borg.md](/active/systemd_borg/borg.md)

## Version Upgrades

```bash
# Make sure to be fully up to date first
dnf upgrade --refresh
reboot
# Set the releasever to the version you want to upgrade to
dnf system-upgrade download --releasever=43
dnf system-upgrade reboot
```

## Optional Steps

### Disable Swap

```bash
swapoff -a
zramctl --reset /dev/zram0
dnf -y remove zram-generator-defaults
```

### Disable Selinux

By default selinux will be enforcing. You can set it to permissive with

```bash
setenforce 0
```

And then make it permanent by editing `/etc/selinux/config` and inserting `SELINUX=permissive`.

### Downgrading Kernel

```bash
dnf install koji
# Note: format is kernel-version.fedora-version
cd $(mktemp -d) && koji download-build --arch=x86_64 --arch=noarch kernel-6.11.3-300.fc41 && dnf install ./*
reboot
```

### Resize logical volume

```bash
# Replace /dev/sda2 with whatever your disks are
# This assumes xfs
pvresize /dev/sda2
lvextend /dev/mapper/root -l+100%FREE
xfs_growfs -d /dev/mapper/root
```

### Create XFS LVM

If you get the error "Not creating system devices file due to existing VGs." run `vgimportdevices -a` and check `/etc/lvm/devices/system.devices`

1. Create a new partition for the Physical Volume (fdisk)

```bash
# Create the physical volume
pvcreate /dev/vda4
# Create the volume group (vgcreate <vg-name> <pv>)
vgcreate nextcloud_data /dev/vda4
# Create the logical volume (lvcreate -L <size> -n <lv-name> <vg-name>)
# Or lvcreate -l 100%FREE
lvcreate -l 100%FREE -n nextcloud_data_vol nextcloud_data
# list the PV, VG, LV
pvs
vgs
lvs
# Format lv
mkfs.btrfs /dev/nextcloud_data/nextcloud_data_vol
```

### LVM Thin Provisioning

If you get the error "Not creating system devices file due to existing VGs." run `vgimportdevices -a` and check `/etc/lvm/devices/system.devices`

Thin provisioning allows you to overprovision your storage drives to make the filesystem think it has more space than it does.

```bash
# Create the physical volume
pvcreate /dev/vda4
# Create the volume group
vgcreate vg0 /dev/vda4
# Create the thin pool - the volume with real data that will hold our thin volumes with fake data
lvcreate -l 100%FREE -T vg0/thinpool
# Create the thin volumes with fake data
lvcreate -T -V 2T vg0/thinpool -n local-path-provisioner
lvcreate -T -V 2T vg0/thinpool -n docker-data
# Format the fake volumes
mkfs.xfs /dev/mapper/vg0-local--path--provisioner
mkfs.xfs /dev/mapper/vg0-docker--data
```

### Set eui64 on network interface

```bash
nmcli connection modify Wired\ connection\ 1 ipv6.addr-gen-mode eui64
nmcli connection modify Wired\ connection\ 1 ipv6.ip6-privacy disabled
systemctl restart NetworkManager
```

### Install and Enable Cockpit

```bash
dnf install cockpit
systemctl enable --now cockpit.socket
firewall-cmd --add-service=cockpit
firewall-cmd --add-service=cockpit --permanent
```

## Troubleshooting

### Cockpit Terminal Unusable or Weird Colors

Make sure you give canvas access to the browser (especially in librewolf)

### Chroot into a mounted disk

This lets you run grub2-mkconfig among other things.

```bash
# Mount root
mount /dev/mapper/vg0-root /mnt
# Mount proc, sys, and dev into the new root
mount -t proc /proc /mnt/proc
mount --rbind /sys /mnt/sys
mount --rbind /dev /mnt/dev
# Mount boot and efi
mount /dev/vdb2 /mnt/boot
mount /dev/vdb1 /mnt/boot/efi
chroot /mnt
```

### Resize Last Partition to Fill Available Space

```bash
parted /dev/vdb
# to resize /dev/vdb3 to fill 100% of the disk, for example
resizepart 3 100%
quit
# Resize the physical volume to match the partition
pvresize /dev/vdb3
```

### LUKS performance

```bash
cryptsetup benchmark
```

Should output something like:

```text
#     Algorithm |       Key |      Encryption |      Decryption
        aes-cbc        128b      1409.1 MiB/s      3627.9 MiB/s
    serpent-cbc        128b       146.5 MiB/s       981.4 MiB/s
    twofish-cbc        128b       289.8 MiB/s       613.3 MiB/s
        aes-cbc        256b      1100.2 MiB/s      3448.2 MiB/s
    serpent-cbc        256b       150.3 MiB/s       982.1 MiB/s
    twofish-cbc        256b       294.3 MiB/s       590.8 MiB/s
        aes-xts        256b      4423.5 MiB/s      4561.2 MiB/s
    serpent-xts        256b       874.9 MiB/s       883.7 MiB/s
    twofish-xts        256b       557.8 MiB/s       559.4 MiB/s
        aes-xts        512b      4551.2 MiB/s      4669.6 MiB/s
    serpent-xts        512b       890.8 MiB/s       860.5 MiB/s
    twofish-xts        512b       557.5 MiB/s       564.2 MiB/s
```

This tells you how fast you can theoretically write to and read from encrypted drives. The default encryption used by most modern operating systems is AES-XTS.
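The benchmark table above is only useful once you turn it into a decision: which cipher and key size to use for a new LUKS volume, and whether the one you already have is the fast one. The script below is an added example, not part of the original notes or of cryptsetup: it parses the `cryptsetup benchmark` table format and picks the row with the best throughput. The table embedded in it is a constructed sample in the same layout as the output shown above, and the function names are assumptions made for the example.

```bash
#!/bin/bash
# Added example (not from the original notes): parse `cryptsetup benchmark` output and
# pick the cipher/key size with the highest throughput. The table below is a
# constructed sample laid out like real benchmark output (header lines included).

sample_benchmark() {
  cat <<'EOF'
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha256    1234567 iterations per second for 256-bit key
#     Algorithm |       Key |      Encryption |      Decryption
        aes-cbc        128b      1409.1 MiB/s      3627.9 MiB/s
    serpent-cbc        128b       146.5 MiB/s       981.4 MiB/s
    twofish-cbc        128b       289.8 MiB/s       613.3 MiB/s
        aes-cbc        256b      1100.2 MiB/s      3448.2 MiB/s
        aes-xts        256b      4423.5 MiB/s      4561.2 MiB/s
    serpent-xts        256b       874.9 MiB/s       883.7 MiB/s
        aes-xts        512b      4551.2 MiB/s      4669.6 MiB/s
    twofish-xts        512b       557.5 MiB/s       564.2 MiB/s
EOF
}

# Effective throughput of one cipher, read from the table on stdin: the lower of its
# encryption and decryption rates, since a disk that is both written and read is
# bound by the slower direction.
#   usage: cipher_throughput <algorithm> <key>, e.g. cipher_throughput aes-xts 512b
cipher_throughput() {
  awk -v alg="$1" -v key="$2" '
    $1 == alg && $2 == key && $4 == "MiB/s" {
      m = ($3 < $5) ? $3 : $5
      print m
    }'
}

# Print "<algorithm> <key>" for the row with the best effective throughput.
# Data rows are recognised by a key column like "256b" followed by a MiB/s column,
# which skips the comment and PBKDF header lines.
fastest_cipher() {
  awk '
    BEGIN { best = 0 }
    $2 ~ /^[0-9]+b$/ && $4 == "MiB/s" {
      m = ($3 < $5) ? $3 : $5
      if (m + 0 > best) { best = m + 0; name = $1 " " $2 }
    }
    END { print name }'
}

sample_benchmark | fastest_cipher   # aes-xts 512b on the sample table
```

On a real machine run `cryptsetup benchmark | fastest_cipher` and compare the result with the cipher reported by `cryptsetup luksDump <device> | grep -i cipher` for your existing volumes; the key size in the table is the full XTS key, so `aes-xts 512b` corresponds to AES-256 in XTS mode.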
You can see your system's cipher and key with `cryptsetup luksDump /dev/nvme0n1p1 | grep -i cipher`

## Set up firewall

`sudo vim /etc/firewalld/firewalld.conf`

```conf
LogDenied=all
```

```bash
# Restart and reload the firewalld service
sudo systemctl restart firewalld.service
# List all available firewalld zones and what they do
sudo firewall-cmd --list-all-zones
# Set the default firewall zone to public
sudo firewall-cmd --set-default-zone public
# Open a port temporarily
sudo firewall-cmd --add-port=25565/tcp
```

Monitor blocked traffic

```bash
sudo journalctl -f | grep -i REJECT
sudo journalctl -f | grep -i DROP
```

## Dual Boot with Fingerprint Scanner Issues

The script below will clear the existing fingerprints from the reader's internal storage.

```python
#!/usr/bin/python3
import gi
gi.require_version('FPrint', '2.0')
from gi.repository import FPrint

ctx = FPrint.Context()
for dev in ctx.get_devices():
    print(dev)
    print(dev.get_driver())
    print(dev.props.device_id)
    dev.open_sync()
    dev.clear_storage_sync()
    print("All prints deleted.")
    dev.close_sync()
```

## Revert Kernel (if needed)

With koji

```bash
# Install koji (if you don't have it)
sudo dnf install -y koji
# Search for the desired kernel version (quoted so the shell doesn't expand the glob)
koji search build 'kernel-6.18.3*'
# Create a temporary directory to store the downloaded kernel packages
sudo -i
mkdir /root/kernel-download-6.18.3
cd /root/kernel-download-6.18.3
# Download the kernel packages
koji download-build --arch=x86_64 kernel-6.18.3-200.fc43
rm -f *debug*.rpm
rm -f *uki*.rpm
# Install all downloaded rpms
dnf install ./*.rpm
reboot
```

If you need to revert to previously installed kernels:

```bash
# Find the kernels you have installed
rpm -qa kernel
# List available kernels
ls /boot | grep vmlinuz
# Revert to a previous kernel
grubby --set-default /boot/vmlinuz-6.18.3...
```

This might throw errors when updating to newer kernels (file not found). To restore back to the original kernel:

```bash
# If this directory exists, it's the problem
ls -d "/boot/efi/$(cat /etc/machine-id)"
# Move that directory out of the way
mv "/boot/efi/$(cat /etc/machine-id)" "/boot/efi/$(cat /etc/machine-id)_disabled"
# Reinstall the new kernel
dnf reinstall 'kernel*-0:6.18.8*'
```

## Reverting linux-firmware

```bash
sudo -i
mkdir -p /root/linux-firmware-downgrade
cd /root/linux-firmware-downgrade
wget -r -np -nd -A '*.rpm' https://kojipkgs.fedoraproject.org/packages/linux-firmware/20251111/1.fc43/noarch/
dnf install ./*.rpm
dracut -f --kver 6.18.3...
reboot
```

## Make DNF Fast

```bash
echo 'fastestmirror=1' | sudo tee -a /etc/dnf/dnf.conf
echo 'max_parallel_downloads=10' | sudo tee -a /etc/dnf/dnf.conf
echo 'deltarpm=true' | sudo tee -a /etc/dnf/dnf.conf
```

`/etc/dnf/dnf.conf`

```conf
[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=True
best=False
skip_if_unavailable=True
fastestmirror=1
max_parallel_downloads=10
deltarpm=true
```

## Install Useful Packages

```bash
sudo dnf install vim
```

## Set Hostname

```bash
hostnamectl set-hostname ducolaptop
```

## Install updates

```bash
sudo dnf upgrade --refresh
sudo dnf check
sudo dnf autoremove
sudo fwupdmgr get-devices
sudo fwupdmgr refresh --force
sudo fwupdmgr get-updates
sudo fwupdmgr update
sudo reboot now
```

## Extensions

```bash
sudo dnf install -y gnome-extensions-app gnome-tweaks
sudo dnf install -y gnome-shell-extension-appindicator
```

1. Another Window Session Manager by 5q0Fw
   Restores windows on shutdown/reboot. Can be configured to automatically save the last state before restart. Pair this with "restore session" in firefox/chrome and you've got yourself a really good mac hibernate equivalent.
2. Dash to Dock by michele_g
   Make the dock behave like macos. Hide when it would cover a window. Show when the mouse hovers over the bottom of the screen. Add some sane default shortcuts. Etc.
3. Tactile by lundal
   Power-user tiling! Behaves like Windows Power Toys FancyZones.
4. Vitals by corecoding
   Adds quick-glance stats about your system to the menu bar. Use to monitor CPU usage, memory availability, network speed, battery wattage, etc.

## Gnome Tweaks

1. Fonts -> Monospace Text -> Fira Code Regular
2. Keyboard & Mouse -> Acceleration Profile -> Flat
3. Keyboard & Mouse -> Mouse Click Emulation -> Fingers
4. Top Bar -> Activities Overview Hot Corner -> Off
5. Top Bar -> Battery Percentage -> On
6. Top Bar -> Clock -> Weekday -> On
7. Top Bar -> Clock -> Seconds -> On
8. Windows -> Center New Windows -> On

## Flatpack

```bash
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
flatpak update
```

## Snap

```bash
sudo dnf install -y snapd
sudo ln -s /var/lib/snapd/snap /snap # for classic snap support
ln -s /var/lib/snapd/desktop/applications ~/.local/share/applications/snap # make apps show up in gnome
sudo reboot now
```

## AppImage Launcher

Download RPM from

## Backups

### Create Encrypted Drive

```bash
# Create an encrypted drive (replace /dev/sda1 with your backup partition throughout)
sudo cryptsetup luksFormat /dev/sda1
# LUKS Disk Encryption can use up to 8 key slots to store passwords. We can use these keys to auto mount the LUKS device.
# sudo cryptsetup luksDump /dev/sda1
# Create a lukskeys directory
mkdir -p /home/ducoterra/.lukskeys
# Generate key
dd if=/dev/random bs=32 count=1 of=/home/ducoterra/.lukskeys/btr_backup
# Restrict permissions on the key directory and the key file
chmod 700 /home/ducoterra/.lukskeys
chmod 600 /home/ducoterra/.lukskeys/btr_backup
# Luks add a key
sudo cryptsetup luksAddKey /dev/sda1 /home/ducoterra/.lukskeys/btr_backup
# Get UUID of disk with
sudo blkid /dev/sda1
# Add key to crypttab
echo 'btr_backup UUID=1d7ce570-e695-47a0-9dda-5f14b5b20e21 /home/ducoterra/.lukskeys/btr_backup luks' | sudo tee -a /etc/crypttab
# Create read-only backup mount point
sudo btrfs sub create /mnt/btr_backup
sudo btrfs property set /mnt/btr_backup ro true
# Add to fstab
echo '/dev/mapper/btr_backup /mnt/btr_backup btrfs x-systemd.device-timeout=0,x-gvfs-show,x-gvfs-name=btr_backup,ssd,nofail,noatime,discard=async,compress=zstd 0 0' | sudo tee -a /etc/fstab
# mount
sudo cryptsetup luksOpen /dev/disk/by-uuid/1d7ce570-e695-47a0-9dda-5f14b5b20e21 btr_backup --key-file=/home/ducoterra/.lukskeys/btr_backup
# close (or fix issues)
sudo cryptsetup luksClose btr_backup
```

### Backup Disks

Backup disks will respect the following naming convention: `brand_size_purpose_year_month`

So for a backup drive you would create: `wd_4tb_backup_2023_01`

Or for an archive drive: `samsung_1tb_archive_2023_01`

#### Disk Health

`smartctl -a /dev/sda`

### Create BTRBK Config

`sudo vim /etc/btrbk/btrbk.conf`

```conf
snapshot_create ondemand
snapshot_preserve_min 2d
snapshot_preserve 14d
snapshot_dir snapshots
target_preserve_min no
target_preserve 20d 10w *m

volume /mnt/btr_pool
  target /mnt/btr_backup
  subvolume root
  subvolume home
```

### Create Systemd Timer

`sudo vim /etc/systemd/system/btrbk.service`

```conf
[Unit]
Description=Runs btrbk with config file at /etc/btrbk/btrbk.conf

[Service]
ExecStart=btrbk -c /etc/btrbk/btrbk.conf -v run
```

`sudo vim /etc/systemd/system/btrbk.timer`

```conf
[Unit]
Description=Run btrbk every hour

[Timer]
OnCalendar=hourly
AccuracySec=10min
Persistent=true
Unit=btrbk.service

[Install]
WantedBy=timers.target
```

### Test, Start and Enable service

Test your service:

```bash
sudo btrbk -c /etc/btrbk/btrbk.conf -v run
```

Enable your service:

```bash
sudo systemctl start btrbk.timer
sudo systemctl enable btrbk.timer
```

### Restore

In the event you need to restore your system from a disaster do the following:

1. Reinstall fedora via a live image
2. After install, disk should be mounted at /mnt/sysimage
3. Copy the new fstab and crypttab to somewhere safe
4. `rsync -av [etc, home, opt, root, usr, var]`
5. `mount /dev/Y /mnt/sysimage/boot`
6. `mount /dev/Z /mnt/sysimage/boot/efi`
7. `mount --bind /dev /mnt/sysimage/dev`
8. `mount --bind /proc /mnt/sysimage/proc`
9. `mount --bind /sys /mnt/sysimage/sys`
10. `chroot /mnt/sysimage`
11. Edit fstab and crypttab so they match the new partitions
12. Update /etc/default/grub to match the new luks uuid
13. `grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg`
14. reboot

## Firewall CMD

1. Enable firewall

```bash
systemctl start firewalld
systemctl enable firewalld
```

2. Set default behavior to drop everything

```bash
firewall-cmd --set-default-zone=drop
systemctl reload firewalld
```

## Bluetooth

### Airpods

Edit `/etc/bluetooth/main.conf` and set

```conf
ControllerMode = bredr
```

1. restart bluetooth service
2. connect airpods
3. comment line out
4. restart bluetooth service again

## ZRAM

Edit `/etc/systemd/zram-generator.conf`

```conf
[zram0]
zram-size = min(ram / 2, 16384)
compression-algorithm = lzo-rle
options =
writeback-device = /dev/zvol/tarta-zoot/swap-writeback
```

## Automatic Disk Decryption with TPM2

It's a friendlier experience to just encrypt your root partition with the TPM and unlock your remaining drives with key files stored at `/etc/lukskeys`. This way you only need to reregister one key with your TPM and the remaining drives will be unlocked automatically.
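With one volume bound to the TPM and the rest opened by key files, the thing to verify is that no `/etc/crypttab` entry still falls through to a passphrase prompt at boot, since that is exactly the case where a headless server hangs waiting for a keyboard. The script below is an added example, not part of the original notes or of systemd: it classifies each crypttab entry by its unlock method using the same column layout the notes use (name, device, key file, options) and reports whether anything would prompt. The crypttab it reads is a constructed sample (the `luks-d9828faa...` line mirrors the one in the notes; the `data0`/`data1` entries and their UUIDs are made up), and the function names are assumptions made for the example.

```bash
#!/bin/bash
# Added example (not from the original notes): audit /etc/crypttab entries by unlock
# method so a headless server is never left waiting on a passphrase at boot.
# The crypttab content below is constructed sample data.

sample_crypttab() {
  cat <<'EOF'
# name                                      device                                    keyfile               options
luks-d9828faa-2b8c-4184-9e74-9054ae328c6d   UUID=d9828faa-2b8c-4184-9e74-9054ae328c6d none                  tpm2-device=auto,discard
data0                                       UUID=11111111-2222-3333-4444-555555555555 /etc/lukskeys/data0   luks,discard
data1                                       UUID=66666666-7777-8888-9999-000000000000 none                  luks
EOF
}

# Read crypttab lines on stdin and print "<name> <method>" per entry, where method is
# one of: tpm2 (tpm2-device= in the options), keyfile (a real key file path), or
# passphrase-prompt (no key file and no TPM, so systemd will ask on the console).
crypttab_unlock_methods() {
  awk '
    /^[[:space:]]*(#|$)/ { next }            # skip comments and blank lines
    {
      name = $1
      keyfile = ($3 == "") ? "none" : $3     # third column is optional
      opts = $4
      if (opts ~ /(^|,)tpm2-device=/)                 method = "tpm2"
      else if (keyfile != "none" && keyfile != "-")  method = "keyfile"
      else                                            method = "passphrase-prompt"
      print name, method
    }'
}

# Exit 0 when at least one entry would stop the boot for a passphrase, 1 otherwise,
# so it can gate a check such as:  crypttab_prompts_at_boot </etc/crypttab && echo "fix me"
crypttab_prompts_at_boot() {
  crypttab_unlock_methods | awk '$2 == "passphrase-prompt" { found = 1 } END { exit found ? 0 : 1 }'
}

# On the sample data: the root volume is TPM-bound, data0 uses a key file, data1 prompts.
sample_crypttab | crypttab_unlock_methods
```

Run it against the real file with `crypttab_unlock_methods </etc/crypttab`; every `passphrase-prompt` line is a volume that still needs either a TPM enrollment or a key file under `/etc/lukskeys` before the next reboot.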
Add your luks keys to the tpm module and set up boot parameters: ```bash # Enroll for the first time sudo -E systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+4+7 /dev/nvme1n1p3 # Add tpm2 configuration option to /etc/crypttab # You can get the uuid with lsblk and blkid luks-d9828faa-2b8c-4184-9e74-9054ae328c6d UUID=d9828faa-2b8c-4184-9e74-9054ae328c6d none tpm2-device=auto,discard # Add rd.luks.options=tpm2-device=auto to grub sudo grubby --args="rd.luks.options=tpm2-device=auto" --update-kernel=ALL # Regenerate the boot parameters sudo dracut -f ``` We can configure our system to automatically reenroll the tpm device on boot so you only need to enter your password on kernel updates. ```bash # Create a new random password for your disk sudo cryptsetup luksAddKey /dev/nvme0n1p3 ``` /etc/systemd/system/tpm_luks_cryptenroll.service ```conf [Unit] Description=Automatically runs systemd-cryptenroll on login [Service] Type=oneshot ExecStart=/usr/bin/systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+4+7 --wipe-slot=tpm2 /dev/nvme0n1p3 # new random password you just created Environment=PASSWORD= [Install] WantedBy=multi-user.target ``` ```bash # Now enable the service sudo systemctl enable tpm_luks_cryptenroll.service ``` ## Firefox GPU Rendering ```bash dnf install intel-media-driver intel-gpu-tools ``` Type in about:config in the address bar and hit enter. Set media.rdd-ffmpeg.enabled, media.ffmpeg.vaapi.enabled and media.navigator.mediadatadecoder_vpx_enabled to true. Close and reopen your browser Run the command sudo intel_gpu_top, play a 4k video and check whether the Video section is above 0.00% ## Gnome Software Updates (packagekitd and software) To prevent Gnome Shell from starting Software open Settings->Search and disable Software from there. 
Disable auto-updates ```bash sudo systemctl disable packagekit sudo systemctl stop packagekit dconf write /org/gnome/software/allow-updates false dconf write /org/gnome/software/download-updates false ``` ## Turn Off Fingerprint When Laptop Lid Closed To disable fingerprint authentication when the laptop lid is closed, and re-enable when it is reopened, we will use acpid to bind to the button/lid.* event to a custom script that will stop and mask the fprintd service on lid close, and unmask and start the fprintd service on lid open. We also check that the HDMI cable is connected by testing the contents of /sys/class/drm/card0-HDMI-A-1/status. Follow the steps below: 1. Create a .locks file in your home dir: `mkdir ~/.locks` 2. Create file /etc/acpi/laptop-lid.sh with the following contents: ```bash #!/bin/bash lock=/home/ducoterra/.locks/fprint-disabled.lock if grep -Fq closed /proc/acpi/button/lid/LID0/state # && # This is used to detect if a display is connected. # For USB C displayport use: # grep -Fxq connected /sys/class/drm/card1-DP-2/status # For hdmi use: # grep -Fxq connected /sys/class/drm/card0-HDMI-A-1/status then touch "$lock" systemctl stop fprintd systemctl mask fprintd elif [ -f "$lock" ] then systemctl unmask fprintd systemctl start fprintd rm -f "$lock" fi ``` 3. Make the file executable with `chmod +x /etc/acpi/laptop-lid.sh` 4. Create file /etc/acpi/events/laptop-lid with the following contents: ```bash event=button/lid.* action=/etc/acpi/laptop-lid.sh ``` 5. Restart the acpid service with: `sudo service acpid restart` Now the fingerprint will be used only when the lid is open. In order to restore the correct state of the fprintd service if you disconnect/reconnect while the laptop is off, you may call the above script from a systemd init file. The steps to do this are the following: 1. 
Create a file named /etc/systemd/system/laptop-lid.service with the following contents:

```conf
[Unit]
Description=Laptop Lid
After=suspend.target

[Service]
ExecStart=/etc/acpi/laptop-lid.sh

[Install]
WantedBy=multi-user.target
WantedBy=suspend.target
```

2. Reload the systemd config files with `sudo systemctl daemon-reload`
3. Start the service with `sudo systemctl start laptop-lid.service`
4. Enable the service so that it starts automatically on boot: `sudo systemctl enable laptop-lid.service`

Now the status should be correct even after connecting or disconnecting while the computer is off.

## Power Button Behavior

The power button is controlled from 2 locations:

1. DCONF (or gnome settings) at `gnome.settings-daemon.plugins.power`
2. ACPI at /etc/acpi/events/powerconf

The powerconf acpi configuration executes at the same time the gnome settings do. This can lead to situations where the gnome settings say "suspend" but the acpi settings say "shutdown": on waking up, your laptop will immediately shut down. The solution is to comment out everything in /etc/acpi/events/powerconf and rely on the gnome settings **OR** set the gnome settings to "nothing" and edit `/etc/acpi/actions/power.sh` with the behavior you expect. Either way, pick exactly one place to control power button behavior.

## Discord

vim ~/.local/share/applications/Discord.desktop

```conf
[Desktop Entry]
Encoding=UTF-8
Name=Discord
Exec=/home/ducoterra/Applications/Discord/Discord
Icon=/home/ducoterra/Applications/Discord/discord.png
Type=Application
Categories=Communication;
```

### Discord sharing not working

THIS IS PROBABLY A PER-APP THING. Likely the thing you're trying to share doesn't work; it's not wayland's fault. If you're trying to share firefox, download the firefox binary and remove the preinstalled one with dnf. For whatever reason the preinstalled binary doesn't like screen share.
You can use the following: ~/.local/share/applications/firefox.desktop

```conf
[Desktop Entry]
Encoding=UTF-8
Name=Firefox
Exec=/home/ducoterra/Applications/firefox/firefox-bin
Icon=/home/ducoterra/.icons/firefox.svg
Type=Application
Categories=Browser;
```

## Minecraft

1. You can find extra java versions at /etc/alternatives
2. You need to `dnf install xrandr` to launch any modpacks
3. You can create a desktop icon by putting this at ~/.local/share/applications/*.desktop:

```conf
[Desktop Entry]
Type=Application
Version=1.0
Name=Minecraft
Comment=Minecraft Launcher
Path=/home/ducoterra/Applications
Exec=minecraft-launcher
Icon=/home/ducoterra/Icons/minecraft-launcher.png
Terminal=false
Categories=Games;
```

## Sound Devices

If you want to disable a specific device or tell Fedora not to use a specific device as output or input (looking at you yeti microphone, you're not a speaker), you can install PulseAudio Volume Control (pavucontrol) for much more fine-tuned... control. Setting your speakers to analog output seems to work best for a USB DAC if it has a separate volume knob, since this ties the volume knob on the DAC to the internal volume of your computer. Setting your mic to analog input works just fine on a yeti USB mic.

```bash
sudo dnf install pavucontrol
```

## Install ffmpegthumbnailer, remove totem

totem-thumbnailer crashes all the time and isn't as good as ffmpeg's thumbnailer. What's more, the totem video player ("Videos" by default on gnome) is not as good as vlc and doesn't work very well for anything more than basic video playback.

```bash
sudo dnf remove totem
sudo dnf install ffmpegthumbnailer
```

## Add compatibility for HEIC to mogrify

```bash
sudo dnf install libheif-freeworld
```
