# Fedora Server

- [Fedora Server](#fedora-server)
  - [Installation](#installation)
  - [Setup SSH](#setup-ssh)
  - [Fail2Ban](#fail2ban)
  - [Automatic Updates](#automatic-updates)
  - [Disable Swap](#disable-swap)
  - [Extras](#extras)

Note these instructions differentiate between an `operator` and a `server`. The operator can be any
machine that configures the server. A pipeline, laptop, dedicated server, etc. are all options. The
server can be its own operator, though that's not recommended since servers should be ephemeral and
the operator will store information about each server.

## Installation

1. Make sure to use the `custom` disk partitioner and select `btrfs`.
2. Create an administrator. We'll give SSH root access later, but this gives you a Cockpit user.
3. Ensure the IPv6 connection is set to "eui64".
4. Set the hostname.

## Setup SSH

On the operator:

```bash
export SSH_HOST=kube
ssh-keygen -t rsa -b 4096 -C ducoterra@"$SSH_HOST".reeselink.com -f ~/.ssh/id_"$SSH_HOST"_rsa

# Note: If you get "too many authentication failures" it's likely because you have too many private
# keys in your ~/.ssh directory. Use `-o PubkeyAuthentication=no` to fix it.
ssh-copy-id -o PubkeyAuthentication=no -i ~/.ssh/id_"$SSH_HOST"_rsa.pub ducoterra@"$SSH_HOST".reeselink.com

# Unquoted EOF so $SSH_HOST expands; quotes inside a heredoc would be written literally
cat <<EOF >> ~/.ssh/config

Host $SSH_HOST
    Hostname ${SSH_HOST}.reeselink.com
    User root
    ProxyCommand none
    ForwardAgent no
    ForwardX11 no
    Port 22
    KeepAlive yes
    IdentityFile ~/.ssh/id_${SSH_HOST}_rsa
EOF
```

On the server:

```bash
# Copy authorized_keys to root
sudo cp ~/.ssh/authorized_keys /root/.ssh/authorized_keys

# Change your password
passwd

sudo su -
echo "PasswordAuthentication no" > /etc/ssh/sshd_config.d/01-prohibit-password.conf
echo '%wheel ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/01-nopasswd-wheel

# Reload sshd so the new drop-in takes effect
systemctl reload sshd
```

On the operator:

```bash
# Test if you can SSH with a password (this should be refused)
ssh -o PubkeyAuthentication=no ducoterra@"$SSH_HOST".reeselink.com

# Test that you can log into the server with ssh config
ssh "$SSH_HOST"
```

## Fail2Ban

On the server:

```bash
dnf install -y fail2ban

# Setup initial rules
cat <<EOF > /etc/fail2ban/jail.local
# Jail configuration additions for local installation

# Adjust the default configuration's default values
[DEFAULT]
# Optional: enter a trusted IP never to ban
ignoreip = 2600:1700:1e6c:a81f::0/64
bantime = 6600
backend = auto

# The main configuration file defines all services but
# deactivates them by default. We have to activate those needed
[sshd]
enabled = true
EOF

systemctl enable fail2ban --now
tail -f /var/log/fail2ban.log
```

## Automatic Updates

On the server:

```bash
dnf install dnf-automatic -y
systemctl enable --now dnf-automatic-install.timer
```

## Disable Swap

```bash
swapoff -a
zramctl --reset /dev/zram0
dnf -y remove zram-generator-defaults
```

## Extras

On the server:

```bash
# Set vim as the default editor
dnf install -y vim-default-editor --allowerasing

# Install glances for system monitoring
dnf install -y glances

# Install zsh with autocomplete and suggestions
dnf install -y zsh zsh-autosuggestions zsh-syntax-highlighting

cat <<EOF > ~/.zshrc
# Basic settings
autoload bashcompinit && bashcompinit
autoload -U compinit; compinit
zstyle ':completion:*' menu select

# Prompt settings
autoload -Uz promptinit
promptinit
prompt redhat
PROMPT_EOL_MARK=

# Syntax Highlighting
source /usr/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
source /usr/share/zsh-autosuggestions/zsh-autosuggestions.zsh

### Custom Commands and Aliases ###
EOF

chsh -s "$(which zsh)" && chsh -s "$(which zsh)" ducoterra
```
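
An added check for the hardening done under Setup SSH (example code written for this page, not part of the original instructions): `audit_sshd` inspects the effective settings that `sshd -T` prints, and `winning_dropin` reports which drop-in file sets a keyword first, since sshd keeps the first value it reads. The function names, the `50-other.conf` file and the sample output are constructed for illustration.

```bash
# Added example: audit the SSH hardening from the Setup SSH section.
# On the server, as root:  sshd -T | audit_sshd

# audit_sshd: read `sshd -T` output on stdin, print one line per finding,
# and return 0 only when no FAIL was found.
audit_sshd() {
  awk '
    { v[tolower($1)] = tolower($2) }
    END {
      if (v["passwordauthentication"] != "no") {
        print "FAIL: passwordauthentication is not no"; bad = 1 }
      # PAM can still ask for a password via keyboard-interactive.
      if (v["kbdinteractiveauthentication"] == "yes") {
        print "FAIL: kbdinteractiveauthentication is yes"; bad = 1 }
      # With passwords off, disabled pubkey auth locks everyone out.
      if (v["pubkeyauthentication"] != "yes") {
        print "FAIL: pubkeyauthentication is not yes"; bad = 1 }
      if (v["permitrootlogin"] == "yes") {
        print "WARN: permitrootlogin is yes" }
      exit bad
    }'
}

# winning_dropin KEYWORD DIR: print the first *.conf (lexical order) that sets
# KEYWORD, i.e. the file whose value sshd keeps. Match blocks are not handled.
winning_dropin() {
  for _f in "$2"/*.conf; do
    [ -f "$_f" ] || continue
    if grep -qiE "^[[:space:]]*$1([[:space:]]|=)" "$_f"; then
      basename "$_f"; return 0
    fi
  done
  return 1
}

# Constructed sample of `sshd -T` output (not captured from a real host).
SAMPLE_OK='passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
permitrootlogin without-password'

# Demo on constructed data: the 01- prefix sorts ahead of 50-other.conf.
d=$(mktemp -d)
echo 'PasswordAuthentication no'  > "$d/01-prohibit-password.conf"
echo 'PasswordAuthentication yes' > "$d/50-other.conf"   # hypothetical file
printf '%s\n' "$SAMPLE_OK" | audit_sshd && echo "sample sshd -T output: OK"
echo "decided by: $(winning_dropin PasswordAuthentication "$d")"
rm -rf "$d"
```

`sshd -T` parses the configuration files on disk, so it reports the drop-in's value even if the running daemon has not been reloaded yet.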