homelab/FedoraServer.md

Fedora Server

Fedora Server is an awesome container hosting OS. It has a lot built in, and setup is pretty quick.

Setup

scp .ssh/authorized_keys containers:~/.ssh/authorized_keys
sudo hostnamectl hostname containers
sudo dnf install vim
sudo vim /etc/ssh/sshd_config
sudo systemctl restart sshd

Certbot for Cockpit

AWS User

Create an AWS user that will have Route 53 access; certbot's Route 53 validation runs as this user.

aws iam create-user --user-name replicator

You'll also need a policy that allows the user to modify the selected hosted zone (list hosted zone IDs with aws route53 list-hosted-zones). Only the read actions get a wildcard resource; ChangeResourceRecordSets is scoped to the one zone certbot needs:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "route53:GetChange"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/Z012820733346FJ0U4FUF"
            ]
        }
    ]
}
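Before attaching a policy like the one above, it is worth checking that the write action really is pinned to a single hosted zone. The following is an added example, not part of the original notes: a small checker that parses a policy document and reports any Allow statement that grants more than the three actions certbot needs, or grants the write action on anything other than one named hosted zone. The zone ID in the sample policies is a constructed placeholder.

```python
"""Least-privilege check for a certbot Route 53 IAM policy.

Added example, not part of the original notes: it parses a policy document
shaped like the one above and reports statements that let the certbot user
do more than list zones, poll a change, and edit records in one named hosted
zone. The zone ID used in the sample policies is a constructed placeholder.
"""
import json
import re

# Actions the certbot dns-route53 plugin needs. Only the last one writes.
READ_ONLY_ACTIONS = {"route53:ListHostedZones", "route53:GetChange"}
WRITE_ACTIONS = {"route53:ChangeResourceRecordSets"}
ALLOWED_ACTIONS = READ_ONLY_ACTIONS | WRITE_ACTIONS

# A single hosted zone ARN; anything else (notably "*") is too broad for writes.
HOSTED_ZONE_ARN = re.compile(r"^arn:aws:route53:::hostedzone/[A-Z0-9]+$")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _grants_write(actions):
    """True if any action can change records (explicit or via a wildcard)."""
    return any(a in WRITE_ACTIONS or a.endswith("*") for a in actions)


def check_policy(policy_json):
    """Return a list of human-readable findings; an empty list means it passes."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = set(_as_list(stmt.get("Action", [])))
        resources = _as_list(stmt.get("Resource", []))
        for action in sorted(actions):
            if action not in ALLOWED_ACTIONS:
                # Catches "route53:*", "*" and any service the plugin never uses
                findings.append(f"statement {idx}: unexpected action {action}")
        if _grants_write(actions):
            for res in resources:
                if not HOSTED_ZONE_ARN.match(res):
                    findings.append(
                        f"statement {idx}: write action granted on broad resource {res!r}"
                    )
    return findings


# Constructed sample policies (the zone ID is a placeholder, not a real zone).
ZONE_ARN = "arn:aws:route53:::hostedzone/ZPLACEHOLDER0000"

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["route53:ListHostedZones", "route53:GetChange"],
         "Resource": ["*"]},
        {"Effect": "Allow",
         "Action": ["route53:ChangeResourceRecordSets"],
         "Resource": [ZONE_ARN]},
    ],
})

# Same policy, but the write action is granted on every hosted zone in the
# account, which is the mistake this check exists to catch.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["route53:ListHostedZones", "route53:GetChange"],
         "Resource": ["*"]},
        {"Effect": "Allow",
         "Action": "route53:ChangeResourceRecordSets",
         "Resource": "*"},
    ],
})

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED_POLICY), ("overbroad", OVERBROAD_POLICY)):
        result = check_policy(doc)
        print(f"{name}: {'OK' if not result else result}")
```

Run it against the JSON you are about to upload (for example by reading the file and passing its contents to check_policy); an empty result means the certbot user can only edit the one zone you picked.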

Attach the policy (created from the JSON above) to the user:

aws iam attach-user-policy \
    --user-name replicator \
    --policy-arn arn:aws:iam::892236928704:policy/certbot-route53-reeseapps

Generate credentials:

aws iam create-access-key --user-name replicator

On the host machine, create the AWS CLI config and credentials files (mkdir ~/.aws first) and paste the values from the create-access-key output into the credentials file:

~/.aws/config

[profile default]
region=us-east-2

~/.aws/credentials

[default]
aws_access_key_id=
aws_secret_access_key=

Initial Setup

  1. Create a "containers" user in AWS. Copy the permissions from FreeNAS.

  2. Create credentials.

  3. Add your credentials to root.

  4. Install the AWS CLI v2:

    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
    unzip awscliv2.zip
    sudo ./aws/install

  5. Test your credentials with aws route53 list-hosted-zones.

Install certbot with the Route 53 plugin and request a certificate for each hostname:

sudo dnf install certbot python3-certbot-dns-route53
sudo certbot certonly --dns-route53 -d containers.reeselink.com
sudo certbot certonly --dns-route53 -d containers.reeseapps.com

Copy each certificate chain and private key into Cockpit's certificate directory:

sudo cp /etc/letsencrypt/live/containers.reeselink.com/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
sudo cp /etc/letsencrypt/live/containers.reeselink.com/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key

sudo cp /etc/letsencrypt/live/containers.reeseapps.com/fullchain.pem /etc/cockpit/ws-certs.d/60-letsencrypt.cert
sudo cp /etc/letsencrypt/live/containers.reeseapps.com/privkey.pem /etc/cockpit/ws-certs.d/60-letsencrypt.key

Test the renewal process with:

sudo certbot renew --cert-name containers.reeselink.com --dry-run
sudo certbot renew --cert-name containers.reeseapps.com --dry-run

Renewal

Create a renewal script at /usr/lib/scripts/certbot-renew.sh and make it executable (chmod +x):

#!/bin/bash

/usr/bin/certbot renew --cert-name containers.reeselink.com
/usr/bin/cp -f /etc/letsencrypt/live/containers.reeselink.com/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert
/usr/bin/cp -f /etc/letsencrypt/live/containers.reeselink.com/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key

/usr/bin/certbot renew --cert-name containers.reeseapps.com
/usr/bin/cp -f /etc/letsencrypt/live/containers.reeseapps.com/fullchain.pem /etc/cockpit/ws-certs.d/60-letsencrypt.cert
/usr/bin/cp -f /etc/letsencrypt/live/containers.reeseapps.com/privkey.pem /etc/cockpit/ws-certs.d/60-letsencrypt.key

Now create a systemd oneshot service to run the script, and a timer that triggers it 5 minutes after boot and weekly after that.

/etc/systemd/system/certbot-renew.service

[Unit]
Description=Certbot Renewal

[Service]
Type=oneshot
ExecStart=/usr/lib/scripts/certbot-renew.sh

/etc/systemd/system/certbot-renew.timer

[Unit]
Description=Timer for Certbot Renewal

[Timer]
OnBootSec=300
OnUnitActiveSec=1w

[Install]
WantedBy=multi-user.target

Enable and start the timer (the service itself is only ever run by the timer):

sudo systemctl enable --now certbot-renew.timer
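The renewal script above copies the files every time it runs, whether or not certbot renewed anything. An alternative that only installs a lineage after a successful renewal is a certbot deploy hook. The script below is an added example, not the notes' own script: certbot really does run every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a renewal and exports RENEWED_LINEAGE to it, but the hook file name, the COCKPIT_CERT_DIR override and the function names are this example's own choices. The lineage names and the 50-/60- prefixes follow the notes above.

```bash
#!/bin/bash
# Added example (not the original notes' script): a certbot deploy hook that
# installs a renewed lineage into Cockpit's ws-certs.d only when certbot
# actually renewed it. certbot sets RENEWED_LINEAGE for deploy hooks; the
# install path /etc/letsencrypt/renewal-hooks/deploy/cockpit.sh and the
# COCKPIT_CERT_DIR override are this example's own assumptions.
set -eu

COCKPIT_CERT_DIR="${COCKPIT_CERT_DIR:-/etc/cockpit/ws-certs.d}"

# Map a lineage directory name to the file prefix Cockpit should see.
# Returns 1 (so nothing gets installed) for lineages this host does not serve.
prefix_for_lineage() {
    case "$1" in
        containers.reeselink.com) echo "50-letsencrypt" ;;
        containers.reeseapps.com) echo "60-letsencrypt" ;;
        *) return 1 ;;
    esac
}

# install_cockpit_cert LINEAGE_DIR DEST_DIR PREFIX
# Copies fullchain/privkey with restrictive modes. It refuses to install a
# half-present lineage so a failed renewal never leaves Cockpit with a
# mismatched cert/key pair.
install_cockpit_cert() {
    local lineage="$1" dest="$2" prefix="$3"
    if [ ! -r "$lineage/fullchain.pem" ] || [ ! -r "$lineage/privkey.pem" ]; then
        echo "refusing to install $lineage: fullchain.pem or privkey.pem missing" >&2
        return 1
    fi
    install -m 0644 "$lineage/fullchain.pem" "$dest/$prefix.cert"
    install -m 0600 "$lineage/privkey.pem" "$dest/$prefix.key"
}

# Entry point used by certbot. Run by hand without RENEWED_LINEAGE it does
# nothing, so the functions can be sourced or tested safely.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    name=$(basename "$RENEWED_LINEAGE")
    if prefix=$(prefix_for_lineage "$name"); then
        install_cockpit_cert "$RENEWED_LINEAGE" "$COCKPIT_CERT_DIR" "$prefix"
        echo "installed $name as $prefix into $COCKPIT_CERT_DIR"
    else
        echo "no Cockpit mapping for $name, skipping" >&2
    fi
fi
```

With the hook in place, the timer's script can shrink to a plain certbot renew; the copy then happens only on actual renewal, and a renewal that fails leaves the previous cert/key pair untouched.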

Disable firewalld

firewalld conflicts with k3s. Disable it from the UI.

Disable SELinux

SELinux interferes with iSCSI mounts. Switch it to permissive mode (denials are logged but no longer enforced, which is not the same as fully disabled) by editing /etc/selinux/config; the change takes effect on the next boot:

SELINUX=permissive

Allow iSCSI

# Install the following system packages
sudo dnf install -y lsscsi iscsi-initiator-utils sg3_utils device-mapper-multipath

# Enable multipathing
sudo mpathconf --enable --with_multipathd y

# Ensure that iscsid and multipathd are running
sudo systemctl enable iscsid multipathd
sudo systemctl start iscsid multipathd

# Start and enable iscsi
sudo systemctl enable iscsi
sudo systemctl start iscsi