homelab/infrastructure/graduated/fedora/fedora-kinoite.md

# Fedora Kinoite

## TPM2 LUKS Decryption

Mostly taken from here: https://gist.github.com/jdoss/777e8b52c8d88eb87467935769c98a95

PCR reference for the `--tpm2-pcrs` argument:

- 0: System firmware executable
- 2: Kernel
- 4: Bootloader
- 7: Secure boot state
- 8: Cmdline
- 9: Initrd

Basic commands:

```sh
# Show tpm2 devices
systemd-cryptenroll --tpm2-device=list
# Show crypto luks block devices
blkid -t TYPE=crypto_LUKS

# Enroll the tpm2 device with systemd-cryptenroll
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9 /dev/nvme0n1p3

# Reenroll
systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9

# Append to command line args
rpm-ostree kargs --append=rd.luks.options=tpm2-device=auto
```

When you update you'll need to reenroll: the kernel command line and initrd (PCRs 8 and 9 above) change with every update, so the old TPM2 policy no longer matches and the volume falls back to asking for the passphrase. `--wipe-slot=tpm2` only removes the TPM2 slot, so the passphrase slot stays as the recovery path. Add this to your `~/.bashrc`:

```sh
# LUKS TPM2 commands
alias tpm2-reenroll='sudo systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9'
```
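After a (re)enrollment it is worth confirming what the TPM2 token on the disk is actually bound to, and that a non-TPM keyslot still exists to unlock the disk if the PCR policy stops matching. The script below is an added example, not part of these notes or of the gist they cite: it parses the output of `cryptsetup luksDump` (the `SAMPLE_DUMP` is a constructed sample, and the `tpm2-hash-pcrs:` / `Keyslot:` layout is assumed to match what cryptsetup's systemd-tpm2 token plugin prints) and reports the enrolled PCR set and the number of fallback keyslots.

```sh
#!/bin/sh
# Added example: check which PCRs the enrolled systemd-tpm2 token is bound to
# and whether a passphrase (non-token) keyslot remains, from luksDump output.
# Format assumption: cryptsetup's systemd-tpm2 token plugin prints
# "tpm2-hash-pcrs:   0+2+4+7+8+9" and a "Keyslot:    N" line per token.

# Constructed sample: two keyslots (0 = passphrase, 1 = TPM2) and one
# systemd-tpm2 token bound to the PCR set used in these notes.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   0+2+4+7+8+9
        tpm2-pcr-bank:    sha256
        tpm2-pin:         false
        Keyslot:    1
Digests:
  0: pbkdf2
        Hash:       sha256
'

# Print the PCR set of the first systemd-tpm2 token (e.g. "0+2+4+7+8+9"),
# reading a luksDump from stdin. Prints nothing if no TPM2 token is enrolled.
tpm2_pcrs_of_dump() {
    awk '/tpm2-hash-pcrs:/ { print $2; exit }'
}

# Succeed only if the enrolled PCR set equals the expected one, given in the
# comma form used on the --tpm2-pcrs command line (e.g. "0,2,4,7,8,9").
pcrs_match() {
    expected=$(printf '%s' "$1" | tr ',' '+')
    actual=$(tpm2_pcrs_of_dump)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Number of LUKS2 keyslots listed in the Keyslots section.
keyslot_count() {
    awk '/^Keyslots:/ { s = 1; next }
         /^[A-Za-z]/ { s = 0 }
         s && /^[[:space:]]+[0-9]+: luks2/ { n++ }
         END { print n + 0 }'
}

# Number of keyslots owned by a token (TPM2, FIDO2, ...).
token_keyslot_count() {
    awk '/^Tokens:/ { s = 1; next }
         /^[A-Za-z]/ { s = 0 }
         s && /^[[:space:]]+Keyslot:/ { n++ }
         END { print n + 0 }'
}

# Succeed if at least one keyslot is not tied to a token, i.e. a passphrase
# (or keyfile) slot still exists to unlock the disk when the TPM2 policy fails.
has_fallback_slot() {
    dump=$(cat)
    slots=$(printf '%s\n' "$dump" | keyslot_count)
    tokens=$(printf '%s\n' "$dump" | token_keyslot_count)
    [ "$slots" -gt "$tokens" ]
}

# Real use (needs root; the device path is the one used in these notes):
#   sudo cryptsetup luksDump /dev/nvme0n1p3 | pcrs_match 0,2,4,7,8,9 && echo "PCRs ok"
#   sudo cryptsetup luksDump /dev/nvme0n1p3 | has_fallback_slot || echo "no recovery slot!"
```

Running the two real-use lines after `tpm2-reenroll` catches the two mistakes that bite later: a re-enrollment that silently used a different PCR list, and a disk that only has a TPM2 slot left after a slot was wiped.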

## Podman

Since you'll be using podman for most container-based services, you'll want to point the podman auth file somewhere persistent: the default location is `$XDG_RUNTIME_DIR/containers/auth.json`, which lives on a tmpfs and is deleted every time you reboot.

Add this to your `~/.bashrc`:

```sh
# Podman auth file
export REGISTRY_AUTH_FILE=$HOME/.podman-auth.json
```

Source that (`source ~/.bashrc`) and then run `podman login` against your registry to create the file.

## Autostarting services with quadlets

If you want to run something as your user at boot (as a systemd user service; think ollama) you can create a user quadlet like so:

```sh
# Quadlet files live here; create the directory first or the redirect below fails
mkdir -p ~/.config/containers/systemd

# Generate the .container file
podman run --rm ghcr.io/containers/podlet --install --description "Local AI" \
  podman run \
  -d \
  -v ollama:/root/.ollama \
  -p 11434:11434 \
  --name ollama \
  --restart always \
  docker.io/ollama/ollama > ~/.config/containers/systemd/ollama.container

# Verify the service (Note the filename:service, this is required! You will get "Failed to prepare filename" without it)
systemd-analyze verify ~/.config/containers/systemd/ollama.container:ollama.service

# Start the service
systemctl --user daemon-reload
systemctl --user start ollama
```
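It helps to know what the generated quadlet looks like, both to review it before enabling it and to write one by hand when podlet is not around. The script below is an added example, not the notes' own code and not podlet's output: it writes a `.container` unit equivalent to the `podman run` flags above using keys documented in `podman-systemd.unit(5)` (`Image`, `Volume`, `PublishPort`, `ContainerName`, `[Service] Restart`, `[Install] WantedBy`); that this is exactly the mapping podlet produces is an assumption. The `quadlet_check` function is a cheap static check that the keys the unit needs are present and that the image reference is fully qualified.

```sh
#!/bin/sh
# Added example: hand-written user quadlet equivalent to the podlet command
# in these notes, plus a static sanity check. Key names are from
# podman-systemd.unit(5); the flag-to-key mapping is an assumption.

# Write a user quadlet for $name into $dir (default: the user quadlet
# directory), creating the directory if it is missing. Prints the file path.
write_quadlet() {
    name="$1"          # unit and container name, e.g. ollama
    image="$2"         # fully-qualified image reference
    volume="$3"        # volume spec, e.g. ollama:/root/.ollama
    port="$4"          # publish spec, e.g. 127.0.0.1:11434:11434
    description="$5"
    dir="${6:-$HOME/.config/containers/systemd}"
    mkdir -p "$dir"
    cat > "$dir/$name.container" <<EOF
[Unit]
Description=$description

[Container]
ContainerName=$name
Image=$image
Volume=$volume
PublishPort=$port

[Service]
# quadlet handles restarts through systemd instead of podman's --restart
Restart=always

[Install]
# default.target is the user session's equivalent of multi-user.target
WantedBy=default.target
EOF
    printf '%s\n' "$dir/$name.container"
}

# Succeed only if the unit has the keys it needs and the image is fully
# qualified (registry host with a dot or port before the first slash), so
# the pull is not left to unqualified-search-registries resolution.
quadlet_check() {
    file="$1"
    for key in 'Image=' 'PublishPort=' 'WantedBy=default.target'; do
        grep -q "^$key" "$file" || return 1
    done
    grep -q '^Image=[^/]*[.:][^/]*/' "$file"
}

# Real use, matching the podlet command in these notes:
#   f=$(write_quadlet ollama docker.io/ollama/ollama ollama:/root/.ollama 11434:11434 "Local AI")
#   quadlet_check "$f" && systemctl --user daemon-reload && systemctl --user start ollama
```

`11434:11434` publishes the port on every interface; passing `127.0.0.1:11434:11434` as the port spec keeps the model API reachable only from the host. Run the `systemd-analyze verify` step from above on the written file before `daemon-reload`; `quadlet_check` only catches the obvious omissions.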

## rpm-ostree

Note: if you don't need them, remove the extra repos (the `.repo` files under `/etc/yum.repos.d/`).

I removed:

1. rpmfusion-nonfree-steam.repo
2. rpmfusion-nonfree-nvidia-driver.repo
3. google-chrome.repo
4. _copr:copr.fedorainfracloud.org:phracek:PyCharm.repo

```sh
# Search for available packages
rpm-ostree search git

# Install a package
rpm-ostree install git

# Apply the installed package live
rpm-ostree apply-live

# Check what's been layered
rpm-ostree status
```

## Git, Vim, etc.

Some packages are nice to have at the system level.

```sh
rpm-ostree install git vim
```

## Libvirt, QEMU, KVM

```sh
rpm-ostree install virt-manager libvirt
systemctl enable --now libvirtd
```

## Network

### Hostname

```sh
sudo hostnamectl hostname reesework16
```

### VLAN Setup with nmcli

```sh
# List existing connections and pick the parent interface
nmcli conn
export NMCLI_DEVICE=enp195s0f4u1u3
# VLAN 2 on top of the parent device
nmcli connection add type vlan con-name $NMCLI_DEVICE.2 dev $NMCLI_DEVICE id 2
```