services/homelab
1
1
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8ea3fe5fc474a7e462e98173e641a03ae7fc9d4e
homelab/active/os_fedora/fedora-server.md

38 KiB
Raw Blame History

Fedora Server

https://docs.fedoraproject.org/en-US/fedora-server/installation/postinstallation-tasks/#_manage_system_updates

Note these instructions differentiate between an operator and a server. The operator can be any machine that configure the server. A pipeline, laptop, dedicated server, etc. are all options. The server can be its own operator, though that's not recommended since servers should be ephemeral and the operator will store information about each server.

Installation

  1. Configure network first
    1. Set a hostname
    2. Disable ipv6 privacy extensions
  2. Software Selection
    1. Headless Management
  3. User Creation
    1. Set a simple password, we'll change it later
  4. Disk partitioning
    1. Select manual (blivet) partitioning
    2. Create a 1GB EFI system partition and mount it at /boot/efi
    3. Create a 1GB ext4 partition and mount it at /boot
    4. Create a btrfs volume with the remaining data and name it something unqiue, do not mount it
    5. Create a btrfs subvolume called "root" and mount it at /
    6. Create any other btrfs subvolumes you might need
  5. Take note of the ipv4 and ipv6 address. Update any DNS records at this time.
  6. Install and reboot

Setup SSH

See README

DNF

Configure dnf to use the fastest mirror:

echo 'fastestmirror=1' >> /etc/dnf/dnf.conf
dnf clean all
dnf update --refresh -y
# libdnf5 is required for ansible to work
dnf install -y git glances tmux vim python3-libdnf5 borgbackup tpm2-tools

Power Profiles with Tuned

  1. dnf install tuned
  2. systemctl enable --now tuned
  3. tuned-adm profile virtual-host

Fail2Ban

On the server:

# Run tmux session
tmux

dnf install -y fail2ban

# Setup initial rules
cat <<EOF > /etc/fail2ban/jail.local
# Jail configuration additions for local installation

# Adjust the default configuration's default values
[DEFAULT]
# Optional enter an trusted IP never to ban
# ignoreip = 2600:1700:1e6c:a81f::0/64
bantime  = 6600
backend = auto

# The main configuration file defines all services but
# deactivates them by default. We have to activate those neeeded
[sshd]
enabled = true
EOF

systemctl enable fail2ban --now

# OPTIONAL: follow logs
tail -f /var/log/fail2ban.log

Checking, banning, unbanning

# See banned clients
fail2ban-client banned
# See jails (sshd should be one of them)
fail2ban-client status
# Unban a client from the sshd jail
fail2ban-client set sshd unbanip <IP address>

BTRFS Parent Volumes

In /etc/fstab, add the parent volumes for your disks mounted with subvolid=5 at /btrfs so you can see all subvolumes.

UUID=64beedac-c0c9-48bf-a3ae-7707df6ebc97 /btrfs/3dserver-root    btrfs   subvolid=5,compress=zstd:1,x-systemd.device-timeout=0 0 0
UUID=3c76b83f-7547-4c18-b08f-9e7902022b8d /btrfs/3dserver-data    btrfs   subvolid=5,compress=zstd:1,x-systemd.device-timeout=0 0 0

systemctl daemon-reload
mount -a --mkdir

BTRFS Snapshots

https://en.opensuse.org/openSUSE:Snapper_Tutorial

http://snapper.io/manpages/snapper-configs.html

Snapper Installation

We'll be using snapper, a tool for automating and controlling snapshot behavior.

dnf install -y snapper dnf-plugin-snapper

# Allow selinux management
semanage permissive -a snapperd_t

# Note, if you mess something up you can run snapper -c root delete-config to delete
# System configs are stored in /etc/sysconfig/snapper as well as /etc/snapper
snapper -c boot create-config /boot
snapper -c root create-config /
snapper -c home create-config /home

# Enable automatic snapshots
systemctl enable --now snapper-timeline.timer
# Enable automatic cleanup
systemctl enable --now snapper-cleanup.timer
# Enable snapshots on boot
systemctl enable --now snapper-boot.timer

Snapper Cleanup

# List snapshots
snapper -c root list
# Create snapshot manually
snapper -c root create --description "test snapshot"
# Delete first snapshot
snapper -c root delete 1
# Delete snapshots between 655-857
snapper -c root delete 655-857

Note - you probably don't want to keep yearly snapshots. Edit /etc/snapper/configs/root and change TIMELINE_LIMIT_YEARLY= to 0.

BTRFS Maintenance

# Start a scrub with low impact/priority at / (good for servers)
btrfs scrub start -c idle /

# Start a scrub in the foreground and monitor
btrfs scrub start -c idle -B -d /

# Check for errors
dmesg -T | grep btrfs

TPM2 Luks Decryption

Mostly taken from here: https://gist.github.com/jdoss/777e8b52c8d88eb87467935769c98a95

PCR reference for --tpm2-pcrs args

0: System firmware executable
2: Kernel
4: Bootloader
7: Secure boot state
8: Cmdline
9: Initrd

Note, if your threat vector is people trying to get data off your old disks after throwing them away, you can set --tpm2-pcrs="". Someone could gain access to your encrypted partition if they can access your machine physically by manipulating the boot parameters but you're guaranteed to unlock despite updates and upgrades.

Basic commands:

# Run tmux session
tmux

# Show tpm2 devices
systemd-cryptenroll --tpm2-device=list
# Show crypto luks block devices
blkid -t TYPE=crypto_LUKS

# Enroll the tpm2 device with systemd-cryptenroll
systemd-cryptenroll /dev/nvme0n1p3 --tpm2-device=auto --tpm2-pcrs=""

####################
##### OPTIONAL #####
####################
# If you have lots of devices to decrypt (like a btrfs raid array), use these commands.
# Get all crypto luks partitions
blkid | grep crypto_LUKS
# List them all space-separated and drop the '/dev'
LUKS_DEVS="nvme0n1p4 nvme1n1p1 nvme2n1p1 nvme3n1p1 nvme5n1p1 nvme4n1p1 nvme6n1p1"

# Check that your list is good
for dev in $LUKS_DEVS; do echo will enroll /dev/$dev; done

# Enroll
for dev in $LUKS_DEVS; do \
echo "Enrolling /dev/$dev"; \
systemd-cryptenroll /dev/$dev --tpm2-device=auto --tpm2-pcrs=""; \
done
########################
##### END OPTIONAL #####
########################

# Append to command line args
echo "add_dracutmodules+=\" tpm2-tss \"" | tee /etc/dracut.conf.d/tpm2.conf
dracut -f

Finally, vim /etc/default/grub and add rd.luks.options=tpm2-device=auto to GRUB_CMDLINE_LINUX

# Update Grub
grub2-mkconfig -o /boot/grub2/grub.cfg
reboot
# Cross your fingers that you don't have to go type in the password manually.
# Yes, 60 full seconds is too long. Go type your password in.

If you need to reenroll for some reason:

# Reenroll
systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=""

Change your password

In Cockpit navigate to Accounts -> user -> Set password

Automatic Updates

In Cockpit navigate to software updates -> automatic updates -> install -> security updates only

Monitoring

In Cockpit: Overview -> View metrics and history -> Install PCP Support -> Metrics settings -> Turn on Collect Metrics

Glances

dnf install -y glances python3-jinja2
systemctl enable --now glances
firewall-cmd --permanent --zone=FedoraServer --add-port=61208/tcp
firewall-cmd --reload

Disk Usage

# Show size of folder exclude snapshots
du --exclude .snapshots -sh .

# Show size of all files in your current dir
for folder in $(ls); do du --exclude .snapshots -sh $folder; done

# Calculate all folder sizes in current dir 
alias {dudir,dud}='du -h --max-depth 1 | sort -h'

# Calculate all file sizes in current dir
alias {dufile,duf}='ls -lhSr'

Disk Wear

TODO

Common Storage Mounts

Note: mount these before you install the relevant package!

  1. For virtual machines: /var/lib/libvirt
  2. For podman: /var/lib/containers
  3. For docker: /var/lib/docker

Network Bridge

Networking -> Add bridge -> add network interface and save

nmcli connection modify bridge0 ipv6.addr-gen-mode eui64

Virtualization

Don't forget to add a btrfs subvolume for /var/lib/libvirt

# Since we already created our /btrfs mountpoint, this volume will show up automatically
# at /btrfs/libvirt
btrfs sub create /btrfs/libvirt

Now create an fstab entry that mounts the volume at /var/lib/libvirt

UUID=... /var/lib/libvirt    btrfs   subvol=libvirt,compress=zstd:1,x-systemd.device-timeout=0 0 0

Mount the libvirt volume:

systemctl daemon-reload
mount -a --mkdir
# Check that the mount was successful. This will print something if our mount worked.
mount | grep -i /var/lib/libvirt

Create a snapshot schedule for libvirt.

snapper -c libvirt create-config /var/lib/libvirt
# Don't forget to edit "YEARLY" at /etc/snapper/configs/libvirt

Install and enable the virtualization service.

dnf group install --with-optional virtualization
systemctl enable --now libvirtd

Install the cockpit machines application.

Virtualization Troubleshooting

# Oops, I did this after I installed virtualization
rsync -av /var/lib/libvirt/ /btrfs/libvirt/
rm -rf /var/lib/libvirt
# Find the path to your btrfs volume
lsblk
mount -o subvol=libvirt /dev/mapper/luks-... /var/lib/libvirtd

QEMU Images

# Grow an image to 2TB
qemu-img resize nextcloud_aio-fcfgp.qcow2 2T

# Convert OVA to img
qemu-img convert -f vmdk -O raw in.vmdk out.img

# Convert qcow2 to img
qemu-img convert -f qcow2 -O raw in.raw out.img

Shared directory with VM Guest

mount -t virtiofs [mount tag] [mount point]

Firewalld

Set the default firewalld zone to public

# Note, you probably don't have to do this. Check Cockpit Network -> Firewall
# firewall-cmd --set-default-zone=public

Firewalld will be on and blocking by default. You can check the zone and allowed ports with:

firewall-cmd --get-active-zones
firewall-cmd --get-default-zone
firewall-cmd --zone=public --list-ports
firewall-cmd --zone=public --list-services

Allow Cockpit with

firewall-cmd --permanent --zone=public --add-port=9090/tcp
firewall-cmd --reload

Remove cockpit with

firewall-cmd --permanent --zone=public --remove-port=9090/tcp

Add a custom source for a service

sudo firewall-cmd --new-zone=home --permanent
sudo firewall-cmd --zone=home --add-source=10.2.0.0/24 --permanent
sudo firewall-cmd --zone=home --add-port=10700/tcp --permanent
sudo firewall-cmd --reload

Backups

Note: this assumes you've set up an iscsi backup disk

Connect to the ISCSI Backup Target

Connect to Backup Target with Cockpit

  1. Storage -> Hamburger menu -> Add iSCSI portal
  2. Type your portal address, username, and password

Connect to Backup Target with iscsiadm

https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/5/html/online_storage_reconfiguration_guide/iscsi-replacements_timeout#iscsi-replacements_timeout

# Set username and password for discovered nodes
# Optionally you can add "-T <target name>" to specify which target has the username/password
iscsiadm -m node \
-o update \
-n node.session.auth.username -v username \
-n node.session.auth.password -v password

# Set replacement_timeout to 10 minutes in case server reboots
iscsiadm -m node \
-o update \
-n node.session.timeo.replacement_timeout -v 600

systemctl restart iscsid

# Discover targets
iscsiadm -m discovery -t st -p drivework.reeselink.com

# Login to all nodes
iscsiadm -m node -l

Format backup disk

# list disks
lsblk

# Create partition
fdisk /dev/sdx

# Format partition with btrfs
mkfs.btrfs /dev/sdx1

# Get the UUID
blkid /dev/sdx1

Update /etc/fstab with the iscsi disk details.

Note:

  • x-systemd.automount which only mounts the device when it's accessed.
  • x-systemd.mount-timeout=30 allows a 30 second timeout
  • _netdev ensures the device won't be mounted until after the network is available
UUID=... /btrfs/some-name    btrfs   subvolid=5,compress=zstd:1,x-systemd.automount,x-systemd.mount-timeout=30,_netdev 0 0

Troubleshooting Backup ISCSI Connection

# List targets
iscsiadm -m node

# Delete node
iscsiadm -m node -o delete -T iqn.2022-01.com.reeselink:driveripper:iqn.2022-01.com.reeselink:driveripper

# List discovered targets
iscsiadm -m discovery

# Delete from discovery db
iscsiadm -m discoverydb -t sendtargets -p driveripper.reeselink.com -o delete

Quick Backup

rsync -av --progress --exclude '.snapshots' /btrfs/yellow/root /btrfs/backup-yellow --dry-run

Regular Backups with Borg

See borg.md

Version Upgrades

# Make sure to be fully up to date first
dnf upgrade --refresh
reboot

# Set the releasever to the version you want to upgrade to
dnf system-upgrade download --releasever=43
dnf system-upgrade reboot

Optional Steps

Disable Swap

swapoff -a
zramctl --reset /dev/zram0
dnf -y remove zram-generator-defaults

Disable Selinux

By default selinux will be enforcing. You can set it to permissive with

setenforce 0

And then make it permanent by editing /etc/selinux/config and inserting SELINUX=permissive.

Downgrading Kernel

dnf install koji

# Note: format is kernel-version.fedora-version
cd $(mktemp -d) && koji download-build --arch=x86_64 --arch=noarch kernel-6.11.3-300.fc41 && dnf install ./*

reboot

Resize logical volume

# Replace /dev/sda2 with whatever your disks are
# This assumes xfs
pvresize /dev/sda2
lvextend /dev/mapper/root -l+100%FREE
xfs_growfs -d /dev/mapper/root

Create XFS LVM

https://www.linuxtechi.com/how-to-create-lvm-partition-in-linux/ https://www.golinuxcloud.com/lvcreate-command-in-linux/#How_to_install_lvcreate

If you get the error "Not creating system devices file due to existing VGs." Run vgimportdevices -a and check /etc/lvm/devices/system.devices

  1. Create a new partition for the Physical Volume (fdisk)
# Create the physical volume 
pvcreate /dev/vda4
# Create the volume group (vgcreate <vg_name>  <pv>)
vgcreate nextcloud_data /dev/vda4
# Create the logical volume (lvcreate -L <Size-of-LV> -n <LV-Name>   <VG-Name>)
# Or lvcreate -l 100%FREE
lvcreate -l 100%FREE -n nextcloud_data_vol nextcloud_data

# list the PV, VG, LV
pvs
vgs
lvs

# Format lv
mkfs.btrfs /dev/nextcloud_data/nextcloud_data_vol

LVM Thin Provisioning

https://linuxconfig.org/introduction-to-lvm-thin-provisioning

If you get the error "Not creating system devices file due to existing VGs." Run vgimportdevices -a and check /etc/lvm/devices/system.devices

Thin provisioning allows you to overprovision your storage drives to make the filesystem think it has more data than it does.

# Create the physical volume
pvcreate /dev/vda4
# Create the volume group
vgcreate vg0 /dev/vda4

# Create the thin pool - the volume with real data that will hold our thing volumes with fake data
lvcreate -l 100%FREE -T vg0/thinpool

# Create the thin volumes with fake data
lvcreate -T -V 2T vg0/thinpool -n local-path-provisioner
lvcreate -T -V 2T vg0/thinpool -n docker-data

# Format the fake volumes
mkfs.xfs /dev/mapper/vg0-local--path--provisioner
mkfs.xfs /dev/mapper/vg0-docker--data

Set eui64 on network interface

nmcli connection modify Wired\ connection\ 1 ipv6.addr-gen-mode eui64
nmcli connection modify Wired\ connection\ 1 ipv6.ip6-privacy disabled
systemctl restart NetworkManager

Install and Enable Cockpit

https://cockpit-project.org/running

dnf install cockpit
systemctl enable --now cockpit.socket
firewall-cmd --add-service=cockpit
firewall-cmd --add-service=cockpit --permanent

Troubleshooting

Cockpit Terminal Unusable or Weird Colors

Make sure you give canvas access to the browser (especially in librewolf)

Chroot into a mounted disk

This lets you run grub2-mkconfig among other things.

# Mount root
mount /dev/mapper/vg0-root /mnt

# Mount proc, sys, and dev
mount -t proc /proc proc/
mount --rbind /sys sys/
mount --rbind /dev dev/

# Mount boot and efi
mount /dev/vdb2 /mnt/boot
mount /dev/vdb1 /mnt/boot/efi

chroot /mnt

Resize Last Partition to Fill Available Space

parted /dev/vdb
# to resize /dev/vdb3 to fill 100% of the disk, for example
resizepart 3 100%
quit
# Resize the physical volume to match the partition
pvresize /dev/vdb3

LUKS performance

cryptsetup benchmark

Should output something like:

#     Algorithm |       Key |      Encryption |      Decryption
        aes-cbc        128b      1409.1 MiB/s      3627.9 MiB/s
    serpent-cbc        128b       146.5 MiB/s       981.4 MiB/s
    twofish-cbc        128b       289.8 MiB/s       613.3 MiB/s
        aes-cbc        256b      1100.2 MiB/s      3448.2 MiB/s
    serpent-cbc        256b       150.3 MiB/s       982.1 MiB/s
    twofish-cbc        256b       294.3 MiB/s       590.8 MiB/s
        aes-xts        256b      4423.5 MiB/s      4561.2 MiB/s
    serpent-xts        256b       874.9 MiB/s       883.7 MiB/s
    twofish-xts        256b       557.8 MiB/s       559.4 MiB/s
        aes-xts        512b      4551.2 MiB/s      4669.6 MiB/s
    serpent-xts        512b       890.8 MiB/s       860.5 MiB/s
    twofish-xts        512b       557.5 MiB/s       564.2 MiB/s

Which will tell you how fast you can theoretically write/read to encrypted drives.

The default encryption used by most modern operating systems is AES-XTS.

You can see your system's cipher and key with cryptsetup luksDump /dev/nvme0n1p1 | grep -i cipher

Set up firewall

sudo vim /etc/firewalld/firewalld.conf

LogDenied=all

# Restart and reload the firewalld service
sudo systemctl restart firewalld.service

# List all available firewalld zones and what they do
sudo firewall-cmd --list-all-zones

# Set the default firewall zone to public
sudo firewall-cmd --set-default-zone public

# Open a port temporarily
sudo firewall-cmd --add-port=25565/tcp

Monitor blocked traffic

sudo journalctl -f | grep -i REJECT

sudo journalctl -f | grep -i DROP

Dual Boot with Fingerprint Scanner Issues

https://commuity.frame.work/t/fingerprint-scanner-compatibility-with-linux-ubuntu-fedora-etc/1501/206

The script below will clear the existing fingerprints from the internal storage.

#! /usr/bin/python3

import gi
gi.require_version('FPrint', '2.0')
from gi.repository import FPrint

ctx = FPrint.Context()

for dev in ctx.get_devices():
    print(dev)
    print(dev.get_driver())
    print(dev.props.device_id);

    dev.open_sync()

    dev.clear_storage_sync()
    print("All prints deleted.")

    dev.close_sync()

Revert Kernel (if needed)

With koji

# Install koji (if you don't have it)
sudo dnf install -y koji

# Search for the desired kernel version
koji search build kernel-6.18.3*

# Create a temporary directory to store the donwloaded kernel packages
sudo -i
mkdir /root/kernel-download-6.18.3
cd /root/kernel-download-6.18.3

# Download the kernel packages
koji download-build --arch=x86_64 kernel-6.18.3-200.fc43
rm -f *debug*.rpm
rm -f *uki*.rpm
# Install all downloaded rpms
dnf install ./*.rpm

reboot

If you need to revert to previously installed kernels:

# Find the kernels you have installed
rpm -qa kernel

# List available kernels
ls /boot | grep vmlinuz

# Revert to a previous kernel
grubby --set-default /boot/vmlinuz-6.18.3...

This might throw errors when updating to newer kernels (file not found)

To restore back to the original kernel:

# If this directory exists, it's the problem
ls -d "/boot/efi/$(cat /etc/machine-id)"

# Move that directory out of the way
mv "/boot/efi/$(cat /etc/machine-id)" "/boot/efi/$(cat /etc/machine-id)_disabled"

# Reinstall the new kernel
dnf reinstall 'kernel*-0:6.18.8*'

Reverting linux-firmware

sudo -i
mkdir -p /root/linux-firmware-downgrade
cd /root/linux-firmware-downgrade

wget -r -np -nd -A '*.rpm' https://kojipkgs.fedoraproject.org/packages/linux-firmware/20251111/1.fc43/noarch/

dnf install ./*.rpm
dracut -f --kver 6.18.3...

reboot

Make DNF Fast

echo 'fastestmirror=1' | sudo tee -a /etc/dnf/dnf.conf
echo 'max_parallel_downloads=10' | sudo tee -a /etc/dnf/dnf.conf
echo 'deltarpm=true' | sudo tee -a /etc/dnf/dnf.conf

/etc/dnf/dnf.conf

[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=True
best=False
skip_if_unavailable=True
fastestmirror=1
max_parallel_downloads=10
deltarpm=true

Install Useful Packages

sudo dnf install vim

Set Hostname

hostnamectl set-hostname ducolaptop

Install updates

sudo dnf upgrade --refresh
sudo dnf check
sudo dnf autoremove
sudo fwupdmgr get-devices
sudo fwupdmgr refresh --force
sudo fwupdmgr get-updates
sudo fwupdmgr update
sudo reboot now

Extensions

sudo dnf install -y gnome-extensions-app gnome-tweaks
sudo dnf install -y gnome-shell-extension-appindicator

  1. Another Window Session Manager by 5q0Fw

    Restores windows on shutdown/reboot. Can be configured to automatically save the last state before restart. Pair this with "restore session" in firefox/chrome and you've got yourself a really good mac hibernate equivalent.

  2. Dash to Dock by michele_g

    Make the dock behave like macos. Hide when it would cover a window. Show when the mouse hovers over the bottom of the screen. Add some sane default shortcuts. Etc.

  3. Tactile by lundal

    Power-user tiling! Behaves like Windows Power Toys FancyZones.

  4. Vitals by corecoding

    Adds quick-glance stats about your system to the menu bar. Use to monitor CPU usage, memory availability, network speed, battery wattage, etc.

Gnome Tweaks

  1. Fonts -> Monospace Text -> Fira Code Regular
  2. Keyboard & Mouse -> Acceleration Profile -> Flat
  3. Keyboard & Mouse -> Mouse Click Emulation -> Fingers
  4. Top Bar -> Activities Overview Hot Corner -> Off
  5. Top Bar -> Battery Percentage -> On
  6. Top Bar -> Clock -> Weekday -> On
  7. Top Bar -> Clock -> Seconds -> On
  8. Windows -> Center New Windows -> On

Flatpack

flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
flatpak update

Snap

sudo dnf install -y snapd
sudo ln -s /var/lib/snapd/snap /snap # for classic snap support
ln -s /var/lib/snapd/desktop/applications ~/.local/share/applications/snap # make apps show up in gnome
sudo reboot now

AppImage Launcher

Download RPM from https://github.com/TheAssassin/AppImageLauncher/releases/tag/v2.2.0

Backups

Create Encrypted Drive

# Create an encrypted drive
sudo cryptsetup luksFormat /dev/sdb1

# LUKS Disk Encryption can use up to 8 key slots to store passwords. We can use these keys to auto mount LUKS device.
# cryptsetup luksDump /dev/sda

# Create a lukskeys
mkdir -p /home/ducoterra/.lukskeys

# Generate key
dd if=/dev/random bs=32 count=1 of=/home/ducoterra/.lukskeys/btr_backup

# Change key mode
chmod 600 /home/ducoterra/.lukskeys

# Luks add a key
sudo cryptsetup luksAddKey /dev/sda /home/ducoterra/.lukskeys/btr_backup

# Get UUID of disk with
sudo blkid /dev/sda1

# Add key to crypttab
echo 'btr_backup UUID=1d7ce570-e695-47a0-9dda-5f14b5b20e21 /home/ducoterra/.lukskeys/btr_backup luks' >> /etc/crypttab

# Create read-only backup mount point
sudo btrfs sub create /mnt/btr_backup
sudo btrfs property set /mnt/btr_backup ro true

# Add to fstab
echo '/dev/mapper/btr_backup /mnt/btr_backup btrfs x-systemd.device-timeout=0,x-gvfs-show,x-gvfs-name=btr_backup,ssd,nofail,noatime,discard=async,compress=zstd 0 0' >> /etc/fstab

# mount
sudo cryptsetup luksOpen /dev/disk/by-uuid/1d7ce570-e695-47a0-9dda-5f14b5b20e21 backup0 --key-file=/home/ducoterra/.lukskeys/backup0

# close (or fix issues)
sudo cryptsetup luksClose backup0

Backup Disks

Backup disks will respect the following naming convention:

brand_size_purpose_year_month

So for a backup drive you would create:

wd_4tb_backup_2023_01

Or for an archive drive:

samsung_1tb_archive_2023_01

Disk Health

smartctl -a /dev/sda

Create BTRBK Config

sudo vim /etc/btrbk/btrbk.conf

snapshot_create         ondemand
snapshot_preserve_min   2d
snapshot_preserve       14d
snapshot_dir snapshots

target_preserve_min     no
target_preserve         20d 10w *m

volume /mnt/btr_pool
    target       /mnt/btr_backup
    subvolume    root
    subvolume    home

Create Systemd Timer

sudo vim /etc/systemd/system/btrbk.service

[Unit]
Description=Runs btrbk with config file at /etc/btrbk/btrbk.conf

[Service]
ExecStart=btrbk -c /etc/btrbk/btrbk.conf -v run

sudo vim /etc/systemd/system/btrbk.timer

[Unit]
Description=Run btrbk every hour

[Timer]
OnCalendar=hourly
AccuracySec=10min
Persistent=true
Unit=btrbk.service

[Install]
WantedBy=timers.target

Test, Start and Enable service

Test your service:the available storage space on our NAS to the iSCSI target and the other half

sudo btrbk -c /etc/btrbk/btrbk.conf -v run

Enable your service:

sudo systemctl start btrbk.timer

sudo systemctl enable btrbk.timer

Restore

In the event you need to restore your system from a disaster do the following:

  1. Reinstall fedora via a live image
  2. After install, disk should be mounted at /mnt/sysimage
  3. Copy the new fstab and crypttab to somewhere safe
  4. rsync -av [etc, home, opt, root, usr, var]
  5. mount /dev/Y /mnt/sysimage/boot
  6. mount /dev/Z /mnt/sysimage/boot/efi
  7. mount --bind /dev /mnt/sysimage/dev
  8. mount --bind /proc /mnt/sysimage/proc
  9. mount --bind /sys /mnt/sysimage/sys
  10. chroot /mnt/sysimage
  11. Edit fstab and crypttab so they match the new partitions
  12. Update /etc/default/grub to match the new luks uuid
  13. grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
  14. reboot

Firewall CMD

  1. Enable firewall

    systemctl start firewall-cmd
systemctl enable firewall-cmd

  2. Set default behavior to drop everything

    firewall-cmd --set-default-zone=drop
systemctl reload firewall-cmd

Bluetooth

Airpods

Edit: /etc/bluetooth/main.conf Set ControllerMode = bredr

  1. restart bluetooth service
  2. connect airpods
  3. comment line out
  4. restart bluetooth service again

ZRAM

Edit /etc/systemd/zram-generator.conf

[zram0]
zram-size = min(ram / 2, 16384)
compression-algorithm = lzo-rle
options =
writeback-device = /dev/zvol/tarta-zoot/swap-writeback

Automatic Disk Decryption with TPM2

It's a friendlier experience to just encrypt your root partition with tpm and lunlock your remaining drives with key files stored at /etc/ukskeys. This way you only need to reregister one key with your tpm and the remaining drives will be unlocked automatically.

Add your luks keys to the tpm module and set up boot parameters:

# Enroll for the first time
sudo -E systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+4+7 /dev/nvme1n1p3

# Add tpm2 configuration option to /etc/crypttab
# You can get the uuid with lsblk and blkid
luks-d9828faa-2b8c-4184-9e74-9054ae328c6d UUID=d9828faa-2b8c-4184-9e74-9054ae328c6d none tpm2-device=auto,discard

# Add rd.luks.options=tpm2-device=auto to grub
sudo grubby --args="rd.luks.options=tpm2-device=auto" --update-kernel=ALL

# Regenerate the boot parameters
sudo dracut -f

We can configure our system to automatically reenroll the tpm device on boot so you only need to enter your password on kernel updates.

# Create a new random password for your disk
sudo cryptsetup luksAddKey /dev/nvme0n1p3

/etc/systemd/system/tpm_luks_cryptenroll.service

[Unit]
Description=Automatically runs systemd-cryptenroll on login

[Service]
Type=oneshot
ExecStart=/usr/bin/systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+4+7 --wipe-slot=tpm2 /dev/nvme0n1p3
# new random password you just created
Environment=PASSWORD=

[Install]
WantedBy=multi-user.target

# Now enable the service
sudo systemctl enable tpm_luks_cryptenroll.service

Firefox GPU Rendering

https://community.frame.work/t/linux-battery-life-tuning/6665

dnf install intel-media-driver intel-gpu-tools

Type in about:config in the address bar and hit enter.

Set media.rdd-ffmpeg.enabled, media.ffmpeg.vaapi.enabled and media.navigator.mediadatadecoder_vpx_enabled to true.

Close and reopen your browser

Run the command sudo intel_gpu_top, play a 4k video and check whether the Video section is above 0.00%

Gnome Software Updates (packagekitd and software)

To prevent Gnome Shell from starting Software open Settings->Search and disable Software from there.

Disable auto-updates

sudo systemctl disable packagekit
sudo systemctl stop packagekit

dconf write /org/gnome/software/allow-updates false
dconf write /org/gnome/software/download-updates false

Turn Off Fingerprint When Laptop Lid Closed

To disable fingerprint authentication when the laptop lid is closed, and re-enable when it is reopened, we will use acpid to bind to the button/lid.* event to a custom script that will stop and mask the fprintd service on lid close, and unmask and start the fprintd service on lid open.

We also check that the HDMI cable is connected by testing the contents of /sys/class/drm/card0-HDMI-A-1/status.

Follow the steps below:

  1. Create a .locks file in your home dir: mkdir ~/.locks

  2. Create file /etc/acpi/laptop-lid.sh with the following contents:

    #!/bin/bash

lock=/home/ducoterra/.locks/fprint-disabled.lock

if grep -Fq closed /proc/acpi/button/lid/LID0/state # &&
    # This is used to detect if a display is connected.
    # For USB C displayport use: 
    # grep -Fxq connected /sys/class/drm/card1-DP-2/status
    # For hdmi use:
    # grep -Fxq connected /sys/class/drm/card0-HDMI-A-1/status
then
    touch "$lock"
    systemctl stop fprintd
    systemctl mask fprintd
elif [ -f "$lock" ]
then
    systemctl unmask fprintd
    systemctl start fprintd
    rm -f "$lock"
fi

  3. Make the file executable with

    chmod +x /etc/acpi/laptop-lid.sh

  4. Create file /etc/acpi/events/laptop-lid with the following contents:

    event=button/lid.*
action=/etc/acpi/laptop-lid.sh

  5. Restart the acpid service with:

    sudo service acpid restart

Now the fingerprint will be used only when the lid is open.

In order to restore the correct state of the fprintd service if you disconnect/reconnect while the laptop is off, you may call the above script from a systemd init file. The steps to do this are the following:

  1. Create a file named /etc/systemd/system/laptop-lid.service with the following contents:

    [Unit]
Description=Laptop Lid
After=suspend.target

[Service]
ExecStart=/etc/acpi/laptop-lid.sh

[Install]
WantedBy=multi-user.target
WantedBy=suspend.target

  2. Reload the systemd config files with

    sudo systemctl daemon-reload

  3. Start the service with

    sudo systemctl start laptop-lid.service

  4. Enable the service so that it starts automatically on boot

    sudo systemctl enable laptop-lid.service

Now the status should be correct even after connecting/disconnecting when the computer is off.

Power Button Behavior

The power button is controlled from 2 locations:

  1. DCONF (or gnoem settings) at gnome.settings-daemon.plugins.power
  2. ACPI at /etc/acpi/events/powerconf

The powerconf acpi configuration will execute at the same time the gnome settings do. This can lead to situations where the gnome settings say "suspend" but the acpi settings say "shutdown". On waking up your laptop it will immediately shutdown.

The solution is to comment out everything in /etc/acpi/events/powerconf and rely on the gnome settings OR set the gnome settings to "nothing" and edit /etc/acpi/actions/power.sh with the behavior you expect. Either way you should pick one to control power button behavior.

Discord

vim ~/.local/share/applications/Discord.desktop

[Desktop Entry]
Encoding=UTF-8
Name=Discord
Exec=/home/ducoterra/Applications/Discord/Discord
Icon=/home/ducoterra/Applications/Discord/discord.png
Type=Application
Categories=Communication;

Discord sharing not working

THIS IS PROBABLY A PER-APP THING

Likely the thing you're trying to share doesn't work, it's not wayland's fault.

If you're trying to share firefox - download the firefox binary and dnf uninstall the other one. For whatever reason the preinstalled binary doesn't like screen share. You can use the following:

~/.local/share/applications/firefox.desktop

[Desktop Entry]
Encoding=UTF-8
Name=Firefox
Exec=/home/ducoterra/Applications/firefox/firefox-bin
Icon=/home/ducoterra/.icons/firefox.svg
Type=Application
Categories=Browser;

Minecraft

  1. You can find extra java versions at /etc/alternatives
  2. You need to dnf install xrandr to launch any modpacks
  3. You can create a desktop icon by putting this at ~/.local/share/applications/*.desktop:
[Desktop Entry]
Type=Application
Version=1.0
Name=Minecraft
Comment=Minecraft Launcher
Path=/home/ducoterra/Applications
Exec=minecraft-launcher
Icon=/home/ducoterra/Icons/minecraft-launcher.png
Terminal=false
Categories=Games;

Sound Devices

If you want to disable a specific device or tell Fedora not to use a specific device as output or input (looking at you yeti microphone, you're not a speaker), you can install pulse audio control for much more fine-tuned... control.

Setting your speakers to analog output seems to work best for a USB dac if it has a separate volume knob since this ties the volume knob on the dac to the internal volume of your computer.

Setting your mic to analog input works just fine on a yeti usb mic.

sudo dnf install pavucontrol

Install ffmpegthumbnailer, remove totem

totem-thumbnailer crashes all the time and isn't as good as ffmpeg's thumbnailer. What's more, totem video player ("Videos" by default on gnome) is not as good as vlc and doesn't work very well for anything more than basic video playback.

sudo dnf remove totem
sudo dnf install ffmpegthumbnailer

Add compatibility for HEIC to mogrify

sudo dnf install libheic-freeworld
Reference in New Issue View Git Blame Copy Permalink