homelab/infrastructure/graduated/fedora/fedora-server.md

Fedora Server

https://docs.fedoraproject.org/en-US/fedora-server/installation/postinstallation-tasks/#_manage_system_updates

Note that these instructions distinguish between an operator and a server. The operator is any machine that configures the server: a pipeline, a laptop, a dedicated server, and so on. A server can be its own operator, but that is not recommended, since servers should be ephemeral and the operator stores information about each server.

Installation

  1. Create an administrator. We'll give ssh root access later, but this gives you a cockpit user.
  2. Ensure the IPv6 connection is set to "eui64".
  3. Set the hostname.

Resize logical volume

# Replace /dev/sda2 with whatever your disks are
# This assumes xfs
pvresize /dev/sda2
lvextend /dev/mapper/root -l+100%FREE
xfs_growfs -d /dev/mapper/root

Setup SSH

On the operator:

export SSH_HOST=kube
ssh-keygen -t rsa -b 4096 -C ducoterra@"$SSH_HOST".reeselink.com -f ~/.ssh/id_"$SSH_HOST"_rsa

# Note: If you get "too many authentication failures" it's likely because you have too many private
# keys in your ~/.ssh directory. Use `-o PubkeyAuthentication=no` so only the password is offered here.
ssh-copy-id -o PubkeyAuthentication=no -i ~/.ssh/id_"$SSH_HOST"_rsa.pub ducoterra@"$SSH_HOST".reeselink.com

cat <<EOF >> ~/.ssh/config

Host ${SSH_HOST}
    Hostname ${SSH_HOST}.reeselink.com
    User root
    ProxyCommand none
    ForwardAgent no
    ForwardX11 no
    Port 22
    TCPKeepAlive yes
    IdentityFile ~/.ssh/id_${SSH_HOST}_rsa
EOF

On the server:

# Copy authorized_keys to root (create /root/.ssh first in case it does not exist yet)
sudo mkdir -p -m 700 /root/.ssh
sudo cp ~/.ssh/authorized_keys /root/.ssh/authorized_keys
sudo chmod 600 /root/.ssh/authorized_keys

# Change your password
passwd

sudo su -
echo "PasswordAuthentication no" > /etc/ssh/sshd_config.d/01-prohibit-password.conf
echo '%wheel    ALL=(ALL)   NOPASSWD: ALL' > /etc/sudoers.d/01-nopasswd-wheel
chmod 0440 /etc/sudoers.d/01-nopasswd-wheel   # sudo ignores sudoers.d files that are more permissive than 0440
visudo -cf /etc/sudoers.d/01-nopasswd-wheel   # syntax-check the drop-in before relying on it
sshd -t && systemctl restart sshd             # validate the sshd config before restarting

On the operator:

# Confirm that password logins are now refused (this connection should fail)
ssh -o PubkeyAuthentication=no ducoterra@${SSH_HOST}.reeselink.com

# Confirm that you can log into the server as root using the ssh config entry
ssh $SSH_HOST

DNF

Configure dnf to use the fastest mirror:

echo 'fastestmirror=1' >> /etc/dnf/dnf.conf
dnf clean all
dnf update

Fail2Ban

On the server:

dnf install -y fail2ban

# Setup initial rules
cat <<EOF > /etc/fail2ban/jail.local
# Jail configuration additions for local installation

# Adjust the default configuration's default values
[DEFAULT]
# Optionally enter a trusted IP range that is never banned
# ignoreip = 2600:1700:1e6c:a81f::0/64
bantime  = 6600
# Fedora Server logs sshd to the journal only (no /var/log/secure unless rsyslog is installed),
# so read from journald instead of the "auto" file-based backends
backend = systemd

# The main configuration file defines all services but
# deactivates them by default. We have to activate those needed
[sshd]
enabled = true
EOF

systemctl enable fail2ban --now
tail -f /var/log/fail2ban.log

Automatic Updates

On the server:

dnf install dnf-automatic -y

systemctl enable --now dnf-automatic.timer

Edit the dnf-automatic configuration so that it only applies security updates.
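As an added example (not part of these notes), a small POSIX sh helper that applies the two settings in /etc/dnf/automatic.conf which restrict dnf-automatic to security advisories and let it apply them. The two keys are the real ones from that file; the sample config the helper edits below is constructed so the edit can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original notes): restrict dnf-automatic to
# security advisories and let it apply them. upgrade_type and apply_updates
# are the real keys in /etc/dnf/automatic.conf; the sample file is constructed.

# set_ini_key FILE SECTION KEY VALUE: replace KEY inside [SECTION], append if absent.
set_ini_key() {
    tmp=$(mktemp) || return 1
    awk -v s="$2" -v k="$3" -v v="$4" '
        /^\[.*\]$/ {                                   # a new section header
            if (insec && !done) { print k " = " v; done = 1 }   # key was missing: add it before leaving
            insec = ($0 == "[" s "]")
        }
        insec && !done && $0 ~ ("^" k "[ \t]*=") { print k " = " v; done = 1; next }
        { print }
        END {
            if (!done) { if (!insec) print "[" s "]"; print k " = " v }
        }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat (not mv) keeps the file owner and mode
    rc=$?; rm -f "$tmp"; return $rc
}

# get_ini_key FILE SECTION KEY: print the current value of KEY in [SECTION]
get_ini_key() {
    awk -v s="$2" -v k="$3" '
        /^\[.*\]$/ { insec = ($0 == "[" s "]"); next }
        insec && $0 ~ ("^" k "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# harden_dnf_automatic FILE: security-only upgrades, applied rather than just downloaded
harden_dnf_automatic() {
    set_ini_key "$1" commands upgrade_type security &&
    set_ini_key "$1" commands apply_updates yes
}

# Constructed sample that mirrors the stock file's layout (not a verbatim copy)
write_sample_conf() {
    cat > "$1" <<'EOF'
[commands]
upgrade_type = default
random_sleep = 300
download_updates = yes
apply_updates = no

[emitters]
emit_via = stdio
EOF
}

# On a real server, as root: harden_dnf_automatic /etc/dnf/automatic.conf
```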

Disable Swap

swapoff -a
zramctl --reset /dev/zram0
dnf -y remove zram-generator-defaults

SELinux

By default SELinux will be enforcing. You can set it to permissive with

setenforce 0

And then make it permanent by editing /etc/selinux/config and setting SELINUX=permissive.

Firewalld

Set the default firewalld zone to public:

firewall-cmd --set-default-zone=public

Firewalld will be on and blocking by default. You can check the zone and allowed ports with:

firewall-cmd --zone=public --list-ports
firewall-cmd --zone=public --list-services

Allow Cockpit with:

firewall-cmd --permanent --zone=public --add-port=9090/tcp
firewall-cmd --reload

Docker with Podman as Runtime

Note: you'll need to SSH into the server as that user so that the user's systemd session is started.

sudo dnf install podman docker docker-compose
sudo loginctl enable-linger 1000 # Or whatever user

systemctl --user enable --now podman.socket
docker context create podman --docker host=unix://$XDG_RUNTIME_DIR/podman/podman.sock
docker context use podman

Extras

On the server:

# Set vim as the default editor
dnf install -y vim-default-editor  --allowerasing

# Install glances for system monitoring
dnf install -y glances

# Install zsh with autocomplete and suggestions
dnf install -y zsh zsh-autosuggestions zsh-syntax-highlighting

cat <<EOF > ~/.zshrc
# History
HISTFILE=~/.zsh_history
HISTSIZE=10000
SAVEHIST=10000
setopt appendhistory

# Basic settings
autoload bashcompinit && bashcompinit
autoload -U compinit; compinit
zstyle ':completion:*' menu select

# Prompt settings
autoload -Uz promptinit
promptinit
prompt redhat
PROMPT_EOL_MARK=

# Syntax Highlighting
source /usr/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
source /usr/share/zsh-autosuggestions/zsh-autosuggestions.zsh

### Custom Commands and Aliases ###
EOF

chsh -s $(which zsh) && chsh -s $(which zsh) ducoterra

Downgrading Kernel

dnf install koji

# Note: format is kernel-version.fedora-version
cd $(mktemp -d) && koji download-build --arch=x86_64 --arch=noarch kernel-6.11.3-300.fc41 && dnf install ./*

reboot