# Fedora/CentOS/RHEL Setup

:::info
李智源, jtkiew
:::

Suppose you are on a Fedora/CentOS/RHEL machine preparing another Fedora machine. All commands in this document require sudo privilege.

## Pre-installation

Stick a flash drive into your current machine. Then, download the latest Fedora image and write it onto the flash drive with *mediawriter*.

```bash
dnf install mediawriter
mediawriter &
```

By default, Fedora Workstation doesn't install *cockpit* but installs a graphical shell; the *default* GNOME shell is much more minimal than that of Ubuntu, Debian, and Arch Linux. Fedora Server installs cockpit by default without a graphical shell.

### Intel AMT

http://h10032.www1.hp.com/ctg/Manual/c03975296

## Installation

The installation process is graphical unless you're using a serial console; this has no effect on whether the installed system is graphical or not.

1. Set an admin user (of the *wheel* group), and don't set up the root user.
2. Configure the network.
3. Configure the timezone and NTP.
4. Accept the default partition scheme, and resize partitions after installation.

## Post-installation

Unless necessary, remove the home partition and resize the root partition to the fullest.

```bash
# unmount the home partition
lvextend <volume> -L <size>   # lvextend /dev/fedora_fed/root -L +200G
xfs_growfs <mount point>      # xfs_growfs /
# set up /home
```

Disable cockpit and configure the firewall. Note that `<public zone>` could be one of `public`, `FedoraServer`, or `FedoraWorkstation`.

```bash
systemctl stop cockpit.service cockpit.socket
systemctl disable cockpit cockpit.socket
# dnf -y remove cockpit
firewall-cmd --zone=<public zone> --remove-service=cockpit
# firewall-cmd --zone=<public zone> --add-service={http,https,dns}
# firewall-cmd --zone=<public zone> --add-port=1053/udp   # wireguard
firewall-cmd --runtime-to-permanent
```

### Neovim

Install Neovim, and copy the vendor-provided config file to the system default location.
Don't edit the vendor-provided config file, as it will be overwritten after each update.

```bash
dnf install neovim
mkdir /etc/xdg/nvim
cp /usr/share/nvim/sysinit.vim /etc/xdg/nvim/sysinit.vim
```

Append the following content to `/etc/xdg/nvim/sysinit.vim`.

```
syntax on
set nu ai
set et ts=4 sw=4
set laststatus=0 ruler
```

### Bash

Create the file `/etc/profile.d/aliases.sh` with the following content. One doesn't edit `/etc/profile` nor `/etc/bashrc`, for the same reason as `/etc/xdg/nvim/sysinit.vim`.

```bash
alias cp='cp -i'
alias rm='rm -i'
alias mv='mv -i'
alias vi=nvim
alias vim=nvim
alias rvim='nvim -R'
export EDITOR=nvim
```

Log in again for the change to take effect.

### Sudo

To skip the password check for the *wheel* group, change the sudoers file to the following via *visudo*.

:::warning
Always change the sudoers file with *visudo*.
:::

```
# %wheel ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
```

### SSH

Create the file `/etc/ssh/sshd_config.d/00-hardened.conf` with the following content. The `00-` prefix of the config file name is crucial: sshd keeps the first value it reads for each keyword and reads the drop-ins in file-name order, so the pre-installed `/etc/ssh/sshd_config.d/50-redhat.conf` would take precedence if its name sorted before ours.

```
LoginGraceTime 2m
PermitRootLogin prohibit-password
StrictModes yes
MaxAuthTries 6
MaxSessions 10
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
```

*Reload* the SSH daemon to take effect:

```bash
systemctl reload sshd.service
```

### Wireguard

### Nvidia

[rpmfusion](https://rpmfusion.org/Howto/NVIDIA)

```bash
dnf install -y \
    https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm \
    https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm \
    akmod-nvidia \
    xorg-x11-drv-nvidia-cuda   # optional for cuda/nvdec/nvenc support
```

Check with `modinfo -F version nvidia`; it should **not** output `modinfo: ERROR: Module nvidia not found`.
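The `00-` ordering rule in the SSH section above can be checked rather than trusted. The script below is an added example, not part of the original guide. It assumes the stock Fedora layout (`sshd_config` carrying `Include /etc/ssh/sshd_config.d/*.conf` near its top), that sshd reads the included files in sorted order and keeps the first value it sees for each keyword, and it handles only absolute `Include` paths and plain `Keyword value` lines, stopping at a `Match` line because everything below one is conditional. The function names `effective_value`, `audit_hardening` and `demo_precedence` are mine.

```shell
#!/bin/sh
# Added example (not from the original guide): resolve the value sshd would
# use for a keyword from sshd_config plus its sshd_config.d drop-ins.
# Assumptions: included files are read in sorted (glob) order, the FIRST
# value read for a keyword wins, Include paths are absolute, and a Match
# line ends the global section of a file.

# effective_value <sshd_config> <keyword>
# Prints the first value found for <keyword> (case-insensitive), descending
# into Include lines in order; returns 1 if the keyword is never set.
effective_value() {
    _cfg=$1
    _lkey=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while IFS= read -r _line || [ -n "$_line" ]; do
        set -f                      # no globbing while splitting the line
        set -- $_line
        set +f
        [ $# -gt 0 ] || continue
        _lk=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        shift
        case $_lk in
            '#'*) continue ;;
            match) break ;;         # values below Match are conditional
            include)
                for _inc in $1; do  # the glob expands here, in sorted order
                    [ -f "$_inc" ] || continue
                    if _v=$(effective_value "$_inc" "$_lkey"); then
                        printf '%s\n' "$_v"
                        return 0
                    fi
                done ;;
            "$_lkey")
                printf '%s\n' "$*"
                return 0 ;;
        esac
    done < "$_cfg"
    return 1
}

# audit_hardening <sshd_config>
# Compares the effective values of the keywords from 00-hardened.conf with
# the intended ones; prints one line per keyword, returns 1 on any mismatch.
audit_hardening() {
    _rc=0
    for _pair in PasswordAuthentication=no PermitRootLogin=prohibit-password \
                 PermitEmptyPasswords=no ChallengeResponseAuthentication=no; do
        _k=${_pair%%=*}
        _want=${_pair#*=}
        _got=$(effective_value "$1" "$_k") || _got='(unset: sshd default)'
        printf '%-32s %-24s want %s\n' "$_k" "$_got" "$_want"
        [ "$_got" = "$_want" ] || _rc=1
    done
    return $_rc
}

# demo_precedence: constructed /etc/ssh-like tree in a temp dir showing
# that the vendor value wins as soon as our drop-in sorts after it.
demo_precedence() {
    _d=$(mktemp -d)
    mkdir "$_d/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\nPasswordAuthentication yes\n' "$_d" > "$_d/sshd_config"
    printf 'PasswordAuthentication no\nPermitRootLogin prohibit-password\n' > "$_d/sshd_config.d/00-hardened.conf"
    printf 'PasswordAuthentication yes\n' > "$_d/sshd_config.d/50-redhat.conf"
    printf '00-hardened.conf: '; effective_value "$_d/sshd_config" PasswordAuthentication   # no
    mv "$_d/sshd_config.d/00-hardened.conf" "$_d/sshd_config.d/99-hardened.conf"
    printf '99-hardened.conf: '; effective_value "$_d/sshd_config" PasswordAuthentication   # yes
    rm -r "$_d"
}

case ${1:-} in demo) demo_precedence ;; esac
```

On a live host `sshd -T | grep -i passwordauthentication` reports the same effective value from the daemon itself; the script is for the moment before a reload, or for a config tree copied from another machine, where `sshd -T` is not an option.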
## Virtualization

[FedoraDoc on virtualization](https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-virtualization/)

```bash
# dnf groupinfo virtualization
# dnf install @virtualization
dnf group install --with-optional virtualization
systemctl start libvirtd
systemctl enable libvirtd
```

To verify that the KVM kernel modules are properly loaded:

```bash
lsmod | grep kvm
# kvm_amd               114688  0
# kvm                   831488  1 kvm_amd
```

## Webserver setup

### CoreDNS

Install the precompiled binary from [here](https://github.com/coredns/coredns/releases/).

```bash
cd /tmp
curl -LO <url to coredns_<version>_linux_amd64.tgz>
tar zxvf coredns_<version>_linux_amd64.tgz
install coredns /usr/bin
```

:::success
1. Let `<domain>` = `<host>.<origin>`.
2. `<domain>` should refer to `<host ip>`.
3. In our case, `<dns ip>` = `<host ip>`.
:::

Set up its working directory: `mkdir /etc/coredns`.

Create the *Corefile* `/etc/coredns/Corefile` with content:

```
.:1053 {
    whoami
}
<origin> {
    bind <dns ip>
    file <origin>.zone
}
```

Create the *zone file* `/etc/coredns/<origin>.zone` with content:

```
$ORIGIN <origin>.
$TTL 15
@       IN  SOA ns1.<origin>. hostmaster.<origin>. (
            2020121123  ;Serial
            7200        ;Refresh
            3600        ;Retry
            1209600     ;Expire
            3600        ;Minimum TTL
)
@       IN  NS  ns1.<origin>.
ns1     IN  A   <dns ip>
<host>  IN  A   <host ip>
```

Note that the upper-level authoritative DNS must have the following records:

```
ns1.<origin>  IN  A   <dns ip>
<origin>      IN  NS  ns1.<origin>
```

Create the *unit file* `/etc/systemd/system/coredns.service` with content:

```
[Unit]
Description=CoreDNS server
After=network.target

[Service]
WorkingDirectory=/etc/coredns
ExecStart=/usr/bin/coredns
Restart=on-failure
RestartSec=15s

[Install]
WantedBy=multi-user.target
```

Finally, start coredns with `systemctl start coredns`. Test it with `dig @<dns ip> <domain>`.

### Let's Encrypt and Nginx

Install nginx and start it. Note that port 80 and an existing domain name are required for passing the Certbot challenge.
```bash
dnf install nginx
systemctl start nginx
```

Get the certificate. Your private key will be generated in the process.

```bash
dnf install snapd
ln -s /var/lib/snapd/snap /snap   # for --classic confinement
snap install core
snap refresh core                # pedantic
dnf remove certbot               # pedantic
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
certbot certonly --nginx
certbot renew --dry-run          # test automatic renewal
```

Create symbolic links to the certificate and private key.

```bash
mkdir -p /etc/pki/nginx/private
ln -s \
    /etc/letsencrypt/live/<domain>/fullchain.pem \
    /etc/pki/nginx/server.crt
ln -s \
    /etc/letsencrypt/live/<domain>/privkey.pem \
    /etc/pki/nginx/private/server.key
```

Uncomment the following section in `/etc/nginx/nginx.conf`.

```
server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
    server_name  _;
    root         /usr/share/nginx/html;

    ssl_certificate "/etc/pki/nginx/server.crt";
    ssl_certificate_key "/etc/pki/nginx/private/server.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
```

Test the config with `nginx -t`, and apply it with `nginx -s reload`. Then, navigate to `https://<domain>`.
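Every edit to the CoreDNS zone file in the section above needs a larger SOA serial, and the parent-zone records listed in that section's note follow mechanically from the zone's own `$ORIGIN`, `NS` and `A` lines. The script below is an added example, not from the original guide. It assumes the zone file layout shown above (the serial on its own line followed by the `;Serial` comment, records written as `name IN TYPE value`) and the `YYYYMMDDnn` serial convention. It also generalizes the note slightly: for a nameserver outside the zone it prints only the `NS` record, since glue `A` records are needed only for in-zone nameservers. The function names `zone_serial`, `bump_serial` and `delegation_records` are mine, and `example.test` with `192.0.2.1` is a constructed zone.

```shell
#!/bin/sh
# Added example (not from the original guide): maintain the SOA serial of the
# zone file and derive the delegation records the parent zone must carry.
# Assumes the zone file layout used above and YYYYMMDDnn serials.

# zone_serial <zonefile>: print the current SOA serial.
zone_serial() {
    sed -n 's/^[[:space:]]*\([0-9]\{1,\}\)[[:space:]]*;Serial.*/\1/p' "$1" | head -n 1
}

# bump_serial <zonefile> [YYYYMMDD]
# Rewrite the serial in place and print the new one. Today's date is used
# unless a date is given (handy for tests). The result is always strictly
# greater than the old serial: secondaries, and CoreDNS's own zone reload,
# only pick up a zone whose serial has grown.
bump_serial() {
    _zone=$1
    _today=${2:-$(date +%Y%m%d)}
    _old=$(zone_serial "$_zone")
    [ -n "$_old" ] || { echo "no ';Serial' line in $_zone" >&2; return 1; }
    case $_old in
        "$_today"??) _new=$((_old + 1)) ;;          # same day: bump nn
        *) _new="${_today}00"
           # never go backwards (serial from a later date, clock skew, ...)
           [ "$_new" -gt "$_old" ] || _new=$((_old + 1)) ;;
    esac
    _tmp=$(mktemp) || return 1
    sed "s/^\([[:space:]]*\)$_old\([[:space:]]*;Serial\)/\1$_new\2/" "$_zone" > "$_tmp" \
        && cat "$_tmp" > "$_zone"   # keep the zone file's inode, owner and mode
    rm -f "$_tmp"
    printf '%s\n' "$_new"
}

# delegation_records <zonefile>
# Print the NS records (and, for in-zone nameservers, the glue A records)
# the parent zone must carry, derived from $ORIGIN and the zone's NS/A lines.
delegation_records() {
    _origin=$(sed -n 's/^\$ORIGIN[[:space:]]*\(.*\)\.$/\1/p' "$1" | head -n 1)
    [ -n "$_origin" ] || { echo "no \$ORIGIN line in $1" >&2; return 1; }
    for _ns in $(awk '$2 == "IN" && $3 == "NS" { print $4 }' "$1"); do
        _nsname=${_ns%.}                 # strip the trailing dot
        _label=${_nsname%.$_origin}      # ns1.example.test -> ns1
        if [ "$_label" = "$_nsname" ]; then
            printf '%s IN NS %s\n' "$_origin" "$_nsname"   # out-of-zone NS: no glue
            continue
        fi
        _ip=$(awk -v n="$_label" '$1 == n && $2 == "IN" && $3 == "A" { print $4; exit }' "$1")
        [ -n "$_ip" ] || { echo "no A record for $_nsname in the zone" >&2; return 1; }
        printf '%s IN A %s\n' "$_nsname" "$_ip"
        printf '%s IN NS %s\n' "$_origin" "$_nsname"
    done
}
```

CoreDNS's `file` plugin re-reads the zone when it sees the serial change (its `reload` interval defaults to one minute), so bumping the serial is what makes an edit visible; `dig @<dns ip> <origin> SOA` shows which serial is actually being served.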
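Before `nginx -s reload`, it is worth confirming that the two symlinks created above actually resolve, that the private key belongs to the certificate, and that the certificate is not about to expire: a dangling link or a mismatched key makes nginx refuse the new config. The script below is an added example, not from the original guide. It defaults to the paths from the `ln -s` commands above, uses only `openssl x509` and `openssl pkey` for the key and expiry checks, and skips those two checks when openssl is absent. The function name `check_tls_links` is mine.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-flight check of the nginx
# certificate paths before "nginx -s reload". Defaults are the paths used
# above; pass other paths to run it against test files.

# check_tls_links [crt] [key] [days]
# 1. both paths resolve (through any symlink) to a readable regular file;
# 2. if openssl is available, the key's public half matches the certificate
#    and the certificate stays valid for at least <days> more days (default 7).
check_tls_links() {
    _crt=${1:-/etc/pki/nginx/server.crt}
    _key=${2:-/etc/pki/nginx/private/server.key}
    _days=${3:-7}
    for _p in "$_crt" "$_key"; do
        if [ -L "$_p" ] && [ ! -e "$_p" ]; then
            echo "dangling symlink: $_p -> $(readlink "$_p")" >&2
            return 1
        fi
        [ -f "$_p" ] && [ -r "$_p" ] || { echo "not a readable file: $_p" >&2; return 1; }
    done
    command -v openssl >/dev/null 2>&1 \
        || { echo "openssl not found, skipped key/expiry checks" >&2; return 0; }
    # Compare the SubjectPublicKeyInfo derived from each side.
    _cpub=$(openssl x509 -noout -pubkey -in "$_crt" 2>/dev/null) \
        || { echo "unreadable certificate: $_crt" >&2; return 1; }
    _kpub=$(openssl pkey -pubout -in "$_key" 2>/dev/null) \
        || { echo "unreadable private key: $_key" >&2; return 1; }
    [ "$_cpub" = "$_kpub" ] || { echo "key does not match certificate" >&2; return 1; }
    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -noout -checkend $((_days * 86400)) -in "$_crt" >/dev/null \
        || { echo "certificate expires within $_days days" >&2; return 1; }
    echo "ok: $_crt / $_key"
}
```

Run it as root (the private key is not world-readable) right before `nginx -t`; with certbot's automatic renewal in place, a low `days` threshold such as the default 7 only fires when renewal has silently stopped working.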