Server Installation

Preliminaries

Pre-installation

  1. Download the Fedora IoT .iso installer. In the unlikely scenario that your hosting provider offers Fedora IoT images, you can skip ahead to step 4.

  2. Upload and attach the .iso installer to the virtual machine.

  3. Configure the VM for UEFI boot.

Installation

  1. Start the installer.

  2. Disable the root account and create an administrator user named max.

  3. Partition as follows:

    Index  Mount Point  Size       Type
    1      /boot/efi    500M       EFI
    2      /boot        4G         ext4
    3      [SWAP]       8G         swap
    4      /            remaining  btrfs
    4.1    /home/                  subvol

  4. Install the system.

  5. Reboot into the installed system.

  6. Install your SSH key:

    % ssh-copy-id max@maxchernoff.ca  # From your local machine
    
  7. Log in to the server:

    % ssh max@maxchernoff.ca
    
  8. Enable IPv6:

    $ sudo nmcli connection modify ens3 ipv6.method manual ipv6.addresses 2a0a:4cc0:2000:172::1/64 ipv6.gateway fe80::1
    $ sudo nmcli connection up ens3
    
  9. Reboot.

    $ sudo systemctl reboot
    

Post-installation

  1. Install the needed packages:

    $ sudo rpm-ostree install borgbackup fish git-core htop perl-File-Find python3-pystemd qemu-guest-agent snapper vim
    
  2. Switch shell to fish:

    $ chsh -s /usr/bin/fish
    
  3. Fix /etc/fstab:

    Change the options for / to defaults,compress=zstd:1.

  4. Fix /etc/passwd (if this is not done, podman will complain about a mismatched home directory):

    Change the home for max to /var/home/max.

  5. Disable authselect:

    $ sudo authselect opt-out
    

Downloading the repository

  1. Create the repo user:

    $ sudo useradd --create-home --shell /usr/sbin/nologin repo
    
  2. Switch to the repo user:

    $ sudo -u repo fish
    
  3. Generate a new SSH key:

    % ssh-keygen -t ed25519
    
  4. Add this new key as a single-repo deploy key on GitHub.

  5. Clone the repository:

    % git clone git@github.com:gucci-on-fleek/maxchernoff.ca.git
    

Installing TeX Live

  1. Create the tex user:

    $ sudo useradd --create-home --shell /usr/sbin/nologin tex
    $ sudo loginctl enable-linger tex
    
  2. Switch to the tex user:

    $ sudo -u tex fish
    
  3. Create the necessary directories:

    % mkdir -p ~/texlive  # As the `tex` user
    
  4. Download the installer:

    % cd $(mktemp -d)
    % curl -O 'https://ftp.math.utah.edu/pub/ctan/tex-archive/systems/texlive/tlnet/install-tl-unx.tar.gz'
    % tar xf install-tl-unx.tar.gz
    
  5. Install TeX Live:

    % ./install-tl-*/install-tl \
    >     --repository=https://ftp.math.utah.edu/pub/ctan/tex-archive/systems/texlive/tlnet \
    >     --texdir=/var/home/tex/texlive --scheme=full --paper=letter
    
  6. Download and run the ConTeXt installer:

    % mkdir -p ~/context-installer
    % cd ~/context-installer
    % curl -O 'https://lmtx.pragma-ade.com/install-lmtx/context-linux-64.zip'
    % busybox unzip context-linux-64.zip
    % chmod a+x install.sh
    % ./install.sh
    % ln -s ~/context-installer/tex ~/context
    
  7. Install the ConTeXt modules:

    % cd ~/context
    % ./texmf-linux-64/bin/mtxrun --script install-modules --install --all
    

Web Server

  1. Create the web user:

    $ sudo useradd --create-home --shell /usr/sbin/nologin web
    
  2. Allow the web user to run services:

    $ sudo loginctl enable-linger web
    
  3. Switch to the web user:

    $ sudo -u web fish
    
  4. Add the GitHub webhook shared secret:

    % cat /dev/urandom | head --bytes=21 | base64 | tr -d '\n' \
        | podman secret create webhook_secret -
    
    % podman secret inspect webhook_secret --showsecret
    (then paste into the GitHub webhook secret field)
    
  5. Add the DNS shared secrets:

    • A Podman secret dnscontrol_tsig that looks like

      hmac-sha256:dnscontrol:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
      
    • A file ~web/knot/config/secrets.conf that looks like

      key:
        - id: dnscontrol
          algorithm: hmac-sha256
          secret: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
      
      key:
        - id: maxchernoff-he
          algorithm: hmac-sha256
          secret: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
      
      key:
        - id: red-deer
          algorithm: hmac-sha256
          secret: CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
      
  6. Add the email secrets:

    • A Podman secret overleaf_smtp_password:

      % cat /dev/urandom | head --bytes=21 | base64 | tr -d '\n' \
          | podman secret create overleaf_smtp_password -
      
      % podman secret inspect overleaf_smtp_password --showsecret \
          | podman run --rm -i --entrypoint=/bin/maddy \
              docker.io/foxcpp/maddy hash --hash argon2
      
    • A global service failure file:

      % cat /dev/urandom | head --bytes=21 | base64 \
          | tee ~repo/credentials/server@noreply.maxchernoff.ca \
          | podman run --rm -i --entrypoint=/bin/maddy \
              docker.io/foxcpp/maddy hash --hash argon2
      
    • A file ~web/maddy/config/users.conf that looks like

      overleaf@noreply.maxchernoff.ca: argon2:AAAAAAAAAAAAAAAAAAAAAAAA
      server@noreply.maxchernoff.ca: argon2:BBBBBBBBBBBBBBBBBBBBBBBBBB
      
  7. Reboot to make sure everything starts correctly.
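The webhook secret created in step 4 is only useful if the receiver checks GitHub's X-Hub-Signature-256 header against it; without that check anyone who can reach the endpoint can trigger a deploy. The following is an added example, not code from this repository, showing that check in Python (the receiver's language is an assumption); the sample secret and payload are constructed, and the secret generator mirrors the 21-byte urandom-to-base64 recipe from step 4.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def generate_webhook_secret(nbytes: int = 21) -> str:
    """Same recipe as the guide: OS random bytes, base64-encoded, no newline."""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


def sign_payload(secret: str, body: bytes) -> str:
    """Compute the value GitHub sends in X-Hub-Signature-256 for this raw body."""
    digest = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_signature(secret: str, body: bytes, header_value: Optional[str]) -> bool:
    """Return True only if header_value is a valid HMAC-SHA256 over the raw body.

    Verify against the exact bytes received, before any JSON parsing, and use
    hmac.compare_digest so rejection time does not depend on how many leading
    characters of a forged signature happen to be right.
    """
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, header_value)


# Constructed sample delivery (not a real GitHub payload or real secret)
SAMPLE_SECRET = "constructed-secret-value"
SAMPLE_BODY = b'{"ref":"refs/heads/main","repository":{"full_name":"gucci-on-fleek/maxchernoff.ca"}}'


def demo() -> dict:
    """Exercise the accept and reject paths a receiver must get right."""
    header = sign_payload(SAMPLE_SECRET, SAMPLE_BODY)
    return {
        "valid": verify_signature(SAMPLE_SECRET, SAMPLE_BODY, header),
        "tampered_body": verify_signature(SAMPLE_SECRET, SAMPLE_BODY + b" ", header),
        "wrong_secret": verify_signature("some-other-secret", SAMPLE_BODY, header),
        "missing_header": verify_signature(SAMPLE_SECRET, SAMPLE_BODY, None),
    }


if __name__ == "__main__":
    print(demo())
```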

Woodpecker CI

  1. Switch to the web user:

    $ sudo -u web fish
    
  2. Add the Woodpecker server Podman secrets:

    % # Paste the secret, press Enter, then Ctrl+D
    % cat | tr -d '\n' \
    >     | podman secret create woodpecker_github_secret -
    % # The value echoed to stderr is needed again for the agent in step 5
    % head --bytes=36 /dev/urandom | basenc --z85 | tr -d '\n' \
    >     | tee /dev/stderr \
    >     | podman secret create woodpecker_agent_secret -
    
  3. Create the woodpecker user:

    $ sudo useradd --create-home --shell /usr/sbin/nologin woodpecker
    $ sudo loginctl enable-linger woodpecker
    
  4. Switch to the woodpecker user:

    $ sudo -u woodpecker fish
    
  5. Add the Woodpecker agent Podman secrets:

    % # Paste the agent secret from step 2, press Enter, then Ctrl+D
    % cat | tr -d '\n' \
    >     | podman secret create woodpecker_agent_secret -
    

Container Builders

Sometimes there aren't any pre-built containers for the software that you want to run, so we'll need to add a container builder.

  1. Create the builder user:

    $ sudo useradd --create-home --shell /usr/sbin/nologin builder
    $ sudo loginctl enable-linger builder
    
  2. That's pretty much it.

Snapshots

  1. Create subvolumes for the .local and .cache directories for every user:

    $ btrfs subvolume create {.local,.cache}  # Run inside each user's home directory
    
  2. Mount the snapshot directory:

    # /etc/fstab
    # This line was here originally
    UUID={uuid}  /home/            btrfs  subvol={subvol},compress=zstd:1             0  0
    # Add this line
    UUID={uuid}  /home/.snapshots  btrfs  subvol={subvol}/.snapshots,compress=zstd:1  0  0
    
    $ sudo systemctl daemon-reload
    $ sudo mount -av