Contents
Preliminaries
-
This guide is mainly intended for myself in case I ever need to rebuild the server, but I'm making it public in case it's useful to others.
-
I've provided the exact IP addresses and usernames for my server; if you're following along, you'll want to replace these with the appropriate values for your own server.
-
Commands that start with
$
are ran as themax
user on the server, while commands that start with%
are ran as some other user. -
This guide was tested with Fedora IoT versions 40–41.
Pre-installation
-
Download the Fedora IoT
.iso
installer. In the unlikely scenario that your hosting provider offers Fedora IoT images, you can skip until step 4. -
Upload and attach the
.iso
installer to the virtual machine. -
Configure the VM for UEFI boot.
Installation
-
Start the installer.
-
Disable the
root
account and create an administratormax
. -
Partition as follows:
Index Mount Point Size Type 1 /boot/efi
500M EFI 2 /boot
4G ext4 3 [SWAP]
8G swap 4 /
remaining btrfs 4.1 /home/
— subvol -
Install the system.
-
Reboot into the installed system.
-
Install your SSH key:
% ssh-copy-id max@maxchernoff.ca # From your local machine
-
Log in to the server:
% ssh max@maxchernoff.ca
-
Enable IPv6:
$ sudo nmcli connection modify ens3 ipv6.method manual ipv6.addresses 2a0a:4cc0:2000:172::1/64 ipv6.gateway fe80::1 $ sudo nmcli connection up ens3
-
Reboot.
$ sudo systemctl reboot
Post-installation
-
Install the needed packages:
$ sudo rpm-ostree install borgbackup fish git-core htop perl-File-Find python3-pystemd qemu-guest-agent snapper vim
-
Switch shell to
fish
:$ chsh -s /usr/bin/fish
-
Fix
/etc/fstab
:Change the options for
/
todefaults,compress=zstd:1
. -
Fix
/etc/passwd
: If not done,podman
will complain about a mismatched home location.Change the home for
max
to/var/home/max
. -
Disable
authselect
:$ sudo authselect opt-out
Downloading the repository
-
Create the
repo
user:$ sudo useradd --create-home --shell /usr/sbin/nologin repo
-
Switch to the
repo
user:$ sudo -u repo fish
-
Generate a new SSH key:
% ssh-keygen -t ed25519
-
Add this new key as a single-repo deploy key on GitHub.
-
Clone the repository:
% git clone git@github.com:gucci-on-fleek/maxchernoff.ca.git
Installing TeX Live
-
Create the
tex
user:$ sudo useradd --create-home --shell /usr/sbin/nologin tex $ sudo loginctl enable-linger tex
-
Switch to the
tex
user:$ sudo -u tex fish
-
Create the necessary directories:
% mkdir -p ~/texlive # As the `tex` user
-
Download the installer:
% cd $(mktemp -d) % curl -O 'https://ftp.math.utah.edu/pub/ctan/tex-archive/systems/texlive/tlnet/install-tl-unx.tar.gz' % tar xf install-tl-unx.tar.gz
-
Install TeX Live:
% ./install-tl-*/install-tl \ > --repository=https://ftp.math.utah.edu/pub/ctan/tex-archive/systems/texlive/tlnet \ > --texdir=/var/home/tex/texlive --scheme=full --paper=letter
-
Download and run the ConTeXt installer:
% mkdir -p ~/context-installer % cd ~/context-installer % curl -O 'https://lmtx.pragma-ade.com/install-lmtx/context-linux-64.zip' % busybox unzip context-linux-64.zip % chmod a+x install.sh % ./install.sh % ln -s ~/context-installer/tex ~/context
-
Install the ConTeXt modules:
% cd ~/context % ./texmf-linux-64/bin/mtxrun --script install-modules --install --all
Web Server
-
Create the
web
user:$ sudo useradd --create-home --shell /usr/sbin/nologin web
-
Allow the
web
user to run services:$ sudo loginctl enable-linger web
-
Switch to the
web
user:$ sudo -u web fish
-
Add the GitHub webhook shared secret:
% cat /dev/urandom | head --bytes=21 | base64 | tr -d '\n' \ | podman secret create webhook_secret - % podman secret inspect webhook_secret --showsecret (then paste into the GitHub webhook secret field)
-
Add the DNS shared secrets:
-
A Podman secret
dnscontrol_tsig
that looks likehmac-sha256:dnscontrol:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
A file
~web/knot/config/secrets.conf
that looks likekey: - id: dnscontrol algorithm: hmac-sha256 secret: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= key: - id: maxchernoff-he algorithm: hmac-sha256 secret: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB= key: - id: red-deer algorithm: hmac-sha256 secret: CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
-
-
Add the email secrets:
-
A Podman secret
overleaf_smtp_password
:% cat /dev/urandom | head --bytes=21 | base64 | tr -d '\n' \ | podman secret create overleaf_smtp_password - % podman secret inspect overleaf_smtp_password --showsecret \ | podman run --rm -i --entrypoint=/bin/maddy \ docker.io/foxcpp/maddy hash --hash argon2
-
A global service failure file:
% cat /dev/urandom | head --bytes=21 | base64 \ | tee ~repo/credentials/server@noreply.maxchernoff.ca \ | podman run --rm -i --entrypoint=/bin/maddy \ docker.io/foxcpp/maddy hash --hash argon2
-
A file
~web/maddy/config/users.conf
that looks likeoverleaf@noreply.maxchernoff.ca: argon2:AAAAAAAAAAAAAAAAAAAAAAAA server@noreply.maxchernoff.ca: argon2:BBBBBBBBBBBBBBBBBBBBBBBBBB
-
-
Reboot to make sure everything starts correctly.
Woodpecker CI
-
Switch to the
web
user:$ sudo -u web fish
-
Add the Woodpecker server Podman secrets:
% cat | tr -d '\n' | \ # Paste the secret, Enter, Ctrl+D > podman secret create woodpecker_github_secret - % head --bytes=36 /dev/urandom | basenc --z85 | tr -d '\n' | \ > tee /dev/stderr | \ # Copy this value for later > podman secret create woodpecker_agent_secret -
-
Create the
woodpecker
user:$ sudo useradd --create-home --shell /usr/sbin/nologin woodpecker $ sudo loginctl enable-linger woodpecker
-
Switch to the
woodpecker
user:$ sudo -u woodpecker fish
-
Add the Woodpecker agent Podman secrets:
% cat | tr -d '\n' | \ # Paste the secret, Enter, Ctrl+D > podman secret create woodpecker_agent_secret -
Container Builders
Sometimes there aren't any pre-built containers for the software that you want to run, so we'll need to add a container builder.
-
Create the
builder
user:$ sudo useradd --create-home --shell /usr/sbin/nologin builder $ sudo loginctl enable-linger builder
-
That's pretty much it.
Snapshots
-
Create subvolumes for the
.local
and.cache
directories for every user:$ btrfs subvolume create {.local,.cache}
-
Mount the snapshot directory:
# /etc/fstab # This line was here originally UUID={uuid} /home/ btrfs subvol={subvol},compress=zstd:1 0 0 # Add this line UUID={uuid} /home/.snapshots btrfs subvol={subvol}/.snapshots,compress=zstd:1 0 0
$ sudo systemctl daemon-reload $ sudo mount -av