@Robpol86
Last active August 22, 2020 02:57
This is how I setup my Fedora (or RHEL/CentOS) boxes.

Fedora Server Setup

Steps updated for Fedora Server 28 64-bit DVD ISO.

Installation Options

  • Software selection: Fedora Custom Operating System
    • No add-ons checked.
  • Network & Host Name: Set Hostname

Install/Update Packages

# If CentOS8:
#   sudo dnf config-manager --set-enabled PowerTools && \
#   sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
sudo dnf -y install \
    bind-utils bzip2 git iftop iotop jq lsof moreutils nmap patch pciutils psmisc pv screen \
    tar tcpdump telnet time unzip vim wget traceroute net-tools sysstat \
&& sudo dnf -y update

Shell/Git

# Review these before running: they append files fetched over the network to system-wide config as root.
curl -sSf https://raw.githubusercontent.com/Robpol86/dotfiles/master/vimrc |sudo tee -a /etc/vimrc
curl -sSf https://raw.githubusercontent.com/Robpol86/dotfiles/master/bashrc.sh |sudo tee /etc/profile.d/robpol86.sh
curl -sSf https://raw.githubusercontent.com/Robpol86/dotfiles/master/bash_profile.sh |sudo tee -a /etc/profile.d/robpol86.sh
bash -lc _robpol86_run_once

Grub

sudo sed -i 's/ rhgb quiet/ vga=792/g' /etc/default/grub
# On UEFI installs find can return more than one grub.cfg; check its output before regenerating.
sudo grub2-mkconfig -o $(sudo find /boot -name grub.cfg)

Grow Root Partition

sudo lvresize -l +100%FREE /dev/fedora*/root && sudo xfs_growfs /

SSH

I generate SSH keys with:

# Run on the client.
ssh-keygen -t ed25519 -a 100 -C "$(date -u +"%Y-%m-%dT%H:%M:%SZ") $HOSTNAME" -f ~/.ssh/REPLACE_ME

Then:

curl -sSf https://gist.githubusercontent.com/Robpol86/6226495/raw/ssh_authenticator.sh |
    tee /dev/stderr |install -m0755 /dev/stdin ./ssh_authenticator.sh
./ssh_authenticator.sh
vim ~/.ssh/authorized_keys  # Paste public keys.

Outgoing Email

SparkPost has a very generous free tier and is much easier to set up than Gmail SMTP (with the added benefit of not having to store your Google password in clear text on your Linux host). I use this script to configure Postfix on my Linux hosts so I get emails when crons fail or if there are hardware failures. Note that the script still writes the SparkPost API key in clear text into /etc/postfix/main.cf, which is world-readable (0644) by default; the difference is that it is a revocable key that can be limited to sending mail rather than your account password, so rotate it if the host is ever compromised.

curl -sSf https://gist.githubusercontent.com/Robpol86/6226495/raw/postfix_sparkpost.sh |
    tee /dev/stderr |install -m0755 /dev/stdin ./postfix_sparkpost.sh
sudo ./postfix_sparkpost.sh

DNF Auto Update

On my non-main Fedora systems I don't mind them installing DNF updates automatically and even rebooting when needed. Below is how I enable this feature and have it run every night at midnight (with up to 10 minutes of random delay) and 10 minutes after boot. The service drop-in schedules a reboot 5 minutes after a run whenever the running kernel is no longer the one recorded in /boot/grub2/grubenv, i.e. a new kernel was installed:

sudo dnf install -y dnf-automatic && \
    sudo sed -i '/^\s*apply_updates = /s/=.*$/= yes/' /etc/dnf/automatic.conf

sudo SYSTEMD_EDITOR=tee systemctl edit dnf-automatic.service << 'EOF'
[Service]
ExecStartPost=/bin/sh -c "uname -r |xargs -I+ grep -Fq + /boot/grub2/grubenv || shutdown -r +5 'dnf-automatic new kernel'"
EOF

sudo SYSTEMD_EDITOR=tee systemctl edit dnf-automatic.timer << EOF
[Timer]
OnBootSec=
OnUnitInactiveSec=
OnBootSec=10m
OnCalendar=*-*-* 00:00:00
RandomizedDelaySec=10m
EOF

sudo systemctl enable --now dnf-automatic.timer
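The ExecStartPost check above greps /boot/grub2/grubenv for `uname -r`, which only works while grubenv's saved_entry happens to contain the kernel version string. The following is an added example, not part of the gist, that decides the same question by comparing the running kernel against the installed kernel packages with `sort -V`. The `rpm -q kernel-core` query in the comment is an assumption about how you would feed it real data; the demo uses constructed version strings.

```shell
#!/bin/bash
# Added example, not part of the gist: decide whether dnf-automatic installed a
# kernel newer than the running one, without depending on grubenv's format.
set -eu

# needs_reboot RUNNING INSTALLED... -> exit 0 if any INSTALLED version sorts
# newer than RUNNING (GNU sort -V understands 4.16.5-300.fc28.x86_64 strings).
needs_reboot() {
  local running=$1 newest
  shift
  newest=$(printf '%s\n' "$running" "$@" | sort -V | tail -n 1)
  [ "$newest" != "$running" ]
}

# Real use (assumed rpm query format; kernel-core is Fedora's kernel package):
#   needs_reboot "$(uname -r)" $(rpm -q kernel-core --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n') \
#     && shutdown -r +5 'dnf-automatic new kernel'

# Demo with constructed version strings (the running kernel listed twice, once
# as "running", once as an installed package, plus one newer package).
if needs_reboot 4.16.3-301.fc28.x86_64 4.16.3-301.fc28.x86_64 4.16.5-300.fc28.x86_64; then
  echo "reboot needed"
else
  echo "running kernel is current"
fi
```

Drop the function into a small script and point ExecStartPost at it instead of the grubenv grep; the decision then survives a change in how grub records its default entry.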

postfix_sparkpost.sh

#!/bin/bash -eu
# Install and configure Postfix on Fedora systems.
# Have root and running user's mail forwarded to an email address.
RUNNING_USER="${SUDO_USER:-$(whoami)}"
echo 'Create an API key for this host: https://app.sparkpost.com/account/api-keys'
read -rp '=> SparkPost API key (e.g. a12345e90deb4abc1dca21fa10ee2a49012db10e): ' API_KEY
read -rp '=> Sending domain (e.g. your-domain.com): ' FROM_DOMAIN
read -rp "=> Send root and $RUNNING_USER mail to (e.g. [email protected]): " TO_ADDRESS
# Install Postfix.
read -rp '=> Installing Postfix. Press Enter to continue...'
(set -x; dnf install postfix mailx cyrus-sasl{,-plain})
# Configure sender_canonical_map.cf.
FROM_ADDRESS="${HOSTNAME%%.*}@$FROM_DOMAIN"
read -rp "=> Adding $FROM_ADDRESS to sender_canonical_map.cf. Press Enter to continue..."
(set -x; tee -a /etc/postfix/sender_canonical_map.cf <<< "/.+/ $FROM_ADDRESS")
# Configure main.cf.
# NOTE: the static: map below stores the API key inside main.cf, which is
# world-readable (0644) by default. mydestination includes the sending
# domain, so mail addressed to anyone@that-domain is delivered locally on
# this host instead of being relayed.
MAIN_CF=/etc/postfix/main.cf
if [ -e "$MAIN_CF" ]; then
    (set -x; cp -v "$MAIN_CF" "$MAIN_CF.$(date +%s).bak")
fi
while IFS= read -r line; do # Comment out existing settings and append new ones at the end.
    (
        set -x
        sed -i "/^${line%% *} =/s/^/#/" "$MAIN_CF"
        tee -a "$MAIN_CF" <<< "$line"
    )
done << EOF
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = static:SMTP_Injection:${API_KEY}
relayhost = [smtp.sparkpostmail.com]:587
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
header_size_limit = 4096000
myorigin = ${FROM_ADDRESS##*@}
mydestination = ${FROM_ADDRESS##*@} \$myhostname localhost.\$mydomain localhost
sender_canonical_maps = regexp:/etc/postfix/sender_canonical_map.cf
EOF
# Setup TO_ADDRESS and send test emails.
set -x
tee -a /etc/aliases <<< "root: $TO_ADDRESS"
tee -a /etc/aliases <<< "$RUNNING_USER: $TO_ADDRESS"
newaliases
systemctl enable --now postfix.service
mail -s "Test Email $(date)" "$TO_ADDRESS" <<< "This is a test email."
mail -s "Test Email for Root $(date)" root <<< "This is a test email."
echo Done
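postfix_sparkpost.sh stores the API key with `smtp_sasl_password_maps = static:SMTP_Injection:KEY`, i.e. inside the world-readable main.cf. The following is an added example, not part of the gist, showing the usual alternative: a root-only `hash:` lookup table that main.cf merely references. The function writes into a directory you pass so it can be exercised in a scratch directory with a constructed key; in real use the directory is /etc/postfix and the function runs as root.

```shell
#!/bin/bash
# Added example, not part of the gist: keep the SparkPost API key out of the
# world-readable main.cf by using a mode-0600 hash: table for the credential.
set -eu

# write_sasl_passwd DIR RELAYHOST USER SECRET
# Writes DIR/sasl_passwd with restrictive permissions, compiles it with postmap
# when Postfix is installed, and prints the main.cf settings that go with it.
write_sasl_passwd() {
  local dir=$1 relayhost=$2 user=$3 secret=$4
  local table="$dir/sasl_passwd"
  # The lookup key must be byte-for-byte what relayhost says in main.cf,
  # brackets and port included, or the SASL lookup finds nothing and the
  # relay rejects the unauthenticated session.
  ( umask 077; printf '%s %s:%s\n' "$relayhost" "$user" "$secret" > "$table" )
  if command -v postmap >/dev/null 2>&1; then
    # postmap builds the .db file Postfix actually reads; it needs 0600 too.
    postmap "hash:$table" 2>/dev/null || echo "postmap failed; run 'postmap hash:$table' by hand" >&2
    if [ -e "$table.db" ]; then chmod 600 "$table.db"; fi
  fi
  cat <<EOF
relayhost = $relayhost
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:$table
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
EOF
}

# file_mode FILE -> octal permission bits, e.g. 600 (GNU stat)
file_mode() { stat -c %a "$1"; }

# Demo in a scratch directory with a constructed, non-working key.
demo_dir=$(mktemp -d)
write_sasl_passwd "$demo_dir" '[smtp.sparkpostmail.com]:587' SMTP_Injection 'REPLACE_WITH_API_KEY'
echo "sasl_passwd mode: $(file_mode "$demo_dir/sasl_passwd")"
rm -rf "$demo_dir"
```

After running it against /etc/postfix, remove the `static:` line from main.cf, run `postfix reload`, and send the same test mail the script sends; `postmap` must be re-run every time the table changes.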

ssh_authenticator.sh

#!/bin/bash -eu
# Install Google Authenticator and configures SSH.
# Warn if running as root.
if [ "$EUID" -eq 0 ]; then
    echo '=> !! WARNING: script running as root. Designed for non-root user. !!'
    echo '=> Will still work but will configure Authenticator for root user SSH.'
    read -rp '=> Press Enter to continue...'
fi
set -x
# Install and configure.
sudo dnf install google-authenticator
PAM=/etc/pam.d/sshd
sudo cp -v "$PAM" "$PAM.$(date +%s).bak"
# Replace the password-auth substack with pam_google_authenticator so the
# keyboard-interactive step asks for a TOTP code only, never a password.
# Without "nullok" every user must have ~/.google_authenticator or SSH login fails.
sudo sed -i 's/^\(auth\s\+\)substack\(\s\+\)password-auth$/\1required\2pam_google_authenticator.so/' "$PAM"
# Configure sshd_config. sshd uses the first occurrence of a keyword, so the
# old line is commented out before the new one is appended. If sshd_config
# ends with a Match block, appended lines would fall inside that block;
# check with: grep -n '^Match' /etc/ssh/sshd_config
CONFIG=/etc/ssh/sshd_config
if [ -e "$CONFIG" ]; then
    sudo cp -v "$CONFIG" "$CONFIG.$(date +%s).bak"
fi
while IFS= read -r line; do # Comment out existing settings and append new ones at the end.
    sudo sed -i "/^${line%% *} /s/^/#/" "$CONFIG"
    sudo tee -a "$CONFIG" <<< "$line"
done << EOF
PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
EOF
# Touch authorized_keys file.
install -m0700 -d ~/.ssh
touch ~/.ssh/authorized_keys && chmod 0600 "$_"
# Generate Google Authenticator config for the user.
google-authenticator -td -w 3 -r 3 -R 30 -Q ANSI -l "${HOSTNAME%%.*}"
# Validate the config, then restart the SSH daemon. Keep this session open and
# confirm a fresh login (key + TOTP) works before closing it; a mistake here
# locks you out.
sudo sshd -t && sudo systemctl restart sshd
echo Done
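The sed-then-tee loop in ssh_authenticator.sh assumes the keyword is spelled with the same case as the existing line and that nothing after the append point is a Match block. The following is an added example, not part of the gist, that applies the same six directives the way sshd reads the file: case-insensitively, first occurrence wins, and anything after the first `Match` line belongs to that block. It works on a constructed sshd_config in a temp file so it can be tried safely; the file layout is an assumption, not a real Fedora sshd_config.

```shell
#!/bin/bash
# Added example, not part of the gist: set sshd_config directives the way sshd
# actually parses them. Assumes GNU awk/coreutils.
set -eu

# set_sshd_option FILE KEYWORD VALUE
# Comments out every global occurrence of KEYWORD (case-insensitive, before the
# first Match line) and inserts "KEYWORD VALUE" just before the first Match
# line, or at the end of the file when there is none.
set_sshd_option() {
  local file=$1 keyword=$2 value=$3 tmp
  tmp=$(mktemp)
  awk -v keyword="$keyword" -v value="$value" '
    BEGIN { lkey = tolower(keyword); placed = 0 }
    !placed && tolower($1) == "match" { print keyword " " value; placed = 1 }
    !placed && tolower($1) == lkey    { print "#" $0; next }
    { print }
    END { if (!placed) print keyword " " value }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"   # overwrite in place: keeps mode, owner and SELinux label
  rm -f "$tmp"
}

# effective_sshd_option FILE KEYWORD -> the global value sshd would use
effective_sshd_option() {
  awk -v lkey="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    tolower($1) == "match" { exit }
    tolower($1) == lkey    { print $2; exit }
  ' "$1"
}

# Demo on a constructed sshd_config that ends with a Match block, the case a
# plain "tee -a" gets wrong (the new lines would land inside the block).
demo_config=$(mktemp)
cat > "$demo_config" <<'EOF'
# constructed sample, not a real Fedora sshd_config
PasswordAuthentication yes
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
while read -r keyword value; do
  set_sshd_option "$demo_config" "$keyword" "$value"
done <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
EOF
cat "$demo_config"
echo "effective PasswordAuthentication: $(effective_sshd_option "$demo_config" PasswordAuthentication)"
rm -f "$demo_config"
```

Against the real file run it as root on /etc/ssh/sshd_config, then `sshd -t` before `systemctl restart sshd`; the Match-block entry for `backup` is left untouched because it only applies inside that block.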