Provide a well-configured Fedora system, suitable for production usage, via Ansible.
This is used as a base image for selfhosting-labs.
If you want to spin a quick environment up in Vagrant, it is enough to run the following:
```shell
bundle install
bundle exec kitchen converge vagrant
bundle exec kitchen verify vagrant
bundle exec kitchen login vagrant
```
Alternatively, you can do the same using Docker instead:
```shell
bundle install
bundle exec kitchen converge docker
bundle exec kitchen verify docker
bundle exec kitchen login docker
```
Caveat for Docker users: The Docker environment is designed to simulate a virtual machine but does not have quite the same functionality. Certain features are not enabled when running in Docker.
- Create administrator user accounts.
- Security updates are automatically applied.
- DNS configuration.
- Create swap file.
- NTP configuration.
- Tuning.
- Install a bunch of useful utility tools.
- Additional custom tools.
A user group `admin` is created which is granted sudo access via `/etc/sudoers.d/admin`.
To create administrator users, add them to the `admins` variable like this:
```yaml
admins:
  - name: <USER NAME>
    key: 'ssh-rsa <SSH PUBLIC KEY>'
```
By default, the users are granted passwordless sudo access. You can change this by setting `admin_passwordless_sudo: false`.
Automatic security updates are provided by dnf-automatic. You can review the status of the updates by running `systemctl status dnf-automatic.timer`.
The job will first run 1 hour after booting, and then every 24 hours after that.
By default, DNS is configured automatically by Network Manager based on DHCP settings.
This role offers optional configuration of DNS to instead use Cloudflare and Google providers.
These providers offer fast, highly available, secure public DNS resolution, but you can configure a different set if you have privacy concerns or want to use your own nameservers.
You can also set a search domain, which allows you to resolve non-FQDN hostnames in DNS. This defaults to simply using the host's currently configured domain.
```yaml
nameservers:
  - 1.1.1.1
  - 8.8.8.8
  - 8.8.4.4
search_domains:
  - selfhosting-lab.com
```
To enable this feature, set `enable_custom_dns: True`.
A swapfile is created at `/var/cache/swap` to provide additional swap space. Although hosts should be sized appropriately for their workload, it can be useful to have a temporary resource that memory can be swapped to.
By default this is sized the same as your memory, by looking up the `ansible_memory_mb.real.total` variable. You can set the size to something else by setting `swapfile_size` to an amount in MiB.
Swap is enabled by default but can be turned off by setting `enable_swap: False`.
You can also adjust the swappiness of the system by setting `swappiness` to a value between 0 and 100. The default swappiness is `10`, which provides good performance, only using swap when necessary.
NTP is provided by the chronyd daemon and should be something you never have to manage. By default it synchronises time from the public `pool.ntp.org` pool, which should automatically find the best time server for the host. If for some reason you want to set this manually, you can set `ntp_pool: pool.ntp.org`.
You can also optionally set your preferred timezone using the appropriate tz database name by setting `timezone: Europe/London` or similar. You may not want to do this if you'd prefer your host to keep the local timezone that was configured at installation time.
A few opinionated system tweaks are applied to optimise performance. These are applied using the [Tuned](https://tuned-project.org) profile `atomic-guest`.
If, for your specific hardware configuration, you'd like to use an alternative profile, you can set `tuned_profile`.
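The variables documented above, pulled together into a single playbook that applies the role. This is an added example, not a file shipped with the role; the role name, user name and key are placeholders, and the second resolver shows a substituted provider as the DNS section describes.

```yaml
# Added example playbook; role name, user name and key are placeholders.
- name: Base Fedora host for selfhosting-labs
  hosts: all
  become: true
  vars:
    admins:
      - name: alice
        key: 'ssh-ed25519 AAAA<PLACEHOLDER PUBLIC KEY> alice@example'
    admin_passwordless_sudo: false   # default is true (NOPASSWD); require a password for sudo
    enable_custom_dns: True
    nameservers:
      - 1.1.1.1
      - 9.9.9.9                      # substituted resolver; default list is 1.1.1.1, 8.8.8.8, 8.8.4.4
    search_domains:
      - selfhosting-lab.com
    enable_swap: True
    swapfile_size: 2048              # MiB; default is ansible_memory_mb.real.total
    swappiness: 10
    ntp_pool: pool.ntp.org
    timezone: Europe/London
    tuned_profile: atomic-guest
  roles:
    - ROLE_NAME_PLACEHOLDER
```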
A few additional utilities are installed for your convenience, primarily for troubleshooting and system visibility.
List of tools installed:
- Bash Completion - Programmable completion for the Bash shell.
- Bind Utils - Collection of utilities for querying DNS.
- cURL - Command-line tool for transferring data with URLs.
- Git - The distributed revision control system.
- htop - Better version of `top`.
- htpasswd - Tool to create and update usernames and passwords for basic authentication.
- iotop - `top`-like utility for disk I/O.
- Iperf - Measurement tool for TCP/UDP bandwidth performance.
- jq - Command-line JSON processor.
- kexec - Utility to quickly load new kernels.
- lsof - Utility to list open files.
- Ncat - Bidirectional data relay for TCP connections.
- NFS Utils - NFS utilities and supporting clients and daemons.
- Perf - Tool for performance monitoring of the Linux kernel.
- PV (Pipe Viewer) - Nifty tool for monitoring the progress of data through a pipe.
- realmd - Used to interact with and join LDAP realms.
- Socat - Bidirectional data relay for Unix sockets.
- Stress-ng - Stress testing tool.
- Tcpdump - Network traffic monitoring tool and packet analyser.
- Tmux - Terminal multiplexer that supports multiple logins on one terminal.
- Vim - Powerful text editor.
- Wget - Tool for retrieving files using HTTP or FTP.
For quality of life, a few custom tools have been added which are installed by default.
`shl-reboot` allows you to quickly reboot a system when a new kernel is available, minimising the amount of downtime on the system. It works using `kexec` to swap the kernel out while the system is still running, meaning the POST and BIOS stages of the boot process are skipped. On enterprise-grade hardware this can sometimes save minutes due to extensive POST checks.
If there is no new kernel, the tool will simply exit with a `1` exit status. If a new kernel is installed but not currently active, the tool will inform you.
You can then reboot the system by running `shl-reboot apply`. After sleeping for 3 seconds, the system will reboot.
`shl-reload` allows you to restart currently running services which have updates available, minimising the frequency of reboots required to pick up software updates. It looks at which systemd units are associated with updated software and restarts those units, including systemd itself. In theory this reduces the reasons to reboot your system down to kernel updates only, meaning security updates can be applied more frequently.
You can choose to run the tasks required to reload the system by running `shl-reload apply`.
Restarting services can be disruptive; for example, restarting active user sessions will kick out currently logged-in users, but the impact is minimised to only those services which need updating. It should be treated as a situational alternative to reboots, as it cannot guarantee that there will be no impact to services which you rely on and therefore cannot provide a zero-downtime update process.
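The two checks behind `shl-reboot` and `shl-reload`, written out as an added example; this is not the role's own script, and it assumes Fedora's `/boot/vmlinuz-<ver>` and `/boot/initramfs-<ver>.img` layout, the `kexec-tools` package, and `dnf needs-restarting -s` output (one unit per line). The version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not the shl-reboot/shl-reload scripts shipped by the role: the checks
# those tools perform, as functions that take their input as arguments or stdin so they
# can be exercised on constructed data. Assumes Fedora's /boot layout and kexec-tools.

# newest_kernel VER... : print the highest of the given kernel versions
# (e.g. "6.8.9-300.fc40.x86_64 6.8.11-300.fc40.x86_64" -> the 6.8.11 one).
newest_kernel() {
  printf '%s\n' "$@" | sort -V | tail -n 1
}

# kernel_is_stale RUNNING VER... : exit 0 when an installed kernel is newer than the
# running one, exit 1 when the running kernel is already the newest (shl-reboot's status).
kernel_is_stale() {
  running=$1
  shift
  [ "$(newest_kernel "$@")" != "$running" ]
}

# kexec_cmd VER : print the command that stages kernel VER for a kexec reboot, which
# skips BIOS/POST; the actual switch is a separate "systemctl kexec".
kexec_cmd() {
  printf 'kexec -l /boot/vmlinuz-%s --initrd=/boot/initramfs-%s.img --reuse-cmdline\n' "$1" "$1"
}

# restart_plan : read unit names from stdin, one per line as "dnf needs-restarting -s"
# prints them, skip blanks, and emit the restart command for each updated service.
restart_plan() {
  while IFS= read -r unit; do
    [ -n "$unit" ] || continue
    printf 'systemctl restart %s\n' "$unit"
  done
}

# Live mode (sh this_script.sh check): compare the running kernel with installed ones.
# Needs rpm and uname, so it only runs on a Fedora host and only when asked.
if [ "${1-}" = "check" ]; then
  installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' kernel-core)
  if kernel_is_stale "$(uname -r)" $installed; then
    echo "newer kernel installed; stage it with: $(kexec_cmd "$(newest_kernel $installed)")"
  else
    echo "running kernel is current"
    exit 1
  fi
fi
```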
The use of this repository will modify your target machine to perform certain outbound connections which may be of concern to more privacy-focused users. In the interest of transparency we'd like to make users fully aware of all endpoints we have added, as you may wish to consider changing these in your own implementation.
All necessary packages are installed using the predefined repositories on the target system, which are assumed to be the official Fedora repositories unless you modify your repolist to use private repositories.
By default NTP and DNS use publicly available endpoints, which you can read more about above in the NTP Configuration and DNS Configuration documentation respectively.
During testing, `github.com` is looked up via DNS in order to test the DNS configuration.