Differences

This shows you the differences between two versions of the page.

--- distros:opensuse_tumbleweed_server [2018/12/02 12:39] – [Service] Sean Rhone
+++ distros:opensuse_tumbleweed_server [2019/05/28 08:46] – Sean Rhone
@@ Line 1: / Line 1: @@
+====== Information ======
+  * openSUSE ((https://www.opensuse.org))
+  * Tumbleweed ((https://en.opensuse.org/Portal:Tumbleweed))
+  * Server
+====== Download ======
+===== DVD-x86_64-Current.iso =====
+  * http://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-DVD-x86_64-Current.iso
+  http://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-DVD-x86_64-Current.iso
+===== Hashes =====
+  * http://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-DVD-x86_64-Current.iso.mirrorlist
+====== Installation Notes ======
+  * ''EFI/opensuse/grubx64.efi'' ((EFI file to boot and in the case of Acer laptops, add to SecureBoot trust; doesn't matter if SecureBoot is enabled or not))
+  * XFS, no separate ''/home'', separate ''swap'' partition enlarged to RAM for suspend
+====== HOSTS ======
+  * https://github.com/StevenBlack/hosts/
+  * Using ''Unified hosts + fakenews + gambling''
+  sudo wget -O '/etc/hosts' 'https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling/hosts' && sync
+  cat '/etc/hosts' | grep 'Date:'
+  sudo -e '/etc/hosts'
+====== Repositories ======
+===== PackMan Essentials =====
+  * http://packman.inode.at/suse/openSUSE_Tumbleweed/Essentials/
+  * Repository Priority: 98
+  * Provides extended multimedia support
+  * :!: TODO: Doubt this is needed on a server...
+  sudo rpm --import 'http://packman.inode.at/suse/openSUSE_Tumbleweed/Essentials/repodata/repomd.xml.key' && sudo zypper addrepo --check --gpgcheck-strict --refresh --priority '98' --name 'Packman Essentials repository (openSUSE_Tumbleweed)' 'http://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Tumbleweed/Essentials' 'packman-essentials'
+====== Software ======
+===== List =====
+  * http://download.opensuse.org/tumbleweed/repo/
+===== Disable USB Source =====
+****
+  sudo zypper modifyrepo --disable --medium-type 'hd'
+===== Update =====
+==== System ====
+****
+  sudo zypper clean --all && sudo zypper refresh --force --services && sudo zypper dist-upgrade --details --allow-downgrade --allow-name-change --allow-arch-change --allow-vendor-change && sync
+==== Firmware ====
+****
+  sudo fwupdmgr refresh && sudo fwupdmgr update --verbose
+===== GNU nano =====
+  * Installs ''nano''
+  * Sets ''VISUAL'' and ''EDITOR'' to ''nano'' via environment variable
+  * Sets ''nowrap'' for current user
+  sudo zypper install 'nano' && export 'VISUAL=nano' && export 'EDITOR=nano' && echo -e 'export VISUAL=nano\nexport EDITOR=nano' | sudo tee '/etc/profile.d/editor-nano.sh' > '/dev/null' && cat '/etc/profile.d/editor-nano.sh' && mkdir -p ~/'.config/nano' && echo 'set nowrap' | tee ~/'.config/nano/nanorc' > '/dev/null' && cat ~/'.config/nano/nanorc'
+===== General =====
+****
+  sudo zypper install p7zip unar aria2 hdparm nano htop wget irqbalance
+===== Keybase =====
+  * https://keybase.io
+  * :!: TODO: Figure out how to do automated bcakups to KBFS
+  keybase
+====== Settings ======
+===== Network =====
+==== DNS ====
+=== UncensoredDNS ===
+  * https://blog.uncensoreddns.org/
+.233.43.71,91.239.100.100
+a01:3a0:53:53::,2001:67c:28a4::
+=== OpenNIC Anycast ===
+  * https://wiki.opennic.org/start#anycast_tier_2_dns_resolvers
+.121.177.177,169.239.202.202
+a05:dfc7:5::53,2a05:dfc7:5::5353
+===== GRUB =====
+==== Other Parameters ====
+  * See [[notes:kernel_parameters|Kernel Parameters]] for other options
+==== blk_mq ====
+****
+  scsi_mod.use_blk_mq=y dm_mod.use_blk_mq=y
+==== Reboot ====
+  * ''efi'' is for UEFI systems
+  * ''pci'' is for Legacy systems and Coreboot with SeaBIOS payload
+  * There are other values possible should either of those not work
+  reboot=pci
+  reboot=efi
+==== PCIe ASPM ====
+****
+  pcie_aspm=force
+==== Blacklist Watchdogs ====
+  * ''iTCO_wdt'' controls watchdog on some Intel platforms
+  * ''sp5100_tco'' controls watchdog on some AMD platforms
+  * ''nowatchdog'' disables both soft and hard generic watchdogs
+  * Apparently this reduces power usage slightly
+  modprobe.blacklist=iTCO_wdt,sp5100_tco nowatchdog
+===== Hostname =====
+  * Change ''x'' to computer name
+  sudo hostnamectl set-hostname 'x'
+===== Keybase =====
+  * :!: Run after initial install
+  * :!: TODO: Might not be needed with CLI Keybase
+  run_keybase
+===== Kernel Options =====
+  * Enables ''kernel.dmesg_restrict'', ''kernel.kptr_restrict'', and ''kernel.sysrq''
+  * Sets ''vm.swappiness'' to ''10''
+  echo -e "kernel.dmesg_restrict = 1\nkernel.kptr_restrict = 1\nkernel.sysrq = 1\nvm.swappiness = 10" | sudo tee '/etc/sysctl.d/99-custom.conf' > '/dev/null' && cat '/etc/sysctl.d/99-custom.conf'
+  cat '/sys/fs/cgroup/memory/memory.swappiness'
+===== Secure Shell =====
+  * See [[Clients:Secure Shell]]
+===== systemd =====
+  * Log data is stored in volatile storage
+  * Max log file sizes of ''50MB''
+  sudo mkdir -p '/etc/systemd/journald.conf.d' && echo -e "[Journal]\nStorage=volatile\nSystemMaxUse=50M\nRuntimeMaxUse=50M" | sudo tee '/etc/systemd/journald.conf.d/logging.conf' > '/dev/null' && cat '/etc/systemd/journald.conf.d/logging.conf'
+===== TRIM =====
+==== Swap ====
+  * Add ''discard'' after ''defaults'' for the ''swap'' mountpoint ((defaults,discard))
+  * According to the ''swapon'' man page, setting this in ''fstab'' is acceptable
+  sudo -e '/etc/fstab'
+  ,discard
+==== Service ====
+****
+  sudo systemctl enable 'fstrim.timer' --now && sudo systemctl start 'fstrim' && sync && sudo systemctl status 'fstrim' -l
+====== Automatic Updates ======
+===== Service =====
+  sudo -e '/etc/systemd/system/suse-up.service'
+<code>
+[Service]
+Type=oneshot
+ExecStartPre='/usr/bin/zypper' clean --all
+ExecStart='/usr/bin/zypper' --non-interactive refresh --force --services
+ExecStart='/usr/bin/zypper' --non-interactive dup --auto-agree-with-licenses
+ExecStartPost='/usr/bin/sync'
+ExecStartPost='/usr/bin/systemctl' reboot</code>
+===== Timer =====
+  * 06:10 Kraityn
+  * 06:20 Alira
+  sudo -e '/etc/systemd/system/suse-up.timer' && sudo systemctl daemon-reload && sudo systemctl enable 'suse-up.timer' --now
+<code>
+[Unit]
+Description=Software Package Maintenance and Updater
+After=network-online.target
+Wants=network-online.target
+[Timer]
+OnCalendar=*-*-* 06:10:00
+Persistent=true
+[Install]
+WantedBy=timers.target</code>
+====== External Backup ======
+===== fstab =====
+  * Expects a drive of some kind with a XFS partition at ''/dev/sdb1''
+  sudo mkdir -p '/mnt/USB' && sudo -e '/etc/fstab'
+<code>
+# USB
+/dev/sdb1 /mnt/USB xfs rw,relatime,attr2,inode64,noquota 0 2</code>
+  sudo mount '/dev/sdb1'
+===== Service =====
+  sudo -e '/etc/systemd/system/backup-external.service' && sudo sed -i 's/CHANGEME/'$USER'/g' '/etc/systemd/system/backup-external.service'
+<code>
+[Service]
+Type=oneshot
+ExecStartPre='/usr/bin/sync'
+ExecStart='/usr/bin/rsync' -r '/home/CHANGEME/backups' '/mnt/USB' --verbose --ignore-existing
+ExecStartPost='/usr/bin/sync'</code>
+===== Timer =====
+  sudo -e '/etc/systemd/system/backup-external.timer' && sudo systemctl daemon-reload && sudo systemctl enable 'backup-external.timer' --now
+<code>
+[Unit]
+Description=Backup Backups to External Device
+[Timer]
+OnCalendar=*-*-* 07:00:00
+Persistent=true
+[Install]
+WantedBy=timers.target</code>
+====== Notable Folders and Commands ======
+===== Zypper =====
+==== Find Orphans ====
+****
+  zypper packages --orphaned
+==== Remove Package and Deps ====
+****
+  sudo zypper remove --clean-deps 'x'
+==== Show Installed Patterns ====
+****
+  sudo zypper patterns --installed-only
+==== Folder ====
+****
+  ls '/etc/zypp/repos.d'
+==== List ====
+****
+  zypper repos --priority
+===== GPG Keys =====
+==== Check Keys ====
+****
+  rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
+==== Remove Keys ====
+****
+  sudo rpm -e x
+===== fstrim =====
+****
+  sudo fstrim -v --all
+===== Show CPU Frequency =====
+  grep 'MHz' '/proc/cpuinfo'
+  watch -n 0.1 grep \'cpu MHz\' '/proc/cpuinfo'
+===== OpenSSL Supported Ciphers =====
+****
+  openssl ciphers -v | awk '{print $2}' | sort | uniq
+===== Partition Information =====
+  * Both commands do the same things
+  df -hT
+  df --human-readable --print-type
+===== Encryption Information =====
+****
+  sudo cryptsetup -v status '/dev/dm-0'
+===== ATA Secure Erase =====
+  * :!: All ''hdparm'' commands below assume actions to be performed on ''/dev/sda''
+==== Preparation ====
+  sudo zypper install 'hdparm' && sync
+  sudo hdparm -I '/dev/sda'
+  systemctl suspend
+==== ATA Secure Erase ====
+<code>sudo blkdiscard --verbose '/dev/sda'</code>
+<code>sudo hdparm --user-master u --security-set-pass 'x' '/dev/sda' && sudo hdparm --user-master u --security-erase-enhanced 'x' '/dev/sda' && sync</code>
+<code>sudo hdparm --user-master u --security-set-pass 'x' '/dev/sda' && sudo hdparm --user-master u --security-erase 'x' '/dev/sda' && sync</code>
+===== NVMe Erase =====
+  * NVMe Erase from the start page lands here and I usually use a Ubuntu LiveUSB to do this, hence the ''apt'' command
+  sudo apt install 'nvme-cli' -y && sync
+  sudo zypper install 'nvme-cli' -y && sync
+  sudo nvme format '/dev/nvme0' --reset --ses='1' --pil='0' --pi='0' --ms='0' && sync
+===== Clean EFI Variables =====
+  * :!: Could potentially cause a firmware brick or other issues with improper EFI implementations, use at own risk ((personally tested fine on several Acer and Dell computers))
+  * Safer way is to use ''efibootmgr'' to remove boot entries individually
+  sudo rm -f '/sys/firmware/efi/efivars/'* || sync && sudo efibootmgr -v
+===== RAID =====
+==== Controller Details ====
+****
+  sudo mdadm --detail-platform
+==== Create Software RAID ====
+  * :?: Came from old notes; I **assume** this worked at some point, but in any case, the syntax looks nice :p
+  sudo mdadm --create '/dev/md0' --name='RAID' --level='0' --raid-devices='3' '/dev/sda' '/dev/sdb' '/dev/sdc' --verbose
+===== Hyper-threading Information =====
+****
+  grep -e "processor" -e "core id" -e "^$" /proc/cpuinfo
+===== Optimal GCC compiler flags =====
+****
+  gcc -v -E -x c -march=native -mtune=native - < /dev/null 2>&1 | grep cc1 | perl -pe 's/ -mno-\S+//g; s/^.* - //g;'
+===== FirewallD =====
+==== List Active Rules ====
+****
+  sudo firewall-cmd --list-all
+==== List Available Services ====
+****
+  sudo firewall-cmd --get-service
+==== Reload ====
+****
+  sudo firewall-cmd --reload
+==== Add/Remove Service ====
+  * Add ''--permanent'' as-needed to allow the rule to persist
+  sudo firewall-cmd --add-service=x
+  sudo firewall-cmd --remove-service=x
+==== Add/Remove Port ====
+  * Add ''--permanent'' as-needed to allow the rule to persist
+  * Change ''tcp'' to ''udp'' as-needed
+  sudo firewall-cmd --add-port=x/tcp
+  sudo firewall-cmd --remove-port=x/tcp
+====== Privacy ======
+===== Clear Terminal History =====
+****
+  history -cw
+===== Create 7z Password Archive =====
+  * Change ''7ZIPNAME'' in ''7ZIPNAME.7z'' to the desired archive name
+  * Change ''PASS'' in ''-pPASS'' to the desired password
+  * Change ''x'' to the file or folder to add to the archive
+za a '7ZIPNAME.7z' -p'PASS' 'x'
+za a 'x.7z' -p'x' 'x'