Phase 12: Maintenance

Automatic Updates (dnf-automatic)

sudo dnf install -y dnf-automatic

# Configure: download and apply security updates
sudo sed -i 's/^apply_updates = no/apply_updates = yes/' /etc/dnf/automatic.conf
sudo sed -i 's/^upgrade_type = default/upgrade_type = security/' /etc/dnf/automatic.conf

# Enable timer
sudo systemctl enable --now dnf-automatic.timer

# Verify timer
systemctl list-timers | grep dnf

Backup Strategy

KVM Snapshots (from host)

# Create snapshot before major changes
virsh snapshot-create-as rhel9-workstation --name "pre-change-$(date +%Y%m%d)" --description "Before X change"

# List snapshots
virsh snapshot-list rhel9-workstation

Borg Backup (from VM)

# Install Borg
sudo dnf install -y borgbackup || pip install borgbackup

# Initialize repo (adjust path to your backup target)
borg init --encryption=repokey /backup/rhel9-ws

# Create backup
borg create /backup/rhel9-ws::$(date +%Y%m%d-%H%M) \
  /home /etc /data \
  --exclude '/home/*/.cache'

systemd Timers (Practice)

Create a custom systemd timer — this is an RHCSA objective.

# Create service unit
sudo tee /etc/systemd/system/backup-home.service << 'EOF'
[Unit]
Description=Backup home directory

[Service]
Type=oneshot
ExecStart=/usr/bin/tar czf /data/backups/home-$(date +%%Y%%m%%d).tar.gz /home
EOF

# Create timer unit
sudo tee /etc/systemd/system/backup-home.timer << 'EOF'
[Unit]
Description=Daily home backup

[Timer]
OnCalendar=daily
Persistent=true

[Install]
WantedBy=timers.target
EOF

sudo systemctl daemon-reload
sudo systemctl enable --now backup-home.timer

# Verify
systemctl list-timers | grep backup

Certificate Renewal

# Vault SSH cert (8-hour TTL — renew daily)
# From workstation:
vault write -field=signed_key ssh/sign/domus-client \
  public_key=@$HOME/.ssh/id_ed25519_vault.pub \
  valid_principals="evanusmodestus" \
  >| ~/.ssh/id_ed25519_vault-cert.pub

System Health Checks

# Check for failed services
systemctl --failed

# Check SELinux denials
sudo ausearch -m AVC -ts today --raw | wc -l

# Check disk usage
df -hT

# Check LVM status
sudo vgs
sudo lvs

Check	Status
dnf-automatic installed and configured	[ ]
Security updates auto-applied	[ ]
KVM snapshot strategy documented	[ ]
Borg backup initialized	[ ]
Custom systemd timer created	[ ]
Certificate renewal documented	[ ]

Check

Status

dnf-automatic installed and configured

[ ]

Security updates auto-applied

[ ]

KVM snapshot strategy documented

[ ]

Borg backup initialized

[ ]

Custom systemd timer created

[ ]

Certificate renewal documented

[ ]