organize boot/security sections

This commit is contained in:
ducoterra
2023-08-15 23:29:16 -04:00
parent a8d75961cd
commit 2b91795bb4

381
arch.md

@@ -4,24 +4,29 @@
- [Arch with Gnome](#arch-with-gnome)
- [Installation](#installation)
- [Preparation](#preparation)
- [Boot](#boot)
- [Security](#security)
- [Secure Boot](#secure-boot)
- [Firewall](#firewall)
- [TPM2 LUKS Decryption](#tpm2-luks-decryption)
- [AppArmor](#apparmor)
- [Firejail](#firejail)
- [Fingerprint Reader Support](#fingerprint-reader-support)
- [Setup](#setup)
- [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed)
- [Post Install](#post-install)
- [Locale](#locale)
- [Gnome](#gnome)
- [Hardware Acceleration](#hardware-acceleration)
- [Firewall](#firewall)
- [Power Management](#power-management)
- [TPM2 LUKS Decryption](#tpm2-luks-decryption)
- [Don't sleep while plugged in](#dont-sleep-while-plugged-in)
- [Fingerprint Reader Support](#fingerprint-reader-support)
- [Setup](#setup)
- [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed)
- [AppArmor](#apparmor)
- [Firejail](#firejail)
- [AppImage Support](#appimage-support)
- [Bluetooth](#bluetooth)
- [Audio](#audio)
- [Firefox](#firefox)
- [RDP Remote Desktop](#rdp-remote-desktop)
- [Virtualization](#virtualization)
- [Arch Guests](#arch-guests)
- [CUPS Printing](#cups-printing)
- [Steam](#steam)
- [XWayland](#xwayland)
@@ -32,7 +37,11 @@
- [ISCSI](#iscsi)
- [Backing up a snapshot](#backing-up-a-snapshot)
- [VSCode](#vscode)
- [Apps](#apps)
- [Iperf](#iperf)
- [Git](#git)
- [Wine](#wine)
- [Spotify](#spotify)
- [Kubectl](#kubectl)
- [Bashrc](#bashrc)
- [Unecessary](#unecessary)
- [Plymouth Background Image](#plymouth-background-image)
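Review bot: the context entry `[Unecessary](#unecessary)` carries a typo (should be "Unnecessary"); fixing it means renaming the heading as well, since the anchor is derived from it.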
@@ -44,6 +53,8 @@
## Installation
### Preparation
Follow most of the instructions here:
<https://wiki.archlinux.org/title/Installation_guide>
@@ -56,8 +67,10 @@ Follow most of the instructions here:
On framework this is done in the UEFI setup page for Security, sub-page
Secure Boot, choose “Erase all Secure Boot Settings.”
6. Boot into the live image
7. Check for network connectivity
### Boot
1. Boot into the live image
2. Check for network connectivity
```bash
# Check for internet
@@ -65,8 +78,8 @@ Follow most of the instructions here:
ping archlinux.org
```
8. `timedatectl` to update system clock
9. Create disk partitions. Use gdisk or beware "bootctl install is not on a gpt partition table"
3. `timedatectl` to update system clock
4. Create disk partitions. Use gdisk or beware "bootctl install is not on a gpt partition table"
```bash
fdisk -l
@@ -77,40 +90,39 @@ Follow most of the instructions here:
- t EFI SYSTEM for /boot
- remaining for /
10. `mkfs.fat -F 32 /dev/vda1` (/mnt/boot partition)
11. `cryptsetup luksFormat /dev/vda2`
12. `cryptsetup luksOpen /dev/vda2 root`
13. `mkfs.btrfs /dev/mapper/root` (root partition)
14. Mount the root partition with `mount /mnt`
15. Mount the boot partition with `mount --mkdir /mnt/boot`
16. `pacstrap -K /mnt base linux linux-firmware`
5. `mkfs.fat -F 32 /dev/vda1` (/mnt/boot partition)
6. `cryptsetup luksFormat /dev/vda2`
7. `cryptsetup luksOpen /dev/vda2 root`
8. `mkfs.btrfs /dev/mapper/root` (root partition)
9. Mount the root partition with `mount /mnt`
10. Mount the boot partition with `mount --mkdir /mnt/boot`
11. `pacstrap -K /mnt base linux linux-firmware`
12. `genfstab -U /mnt >> /mnt/etc/fstab`
13. `arch-chroot /mnt`
14. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime`
15. `hwclock --systohc`
16. `echo 'LANG=en_US.UTF-8' > /etc/locale.conf`
17. `echo 'KEYMAP=us' > /etc/vconsole.conf`
18. `echo 'hostname' > /etc/hostname`
19. `pacman -S sudo vim dhclient dhcpcd bash-completion`
20. Edit /etc/mkinitcpio.conf and set up systemd/sd-encrypt
Note: linux-zen works, linux-hardened breaks appimages
17. `genfstab -U /mnt >> /mnt/etc/fstab`
18. `arch-chroot /mnt`
19. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime`
20. `hwclock --systohc`
21. `echo 'LANG=en_US.UTF-8' > /etc/locale.conf`
22. `echo 'KEYMAP=us' > /etc/vconsole.conf`
23. `echo 'hostname' > /etc/hostname`
24. `pacman -S sudo vim gdm gnome dhclient dhcpcd bash-completion tpm2-tss btrfs-progs`
25. Edit /etc/mkinitcpio.conf and set up systemd/sd-encrypt
/etc/mkinitcpio.conf
```conf
HOOKS=(systemd autodetect modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)
```
26. `mkinitcpio -P`
27. Install systemd-boot
21. `mkinitcpio -P`
22. Install systemd-boot
https://wiki.archlinux.org/title/systemd-boot
<https://wiki.archlinux.org/title/systemd-boot>
```bash
bootctl install
```
28. edit your loader.conf with some defaults
23. edit your loader.conf with some defaults
/boot/loader/loader.conf
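Review bot: steps 9 and 10 (`mount /mnt` and `mount --mkdir /mnt/boot`) are missing the source device and will fail in the live environment, where nothing in fstab describes those mount points; they should read `mount /dev/mapper/root /mnt` and `mount --mkdir /dev/vda1 /mnt/boot`. Related: the boot entry added later in this file passes `rootflags=subvol=root`, but no step creates a `root` subvolume on the btrfs filesystem made in step 8, so either add `btrfs subvolume create /mnt/root` (and mount that as the root) or drop the `rootflags` option.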
@@ -121,7 +133,7 @@ Follow most of the instructions here:
editor no
```
29. Create a loader (/usr/share/systemd/bootctl/loader.conf)
24. Create a loader (/usr/share/systemd/bootctl/loader.conf)
/boot/loader/entries/arch.conf
@@ -132,7 +144,7 @@ Follow most of the instructions here:
options quiet splash rd.luks.name=d9828faa-2b8c-4184-9e74-9054ae328c6d=root root=/dev/mapper/root rootflags=subvol=root nvme.noacpi=1 acpi_osi="!Windows 2020" mem_sleep_default="deep" rw
```
30. Add a pacman hook for systemd-boot updates
25. Add a pacman hook for systemd-boot updates
/etc/pacman.d/hooks/95-systemd-boot.hook
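Review bot: the `rd.luks.name=<uuid>=root` value on the `options` line is the UUID of the author's own LUKS container; the step should tell the reader to substitute the UUID of their `/dev/vda2` (from `cryptsetup luksUUID /dev/vda2` or `blkid`) rather than copy the line, otherwise the initramfs waits for a device that never appears.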
@@ -148,138 +160,90 @@ Follow most of the instructions here:
Exec = /usr/bin/systemctl restart systemd-boot-update.service
```
31. `cd /root/`
32. `pacman -S efitools`
33. `for var in PK KEK db dbx ; do efi-readvar -v $var -o old_${var}.esl ; done`
34. `pacman -S sbctl`
35. `sbctl create-keys`
36. `sbctl enroll-keys -m`
37. `sbctl status`
38. `sbctl verify`
39. `sbctl sign -s /boot/vmlinuz-linux`
40. `sbctl sign -s /boot/EFI/BOOT/BOOTX64.EFI`
41. `sbctl status`
42. `sudo systemctl enable gdm`
43. `useradd ducoterra`
44. `passwd ducoterra`
45. `groupadd sudo`
46. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege
47. `usermod -aG sudo ducoterra`
48. `usermod -aG wheel ducoterra`
49. `mkdir /home/ducoterra`
50. `chown ducoterra:ducoterra /home/ducoterra`
51. `exit`
52. `reboot`
Don't forget to enable secure boot. Don't forget to add a trusted boot loader.
There is a pacman hook which will automatically sign new binaries on update.
## Post Install
### Locale
Set up locale with correct information (required for certain binaries like minecraft-launcher)
1. `vim /etc/locale.gen`
26. `useradd ducoterra`
27. `passwd ducoterra`
28. `groupadd sudo`
29. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege
30. `usermod -aG sudo ducoterra`
31. `usermod -aG wheel ducoterra`
32. `mkdir /home/ducoterra`
33. `chown ducoterra:ducoterra /home/ducoterra`
34. `vim /etc/locale.gen`
Uncomment the line:
en_US.UTF-8 UTF-8
2. `sudo locale-gen`
35. `locale-gen`
36. `exit`
37. `reboot`
### Hardware Acceleration
### Security
(This helps enable hardware encoding/decoding for steam streaming)
#### Secure Boot
Intel
1. `pacman -S efitools`
2. `cd /root/`
3. `for var in PK KEK db dbx ; do efi-readvar -v $var -o old_${var}.esl ; done`
4. `pacman -S sbctl`
5. `sbctl create-keys`
6. `sbctl enroll-keys -m`
7. `sbctl status`
8. `sbctl verify`
9. `sbctl sign -s /boot/vmlinuz-linux`
10. `sbctl sign -s /boot/EFI/BOOT/BOOTX64.EFI`
11. `sbctl status`
```bash
sudo pacman -S libva-utils intel-media-driver
vainfo
```
Don't forget to enable secure boot. Don't forget to add a trusted boot loader.
There is a pacman hook which will automatically sign new binaries on update.
AMD
```bash
sudo pacman -S vulkan-radeon libva-utils libva-mesa-driver xf86-video-amdgpu
```
### Firewall
#### Firewall
```bash
sudo pacman -S ufw
sudo ufw enable
```
### Power Management
1. For laptops install `tlp`
```bash
sudo pacman -S tlp tlp-rdw
sudo systemctl enable --now tlp
sudo systemctl mask systemd-rfkill.service
sudo systemctl mask systemd-rfkill.socket
```
2. Then configure it with the following settings (optional)
/etc/tlp.conf
```conf
# I've seen some issues with usb autosuspend
USB_AUTOSUSPEND=0
# Restore bluetooth/wifi state on reboot
# Otherwise it defaults to on
RESTORE_DEVICE_STATE_ON_STARTUP=1
# Disable wifi when plugged in
# You might not want this for continuity - eg. you're copying a file to a network
# share over wifi - plugging in will cancel the copy with this option enabled.
DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan"
# Re-enable wifi when unplugged.
DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="wifi wwan"
```
3. For desktops install cpupower
```bash
sudo pacman -S cpupower
systemctl enable --now cpupower
```
Temporarily set power profile with `cpupower frequency-set -g performance`
Edit /etc/default/cpupower
```conf
governor='performance'
```
### TPM2 LUKS Decryption
#### TPM2 LUKS Decryption
Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure boot is disabled.
1. `pacman -S tpm2-tss`
2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7`
### Don't sleep while plugged in
#### AppArmor
This is needed for the Framework 13 (11th gen) since sleeping while plugged in to a dock
will prevent it from waking up.
1. `sudo pacman -S apparmor`
2. `sudo systemctl enable --now apparmor`
3. `sudo systemctl enable --now auditd`
4. Add the correct kernel parameters
/etc/systemd/logind.conf
/boot/loaders/entries/arch.conf
```conf
...
HandleLidSwitchExternalPower=lock
HandleLidSwitchDocked=ignore
...
```
```conf
title Arch Linux
...
options ...lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1...
```
### Fingerprint Reader Support
#### Firejail
#### Setup
Firejail launches supported applications in a sandboxed environment where it limits access
to system files and resources.
For example:
- Firefox will not be able to access more than a small subset of your home directory.
- VSCode will not be able to acces ~/.config/autostart.
1. `sudo pacman -S firejail`
2. `sudo firecfg`
3. `firecfg --fix`
4. `sudo rm /usr/local/bin/dnsmasq` (this fixes an issue with virsh network start)
#### Fingerprint Reader Support
##### Setup
1. `sudo pacman -S fprintd`
2. `sudo systemctl enable --now fprintd`
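Review bot: the TPM2 LUKS Decryption steps (1 and 2 under that heading) should state that `systemd-cryptenroll ... --tpm2-pcrs=7` is run only after Secure Boot has been enabled with the enrolled sbctl keys, because PCR 7 measures the Secure Boot policy and the enrolled certificates; a binding made while Secure Boot is still off or in setup mode will no longer unseal once it is enabled and the boot falls back to the passphrase slot. Worth adding in the same place: PCR 7 alone does not measure the kernel, initramfs or command line, so the automatic unlock is only as trustworthy as what the sbctl pacman hook signs. Two smaller points in this hunk: AppArmor step 4 edits `/boot/loaders/entries/arch.conf`, whereas the file created at Installation step 24 is `/boot/loader/entries/arch.conf` (singular), and "acces" in the Firejail VSCode bullet should read "access".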
@@ -292,7 +256,7 @@ HandleLidSwitchDocked=ignore
auth sufficient pam_fprintd.so
```
#### Turn Off Fingerprint When Laptop Lid Closed
##### Turn Off Fingerprint When Laptop Lid Closed
To disable fingerprint authentication when the laptop lid is closed, and
re-enable when it is reopened, we will use acpid to bind to the button/lid.*
@@ -369,34 +333,87 @@ runs our script on wake.
Now the status should be correct even after connecting/disconnecting when the computer is off.
### AppArmor
## Post Install
1. `sudo pacman -S apparmor`
2. `sudo systemctl enable --now apparmor`
3. `sudo systemctl enable --now auditd`
4. Add the correct kernel parameters
### Gnome
/boot/loaders/entries/arch.conf
1. `pacman -S gdm gnome`
2. `sudo systemctl enable gdm`
```conf
title Arch Linux
...
options ...lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1...
### Hardware Acceleration
(This helps enable hardware encoding/decoding for steam streaming)
Intel
```bash
sudo pacman -S libva-utils intel-media-driver
vainfo
```
AMD
```bash
sudo pacman -S vulkan-radeon libva-utils libva-mesa-driver xf86-video-amdgpu
```
### Power Management
1. For laptops install `tlp`
```bash
sudo pacman -S tlp tlp-rdw
sudo systemctl enable --now tlp
sudo systemctl mask systemd-rfkill.service
sudo systemctl mask systemd-rfkill.socket
```
### Firejail
2. Then configure it with the following settings (optional)
Firejail launches supported applications in a sandboxed environment where it limits access
to system files and resources.
/etc/tlp.conf
For example:
```conf
# I've seen some issues with usb autosuspend
USB_AUTOSUSPEND=0
# Restore bluetooth/wifi state on reboot
# Otherwise it defaults to on
RESTORE_DEVICE_STATE_ON_STARTUP=1
# Disable wifi when plugged in
# You might not want this for continuity - eg. you're copying a file to a network
# share over wifi - plugging in will cancel the copy with this option enabled.
DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan"
# Re-enable wifi when unplugged.
DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="wifi wwan"
```
- Firefox will not be able to access more than a small subset of your home directory.
- VSCode will not be able to acces ~/.config/autostart.
3. For desktops install cpupower
1. `sudo pacman -S firejail`
2. `sudo firecfg`
3. `firecfg --fix`
```bash
sudo pacman -S cpupower
systemctl enable --now cpupower
```
Temporarily set power profile with `cpupower frequency-set -g performance`
Edit /etc/default/cpupower
```conf
governor='performance'
```
### Don't sleep while plugged in
This is needed for the Framework 13 (11th gen) since sleeping while plugged in to a dock
will prevent it from waking up.
/etc/systemd/logind.conf
```conf
...
HandleLidSwitchExternalPower=lock
HandleLidSwitchDocked=ignore
...
```
### AppImage Support
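Review bot: the new Gnome section step 1 (`pacman -S gdm gnome`) repeats packages that Installation step 24 already installs; keep only step 2 (`sudo systemctl enable gdm`) here, or drop `gdm gnome` from step 24, so the two places cannot drift apart. Minor: `systemctl enable --now cpupower` in the desktop step is the only systemctl call in this section without `sudo`.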
@@ -427,7 +444,7 @@ Also chmod +x before running.
Without pipewire-pulse the audio level/device will reset every reboot.
1. `sudo pacman -S pipewire-pulse` (remove conflicting packages)
1. `sudo pacman -S pipewire-pulse` (remove conflicting packages)
### Firefox
@@ -482,7 +499,7 @@ sudo pacman -S firefox gnome-browser-connector
If you get a blank screen when launching a VM check that you've used the correct bios -
either secboot or not secboot. This is the most common problem.
**Arch Guests**
#### Arch Guests
In order to get drivers for spice you'll need the guest spice drivers:
@@ -492,15 +509,15 @@ sudo pacman -S qemu-guest-agent spice-vdagent
### CUPS Printing
12. `sudo pacman -S cups cups-pdf avahi`
14. `sudo vim /etc/nsswitch.conf`
1. `sudo pacman -S cups cups-pdf avahi`
2. `sudo vim /etc/nsswitch.conf`
```conf
hosts: mymachines mdns_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
```
15. `sudo systemctl start cups`
16. `sudo systemctl start avahi-daemon`
3. `sudo systemctl start cups`
4. `sudo systemctl start avahi-daemon`
### Steam
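Review bot: steps 3 and 4 use `systemctl start`, which does not persist across a reboot; the other service steps in this document use `enable --now` (for example `sudo systemctl enable --now apparmor`), so these should be `sudo systemctl enable --now cups` and `sudo systemctl enable --now avahi-daemon` for the same effect.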
@@ -785,17 +802,25 @@ To install that list of extensions run:
cat vscode_extensions.txt | xargs -L 1 code --install-extension
```
## Apps
### Iperf
| Name | Description |
| ---------------- | ------------------------- |
| base-devel | makepkg requirement |
| kubectl | kubernetes kubectl |
| wine | wine64 emulator |
| steam | steam |
| git | git |
| iperf3 | iperf3 network speedtest |
| spotify-launcher | official spotify launcher |
`pacman -S iperf3`
### Git
`pacman -S git`
### Wine
`pacman -S wine`
### Spotify
`pacman -S spotify-launcher`
### Kubectl
`pacman -S kubectl`
## Bashrc
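Review bot: replacing the table with per-app sections drops `base-devel` (listed as "makepkg requirement") and `steam` from the list; Steam has its own section in the table of contents, but base-devel no longer appears anywhere in this hunk, so add a section for it or mention it where makepkg is first needed. Also, these `pacman -S` lines omit `sudo` while the surrounding Post Install sections include it.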