server/Workstation
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

organize boot/security sections

Browse Source
This commit is contained in:
ducoterra
2023-08-15 23:29:16 -04:00
parent a8d75961cd
commit 2b91795bb4
1 changed files with 203 additions and 178 deletions
Download Patch File Download Diff File Expand all files Collapse all files

381
arch.md
View File

@@ -4,24 +4,29 @@
- [Arch with Gnome](#arch-with-gnome) - [Arch with Gnome](#arch-with-gnome)
- [Installation](#installation) - [Installation](#installation)
- [Preparation](#preparation)
- [Boot](#boot)
- [Security](#security)
- [Secure Boot](#secure-boot)
- [Firewall](#firewall)
- [TPM2 LUKS Decryption](#tpm2-luks-decryption)
- [AppArmor](#apparmor)
- [Firejail](#firejail)
- [Fingerprint Reader Support](#fingerprint-reader-support)
- [Setup](#setup)
- [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed)
- [Post Install](#post-install) - [Post Install](#post-install)
- [Locale](#locale) - [Gnome](#gnome)
- [Hardware Acceleration](#hardware-acceleration) - [Hardware Acceleration](#hardware-acceleration)
- [Firewall](#firewall)
- [Power Management](#power-management) - [Power Management](#power-management)
- [TPM2 LUKS Decryption](#tpm2-luks-decryption)
- [Don't sleep while plugged in](#dont-sleep-while-plugged-in) - [Don't sleep while plugged in](#dont-sleep-while-plugged-in)
- [Fingerprint Reader Support](#fingerprint-reader-support)
- [Setup](#setup)
- [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed)
- [AppArmor](#apparmor)
- [Firejail](#firejail)
- [AppImage Support](#appimage-support) - [AppImage Support](#appimage-support)
- [Bluetooth](#bluetooth) - [Bluetooth](#bluetooth)
- [Audio](#audio) - [Audio](#audio)
- [Firefox](#firefox) - [Firefox](#firefox)
- [RDP Remote Desktop](#rdp-remote-desktop) - [RDP Remote Desktop](#rdp-remote-desktop)
- [Virtualization](#virtualization) - [Virtualization](#virtualization)
- [Arch Guests](#arch-guests)
- [CUPS Printing](#cups-printing) - [CUPS Printing](#cups-printing)
- [Steam](#steam) - [Steam](#steam)
- [XWayland](#xwayland) - [XWayland](#xwayland)
@@ -32,7 +37,11 @@
- [ISCSI](#iscsi) - [ISCSI](#iscsi)
- [Backing up a snapshot](#backing-up-a-snapshot) - [Backing up a snapshot](#backing-up-a-snapshot)
- [VSCode](#vscode) - [VSCode](#vscode)
- [Apps](#apps) - [Iperf](#iperf)
- [Git](#git)
- [Wine](#wine)
- [Spotify](#spotify)
- [Kubectl](#kubectl)
- [Bashrc](#bashrc) - [Bashrc](#bashrc)
- [Unecessary](#unecessary) - [Unecessary](#unecessary)
- [Plymouth Background Image](#plymouth-background-image) - [Plymouth Background Image](#plymouth-background-image)
@@ -44,6 +53,8 @@
## Installation ## Installation
### Preparation
Follow most of the instructions here: Follow most of the instructions here:
<https://wiki.archlinux.org/title/Installation_guide> <https://wiki.archlinux.org/title/Installation_guide>
@@ -56,8 +67,10 @@ Follow most of the instructions here:
On framework this is done in the UEFI setup page for Security, sub-page On framework this is done in the UEFI setup page for Security, sub-page
Secure Boot, choose “Erase all Secure Boot Settings.” Secure Boot, choose “Erase all Secure Boot Settings.”
6. Boot into the live image ### Boot
7. Check for network connectivity
1. Boot into the live image
2. Check for network connectivity
```bash ```bash
# Check for internet # Check for internet
@@ -65,8 +78,8 @@ Follow most of the instructions here:
ping archlinux.org ping archlinux.org
``` ```
8. `timedatectl` to update system clock 3. `timedatectl` to update system clock
9. Create disk partitions. Use gdisk or beware "bootctl install is not on a gpt partition table" 4. Create disk partitions. Use gdisk or beware "bootctl install is not on a gpt partition table"
```bash ```bash
fdisk -l fdisk -l
@@ -77,40 +90,39 @@ Follow most of the instructions here:
- t EFI SYSTEM for /boot - t EFI SYSTEM for /boot
- remaining for / - remaining for /
10. `mkfs.fat -F 32 /dev/vda1` (/mnt/boot partition) 5. `mkfs.fat -F 32 /dev/vda1` (/mnt/boot partition)
11. `cryptsetup luksFormat /dev/vda2` 6. `cryptsetup luksFormat /dev/vda2`
12. `cryptsetup luksOpen /dev/vda2 root` 7. `cryptsetup luksOpen /dev/vda2 root`
13. `mkfs.btrfs /dev/mapper/root` (root partition) 8. `mkfs.btrfs /dev/mapper/root` (root partition)
14. Mount the root partition with `mount /mnt` 9. Mount the root partition with `mount /mnt`
15. Mount the boot partition with `mount --mkdir /mnt/boot` 10. Mount the boot partition with `mount --mkdir /mnt/boot`
16. `pacstrap -K /mnt base linux linux-firmware` 11. `pacstrap -K /mnt base linux linux-firmware`
12. `genfstab -U /mnt >> /mnt/etc/fstab`
13. `arch-chroot /mnt`
14. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime`
15. `hwclock --systohc`
16. `echo 'LANG=en_US.UTF-8' > /etc/locale.conf`
17. `echo 'KEYMAP=us' > /etc/vconsole.conf`
18. `echo 'hostname' > /etc/hostname`
19. `pacman -S sudo vim dhclient dhcpcd bash-completion`
20. Edit /etc/mkinitcpio.conf and set up systemd/sd-encrypt
Note: linux-zen works, linux-hardened breaks appimages /etc/mkinitcpio.conf
17. `genfstab -U /mnt >> /mnt/etc/fstab`
18. `arch-chroot /mnt`
19. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime`
20. `hwclock --systohc`
21. `echo 'LANG=en_US.UTF-8' > /etc/locale.conf`
22. `echo 'KEYMAP=us' > /etc/vconsole.conf`
23. `echo 'hostname' > /etc/hostname`
24. `pacman -S sudo vim gdm gnome dhclient dhcpcd bash-completion tpm2-tss btrfs-progs`
25. Edit /etc/mkinitcpio.conf and set up systemd/sd-encrypt
```conf ```conf
HOOKS=(systemd autodetect modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck) HOOKS=(systemd autodetect modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)
``` ```
26. `mkinitcpio -P` 21. `mkinitcpio -P`
27. Install systemd-boot 22. Install systemd-boot
https://wiki.archlinux.org/title/systemd-boot <https://wiki.archlinux.org/title/systemd-boot>
```bash ```bash
bootctl install bootctl install
``` ```
28. edit your loader.conf with some defaults 23. edit your loader.conf with some defaults
/boot/loader/loader.conf /boot/loader/loader.conf
@@ -121,7 +133,7 @@ Follow most of the instructions here:
editor no editor no
``` ```
29. Create a loader (/usr/share/systemd/bootctl/loader.conf) 24. Create a loader (/usr/share/systemd/bootctl/loader.conf)
/boot/loader/entries/arch.conf /boot/loader/entries/arch.conf
@@ -132,7 +144,7 @@ Follow most of the instructions here:
options quiet splash rd.luks.name=d9828faa-2b8c-4184-9e74-9054ae328c6d=root root=/dev/mapper/root rootflags=subvol=root nvme.noacpi=1 acpi_osi="!Windows 2020" mem_sleep_default="deep" rw options quiet splash rd.luks.name=d9828faa-2b8c-4184-9e74-9054ae328c6d=root root=/dev/mapper/root rootflags=subvol=root nvme.noacpi=1 acpi_osi="!Windows 2020" mem_sleep_default="deep" rw
``` ```
30. Add a pacman hook for systemd-boot updates 25. Add a pacman hook for systemd-boot updates
/etc/pacman.d/hooks/95-systemd-boot.hook /etc/pacman.d/hooks/95-systemd-boot.hook
@@ -148,138 +160,90 @@ Follow most of the instructions here:
Exec = /usr/bin/systemctl restart systemd-boot-update.service Exec = /usr/bin/systemctl restart systemd-boot-update.service
``` ```
31. `cd /root/` 26. `useradd ducoterra`
32. `pacman -S efitools` 27. `passwd ducoterra`
33. `for var in PK KEK db dbx ; do efi-readvar -v $var -o old_${var}.esl ; done` 28. `groupadd sudo`
34. `pacman -S sbctl` 29. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege
35. `sbctl create-keys` 30. `usermod -aG sudo ducoterra`
36. `sbctl enroll-keys -m` 31. `usermod -aG wheel ducoterra`
37. `sbctl status` 32. `mkdir /home/ducoterra`
38. `sbctl verify` 33. `chown ducoterra:ducoterra /home/ducoterra`
39. `sbctl sign -s /boot/vmlinuz-linux` 34. `vim /etc/locale.gen`
40. `sbctl sign -s /boot/EFI/BOOT/BOOTX64.EFI`
41. `sbctl status`
42. `sudo systemctl enable gdm`
43. `useradd ducoterra`
44. `passwd ducoterra`
45. `groupadd sudo`
46. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege
47. `usermod -aG sudo ducoterra`
48. `usermod -aG wheel ducoterra`
49. `mkdir /home/ducoterra`
50. `chown ducoterra:ducoterra /home/ducoterra`
51. `exit`
52. `reboot`
Don't forget to enable secure boot. Don't forget to add a trusted boot loader.
There is a pacman hook which will automatically sign new binaries on update.
## Post Install
### Locale
Set up locale with correct information (required for certain binaries like minecraft-launcher)
1. `vim /etc/locale.gen`
Uncomment the line: Uncomment the line:
en_US.UTF-8 UTF-8 en_US.UTF-8 UTF-8
2. `sudo locale-gen` 35. `locale-gen`
36. `exit`
37. `reboot`
### Hardware Acceleration ### Security
(This helps enable hardware encoding/decoding for steam streaming) #### Secure Boot
Intel 1. `pacman -S efitools`
2. `cd /root/`
3. `for var in PK KEK db dbx ; do efi-readvar -v $var -o old_${var}.esl ; done`
4. `pacman -S sbctl`
5. `sbctl create-keys`
6. `sbctl enroll-keys -m`
7. `sbctl status`
8. `sbctl verify`
9. `sbctl sign -s /boot/vmlinuz-linux`
10. `sbctl sign -s /boot/EFI/BOOT/BOOTX64.EFI`
11. `sbctl status`
```bash Don't forget to enable secure boot. Don't forget to add a trusted boot loader.
sudo pacman -S libva-utils intel-media-driver There is a pacman hook which will automatically sign new binaries on update.
vainfo
```
AMD #### Firewall
```bash
sudo pacman -S vulkan-radeon libva-utils libva-mesa-driver xf86-video-amdgpu
```
### Firewall
```bash ```bash
sudo pacman -S ufw sudo pacman -S ufw
sudo ufw enable sudo ufw enable
``` ```
### Power Management #### TPM2 LUKS Decryption
1. For laptops install `tlp`
```bash
sudo pacman -S tlp tlp-rdw
sudo systemctl enable --now tlp
sudo systemctl mask systemd-rfkill.service
sudo systemctl mask systemd-rfkill.socket
```
2. Then configure it with the following settings (optional)
/etc/tlp.conf
```conf
# I've seen some issues with usb autosuspend
USB_AUTOSUSPEND=0
# Restore bluetooth/wifi state on reboot
# Otherwise it defaults to on
RESTORE_DEVICE_STATE_ON_STARTUP=1
# Disable wifi when plugged in
# You might not want this for continuity - eg. you're copying a file to a network
# share over wifi - plugging in will cancel the copy with this option enabled.
DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan"
# Re-enable wifi when unplugged.
DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="wifi wwan"
```
3. For desktops install cpupower
```bash
sudo pacman -S cpupower
systemctl enable --now cpupower
```
Temporarily set power profile with `cpupower frequency-set -g performance`
Edit /etc/default/cpupower
```conf
governor='performance'
```
### TPM2 LUKS Decryption
Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure boot is disabled. Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure boot is disabled.
1. `pacman -S tpm2-tss` 1. `pacman -S tpm2-tss`
2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7` 2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7`
### Don't sleep while plugged in #### AppArmor
This is needed for the Framework 13 (11th gen) since sleeping while plugged in to a dock 1. `sudo pacman -S apparmor`
will prevent it from waking up. 2. `sudo systemctl enable --now apparmor`
3. `sudo systemctl enable --now auditd`
4. Add the correct kernel parameters
/etc/systemd/logind.conf /boot/loaders/entries/arch.conf
```conf ```conf
... title Arch Linux
HandleLidSwitchExternalPower=lock ...
HandleLidSwitchDocked=ignore options ...lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1...
... ```
```
### Fingerprint Reader Support #### Firejail
#### Setup Firejail launches supported applications in a sandboxed environment where it limits access
to system files and resources.
For example:
- Firefox will not be able to access more than a small subset of your home directory.
- VSCode will not be able to acces ~/.config/autostart.
1. `sudo pacman -S firejail`
2. `sudo firecfg`
3. `firecfg --fix`
4. `sudo rm /usr/local/bin/dnsmasq` (this fixes an issue with virsh network start)
#### Fingerprint Reader Support
##### Setup
1. `sudo pacman -S fprintd` 1. `sudo pacman -S fprintd`
2. `sudo systemctl enable --now fprintd` 2. `sudo systemctl enable --now fprintd`
@@ -292,7 +256,7 @@ HandleLidSwitchDocked=ignore
auth sufficient pam_fprintd.so auth sufficient pam_fprintd.so
``` ```
#### Turn Off Fingerprint When Laptop Lid Closed ##### Turn Off Fingerprint When Laptop Lid Closed
To disable fingerprint authentication when the laptop lid is closed, and To disable fingerprint authentication when the laptop lid is closed, and
re-enable when it is reopened, we will use acpid to bind to the button/lid.* re-enable when it is reopened, we will use acpid to bind to the button/lid.*
@@ -369,34 +333,87 @@ runs our script on wake.
Now the status should be correct even after connecting/disconnecting when the computer is off. Now the status should be correct even after connecting/disconnecting when the computer is off.
### AppArmor ## Post Install
1. `sudo pacman -S apparmor` ### Gnome
2. `sudo systemctl enable --now apparmor`
3. `sudo systemctl enable --now auditd`
4. Add the correct kernel parameters
/boot/loaders/entries/arch.conf 1. `pacman -S gdm gnome`
2. `sudo systemctl enable gdm`
```conf ### Hardware Acceleration
title Arch Linux
... (This helps enable hardware encoding/decoding for steam streaming)
options ...lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1...
Intel
```bash
sudo pacman -S libva-utils intel-media-driver
vainfo
```
AMD
```bash
sudo pacman -S vulkan-radeon libva-utils libva-mesa-driver xf86-video-amdgpu
```
### Power Management
1. For laptops install `tlp`
```bash
sudo pacman -S tlp tlp-rdw
sudo systemctl enable --now tlp
sudo systemctl mask systemd-rfkill.service
sudo systemctl mask systemd-rfkill.socket
``` ```
### Firejail 2. Then configure it with the following settings (optional)
Firejail launches supported applications in a sandboxed environment where it limits access /etc/tlp.conf
to system files and resources.
For example: ```conf
# I've seen some issues with usb autosuspend
USB_AUTOSUSPEND=0
# Restore bluetooth/wifi state on reboot
# Otherwise it defaults to on
RESTORE_DEVICE_STATE_ON_STARTUP=1
# Disable wifi when plugged in
# You might not want this for continuity - eg. you're copying a file to a network
# share over wifi - plugging in will cancel the copy with this option enabled.
DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan"
# Re-enable wifi when unplugged.
DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="wifi wwan"
```
- Firefox will not be able to access more than a small subset of your home directory. 3. For desktops install cpupower
- VSCode will not be able to acces ~/.config/autostart.
1. `sudo pacman -S firejail` ```bash
2. `sudo firecfg` sudo pacman -S cpupower
3. `firecfg --fix` systemctl enable --now cpupower
```
Temporarily set power profile with `cpupower frequency-set -g performance`
Edit /etc/default/cpupower
```conf
governor='performance'
```
### Don't sleep while plugged in
This is needed for the Framework 13 (11th gen) since sleeping while plugged in to a dock
will prevent it from waking up.
/etc/systemd/logind.conf
```conf
...
HandleLidSwitchExternalPower=lock
HandleLidSwitchDocked=ignore
...
```
### AppImage Support ### AppImage Support
@@ -427,7 +444,7 @@ Also chmod +x before running.
Without pipewire-pulse the audio level/device will reset every reboot. Without pipewire-pulse the audio level/device will reset every reboot.
1. `sudo pacman -S pipewire-pulse` (remove conflicting packages) 1. `sudo pacman -S pipewire-pulse` (remove conflicting packages)
### Firefox ### Firefox
@@ -482,7 +499,7 @@ sudo pacman -S firefox gnome-browser-connector
If you get a blank screen when launching a VM check that you've used the correct bios - If you get a blank screen when launching a VM check that you've used the correct bios -
either secboot or not secboot. This is the most common problem. either secboot or not secboot. This is the most common problem.
**Arch Guests** #### Arch Guests
In order to get drivers for spice you'll need the guest spice drivers: In order to get drivers for spice you'll need the guest spice drivers:
@@ -492,15 +509,15 @@ sudo pacman -S qemu-guest-agent spice-vdagent
### CUPS Printing ### CUPS Printing
12. `sudo pacman -S cups cups-pdf avahi` 1. `sudo pacman -S cups cups-pdf avahi`
14. `sudo vim /etc/nsswitch.conf` 2. `sudo vim /etc/nsswitch.conf`
```conf ```conf
hosts: mymachines mdns_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns hosts: mymachines mdns_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
``` ```
15. `sudo systemctl start cups` 3. `sudo systemctl start cups`
16. `sudo systemctl start avahi-daemon` 4. `sudo systemctl start avahi-daemon`
### Steam ### Steam
@@ -785,17 +802,25 @@ To install that list of extensions run:
cat vscode_extensions.txt | xargs -L 1 code --install-extension cat vscode_extensions.txt | xargs -L 1 code --install-extension
``` ```
## Apps ### Iperf
| Name | Description | `pacman -S iperf3`
| ---------------- | ------------------------- |
| base-devel | makepkg requirement | ### Git
| kubectl | kubernetes kubectl |
| wine | wine64 emulator | `pacman -S git`
| steam | steam |
| git | git | ### Wine
| iperf3 | iperf3 network speedtest |
| spotify-launcher | official spotify launcher | `pacman -S wine`
### Spotify
`pacman -S spotify-launcher`
### Kubectl
`pacman -S kubectl`
## Bashrc ## Bashrc