continue to organize and update arch install

ducoterra
2023-08-16 10:34:45 -04:00
parent 2b91795bb4
commit 5b2caa74f1
4 changed files with 178 additions and 71 deletions

arch.md (232 changes)

@@ -8,21 +8,24 @@
- [Boot](#boot) - [Boot](#boot)
- [Security](#security) - [Security](#security)
- [Secure Boot](#secure-boot) - [Secure Boot](#secure-boot)
- [Firewall](#firewall)
- [TPM2 LUKS Decryption](#tpm2-luks-decryption) - [TPM2 LUKS Decryption](#tpm2-luks-decryption)
- [Firewall](#firewall)
- [AppArmor](#apparmor) - [AppArmor](#apparmor)
- [Firejail](#firejail) - [Firejail](#firejail)
- [Fingerprint Reader Support](#fingerprint-reader-support) - [Fingerprint Reader Support](#fingerprint-reader-support)
- [Setup](#setup) - [Setup](#setup)
- [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed) - [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed)
- [Post Install](#post-install) - [Desktop Environment](#desktop-environment)
- [Gnome](#gnome) - [Gnome](#gnome)
- [Hardware Management](#hardware-management)
- [Hardware Acceleration](#hardware-acceleration) - [Hardware Acceleration](#hardware-acceleration)
- [Power Management](#power-management) - [Power Management](#power-management)
- [Don't sleep while plugged in](#dont-sleep-while-plugged-in) - [Don't sleep while plugged in](#dont-sleep-while-plugged-in)
- [AppImage Support](#appimage-support)
- [Bluetooth](#bluetooth) - [Bluetooth](#bluetooth)
- [Audio](#audio) - [Audio](#audio)
- [Apps](#apps)
- [AppImage Support](#appimage-support)
- [Transmission](#transmission)
- [Firefox](#firefox) - [Firefox](#firefox)
- [RDP Remote Desktop](#rdp-remote-desktop) - [RDP Remote Desktop](#rdp-remote-desktop)
- [Virtualization](#virtualization) - [Virtualization](#virtualization)
@@ -60,12 +63,23 @@ Follow most of the instructions here:
1. Download Arch 1. Download Arch
2. Verify the image 2. Verify the image
3. Create a bootable ISO
4. Disable secureboot (reenable later)
5. Put your machine in setup mode
On framework this is done in the UEFI setup page for Security, sub-page ```bash
Secure Boot, choose “Erase all Secure Boot Settings.” gpg --auto-key-locate clear,wkd -v --locate-external-key pierre@archlinux.org
```
3. Create a bootable ISO
1. If you are booting into a VM, create an ISO with installation files so you don't have to copy-paste:
```bash
sudo pacman -S cdrtools
mkisofs -r -iso-level 4 -l -o /tmp/arch-files.iso ./arch
```
2. If you are booting from a live usb, copy the files in ./arch to the usb drive
4. Disable secureboot (reenable later)
### Boot ### Boot
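Review bot: the "Verify the image" step in this hunk only locates the signing key (`gpg --auto-key-locate clear,wkd -v --locate-external-key pierre@archlinux.org`); the verification itself is missing, so add the `gpg --verify` of the ISO's `.sig` against the downloaded image and tell the reader to compare the printed key fingerprint with the one published on archlinux.org before trusting the result. The new sub-step that builds the conf ISO (`mkisofs ... -o /tmp/arch-files.iso ./arch`) also assumes the working directory is the repository root; worth stating.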
@@ -79,7 +93,13 @@ Follow most of the instructions here:
``` ```
3. `timedatectl` to update system clock 3. `timedatectl` to update system clock
4. Create disk partitions. Use gdisk or beware "bootctl install is not on a gpt partition table" 4. If using a VM, mount the iso with arch conf files
```bash
mount --mkdir /dev/sr1 /media
```
5. Create disk partitions. Use gdisk or beware "bootctl install is not on a gpt partition table"
```bash ```bash
fdisk -l fdisk -l
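Review bot: step 4 hard-codes `/dev/sr1` for the conf-files ISO; on a VM with a single optical drive it is usually `/dev/sr0`, so add an `lsblk` (or `blkid`) check before the `mount --mkdir /dev/sr1 /media` line, or explain how to pick the right device.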
@@ -90,22 +110,40 @@ Follow most of the instructions here:
- t EFI SYSTEM for /boot - t EFI SYSTEM for /boot
- remaining for / - remaining for /
5. `mkfs.fat -F 32 /dev/vda1` (/mnt/boot partition) 6. `mkfs.fat -F 32 /dev/vda1` (/mnt/boot partition)
6. `cryptsetup luksFormat /dev/vda2` 7. `cryptsetup luksFormat /dev/vda2`
7. `cryptsetup luksOpen /dev/vda2 root` 8. `cryptsetup luksOpen /dev/vda2 root`
8. `mkfs.btrfs /dev/mapper/root` (root partition) 9. `mkfs.btrfs /dev/mapper/root` (root partition)
9. Mount the root partition with `mount /mnt` 10. At this point you can choose how to subvolume your root partition
10. Mount the boot partition with `mount --mkdir /mnt/boot`
11. `pacstrap -K /mnt base linux linux-firmware` ```bash
12. `genfstab -U /mnt >> /mnt/etc/fstab` mount --mkdir -o subvolid=5 /btr_pool
13. `arch-chroot /mnt` btrfs sub create root /btr_pool
14. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime` btrfs sub create home /btr_pool
15. `hwclock --systohc` ...
16. `echo 'LANG=en_US.UTF-8' > /etc/locale.conf` ```
17. `echo 'KEYMAP=us' > /etc/vconsole.conf`
18. `echo 'hostname' > /etc/hostname` 11. Mount the root partition with `mount -o subvol=root /dev/mapper/root /mnt`
19. `pacman -S sudo vim dhclient dhcpcd bash-completion` 12. Mount the boot partition with `mount --mkdir /dev/vda1 /mnt/boot`
20. Edit /etc/mkinitcpio.conf and set up systemd/sd-encrypt 13. If on VM: Mount the conf files with `mount --mkdir /dev/sr1 /mnt/media`
14. `pacstrap -K /mnt base linux linux-firmware`
This command might show an error. This is ok, we'll fix it later.
15. `genfstab -U /mnt >> /mnt/etc/fstab`
16. `arch-chroot /mnt`
17. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime`
18. `hwclock --systohc`
19. `echo 'LANG=en_US.UTF-8' > /etc/locale.conf`
20. `echo 'KEYMAP=us' > /etc/vconsole.conf`
21. `echo 'hostname' > /etc/hostname`
22. `pacman -S sudo vim dhclient dhcpcd bash-completion btrfs-progs`
- dhclient/dhcpcd provides dhcp for network
- bash-completion provides tab complete
- btrfs-progs provides fsck for btrfs
23. Edit /etc/mkinitcpio.conf and set up systemd/sd-encrypt
/etc/mkinitcpio.conf /etc/mkinitcpio.conf
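Review bot: the btrfs snippet under step 10 is not runnable as written: `mount --mkdir -o subvolid=5 /btr_pool` has no device argument, and `btrfs sub create root /btr_pool` passes the subvolume name as a separate argument instead of a path. Suggest `mount --mkdir -o subvolid=5 /dev/mapper/root /btr_pool`, `btrfs subvolume create /btr_pool/root`, `btrfs subvolume create /btr_pool/home`, then `umount /btr_pool` before the `mount -o subvol=root` in step 11. Separately, step 13 mounts the conf ISO at `/mnt/media` and step 15 then runs `genfstab -U /mnt >> /mnt/etc/fstab`, so `/dev/sr1` ends up in the installed system's fstab; unmount it (or delete that line) before generating. "This command might show an error" under step 14 should also name the error it means.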
@@ -113,8 +151,8 @@ Follow most of the instructions here:
HOOKS=(systemd autodetect modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck) HOOKS=(systemd autodetect modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)
``` ```
21. `mkinitcpio -P` 24. `mkinitcpio -P`
22. Install systemd-boot 25. Install systemd-boot
<https://wiki.archlinux.org/title/systemd-boot> <https://wiki.archlinux.org/title/systemd-boot>
@@ -122,7 +160,10 @@ Follow most of the instructions here:
bootctl install bootctl install
``` ```
23. edit your loader.conf with some defaults If this raises an error like "efi partition not found" you probably forgot to format
/mnt/boot as an EFI partition. Edit this by reformatting it with gdisk (ef00 is the hex code).
26. edit your loader.conf with some defaults
/boot/loader/loader.conf /boot/loader/loader.conf
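Review bot: the new note under step 25 says to fix "efi partition not found" by "reformatting" `/mnt/boot` with gdisk; gdisk changes the partition type code (`t`, then `ef00`), it does not format, and the `mkfs.fat -F 32` from step 6 remains valid. Reword to "change the partition type to EF00 (EFI System) with gdisk".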
@@ -133,7 +174,7 @@ Follow most of the instructions here:
editor no editor no
``` ```
24. Create a loader (/usr/share/systemd/bootctl/loader.conf) 27. Create a loader (/usr/share/systemd/bootctl/loader.conf for example)
/boot/loader/entries/arch.conf /boot/loader/entries/arch.conf
@@ -144,7 +185,14 @@ Follow most of the instructions here:
options quiet splash rd.luks.name=d9828faa-2b8c-4184-9e74-9054ae328c6d=root root=/dev/mapper/root rootflags=subvol=root nvme.noacpi=1 acpi_osi="!Windows 2020" mem_sleep_default="deep" rw options quiet splash rd.luks.name=d9828faa-2b8c-4184-9e74-9054ae328c6d=root root=/dev/mapper/root rootflags=subvol=root nvme.noacpi=1 acpi_osi="!Windows 2020" mem_sleep_default="deep" rw
``` ```
25. Add a pacman hook for systemd-boot updates You can get the UUID of the disk into arch.conf with some grepping. Use vim to cut
the excess and copy it into the correct location.
```bash
blkid | grep /dev/vda2 >> /boot/loader/entries.conf
```
28. Add a pacman hook for systemd-boot updates
/etc/pacman.d/hooks/95-systemd-boot.hook /etc/pacman.d/hooks/95-systemd-boot.hook
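Review bot: the helper command under step 27 appends to the wrong file: `blkid | grep /dev/vda2 >> /boot/loader/entries.conf` writes to `/boot/loader/entries.conf`, which systemd-boot never reads; the entry being edited is `/boot/loader/entries/arch.conf`. `blkid -s UUID -o value /dev/vda2 >> /boot/loader/entries/arch.conf` yields just the UUID, which also removes the vim cut-and-paste step.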
@@ -160,50 +208,47 @@ Follow most of the instructions here:
Exec = /usr/bin/systemctl restart systemd-boot-update.service Exec = /usr/bin/systemctl restart systemd-boot-update.service
``` ```
26. `useradd ducoterra` 29. `useradd ducoterra`
27. `passwd ducoterra` 30. `passwd ducoterra`
28. `groupadd sudo` 31. `groupadd sudo`
29. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege 32. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege
30. `usermod -aG sudo ducoterra` 33. `usermod -aG sudo ducoterra`
31. `usermod -aG wheel ducoterra` 34. `usermod -aG wheel ducoterra`
32. `mkdir /home/ducoterra` 35. `mkdir /home/ducoterra`
33. `chown ducoterra:ducoterra /home/ducoterra` 36. `chown ducoterra:ducoterra /home/ducoterra`
34. `vim /etc/locale.gen` 37. `locale-gen`
38. `systemctl enable dhclient`
Uncomment the line: 39. If on VM install guest drivers: `pacman -S qemu-guest-agent spice-vdagent`
40. `exit`
en_US.UTF-8 UTF-8 41. `reboot`
35. `locale-gen`
36. `exit`
37. `reboot`
### Security ### Security
#### Secure Boot #### Secure Boot
1. `pacman -S efitools` 1. Put your machine in setup mode
2. `cd /root/`
3. `for var in PK KEK db dbx ; do efi-readvar -v $var -o old_${var}.esl ; done` On framework this is done in the UEFI setup page for Security, sub-page
4. `pacman -S sbctl` Secure Boot, choose “Erase all Secure Boot Settings.”
2. `pacman -S efitools sbctl`
3. `cd /root/`
4. `for var in PK KEK db dbx ; do efi-readvar -v $var -o old_${var}.esl ; done`
5. `sbctl create-keys` 5. `sbctl create-keys`
6. `sbctl enroll-keys -m` 6. `sbctl enroll-keys -m`
7. `sbctl status` 7. `sbctl status`
8. `sbctl verify` 8. `sbctl verify`
9. `sbctl sign -s /boot/vmlinuz-linux` 9. `sbctl sign -s /boot/vmlinuz-linux`
10. `sbctl sign -s /boot/EFI/BOOT/BOOTX64.EFI` 10. `sbctl sign -s /boot/EFI/BOOT/BOOTX64.EFI`
11. `sbctl status` 11. `sbctl sign -s /boot/EFI/systemd/systemd-bootx64.efi`
12. `sbctl verify`
13. `reboot`
14. Enable secure boot
15. `sbctl status` to check secure boot
16. `bootctl` to check boot loader status
Don't forget to enable secure boot. Don't forget to add a trusted boot loader.
There is a pacman hook which will automatically sign new binaries on update. There is a pacman hook which will automatically sign new binaries on update.
#### Firewall
```bash
sudo pacman -S ufw
sudo ufw enable
```
#### TPM2 LUKS Decryption #### TPM2 LUKS Decryption
Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure boot is disabled. Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure boot is disabled.
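Review bot: removing the `vim /etc/locale.gen` / "Uncomment the line: en_US.UTF-8 UTF-8" step breaks step 37: `locale-gen` only builds the locales that are uncommented in `/etc/locale.gen`, so with the stock file it builds none, and the `LANG=en_US.UTF-8` set in step 19 points at a locale that does not exist. Restore the uncomment step (for example `sed -i 's/^#en_US.UTF-8/en_US.UTF-8/' /etc/locale.gen`) before `locale-gen`. In the Secure Boot list, `sbctl enroll-keys -m` enrolls Microsoft's certificates next to your own; that is needed for option ROMs on many machines but widens what the firmware will boot, so a sentence on why `-m` is used would help the reader decide.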
@@ -211,6 +256,13 @@ Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure b
1. `pacman -S tpm2-tss` 1. `pacman -S tpm2-tss`
2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7` 2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7`
#### Firewall
```bash
sudo pacman -S ufw
sudo ufw enable
```
#### AppArmor #### AppArmor
1. `sudo pacman -S apparmor` 1. `sudo pacman -S apparmor`
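Review bot: `systemd-cryptenroll ... --tpm2-pcrs=7` binds the LUKS key only to the Secure Boot policy measurement, so any bootloader or kernel signed by an enrolled key (including the Microsoft keys admitted by `enroll-keys -m`) unlocks the disk with no password; if that is not the intended threat model, add `--tpm2-with-pin=yes` so a PIN is still required, and note that the slot must be re-enrolled after changing Secure Boot keys. The `ufw enable` step could also state that ufw's default policy denies incoming and allows outgoing, so the reader knows what protection they got.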
@@ -226,6 +278,8 @@ Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure b
options ...lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1... options ...lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1...
``` ```
5. `reboot`
#### Firejail #### Firejail
Firejail launches supported applications in a sandboxed environment where it limits access Firejail launches supported applications in a sandboxed environment where it limits access
@@ -240,6 +294,25 @@ For example:
2. `sudo firecfg` 2. `sudo firecfg`
3. `firecfg --fix` 3. `firecfg --fix`
4. `sudo rm /usr/local/bin/dnsmasq` (this fixes an issue with virsh network start) 4. `sudo rm /usr/local/bin/dnsmasq` (this fixes an issue with virsh network start)
5. Add a pacman hook to apply firejail on install
/etc/pacman.d/hooks/firejail.hook
```conf
[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Operation = Remove
Target = usr/bin/*
Target = usr/share/applications/*.desktop
[Action]
Description = Configure symlinks in /usr/local/bin based on firecfg.config...
When = PostTransaction
Depends = firejail
Exec = /bin/sh -c 'firecfg >/dev/null 2>&1'
```
#### Fingerprint Reader Support #### Fingerprint Reader Support
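Review bot: the new firejail.hook runs `firecfg` after every transaction touching `usr/bin/*`, which recreates the `/usr/local/bin/dnsmasq` symlink that step 4 deletes to fix `virsh` network start, so the two steps undo each other. Either keep dnsmasq out of what firecfg links (drop it from the firecfg.config list the Description refers to, or use an ignore option if your firecfg version has one) or have the hook remove that symlink after firecfg runs. Also, `firecfg >/dev/null 2>&1` discards failures; pacman shows hook output, so at least keep stderr.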
@@ -333,12 +406,19 @@ runs our script on wake.
Now the status should be correct even after connecting/disconnecting when the computer is off. Now the status should be correct even after connecting/disconnecting when the computer is off.
## Post Install ## Desktop Environment
### Gnome ### Gnome
1. `pacman -S gdm gnome` 1. `pacman -S gdm gnome`
2. `sudo systemctl enable gdm`
- choose pipewire-jack
- choose wireplumber
- choose noto-fonts-emoji
2. `sudo systemctl enable --now gdm`
## Hardware Management
### Hardware Acceleration ### Hardware Acceleration
@@ -415,6 +495,19 @@ HandleLidSwitchDocked=ignore
... ...
``` ```
### Bluetooth
1. `sudo pacman -S bluez bluez-utils`
2. `sudo systemctl enable --now bluetooth`
### Audio
Without pipewire-pulse the audio level/device will reset every reboot.
1. `sudo pacman -S pipewire-pulse` (remove conflicting packages)
## Apps
### AppImage Support ### AppImage Support
fuse is required to run most appimages. fuse is required to run most appimages.
@@ -435,16 +528,11 @@ Also chmod +x before running.
Categories=; Categories=;
``` ```
### Bluetooth ### Transmission
1. `sudo pacman -S bluez bluez-utils` ```bash
2. `sudo systemctl enable --now bluetooth` sudo pacman -S gtk4 transmission-gtk
```
### Audio
Without pipewire-pulse the audio level/device will reset every reboot.
1. `sudo pacman -S pipewire-pulse` (remove conflicting packages)
### Firefox ### Firefox
@@ -454,6 +542,8 @@ You'll want firefox and gnome-browser-connector (for gnome extension management)
sudo pacman -S firefox gnome-browser-connector sudo pacman -S firefox gnome-browser-connector
``` ```
Choose noto-free-fonts
### RDP Remote Desktop ### RDP Remote Desktop
1. `sudo pacman -S remmina freerdp` 1. `sudo pacman -S remmina freerdp`


@@ -0,0 +1,9 @@
[Trigger]
Type = Package
Operation = Upgrade
Target = systemd
[Action]
Description = Gracefully upgrading systemd-boot...
When = PostTransaction
Exec = /usr/bin/systemctl restart systemd-boot-update.service

arch/arch.conf (4 changes, new file)

@@ -0,0 +1,4 @@
title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options quiet splash rd.luks.name=UUID=root root=/dev/mapper/root rootflags=subvol=root nvme.noacpi=1 acpi_osi="!Windows 2020" mem_sleep_default="deep" rw
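Review bot: `rd.luks.name=UUID=root` in the options line uses the literal word `UUID` as a placeholder, which reads like valid syntax and leaves the initramfs unable to find the LUKS device if the file is used unedited; use an obviously invalid placeholder such as `<luks-uuid>` and say in arch.md that it must be replaced with the `blkid` UUID of the LUKS partition.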

arch/loader.conf (4 changes, new file)

@@ -0,0 +1,4 @@
default arch.conf
timeout 4
console-mode max
editor no