continue to organize and update arch install

arch.md

@@ -8,21 +8,24 @@
     - [Boot](#boot)
     - [Security](#security)
       - [Secure Boot](#secure-boot)
-      - [Firewall](#firewall)
       - [TPM2 LUKS Decryption](#tpm2-luks-decryption)
+      - [Firewall](#firewall)
       - [AppArmor](#apparmor)
       - [Firejail](#firejail)
       - [Fingerprint Reader Support](#fingerprint-reader-support)
         - [Setup](#setup)
         - [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed)
-  - [Post Install](#post-install)
+  - [Desktop Environment](#desktop-environment)
     - [Gnome](#gnome)
+  - [Hardware Management](#hardware-management)
     - [Hardware Acceleration](#hardware-acceleration)
     - [Power Management](#power-management)
     - [Don't sleep while plugged in](#dont-sleep-while-plugged-in)
-    - [AppImage Support](#appimage-support)
     - [Bluetooth](#bluetooth)
     - [Audio](#audio)
+  - [Apps](#apps)
+    - [AppImage Support](#appimage-support)
+    - [Transmission](#transmission)
     - [Firefox](#firefox)
     - [RDP Remote Desktop](#rdp-remote-desktop)
     - [Virtualization](#virtualization)
@@ -60,12 +63,23 @@ Follow most of the instructions here:
 
 1. Download Arch
 2. Verify the image
-3. Create a bootable ISO
-4. Disable secureboot (reenable later)
-5. Put your machine in setup mode
 
-    On framework this is done in the UEFI setup page for Security, sub-page
-    Secure Boot, choose “Erase all Secure Boot Settings.”
+    ```bash
+    gpg --auto-key-locate clear,wkd -v --locate-external-key pierre@archlinux.org
+    ```
+
+3. Create a bootable ISO
+
+    1. If you are booting into a VM, create an ISO with installation files so you don't have to copy-paste:
+
+        ```bash
+        sudo pacman -S cdrtools
+        mkisofs -r -iso-level 4 -l -o /tmp/arch-files.iso ./arch
+        ```
+
+    2. If you are booting from a live usb, copy the files in ./arch to the usb drive
+
+4. Disable secureboot (reenable later)
 
 ### Boot
 
@@ -79,7 +93,13 @@ Follow most of the instructions here:
     ```
 
 3. `timedatectl` to update system clock
-4. Create disk partitions. Use gdisk or beware "bootctl install is not on a gpt partition table"
+4. If using a VM, mount the iso with arch conf files
+
+    ```bash
+    mount --mkdir /dev/sr1 /media
+    ```
+
+5. Create disk partitions. Use gdisk or beware "bootctl install is not on a gpt partition table"
 
     ```bash
     fdisk -l
@@ -90,22 +110,40 @@ Follow most of the instructions here:
     - t EFI SYSTEM for /boot
     - remaining for /
 
-5. `mkfs.fat -F 32 /dev/vda1` (/mnt/boot partition)
-6. `cryptsetup luksFormat /dev/vda2`
-7. `cryptsetup luksOpen /dev/vda2 root`
-8. `mkfs.btrfs /dev/mapper/root` (root partition)
-9. Mount the root partition with `mount /mnt`
-10. Mount the boot partition with `mount --mkdir /mnt/boot`
-11. `pacstrap -K /mnt base linux linux-firmware`
-12. `genfstab -U /mnt >> /mnt/etc/fstab`
-13. `arch-chroot /mnt`
-14. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime`
-15. `hwclock --systohc`
-16. `echo 'LANG=en_US.UTF-8' > /etc/locale.conf`
-17. `echo 'KEYMAP=us' > /etc/vconsole.conf`
-18. `echo 'hostname' > /etc/hostname`
-19. `pacman -S sudo vim dhclient dhcpcd bash-completion`
-20. Edit /etc/mkinitcpio.conf and set up systemd/sd-encrypt
+6. `mkfs.fat -F 32 /dev/vda1` (/mnt/boot partition)
+7. `cryptsetup luksFormat /dev/vda2`
+8. `cryptsetup luksOpen /dev/vda2 root`
+9. `mkfs.btrfs /dev/mapper/root` (root partition)
+10. At this point you can choose how to subvolume your root partition
+
+    ```bash
+    mount --mkdir -o subvolid=5 /btr_pool
+    btrfs sub create root /btr_pool
+    btrfs sub create home /btr_pool
+    ...
+    ```
+
+11. Mount the root partition with `mount -o subvol=root /dev/mapper/root /mnt`
+12. Mount the boot partition with `mount --mkdir /dev/vda1 /mnt/boot`
+13. If on VM: Mount the conf files with `mount --mkdir /dev/sr1 /mnt/media`
+14. `pacstrap -K /mnt base linux linux-firmware`
+
+    This command might show an error. This is ok, we'll fix it later.
+
+15. `genfstab -U /mnt >> /mnt/etc/fstab`
+16. `arch-chroot /mnt`
+17. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime`
+18. `hwclock --systohc`
+19. `echo 'LANG=en_US.UTF-8' > /etc/locale.conf`
+20. `echo 'KEYMAP=us' > /etc/vconsole.conf`
+21. `echo 'hostname' > /etc/hostname`
+22. `pacman -S sudo vim dhclient dhcpcd bash-completion btrfs-progs`
+
+    - dhclient/dhcpcd provides dhcp for network
+    - bash-completion provides tab complete
+    - btrfs-progs provides fsck for btrfs
+
+23. Edit /etc/mkinitcpio.conf and set up systemd/sd-encrypt
 
     /etc/mkinitcpio.conf
 
@@ -113,8 +151,8 @@ Follow most of the instructions here:
     HOOKS=(systemd autodetect modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)
     ```
 
-21. `mkinitcpio -P`
-22. Install systemd-boot
+24. `mkinitcpio -P`
+25. Install systemd-boot
 
     <https://wiki.archlinux.org/title/systemd-boot>
 
@@ -122,7 +160,10 @@ Follow most of the instructions here:
     bootctl install
     ```
 
-23. edit your loader.conf with some defaults
+    If this raises an error like "efi partition not found" you probably forgot to format
+    /mnt/boot as an EFI partition. Edit this by reformatting it with gdisk (ef00 is the hex code).
+
+26. edit your loader.conf with some defaults
 
     /boot/loader/loader.conf
 
@@ -133,7 +174,7 @@ Follow most of the instructions here:
     editor   no
     ```
 
-24. Create a loader (/usr/share/systemd/bootctl/loader.conf)
+27. Create a loader (/usr/share/systemd/bootctl/loader.conf for example)
 
     /boot/loader/entries/arch.conf
 
@@ -144,7 +185,14 @@ Follow most of the instructions here:
     options quiet splash rd.luks.name=d9828faa-2b8c-4184-9e74-9054ae328c6d=root root=/dev/mapper/root rootflags=subvol=root nvme.noacpi=1 acpi_osi="!Windows 2020" mem_sleep_default="deep" rw
     ```
 
-25. Add a pacman hook for systemd-boot updates
+    You can get the UUID of the disk into arch.conf with some grepping. Use vim to cut
+    the excess and copy it into the correct location.
+
+    ```bash
+    blkid | grep /dev/vda2 >> /boot/loader/entries.conf
+    ```
+
+28. Add a pacman hook for systemd-boot updates
 
     /etc/pacman.d/hooks/95-systemd-boot.hook
 
@@ -160,50 +208,47 @@ Follow most of the instructions here:
     Exec = /usr/bin/systemctl restart systemd-boot-update.service
     ```
 
-26. `useradd ducoterra`
-27. `passwd ducoterra`
-28. `groupadd sudo`
-29. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege
-30. `usermod -aG sudo ducoterra`
-31. `usermod -aG wheel ducoterra`
-32. `mkdir /home/ducoterra`
-33. `chown ducoterra:ducoterra /home/ducoterra`
-34. `vim /etc/locale.gen`
-
-    Uncomment the line:
-
-    en_US.UTF-8 UTF-8
-
-35. `locale-gen`
-36. `exit`
-37. `reboot`
+29. `useradd ducoterra`
+30. `passwd ducoterra`
+31. `groupadd sudo`
+32. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege
+33. `usermod -aG sudo ducoterra`
+34. `usermod -aG wheel ducoterra`
+35. `mkdir /home/ducoterra`
+36. `chown ducoterra:ducoterra /home/ducoterra`
+37. `locale-gen`
+38. `systemctl enable dhclient`
+39. If on VM install guest drivers: `pacman -S qemu-guest-agent spice-vdagent`
+40. `exit`
+41. `reboot`
 
 ### Security
 
 #### Secure Boot
 
-1. `pacman -S efitools`
-2. `cd /root/`
-3. `for var in PK KEK db dbx ; do efi-readvar -v $var -o old_${var}.esl ; done`
-4. `pacman -S sbctl`
+1. Put your machine in setup mode
+
+    On framework this is done in the UEFI setup page for Security, sub-page
+    Secure Boot, choose “Erase all Secure Boot Settings.”
+
+2. `pacman -S efitools sbctl`
+3. `cd /root/`
+4. `for var in PK KEK db dbx ; do efi-readvar -v $var -o old_${var}.esl ; done`
 5. `sbctl create-keys`
 6. `sbctl enroll-keys -m`
 7. `sbctl status`
 8. `sbctl verify`
 9. `sbctl sign -s /boot/vmlinuz-linux`
 10. `sbctl sign -s /boot/EFI/BOOT/BOOTX64.EFI`
-11. `sbctl status`
+11. `sbctl sign -s /boot/EFI/systemd/systemd-bootx64.efi`
+12. `sbctl verify`
+13. `reboot`
+14. Enable secure boot
+15. `sbctl status` to check secure boot
+16. `bootctl` to check boot loader status
 
-Don't forget to enable secure boot. Don't forget to add a trusted boot loader.
 There is a pacman hook which will automatically sign new binaries on update.
 
-#### Firewall
-
-```bash
-sudo pacman -S ufw
-sudo ufw enable
-```
-
 #### TPM2 LUKS Decryption
 
 Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure boot is disabled.
@@ -211,6 +256,13 @@ Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure b
 1. `pacman -S tpm2-tss`
 2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7`
 
+#### Firewall
+
+```bash
+sudo pacman -S ufw
+sudo ufw enable
+```
+
 #### AppArmor
 
 1. `sudo pacman -S apparmor`
@@ -226,6 +278,8 @@ Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure b
     options ...lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1...
     ```
 
+5. `reboot`
+
 #### Firejail
 
 Firejail launches supported applications in a sandboxed environment where it limits access
@@ -240,6 +294,25 @@ For example:
 2. `sudo firecfg`
 3. `firecfg --fix`
 4. `sudo rm /usr/local/bin/dnsmasq` (this fixes an issue with virsh network start)
+5. Add a pacman hook to apply firejail on install
+
+    /etc/pacman.d/hooks/firejail.hook
+
+    ```conf
+    [Trigger]
+    Type = Path
+    Operation = Install
+    Operation = Upgrade
+    Operation = Remove
+    Target = usr/bin/*
+    Target = usr/share/applications/*.desktop
+
+    [Action]
+    Description = Configure symlinks in /usr/local/bin based on firecfg.config...
+    When = PostTransaction
+    Depends = firejail
+    Exec = /bin/sh -c 'firecfg >/dev/null 2>&1'
+    ```
 
 #### Fingerprint Reader Support
 
@@ -333,12 +406,19 @@ runs our script on wake.
 
 Now the status should be correct even after connecting/disconnecting when the computer is off.
 
-## Post Install
+## Desktop Environment
 
 ### Gnome
 
 1. `pacman -S gdm gnome`
-2. `sudo systemctl enable gdm`
+
+    - choose pipewire-jack
+    - choose wireplumber
+    - choose noto-fonts-emoji
+
+2. `sudo systemctl enable --now gdm`
+
+## Hardware Management
 
 ### Hardware Acceleration
 
@@ -415,6 +495,19 @@ HandleLidSwitchDocked=ignore
 ...
 ```
 
+### Bluetooth
+
+1. `sudo pacman -S bluez bluez-utils`
+2. `sudo systemctl enable --now bluetooth`
+
+### Audio
+
+Without pipewire-pulse the audio level/device will reset every reboot.
+
+1. `sudo pacman -S pipewire-pulse` (remove conflicting packages)
+
+## Apps
+
 ### AppImage Support
 
 fuse is required to run most appimages.
@@ -435,16 +528,11 @@ Also chmod +x before running.
     Categories=;
     ```
 
-### Bluetooth
+### Transmission
 
-1. `sudo pacman -S bluez bluez-utils`
-2. `sudo systemctl enable --now bluetooth`
-
-### Audio
-
-Without pipewire-pulse the audio level/device will reset every reboot.
-
-1. `sudo pacman -S pipewire-pulse` (remove conflicting packages)
+```bash
+sudo pacman -S gtk4 transmission-gtk
+```
 
 ### Firefox
 
@@ -454,6 +542,8 @@ You'll want firefox and gnome-browser-connector (for gnome extension management)
 sudo pacman -S firefox gnome-browser-connector
 ```
 
+Choose noto-free-fonts
+
 ### RDP Remote Desktop
 
 1. `sudo pacman -S remmina freerdp`

arch/95-systemd-boot.hook

@@ -0,0 +1,9 @@
+[Trigger]
+Type = Package
+Operation = Upgrade
+Target = systemd
+
+[Action]
+Description = Gracefully upgrading systemd-boot...
+When = PostTransaction
+Exec = /usr/bin/systemctl restart systemd-boot-update.service

arch/arch.conf

@@ -0,0 +1,4 @@
+title       Arch Linux
+linux       /vmlinuz-linux
+initrd      /initramfs-linux.img
+options     quiet splash rd.luks.name=UUID=root root=/dev/mapper/root rootflags=subvol=root nvme.noacpi=1 acpi_osi="!Windows 2020" mem_sleep_default="deep" rw

arch/loader.conf

@@ -0,0 +1,4 @@
+default         arch.conf
+timeout         4
+console-mode    max
+editor          no