add objectives, podman, clamav, and other fixes

arch.md

@@ -13,6 +13,7 @@
       - [AppArmor](#apparmor)
         - [Install Apparmor](#install-apparmor)
         - [Custom Profiles](#custom-profiles)
+      - [ClamAV](#clamav)
       - [Chroots](#chroots)
       - [Fingerprint Reader Support](#fingerprint-reader-support)
         - [Setup](#setup)
@@ -26,6 +27,7 @@
     - [Bluetooth](#bluetooth)
     - [Audio](#audio)
   - [Apps](#apps)
+    - [Podman](#podman)
     - [AppImage Support](#appimage-support)
     - [Transmission](#transmission)
     - [Firefox](#firefox)
@@ -142,21 +144,22 @@ Follow most of the instructions here:
 16. `arch-chroot /mnt`
 17. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime`
 18. `hwclock --systohc`
-19. `echo 'LANG=en_US.UTF-8' > /etc/locale.conf`
+19. `echo 'LANG=en_US.UTF-8' > /etc/locale.gen`
 20. `echo 'KEYMAP=us' > /etc/vconsole.conf`
 21. `echo 'hostname' > /etc/hostname`
-22. `pacman -S sudo vim dhclient dhcpcd bash-completion btrfs-progs`
+22. `pacman -S sudo vim dhclient dhcpcd bash-completion btrfs-progs plymouth`
 
     - dhclient/dhcpcd provides dhcp for network
     - bash-completion provides tab complete
     - btrfs-progs provides fsck for btrfs
+    - plymouth gives a nice bootloader screen
 
 23. Edit /etc/mkinitcpio.conf and set up systemd/sd-encrypt
 
     /etc/mkinitcpio.conf
 
     ```conf
-    HOOKS=(systemd autodetect modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)
+    HOOKS=(systemd plymouth autodetect modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)
     ```
 
 24. `mkinitcpio -P`
@@ -200,7 +203,20 @@ Follow most of the instructions here:
     blkid | grep /dev/vda2 >> /boot/loader/entries.conf
     ```
 
-28. Add a pacman hook for systemd-boot updates
+28. `useradd ducoterra`
+29. `passwd ducoterra`
+30. `groupadd sudo`
+31. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege
+32. `usermod -aG sudo ducoterra`
+33. `usermod -aG wheel ducoterra`
+34. `mkdir /home/ducoterra`
+35. `chown ducoterra:ducoterra /home/ducoterra`
+36. `locale-gen`
+37. `systemctl enable dhcpcd`
+38. If on VM install guest drivers: `pacman -S qemu-guest-agent spice-vdagent`
+39. `exit`
+40. `reboot`
+41. Add a pacman hook for systemd-boot updates
 
     /etc/pacman.d/hooks/95-systemd-boot.hook
 
@@ -216,20 +232,6 @@ Follow most of the instructions here:
     Exec = /usr/bin/systemctl restart systemd-boot-update.service
     ```
 
-29. `useradd ducoterra`
-30. `passwd ducoterra`
-31. `groupadd sudo`
-32. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege
-33. `usermod -aG sudo ducoterra`
-34. `usermod -aG wheel ducoterra`
-35. `mkdir /home/ducoterra`
-36. `chown ducoterra:ducoterra /home/ducoterra`
-37. `locale-gen`
-38. `systemctl enable dhclient`
-39. If on VM install guest drivers: `pacman -S qemu-guest-agent spice-vdagent`
-40. `exit`
-41. `reboot`
-
 ### Security
 
 #### Secure Boot
@@ -354,6 +356,14 @@ Access Modes
     k       - lock
 ```
 
+#### ClamAV
+
+1. `sudo pacman -S clamav`
+2. `sudo freshclam`
+3. `sudo systemctl enable --now clamav-freshclam.service`
+4. `sudo systemctl enable --now clamav-daemon.service`
+5. `clamdscan --multiscan --fdpass /home/ducoterra`
+
 #### Chroots
 
 You can create chroot environments to run firejails or just use for testing purposes.
@@ -558,6 +568,12 @@ Without pipewire-pulse the audio level/device will reset every reboot.
 
 ## Apps
 
+### Podman
+
+1. `sudo pacman -S podman cni-plugins slirp4netns`
+2. `podman pull docker.io/debian:latest`
+3. `podman run -it debian:latest bash`
+
 ### AppImage Support
 
 fuse is required to run most appimages.
@@ -605,7 +621,6 @@ Choose noto-free-fonts
     ```bash
     sudo pacman -S qemu-full libvirt iptables-nft dnsmasq virt-manager qemu-desktop swtpm
     sudo usermod -aG libvirt ducoterra
-    sudo virsh net-autostart default
     ```
 
 2. Edit /etc/libvirt/libvirtd.conf
@@ -618,7 +633,7 @@ Choose noto-free-fonts
     ...
     ```
 
-3. Edit /etc/libvirt/qemu.**conf**
+3. Edit /etc/libvirt/qemu.conf
 
     ```conf
     # Some examples of valid values are:
@@ -634,7 +649,8 @@ Choose noto-free-fonts
     group = "ducoterra"
     ```
 
-4. `systemctl enable --now libvirtd`
+4. `sudo systemctl enable --now libvirtd`
+5. `sudo virsh net-autostart default`
 
 If you get a blank screen when launching a VM check that you've used the correct bios -
 either secboot or not secboot. This is the most common problem.

objectives.md

@@ -0,0 +1,69 @@
+# Objectives
+
+1. To have a secure, private workstation with protection from:
+   1. accidental deletion
+   2. loss
+   3. theft
+   4. remote attacks
+   5. software exploits
+   6. malware
+
+2. To have a secure gaming machine with emphasis on performance
+
+3. To have a secure, private storage server with protection from:
+   1. accidental deletion
+   2. theft
+   3. remote attacks
+   4. software exploits
+   5. malware
+
+4. To have a secure, private hosting solution with emphasis on:
+   1. reliability
+   2. ease-of-backup
+   3. ease-of-restore
+
+## Workstation
+
+<https://wiki.archlinux.org/title/security>
+
+It will use Arch linux.
+
+It must support podman and qemu/kvm.
+
+It will use the standard linux kernel.
+
+1. accidental deletion
+
+    - BTRFS with snapshots
+
+2. loss
+
+    - BTRFS with backups
+
+3. theft
+
+    - luks encryption with tpm2 decryption + secure boot
+
+4. remote attacks
+
+    - UFW firewall
+
+5. software exploits
+
+    - apparmor with custom profiles
+
+6. malware
+
+    - ClamAV with periodic scans
+
+## Gaming
+
+Arch will be used as the starting point with the default linux kernel.
+
+## Storage
+
+Truenas will handle storage with encrypted partitions.
+
+## Hosting
+
+K3S installed on Arch will be the hosting solution starting point.