diff --git a/arch.md b/arch.md index bd21d58..1c31fd2 100644 --- a/arch.md +++ b/arch.md @@ -13,6 +13,7 @@ - [AppArmor](#apparmor) - [Install Apparmor](#install-apparmor) - [Custom Profiles](#custom-profiles) + - [ClamAV](#clamav) - [Chroots](#chroots) - [Fingerprint Reader Support](#fingerprint-reader-support) - [Setup](#setup) @@ -26,6 +27,7 @@ - [Bluetooth](#bluetooth) - [Audio](#audio) - [Apps](#apps) + - [Podman](#podman) - [AppImage Support](#appimage-support) - [Transmission](#transmission) - [Firefox](#firefox) @@ -142,21 +144,22 @@ Follow most of the instructions here: 16. `arch-chroot /mnt` 17. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime` 18. `hwclock --systohc` -19. `echo 'LANG=en_US.UTF-8' > /etc/locale.conf` +19. `echo 'LANG=en_US.UTF-8' > /etc/locale.gen` 20. `echo 'KEYMAP=us' > /etc/vconsole.conf` 21. `echo 'hostname' > /etc/hostname` -22. `pacman -S sudo vim dhclient dhcpcd bash-completion btrfs-progs` +22. `pacman -S sudo vim dhclient dhcpcd bash-completion btrfs-progs plymouth` - dhclient/dhcpcd provides dhcp for network - bash-completion provides tab complete - btrfs-progs provides fsck for btrfs + - plymouth gives a nice bootloader screen 23. Edit /etc/mkinitcpio.conf and set up systemd/sd-encrypt /etc/mkinitcpio.conf ```conf - HOOKS=(systemd autodetect modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck) + HOOKS=(systemd plymouth autodetect modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck) ``` 24. `mkinitcpio -P` 
@@ -200,7 +203,20 @@ Follow most of the instructions here: blkid | grep /dev/vda2 >> /boot/loader/entries.conf ``` -28. Add a pacman hook for systemd-boot updates +28. `useradd ducoterra` +29. `passwd ducoterra` +30. `groupadd sudo` +31. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege +32. `usermod -aG sudo ducoterra` +33. `usermod -aG wheel ducoterra` +34. `mkdir /home/ducoterra` +35. `chown ducoterra:ducoterra /home/ducoterra` +36. `locale-gen` +37. `systemctl enable dhcpcd` +38. If on VM install guest drivers: `pacman -S qemu-guest-agent spice-vdagent` +39. `exit` +40. `reboot` +41. Add a pacman hook for systemd-boot updates /etc/pacman.d/hooks/95-systemd-boot.hook @@ -216,20 +232,6 @@ Follow most of the instructions here: Exec = /usr/bin/systemctl restart systemd-boot-update.service ``` -29. `useradd ducoterra` -30. `passwd ducoterra` -31. `groupadd sudo` -32. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege -33. `usermod -aG sudo ducoterra` -34. `usermod -aG wheel ducoterra` -35. `mkdir /home/ducoterra` -36. `chown ducoterra:ducoterra /home/ducoterra` -37. `locale-gen` -38. `systemctl enable dhclient` -39. If on VM install guest drivers: `pacman -S qemu-guest-agent spice-vdagent` -40. `exit` -41. `reboot` - ### Security #### Secure Boot @@ -354,6 +356,14 @@ Access Modes k - lock ``` +#### ClamAV + +1. `sudo pacman -S clamav` +2. `sudo freshclam` +3. `sudo systemctl enable --now clamav-freshclam.service` +4. `sudo systemctl enable --now clamav-daemon.service` +5. `clamdscan --multiscan --fdpass /home/ducoterra` + #### Chroots You can create chroot environments to run firejails or just use for testing purposes. 
@@ -558,6 +568,12 @@ Without pipewire-pulse the audio level/device will reset every reboot. ## Apps +### Podman + +1. `sudo pacman -S podman cni-plugins slirp4netns` +2. `podman pull docker.io/debian:latest` +3. `podman run -it debian:latest bash` + ### AppImage Support fuse is required to run most appimages. @@ -605,7 +621,6 @@ Choose noto-free-fonts ```bash sudo pacman -S qemu-full libvirt iptables-nft dnsmasq virt-manager qemu-desktop swtpm sudo usermod -aG libvirt ducoterra - sudo virsh net-autostart default ``` 2. Edit /etc/libvirt/libvirtd.conf @@ -618,7 +633,7 @@ Choose noto-free-fonts ... ``` -3. Edit /etc/libvirt/qemu.**conf** +3. Edit /etc/libvirt/qemu.conf ```conf # Some examples of valid values are: @@ -634,7 +649,8 @@ Choose noto-free-fonts group = "ducoterra" ``` -4. `systemctl enable --now libvirtd` +4. `sudo systemctl enable --now libvirtd` +5. `sudo virsh net-autostart default` If you get a blank screen when launching a VM check that you've used the correct bios - either secboot or not secboot. This is the most common problem. diff --git a/objectives.md b/objectives.md new file mode 100644 index 0000000..ae774de --- /dev/null +++ b/objectives.md 
@@ -0,0 +1,69 @@ +# Objectives + +1. To have a secure, private workstation with protection from: + 1. accidental deletion + 2. loss + 3. theft + 4. remote attacks + 5. software exploits + 6. malware + +2. To have a secure gaming machine with emphasis on performance + +3. To have a secure, private storage server with protection from: + 1. accidental deletion + 2. theft + 3. remote attacks + 4. software exploits + 5. malware + +4. To have a secure, private hosting solution with emphasis on: + 1. reliability + 2. ease-of-backup + 3. ease-of-restore + +## Workstation + + + +It will use Arch linux. + +It must support podman and qemu/kvm. + +It will use the standard linux kernel. + +1. accidental deletion + + - BTRFS with snapshots + +2. loss + + - BTRFS with backups + +3. theft + + - luks encryption with tpm2 decryption + secure boot + +4. remote attacks + + - UFW firewall + +5. software exploits + + - apparmor with custom profiles + +6. malware + + - ClamAV with periodic scans + +## Gaming + +Arch will be used as the starting point with the default linux kernel. + +## Storage + +Truenas will handle storage with encrypted partitions. + +## Hosting + +K3S installed on Arch will be the hosting solution starting point.
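Review bot: step 19 in the `@@ -142,21 +144,22 @@` hunk now writes `LANG=en_US.UTF-8` into `/etc/locale.gen`, which is the wrong file. `/etc/locale.conf` is where `LANG=` belongs; `/etc/locale.gen` is the list of locales to build (lines like `en_US.UTF-8 UTF-8`) and is what `locale-gen` in step 36 reads. Overwriting it with a `LANG=` line leaves `locale-gen` with nothing valid to generate and the booted system with no `LANG` set. Keep the original `echo 'LANG=en_US.UTF-8' > /etc/locale.conf` and add a separate step before `locale-gen`, for example `echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen`. Minor: plymouth is a boot splash rather than a "bootloader screen", and it only shows when `splash` (and normally `quiet`) is on the kernel command line of the systemd-boot entry; this hunk adds the hook but not the kernel parameter.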
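Review bot: in the `@@ -200,7 +203,20 @@` hunk, steps 39 and 40 (`exit`, `reboot`) now come before step 41 (the systemd-boot pacman hook), so the hook file is created on the booted system as the new user and needs `sudo`, which the step does not say; either move step 41 back inside the chroot before `exit`, or state that it is run with `sudo` after first login. Two smaller points: step 31 should edit sudoers with `EDITOR=vim visudo` rather than directly, since visudo validates the syntax and a broken `/etc/sudoers` locks the new user out of sudo; and `useradd -m ducoterra` would create the home directory with the right ownership and `/etc/skel` contents, replacing steps 34 and 35. Only one of the `sudo`/`wheel` groups is needed, as both sudoers lines grant the same privilege. The switch from `systemctl enable dhclient` to `dhcpcd` is correct; there is no `dhclient.service`.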
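Review bot: the ClamAV section in the `@@ -354,6 +356,14 @@` hunk runs `clamdscan` once by hand, while objectives.md in this same commit promises "ClamAV with periodic scans"; add a systemd timer or cron entry that runs `clamdscan --multiscan --fdpass --infected --log=/var/log/clamav/home.log /home/ducoterra` on a schedule, and decide what happens on a hit, since by default clamdscan only reports (`--move=DIR` to a quarantine directory, or `--remove`). Running `sudo freshclam` before enabling `clamav-daemon.service` is the right order, because clamd will not start without a signature database; worth a one-line comment so nobody reorders it.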
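Review bot: the Podman section in the `@@ -558,6 +568,12 @@` hunk is missing the subuid/subgid setup that rootless podman needs: Arch does not create `/etc/subuid` and `/etc/subgid` entries on install, so step 3 as the `ducoterra` user fails with a "no subuid ranges" error. Add `sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 ducoterra` before the first `podman run` (and `podman system migrate` if podman was already used). Also, `cni-plugins` is the legacy network backend; podman 4 and later default to netavark with aardvark-dns, so either install those instead or check which backend is active with `podman info | grep -i networkBackend`.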
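Review bot: in the `@@ -634,7 +649,8 @@` hunk, `sudo virsh net-autostart default` only marks the network to start on future daemon starts; on this session it still needs `sudo virsh net-start default` (or a reboot) before a VM can attach to it, so add that as step 6 or fold it into step 5. Moving the command after `systemctl enable --now libvirtd` is correct, since virsh needs the daemon socket. Separately, the unchanged context lines show qemu.conf set to `group = "ducoterra"`; running every QEMU process under the login user's group gives up the isolation libvirt provides by default (a dedicated unprivileged account per VM), so the doc should say why it is needed here, or point at keeping images under `/var/lib/libvirt/images` so the default can stay.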
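Review bot: in the new objectives.md, "loss" is answered with "BTRFS with backups" and "accidental deletion" with "BTRFS with snapshots", but snapshots on the same filesystem only cover deletion, not loss; say where the backups go (for example `btrfs send | btrfs receive` to another disk or to the storage server in objective 3) and how often. For "theft", "luks encryption with tpm2 decryption + secure boot" means a stolen machine boots to the login prompt with the volume already unlocked, so theft protection then rests on the login screen and on the measured boot chain; state which PCRs the enrollment is bound to, and consider `systemd-cryptenroll --tpm2-with-pin=yes` so possession of the hardware alone is not enough. The UFW, snapshot and TPM2 items also have no matching section in the arch.md hunks of this commit, so either they exist elsewhere in arch.md or this file should mark them as still to be written.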