# Arch with Gnome

- [Arch with Gnome](#arch-with-gnome)
  - [Installation](#installation)
  - [Post Install](#post-install)
    - [Locale](#locale)
    - [Hardware Acceleration](#hardware-acceleration)
    - [Firewall](#firewall)
    - [Power Management](#power-management)
    - [TPM2 LUKS Decryption](#tpm2-luks-decryption)
    - [Don't sleep while plugged in](#dont-sleep-while-plugged-in)
    - [Fingerprint Reader Support](#fingerprint-reader-support)
      - [Setup](#setup)
      - [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed)
    - [AppArmor](#apparmor)
    - [Firejail](#firejail)
    - [AppImage Support](#appimage-support)
    - [Bluetooth](#bluetooth)
    - [Audio](#audio)
    - [Firefox](#firefox)
    - [RDP Remote Desktop](#rdp-remote-desktop)
    - [Virtualization](#virtualization)
    - [CUPS Printing](#cups-printing)
    - [Steam](#steam)
    - [XWayland](#xwayland)
    - [Wireguard](#wireguard)
    - [btrbk](#btrbk)
      - [Snapshots](#snapshots)
      - [Backups](#backups)
    - [ISCSI](#iscsi)
      - [Backing up a snapshot](#backing-up-a-snapshot)
    - [VSCode](#vscode)
  - [Apps](#apps)
  - [Bashrc](#bashrc)
  - [Unnecessary](#unnecessary)
    - [Plymouth Background Image](#plymouth-background-image)
  - [Help](#help)
    - [Update Grub](#update-grub)
    - [Downgrading Kernel](#downgrading-kernel)

## Installation

Follow most of the instructions here:

1. Download Arch
2. Verify the image (check the signature, not just the checksum)
3. Write the ISO to a bootable USB stick
4. Disable Secure Boot (it is re-enabled at the end, with your own keys)
5. Put your machine in Setup Mode so the custom keys created below can be enrolled.
    On Framework this is done in the UEFI setup page for Security, sub-page Secure Boot, choose "Erase all Secure Boot Settings."
6. Boot into the live image
7. Check for network connectivity

    ```bash
    # Check for internet
    ip a
    ping archlinux.org
    ```

8. `timedatectl` to update the system clock
9. Create disk partitions. Use gdisk so the table is GPT; on an MBR table `bootctl install` later fails with "is not on a GPT partition table".

    ```bash
    fdisk -l
    gdisk /dev/vda
    ```

    - +1G for /boot
    - partition type EFI System for /boot
    - remaining for /

10. `mkfs.fat -F 32 /dev/vda1` (the /boot partition)
11. `cryptsetup luksFormat /dev/vda2`
12. `cryptsetup luksOpen /dev/vda2 root`
13. `mkfs.btrfs /dev/mapper/root` (root partition)
14. Mount the root partition with `mount /dev/mapper/root /mnt`.
    The loader entry in step 29 boots with `rootflags=subvol=root`, and the btrbk section later snapshots `root` and `home` as separate subvolumes, so create those subvolumes on the top-level volume first (`btrfs subvolume create /mnt/root`, `btrfs subvolume create /mnt/home`), then remount with `-o subvol=root` for `/mnt` and `-o subvol=home` for `/mnt/home` before continuing.
15. Mount the boot partition with `mount --mkdir /dev/vda1 /mnt/boot`
16. `pacstrap -K /mnt base linux linux-firmware`
    Note: linux-zen works, linux-hardened breaks AppImages
17. `genfstab -U /mnt >> /mnt/etc/fstab`
18. `arch-chroot /mnt`
19. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime`
20. `hwclock --systohc`
21. `echo 'LANG=en_US.UTF-8' > /etc/locale.conf`
22. `echo 'KEYMAP=us' > /etc/vconsole.conf`
23. `echo 'hostname' > /etc/hostname`
24. `pacman -S sudo vim gdm gnome dhclient dhcpcd bash-completion tpm2-tss btrfs-progs`
25. Edit /etc/mkinitcpio.conf and use the systemd hooks with `sd-encrypt` (the `encrypt` hook cannot use the TPM enrollment set up later)

    ```conf
    HOOKS=(systemd autodetect modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)
    ```

26. `mkinitcpio -P`
27. Install systemd-boot (https://wiki.archlinux.org/title/systemd-boot)

    ```bash
    bootctl install
    ```

28. Edit /boot/loader/loader.conf with some defaults. `editor no` is the important one: with the editor enabled, anyone at the console can append `init=/bin/bash` to the kernel command line and bypass the login.

    ```conf
    default arch.conf
    timeout 4
    console-mode max
    editor no
    ```

29. Create a loader entry at /boot/loader/entries/arch.conf (there is a template in /usr/share/systemd/bootctl/). The UUID in `rd.luks.name` is the UUID of the LUKS partition (`blkid /dev/vda2`), not of the mapped device.

    ```conf
    title Arch Linux
    linux /vmlinuz-linux
    initrd /initramfs-linux.img
    options quiet splash rd.luks.name=d9828faa-2b8c-4184-9e74-9054ae328c6d=root root=/dev/mapper/root rootflags=subvol=root nvme.noacpi=1 acpi_osi="!Windows 2020" mem_sleep_default="deep" rw
    ```

    `nvme.noacpi=1`, `acpi_osi="!Windows 2020"` and `mem_sleep_default="deep"` are sleep/power workarounds for the Framework laptop; leave them out on other hardware.

30. Add a pacman hook so systemd-boot itself is updated when systemd is, at /etc/pacman.d/hooks/95-systemd-boot.hook

    ```conf
    [Trigger]
    Type = Package
    Operation = Upgrade
    Target = systemd

    [Action]
    Description = Gracefully upgrading systemd-boot...
    When = PostTransaction
    Exec = /usr/bin/systemctl restart systemd-boot-update.service
    ```

31. `cd /root/`
32. `pacman -S efitools`
33. `for var in PK KEK db dbx ; do efi-readvar -v $var -o old_${var}.esl ; done` (saves the factory Secure Boot variables so they can be restored later)
34. `pacman -S sbctl`
35. `sbctl create-keys`
36. `sbctl enroll-keys -m` (`-m` also enrolls Microsoft's certificates, so signed option ROMs such as GPU and NIC firmware keep loading; this step needs the Setup Mode from step 5)
37. `sbctl status`
38. `sbctl verify` (lists every EFI binary on /boot and whether it is signed)
39. `sbctl sign -s /boot/vmlinuz-linux`
40. `sbctl sign -s /boot/EFI/BOOT/BOOTX64.EFI`
    `bootctl install` writes the same loader to /boot/EFI/systemd/systemd-bootx64.efi, which is what the NVRAM "Linux Boot Manager" entry points at, so sign that too; in general, sign whatever `sbctl verify` still lists as unsigned. `-s` records the file in sbctl's database so it is re-signed on every update.
41. `sbctl status`
42. `systemctl enable gdm`
43. `useradd ducoterra`
44. `passwd ducoterra`
45. `groupadd sudo`
46. Edit /etc/sudoers (with `visudo`) and uncomment the lines granting the `sudo` and `wheel` groups privileges
47. `usermod -aG sudo ducoterra`
48. `usermod -aG wheel ducoterra`
49. `mkdir /home/ducoterra`
50. `chown ducoterra:ducoterra /home/ducoterra`
51. `exit`
52. `reboot`

Don't forget to re-enable Secure Boot in firmware setup, and, if the firmware asks for one, add the signed loader as a trusted boot loader. sbctl installs a pacman hook which automatically re-signs the kernel and every binary in its database on update, so a kernel upgrade does not leave you with an unsigned `vmlinuz-linux`.

## Post Install

### Locale

Set up locale with correct information (required for certain binaries like minecraft-launcher)

1. `sudo vim /etc/locale.gen` and uncomment the line: `en_US.UTF-8 UTF-8`
2. `sudo locale-gen`

### Hardware Acceleration

(This helps enable hardware encoding/decoding for Steam streaming)

Intel

```bash
sudo pacman -S libva-utils intel-media-driver vainfo
```

AMD

```bash
sudo pacman -S vulkan-radeon libva-utils libva-mesa-driver xf86-video-amdgpu
```

### Firewall

```bash
sudo pacman -S ufw
sudo ufw enable
sudo systemctl enable ufw
```

`ufw enable` turns the firewall on now; enabling the unit makes it come back after a reboot. The defaults are deny incoming, allow outgoing; check with `sudo ufw status verbose`.

### Power Management

1. For laptops install `tlp`

    ```bash
    sudo pacman -S tlp tlp-rdw
    sudo systemctl enable --now tlp
    sudo systemctl mask systemd-rfkill.service
    sudo systemctl mask systemd-rfkill.socket
    ```

2. Then configure it with the following settings (optional) in /etc/tlp.conf

    ```conf
    # I've seen some issues with usb autosuspend
    USB_AUTOSUSPEND=0

    # Restore bluetooth/wifi state on reboot
    # Otherwise it defaults to on
    RESTORE_DEVICE_STATE_ON_STARTUP=1

    # Disable wifi when plugged in
    # You might not want this for continuity - eg. you're copying a file to a network
    # share over wifi - plugging in will cancel the copy with this option enabled.
    DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan"

    # Re-enable wifi when unplugged.
    DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="wifi wwan"
    ```

3. For desktops install cpupower

    ```bash
    sudo pacman -S cpupower
    sudo systemctl enable --now cpupower
    ```

    Temporarily set the governor with `cpupower frequency-set -g performance`, or make it permanent in /etc/default/cpupower

    ```conf
    governor='performance'
    ```

### TPM2 LUKS Decryption

Using `--tpm2-pcrs=7` binds the key to the Secure Boot state (enabled, and which certificates are enrolled), so the TPM refuses to release it and you fall back to the password if Secure Boot is disabled or the keys are swapped.

1. `tpm2-tss` was already installed in step 24; otherwise `sudo pacman -S tpm2-tss`
2. `sudo systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7`
3. Tell the initramfs to try the TPM before prompting: add `rd.luks.options=tpm2-device=auto` to the `options` line in /boot/loader/entries/arch.conf (the `sd-encrypt` hook reads it; the password keyslot stays as a fallback)

Caveat: PCR 7 measures only the Secure Boot policy, not the kernel or the initramfs. /boot is unencrypted and the initramfs is not signed, so someone with the disk can swap in a modified initramfs, boot the signed kernel, and have the TPM hand over the key. If that is in your threat model, enroll with `--tpm2-with-pin=yes` as well, or additionally bind to the measured boot chain (a unified kernel image measured into PCR 11), at the cost of re-enrolling when those measurements change.

### Don't sleep while plugged in

This is needed for the Framework 13 (11th gen) since sleeping while plugged in to a dock will prevent it from waking up.

/etc/systemd/logind.conf

```conf
...
HandleLidSwitchExternalPower=lock
HandleLidSwitchDocked=ignore
...
```

### Fingerprint Reader Support

#### Setup

1. `sudo pacman -S fprintd`
2. `sudo systemctl enable --now fprintd`
3. Enable fingerprint authentication for sudo. The line must come before the `system-auth` include: then the fingerprint is asked for first, and pressing Enter at the fingerprint prompt falls back to the password (placed after the include it never runs, because a failed password ends the stack). Note that `sufficient` means a fingerprint alone is enough to become root.

    /etc/pam.d/sudo

    ```conf
    # fingerprint auth
    auth sufficient pam_fprintd.so
    auth include system-auth
    ```

#### Turn Off Fingerprint When Laptop Lid Closed

To disable fingerprint authentication when the laptop lid is closed, and re-enable it when it is reopened, we will use acpid to bind the button/lid.* event to a custom script that comments out the fprintd line in /etc/pam.d/sudo. Usually we'd just `systemctl mask fprintd` but this breaks gdm (as of 08/06/23).

1. `pacman -S acpid` and then `systemctl enable --now acpid`
2. Create file /etc/acpi/laptop-lid.sh with the following contents. The lid device is not always called `LID0`; check `ls /proc/acpi/button/lid/` and adjust the path.

    ```bash
    #!/bin/bash
    # The commented-out "&&" clause can be used to only disable the reader when
    # an external display is connected. For USB-C DisplayPort use:
    #   grep -Fxq connected /sys/class/drm/card1-DP-2/status
    # For HDMI use:
    #   grep -Fxq connected /sys/class/drm/card0-HDMI-A-1/status
    if grep -Fq closed /proc/acpi/button/lid/LID0/state # && grep -Fxq connected /sys/class/drm/card1-DP-2/status
    then
        # comment out fprintd
        sed -i -E 's/^([^#].*pam_fprintd.so)/#\1/g' /etc/pam.d/sudo
    else
        # uncomment fprintd
        sed -i -E 's/#(.*pam_fprintd.so)/\1/g' /etc/pam.d/sudo
    fi
    ```

3. Make the file executable with `chmod +x /etc/acpi/laptop-lid.sh`
4. Create file /etc/acpi/events/laptop-lid with the following contents:

    ```conf
    event=button/lid.*
    action=/etc/acpi/laptop-lid.sh
    ```

5. Restart the acpid service with: `systemctl restart acpid`

Now the fingerprint will be used only when the lid is open.

acpid only sees lid events while the system is awake, so to ensure the correct state after suspend we need a service file which runs our script on wake.

1. Create a file named /etc/systemd/system/laptop-lid.service with the following contents:

    ```conf
    [Unit]
    Description=Laptop Lid
    After=suspend.target

    [Service]
    Type=oneshot
    ExecStart=/etc/acpi/laptop-lid.sh

    [Install]
    WantedBy=multi-user.target
    WantedBy=suspend.target
    ```

2. Reload the systemd config files with `sudo systemctl daemon-reload`
3. Start and enable the service with `sudo systemctl enable --now laptop-lid.service`

Now the status should be correct even after connecting/disconnecting while the computer is off or asleep.

### AppArmor

1. `sudo pacman -S apparmor audit`
2. `sudo systemctl enable --now apparmor`
3. `sudo systemctl enable --now auditd`
4. Add the kernel parameters that put AppArmor in the LSM list and turn on auditing, in /boot/loader/entries/arch.conf

    ```conf
    title Arch Linux
    ...
    options ...lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1...
    ```

    After a reboot, `aa-status` should report the loaded profiles.

### Firejail

Firejail launches supported applications in a sandboxed environment where it limits access to system files and resources. For example:

- Firefox will not be able to access more than a small subset of your home directory.
- VSCode will not be able to access ~/.config/autostart.

1. `sudo pacman -S firejail`
2. `sudo firecfg` (creates symlinks in /usr/local/bin so supported programs start under firejail)
3. `firecfg --fix` (as your user; repairs the .desktop files in ~/.local/share/applications that bypass the symlinks)

### AppImage Support

FUSE is required to run most AppImages (the package is `fuse2`; AppImages use the FUSE 2 ABI). Also `chmod +x` the file before running it.

1. `sudo pacman -S fuse2`
2. `cp ~/Downloads/xxxxxxx.appimage ~/Applications`
3. Write a .desktop entry at ~/.local/share/applications/

    ```conf
    [Desktop Entry]
    Encoding=UTF-8
    Name=
    Exec=/home/ducoterra/Applications/
    Icon=/home/ducoterra/Applications/
    Type=Application
    Categories=;
    ```

### Bluetooth

1. `sudo pacman -S bluez bluez-utils`
2. `sudo systemctl enable --now bluetooth`

### Audio

Without pipewire-pulse the audio level/device will reset every reboot.

1. `sudo pacman -S pipewire-pulse` (remove conflicting packages such as pulseaudio when prompted)

### Firefox

You'll want firefox and gnome-browser-connector (for GNOME extension management from the browser).

```bash
sudo pacman -S firefox gnome-browser-connector
```

### RDP Remote Desktop

1. `sudo pacman -S remmina freerdp`

### Virtualization

1. Install virtualization capabilities

    ```bash
    sudo pacman -S qemu-full libvirt iptables-nft dnsmasq virt-manager qemu-desktop swtpm
    sudo usermod -aG libvirt ducoterra
    ```

2. Edit /etc/libvirt/libvirtd.conf so members of the `libvirt` group can use the system socket

    ```conf
    ...
    unix_sock_group = 'libvirt'
    ...
    unix_sock_rw_perms = '0770'
    ...
    ```

3. Edit /etc/libvirt/qemu.conf

    ```conf
    # Some examples of valid values are:
    #
    #       user = "qemu"   # A user named "qemu"
    #       user = "+0"     # Super user (uid=0)
    #       user = "100"    # A user named "100" or a user with uid=100
    #
    # user = "ducoterra"

    # The group for QEMU processes run by the system instance. It can be
    # specified in a similar way to user.
    group = "ducoterra"
    ```

    Caveat: QEMU processes of the system instance normally run as the unprivileged `qemu` user. Running them under your own user or group gives every guest the same access to your files that you have, so only change this if a VM genuinely needs it.

4. `sudo systemctl enable --now libvirtd`
5. `sudo virsh net-autostart default` (needs libvirtd running, so it comes after step 4)

If you get a blank screen when launching a VM check that you've used the correct firmware image: OVMF with or without Secure Boot (the `secboot` variant) must match what the guest expects. This is the most common problem.

**Arch Guests**

In order to get drivers for SPICE you'll need the guest agent and SPICE agent inside the guest:

```bash
sudo pacman -S qemu-guest-agent spice-vdagent
```

### CUPS Printing

1. `sudo pacman -S cups cups-pdf avahi nss-mdns` (`nss-mdns` provides the `mdns_minimal` resolver used below)
2. `sudo vim /etc/nsswitch.conf`

    ```conf
    hosts: mymachines mdns_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
    ```

3. `sudo systemctl enable --now cups`
4. `sudo systemctl enable --now avahi-daemon`

### Steam

Enable the multilib repository in /etc/pacman.conf

```conf
[multilib]
Include = /etc/pacman.d/mirrorlist
```

```bash
sudo pacman -S steam steam-native
```

When prompted for a Vulkan driver on AMD, use vulkan-radeon.

`steam-native` allows VA-API hardware encoding for Steam Remote Play.
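The lid hook in the Fingerprint Reader section edits /etc/pam.d/sudo in place with `sed -i` and hard-codes the `LID0` device. The script below is an added example, not code from the original page, of the same hook written more defensively: it finds the lid device by glob, writes the PAM file atomically via rename, and refuses to install a result that has lost its `auth include system-auth` line (a mangled sudo PAM file locks every user out of sudo). It only touches the system when invoked with `apply`, so the functions can be sourced and tested against a scratch file; the `PAM_FILE` variable and the `apply` argument are this example's own conventions, not acpid's.

```shell
#!/bin/sh
# Added example: defensive variant of the acpid lid hook for toggling
# pam_fprintd in /etc/pam.d/sudo. Not from the original page.
set -eu

# Target file; override (PAM_FILE=/tmp/x ./laptop-lid.sh apply) when testing.
PAM_FILE="${PAM_FILE:-/etc/pam.d/sudo}"

# Exit 0 if any lid device reports "closed". The device name varies between
# firmwares (LID, LID0, ...), so glob instead of hard-coding it.
lid_closed() {
  for state in /proc/acpi/button/lid/*/state; do
    [ -r "$state" ] || continue
    if grep -Fq closed "$state"; then return 0; fi
  done
  return 1
}

# Print "on" if an active (uncommented) pam_fprintd auth line exists, else "off".
fprintd_state() {
  if grep -Eq '^[[:space:]]*auth[[:space:]].*pam_fprintd\.so' "$1"; then
    echo on
  else
    echo off
  fi
}

# set_fprintd FILE on|off : comment out or restore the pam_fprintd auth line.
# Idempotent: running "off" twice does not add a second "#".
set_fprintd() {
  file=$1
  mode=$2
  tmp=$(mktemp "$file.XXXXXX")
  case $mode in
    off) sed -E 's/^([[:space:]]*auth[[:space:]].*pam_fprintd\.so)/#\1/' "$file" > "$tmp" ;;
    on)  sed -E 's/^#+[[:space:]]*(auth[[:space:]].*pam_fprintd\.so)/\1/' "$file" > "$tmp" ;;
    *)   rm -f "$tmp"; echo "usage: set_fprintd FILE on|off" >&2; return 2 ;;
  esac
  # Sanity check: never install a sudo PAM stack without the system-auth include,
  # otherwise a bad edit leaves sudo unusable for everyone.
  if ! grep -Eq '^[[:space:]]*auth[[:space:]]+include[[:space:]]+system-auth' "$tmp"; then
    rm -f "$tmp"
    echo "refusing to write $file: system-auth include missing" >&2
    return 3
  fi
  chmod 0644 "$tmp"
  mv -f "$tmp" "$file"   # rename is atomic: sudo never reads a half-written file
}

if [ "${1:-}" = apply ]; then
  if lid_closed; then
    set_fprintd "$PAM_FILE" off
  else
    set_fprintd "$PAM_FILE" on
  fi
  logger -t laptop-lid "pam_fprintd for sudo: $(fprintd_state "$PAM_FILE")"
fi
```

To use it in place of the page's script, install it as /etc/acpi/laptop-lid.sh and change both the acpid event's `action=` line and the service's `ExecStart=` to `/etc/acpi/laptop-lid.sh apply`; the external-display check from the original can be added to `lid_closed` in the same way.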
### XWayland

Provides compatibility with X server applications (like wine)

1. `sudo pacman -S xorg-xwayland`

### Wireguard

WireGuard has been in the mainline kernel since 5.6, so with `linux`, `linux-zen` or `linux-hardened` only the userspace tools are needed; `linux-headers` is only required for out-of-tree (DKMS) modules. If the VPN won't activate, check `modprobe wireguard` and `journalctl -u wg-quick@<name>` first.

1. `sudo pacman -S wireguard-tools`

### btrbk

#### Snapshots

1. Grab the btrbk binary from the GitHub repo and copy it to /usr/local/bin/btrbk (btrbk is also packaged in the Arch `extra` repository as `btrbk`, which installs it as /usr/bin/btrbk; adjust the `ExecStart` paths below if you use that).
2. Create a snapshot config at /etc/btrbk/snapshots.conf. `/mnt/btr_pool` must be the top level of the root filesystem (mounted with `subvolid=5`), so that `root`, `home` and the other subvolumes appear as directories under it.

    ```conf
    snapshot_preserve_min 24h
    snapshot_preserve 14d

    volume /mnt/btr_pool
      subvolume root
        snapshot_dir .snapshots

    volume /mnt/btr_pool
      subvolume home
        snapshot_dir .snapshots

    volume /mnt/btr_pool
      subvolume libvirt
        snapshot_dir .snapshots

    volume /mnt/btr_pool
      subvolume nextcloud
        snapshot_dir .snapshots
    ```

3. Then create a snapshot service at /etc/systemd/system/btrbk_snapshots.service

    ```conf
    [Unit]
    Description=Runs btrbk with config file at /etc/btrbk/snapshots.conf

    [Service]
    ExecStart=/usr/local/bin/btrbk -c /etc/btrbk/snapshots.conf -v run
    ```

4. Then create a timer for the service at /etc/systemd/system/btrbk_snapshots.timer

    ```conf
    [Unit]
    Description=Run snapshots every hour

    [Timer]
    OnCalendar=hourly
    AccuracySec=10min
    Persistent=true
    Unit=btrbk_snapshots.service

    [Install]
    WantedBy=timers.target
    ```

5. Then enable the timer (the service is started by the timer, so it is the timer that gets enabled)

    ```bash
    sudo systemctl enable --now btrbk_snapshots.timer
    ```

#### Backups

Before you begin, go through the usual process of setting up an encrypted drive:

1. Install udisks2 for automatic USB drive mounting

    ```bash
    pacman -S udisks2
    ```

2. crypttab automatically loads keys named `<name>.key` from `/etc/cryptsetup-keys.d` when the key field is `none`

    ```bash
    mkdir -m 700 /etc/cryptsetup-keys.d
    ```

3. Generate a sufficiently random key. The file must not be world-readable: a plain `dd` into /etc creates it with mode 644, which hands the backup drive's key to every local user.

    ```bash
    dd if=/dev/urandom of=/etc/cryptsetup-keys.d/btr_backup.key bs=64 count=1
    chmod 400 /etc/cryptsetup-keys.d/btr_backup.key
    ```

4. Add the key to your backup drive

    ```bash
    cryptsetup luksAddKey /dev/sda1 /etc/cryptsetup-keys.d/btr_backup.key
    ```

5. Create a crypttab entry in /etc/crypttab (`nofail` so boot does not hang when the drive is absent)

    ```text
    btr_backup UUID=a074a34c-1211-4f9a-a88c-071b4775fe54 none nofail
    ```

6. Create an fstab entry in /etc/fstab

    ```text
    /dev/mapper/btr_backup /mnt/btr_backup btrfs rw,relatime,ssd,space_cache=v2,subvolid=5,comment=x-gvfs-show,nofail 0 0
    ```

7. Make the mount point itself a read-only subvolume on the root filesystem. If the backup drive is not mounted, btrbk then fails instead of silently writing the backups onto the root disk.

    ```bash
    btrfs subvolume create /mnt/btr_backup
    btrfs property set /mnt/btr_backup ro true
    ```

8. Create a backup config at /etc/btrbk/backups.conf. `snapshot_create no` means this job only ships the snapshots the hourly snapshot job already made; the `volume` path must match the one in snapshots.conf.

    ```conf
    snapshot_create no
    target_preserve_min no
    target_preserve 30d

    volume /mnt/btr_pool
      target /mnt/btr_backup
      subvolume root
        snapshot_dir .snapshots

    volume /mnt/btr_pool
      target /mnt/btr_backup
      subvolume home
        snapshot_dir .snapshots

    volume /mnt/btr_pool
      target /mnt/btr_backup
      subvolume libvirt
        snapshot_dir .snapshots
    ```

9. Create a backup service at /etc/systemd/system/btrbk_backups.service (systemd needs an absolute path in `ExecStart`)

    ```conf
    [Unit]
    Description=Runs btrbk with config file at /etc/btrbk/backups.conf

    [Service]
    ExecStart=/usr/local/bin/btrbk -c /etc/btrbk/backups.conf -v run
    ```

10. Create a timer to activate the service at /etc/systemd/system/btrbk_backups.timer

    ```conf
    [Unit]
    Description=Run btrbk backups every hour

    [Timer]
    OnCalendar=hourly
    AccuracySec=10min
    Persistent=true
    Unit=btrbk_backups.service

    [Install]
    WantedBy=timers.target
    ```

11. Enable the timer

    ```bash
    sudo systemctl enable --now btrbk_backups.timer
    ```

### ISCSI

1. Add the CHAP login in /etc/iscsi/iscsid.conf. The password is stored in clear text, so keep the file root-only (mode 600). SHA1 and MD5 are in the list only for old targets; the target picks from whatever the initiator offers, so drop them if your target supports SHA-256 or SHA3-256. CHAP authenticates the login only, nothing is encrypted afterwards, so run iSCSI over a trusted LAN or the WireGuard tunnel above.

    ```conf
    node.session.auth.chap_algs = SHA3-256,SHA256,SHA1,MD5
    node.session.auth.username = username
    node.session.auth.password = password
    ```

2. Discover the portal and log in (`iscsiadm` needs the `iscsid` daemon running: `systemctl start iscsid`)

    ```bash
    # Add a new target to your list of nodes
    iscsiadm \
      -m discovery \
      -t st \
      -p driveripper.reeselink.com

    # Login to the target
    iscsiadm \
      -m node \
      --targetname iqn.2023-01.driveripper.reeselink.com:backup-reese-pc \
      -p driveripper.reeselink.com:3260 \
      --login

    # or login to all targets
    iscsiadm -m node --loginall all

    # View current session
    iscsiadm -m session

    # Log out of all sessions
    iscsiadm -m node -u
    ```

#### Backing up a snapshot

The iSCSI disk must carry a btrfs filesystem mounted at the receive path (here /mnt/btr_iscsi); `btrfs receive` only works onto btrfs.

```bash
pacman -S pv
btrfs send /mnt/btr_backup/root.20230727T1000 | pv | btrfs receive /mnt/btr_iscsi
```

### VSCode

For the open source version of Code install `code`:

```bash
sudo pacman -S code
```

For the proprietary version of VS Code install `yay` and then:

```bash
yay -S visual-studio-code-bin
```

To save a list of installed extensions run:

```bash
code --list-extensions >> vscode_extensions.txt
```

To install that list of extensions run:

```bash
cat vscode_extensions.txt | xargs -L 1 code --install-extension
```

## Apps

| Name             | Description                               |
| ---------------- | ----------------------------------------- |
| base-devel       | makepkg requirement                       |
| kubectl          | Kubernetes kubectl                        |
| wine             | Windows compatibility layer (wine64)      |
| steam            | Steam                                     |
| git              | git                                       |
| iperf3           | iperf3 network speed test                 |
| spotify-launcher | official Spotify launcher                 |

## Bashrc

~/.bashrc

```bash
# .bashrc

# Source global definitions (Arch ships /etc/bash.bashrc, which bash sources
# on its own; this guard is harmless if /etc/bashrc does not exist)
if [ -f /etc/bashrc ]; then
    . /etc/bashrc
fi

# User specific binaries
if ! [[ "$PATH" =~ "$HOME/.local/bin:$HOME/bin:" ]]
then
    PATH="$HOME/.local/bin:$HOME/bin:$PATH"
fi
export PATH

# User specific aliases and functions (source .bashrc.d/)
if [ -d ~/.bashrc.d ]; then
    for rc in ~/.bashrc.d/*; do
        if [ -f "$rc" ]; then
            . "$rc"
        fi
    done
fi

# clear var used in for loop
unset rc
```

~/.bashrc.d/aliases.sh

```bash
# (Mostly) Taken from https://www.cyberciti.biz/tips/bash-aliases-mac-centos-linux-unix.html
# Author: Vivek Gite

## Colorize the ls output ##
alias ls="ls --color=auto"

## Colorize the grep command output for ease of use (good for log files)##
alias grep='grep --color=auto'
alias egrep='egrep --color=auto'
alias fgrep='fgrep --color=auto'

## Human readable mount table ##
# Do NOT alias "mount" itself: "mount /dev/sdb1 /mnt" would turn into
# "mount | column -t /dev/sdb1 /mnt" and silently do the wrong thing.
alias mnt='mount | column -t'

## show open ports ##
alias ports='ss -tulanp'

# do not delete / or prompt if deleting more than 3 files at a time #
alias rm='rm -I --preserve-root'

# confirmation #
alias mv='mv -i'
alias cp='cp -i'
alias ln='ln -i'

# Parenting changing perms on / #
alias chown='chown --preserve-root'
alias chmod='chmod --preserve-root'
alias chgrp='chgrp --preserve-root'

## pass options to free ##
alias meminfo='free -m -l -t'

## get top process eating memory
alias psmem='ps auxf | sort -nr -k 4'
alias psmem10='ps auxf | sort -nr -k 4 | head -10'

## get top process eating cpu ##
alias pscpu='ps auxf | sort -nr -k 3'
alias pscpu10='ps auxf | sort -nr -k 3 | head -10'

## this one saved my butt so many times ##
alias wget='wget -c'

## set some other defaults ##
alias df='df -H'
alias du='du -ch'

## ls but with file sizes, showing largest at the bottom ##
alias lst='ls --human-readable --size -1 -S --classify -r'

## ls show only directories
alias lsd='ls -d */'

## Count the number of files in a directory
alias lsc='find . -type f | wc -l'

## ls sort by last modified ##
alias lmt='ls -t -1'
```

## Unnecessary

### Plymouth Background Image

Requires the `plymouth` package and its mkinitcpio hook (the `splash` kernel parameter is already in the loader entry).

1. `sudo cp image.png /usr/share/plymouth/themes/spinner/background-tile.png`
2. `sudo plymouth-set-default-theme -R spinner`

## Help

### Update Grub

Only relevant if you use GRUB instead of systemd-boot. Under Secure Boot the resulting EFI binary has to be signed as well (`sbctl sign -s`), like the systemd-boot files in the installation steps.

1. `grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=BOOT`
2. `cp /boot/EFI/BOOT/grubx64.efi /boot/EFI/BOOT/bootx64.efi`

### Downgrading Kernel

You can find old kernel versions at

You can find old kernel-header versions at

If you want to downgrade to a previously installed kernel you can use the pacman cache:

1. `cd /var/cache/pacman/pkg`
2. `pacman -U linux-x.x.x.arch1-1-x86_64.pkg.tar.zst linux-headers-x.x.x.arch1-1-x86_64.pkg.tar.zst`
3. `reboot`

If you want to downgrade to a kernel that wasn't previously installed:

1. Download linux... and linux-headers... from above
2. `pacman -U linux-x.x.x.arch1-1-x86_64.pkg.tar.zst linux-headers-x.x.x.arch1-1-x86_64.pkg.tar.zst`
3. `reboot`

`pacman -U` runs the same hooks as an upgrade, so sbctl re-signs the downgraded `vmlinuz-linux`; run `sbctl verify` before rebooting under Secure Boot to be sure.