Workstation/arch.md
2023-08-14 12:48:19 -04:00


Arch with Gnome

Installation

Follow most of the instructions here: https://wiki.archlinux.org/title/Installation_guide

  1. Download Arch

  2. Verify the image

  3. Create a bootable ISO

  4. Disable secureboot (reenable later)

  5. Put your machine in setup mode

    On framework this is done in the UEFI setup page for Security, sub-page Secure Boot, choose “Erase all Secure Boot Settings.”

  6. Boot into the live image

  7. Check for network connectivity

    # Check for internet
    ip a
    ping archlinux.org
    
  8. timedatectl to update system clock

  9. Create disk partitions. Use gdisk so the disk gets a GPT: systemd-boot refuses to install on an MBR disk ("bootctl install is not on a gpt partition table")

    fdisk -l
    gdisk /dev/vda
    
    • +1G for /boot
    • set its type (t) to EFI System (gdisk code EF00) for /boot
    • remaining for /
  10. mkfs.fat -F 32 /dev/vda1 (/mnt/boot partition)

  11. cryptsetup luksFormat /dev/vda2

  12. cryptsetup luksOpen /dev/vda2 root

  13. mkfs.btrfs /dev/mapper/root (root partition)

  14. Mount the root partition with mount /dev/mapper/root /mnt

    The loader entry below boots with rootflags=subvol=root, so if you keep that option create a btrfs subvolume named root on the new filesystem and mount that (mount -o subvol=root) here instead of the top-level volume; otherwise drop rootflags from the entry. The btrbk section later assumes the same subvolume layout.

  15. Mount the boot partition with mount --mkdir /dev/vda1 /mnt/boot

  16. pacstrap -K /mnt base linux linux-firmware

    Note: linux-zen works, linux-hardened breaks appimages

  17. genfstab -U /mnt >> /mnt/etc/fstab

  18. arch-chroot /mnt

  19. ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime

  20. hwclock --systohc

  21. echo 'LANG=en_US.UTF-8' > /etc/locale.conf

  22. echo 'KEYMAP=us' > /etc/vconsole.conf

  23. echo 'hostname' > /etc/hostname (replace hostname with the machine's name)

  24. pacman -S sudo vim gdm gnome dhclient dhcpcd bash-completion tpm2-tss btrfs-progs

  25. Edit /etc/mkinitcpio.conf and set up systemd/sd-encrypt

    HOOKS=(systemd autodetect modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)
    
  26. mkinitcpio -P

  27. Install systemd-boot

    https://wiki.archlinux.org/title/systemd-boot

    bootctl install
    
  28. Edit your loader.conf with some defaults

    /boot/loader/loader.conf

    default  arch.conf
    timeout  4
    console-mode max
    editor   no
    
    editor no disables the boot-time entry editor. With it enabled, anyone at the keyboard can append init=/bin/bash or strip security parameters from the kernel command line, and Secure Boot does not check the command line.

  29. Create a loader entry (templates ship in /usr/share/systemd/bootctl/). The UUID in rd.luks.name is the LUKS partition's UUID, from blkid -s UUID -o value /dev/vda2. nvme.noacpi, acpi_osi and mem_sleep_default are sleep and NVMe workarounds for this laptop and can be dropped on other hardware.

    /boot/loader/entries/arch.conf

    title   Arch Linux
    linux   /vmlinuz-linux
    initrd  /initramfs-linux.img
    options quiet splash rd.luks.name=d9828faa-2b8c-4184-9e74-9054ae328c6d=root root=/dev/mapper/root rootflags=subvol=root nvme.noacpi=1 acpi_osi="!Windows 2020" mem_sleep_default="deep" rw
    
  30. Add a pacman hook for systemd-boot updates

    /etc/pacman.d/hooks/95-systemd-boot.hook

    [Trigger]
    Type = Package
    Operation = Upgrade
    Target = systemd
    
    [Action]
    Description = Gracefully upgrading systemd-boot...
    When = PostTransaction
    Exec = /usr/bin/systemctl restart systemd-boot-update.service
    
  31. cd /root/

  32. pacman -S efitools

  33. Back up the factory Secure Boot variables before replacing them, so they can be restored later if needed: for var in PK KEK db dbx ; do efi-readvar -v $var -o old_${var}.esl ; done

  34. pacman -S sbctl

  35. sbctl create-keys

  36. sbctl enroll-keys -m (needs the firmware in setup mode from step 5; -m keeps Microsoft's vendor certificates in db so signed option ROMs such as GPU firmware still load. Enrolling without -m on hardware with such ROMs can render the machine unbootable)

  37. sbctl status

  38. sbctl verify (lists every EFI binary on the ESP and whether it is signed)

  39. sbctl sign -s /boot/vmlinuz-linux

  40. sbctl sign -s /boot/EFI/BOOT/BOOTX64.EFI

    -s saves the path in sbctl's database, and sbctl's pacman hook re-signs every saved path after an update. Sign anything else sbctl verify still reports as unsigned (bootctl install also writes /boot/EFI/systemd/systemd-bootx64.efi); an unsigned binary will not load once Secure Boot is enforced.

  41. sbctl status

  42. systemctl enable gdm (you are already root inside the chroot)

  43. useradd ducoterra

  44. passwd ducoterra

  45. groupadd sudo

  46. Edit /etc/sudoers with visudo (it syntax-checks before saving; a broken sudoers locks you out of sudo) and uncomment the %wheel and %sudo lines that grant those groups privileges

  47. usermod -aG sudo ducoterra

  48. usermod -aG wheel ducoterra

  49. mkdir /home/ducoterra

  50. chown ducoterra:ducoterra /home/ducoterra

  51. exit

  52. reboot

Don't forget to re-enable Secure Boot in the UEFI setup after rebooting and to confirm with sbctl status that it reports enabled, and make sure the signed systemd-boot is the firmware's boot entry. sbctl installs a pacman hook that re-signs every file recorded with sbctl sign -s whenever a kernel or systemd-boot update replaces it; any boot binary you add later must be signed (and saved with -s) the same way.

Post Install

Locale

Set up locale with correct information (required for certain binaries like minecraft-launcher)

  1. sudo vim /etc/locale.gen

    Uncomment the line:

    en_US.UTF-8 UTF-8

  2. sudo locale-gen

Hardware Acceleration

(This helps enable hardware encoding/decoding for steam streaming)

Intel

sudo pacman -S libva-utils intel-media-driver
vainfo

AMD

sudo pacman -S vulkan-radeon libva-utils libva-mesa-driver xf86-video-amdgpu

Firewall

sudo pacman -S ufw
sudo ufw enable

ufw enable only flips ENABLED=yes in /etc/ufw/ufw.conf; also enable the unit (sudo systemctl enable --now ufw) so the rules are loaded at boot. The default policy is deny incoming, allow outgoing.

Power Management

  1. For laptops install tlp

    sudo pacman -S tlp tlp-rdw
    sudo systemctl enable --now tlp
    sudo systemctl mask systemd-rfkill.service
    sudo systemctl mask systemd-rfkill.socket
    
  2. Then configure it with the following settings (optional)

    /etc/tlp.conf

    # I've seen some issues with usb autosuspend
    USB_AUTOSUSPEND=0
    # Restore bluetooth/wifi state on reboot
    # Otherwise it defaults to on
    RESTORE_DEVICE_STATE_ON_STARTUP=1
    # Disable wifi when plugged in
    # You might not want this for continuity - eg. you're copying a file to a network
    # share over wifi - plugging in will cancel the copy with this option enabled.
    DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan"
    # Re-enable wifi when unplugged.
    DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="wifi wwan"
    
  3. For desktops install cpupower

    sudo pacman -S cpupower
    systemctl enable --now cpupower
    

    Temporarily set power profile with cpupower frequency-set -g performance

    Edit /etc/default/cpupower

    governor='performance'
    

TPM2 LUKS Decryption

PCR 7 holds the measurement of the Secure Boot state and the certificates used to verify the boot chain, so binding the key to --tpm2-pcrs=7 means the TPM releases it only while Secure Boot is on with the same enrolled keys; with Secure Boot disabled (or the db changed) systemd-cryptsetup falls back to the passphrase. PCR 7 does not cover the kernel command line or the initramfs, which systemd-boot loads unsigned from the unencrypted ESP, so this protects against offline theft of the disk but not against a tampered /boot; binding additional PCRs or booting a signed unified kernel image closes that gap.

  1. pacman -S tpm2-tss
  2. systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7 (prompts for an existing passphrase; keep that passphrase as the recovery path)
  3. Add rd.luks.options=tpm2-device=auto to the options line of /boot/loader/entries/arch.conf so sd-encrypt tries the TPM before prompting

Don't sleep while plugged in

This is needed for the Framework 13 (11th gen) since sleeping while plugged in to a dock will prevent it from waking up.

/etc/systemd/logind.conf

...
HandleLidSwitchExternalPower=lock
HandleLidSwitchDocked=ignore
...

Fingerprint Reader Support

Setup

  1. sudo pacman -S fprintd

  2. sudo systemctl enable --now fprintd

  3. Enable fingerprint terminal login but prompt for password first (enter switches to prompt for fingerprint)

    /etc/pam.d/sudo

    # fingerprint auth
    auth      sufficient pam_fprintd.so
    

Turn Off Fingerprint When Laptop Lid Closed

To disable fingerprint authentication while the laptop lid is closed, and re-enable it when the lid is reopened, we use acpid to bind the button/lid.* event to a script that comments out the pam_fprintd line in /etc/pam.d/sudo and restores it.

Usually we'd just systemctl mask fprintd but this breaks gdm (as of 08/06/23). See https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/2267 and https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6585.

  1. pacman -S acpid and then systemctl enable --now acpid

  2. Create file /etc/acpi/laptop-lid.sh with the following contents:

    #!/bin/bash
    # Run by acpid on lid events: disable pam_fprintd for sudo while the lid
    # is closed and re-enable it when the lid opens.
    PAM_FILE=/etc/pam.d/sudo
    LID_STATE=/proc/acpi/button/lid/LID0/state   # may be .../LID/state on other machines
    
    if grep -Fq closed "$LID_STATE" # &&
        # Optionally also require an external display (the docked case).
        # For USB-C DisplayPort use:
        # grep -Fxq connected /sys/class/drm/card1-DP-2/status
        # For HDMI use:
        # grep -Fxq connected /sys/class/drm/card0-HDMI-A-1/status
    then
        # comment out the pam_fprintd line
        sed -i -E 's/^([^#].*pam_fprintd\.so)/#\1/' "$PAM_FILE"
    else
        # uncomment the pam_fprintd line
        sed -i -E 's/^#(.*pam_fprintd\.so)/\1/' "$PAM_FILE"
    fi
    
  3. Make the file executable with

    chmod +x /etc/acpi/laptop-lid.sh

  4. Create file /etc/acpi/events/laptop-lid with the following contents:

    event=button/lid.*
    action=/etc/acpi/laptop-lid.sh
    
  5. Restart the acpid service with:

    systemctl restart acpid

Now the fingerprint will be used only when the lid is open.
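
The comment/uncomment step the lid script performs, as an added example that is not part of the original page: a parameterised, idempotent version of the same logic, generalised to any PAM module, with a state query so a caller (or a test) can confirm the file ended up in the intended state. It takes the PAM file and lid state file as arguments so it can be exercised against a temporary copy rather than /etc/pam.d/sudo; the function names are this example's own, and the default paths are the ones the page uses.

```bash
#!/usr/bin/env bash
# Added example, not the page's own script: idempotent PAM module toggle.
#   pam_module_state FILE MODULE       -> prints "on", "off" or "absent"
#   pam_module_set   FILE MODULE on|off -> comments/uncomments every line that
#                                          loads MODULE; no-op if already there
#   lid_is_closed    [STATE_FILE]      -> true when the lid state file says closed
#   apply_lid_policy [PAM_FILE] [STATE_FILE]
# Default paths are the page's (/etc/pam.d/sudo, /proc/acpi/button/lid/LID0/state).

pam_module_state() {
    local file="$1" module="$2"
    # Active line: first non-blank char is not '#', module name preceded by whitespace.
    if grep -Eq "^[[:space:]]*[^#[:space:]].*[[:space:]]${module}([[:space:]]|\$)" "$file"; then
        echo on
    elif grep -Eq "^[[:space:]]*#.*[[:space:]]${module}([[:space:]]|\$)" "$file"; then
        echo off
    else
        echo absent
    fi
}

pam_module_set() {
    local file="$1" module="$2" want="$3" current
    current=$(pam_module_state "$file" "$module")
    # Nothing to toggle if the module is not referenced; fail so callers notice.
    [ "$current" = "absent" ] && return 1
    # Idempotent: a repeated event must not stack '#' markers.
    [ "$current" = "$want" ] && return 0
    case "$want" in
        off) sed -i -E "s|^([[:space:]]*[^#[:space:]].*[[:space:]]${module}([[:space:]].*)?)\$|#\1|" "$file" ;;
        on)  sed -i -E "s|^[[:space:]]*#[[:space:]]*([^#[:space:]].*[[:space:]]${module}([[:space:]].*)?)\$|\1|" "$file" ;;
        *)   echo "usage: pam_module_set FILE MODULE on|off" >&2; return 2 ;;
    esac
    # Verify the edit actually produced the requested state.
    [ "$(pam_module_state "$file" "$module")" = "$want" ]
}

# Same fail-open behaviour as the page's script: an unreadable state file counts as open.
lid_is_closed() {
    local state_file="${1:-/proc/acpi/button/lid/LID0/state}"
    [ -r "$state_file" ] && grep -Fq closed "$state_file"
}

apply_lid_policy() {
    local pam_file="${1:-/etc/pam.d/sudo}" state_file="${2:-/proc/acpi/button/lid/LID0/state}"
    if lid_is_closed "$state_file"; then
        pam_module_set "$pam_file" pam_fprintd.so off
    else
        pam_module_set "$pam_file" pam_fprintd.so on
    fi
}
```

Running it twice in the same direction is a no-op, so a duplicate acpid event cannot stack comment markers and leave a line the plain uncomment regex no longer matches, and the final state check means a failed sed is reported rather than silently leaving fingerprint auth enabled with the lid shut.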

In order to ensure the correct state after suspend we need a service file which runs our script on wake.

  1. Create a file named /etc/systemd/system/laptop-lid.service with the following contents (Type=oneshot because the script runs once and exits):

    [Unit]
    Description=Re-apply the lid fingerprint policy after resume
    After=suspend.target
    
    [Service]
    Type=oneshot
    ExecStart=/etc/acpi/laptop-lid.sh
    
    [Install]
    WantedBy=multi-user.target
    WantedBy=suspend.target
    
  2. Reload the systemd config files with

    sudo systemctl daemon-reload

  3. Start and enable the service with

    sudo systemctl enable --now laptop-lid.service

Now the state is correct even if the lid or dock changed while the machine was suspended and acpid could not see the event.

AppArmor

  1. sudo pacman -S apparmor audit (audit provides auditd)

  2. sudo systemctl enable --now apparmor

  3. sudo systemctl enable --now auditd

  4. Add the kernel parameters. Arch's default LSM list omits apparmor, so without lsm= the module is loaded but inactive; audit=1 turns on audit logging from boot. Check with aa-status after rebooting.

    /boot/loader/entries/arch.conf

    title Arch Linux
    ...
    options ...lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1...
    

Firejail

Firejail launches supported applications in a sandboxed environment where it limits access to system files and resources.

For example:

  • Firefox will not be able to access more than a small subset of your home directory.
  • VSCode will not be able to access ~/.config/autostart.

  1. sudo pacman -S firejail
  2. sudo firecfg (symlinks every supported program into /usr/local/bin so it launches through firejail transparently)
  3. firecfg --fix (run as your own user; repairs .desktop files under ~/.local/share/applications so launchers use the symlinks)

AppImage Support

fuse is required to run most AppImages, and the file must be executable (chmod +x) before it will run.

  1. sudo pacman -S fuse

  2. cp ~/Downloads/xxxxxxx.appimage ~/Applications

  3. Write a .desktop entry at ~/.local/share/applications/

    [Desktop Entry]
    Encoding=UTF-8
    Name=
    Exec=/home/ducoterra/Applications/
    Icon=/home/ducoterra/Applications/
    Type=Application
    Categories=;
    

Bluetooth

  1. sudo pacman -S bluez bluez-utils
  2. sudo systemctl enable --now bluetooth

Audio

Without pipewire-pulse the audio level/device will reset every reboot.

  1. sudo pacman -S pipewire-pulse (remove conflicting packages)

Firefox

You'll want firefox and gnome-browser-connector (for gnome extension management).

sudo pacman -S firefox gnome-browser-connector

RDP Remote Desktop

  1. sudo pacman -S remmina freerdp

Virtualization

  1. Install virtualization capabilities

    sudo pacman -S qemu-full libvirt iptables-nft dnsmasq virt-manager qemu-desktop swtpm
    sudo usermod -aG libvirt ducoterra
    sudo virsh net-autostart default
    
  2. Edit /etc/libvirt/libvirtd.conf

    ...
    unix_sock_group = 'libvirt'
    ...
    unix_sock_rw_perms = '0770'
    ...
    
  3. Edit /etc/libvirt/qemu.conf so the system instance runs QEMU as your user. This lets guests use disk images under your home directory without permission fiddling, but a guest that breaks out of QEMU then runs as you rather than as the unprivileged qemu user, so leave the default if you do not need it.

    # Some examples of valid values are:
    #
    #       user = "qemu"   # A user named "qemu"
    #       user = "+0"     # Super user (uid=0)
    #       user = "100"    # A user named "100" or a user with uid=100
    #
    user = "ducoterra"
    
    # The group for QEMU processes run by the system instance. It can be
    # specified in a similar way to user.
    group = "ducoterra"
    
  4. sudo systemctl enable --now libvirtd

If you get a blank screen when launching a VM, check that the guest was created with the right firmware: OVMF with Secure Boot (secboot) or without it, matching what the guest OS supports. This is the most common problem.

Arch Guests

In order to get drivers for spice you'll need the guest spice drivers:

sudo pacman -S qemu-guest-agent spice-vdagent

CUPS Printing

  1. sudo pacman -S cups cups-pdf avahi nss-mdns (nss-mdns provides the mdns_minimal resolver used below)

  2. sudo vim /etc/nsswitch.conf

    hosts: mymachines mdns_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
    
  3. sudo systemctl enable --now cups

  4. sudo systemctl enable --now avahi-daemon

Steam

https://wiki.archlinux.org/title/Official_repositories#multilib

Edit /etc/pacman.conf and uncomment the multilib repository:

[multilib]
Include = /etc/pacman.d/mirrorlist

Then install Steam:

sudo pacman -S steam steam-native

When prompted for a Vulkan driver, use vulkan-radeon on an AMD GPU (pick the driver matching your hardware).

steam-native allows vaapi hardware encoding for steam remote play.

XWayland

Provides compatibility with X server applications (like wine)

  1. sudo pacman -S xorg-xwayland

Wireguard

The wireguard kernel module has been in mainline since 5.6 and ships with Arch's linux package, so linux-headers is only needed if you build an out-of-tree module (wireguard-dkms). If the VPN won't activate, check that the module loads with modprobe wireguard.

  1. sudo pacman -S wireguard-tools

btrbk

Snapshots

  1. Grab the btrbk binary from the github repo. Copy it to /usr/local/bin/btrbk.

  2. Create a snapshot config

    /etc/btrbk/snapshots.conf

    snapshot_preserve_min   24h
    snapshot_preserve       14d
    
    volume /mnt/btr_pool
        subvolume           root
        snapshot_dir        .snapshots
    
    volume /mnt/btr_pool
        subvolume           home
        snapshot_dir        .snapshots
    
    volume /mnt/btr_pool
        subvolume           libvirt
        snapshot_dir        .snapshots
    
    volume /mnt/btr_pool
        subvolume           nextcloud
        snapshot_dir        .snapshots
    
  3. Then create a snapshot service

    /etc/systemd/system/btrbk_snapshots.service

    [Unit]
    Description=Runs btrbk with config file at /etc/btrbk/snapshots.conf
    
    [Service]
    ExecStart=/usr/local/bin/btrbk -c /etc/btrbk/snapshots.conf -v run
    
  4. Then create a timer for the service

    /etc/systemd/system/btrbk_snapshots.timer

    [Unit]
    Description=Run snapshots every hour
    
    [Timer]
    OnCalendar=hourly
    
    AccuracySec=10min
    Persistent=true
    Unit=btrbk_snapshots.service
    
    [Install]
    WantedBy=timers.target
    
  5. Then enable the service

    systemctl enable --now btrbk_snapshots.timer
    

Backups

Before you begin, go through the usual process of setting up an encrypted drive:

  1. Install udisks2 for automatic usb drive mounting

    pacman -S udisks2
    
  2. systemd-cryptsetup automatically tries a key named <volume_name>.key in /etc/cryptsetup-keys.d when the crypttab key field is none

    mkdir -m 700 /etc/cryptsetup-keys.d
    
  3. Generate a sufficiently random key and keep it readable by root only

    dd if=/dev/urandom of=/etc/cryptsetup-keys.d/btr_backup.key bs=64 count=1
    chmod 600 /etc/cryptsetup-keys.d/btr_backup.key
    
  4. Add the key to your backup drive

    cryptsetup luksAddKey /dev/sda1 /etc/cryptsetup-keys.d/btr_backup.key
    
  5. Create a crypttab entry

    /etc/crypttab

    btr_backup  UUID=a074a34c-1211-4f9a-a88c-071b4775fe54   none    nofail
    
  6. Create an fstab entry

    /etc/fstab

    /dev/mapper/btr_backup  /mnt/btr_backup btrfs   rw,relatime,ssd,space_cache=v2,subvolid=5,comment=x-gvfs-show,nofail    0 0
    
  7. Make the mount point itself a read-only subvolume, so if the backup disk is not mounted btrbk fails instead of silently writing the backups into the root filesystem

    btrfs subvolume create /mnt/btr_backup
    btrfs property set /mnt/btr_backup ro true
    
  8. Create a backup config (the volume path must match the one used in snapshots.conf)

    /etc/btrbk/backups.conf

    snapshot_create         no
    target_preserve_min     no
    target_preserve         30d
    
    volume /mnt/btr_pool
        target /mnt/btr_backup
        subvolume           root
        snapshot_dir        .snapshots
    
    volume /mnt/btr_pool
        target /mnt/btr_backup
        subvolume           home
        snapshot_dir        .snapshots
    
    volume /mnt/btr_pool
        target /mnt/btr_backup
        subvolume           libvirt
        snapshot_dir        .snapshots
    
  9. Create a backup service

    /etc/systemd/system/btrbk_backups.service

    [Unit]
    Description=Runs btrbk with config file at /etc/btrbk/backups.conf
    
    [Service]
    ExecStart=/usr/local/bin/btrbk -c /etc/btrbk/backups.conf -v run
    
  10. Create a timer to activate the service

    /etc/systemd/system/btrbk_backups.timer

    [Unit]
    Description=Run btrbk backups every hour
    
    [Timer]
    OnCalendar=hourly
    AccuracySec=10min
    Persistent=true
    Unit=btrbk_backups.service
    
    [Install]
    WantedBy=timers.target
    
  11. Enable the timer

    systemctl enable --now btrbk_backups.timer
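
Steps 2 to 4 above only work as intended if the key file is readable by root alone: a world-readable key in /etc/cryptsetup-keys.d hands the backup drive's encryption to every local user. The following is an added example, not the page's own commands, showing how to create that key file with the directory and file private from the moment they exist, and a check to run before cryptsetup luksAddKey. Directory and volume name are parameters so it can be tried in a temp directory; the page's values are /etc/cryptsetup-keys.d and btr_backup, and the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not the page's own commands): LUKS key file creation and check.
#   make_luks_keyfile DIR NAME  -> writes DIR/NAME.key (64 random bytes, mode 0600,
#                                  directory mode 0700) and prints the path;
#                                  refuses to overwrite an existing key
#   check_luks_keyfile PATH     -> 0 if PATH is a regular file of >= 32 bytes that
#                                  only its owner can read; otherwise explains why
# Run as root for the real paths: make_luks_keyfile /etc/cryptsetup-keys.d btr_backup

make_luks_keyfile() {
    local dir="$1" name="$2" path="$1/$2.key"
    [ -e "$path" ] && { echo "refusing to overwrite $path" >&2; return 1; }
    # umask 077 inside a subshell: the directory and file are created private,
    # so there is no window in which another user could read the key, and the
    # caller's umask is left untouched.
    (
        umask 077
        mkdir -p "$dir" || exit 1
        head -c 64 /dev/urandom > "$path" || exit 1
    ) || return 1
    echo "$path"
}

check_luks_keyfile() {
    local path="$1" mode size
    [ -f "$path" ] || { echo "$path: not a regular file" >&2; return 1; }
    mode=$(stat -c '%a' "$path")
    size=$(stat -c '%s' "$path")
    case "$mode" in
        600|400) ;;
        *) echo "$path: mode $mode is readable by others; run chmod 0600" >&2; return 1 ;;
    esac
    [ "$size" -ge 32 ] || { echo "$path: only $size bytes of key material" >&2; return 1; }
    return 0
}
```

The check is cheap to keep in a pre-backup script: a key file that has been copied or restored with the wrong mode will be caught before the drive is ever unlocked with it.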
    

ISCSI

  1. Add the CHAP login. The file now holds a secret, so keep it root-only (chmod 600 /etc/iscsi/iscsid.conf); the algorithm list is tried in order, so the SHA-2/SHA-3 entries are preferred over MD5.

    /etc/iscsi/iscsid.conf

    node.session.auth.chap_algs = SHA3-256,SHA256,SHA1,MD5
    node.session.auth.username = username
    node.session.auth.password = password
    
  2. Initiate and login to the portal

    # Add a new target to your list of nodes
    iscsiadm \
        -m discovery \
        -t st \
        -p driveripper.reeselink.com
    
    # Login to the target
    iscsiadm \
        -m node \
        --targetname iqn.2023-01.driveripper.reeselink.com:backup-reese-pc \
        -p driveripper.reeselink.com:3260 \
        --login
    
    # or login to all targets
    iscsiadm -m node --loginall all
    
    # View current session
    iscsiadm -m session
    
    # Log out of all sessions
    iscsiadm -m node -u
    

Backing up a snapshot

pacman -S pv

btrfs send /mnt/btr_backup/root.20230727T1000 | pv | btrfs receive /mnt/btr_iscsi

VSCode

For the open source version of code install code:

sudo pacman -S code

For the proprietary version of vscode install yay and then:

yay -S visual-studio-code-bin

To save a list of installed extensions run (> rather than >> so rerunning does not append duplicates):

code --list-extensions > vscode_extensions.txt

To install that list of extensions run:

xargs -L 1 code --install-extension < vscode_extensions.txt

Apps

Name               Description
base-devel         makepkg requirement
kubectl            kubernetes kubectl
wine               Windows compatibility layer (wine64)
steam              steam
git                git
iperf3             iperf3 network speedtest
spotify-launcher   official spotify launcher

Bashrc

~/.bashrc

# .bashrc

# Source global definitions
if [ -f /etc/bashrc ]; then
        . /etc/bashrc
fi

# User specific binaries
if ! [[ "$PATH" =~ "$HOME/.local/bin:$HOME/bin:" ]]
then
    PATH="$HOME/.local/bin:$HOME/bin:$PATH"
fi
export PATH

# User specific aliases and functions (source .bashrc.d/)
if [ -d ~/.bashrc.d ]; then
        for rc in ~/.bashrc.d/*; do
                if [ -f "$rc" ]; then
                        . "$rc"
                fi
        done
fi

# clear var used in for loop
unset rc

~/.bashrc.d/aliases.sh

# (Mostly) Taken from https://www.cyberciti.biz/tips/bash-aliases-mac-centos-linux-unix.html
# Author: Vivek Gite

## Colorize the ls output ##
alias ls="ls --color=auto"

## Colorize the grep command output for ease of use (good for log files)##
alias grep='grep --color=auto'
alias egrep='egrep --color=auto'
alias fgrep='fgrep --color=auto'

## Make mount output human readable. Use a separate name: aliasing mount itself
## expands "mount /dev/x /mnt" to "mount | column -t /dev/x /mnt" and breaks it ##
alias lsmount='mount | column -t'

## show open ports ##
alias ports='ss -tulanp'

# do not delete / or prompt if deleting more than 3 files at a time #
alias rm='rm -I --preserve-root'

# confirmation #
alias mv='mv -i'
alias cp='cp -i'
alias ln='ln -i'

# Parenting changing perms on / #
alias chown='chown --preserve-root'
alias chmod='chmod --preserve-root'
alias chgrp='chgrp --preserve-root'

## pass options to free ##
alias meminfo='free -m -l -t'
 
## get top process eating memory
alias psmem='ps auxf | sort -nr -k 4'
alias psmem10='ps auxf | sort -nr -k 4 | head -10'
 
## get top process eating cpu ##
alias pscpu='ps auxf | sort -nr -k 3'
alias pscpu10='ps auxf | sort -nr -k 3 | head -10'

## this one saved my butt so many times ##
alias wget='wget -c'

## set some other defaults ##
alias df='df -H'
alias du='du -ch'

## ls but with file sizes, showing largest at the bottom ## 
alias lst='ls --human-readable --size -1 -S --classify -r'

## ls show only directories
alias lsd='ls -d */'

## Count the number of files in a directory
alias lsc='find . -type f | wc -l'

## ls sort by last modified ##
alias lmt='ls -t -1'

Unnecessary

Plymouth Background Image

  1. sudo cp image.png /usr/share/plymouth/themes/spinner/background-tile.png
  2. sudo plymouth-set-default-theme -R spinner

Help

Update Grub

  1. grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=BOOT
  2. cp /boot/EFI/BOOT/grubx64.efi /boot/EFI/BOOT/bootx64.efi

Downgrading Kernel

You can find old kernel versions at https://archive.archlinux.org/packages/l/linux/

You can find old kernel-header versions at https://archive.archlinux.org/packages/l/linux-headers/

If you want to downgrade to a previously installed kernel you can use pacman cache:

  1. cd /var/cache/pacman/pkg
  2. pacman -U linux-x.x.x.arch1-1-x86_64.pkg.tar.zst linux-headers-x.x.x.arch1-1-x86_64.pkg.tar.zst
  3. reboot

If you want to downgrade to a kernel that wasn't previously installed:

  1. Download linux... and linux-headers... from above
  2. pacman -U linux-x.x.x.arch1-1-x86_64.pkg.tar.zst linux-headers-x.x.x.arch1-1-x86_64.pkg.tar.zst
  3. reboot