server/Workstation
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
a8d75961cdb6be212a0ff07a0c2f76248ee4ec4e
Workstation/arch.md
ducoterra a8d75961cd add firejail and apparmor
2023-08-14 12:48:19 -04:00

927 lines
22 KiB
Markdown
Raw Blame History

# Arch with Gnome
<!-- TOC -->
- [Arch with Gnome](#arch-with-gnome)
- [Installation](#installation)
- [Post Install](#post-install)
- [Locale](#locale)
- [Hardware Acceleration](#hardware-acceleration)
- [Firewall](#firewall)
- [Power Management](#power-management)
- [TPM2 LUKS Decryption](#tpm2-luks-decryption)
- [Don't sleep while plugged in](#dont-sleep-while-plugged-in)
- [Fingerprint Reader Support](#fingerprint-reader-support)
- [Setup](#setup)
- [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed)
- [AppArmor](#apparmor)
- [Firejail](#firejail)
- [AppImage Support](#appimage-support)
- [Bluetooth](#bluetooth)
- [Audio](#audio)
- [Firefox](#firefox)
- [RDP Remote Desktop](#rdp-remote-desktop)
- [Virtualization](#virtualization)
- [CUPS Printing](#cups-printing)
- [Steam](#steam)
- [XWayland](#xwayland)
- [Wireguard](#wireguard)
- [btrbk](#btrbk)
- [Snapshots](#snapshots)
- [Backups](#backups)
- [ISCSI](#iscsi)
- [Backing up a snapshot](#backing-up-a-snapshot)
- [VSCode](#vscode)
- [Apps](#apps)
- [Bashrc](#bashrc)
- [Unecessary](#unecessary)
- [Plymouth Background Image](#plymouth-background-image)
- [Help](#help)
- [Update Grub](#update-grub)
- [Downgrading Kernel](#downgrading-kernel)
<!-- /TOC -->
## Installation
Follow most of the instructions here:
<https://wiki.archlinux.org/title/Installation_guide>
1. Download Arch
2. Verify the image
3. Create a bootable ISO
4. Disable secureboot (reenable later)
5. Put your machine in setup mode
On framework this is done in the UEFI setup page for Security, sub-page
Secure Boot, choose “Erase all Secure Boot Settings.”
6. Boot into the live image
7. Check for network connectivity
```bash
# Check for internet
ip a
ping archlinux.org
```
8. `timedatectl` to update system clock
9. Create disk partitions. Use gdisk or beware "bootctl install is not on a gpt partition table"
```bash
fdisk -l
gdisk /dev/vda
```
- +1G for /boot
- t EFI SYSTEM for /boot
- remaining for /
10. `mkfs.fat -F 32 /dev/vda1` (/mnt/boot partition)
11. `cryptsetup luksFormat /dev/vda2`
12. `cryptsetup luksOpen /dev/vda2 root`
13. `mkfs.btrfs /dev/mapper/root` (root partition)
14. Mount the root partition with `mount /mnt`
15. Mount the boot partition with `mount --mkdir /mnt/boot`
16. `pacstrap -K /mnt base linux linux-firmware`
Note: linux-zen works, linux-hardened breaks appimages
17. `genfstab -U /mnt >> /mnt/etc/fstab`
18. `arch-chroot /mnt`
19. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime`
20. `hwclock --systohc`
21. `echo 'LANG=en_US.UTF-8' > /etc/locale.conf`
22. `echo 'KEYMAP=us' > /etc/vconsole.conf`
23. `echo 'hostname' > /etc/hostname`
24. `pacman -S sudo vim gdm gnome dhclient dhcpcd bash-completion tpm2-tss btrfs-progs`
25. Edit /etc/mkinitcpio.conf and set up systemd/sd-encrypt
```conf
HOOKS=(systemd autodetect modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)
```
26. `mkinitcpio -P`
27. Install systemd-boot
https://wiki.archlinux.org/title/systemd-boot
```bash
bootctl install
```
28. edit your loader.conf with some defaults
/boot/loader/loader.conf
```conf
default arch.conf
timeout 4
console-mode max
editor no
```
29. Create a loader (/usr/share/systemd/bootctl/loader.conf)
/boot/loader/entries/arch.conf
```conf
title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options quiet splash rd.luks.name=d9828faa-2b8c-4184-9e74-9054ae328c6d=root root=/dev/mapper/root rootflags=subvol=root nvme.noacpi=1 acpi_osi="!Windows 2020" mem_sleep_default="deep" rw
```
30. Add a pacman hook for systemd-boot updates
/etc/pacman.d/hooks/95-systemd-boot.hook
```conf
[Trigger]
Type = Package
Operation = Upgrade
Target = systemd
[Action]
Description = Gracefully upgrading systemd-boot...
When = PostTransaction
Exec = /usr/bin/systemctl restart systemd-boot-update.service
```
31. `cd /root/`
32. `pacman -S efitools`
33. `for var in PK KEK db dbx ; do efi-readvar -v $var -o old_${var}.esl ; done`
34. `pacman -S sbctl`
35. `sbctl create-keys`
36. `sbctl enroll-keys -m`
37. `sbctl status`
38. `sbctl verify`
39. `sbctl sign -s /boot/vmlinuz-linux`
40. `sbctl sign -s /boot/EFI/BOOT/BOOTX64.EFI`
41. `sbctl status`
42. `sudo systemctl enable gdm`
43. `useradd ducoterra`
44. `passwd ducoterra`
45. `groupadd sudo`
46. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege
47. `usermod -aG sudo ducoterra`
48. `usermod -aG wheel ducoterra`
49. `mkdir /home/ducoterra`
50. `chown ducoterra:ducoterra /home/ducoterra`
51. `exit`
52. `reboot`
Don't forget to enable secure boot. Don't forget to add a trusted boot loader.
There is a pacman hook which will automatically sign new binaries on update.
## Post Install
### Locale
Set up locale with correct information (required for certain binaries like minecraft-launcher)
1. `vim /etc/locale.gen`
Uncomment the line:
en_US.UTF-8 UTF-8
2. `sudo locale-gen`
### Hardware Acceleration
(This helps enable hardware encoding/decoding for steam streaming)
Intel
```bash
sudo pacman -S libva-utils intel-media-driver
vainfo
```
AMD
```bash
sudo pacman -S vulkan-radeon libva-utils libva-mesa-driver xf86-video-amdgpu
```
### Firewall
```bash
sudo pacman -S ufw
sudo ufw enable
```
### Power Management
1. For laptops install `tlp`
```bash
sudo pacman -S tlp tlp-rdw
sudo systemctl enable --now tlp
sudo systemctl mask systemd-rfkill.service
sudo systemctl mask systemd-rfkill.socket
```
2. Then configure it with the following settings (optional)
/etc/tlp.conf
```conf
# I've seen some issues with usb autosuspend
USB_AUTOSUSPEND=0
# Restore bluetooth/wifi state on reboot
# Otherwise it defaults to on
RESTORE_DEVICE_STATE_ON_STARTUP=1
# Disable wifi when plugged in
# You might not want this for continuity - eg. you're copying a file to a network
# share over wifi - plugging in will cancel the copy with this option enabled.
DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan"
# Re-enable wifi when unplugged.
DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="wifi wwan"
```
3. For desktops install cpupower
```bash
sudo pacman -S cpupower
systemctl enable --now cpupower
```
Temporarily set power profile with `cpupower frequency-set -g performance`
Edit /etc/default/cpupower
```conf
governor='performance'
```
### TPM2 LUKS Decryption
Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure boot is disabled.
1. `pacman -S tpm2-tss`
2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7`
### Don't sleep while plugged in
This is needed for the Framework 13 (11th gen) since sleeping while plugged in to a dock
will prevent it from waking up.
/etc/systemd/logind.conf
```conf
...
HandleLidSwitchExternalPower=lock
HandleLidSwitchDocked=ignore
...
```
### Fingerprint Reader Support
#### Setup
1. `sudo pacman -S fprintd`
2. `sudo systemctl enable --now fprintd`
3. Enable fingerprint terminal login but prompt for password first (enter switches to prompt for fingerprint)
/etc/pam.d/sudo
```conf
# fingerprint auth
auth sufficient pam_fprintd.so
```
#### Turn Off Fingerprint When Laptop Lid Closed
To disable fingerprint authentication when the laptop lid is closed, and
re-enable when it is reopened, we will use acpid to bind to the button/lid.*
event to a custom script that will comment out fprintd auth in /etc/pam.d/sudo.
Usually we'd just `systemctl mask fprintd` but this breaks gdm (as of 08/06/23). See
<https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/2267> and
<https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6585>.
1. `pacman -S acpid` and then `systemctl enable --now acpid`
2. Create file /etc/acpi/laptop-lid.sh with the following contents:
```bash
#!/bin/bash
if grep -Fq closed /proc/acpi/button/lid/LID0/state # &&
# This is used to detect if a display is connected.
# For USB C displayport use:
# grep -Fxq connected /sys/class/drm/card1-DP-2/status
# For hdmi use:
# grep -Fxq connected /sys/class/drm/card0-HDMI-A-1/status
then
# comment out fprintd
sed -i -E 's/^([^#].*pam_fprintd.so)/#\1/g' /etc/pam.d/sudo
else
# uncomment fprintd
sed -i -E 's/#(.*pam_fprintd.so)/\1/g' /etc/pam.d/sudo
fi
```
3. Make the file executable with
`chmod +x /etc/acpi/laptop-lid.sh`
4. Create file /etc/acpi/events/laptop-lid with the following contents:
```bash
event=button/lid.*
action=/etc/acpi/laptop-lid.sh
```
5. Restart the acpid service with:
`systemctl restart acpid`
Now the fingerprint will be used only when the lid is open.
In order to ensure the correct state after suspend we need a service file which
runs our script on wake.
1. Create a file named /etc/systemd/system/laptop-lid.service with the following contents:
```bash
[Unit]
Description=Laptop Lid
After=suspend.target
[Service]
ExecStart=/etc/acpi/laptop-lid.sh
[Install]
WantedBy=multi-user.target
WantedBy=suspend.target
```
2. Reload the systemd config files with
`sudo systemctl daemon-reload`
3. Start and enable the service with
`sudo systemctl enable --now laptop-lid.service`
Now the status should be correct even after connecting/disconnecting when the computer is off.
### AppArmor
1. `sudo pacman -S apparmor`
2. `sudo systemctl enable --now apparmor`
3. `sudo systemctl enable --now auditd`
4. Add the correct kernel parameters
/boot/loaders/entries/arch.conf
```conf
title Arch Linux
...
options ...lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1...
```
### Firejail
Firejail launches supported applications in a sandboxed environment where it limits access
to system files and resources.
For example:
- Firefox will not be able to access more than a small subset of your home directory.
- VSCode will not be able to acces ~/.config/autostart.
1. `sudo pacman -S firejail`
2. `sudo firecfg`
3. `firecfg --fix`
### AppImage Support
fuse is required to run most appimages.
Also chmod +x before running.
1. `sudo pacman -S fuse`
2. `cp ~/Downloads/xxxxxxx.appimage ~/Applications
3. Write a .desktop entry at ~/.local/share/applications/
```conf
[Desktop Entry]
Encoding=UTF-8
Name=
Exec=/home/ducoterra/Applications/
Icon=/home/ducoterra/Applications/
Type=Application
Categories=;
```
### Bluetooth
1. `sudo pacman -S bluez bluez-utils`
2. `sudo systemctl enable --now bluetooth`
### Audio
Without pipewire-pulse the audio level/device will reset every reboot.
1. `sudo pacman -S pipewire-pulse` (remove conflicting packages)
### Firefox
You'll want firefox and gnome-browser-connector (for gnome extension management).
```bash
sudo pacman -S firefox gnome-browser-connector
```
### RDP Remote Desktop
1. `sudo pacman -S remmina freerdp`
### Virtualization
1. Install virtualization capabilties
```bash
sudo pacman -S qemu-full libvirt iptables-nft dnsmasq virt-manager qemu-desktop swtpm
sudo usermod -aG libvirt ducoterra
sudo virsh net-autostart default
```
2. Edit /etc/libvirt/libvirtd.conf
```conf
...
unix_sock_group = 'libvirt'
...
unix_sock_rw_perms = '0770'
...
```
3. Edit /etc/libvirt/qemu.**conf**
```conf
# Some examples of valid values are:
#
# user = "qemu" # A user named "qemu"
# user = "+0" # Super user (uid=0)
# user = "100" # A user named "100" or a user with uid=100
#
user = "ducoterra"
# The group for QEMU processes run by the system instance. It can be
# specified in a similar way to user.
group = "ducoterra"
```
4. `systemctl enable --now libvirtd`
If you get a blank screen when launching a VM check that you've used the correct bios -
either secboot or not secboot. This is the most common problem.
**Arch Guests**
In order to get drivers for spice you'll need the guest spice drivers:
```bash
sudo pacman -S qemu-guest-agent spice-vdagent
```
### CUPS Printing
12. `sudo pacman -S cups cups-pdf avahi`
14. `sudo vim /etc/nsswitch.conf`
```conf
hosts: mymachines mdns_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
```
15. `sudo systemctl start cups`
16. `sudo systemctl start avahi-daemon`
### Steam
<https://wiki.archlinux.org/title/Official_repositories#multilib>
Edit /etc/pacman.conf
```conf
[multilib]
Include = /etc/pacman.d/mirrorlist
```
```bash
sudo pacman -S steam steam-native
```
When prompted, use vulkan-radeon
`steam-native` allows vaapi hardware encoding for steam remote play.
### XWayland
Provides compatibility with X server applications (like wine)
1. `sudo pacman -S xorg-xwayland`
### Wireguard
Wireguard requires `linux-headers`. If that isn't installed or is misconfigured your
vpn likely won't activate.
1. `sudo pacman -S wireguard-tools`
### btrbk
#### Snapshots
1. Grab the btrbk binary from the github repo. Copy it to /usr/local/bin/btrbk.
2. Create a snapshot config
/etc/btrbk/snapshots.conf
```conf
snapshot_preserve_min 24h
snapshot_preserve 14d
volume /mnt/btr_pool
subvolume root
snapshot_dir .snapshots
volume /mnt/btr_pool
subvolume home
snapshot_dir .snapshots
volume /mnt/btr_pool
subvolume libvirt
snapshot_dir .snapshots
volume /mnt/btr_pool
subvolume nextcloud
snapshot_dir .snapshots
```
3. Then create a snapshot service
/etc/systemd/system/btrbk_snapshots.service
```conf
[Unit]
Description=Runs btrbk with config file at /etc/btrbk/snapshots.conf
[Service]
ExecStart=/usr/local/bin/btrbk -c /etc/btrbk/snapshots.conf -v run
```
4. Then create a timer for the service
/etc/systemd/system/btrbk_snapshots.timer
```conf
[Unit]
Description=Run snapshots every hour
[Timer]
OnCalendar=hourly
AccuracySec=10min
Persistent=true
Unit=btrbk_snapshots.service
[Install]
WantedBy=timers.target
```
5. Then enable the service
```bash
systemctl enable --now btrbk_snapshots.conf
```
#### Backups
Before you begin, go through the usual process of setting up an encrypted drive:
1. Install udisks2 for automatic usb drive mounting
```bash
pacman -S udisks2
```
2. Crypttab automatically loads keys named `<drive_name>.key` from `/etc/cryptsetup-keys.d`
```bash
mkdir /etc/cryptsetup-keys.d
```
3. Generate a sufficiently random key
```bash
dd if=/dev/urandom of=/etc/cryptsetup-keys.d/btr_backup.key bs=64 count=1`
```
4. Add the key to your backup drive
```bash
cryptsetup luksAddKey /dev/sda1 /etc/cryptsetup-keys.d/btr_backup.key
```
5. Create a crypttab entry
/etc/crypttab
```text
btr_backup UUID=a074a34c-1211-4f9a-a88c-071b4775fe54 none nofail
```
6. Create an fstab entry
/etc/fstab
```text
/dev/mapper/btr_backup /mnt/btr_backup btrfs rw,relatime,ssd,space_cache=v2,subvolid=5,comment=x-gvfs-show,nofail 0 0
```
7. Create a read-only mount point to prevent accidental backups to the wrong disk
```bash
btrfs subvolume create /mnt/btr_backup
btrfs property set /mnt/btr_backup ro true
```
8. Create a backup config
/etc/btrbk/backups.conf
```conf
snapshot_create no
target_preserve_min no
target_preserve 30d
volume /mnt/btr_pools
target /mnt/btr_backup
subvolume root
snapshot_dir .snapshots
volume /mnt/btr_pools
target /mnt/btr_backup
subvolume home
snapshot_dir .snapshots
volume /mnt/btr_pools
target /mnt/btr_backup
subvolume libvirt
snapshot_dir .snapshots
```
9. Create a backup service
/etc/systemd/system/btrbk_backups.service
```conf
[Unit]
Description=Runs btrbk with config file at /etc/btrbk/btrbk.conf
[Service]
ExecStart=btrbk -c /etc/btrbk/btrbk.conf -v run
```
10. Create a timer to activate the service
/etc/systemd/system/btrbk_backups.timer
```conf
[Unit]
Description=Run btrbk every hour
[Timer]
OnCalendar=hourly
AccuracySec=10min
Persistent=true
Unit=btrbk.service
[Install]
WantedBy=timers.target
```
11. Enable the timer
```bash
systemctl enable --now btrbk_backup.conf
```
### ISCSI
1. Add auth login
/etc/iscsi/iscsid.conf
```conf
node.session.auth.chap_algs = SHA3-256,SHA256,SHA1,MD5
node.session.auth.username = username
node.session.auth.password = password
```
2. Initiate and login to the portal
```bash
# Add a new target to your list of nodes
iscsiadm \
-m discovery \
-t st \
-p driveripper.reeselink.com
# Login to the target
iscsiadm \
-m node \
--targetname iqn.2023-01.driveripper.reeselink.com:backup-reese-pc \
-p driveripper.reeselink.com:3260 \
--login
# or login to all targets
iscsiadm -m node --loginall all
# View current session
iscsiadm -m session
# Log out of all sessions
iscsiadm -m node -u
```
#### Backing up a snapshot
```bash
pacman -S pv
btrfs send /mnt/btr_backup/root.20230727T1000 | pv | btrfs receive /mnt/btr_iscsi
```
### VSCode
For the open source version of code install `code`:
```bash
sudo pacman -S code
```
For the proprietary version of vscode install `yay` and then:
```bash
yay -S visual-studio-code-bin
```
To save a list of installed extensions run:
```bash
code --list-extensions >> vscode_extensions.txt
```
To install that list of extensions run:
```bash
cat vscode_extensions.txt | xargs -L 1 code --install-extension
```
## Apps
| Name | Description |
| ---------------- | ------------------------- |
| base-devel | makepkg requirement |
| kubectl | kubernetes kubectl |
| wine | wine64 emulator |
| steam | steam |
| git | git |
| iperf3 | iperf3 network speedtest |
| spotify-launcher | official spotify launcher |
## Bashrc
~/.bashrc
```bash
# .bashrc
# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
# User specific binaries
if ! [[ "$PATH" =~ "$HOME/.local/bin:$HOME/bin:" ]]
then
PATH="$HOME/.local/bin:$HOME/bin:$PATH"
fi
export PATH
# User specific aliases and functions (source .bashrc.d/)
if [ -d ~/.bashrc.d ]; then
for rc in ~/.bashrc.d/*; do
if [ -f "$rc" ]; then
. "$rc"
fi
done
fi
# clear var used in for loop
unset rc
```
~/.bashrc.d/aliases.sh
```bash
# (Mostly) Taken from https://www.cyberciti.biz/tips/bash-aliases-mac-centos-linux-unix.html
# Author: Vivek Gite
## Colorize the ls output ##
alias ls="ls --color=auto"
## Colorize the grep command output for ease of use (good for log files)##
alias grep='grep --color=auto'
alias egrep='egrep --color=auto'
alias fgrep='fgrep --color=auto'
## Make mount human readable ##
alias mount='mount |column -t'
## show open ports ##
alias ports='ss -tulanp'
# do not delete / or prompt if deleting more than 3 files at a time #
alias rm='rm -I --preserve-root'
# confirmation #
alias mv='mv -i'
alias cp='cp -i'
alias ln='ln -i'
# Parenting changing perms on / #
alias chown='chown --preserve-root'
alias chmod='chmod --preserve-root'
alias chgrp='chgrp --preserve-root'
## pass options to free ##
alias meminfo='free -m -l -t'
## get top process eating memory
alias psmem='ps auxf | sort -nr -k 4'
alias psmem10='ps auxf | sort -nr -k 4 | head -10'
## get top process eating cpu ##
alias pscpu='ps auxf | sort -nr -k 3'
alias pscpu10='ps auxf | sort -nr -k 3 | head -10'
## this one saved by butt so many times ##
alias wget='wget -c'
## set some other defaults ##
alias df='df -H'
alias du='du -ch'
## ls but with file sizes, showing largest at the bottom ##
alias lst='ls --human-readable --size -1 -S --classify -r'
## ls show only directories
alias lsd='ls -d */'
## Count the number of files in a directory
alias lsc='find . -type f | wc -l'
## ls sort by last modified ##
alias lmt='ls -t -1'
```
## Unecessary
### Plymouth Background Image
1. `sudo cp image.png /usr/share/plymouth/themes/spinner/background-tile.png`
1. `sudo plymouth-set-default-theme -R spinner`
## Help
### Update Grub
1. `grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=BOOT`
1. `cp /boot/EFI/BOOT/grubx64.efi /boot/EFI/BOOT/bootx64.efi`
### Downgrading Kernel
You can find old kernel versions at <https://archive.archlinux.org/packages/l/linux/>
You can find old kernel-header versions at <https://archive.archlinux.org/packages/l/linux-headers/>
If you want to downgrade to a previously installed kernel you can use pacman cache:
1. `cd /var/cache/pacman/pkg`
2. `pacman -U linux-x.x.x.arch1-1-x86_64.pkg.tar.zst linux-headers-x.x.x.arch1-1-x86_64.pkg.tar.zst`
3. `reboot`
If you want to downgrade to a kernel that wasn't previously installed:
1. Download linux... and linux-headers... from above
2. `pacman -U linux-x.x.x.arch1-1-x86_64.pkg.tar.zst linux-headers-x.x.x.arch1-1-x86_64.pkg.tar.zst`
3. `reboot`
Reference in New Issue View Git Blame Copy Permalink