diff --git a/infrastructure/graduated/arch/README.md b/infrastructure/graduated/arch/README.md index e163606..2095b8c 100644 --- a/infrastructure/graduated/arch/README.md +++ b/infrastructure/graduated/arch/README.md @@ -1,7 +1,7 @@ # Arch Base -This is the base configuration from which you can build a variety of systems. Right now -I have instructions for building a: +This is the base configuration from which you can build a variety of systems. Right now I have +instructions for building a: 1. [Workstation](workstation.md) 2. [Gaming PC](gaming.md) @@ -32,9 +32,6 @@ I have instructions for building a: - [Backups](#backups) - [Backing up a snapshot](#backing-up-a-snapshot) - [Chroots](#chroots) - - [Fingerprint Reader Support](#fingerprint-reader-support) - - [Setup](#setup) - - [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed) - [Hardware Management](#hardware-management) - [Power Profiles](#power-profiles) - [Color Management](#color-management) @@ -44,21 +41,14 @@ I have instructions for building a: - [Bluetooth](#bluetooth) - [Audio](#audio) - [Software Stores](#software-stores) - - [AppImage Support](#appimage-support) - - [Troubleshooting](#troubleshooting) - [Flatpak](#flatpak) - - [Apps](#apps) - - [Firefox](#firefox) - - [Gnome Extensions](#gnome-extensions) - - [Avahi (Bonjour)](#avahi-bonjour) - - [CUPS Printing](#cups-printing) + - [AppImage](#appimage) ## Installation ### Preparation -Follow most of the instructions here: - +Follow most of the instructions here: 1. Download Arch 2. Verify the image 
@@ -68,9 +58,10 @@ Follow most of the instructions here: gpg --keyserver-options auto-key-retrieve --verify archlinux-... ``` -3. Create a bootable ISO +3. Create a bootable ISO - 1. If you are booting into a VM, create an ISO with installation files so you don't have to copy-paste: + 1. If you are booting into a VM, create an ISO with installation files so you don't have to + copy-paste: ```bash sudo pacman -S cdrtools @@ -83,12 +74,20 @@ Follow most of the instructions here: ### Installation -You'll want two usb drives while following this guide. One will be the Arch boot drive. The -other will be a support drive with critical files and passwords which we will need to access -after we finish the install. +You'll want two usb drives while following this guide. One will be the Arch boot drive. The other +will be a support drive with critical files and passwords which we will need to access after we +finish the install. 1. Boot into the live image -2. Check for network connectivity +2. If you only have wifi, use iwctl to connect + 1. `iwctl` + 2. `device list` + 3. `adapter wlan0 set-property Powered on` <- Note: replace "wlan0" with the name of your device + 4. `station wlan0 scan` + 5. `station wlan0 get-networks` + 6. `station wlan0 connect SSID` + +3. Check for network connectivity ```bash # Check for internet 
@@ -96,42 +95,46 @@ after we finish the install. ping archlinux.org ``` -3. `timedatectl` to update system clock -4. Install pwgen for password generation `pacman -S pwgen` -5. If using a VM, mount the iso with arch conf files +4. `timedatectl` to update system clock +5. Sync the pacman database with `pacman -Sy` +6. Install pwgen for password generation `pacman -S pwgen` +7. If using a VM, mount the iso with arch conf files ```bash mount --mkdir /dev/sr1 /media ``` -6. If using a physical computer, mount your support drive +8. If using a physical computer, mount your support drive ```bash mount --mkdir /dev/sdb1 /media ``` -7. Create disk partitions. Use gdisk or beware "bootctl install is not on a gpt partition table" +9. Create disk partitions. Use gdisk or beware "bootctl install is not on a gpt partition table" ```bash fdisk -l gdisk /dev/vda ``` - - +1G for /boot - - t EFI SYSTEM for /boot - - remaining for / + 1. Delete all existing partitions with `d` + 2. Create a new partition (partition 1) with `n` + 3. When prompted for `last sector` type `+1G` + 4. When prompted for partition structure, type `L` and search for `EFI SYSTEM`, then use that + hex code + 5. Create a second new partition (partition 2) with `n` + 6. Press enter through the remaining options (the defaults are good) -8. `mkfs.fat -F 32 /dev/vda1` (/mnt/boot partition) -9. This next step involves generating a secure, random password. Make sure to - save this somewhere. I recommend having an encrypted partition on your - installation drive to which you can write a few bytes of text. +10. `mkfs.fat -F 32 /dev/vda1` (/mnt/boot partition) +11. This next step involves generating a secure, random password. We're going to save this to our + support drive. `echo -n $(pwgen 8 5) | sed 's/ /-/g' > /media/root-key.txt` -10. `cryptsetup luksFormat /dev/vda2 --key-file /path/to/root-key.txt` -11. `cryptsetup luksOpen /dev/vda2 root --key-file /path/to/root-key.txt` -12. 
`mkfs.btrfs /dev/mapper/root` (root partition) -13. At this point you can choose how to subvolume your root partition +12. `cryptsetup luksFormat /dev/vda2 --key-file /path/to/root-key.txt` +13. `cryptsetup luksOpen /dev/vda2 root --key-file /path/to/root-key.txt` +14. `mkfs.btrfs /dev/mapper/root` (root partition) +15. At this point you can choose how to subvolume your root partition ```bash mount --mkdir -o subvolid=5 /btr_pool 
@@ -139,32 +142,32 @@ after we finish the install. btrfs sub create home /btr_pool ``` -14. Mount the root partition with `mount -o subvol=root /dev/mapper/root /mnt` -15. Mount the home partition with `mount -o subvol=home /dev/mapper/root /mnt/home` -16. Mount the boot partition with `mount --mkdir /dev/vda1 /mnt/boot` -17. `pacstrap -K /mnt base linux linux-firmware` +16. Mount the root partition with `mount -o subvol=root /dev/mapper/root /mnt` +17. Mount the home partition with `mount -o subvol=home /dev/mapper/root /mnt/home` +18. Mount the boot partition with `mount --mkdir /dev/vda1 /mnt/boot` +19. `pacstrap -K /mnt base linux linux-firmware` This command might show an error. This is ok, we'll fix it later. 20. `genfstab -U /mnt >> /mnt/etc/fstab` 21. If on VM: Mount the conf files with `mount --mkdir /dev/sr1 /mnt/media` -18. If on a physical computer: mount the support parition with `mount --mkdir /dev/sdb1 /mnt/media` -22. `arch-chroot /mnt` -23. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime` -24. `hwclock --systohc` -25. `echo 'en_US.UTF-8 UTF-8' > /etc/locale.gen` -26. `echo 'KEYMAP=us' > /etc/vconsole.conf` -27. `echo 'hostname' > /etc/hostname` -28. `pacman -S sudo vim dhclient dhcpcd bash-completion btrfs-progs plymouth` +22. If on a physical computer: mount the support parition with `mount --mkdir /dev/sdb1 /mnt/media` +23. `arch-chroot /mnt` +24. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime` +25. `hwclock --systohc` +26. `echo 'en_US.UTF-8 UTF-8' > /etc/locale.gen` +27. `echo 'KEYMAP=us' > /etc/vconsole.conf` +28. `echo 'hostname' > /etc/hostname` +29. `pacman -S sudo vim dhclient dhcpcd bash-completion btrfs-progs plymouth` - dhclient/dhcpcd provides dhcp for network - bash-completion provides tab complete - btrfs-progs provides fsck for btrfs - plymouth gives a nice bootloader screen -29. Edit /etc/mkinitcpio.conf and uncomment the line for systemd-boot with an encrypted drive. -30. `mkinitcpio -P` -31. 
Install systemd-boot +30. Edit /etc/mkinitcpio.conf and uncomment the line for systemd-boot with an encrypted drive. +31. `mkinitcpio -P` +32. Install systemd-boot @@ -172,10 +175,10 @@ after we finish the install. bootctl install ``` - If this raises an error like "efi partition not found" you probably forgot to format - /mnt/boot as an EFI partition. Edit this by reformatting it with gdisk (ef00 is the hex code). + If this raises an error like "efi partition not found" you probably forgot to format /mnt/boot + as an EFI partition. Edit this by reformatting it with gdisk (ef00 is the hex code). -32. edit your loader.conf with some defaults +33. edit your loader.conf with some defaults /boot/loader/loader.conf @@ -186,7 +189,7 @@ after we finish the install. editor no ``` -33. Create a loader (/usr/share/systemd/bootctl/arch.conf for example) +34. Create a loader (/usr/share/systemd/bootctl/arch.conf for example) /boot/loader/entries/arch.conf 
@@ -197,26 +200,26 @@ after we finish the install. options ... rd.luks.name=d9828faa-2b8c-4184-9e74-9054ae328c6d=root root=/dev/mapper/root rootflags=subvol=root ... ``` - You can get the UUID of the disk into arch.conf with some grepping. Use vim to cut - the excess and copy it into the correct location. + You can get the UUID of the disk into arch.conf with some grepping. Use vim to cut the excess + and copy it into the correct location. ```bash blkid | grep /dev/vda2 >> /boot/loader/entries/arch.conf ``` -34. `useradd ducoterra` -35. `passwd ducoterra` -36. `groupadd sudo` -37. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege -38. `usermod -aG sudo ducoterra` -39. `usermod -aG wheel ducoterra` -40. `mkdir /home/ducoterra` -41. `chown ducoterra:ducoterra /home/ducoterra` -42. `locale-gen` -43. `systemctl enable dhcpcd` -44. If on VM install guest drivers: `pacman -S qemu-guest-agent spice-vdagent` -45. If you need ssh: `pacman -S openssh; systemctl enable sshd` -46. Add a pacman hook for systemd-boot updates +35. `useradd ducoterra` +36. `passwd ducoterra` +37. `groupadd sudo` +38. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege +39. `usermod -aG sudo ducoterra` +40. `usermod -aG wheel ducoterra` +41. `mkdir /home/ducoterra` +42. `chown ducoterra:ducoterra /home/ducoterra` +43. `locale-gen` +44. `systemctl enable dhcpcd` +45. If on VM install guest drivers: `pacman -S qemu-guest-agent spice-vdagent` +46. If you need ssh: `pacman -S openssh; systemctl enable sshd` +47. Add a pacman hook for systemd-boot updates /etc/pacman.d/hooks/95-systemd-boot.hook 
@@ -232,30 +235,30 @@ after we finish the install. Exec = /usr/bin/systemctl restart systemd-boot-update.service ``` -47. Install gnome: `pacman -S gdm gnome` +49. Install gnome: `pacman -S gdm gnome` - choose pipewire-jack - choose wireplumber - choose noto-fonts-emoji -48. `systemctl enable gdm` -49. Install NetworkManager `pacman -S networkmanager` -50. `systemctl enable NetworkManager` -51. Install gnome nice-to-haves `pacman -S gnome-tweaks dconf-editor seahorse` -52. Install tpm2-tss for tpm2 disk decryption `pacman -S tpm2-tss` -53. Setup tpm2 disk decryption +50. `systemctl enable gdm` +51. Install NetworkManager `pacman -S networkmanager` +52. `systemctl enable NetworkManager` +53. Install gnome nice-to-haves `pacman -S gnome-tweaks dconf-editor seahorse` +54. Install tpm2-tss for tpm2 disk decryption `pacman -S tpm2-tss` +55. Setup tpm2 disk decryption ```bash systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs="" --unlock-key-file=/media/root-key.txt ``` -54. `exit` -55. `reboot` +56. `exit` +57. `reboot` ### Gnome Keyring -Don't set a password for single-user systems. We're using full-disk encryption. -This will let you login with just a fingerprint. +Don't set a password for single-user systems. We're using full-disk encryption. This will let you +login with just a fingerprint. 1. Install `seahorse` if you haven't already 2. Open the `Passwords and Keys` apps 
@@ -328,14 +331,29 @@ cd makepkg -si ``` +We can update our AUR packages with a script. As long as you clone your AUR +packages into ~/AUR this will work: + +~./local/scripts/update-aur.sh + +```bash +#!/bin/bash + +for file in $(ls /home/ducoterra/AUR); +do + cd /home/ducoterra/AUR/$file + git pull + makepkg -si +done +``` + ### Security -Every machine, regardless of use-case, should perform some basic hardening. You don't -need to follow every instruction in the above wiki, but you should at least -enable secure boot, tpm2 disk decryption, firewall, apparmor, clamav, btrfs snapshots, -and btrfs backups. +Every machine, regardless of use-case, should perform some basic hardening. You don't need to follow +every instruction in the above wiki, but you should at least enable secure boot, tpm2 disk +decryption, firewall, apparmor, clamav, btrfs snapshots, and btrfs backups. Security Philosophy 
@@ -347,49 +365,48 @@ Security Philosophy 2. TPM2 Decryption - Since we have secure boot enabled we can safely auto-decrypt our hard drive with a - tpm2 device. This is purely a convenience. + Since we have secure boot enabled we can safely auto-decrypt our hard drive with a tpm2 device. + This is purely a convenience. 3. Firewall - This should be self-explanatory, but I'll explain anyway. Don't allow any arbitrary - network traffic into your device. Block those ports. Only open what you need. Firewalls - drastically reduce the risk of remote exploits by stopping them before they can even - establish a connection. Firewalls can also be used to limit an attacker's ability - to even discover you on a network with icmp blocking. + This should be self-explanatory, but I'll explain anyway. Don't allow any arbitrary network + traffic into your device. Block those ports. Only open what you need. Firewalls drastically + reduce the risk of remote exploits by stopping them before they can even establish a connection. + Firewalls can also be used to limit an attacker's ability to even discover you on a network with + icmp blocking. 4. ClamAV - Much like Windows has Windows Defender, Linux has ClamAV. Running an antivirus scanner - certainly isn't the end-all-be-all of security, and it definitely isn't good enough - on its own to keep your system safe, but in combination with apparmor and a firewall - you can identify and quarantine malware before it has a chance to compromise your system. That - being said, finding *any* malware on a system is reason enough to nuke it from orbit and restore from a - known good backup. + Much like Windows has Windows Defender, Linux has ClamAV. Running an antivirus scanner certainly + isn't the end-all-be-all of security, and it definitely isn't good enough on its own to keep + your system safe, but in combination with apparmor and a firewall you can identify and + quarantine malware before it has a chance to compromise your system. 
That being said, finding + *any* malware on a system is reason enough to nuke it from orbit and restore from a known good + backup. 5. BTRFS Snapshots - This is not a backup, this is a snapshot. It serves an equally important function, however, - in that it protects you from accidental deletion and corruption. Let's imagine you perform - an update, reboot, and your computer crashes mid-startup. You could easily restore root - from a btrfs snapshot on your system and go on with your day like nothing happened. + This is not a backup, this is a snapshot. It serves an equally important function, however, in + that it protects you from accidental deletion and corruption. Let's imagine you perform an + update, reboot, and your computer crashes mid-startup. You could easily restore root from a + btrfs snapshot on your system and go on with your day like nothing happened. 6. BTRFS Backups - This is a backup. Unlike snapshots, which live on the same drive your system exists - on, backups are physically separate copies of your computer stored (hopefully) in a - physically separate location. In the event your computer is lost or stolen these - backups give you a way to perfectly restore your system to its former glory. + This is a backup. Unlike snapshots, which live on the same drive your system exists on, backups + are physically separate copies of your computer stored (hopefully) in a physically separate + location. In the event your computer is lost or stolen these backups give you a way to perfectly + restore your system to its former glory. #### Secure Boot 1. Put your machine in setup mode - On framework this is done in the UEFI setup page for Security, sub-page - Secure Boot, choose “Erase all Secure Boot Settings.” + On framework this is done in the UEFI setup page for Security, sub-page Secure Boot, choose + “Erase all Secure Boot Settings.” - On my Gigabyte motherboard this is done in the BIOS under security. Set secure boot - to custom. 
+ On my Gigabyte motherboard this is done in the BIOS under security. Set secure boot to custom. 2. `pacman -S efitools sbctl` 3. `cd /btr_pools/root/support/` @@ -416,7 +433,8 @@ You can optionally allow tpm2 decryption only while secure boot is active. Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure boot is disabled. 1. `pacman -S tpm2-tss` -2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7 --unlock-key-file=/btr_pools/root/support/root-key.txt` +2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7 + --unlock-key-file=/btr_pools/root/support/root-key.txt` ##### Re-enroll 
@@ -541,27 +559,25 @@ systemctl enable --now btrbk_snapshots.timer ##### Backups -Before you begin, go through the usual process of setting up an encrypted drive. If -you're using Gnome I recommend using the GUI since it handles encrypted USB drives -really nicely. +Before you begin, go through the usual process of setting up an encrypted drive. If you're using +Gnome I recommend using the GUI since it handles encrypted USB drives really nicely. -First, I'd recommend manually creating the mountpoint and setting it as a read-only. -This prevents backups from being written to the root device when the backup -disk isn't mounted. +First, I'd recommend manually creating the mountpoint and setting it as a read-only. This prevents +backups from being written to the root device when the backup disk isn't mounted. ```bash btrfs sub create /btr_pools/backup btrfs property set /btr_pools/backup ro true ``` -Second, I'd recommend creating subvolumes within your existing volumes for things you -don't want backed up. These include: +Second, I'd recommend creating subvolumes within your existing volumes for things you don't want +backed up. These include: 1. /var/lib/libvirt 2. Nextcloud -Third, I'd recommend iterating dot directories you'd need to restore and writing them -down somewhere: +Third, I'd recommend iterating dot directories you'd need to restore and writing them down +somewhere: 1. .aws 2. .cache 
@@ -657,130 +673,6 @@ You can create chroot environments to run firejails or just use for testing purp 5. `pacstrap -K /btr_pools/root/chroots/testing base base-devel` 6. `arch-chroot /btr_pools/root/chroots/testing` -#### Fingerprint Reader Support - -##### Setup - -1. `pacman -S fprintd` -2. `systemctl enable --now fprintd` -3. `fprintd-enroll ducoterra` -4. Install to use fingerprint with gnome - -In order to use fingerprint auth with gnome for privileged system stuff with gdm, -edit `/etc/pam.d/system-auth` to include `auth sufficient pam_fprintd_grosshack.so`. - -```conf -#%PAM-1.0 - -auth required pam_shells.so # User must have shell in /etc/shells -auth requisite pam_nologin.so # Prevents users from loging in if /etc/nologin exists -auth required pam_faillock.so preauth # Timeout after certain number of fails -# Optionally use requisite above if you do not want to prompt for the password -# on locked accounts. -auth sufficient pam_fprintd_grosshack.so --auth [success=2 default=ignore] pam_systemd_home.so -auth [success=1 default=bad] pam_unix.so try_first_pass nullok -auth [default=die] pam_faillock.so authfail -auth optional pam_permit.so -auth required pam_env.so -auth required pam_faillock.so authsucc -# If you drop the above call to pam_faillock.so the lock will be done also -# on non-consecutive authentication failures. - --account [success=1 default=ignore] pam_systemd_home.so -account required pam_unix.so -account optional pam_permit.so -account required pam_time.so - --password [success=1 default=ignore] pam_systemd_home.so -password required pam_unix.so try_first_pass nullok shadow -password optional pam_permit.so - --session optional pam_systemd_home.so -session required pam_limits.so -session required pam_unix.so -session optional pam_permit.so -``` - -##### Turn Off Fingerprint When Laptop Lid Closed - -**NOTE: This may break fingerprint unlock. 
Testing in progress.** - -To disable fingerprint authentication when the laptop lid is closed, and -re-enable when it is reopened, we will use acpid to bind to the button/lid.* -event to a custom script that will comment out fprintd auth in /etc/pam.d/sudo. - -Usually we'd just `systemctl mask fprintd` but this breaks gdm (as of 08/06/23). See - and -. - -1. `pacman -S acpid` and then `systemctl enable --now acpid` -2. Create file /etc/acpi/laptop-lid.sh with the following contents: - - ```bash - #!/bin/bash - - if grep -Fq closed /proc/acpi/button/lid/LID0/state # && - # This is used to detect if a display is connected. - # For USB C displayport use: - # grep -Fxq connected /sys/class/drm/card1-DP-2/status - # For hdmi use: - # grep -Fxq connected /sys/class/drm/card0-HDMI-A-1/status - then - # comment out fprintd - sed -i -E 's/^([^#].*pam_fprintd.so)/#\1/g' /etc/pam.d/sudo - else - # uncomment fprintd - sed -i -E 's/#(.*pam_fprintd.so)/\1/g' /etc/pam.d/sudo - - fi - ``` - -3. Make the file executable with - - `chmod +x /etc/acpi/laptop-lid.sh` - -4. Create file /etc/acpi/events/laptop-lid with the following contents: - - ```bash - event=button/lid.* - action=/etc/acpi/laptop-lid.sh - ``` - -5. Restart the acpid service with: - - `systemctl restart acpid` - -Now the fingerprint will be used only when the lid is open. - -In order to ensure the correct state after suspend we need a service file which -runs our script on wake. - -1. Create a file named /etc/systemd/system/laptop-lid.service with the following contents: - - ```bash - [Unit] - Description=Laptop Lid - After=suspend.target - - [Service] - ExecStart=/etc/acpi/laptop-lid.sh - - [Install] - WantedBy=multi-user.target - WantedBy=suspend.target - ``` - -2. Reload the systemd config files with - - `sudo systemctl daemon-reload` - -3. 
Start and enable the service with - - `sudo systemctl enable --now laptop-lid.service` - -Now the status should be correct even after connecting/disconnecting when the computer is off. - ## Hardware Management ### Power Profiles @@ -839,8 +731,8 @@ vainfo ### Don't sleep while plugged in -This is needed for the Framework 13 (11th gen) since sleeping while plugged in to a dock -will prevent it from waking up. +This is needed for the Framework 13 (11th gen) since sleeping while plugged in to a dock will +prevent it from waking up. ```bash vim /etc/systemd/logind.conf @@ -859,9 +751,21 @@ Without pipewire-pulse the audio level/device will reset every reboot. ## Software Stores -### AppImage Support +### Flatpak -Also chmod +x before running. +```bash +pacman -S flatpak +``` + +### AppImage + +Install fuse for appimage support. + +```bash +sudo pacman -S fuse +``` + +Make sure to chmod +x the `.appimage` file before running. 1. `cp ~/Downloads/xxxxxxx.appimage ~/Applications` 2. Find an icon online and save it to ~/.icons 
@@ -877,69 +781,3 @@ Also chmod +x before running. 4. `desktop-file-validate ~/.local/share/applications/*.desktop` 5. `update-desktop-database` - -#### Troubleshooting - -fuse may be required to run an appimage. - -```bash -sudo pacman -S fuse -``` - -### Flatpak - -```bash -pacman -S flatpak -``` - -## Apps - -### Firefox - -You'll want firefox and gnome-browser-connector (for gnome extension management). - -```bash -pacman -S firefox gnome-browser-connector -``` - -Choose noto-fonts - -#### Gnome Extensions - -1. AlphabeticalAppGrid@stuarthayhurst -2. -3. -4. - -### Avahi (Bonjour) - -1. `pacman -S avahi` -2. `vim /etc/nsswitch.conf` - - ```conf - hosts: mymachines mdns [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns - ``` - -3. `vim /etc/mdns.allow` - -```conf -.local. -.local -``` - -### CUPS Printing - -Note: you need [avahi](#avahi-bonjour) for auto-discovery. - -1. `pacman -S cups cups-pdf system-config-printer gutenprint foomatic-db-gutenprint-ppds` -2. `cups-genppdupdate` -3. `usermod -aG lp ducoterra` -4. `systemctl enable --now cups` -5. In gnome settings: - 1. Add printer - 2. Enter the IP address - 3. Wait... - 4. Select "JetDirect" - 5. Select Generic - 6. Select IPP Printer - 7. Print diff --git a/infrastructure/graduated/arch/workstation.md b/infrastructure/graduated/arch/workstation.md index 2e5465c..5b11a14 100644 --- a/infrastructure/graduated/arch/workstation.md +++ b/infrastructure/graduated/arch/workstation.md 
@@ -1,8 +1,18 @@ # Workstation - [Workstation](#workstation) + - [Pacman Packages](#pacman-packages) + - [Upgrade/Downgrade](#upgradedowngrade) + - [Freeze package](#freeze-package) + - [Fingerprint Reader Support](#fingerprint-reader-support) + - [Setup](#setup) + - [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed) - [SSH](#ssh) - [Templates](#templates) + - [Firefox](#firefox) + - [Gnome Extensions](#gnome-extensions) + - [Avahi (Bonjour)](#avahi-bonjour) + - [CUPS Printing](#cups-printing) - [Toolbox](#toolbox) - [Podman](#podman) - [Docker](#docker) 
@@ -39,6 +49,153 @@ - [Glances](#glances) - [VirtualBox](#virtualbox) +## Pacman Packages + +### Upgrade/Downgrade + +The [Arch Linux Archive](https://archive.archlinux.org/packages/) keeps snapshots of all packages +from history. Search for your package on the site, copy the link for the `pkg.tar.zst` file, and run +the following: + +```bash +# Replace link with the one you copied +pacman -U https://archive.archlinux.org/packages/g/gdm/gdm-46.2-1-x86_64.pkg.tar.zst +``` + +### Freeze package + +You can freeze a package by adding it to the list of ignores in `/etc/pacman.conf`: + +```conf +... +IgnorePkg = nano vim linux +... +``` + +## Fingerprint Reader Support + +### Setup + +1. `pacman -S fprintd` +2. `systemctl enable --now fprintd` +3. `fprintd-enroll ducoterra` +4. Install to use fingerprint with gnome + +In order to use fingerprint auth with gnome for privileged system stuff with gdm, edit +`/etc/pam.d/system-auth` to include `auth sufficient pam_fprintd_grosshack.so`. + +```conf +#%PAM-1.0 + +auth required pam_shells.so # User must have shell in /etc/shells +auth requisite pam_nologin.so # Prevents users from loging in if /etc/nologin exists +auth required pam_faillock.so preauth # Timeout after certain number of fails +# Optionally use requisite above if you do not want to prompt for the password +# on locked accounts. +auth sufficient pam_fprintd_grosshack.so +-auth [success=2 default=ignore] pam_systemd_home.so +auth [success=1 default=bad] pam_unix.so try_first_pass nullok +auth [default=die] pam_faillock.so authfail +auth optional pam_permit.so +auth required pam_env.so +auth required pam_faillock.so authsucc +# If you drop the above call to pam_faillock.so the lock will be done also +# on non-consecutive authentication failures. 
+ +-account [success=1 default=ignore] pam_systemd_home.so +account required pam_unix.so +account optional pam_permit.so +account required pam_time.so + +-password [success=1 default=ignore] pam_systemd_home.so +password required pam_unix.so try_first_pass nullok shadow +password optional pam_permit.so + +-session optional pam_systemd_home.so +session required pam_limits.so +session required pam_unix.so +session optional pam_permit.so +``` + +### Turn Off Fingerprint When Laptop Lid Closed + +**NOTE: This may break fingerprint unlock. Testing in progress.** + +To disable fingerprint authentication when the laptop lid is closed, and re-enable when it is +reopened, we will use acpid to bind to the button/lid.* event to a custom script that will comment +out fprintd auth in /etc/pam.d/sudo. + +Usually we'd just `systemctl mask fprintd` but this breaks gdm (as of 08/06/23). See + and +. + +1. `pacman -S acpid` and then `systemctl enable --now acpid` +2. Create file /etc/acpi/laptop-lid.sh with the following contents: + + ```bash + #!/bin/bash + + if grep -Fq closed /proc/acpi/button/lid/LID0/state # && + # This is used to detect if a display is connected. + # For USB C displayport use: + # grep -Fxq connected /sys/class/drm/card1-DP-2/status + # For hdmi use: + # grep -Fxq connected /sys/class/drm/card0-HDMI-A-1/status + then + # comment out fprintd + sed -i -E 's/^([^#].*pam_fprintd.so)/#\1/g' /etc/pam.d/sudo + else + # uncomment fprintd + sed -i -E 's/#(.*pam_fprintd.so)/\1/g' /etc/pam.d/sudo + + fi + ``` + +3. Make the file executable with + + `chmod +x /etc/acpi/laptop-lid.sh` + +4. Create file /etc/acpi/events/laptop-lid with the following contents: + + ```bash + event=button/lid.* + action=/etc/acpi/laptop-lid.sh + ``` + +5. Restart the acpid service with: + + `systemctl restart acpid` + +Now the fingerprint will be used only when the lid is open. + +In order to ensure the correct state after suspend we need a service file which runs our script on +wake. + +1. 
Create a file named /etc/systemd/system/laptop-lid.service with the following contents: + + ```bash + [Unit] + Description=Laptop Lid + After=suspend.target + + [Service] + ExecStart=/etc/acpi/laptop-lid.sh + + [Install] + WantedBy=multi-user.target + WantedBy=suspend.target + ``` + +2. Reload the systemd config files with + + `sudo systemctl daemon-reload` + +3. Start and enable the service with + + `sudo systemctl enable --now laptop-lid.service` + +Now the status should be correct even after connecting/disconnecting when the computer is off. + ## SSH Generate a key with password protection: @@ -81,6 +238,57 @@ mkdir ~/Templates touch ~/Templates/text.txt ``` + +## Firefox + +You'll want firefox and gnome-browser-connector (for gnome extension management). + +```bash +pacman -S firefox gnome-browser-connector +``` + +Choose noto-fonts + +### Gnome Extensions + +1. AlphabeticalAppGrid@stuarthayhurst +2. +3. +4. + +## Avahi (Bonjour) + +1. `pacman -S avahi` +2. `vim /etc/nsswitch.conf` + + ```conf + hosts: mymachines mdns [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns + ``` + +3. `vim /etc/mdns.allow` + +```conf +.local. +.local +``` + +## CUPS Printing + +Note: you need [avahi](#avahi-bonjour) for auto-discovery. + +1. `pacman -S cups cups-pdf system-config-printer gutenprint foomatic-db-gutenprint-ppds` +2. `cups-genppdupdate` +3. `usermod -aG lp ducoterra` +4. `systemctl enable --now cups` +5. In gnome settings: + 1. Add printer + 2. Enter the IP address + 3. Wait... + 4. Select "JetDirect" + 5. Select Generic + 6. Select IPP Printer + 7. Print + ## Toolbox @@ -494,7 +702,9 @@ Type=Application ```bash -mv ~/Downloads/Nextcloud.Talk-linux-*/Nextcloud* ~/Applications/NextcloudTalk +unzip ~/Downloads/Nextcloud.Talk-linux*.zip -d ~/Downloads +rm -rf ~/Applications/NextcloudTalk +mv ~/Downloads/'Nextcloud Talk-linux-x64' ~/Applications/NextcloudTalk ``` vim ~/.local/share/applications/nextcloud-talk.desktop 
@@ -533,6 +743,12 @@ Download the best quality video: yt-dlp -f "bv+ba/b" https://... ``` +Download a playlist: + +```bash +yt-dlp -f "bv+ba/b" --write-thumbnail https://www.youtube.com/watch?v=l-unefmAo9k&list=PLuYLhuXt4HrQqnfSceITmv6T_drx1hN84 +``` + ## Iperf3 ```bash
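Review bot: `adapter wlan0 set-property Powered on` in the new iwctl steps (README hunk `@@ -83,12 +74,20 @@`) pairs the adapter subcommand with a device name: `device list` in the step before it returns device names such as wlan0, while iwctl's `adapter` subcommand expects an adapter name (phy0 style), so the matching step is `device wlan0 set-property Powered on`. The inline reminder to substitute your own device name is good; it just needs the matching subcommand.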
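Review bot: Dropping the advice to keep the generated root key on an encrypted partition (README hunk `@@ -96,42 +95,46 @@`, step 11) leaves the LUKS key in plaintext on the support drive, and nothing in the surrounding steps encrypts that drive (step 8 mounts /dev/sdb1 directly). Since `--unlock-key-file=/media/root-key.txt` makes this file equivalent to the disk passphrase, keep a sentence on where the support drive gets encrypted or how the key file is protected once the install is done. Two smaller points in the same hunk: `pwgen 8 5` produces pronounceable passwords by default and `pwgen -s 8 5` produces fully random ones, which is what a LUKS key file wants; and the gdisk step says to search for `EFI SYSTEM` while the hex code (ef00) is only mentioned much later in the systemd-boot error note, so stating it here saves a lookup.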
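Review bot: "parition" in the renumbered step 22 (README hunk `@@ -139,32 +142,32 @@`) should be "partition". In the same hunk, the unchanged note under the pacstrap step, "This command might show an error. This is ok, we'll fix it later.", would be more useful if it named the error it expects and pointed at the step that fixes it, so readers can tell an expected error from a real one.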
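Review bot: The list numbering in README hunk `@@ -232,30 +235,30 @@` jumps from step 47 straight to `+49. Install gnome`, so step 48 is missing; renumber to 48 and shift the rest. Also, the unchanged `systemd-cryptenroll ... --tpm2-pcrs=""` in step 55 binds the TPM2 key to no PCRs, so the TPM releases the key regardless of boot state, while the Security section later re-enrolls with `--tpm2-pcrs=7` and explains that it requires the password when secure boot is disabled. A short pointer here ("this is re-enrolled with PCR 7 under Security") would keep readers from stopping at the weaker enrollment.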
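Review bot: The new `update-aur.sh` in README hunk `@@ -328,14 +331,29 @@` has no error handling: without `set -e`, a failed `cd /home/ducoterra/AUR/$file` leaves the loop in the previous directory and runs `git pull` and `makepkg -si` there. `for file in $(ls ...)` also breaks on names containing spaces; `for dir in /home/ducoterra/AUR/*/; do cd "$dir" || exit 1; ...` avoids both problems. From a supply-chain standpoint, `git pull` followed immediately by `makepkg -si` builds and installs whatever the PKGBUILD now contains without anyone reading the change; a `git diff HEAD@{1} HEAD` between the pull and the build, or at least a confirmation prompt, deserves a line here given the Security section that follows. The path header `~./local/scripts/update-aur.sh` should read `~/.local/scripts/update-aur.sh`.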
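Review bot: Wrapping the `systemd-cryptenroll` command across two lines inside one backtick span (README hunk `@@ -416,7 +433,8 @@`) renders as a code span with the line break turned into a space, and anyone copying from the source gets a broken command. Put the long command in a fenced bash code block, as the earlier enrollment step under Installation already does.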
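Review bot: "Make sure to chmod +x the `.appimage` file before running" (README hunk `@@ -859,9 +751,21 @@`) is the point where an unverified download becomes executable; since the following steps copy straight from ~/Downloads, add a step to check the publisher's checksum or signature first. Minor: this hunk uses `sudo pacman -S fuse` while every other install line in the document uses bare `pacman -S`; pick one convention.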
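Review bot: Adding `linux` to the `IgnorePkg` example in workstation hunk `@@ -39,6 +49,153 @@` freezes the kernel, which also holds back kernel security updates; the section should say that a freeze is temporary and that the entry (and any package pinned with `pacman -U` from the archive) should be removed once the issue that prompted the downgrade is fixed. In the Fingerprint Reader section, step 4 "Install to use fingerprint with gnome" never names what to install, yet the PAM config that follows relies on `pam_fprintd_grosshack.so`, which fprintd itself does not ship; name the package. In `laptop-lid.sh`, both sed patterns match `pam_fprintd.so` while the system-auth file above uses `pam_fprintd_grosshack.so`; the script edits /etc/pam.d/sudo, so state which module name that file actually contains, and note that the uncomment pattern `s/#(.*pam_fprintd.so)/\1/g` also strips deliberately commented-out lines. For `laptop-lid.service`, a script that runs and exits fits `Type=oneshot` better than the default service type.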
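Review bot: Items 2 through 4 of the Gnome Extensions list in workstation hunk `@@ -81,6 +238,57 @@` are empty; fill them in or drop them before merging. "Choose noto-fonts" under Firefox does not say which pacman prompt it refers to; a few words on that would help.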
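Review bot: `rm -rf ~/Applications/NextcloudTalk` in workstation hunk `@@ -494,7 +702,9 @@` runs before the `mv`, and the `mv` source `~/Downloads/'Nextcloud Talk-linux-x64'` is a hardcoded name while the `unzip` line uses a glob; if the archive extracts to a differently named directory, the old install is already gone and the `mv` fails. Chain the three commands with `&&` so the removal only happens after a successful unzip and the sequence stops on the first failure.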
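Review bot: The playlist URL in workstation hunk `@@ -533,6 +743,12 @@` is unquoted and contains `&`, so the shell backgrounds `yt-dlp -f "bv+ba/b" --write-thumbnail https://www.youtube.com/watch?v=l-unefmAo9k` and then runs `list=PLuYLhuXt4HrQqnfSceITmv6T_drx1hN84` as a variable assignment; yt-dlp never sees the list parameter. Quote the URL: `yt-dlp -f "bv+ba/b" --write-thumbnail "https://www.youtube.com/watch?v=l-unefmAo9k&list=PLuYLhuXt4HrQqnfSceITmv6T_drx1hN84"`.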