services/homelab
1
1
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases Wiki Activity

general arch install fixes for Nic's complaints

Browse Source
This commit is contained in:
Reese Wells
2024-08-07 10:55:00 -04:00
parent 602ae8c841
commit 449c0cddbb
2 changed files with 370 additions and 316 deletions
Download Patch File Download Diff File Expand all files Collapse all files

468
infrastructure/graduated/arch/README.md
View File

@@ -1,7 +1,7 @@
# Arch Base
This is the base configuration from which you can build a variety of systems. Right now
I have instructions for building a:
This is the base configuration from which you can build a variety of systems. Right now I have
instructions for building a:
1. [Workstation](workstation.md)
2. [Gaming PC](gaming.md)
@@ -32,9 +32,6 @@ I have instructions for building a:
- [Backups](#backups)
- [Backing up a snapshot](#backing-up-a-snapshot)
- [Chroots](#chroots)
- [Fingerprint Reader Support](#fingerprint-reader-support)
- [Setup](#setup)
- [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed)
- [Hardware Management](#hardware-management)
- [Power Profiles](#power-profiles)
- [Color Management](#color-management)
@@ -44,21 +41,14 @@ I have instructions for building a:
- [Bluetooth](#bluetooth)
- [Audio](#audio)
- [Software Stores](#software-stores)
- [AppImage Support](#appimage-support)
- [Troubleshooting](#troubleshooting)
- [Flatpak](#flatpak)
- [Apps](#apps)
- [Firefox](#firefox)
- [Gnome Extensions](#gnome-extensions)
- [Avahi (Bonjour)](#avahi-bonjour)
- [CUPS Printing](#cups-printing)
- [AppImage](#appimage)
## Installation
### Preparation
Follow most of the instructions here:
<https://wiki.archlinux.org/title/Installation_guide>
Follow most of the instructions here: <https://wiki.archlinux.org/title/Installation_guide>
1. Download Arch
2. Verify the image
@@ -68,9 +58,10 @@ Follow most of the instructions here:
gpg --keyserver-options auto-key-retrieve --verify archlinux-...
```
3. Create a bootable ISO
3. Create a bootable ISO <https://wiki.archlinux.org/title/USB_flash_installation_medium>
1. If you are booting into a VM, create an ISO with installation files so you don't have to copy-paste:
1. If you are booting into a VM, create an ISO with installation files so you don't have to
copy-paste:
```bash
sudo pacman -S cdrtools
@@ -83,12 +74,20 @@ Follow most of the instructions here:
### Installation
You'll want two usb drives while following this guide. One will be the Arch boot drive. The
other will be a support drive with critical files and passwords which we will need to access
after we finish the install.
You'll want two usb drives while following this guide. One will be the Arch boot drive. The other
will be a support drive with critical files and passwords which we will need to access after we
finish the install.
1. Boot into the live image
2. Check for network connectivity
2. If you only have wifi, use iwctl to connect <https://wiki.archlinux.org/title/Iwd#iwctl>
1. `iwctl`
2. `device list`
3. `adapter wlan0 set-property Powered on` <- Note: replace "wlan0" with the name of your device
4. `station wlan0 scan`
5. `station wlan0 get-networks`
6. `station wlan0 connect SSID`
3. Check for network connectivity
```bash
# Check for internet
@@ -96,42 +95,46 @@ after we finish the install.
ping archlinux.org
```
3. `timedatectl` to update system clock
4. Install pwgen for password generation `pacman -S pwgen`
5. If using a VM, mount the iso with arch conf files
4. `timedatectl` to update system clock
5. Sync the pacman database with `pacman -Sy`
6. Install pwgen for password generation `pacman -S pwgen`
7. If using a VM, mount the iso with arch conf files
```bash
mount --mkdir /dev/sr1 /media
```
6. If using a physical computer, mount your support drive
8. If using a physical computer, mount your support drive
```bash
mount --mkdir /dev/sdb1 /media
```
7. Create disk partitions. Use gdisk or beware "bootctl install is not on a gpt partition table"
9. Create disk partitions. Use gdisk or beware "bootctl install is not on a gpt partition table"
```bash
fdisk -l
gdisk /dev/vda
```
- +1G for /boot
- t EFI SYSTEM for /boot
- remaining for /
1. Delete all existing partitions with `d`
2. Create a new partition (partition 1) with `n`
3. When prompted for `last sector` type `+1G`
4. When prompted for partition structure, type `L` and search for `EFI SYSTEM`, then use that
hex code
5. Create a second new partition (partition 2) with `n`
6. Press enter through the remaining options (the defaults are good)
8. `mkfs.fat -F 32 /dev/vda1` (/mnt/boot partition)
9. This next step involves generating a secure, random password. Make sure to
save this somewhere. I recommend having an encrypted partition on your
installation drive to which you can write a few bytes of text.
10. `mkfs.fat -F 32 /dev/vda1` (/mnt/boot partition)
11. This next step involves generating a secure, random password. We're going to save this to our
support drive.
`echo -n $(pwgen 8 5) | sed 's/ /-/g' > /media/root-key.txt`
10. `cryptsetup luksFormat /dev/vda2 --key-file /path/to/root-key.txt`
11. `cryptsetup luksOpen /dev/vda2 root --key-file /path/to/root-key.txt`
12. `mkfs.btrfs /dev/mapper/root` (root partition)
13. At this point you can choose how to subvolume your root partition
12. `cryptsetup luksFormat /dev/vda2 --key-file /path/to/root-key.txt`
13. `cryptsetup luksOpen /dev/vda2 root --key-file /path/to/root-key.txt`
14. `mkfs.btrfs /dev/mapper/root` (root partition)
15. At this point you can choose how to subvolume your root partition
```bash
mount --mkdir -o subvolid=5 /btr_pool
@@ -139,32 +142,32 @@ after we finish the install.
btrfs sub create home /btr_pool
```
14. Mount the root partition with `mount -o subvol=root /dev/mapper/root /mnt`
15. Mount the home partition with `mount -o subvol=home /dev/mapper/root /mnt/home`
16. Mount the boot partition with `mount --mkdir /dev/vda1 /mnt/boot`
17. `pacstrap -K /mnt base linux linux-firmware`
16. Mount the root partition with `mount -o subvol=root /dev/mapper/root /mnt`
17. Mount the home partition with `mount -o subvol=home /dev/mapper/root /mnt/home`
18. Mount the boot partition with `mount --mkdir /dev/vda1 /mnt/boot`
19. `pacstrap -K /mnt base linux linux-firmware`
This command might show an error. This is ok, we'll fix it later.
20. `genfstab -U /mnt >> /mnt/etc/fstab`
21. If on VM: Mount the conf files with `mount --mkdir /dev/sr1 /mnt/media`
18. If on a physical computer: mount the support parition with `mount --mkdir /dev/sdb1 /mnt/media`
22. `arch-chroot /mnt`
23. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime`
24. `hwclock --systohc`
25. `echo 'en_US.UTF-8 UTF-8' > /etc/locale.gen`
26. `echo 'KEYMAP=us' > /etc/vconsole.conf`
27. `echo 'hostname' > /etc/hostname`
28. `pacman -S sudo vim dhclient dhcpcd bash-completion btrfs-progs plymouth`
22. If on a physical computer: mount the support parition with `mount --mkdir /dev/sdb1 /mnt/media`
23. `arch-chroot /mnt`
24. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime`
25. `hwclock --systohc`
26. `echo 'en_US.UTF-8 UTF-8' > /etc/locale.gen`
27. `echo 'KEYMAP=us' > /etc/vconsole.conf`
28. `echo 'hostname' > /etc/hostname`
29. `pacman -S sudo vim dhclient dhcpcd bash-completion btrfs-progs plymouth`
- dhclient/dhcpcd provides dhcp for network
- bash-completion provides tab complete
- btrfs-progs provides fsck for btrfs
- plymouth gives a nice bootloader screen
29. Edit /etc/mkinitcpio.conf and uncomment the line for systemd-boot with an encrypted drive.
30. `mkinitcpio -P`
31. Install systemd-boot
30. Edit /etc/mkinitcpio.conf and uncomment the line for systemd-boot with an encrypted drive.
31. `mkinitcpio -P`
32. Install systemd-boot
<https://wiki.archlinux.org/title/systemd-boot>
@@ -172,10 +175,10 @@ after we finish the install.
bootctl install
```
If this raises an error like "efi partition not found" you probably forgot to format
/mnt/boot as an EFI partition. Edit this by reformatting it with gdisk (ef00 is the hex code).
If this raises an error like "efi partition not found" you probably forgot to format /mnt/boot
as an EFI partition. Edit this by reformatting it with gdisk (ef00 is the hex code).
32. edit your loader.conf with some defaults
33. edit your loader.conf with some defaults
/boot/loader/loader.conf
@@ -186,7 +189,7 @@ after we finish the install.
editor no
```
33. Create a loader (/usr/share/systemd/bootctl/arch.conf for example)
34. Create a loader (/usr/share/systemd/bootctl/arch.conf for example)
/boot/loader/entries/arch.conf
@@ -197,26 +200,26 @@ after we finish the install.
options ... rd.luks.name=d9828faa-2b8c-4184-9e74-9054ae328c6d=root root=/dev/mapper/root rootflags=subvol=root ...
```
You can get the UUID of the disk into arch.conf with some grepping. Use vim to cut
the excess and copy it into the correct location.
You can get the UUID of the disk into arch.conf with some grepping. Use vim to cut the excess
and copy it into the correct location.
```bash
blkid | grep /dev/vda2 >> /boot/loader/entries/arch.conf
```
34. `useradd ducoterra`
35. `passwd ducoterra`
36. `groupadd sudo`
37. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege
38. `usermod -aG sudo ducoterra`
39. `usermod -aG wheel ducoterra`
40. `mkdir /home/ducoterra`
41. `chown ducoterra:ducoterra /home/ducoterra`
42. `locale-gen`
43. `systemctl enable dhcpcd`
44. If on VM install guest drivers: `pacman -S qemu-guest-agent spice-vdagent`
45. If you need ssh: `pacman -S openssh; systemctl enable sshd`
46. Add a pacman hook for systemd-boot updates
35. `useradd ducoterra`
36. `passwd ducoterra`
37. `groupadd sudo`
38. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege
39. `usermod -aG sudo ducoterra`
40. `usermod -aG wheel ducoterra`
41. `mkdir /home/ducoterra`
42. `chown ducoterra:ducoterra /home/ducoterra`
43. `locale-gen`
44. `systemctl enable dhcpcd`
45. If on VM install guest drivers: `pacman -S qemu-guest-agent spice-vdagent`
46. If you need ssh: `pacman -S openssh; systemctl enable sshd`
47. Add a pacman hook for systemd-boot updates
/etc/pacman.d/hooks/95-systemd-boot.hook
@@ -232,30 +235,30 @@ after we finish the install.
Exec = /usr/bin/systemctl restart systemd-boot-update.service
```
47. Install gnome: `pacman -S gdm gnome`
49. Install gnome: `pacman -S gdm gnome`
- choose pipewire-jack
- choose wireplumber
- choose noto-fonts-emoji
48. `systemctl enable gdm`
49. Install NetworkManager `pacman -S networkmanager`
50. `systemctl enable NetworkManager`
51. Install gnome nice-to-haves `pacman -S gnome-tweaks dconf-editor seahorse`
52. Install tpm2-tss for tpm2 disk decryption `pacman -S tpm2-tss`
53. Setup tpm2 disk decryption
50. `systemctl enable gdm`
51. Install NetworkManager `pacman -S networkmanager`
52. `systemctl enable NetworkManager`
53. Install gnome nice-to-haves `pacman -S gnome-tweaks dconf-editor seahorse`
54. Install tpm2-tss for tpm2 disk decryption `pacman -S tpm2-tss`
55. Setup tpm2 disk decryption
```bash
systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs="" --unlock-key-file=/media/root-key.txt
```
54. `exit`
55. `reboot`
56. `exit`
57. `reboot`
### Gnome Keyring
Don't set a password for single-user systems. We're using full-disk encryption.
This will let you login with just a fingerprint.
Don't set a password for single-user systems. We're using full-disk encryption. This will let you
login with just a fingerprint.
1. Install `seahorse` if you haven't already
2. Open the `Passwords and Keys` apps
@@ -328,14 +331,29 @@ cd <folder name>
makepkg -si
```
We can update our AUR packages with a script. As long as you clone your AUR
packages into ~/AUR this will work:
~./local/scripts/update-aur.sh
```bash
#!/bin/bash
for file in $(ls /home/ducoterra/AUR);
do
cd /home/ducoterra/AUR/$file
git pull
makepkg -si
done
```
### Security
<https://wiki.archlinux.org/title/security>
Every machine, regardless of use-case, should perform some basic hardening. You don't
need to follow every instruction in the above wiki, but you should at least
enable secure boot, tpm2 disk decryption, firewall, apparmor, clamav, btrfs snapshots,
and btrfs backups.
Every machine, regardless of use-case, should perform some basic hardening. You don't need to follow
every instruction in the above wiki, but you should at least enable secure boot, tpm2 disk
decryption, firewall, apparmor, clamav, btrfs snapshots, and btrfs backups.
Security Philosophy
@@ -347,49 +365,48 @@ Security Philosophy
2. TPM2 Decryption
Since we have secure boot enabled we can safely auto-decrypt our hard drive with a
tpm2 device. This is purely a convenience.
Since we have secure boot enabled we can safely auto-decrypt our hard drive with a tpm2 device.
This is purely a convenience.
3. Firewall
This should be self-explanatory, but I'll explain anyway. Don't allow any arbitrary
network traffic into your device. Block those ports. Only open what you need. Firewalls
drastically reduce the risk of remote exploits by stopping them before they can even
establish a connection. Firewalls can also be used to limit an attacker's ability
to even discover you on a network with icmp blocking.
This should be self-explanatory, but I'll explain anyway. Don't allow any arbitrary network
traffic into your device. Block those ports. Only open what you need. Firewalls drastically
reduce the risk of remote exploits by stopping them before they can even establish a connection.
Firewalls can also be used to limit an attacker's ability to even discover you on a network with
icmp blocking.
4. ClamAV
Much like Windows has Windows Defender, Linux has ClamAV. Running an antivirus scanner
certainly isn't the end-all-be-all of security, and it definitely isn't good enough
on its own to keep your system safe, but in combination with apparmor and a firewall
you can identify and quarantine malware before it has a chance to compromise your system. That
being said, finding *any* malware on a system is reason enough to nuke it from orbit and restore from a
known good backup.
Much like Windows has Windows Defender, Linux has ClamAV. Running an antivirus scanner certainly
isn't the end-all-be-all of security, and it definitely isn't good enough on its own to keep
your system safe, but in combination with apparmor and a firewall you can identify and
quarantine malware before it has a chance to compromise your system. That being said, finding
*any* malware on a system is reason enough to nuke it from orbit and restore from a known good
backup.
5. BTRFS Snapshots
This is not a backup, this is a snapshot. It serves an equally important function, however,
in that it protects you from accidental deletion and corruption. Let's imagine you perform
an update, reboot, and your computer crashes mid-startup. You could easily restore root
from a btrfs snapshot on your system and go on with your day like nothing happened.
This is not a backup, this is a snapshot. It serves an equally important function, however, in
that it protects you from accidental deletion and corruption. Let's imagine you perform an
update, reboot, and your computer crashes mid-startup. You could easily restore root from a
btrfs snapshot on your system and go on with your day like nothing happened.
6. BTRFS Backups
This is a backup. Unlike snapshots, which live on the same drive your system exists
on, backups are physically separate copies of your computer stored (hopefully) in a
physically separate location. In the event your computer is lost or stolen these
backups give you a way to perfectly restore your system to its former glory.
This is a backup. Unlike snapshots, which live on the same drive your system exists on, backups
are physically separate copies of your computer stored (hopefully) in a physically separate
location. In the event your computer is lost or stolen these backups give you a way to perfectly
restore your system to its former glory.
#### Secure Boot
1. Put your machine in setup mode
On framework this is done in the UEFI setup page for Security, sub-page
Secure Boot, choose “Erase all Secure Boot Settings.”
On framework this is done in the UEFI setup page for Security, sub-page Secure Boot, choose
“Erase all Secure Boot Settings.”
On my Gigabyte motherboard this is done in the BIOS under security. Set secure boot
to custom.
On my Gigabyte motherboard this is done in the BIOS under security. Set secure boot to custom.
2. `pacman -S efitools sbctl`
3. `cd /btr_pools/root/support/`
@@ -416,7 +433,8 @@ You can optionally allow tpm2 decryption only while secure boot is active.
Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure boot is disabled.
1. `pacman -S tpm2-tss`
2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7 --unlock-key-file=/btr_pools/root/support/root-key.txt`
2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7
--unlock-key-file=/btr_pools/root/support/root-key.txt`
##### Re-enroll
@@ -541,27 +559,25 @@ systemctl enable --now btrbk_snapshots.timer
##### Backups
Before you begin, go through the usual process of setting up an encrypted drive. If
you're using Gnome I recommend using the GUI since it handles encrypted USB drives
really nicely.
Before you begin, go through the usual process of setting up an encrypted drive. If you're using
Gnome I recommend using the GUI since it handles encrypted USB drives really nicely.
First, I'd recommend manually creating the mountpoint and setting it as a read-only.
This prevents backups from being written to the root device when the backup
disk isn't mounted.
First, I'd recommend manually creating the mountpoint and setting it as a read-only. This prevents
backups from being written to the root device when the backup disk isn't mounted.
```bash
btrfs sub create /btr_pools/backup
btrfs property set /btr_pools/backup ro true
```
Second, I'd recommend creating subvolumes within your existing volumes for things you
don't want backed up. These include:
Second, I'd recommend creating subvolumes within your existing volumes for things you don't want
backed up. These include:
1. /var/lib/libvirt
2. Nextcloud
Third, I'd recommend iterating dot directories you'd need to restore and writing them
down somewhere:
Third, I'd recommend iterating dot directories you'd need to restore and writing them down
somewhere:
1. .aws
2. .cache
@@ -657,130 +673,6 @@ You can create chroot environments to run firejails or just use for testing purp
5. `pacstrap -K /btr_pools/root/chroots/testing base base-devel`
6. `arch-chroot /btr_pools/root/chroots/testing`
#### Fingerprint Reader Support
##### Setup
1. `pacman -S fprintd`
2. `systemctl enable --now fprintd`
3. `fprintd-enroll ducoterra`
4. Install <https://aur.archlinux.org/pam-fprint-grosshack.git> to use fingerprint with gnome
In order to use fingerprint auth with gnome for privileged system stuff with gdm,
edit `/etc/pam.d/system-auth` to include `auth sufficient pam_fprintd_grosshack.so`.
```conf
#%PAM-1.0
auth required pam_shells.so # User must have shell in /etc/shells
auth requisite pam_nologin.so # Prevents users from loging in if /etc/nologin exists
auth required pam_faillock.so preauth # Timeout after certain number of fails
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth sufficient pam_fprintd_grosshack.so
-auth [success=2 default=ignore] pam_systemd_home.so
auth [success=1 default=bad] pam_unix.so try_first_pass nullok
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
-account [success=1 default=ignore] pam_systemd_home.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
-password [success=1 default=ignore] pam_systemd_home.so
password required pam_unix.so try_first_pass nullok shadow
password optional pam_permit.so
-session optional pam_systemd_home.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
```
##### Turn Off Fingerprint When Laptop Lid Closed
**NOTE: This may break fingerprint unlock. Testing in progress.**
To disable fingerprint authentication when the laptop lid is closed, and
re-enable when it is reopened, we will use acpid to bind to the button/lid.*
event to a custom script that will comment out fprintd auth in /etc/pam.d/sudo.
Usually we'd just `systemctl mask fprintd` but this breaks gdm (as of 08/06/23). See
<https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/2267> and
<https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6585>.
1. `pacman -S acpid` and then `systemctl enable --now acpid`
2. Create file /etc/acpi/laptop-lid.sh with the following contents:
```bash
#!/bin/bash
if grep -Fq closed /proc/acpi/button/lid/LID0/state # &&
# This is used to detect if a display is connected.
# For USB C displayport use:
# grep -Fxq connected /sys/class/drm/card1-DP-2/status
# For hdmi use:
# grep -Fxq connected /sys/class/drm/card0-HDMI-A-1/status
then
# comment out fprintd
sed -i -E 's/^([^#].*pam_fprintd.so)/#\1/g' /etc/pam.d/sudo
else
# uncomment fprintd
sed -i -E 's/#(.*pam_fprintd.so)/\1/g' /etc/pam.d/sudo
fi
```
3. Make the file executable with
`chmod +x /etc/acpi/laptop-lid.sh`
4. Create file /etc/acpi/events/laptop-lid with the following contents:
```bash
event=button/lid.*
action=/etc/acpi/laptop-lid.sh
```
5. Restart the acpid service with:
`systemctl restart acpid`
Now the fingerprint will be used only when the lid is open.
In order to ensure the correct state after suspend we need a service file which
runs our script on wake.
1. Create a file named /etc/systemd/system/laptop-lid.service with the following contents:
```bash
[Unit]
Description=Laptop Lid
After=suspend.target
[Service]
ExecStart=/etc/acpi/laptop-lid.sh
[Install]
WantedBy=multi-user.target
WantedBy=suspend.target
```
2. Reload the systemd config files with
`sudo systemctl daemon-reload`
3. Start and enable the service with
`sudo systemctl enable --now laptop-lid.service`
Now the status should be correct even after connecting/disconnecting when the computer is off.
## Hardware Management
### Power Profiles
@@ -839,8 +731,8 @@ vainfo
### Don't sleep while plugged in
This is needed for the Framework 13 (11th gen) since sleeping while plugged in to a dock
will prevent it from waking up.
This is needed for the Framework 13 (11th gen) since sleeping while plugged in to a dock will
prevent it from waking up.
```bash
vim /etc/systemd/logind.conf
@@ -859,9 +751,21 @@ Without pipewire-pulse the audio level/device will reset every reboot.
## Software Stores
### AppImage Support
### Flatpak
Also chmod +x before running.
```bash
pacman -S flatpak
```
### AppImage
Install fuse for appimage support.
```bash
sudo pacman -S fuse
```
Make sure to chmod +x the `.appimage` file before running.
1. `cp ~/Downloads/xxxxxxx.appimage ~/Applications`
2. Find an icon online and save it to ~/.icons
@@ -877,69 +781,3 @@ Also chmod +x before running.
4. `desktop-file-validate ~/.local/share/applications/*.desktop`
5. `update-desktop-database`
#### Troubleshooting
fuse may be required to run an appimage.
```bash
sudo pacman -S fuse
```
### Flatpak
```bash
pacman -S flatpak
```
## Apps
### Firefox
You'll want firefox and gnome-browser-connector (for gnome extension management).
```bash
pacman -S firefox gnome-browser-connector
```
Choose noto-fonts
#### Gnome Extensions
1. AlphabeticalAppGrid@stuarthayhurst
2. <Vitals@CoreCoding.com>
3. <dash-to-dock@micxgx.gmail.com>
4. <tactile@lundal.io>
### Avahi (Bonjour)
1. `pacman -S avahi`
2. `vim /etc/nsswitch.conf`
```conf
hosts: mymachines mdns [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
```
3. `vim /etc/mdns.allow`
```conf
.local.
.local
```
### CUPS Printing
Note: you need [avahi](#avahi-bonjour) for auto-discovery.
1. `pacman -S cups cups-pdf system-config-printer gutenprint foomatic-db-gutenprint-ppds`
2. `cups-genppdupdate`
3. `usermod -aG lp ducoterra`
4. `systemctl enable --now cups`
5. In gnome settings:
1. Add printer
2. Enter the IP address
3. Wait...
4. Select "JetDirect"
5. Select Generic
6. Select IPP Printer
7. Print

218
infrastructure/graduated/arch/workstation.md
View File

@@ -1,8 +1,18 @@
# Workstation
- [Workstation](#workstation)
- [Pacman Packages](#pacman-packages)
- [Upgrade/Downgrade](#upgradedowngrade)
- [Freeze package](#freeze-package)
- [Fingerprint Reader Support](#fingerprint-reader-support)
- [Setup](#setup)
- [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed)
- [SSH](#ssh)
- [Templates](#templates)
- [Firefox](#firefox)
- [Gnome Extensions](#gnome-extensions)
- [Avahi (Bonjour)](#avahi-bonjour)
- [CUPS Printing](#cups-printing)
- [Toolbox](#toolbox)
- [Podman](#podman)
- [Docker](#docker)
@@ -39,6 +49,153 @@
- [Glances](#glances)
- [VirtualBox](#virtualbox)
## Pacman Packages
### Upgrade/Downgrade
The [Arch Linux Archive](https://archive.archlinux.org/packages/) keeps snapshots of all packages
from history. Search for your package on the site, copy the link for the `pkg.tar.zst` file, and run
the following:
```bash
# Replace link with the one you copied
pacman -U https://archive.archlinux.org/packages/g/gdm/gdm-46.2-1-x86_64.pkg.tar.zst
```
### Freeze package
You can freeze a package by adding it to the list of ignores in `/etc/pacman.conf`:
```conf
...
IgnorePkg = nano vim linux
...
```
## Fingerprint Reader Support
### Setup
1. `pacman -S fprintd`
2. `systemctl enable --now fprintd`
3. `fprintd-enroll ducoterra`
4. Install <https://aur.archlinux.org/pam-fprint-grosshack.git> to use fingerprint with gnome
In order to use fingerprint auth with gnome for privileged system stuff with gdm, edit
`/etc/pam.d/system-auth` to include `auth sufficient pam_fprintd_grosshack.so`.
```conf
#%PAM-1.0
auth required pam_shells.so # User must have shell in /etc/shells
auth requisite pam_nologin.so # Prevents users from loging in if /etc/nologin exists
auth required pam_faillock.so preauth # Timeout after certain number of fails
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth sufficient pam_fprintd_grosshack.so
-auth [success=2 default=ignore] pam_systemd_home.so
auth [success=1 default=bad] pam_unix.so try_first_pass nullok
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
-account [success=1 default=ignore] pam_systemd_home.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
-password [success=1 default=ignore] pam_systemd_home.so
password required pam_unix.so try_first_pass nullok shadow
password optional pam_permit.so
-session optional pam_systemd_home.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
```
### Turn Off Fingerprint When Laptop Lid Closed
**NOTE: This may break fingerprint unlock. Testing in progress.**
To disable fingerprint authentication when the laptop lid is closed, and re-enable when it is
reopened, we will use acpid to bind to the button/lid.* event to a custom script that will comment
out fprintd auth in /etc/pam.d/sudo.
Usually we'd just `systemctl mask fprintd` but this breaks gdm (as of 08/06/23). See
<https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/2267> and
<https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6585>.
1. `pacman -S acpid` and then `systemctl enable --now acpid`
2. Create file /etc/acpi/laptop-lid.sh with the following contents:
```bash
#!/bin/bash
if grep -Fq closed /proc/acpi/button/lid/LID0/state # &&
# This is used to detect if a display is connected.
# For USB C displayport use:
# grep -Fxq connected /sys/class/drm/card1-DP-2/status
# For hdmi use:
# grep -Fxq connected /sys/class/drm/card0-HDMI-A-1/status
then
# comment out fprintd
sed -i -E 's/^([^#].*pam_fprintd.so)/#\1/g' /etc/pam.d/sudo
else
# uncomment fprintd
sed -i -E 's/#(.*pam_fprintd.so)/\1/g' /etc/pam.d/sudo
fi
```
3. Make the file executable with
`chmod +x /etc/acpi/laptop-lid.sh`
4. Create file /etc/acpi/events/laptop-lid with the following contents:
```bash
event=button/lid.*
action=/etc/acpi/laptop-lid.sh
```
5. Restart the acpid service with:
`systemctl restart acpid`
Now the fingerprint will be used only when the lid is open.
In order to ensure the correct state after suspend we need a service file which runs our script on
wake.
1. Create a file named /etc/systemd/system/laptop-lid.service with the following contents:
```bash
[Unit]
Description=Laptop Lid
After=suspend.target
[Service]
ExecStart=/etc/acpi/laptop-lid.sh
[Install]
WantedBy=multi-user.target
WantedBy=suspend.target
```
2. Reload the systemd config files with
`sudo systemctl daemon-reload`
3. Start and enable the service with
`sudo systemctl enable --now laptop-lid.service`
Now the status should be correct even after connecting/disconnecting when the computer is off.
## SSH
Generate a key with password protection:
@@ -81,6 +238,57 @@ mkdir ~/Templates
touch ~/Templates/text.txt
```
## Firefox
You'll want firefox and gnome-browser-connector (for gnome extension management).
```bash
pacman -S firefox gnome-browser-connector
```
Choose noto-fonts
### Gnome Extensions
1. AlphabeticalAppGrid@stuarthayhurst
2. <Vitals@CoreCoding.com>
3. <dash-to-dock@micxgx.gmail.com>
4. <tactile@lundal.io>
## Avahi (Bonjour)
1. `pacman -S avahi`
2. `vim /etc/nsswitch.conf`
```conf
hosts: mymachines mdns [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
```
3. `vim /etc/mdns.allow`
```conf
.local.
.local
```
## CUPS Printing
Note: you need [avahi](#avahi-bonjour) for auto-discovery.
1. `pacman -S cups cups-pdf system-config-printer gutenprint foomatic-db-gutenprint-ppds`
2. `cups-genppdupdate`
3. `usermod -aG lp ducoterra`
4. `systemctl enable --now cups`
5. In gnome settings:
1. Add printer
2. Enter the IP address
3. Wait...
4. Select "JetDirect"
5. Select Generic
6. Select IPP Printer
7. Print
## Toolbox
<https://wiki.archlinux.org/title/Toolbox>
@@ -494,7 +702,9 @@ Type=Application
<https://github.com/nextcloud-releases/talk-desktop/releases>
```bash
mv ~/Downloads/Nextcloud.Talk-linux-*/Nextcloud* ~/Applications/NextcloudTalk
unzip ~/Downloads/Nextcloud.Talk-linux*.zip -d ~/Downloads
rm -rf ~/Applications/NextcloudTalk
mv ~/Downloads/'Nextcloud Talk-linux-x64' ~/Applications/NextcloudTalk
```
vim ~/.local/share/applications/nextcloud-talk.desktop
@@ -533,6 +743,12 @@ Download the best quality video:
yt-dlp -f "bv+ba/b" https://...
```
Download a playlist:
```bash
yt-dlp -f "bv+ba/b" --write-thumbnail https://www.youtube.com/watch?v=l-unefmAo9k&list=PLuYLhuXt4HrQqnfSceITmv6T_drx1hN84
```
## Iperf3
```bash