general arch install fixes for Nic's complaints

2024-08-07 10:55:00 -04:00
parent 602ae8c841
commit 449c0cddbb
2 changed files with 370 additions and 316 deletions
--- a/infrastructure/graduated/arch/README.md
+++ b/infrastructure/graduated/arch/README.md
@@ -1,7 +1,7 @@
 # Arch Base
-This is the base configuration from which you can build a variety of systems. Right now
+This is the base configuration from which you can build a variety of systems. Right now I have
-I have instructions for building a:
+instructions for building a:
 1. [Workstation](workstation.md)
 2. [Gaming PC](gaming.md)
@@ -32,9 +32,6 @@ I have instructions for building a:
        - [Backups](#backups)
        - [Backing up a snapshot](#backing-up-a-snapshot)
      - [Chroots](#chroots)
      - [Fingerprint Reader Support](#fingerprint-reader-support)
        - [Setup](#setup)
        - [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed)
  - [Hardware Management](#hardware-management)
    - [Power Profiles](#power-profiles)
    - [Color Management](#color-management)
@@ -44,21 +41,14 @@ I have instructions for building a:
    - [Bluetooth](#bluetooth)
    - [Audio](#audio)
  - [Software Stores](#software-stores)
    - [AppImage Support](#appimage-support)
      - [Troubleshooting](#troubleshooting)
    - [Flatpak](#flatpak)
-  - [Apps](#apps)
+    - [AppImage](#appimage)
    - [Firefox](#firefox)
      - [Gnome Extensions](#gnome-extensions)
    - [Avahi (Bonjour)](#avahi-bonjour)
    - [CUPS Printing](#cups-printing)
 ## Installation
 ### Preparation
-Follow most of the instructions here:
+Follow most of the instructions here: <https://wiki.archlinux.org/title/Installation_guide>
 <https://wiki.archlinux.org/title/Installation_guide>
 1. Download Arch
 2. Verify the image
@@ -68,9 +58,10 @@ Follow most of the instructions here:
    gpg --keyserver-options auto-key-retrieve --verify archlinux-...
    ```
-3. Create a bootable ISO
+3. Create a bootable ISO <https://wiki.archlinux.org/title/USB_flash_installation_medium>
-    1. If you are booting into a VM, create an ISO with installation files so you don't have to copy-paste:
+    1. If you are booting into a VM, create an ISO with installation files so you don't have to
       copy-paste:
        ```bash
        sudo pacman -S cdrtools
@@ -83,12 +74,20 @@ Follow most of the instructions here:
 ### Installation
-You'll want two usb drives while following this guide. One will be the Arch boot drive. The
+You'll want two usb drives while following this guide. One will be the Arch boot drive. The other
-other will be a support drive with critical files and passwords which we will need to access
+will be a support drive with critical files and passwords which we will need to access after we
-after we finish the install.
+finish the install.
 1. Boot into the live image
-2. Check for network connectivity
+2. If you only have wifi, use iwctl to connect <https://wiki.archlinux.org/title/Iwd#iwctl>
   1. `iwctl`
   2. `device list`
   3. `adapter wlan0 set-property Powered on` <- Note: replace "wlan0" with the name of your device
   4. `station wlan0 scan`
   5. `station wlan0 get-networks`
   6. `station wlan0 connect SSID`
 3. Check for network connectivity
    ```bash
    # Check for internet
@@ -96,42 +95,46 @@ after we finish the install.
    ping archlinux.org
    ```
-3. `timedatectl` to update system clock
+4. `timedatectl` to update system clock
-4. Install pwgen for password generation `pacman -S pwgen`
+5. Sync the pacman database with `pacman -Sy`
-5. If using a VM, mount the iso with arch conf files
+6. Install pwgen for password generation `pacman -S pwgen`
 7. If using a VM, mount the iso with arch conf files
    ```bash
    mount --mkdir /dev/sr1 /media
    ```
-6. If using a physical computer, mount your support drive
+8. If using a physical computer, mount your support drive
    ```bash
    mount --mkdir /dev/sdb1 /media
    ```
-7. Create disk partitions. Use gdisk or beware "bootctl install is not on a gpt partition table"
+9. Create disk partitions. Use gdisk or beware "bootctl install is not on a gpt partition table"
    ```bash
    fdisk -l
    gdisk /dev/vda
    ```
-    - +1G for /boot
+    1. Delete all existing partitions with `d`
-    - t EFI SYSTEM for /boot
+    2. Create a new partition (partition 1) with `n`
-    - remaining for /
+    3. When prompted for `last sector` type `+1G`
    4. When prompted for partition structure, type `L` and search for `EFI SYSTEM`, then use that
       hex code
    5. Create a second new partition (partition 2) with `n`
    6. Press enter through the remaining options (the defaults are good)
-8. `mkfs.fat -F 32 /dev/vda1` (/mnt/boot partition)
+10. `mkfs.fat -F 32 /dev/vda1` (/mnt/boot partition)
-9.  This next step involves generating a secure, random password. Make sure to
+11. This next step involves generating a secure, random password. We're going to save this to our
-   save this somewhere. I recommend having an encrypted partition on your
+    support drive.
   installation drive to which you can write a few bytes of text.
    `echo -n $(pwgen 8 5) | sed 's/ /-/g' > /media/root-key.txt`
-10. `cryptsetup luksFormat /dev/vda2  --key-file /path/to/root-key.txt`
+12. `cryptsetup luksFormat /dev/vda2  --key-file /path/to/root-key.txt`
-11. `cryptsetup luksOpen /dev/vda2 root --key-file /path/to/root-key.txt`
+13. `cryptsetup luksOpen /dev/vda2 root --key-file /path/to/root-key.txt`
-12. `mkfs.btrfs /dev/mapper/root` (root partition)
+14. `mkfs.btrfs /dev/mapper/root` (root partition)
-13. At this point you can choose how to subvolume your root partition
+15. At this point you can choose how to subvolume your root partition
    ```bash
    mount --mkdir -o subvolid=5 /btr_pool
@@ -139,32 +142,32 @@ after we finish the install.
    btrfs sub create home /btr_pool
    ```
-14. Mount the root partition with `mount -o subvol=root /dev/mapper/root /mnt`
+16. Mount the root partition with `mount -o subvol=root /dev/mapper/root /mnt`
-15. Mount the home partition with `mount -o subvol=home /dev/mapper/root /mnt/home`
+17. Mount the home partition with `mount -o subvol=home /dev/mapper/root /mnt/home`
-16. Mount the boot partition with `mount --mkdir /dev/vda1 /mnt/boot`
+18. Mount the boot partition with `mount --mkdir /dev/vda1 /mnt/boot`
-17. `pacstrap -K /mnt base linux linux-firmware`
+19. `pacstrap -K /mnt base linux linux-firmware`
    This command might show an error. This is ok, we'll fix it later.
 20. `genfstab -U /mnt >> /mnt/etc/fstab`
 21. If on VM: Mount the conf files with `mount --mkdir /dev/sr1 /mnt/media`
-18. If on a physical computer: mount the support parition with `mount --mkdir /dev/sdb1 /mnt/media`
+22. If on a physical computer: mount the support parition with `mount --mkdir /dev/sdb1 /mnt/media`
-22. `arch-chroot /mnt`
+23. `arch-chroot /mnt`
-23. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime`
+24. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime`
-24. `hwclock --systohc`
+25. `hwclock --systohc`
-25. `echo 'en_US.UTF-8 UTF-8' > /etc/locale.gen`
+26. `echo 'en_US.UTF-8 UTF-8' > /etc/locale.gen`
-26. `echo 'KEYMAP=us' > /etc/vconsole.conf`
+27. `echo 'KEYMAP=us' > /etc/vconsole.conf`
-27. `echo 'hostname' > /etc/hostname`
+28. `echo 'hostname' > /etc/hostname`
-28. `pacman -S sudo vim dhclient dhcpcd bash-completion btrfs-progs plymouth`
+29. `pacman -S sudo vim dhclient dhcpcd bash-completion btrfs-progs plymouth`
    - dhclient/dhcpcd provides dhcp for network
    - bash-completion provides tab complete
    - btrfs-progs provides fsck for btrfs
    - plymouth gives a nice bootloader screen
-29. Edit /etc/mkinitcpio.conf and uncomment the line for systemd-boot with an encrypted drive.
+30. Edit /etc/mkinitcpio.conf and uncomment the line for systemd-boot with an encrypted drive.
-30. `mkinitcpio -P`
+31. `mkinitcpio -P`
-31. Install systemd-boot
+32. Install systemd-boot
    <https://wiki.archlinux.org/title/systemd-boot>
@@ -172,10 +175,10 @@ after we finish the install.
    bootctl install
    ```
-    If this raises an error like "efi partition not found" you probably forgot to format
+    If this raises an error like "efi partition not found" you probably forgot to format /mnt/boot
-    /mnt/boot as an EFI partition. Edit this by reformatting it with gdisk (ef00 is the hex code).
+    as an EFI partition. Edit this by reformatting it with gdisk (ef00 is the hex code).
-32. edit your loader.conf with some defaults
+33. edit your loader.conf with some defaults
    /boot/loader/loader.conf
@@ -186,7 +189,7 @@ after we finish the install.
    editor   no
    ```
-33. Create a loader (/usr/share/systemd/bootctl/arch.conf for example)
+34. Create a loader (/usr/share/systemd/bootctl/arch.conf for example)
    /boot/loader/entries/arch.conf
@@ -197,26 +200,26 @@ after we finish the install.
    options ... rd.luks.name=d9828faa-2b8c-4184-9e74-9054ae328c6d=root root=/dev/mapper/root rootflags=subvol=root ...
    ```
-    You can get the UUID of the disk into arch.conf with some grepping. Use vim to cut
+    You can get the UUID of the disk into arch.conf with some grepping. Use vim to cut the excess
-    the excess and copy it into the correct location.
+    and copy it into the correct location.
    ```bash
    blkid | grep /dev/vda2 >> /boot/loader/entries/arch.conf
    ```
-34. `useradd ducoterra`
+35. `useradd ducoterra`
-35. `passwd ducoterra`
+36. `passwd ducoterra`
-36. `groupadd sudo`
+37. `groupadd sudo`
-37. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege
+38. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege
-38. `usermod -aG sudo ducoterra`
+39. `usermod -aG sudo ducoterra`
-39. `usermod -aG wheel ducoterra`
+40. `usermod -aG wheel ducoterra`
-40. `mkdir /home/ducoterra`
+41. `mkdir /home/ducoterra`
-41. `chown ducoterra:ducoterra /home/ducoterra`
+42. `chown ducoterra:ducoterra /home/ducoterra`
-42. `locale-gen`
+43. `locale-gen`
-43. `systemctl enable dhcpcd`
+44. `systemctl enable dhcpcd`
-44. If on VM install guest drivers: `pacman -S qemu-guest-agent spice-vdagent`
+45. If on VM install guest drivers: `pacman -S qemu-guest-agent spice-vdagent`
-45. If you need ssh: `pacman -S openssh; systemctl enable sshd`
+46. If you need ssh: `pacman -S openssh; systemctl enable sshd`
-46. Add a pacman hook for systemd-boot updates
+47. Add a pacman hook for systemd-boot updates
    /etc/pacman.d/hooks/95-systemd-boot.hook
@@ -232,30 +235,30 @@ after we finish the install.
    Exec = /usr/bin/systemctl restart systemd-boot-update.service
    ```
-47. Install gnome: `pacman -S gdm gnome`
+49. Install gnome: `pacman -S gdm gnome`
    - choose pipewire-jack
    - choose wireplumber
    - choose noto-fonts-emoji
-48. `systemctl enable gdm`
+50. `systemctl enable gdm`
-49. Install NetworkManager `pacman -S networkmanager`
+51. Install NetworkManager `pacman -S networkmanager`
-50. `systemctl enable NetworkManager`
+52. `systemctl enable NetworkManager`
-51. Install gnome nice-to-haves `pacman -S gnome-tweaks dconf-editor seahorse`
+53. Install gnome nice-to-haves `pacman -S gnome-tweaks dconf-editor seahorse`
-52. Install tpm2-tss for tpm2 disk decryption `pacman -S tpm2-tss`
+54. Install tpm2-tss for tpm2 disk decryption `pacman -S tpm2-tss`
-53. Setup tpm2 disk decryption
+55. Setup tpm2 disk decryption
    ```bash
    systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs="" --unlock-key-file=/media/root-key.txt
    ```
 54. `exit`
 55. `reboot`
 56. `exit`
 57. `reboot`
 ### Gnome Keyring
-Don't set a password for single-user systems. We're using full-disk encryption.
+Don't set a password for single-user systems. We're using full-disk encryption. This will let you
-This will let you login with just a fingerprint.
+login with just a fingerprint.
 1. Install `seahorse` if you haven't already
 2. Open the `Passwords and Keys` apps
@@ -328,14 +331,29 @@ cd <folder name>
 makepkg -si
 ```
 We can update our AUR packages with a script. As long as you clone your AUR
 packages into ~/AUR this will work:
 ~./local/scripts/update-aur.sh
 ```bash
 #!/bin/bash
 for file in $(ls /home/ducoterra/AUR);
 do
    cd /home/ducoterra/AUR/$file
    git pull
    makepkg -si
 done
 ```
 ### Security
 <https://wiki.archlinux.org/title/security>
-Every machine, regardless of use-case, should perform some basic hardening. You don't
+Every machine, regardless of use-case, should perform some basic hardening. You don't need to follow
-need to follow every instruction in the above wiki, but you should at least
+every instruction in the above wiki, but you should at least enable secure boot, tpm2 disk
-enable secure boot, tpm2 disk decryption, firewall, apparmor, clamav, btrfs snapshots,
+decryption, firewall, apparmor, clamav, btrfs snapshots, and btrfs backups.
 and btrfs backups.
 Security Philosophy
@@ -347,49 +365,48 @@ Security Philosophy
 2. TPM2 Decryption
-    Since we have secure boot enabled we can safely auto-decrypt our hard drive with a
+    Since we have secure boot enabled we can safely auto-decrypt our hard drive with a tpm2 device.
-    tpm2 device. This is purely a convenience.
+    This is purely a convenience.
 3. Firewall
-    This should be self-explanatory, but I'll explain anyway. Don't allow any arbitrary
+    This should be self-explanatory, but I'll explain anyway. Don't allow any arbitrary network
-    network traffic into your device. Block those ports. Only open what you need. Firewalls
+    traffic into your device. Block those ports. Only open what you need. Firewalls drastically
-    drastically reduce the risk of remote exploits by stopping them before they can even
+    reduce the risk of remote exploits by stopping them before they can even establish a connection.
-    establish a connection. Firewalls can also be used to limit an attacker's ability
+    Firewalls can also be used to limit an attacker's ability to even discover you on a network with
-    to even discover you on a network with icmp blocking.
+    icmp blocking.
 4. ClamAV
-    Much like Windows has Windows Defender, Linux has ClamAV. Running an antivirus scanner
+    Much like Windows has Windows Defender, Linux has ClamAV. Running an antivirus scanner certainly
-    certainly isn't the end-all-be-all of security, and it definitely isn't good enough
+    isn't the end-all-be-all of security, and it definitely isn't good enough on its own to keep
-    on its own to keep your system safe, but in combination with apparmor and a firewall
+    your system safe, but in combination with apparmor and a firewall you can identify and
-    you can identify and quarantine malware before it has a chance to compromise your system. That
+    quarantine malware before it has a chance to compromise your system. That being said, finding
-    being said, finding *any* malware on a system is reason enough to nuke it from orbit and restore from a
+    *any* malware on a system is reason enough to nuke it from orbit and restore from a known good
-    known good backup.
+    backup.
 5. BTRFS Snapshots
-    This is not a backup, this is a snapshot. It serves an equally important function, however,
+    This is not a backup, this is a snapshot. It serves an equally important function, however, in
-    in that it protects you from accidental deletion and corruption. Let's imagine you perform
+    that it protects you from accidental deletion and corruption. Let's imagine you perform an
-    an update, reboot, and your computer crashes mid-startup. You could easily restore root
+    update, reboot, and your computer crashes mid-startup. You could easily restore root from a
-    from a btrfs snapshot on your system and go on with your day like nothing happened.
+    btrfs snapshot on your system and go on with your day like nothing happened.
 6. BTRFS Backups
-    This is a backup. Unlike snapshots, which live on the same drive your system exists
+    This is a backup. Unlike snapshots, which live on the same drive your system exists on, backups
-    on, backups are physically separate copies of your computer stored (hopefully) in a
+    are physically separate copies of your computer stored (hopefully) in a physically separate
-    physically separate location. In the event your computer is lost or stolen these
+    location. In the event your computer is lost or stolen these backups give you a way to perfectly
-    backups give you a way to perfectly restore your system to its former glory.
+    restore your system to its former glory.
 #### Secure Boot
 1. Put your machine in setup mode
-    On framework this is done in the UEFI setup page for Security, sub-page
+    On framework this is done in the UEFI setup page for Security, sub-page Secure Boot, choose
-    Secure Boot, choose “Erase all Secure Boot Settings.”
+    “Erase all Secure Boot Settings.”
-    On my Gigabyte motherboard this is done in the BIOS under security. Set secure boot
+    On my Gigabyte motherboard this is done in the BIOS under security. Set secure boot to custom.
    to custom.
 2. `pacman -S efitools sbctl`
 3. `cd /btr_pools/root/support/`
@@ -416,7 +433,8 @@ You can optionally allow tpm2 decryption only while secure boot is active.
 Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure boot is disabled.
 1. `pacman -S tpm2-tss`
-2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7 --unlock-key-file=/btr_pools/root/support/root-key.txt`
+2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7
   --unlock-key-file=/btr_pools/root/support/root-key.txt`
 ##### Re-enroll
@@ -541,27 +559,25 @@ systemctl enable --now btrbk_snapshots.timer
 ##### Backups
-Before you begin, go through the usual process of setting up an encrypted drive. If
+Before you begin, go through the usual process of setting up an encrypted drive. If you're using
-you're using Gnome I recommend using the GUI since it handles encrypted USB drives
+Gnome I recommend using the GUI since it handles encrypted USB drives really nicely.
 really nicely.
-First, I'd recommend manually creating the mountpoint and setting it as a read-only.
+First, I'd recommend manually creating the mountpoint and setting it as a read-only. This prevents
-This prevents backups from being written to the root device when the backup
+backups from being written to the root device when the backup disk isn't mounted.
 disk isn't mounted.
 ```bash
 btrfs sub create /btr_pools/backup
 btrfs property set /btr_pools/backup ro true
 ```
-Second, I'd recommend creating subvolumes within your existing volumes for things you
+Second, I'd recommend creating subvolumes within your existing volumes for things you don't want
-don't want backed up. These include:
+backed up. These include:
 1. /var/lib/libvirt
 2. Nextcloud
-Third, I'd recommend iterating dot directories you'd need to restore and writing them
+Third, I'd recommend iterating dot directories you'd need to restore and writing them down
-down somewhere:
+somewhere:
 1. .aws
 2. .cache
@@ -657,130 +673,6 @@ You can create chroot environments to run firejails or just use for testing purp
 5. `pacstrap -K /btr_pools/root/chroots/testing base base-devel`
 6. `arch-chroot /btr_pools/root/chroots/testing`
 #### Fingerprint Reader Support
 ##### Setup
 1. `pacman -S fprintd`
 2. `systemctl enable --now fprintd`
 3. `fprintd-enroll ducoterra`
 4. Install <https://aur.archlinux.org/pam-fprint-grosshack.git> to use fingerprint with gnome
 In order to use fingerprint auth with gnome for privileged system stuff with gdm,
 edit `/etc/pam.d/system-auth` to include `auth sufficient pam_fprintd_grosshack.so`.
 ```conf
 #%PAM-1.0
 auth       required                    pam_shells.so # User must have shell in /etc/shells
 auth       requisite                   pam_nologin.so # Prevents users from loging in if /etc/nologin exists
 auth       required                    pam_faillock.so      preauth # Timeout after certain number of fails
 # Optionally use requisite above if you do not want to prompt for the password
 # on locked accounts.
 auth       sufficient                  pam_fprintd_grosshack.so
 -auth      [success=2 default=ignore]  pam_systemd_home.so
 auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
 auth       [default=die]               pam_faillock.so      authfail
 auth       optional                    pam_permit.so
 auth       required                    pam_env.so
 auth       required                    pam_faillock.so      authsucc
 # If you drop the above call to pam_faillock.so the lock will be done also
 # on non-consecutive authentication failures.
 -account   [success=1 default=ignore]  pam_systemd_home.so
 account    required                    pam_unix.so
 account    optional                    pam_permit.so
 account    required                    pam_time.so
 -password  [success=1 default=ignore]  pam_systemd_home.so
 password   required                    pam_unix.so          try_first_pass nullok shadow
 password   optional                    pam_permit.so
 -session   optional                    pam_systemd_home.so
 session    required                    pam_limits.so
 session    required                    pam_unix.so
 session    optional                    pam_permit.so
 ```
 ##### Turn Off Fingerprint When Laptop Lid Closed
 **NOTE: This may break fingerprint unlock. Testing in progress.**
 To disable fingerprint authentication when the laptop lid is closed, and
 re-enable when it is reopened, we will use acpid to bind to the button/lid.*
 event to a custom script that will comment out fprintd auth in /etc/pam.d/sudo.
 Usually we'd just `systemctl mask fprintd` but this breaks gdm (as of 08/06/23). See
 <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/2267> and
 <https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6585>.
 1. `pacman -S acpid` and then `systemctl enable --now acpid`
 2. Create file /etc/acpi/laptop-lid.sh with the following contents:
    ```bash
    #!/bin/bash
    if grep -Fq closed /proc/acpi/button/lid/LID0/state # &&
        # This is used to detect if a display is connected.
        # For USB C displayport use: 
        # grep -Fxq connected /sys/class/drm/card1-DP-2/status
        # For hdmi use:
        # grep -Fxq connected /sys/class/drm/card0-HDMI-A-1/status
    then
        # comment out fprintd
        sed -i -E 's/^([^#].*pam_fprintd.so)/#\1/g' /etc/pam.d/sudo
    else
        # uncomment fprintd
        sed -i -E 's/#(.*pam_fprintd.so)/\1/g' /etc/pam.d/sudo
    fi
    ```
 3. Make the file executable with
    `chmod +x /etc/acpi/laptop-lid.sh`
 4. Create file /etc/acpi/events/laptop-lid with the following contents:
    ```bash
    event=button/lid.*
    action=/etc/acpi/laptop-lid.sh
    ```
 5. Restart the acpid service with:
    `systemctl restart acpid`
 Now the fingerprint will be used only when the lid is open.
 In order to ensure the correct state after suspend we need a service file which
 runs our script on wake.
 1. Create a file named /etc/systemd/system/laptop-lid.service with the following contents:
    ```bash
    [Unit]
    Description=Laptop Lid
    After=suspend.target
    [Service]
    ExecStart=/etc/acpi/laptop-lid.sh
    [Install]
    WantedBy=multi-user.target
    WantedBy=suspend.target
    ```
 2. Reload the systemd config files with
    `sudo systemctl daemon-reload`
 3. Start and enable the service with
    `sudo systemctl enable --now laptop-lid.service`
 Now the status should be correct even after connecting/disconnecting when the computer is off.
 ## Hardware Management
 ### Power Profiles
@@ -839,8 +731,8 @@ vainfo
 ### Don't sleep while plugged in
-This is needed for the Framework 13 (11th gen) since sleeping while plugged in to a dock
+This is needed for the Framework 13 (11th gen) since sleeping while plugged in to a dock will
-will prevent it from waking up.
+prevent it from waking up.
 ```bash
 vim /etc/systemd/logind.conf
@@ -859,9 +751,21 @@ Without pipewire-pulse the audio level/device will reset every reboot.
 ## Software Stores
-### AppImage Support
+### Flatpak
-Also chmod +x before running.
+```bash
 pacman -S flatpak
 ```
 ### AppImage
 Install fuse for appimage support.
 ```bash
 sudo pacman -S fuse
 ```
 Make sure to chmod +x the `.appimage` file before running.
 1. `cp ~/Downloads/xxxxxxx.appimage ~/Applications`
 2. Find an icon online and save it to ~/.icons
@@ -877,69 +781,3 @@ Also chmod +x before running.
 4. `desktop-file-validate ~/.local/share/applications/*.desktop`
 5. `update-desktop-database`
 #### Troubleshooting
 fuse may be required to run an appimage.
 ```bash
 sudo pacman -S fuse
 ```
 ### Flatpak
 ```bash
 pacman -S flatpak
 ```
 ## Apps
 ### Firefox
 You'll want firefox and gnome-browser-connector (for gnome extension management).
 ```bash
 pacman -S firefox gnome-browser-connector
 ```
 Choose noto-fonts
 #### Gnome Extensions
 1. AlphabeticalAppGrid@stuarthayhurst
 2. <Vitals@CoreCoding.com>
 3. <dash-to-dock@micxgx.gmail.com>
 4. <tactile@lundal.io>
 ### Avahi (Bonjour)
 1. `pacman -S avahi`
 2. `vim /etc/nsswitch.conf`
    ```conf
    hosts: mymachines mdns [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
    ```
 3. `vim /etc/mdns.allow`
 ```conf
 .local.
 .local
 ```
 ### CUPS Printing
 Note: you need [avahi](#avahi-bonjour) for auto-discovery.
 1. `pacman -S cups cups-pdf system-config-printer gutenprint foomatic-db-gutenprint-ppds`
 2. `cups-genppdupdate`
 3. `usermod -aG lp ducoterra`
 4. `systemctl enable --now cups`
 5. In gnome settings: 
   1. Add printer
   2. Enter the IP address
   3. Wait...
   4. Select "JetDirect"
   5. Select Generic
   6. Select IPP Printer
   7. Print
--- a/infrastructure/graduated/arch/workstation.md
+++ b/infrastructure/graduated/arch/workstation.md
@@ -1,8 +1,18 @@
 # Workstation
 - [Workstation](#workstation)
  - [Pacman Packages](#pacman-packages)
    - [Upgrade/Downgrade](#upgradedowngrade)
    - [Freeze package](#freeze-package)
  - [Fingerprint Reader Support](#fingerprint-reader-support)
    - [Setup](#setup)
    - [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed)
  - [SSH](#ssh)
  - [Templates](#templates)
  - [Firefox](#firefox)
    - [Gnome Extensions](#gnome-extensions)
  - [Avahi (Bonjour)](#avahi-bonjour)
  - [CUPS Printing](#cups-printing)
  - [Toolbox](#toolbox)
  - [Podman](#podman)
  - [Docker](#docker)
@@ -39,6 +49,153 @@
  - [Glances](#glances)
  - [VirtualBox](#virtualbox)
 ## Pacman Packages
 ### Upgrade/Downgrade
 The [Arch Linux Archive](https://archive.archlinux.org/packages/) keeps snapshots of all packages
 from history. Search for your package on the site, copy the link for the `pkg.tar.zst` file, and run
 the following:
 ```bash
 # Replace link with the one you copied
 pacman -U https://archive.archlinux.org/packages/g/gdm/gdm-46.2-1-x86_64.pkg.tar.zst
 ```
 ### Freeze package
 You can freeze a package by adding it to the list of ignores in `/etc/pacman.conf`:
 ```conf
 ...
 IgnorePkg  = nano vim linux
 ...
 ```
 ## Fingerprint Reader Support
 ### Setup
 1. `pacman -S fprintd`
 2. `systemctl enable --now fprintd`
 3. `fprintd-enroll ducoterra`
 4. Install <https://aur.archlinux.org/pam-fprint-grosshack.git> to use fingerprint with gnome
 In order to use fingerprint auth with gnome for privileged system stuff with gdm, edit
 `/etc/pam.d/system-auth` to include `auth sufficient pam_fprintd_grosshack.so`.
 ```conf
 #%PAM-1.0
 auth       required                    pam_shells.so # User must have shell in /etc/shells
 auth       requisite                   pam_nologin.so # Prevents users from loging in if /etc/nologin exists
 auth       required                    pam_faillock.so      preauth # Timeout after certain number of fails
 # Optionally use requisite above if you do not want to prompt for the password
 # on locked accounts.
 auth       sufficient                  pam_fprintd_grosshack.so
 -auth      [success=2 default=ignore]  pam_systemd_home.so
 auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
 auth       [default=die]               pam_faillock.so      authfail
 auth       optional                    pam_permit.so
 auth       required                    pam_env.so
 auth       required                    pam_faillock.so      authsucc
 # If you drop the above call to pam_faillock.so the lock will be done also
 # on non-consecutive authentication failures.
 -account   [success=1 default=ignore]  pam_systemd_home.so
 account    required                    pam_unix.so
 account    optional                    pam_permit.so
 account    required                    pam_time.so
 -password  [success=1 default=ignore]  pam_systemd_home.so
 password   required                    pam_unix.so          try_first_pass nullok shadow
 password   optional                    pam_permit.so
 -session   optional                    pam_systemd_home.so
 session    required                    pam_limits.so
 session    required                    pam_unix.so
 session    optional                    pam_permit.so
 ```
 ### Turn Off Fingerprint When Laptop Lid Closed
 **NOTE: This may break fingerprint unlock. Testing in progress.**
 To disable fingerprint authentication when the laptop lid is closed, and re-enable when it is
 reopened, we will use acpid to bind to the button/lid.* event to a custom script that will comment
 out fprintd auth in /etc/pam.d/sudo.
 Usually we'd just `systemctl mask fprintd` but this breaks gdm (as of 08/06/23). See
 <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/2267> and
 <https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6585>.
 1. `pacman -S acpid` and then `systemctl enable --now acpid`
 2. Create file /etc/acpi/laptop-lid.sh with the following contents:
    ```bash
    #!/bin/bash
    if grep -Fq closed /proc/acpi/button/lid/LID0/state # &&
        # This is used to detect if a display is connected.
        # For USB C displayport use: 
        # grep -Fxq connected /sys/class/drm/card1-DP-2/status
        # For hdmi use:
        # grep -Fxq connected /sys/class/drm/card0-HDMI-A-1/status
    then
        # comment out fprintd
        sed -i -E 's/^([^#].*pam_fprintd.so)/#\1/g' /etc/pam.d/sudo
    else
        # uncomment fprintd
        sed -i -E 's/#(.*pam_fprintd.so)/\1/g' /etc/pam.d/sudo
    fi
    ```
 3. Make the file executable with
    `chmod +x /etc/acpi/laptop-lid.sh`
 4. Create file /etc/acpi/events/laptop-lid with the following contents:
    ```bash
    event=button/lid.*
    action=/etc/acpi/laptop-lid.sh
    ```
 5. Restart the acpid service with:
    `systemctl restart acpid`
 Now the fingerprint will be used only when the lid is open.
 In order to ensure the correct state after suspend we need a service file which runs our script on
 wake.
 1. Create a file named /etc/systemd/system/laptop-lid.service with the following contents:
    ```bash
    [Unit]
    Description=Laptop Lid
    After=suspend.target
    [Service]
    ExecStart=/etc/acpi/laptop-lid.sh
    [Install]
    WantedBy=multi-user.target
    WantedBy=suspend.target
    ```
 2. Reload the systemd config files with
    `sudo systemctl daemon-reload`
 3. Start and enable the service with
    `sudo systemctl enable --now laptop-lid.service`
 Now the status should be correct even after connecting/disconnecting when the computer is off.
 ## SSH
 Generate a key with password protection:
@@ -81,6 +238,57 @@ mkdir ~/Templates
 touch ~/Templates/text.txt
 ```
 ## Firefox
 You'll want firefox and gnome-browser-connector (for gnome extension management).
 ```bash
 pacman -S firefox gnome-browser-connector
 ```
 Choose noto-fonts
 ### Gnome Extensions
 1. AlphabeticalAppGrid@stuarthayhurst
 2. <Vitals@CoreCoding.com>
 3. <dash-to-dock@micxgx.gmail.com>
 4. <tactile@lundal.io>
 ## Avahi (Bonjour)
 1. `pacman -S avahi`
 2. `vim /etc/nsswitch.conf`
    ```conf
    hosts: mymachines mdns [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
    ```
 3. `vim /etc/mdns.allow`
 ```conf
 .local.
 .local
 ```
 ## CUPS Printing
 Note: you need [avahi](#avahi-bonjour) for auto-discovery.
 1. `pacman -S cups cups-pdf system-config-printer gutenprint foomatic-db-gutenprint-ppds`
 2. `cups-genppdupdate`
 3. `usermod -aG lp ducoterra`
 4. `systemctl enable --now cups`
 5. In gnome settings: 
   1. Add printer
   2. Enter the IP address
   3. Wait...
   4. Select "JetDirect"
   5. Select Generic
   6. Select IPP Printer
   7. Print
 ## Toolbox
 <https://wiki.archlinux.org/title/Toolbox>
@@ -494,7 +702,9 @@ Type=Application
 <https://github.com/nextcloud-releases/talk-desktop/releases>
 ```bash
-mv ~/Downloads/Nextcloud.Talk-linux-*/Nextcloud* ~/Applications/NextcloudTalk
+unzip ~/Downloads/Nextcloud.Talk-linux*.zip -d ~/Downloads
 rm -rf ~/Applications/NextcloudTalk
 mv ~/Downloads/'Nextcloud Talk-linux-x64' ~/Applications/NextcloudTalk
 ```
 vim ~/.local/share/applications/nextcloud-talk.desktop
@@ -533,6 +743,12 @@ Download the best quality video:
 yt-dlp -f "bv+ba/b" https://...
 ```
 Download a playlist:
 ```bash
 yt-dlp -f "bv+ba/b" --write-thumbnail https://www.youtube.com/watch?v=l-unefmAo9k&list=PLuYLhuXt4HrQqnfSceITmv6T_drx1hN84
 ```
 ## Iperf3
 ```bash