reorganize after reinstall

2024-08-03 01:27:55 -04:00
parent a8d72d4b9a
commit 9f03aef14a
4 changed files with 325 additions and 380 deletions

1
.gitignore vendored

@@ -2,3 +2,4 @@ secrets/
venv/ venv/
tmp/ tmp/
.vscode/ .vscode/
Unsorted/


@@ -14,10 +14,13 @@ I have instructions for building a:
- [Installation](#installation) - [Installation](#installation)
- [Preparation](#preparation) - [Preparation](#preparation)
- [Boot](#boot) - [Boot](#boot)
- [Base Tools](#base-tools)
- [ZSH](#zsh)
- [Prompt Themes](#prompt-themes)
- [AUR](#aur) - [AUR](#aur)
- [Security](#security) - [Security](#security)
- [Secure Boot](#secure-boot) - [Secure Boot](#secure-boot)
- [TPM2 LUKS Decryption](#tpm2-luks-decryption) - [TPM2 LUKS Decryption with Secure Boot](#tpm2-luks-decryption-with-secure-boot)
- [Re-enroll](#re-enroll) - [Re-enroll](#re-enroll)
- [FIDO2 LUKS Decryption](#fido2-luks-decryption) - [FIDO2 LUKS Decryption](#fido2-luks-decryption)
- [Firewall](#firewall) - [Firewall](#firewall)
@@ -25,7 +28,6 @@ I have instructions for building a:
- [Install Apparmor](#install-apparmor) - [Install Apparmor](#install-apparmor)
- [Custom Profiles](#custom-profiles) - [Custom Profiles](#custom-profiles)
- [ClamAV](#clamav) - [ClamAV](#clamav)
- [Config](#config)
- [btrbk](#btrbk) - [btrbk](#btrbk)
- [fstab](#fstab) - [fstab](#fstab)
- [Snapshots](#snapshots) - [Snapshots](#snapshots)
@@ -35,9 +37,8 @@ I have instructions for building a:
- [Fingerprint Reader Support](#fingerprint-reader-support) - [Fingerprint Reader Support](#fingerprint-reader-support)
- [Setup](#setup) - [Setup](#setup)
- [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed) - [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed)
- [Desktop Environment](#desktop-environment)
- [Gnome](#gnome)
- [Hardware Management](#hardware-management) - [Hardware Management](#hardware-management)
- [Power Profiles](#power-profiles)
- [Color Management](#color-management) - [Color Management](#color-management)
- [Washed out colors with power-profiles-daemon](#washed-out-colors-with-power-profiles-daemon) - [Washed out colors with power-profiles-daemon](#washed-out-colors-with-power-profiles-daemon)
- [Hardware Acceleration](#hardware-acceleration) - [Hardware Acceleration](#hardware-acceleration)
@@ -50,6 +51,7 @@ I have instructions for building a:
- [Troubleshooting](#troubleshooting) - [Troubleshooting](#troubleshooting)
- [Flatpak](#flatpak) - [Flatpak](#flatpak)
- [Apps](#apps) - [Apps](#apps)
- [Toolbox](#toolbox)
- [Firefox](#firefox) - [Firefox](#firefox)
- [Gnome Extensions](#gnome-extensions) - [Gnome Extensions](#gnome-extensions)
- [Avahi (Bonjour)](#avahi-bonjour) - [Avahi (Bonjour)](#avahi-bonjour)
@@ -89,6 +91,10 @@ Follow most of the instructions here:
### Boot ### Boot
You'll want two usb drives while following this guide. One will be the Arch boot drive. The
other will be a support drive with critical files and passwords which we will need to access
after we finish the install.
1. Boot into the live image 1. Boot into the live image
2. Check for network connectivity 2. Check for network connectivity
@@ -99,13 +105,20 @@ Follow most of the instructions here:
``` ```
3. `timedatectl` to update system clock 3. `timedatectl` to update system clock
4. If using a VM, mount the iso with arch conf files 4. Install pwgen for password generation `pacman -S pwgen`
5. If using a VM, mount the iso with arch conf files
```bash ```bash
mount --mkdir /dev/sr1 /media mount --mkdir /dev/sr1 /media
``` ```
5. Create disk partitions. Use gdisk or beware "bootctl install is not on a gpt partition table" 6. If using a physical computer, mount your support drive
```bash
mount --mkdir /dev/sdb1 /media
```
7. Create disk partitions. Use gdisk or beware "bootctl install is not on a gpt partition table"
```bash ```bash
fdisk -l fdisk -l
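Review bot: step 6 hard-codes `/dev/sdb1` for the support drive, and a later step writes `root-key.txt` under `/media`; USB device names are not stable, so a wrong guess puts the key on the wrong filesystem. Tell the reader to confirm the device with `lsblk -f` before mounting. Steps 5 and 6 could also be a single step with the VM and physical variants side by side, since both mount at `/media`.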
@@ -116,57 +129,50 @@ Follow most of the instructions here:
- t EFI SYSTEM for /boot - t EFI SYSTEM for /boot
- remaining for / - remaining for /
6. `mkfs.fat -F 32 /dev/vda1` (/mnt/boot partition) 8. `mkfs.fat -F 32 /dev/vda1` (/mnt/boot partition)
7. This next step involves generating a secure, random password. Make sure to 9. This next step involves generating a secure, random password. Make sure to
save this somewhere. I recommend having an encrypted partition on your save this somewhere. I recommend having an encrypted partition on your
installation drive to which you can write a few bytes of text. installation drive to which you can write a few bytes of text.
`echo -n $(pwgen 8 5) | sed 's/ /-/g' > root-key.txt` `echo -n $(pwgen 8 5) | sed 's/ /-/g' > /media/root-key.txt`
8. `cryptsetup luksFormat /dev/vda2 --key-file /path/to/root-key.txt` 10. `cryptsetup luksFormat /dev/vda2 --key-file /path/to/root-key.txt`
9. `cryptsetup luksOpen /dev/vda2 root --key-file /path/to/root-key.txt` 11. `cryptsetup luksOpen /dev/vda2 root --key-file /path/to/root-key.txt`
10. `mkfs.btrfs /dev/mapper/root` (root partition) 12. `mkfs.btrfs /dev/mapper/root` (root partition)
11. At this point you can choose how to subvolume your root partition 13. At this point you can choose how to subvolume your root partition
```bash ```bash
mount --mkdir -o subvolid=5 /btr_pool mount --mkdir -o subvolid=5 /btr_pool
btrfs sub create root /btr_pool btrfs sub create root /btr_pool
btrfs sub create home /btr_pool btrfs sub create home /btr_pool
...
``` ```
12. Mount the root partition with `mount -o subvol=root /dev/mapper/root /mnt` 14. Mount the root partition with `mount -o subvol=root /dev/mapper/root /mnt`
13. Mount the home partition with `mount -o subvol=home /dev/mapper/root /mnt/home` 15. Mount the home partition with `mount -o subvol=home /dev/mapper/root /mnt/home`
14. Mount the boot partition with `mount --mkdir /dev/vda1 /mnt/boot` 16. Mount the boot partition with `mount --mkdir /dev/vda1 /mnt/boot`
15. If on VM: Mount the conf files with `mount --mkdir /dev/sr1 /mnt/media` 17. `pacstrap -K /mnt base linux linux-firmware`
16. `pacstrap -K /mnt base linux linux-firmware`
This command might show an error. This is ok, we'll fix it later. This command might show an error. This is ok, we'll fix it later.
17. `genfstab -U /mnt >> /mnt/etc/fstab` 20. `genfstab -U /mnt >> /mnt/etc/fstab`
18. `arch-chroot /mnt` 21. If on VM: Mount the conf files with `mount --mkdir /dev/sr1 /mnt/media`
19. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime` 18. If on a physical computer: mount the support parition with `mount --mkdir /dev/sdb1 /mnt/media`
20. `hwclock --systohc` 22. `arch-chroot /mnt`
21. `echo 'en_US.UTF-8 UTF-8' > /etc/locale.gen` 23. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime`
22. `echo 'KEYMAP=us' > /etc/vconsole.conf` 24. `hwclock --systohc`
23. `echo 'hostname' > /etc/hostname` 25. `echo 'en_US.UTF-8 UTF-8' > /etc/locale.gen`
24. `pacman -S sudo vim dhclient dhcpcd bash-completion btrfs-progs plymouth` 26. `echo 'KEYMAP=us' > /etc/vconsole.conf`
27. `echo 'hostname' > /etc/hostname`
28. `pacman -S sudo vim dhclient dhcpcd bash-completion btrfs-progs plymouth`
- dhclient/dhcpcd provides dhcp for network - dhclient/dhcpcd provides dhcp for network
- bash-completion provides tab complete - bash-completion provides tab complete
- btrfs-progs provides fsck for btrfs - btrfs-progs provides fsck for btrfs
- plymouth gives a nice bootloader screen - plymouth gives a nice bootloader screen
25. Edit /etc/mkinitcpio.conf and set up systemd/sd-encrypt 29. Edit /etc/mkinitcpio.conf and uncomment the line for systemd-boot with an encrypted drive.
30. `mkinitcpio -P`
/etc/mkinitcpio.conf 31. Install systemd-boot
```conf
HOOKS=(systemd plymouth autodetect modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)
```
26. `mkinitcpio -P`
27. Install systemd-boot
<https://wiki.archlinux.org/title/systemd-boot> <https://wiki.archlinux.org/title/systemd-boot>
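Review bot: step 9 now writes the key to `/media/root-key.txt`, but steps 10 and 11 still pass `--key-file /path/to/root-key.txt`, so the path used to format and open the volume no longer matches the file just written. Use `/media/root-key.txt` in both, and since step 9's own text recommends an encrypted partition for this file, say whether the support drive mounted at `/media` is meant to be one. The new numbering also runs 17, 20, 21, 18, 22, and "parition" in the physical-computer step is a typo. Step 29 drops the explicit `HOOKS=(... sd-encrypt ...)` line; "uncomment the line for systemd-boot with an encrypted drive" does not say which line, and the `rd.luks.name=` option in the loader entry depends on the `sd-encrypt` hook being present.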
@@ -177,51 +183,48 @@ Follow most of the instructions here:
If this raises an error like "efi partition not found" you probably forgot to format If this raises an error like "efi partition not found" you probably forgot to format
/mnt/boot as an EFI partition. Edit this by reformatting it with gdisk (ef00 is the hex code). /mnt/boot as an EFI partition. Edit this by reformatting it with gdisk (ef00 is the hex code).
28. edit your loader.conf with some defaults 32. edit your loader.conf with some defaults
/boot/loader/loader.conf /boot/loader/loader.conf
```conf ```conf
default main.conf default arch.conf
timeout 4 timeout 4
console-mode max console-mode max
editor no editor no
``` ```
29. Create a loader (/usr/share/systemd/bootctl/arch.conf for example) 33. Create a loader (/usr/share/systemd/bootctl/arch.conf for example)
/boot/loader/entries/main.conf /boot/loader/entries/arch.conf
```conf ```conf
title Arch Linux title Arch Linux
linux /vmlinuz-linux linux /vmlinuz-linux
initrd /initramfs-linux.img initrd /initramfs-linux.img
options quiet splash rd.luks.name=d9828faa-2b8c-4184-9e74-9054ae328c6d=root root=/dev/mapper/root rootflags=subvol=root nvme.noacpi=1 acpi_osi="!Windows 2020" mem_sleep_default="deep" rw options ... rd.luks.name=d9828faa-2b8c-4184-9e74-9054ae328c6d=root root=/dev/mapper/root rootflags=subvol=root ...
``` ```
You can get the UUID of the disk into arch.conf with some grepping. Use vim to cut You can get the UUID of the disk into arch.conf with some grepping. Use vim to cut
the excess and copy it into the correct location. the excess and copy it into the correct location.
```bash ```bash
blkid | grep /dev/vda2 >> /boot/loader/entries/main.conf blkid | grep /dev/vda2 >> /boot/loader/entries/arch.conf
``` ```
30. `useradd ducoterra` 34. `useradd ducoterra`
31. `passwd ducoterra` 35. `passwd ducoterra`
32. `groupadd sudo` 36. `groupadd sudo`
33. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege 37. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege
34. `usermod -aG sudo ducoterra` 38. `usermod -aG sudo ducoterra`
35. `usermod -aG wheel ducoterra` 39. `usermod -aG wheel ducoterra`
36. `mkdir /home/ducoterra` 40. `mkdir /home/ducoterra`
37. `chown ducoterra:ducoterra /home/ducoterra` 41. `chown ducoterra:ducoterra /home/ducoterra`
38. `locale-gen` 42. `locale-gen`
39. `systemctl enable dhcpcd` 43. `systemctl enable dhcpcd`
40. If on VM install guest drivers: `pacman -S qemu-guest-agent spice-vdagent` 44. If on VM install guest drivers: `pacman -S qemu-guest-agent spice-vdagent`
41. If you need ssh: `pacman -S openssh; systemctl enable sshd` 45. If you need ssh: `pacman -S openssh; systemctl enable sshd`
42. `exit` 46. Add a pacman hook for systemd-boot updates
43. `reboot`
44. Remove your installation medium and boot into arch
45. Add a pacman hook for systemd-boot updates
/etc/pacman.d/hooks/95-systemd-boot.hook /etc/pacman.d/hooks/95-systemd-boot.hook
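Review bot: the `options` line in `arch.conf` now has `...` on both sides of `rd.luks.name=`, so the entry cannot be copied as shown and the previously listed flags (`quiet splash`, `rw`, the `nvme` and `acpi` settings) disappear from the page. Say what the ellipses stand for, and replace the literal UUID with a placeholder, since the paragraph that follows has the reader paste their own from `blkid`.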
@@ -237,13 +240,83 @@ Follow most of the instructions here:
Exec = /usr/bin/systemctl restart systemd-boot-update.service Exec = /usr/bin/systemctl restart systemd-boot-update.service
``` ```
47. Install gnome: `pacman -S gdm gnome`
- choose pipewire-jack
- choose wireplumber
- choose noto-fonts-emoji
48. `systemctl enable gdm`
49. Install NetworkManager `pacman -S networkmanager`
50. `systemctl enable NetworkManager`
51. Install gnome nice-to-haves `pacman -S gnome-tweaks dconf-editor seahorse`
52. Install tpm2-tss for tpm2 disk decryption `pacman -S tpm2-tss`
53. Setup tpm2 disk decryption
```bash
systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs="" --unlock-key-file=/media/root-key.txt
```
54. `exit`
55. `reboot`
### Base Tools
```bash
# gvfs and gvfs-dnssd are for webdav support
pacman -S rsync which git iperf3 pwgen dosfstools exfatprogs gvfs gvfs-dnssd wget
```
### ZSH
```bash
pacman -S zsh grml-zsh-config zsh-syntax-highlighting zsh-autosuggestions pkgfile
chsh -s $(which zsh)
cat <<EOF > ~/.zshrc
# Basic settings
autoload bashcompinit && bashcompinit
autoload -U compinit; compinit
zstyle ':completion:*' menu select
# Prompt settings
autoload -Uz promptinit
promptinit
PROMPT_EOL_MARK=
# Syntax Highlighting
source /usr/share/zsh/plugins/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
source /usr/share/zsh/plugins/zsh-autosuggestions/zsh-autosuggestions.zsh
# Command Not Found Autocomplete
source /usr/share/doc/pkgfile/command-not-found.zsh
### Custom Commands and Aliases ###
EOF
```
### Prompt Themes
See: <https://wiki.archlinux.org/title/Zsh#Prompt_themes>
Use `prompt -l` to list prompts
Use `prompt -p` to see previews
In your `.zshrc` set the following:
```bash
autoload -Uz promptinit
promptinit
prompt grml
```
### AUR ### AUR
The AUR lets you install community-created and maintained packages. Here are the basics: The AUR lets you install community-created and maintained packages. Here are the basics:
```bash ```bash
pacman -S --needed git base-devel pacman -S --needed git base-devel
mkdir ~/aur mkdir ~/AUR
# When you find a project, the basic installation looks like this: # When you find a project, the basic installation looks like this:
git clone <git repo from aur> git clone <git repo from aur>
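Review bot: step 53 enrolls the TPM2 slot with `--tpm2-pcrs=""`, which binds the key to no PCR values, so the TPM will release it regardless of Secure Boot state or what was booted on the machine. The Security section of this same file states that `--tpm2-pcrs=7` makes unlock fall back to the password when secure boot is disabled; either mark this enrollment as temporary and point to the Re-enroll step as a required follow-up, or move TPM enrollment to after Secure Boot is configured. The step also reads the passphrase from `/media/root-key.txt`, which is the support drive mounted into the chroot, so the steps before `reboot` should say to remove that drive.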
@@ -281,16 +354,7 @@ Security Philosophy
establish a connection. Firewalls can also be used to limit an attacker's ability establish a connection. Firewalls can also be used to limit an attacker's ability
to even discover you on a network with icmp blocking. to even discover you on a network with icmp blocking.
4. AppArmor 4. ClamAV
AppArmor is a mandatory access control system like SELinux. Even if you
don't configure it beyond its defaults, AppArmor is still a good thing to
have available. Apps which come with an apparmor profile will offer you an
additional layer of security. In the same way that a firewall protects you
from remote attacks, AppArmor protects you from privilege escalation
attacks and malicious binaries by blocking them at the source.
5. ClamAV
Much like Windows has Windows Defender, Linux has ClamAV. Running an antivirus scanner Much like Windows has Windows Defender, Linux has ClamAV. Running an antivirus scanner
certainly isn't the end-all-be-all of security, and it definitely isn't good enough certainly isn't the end-all-be-all of security, and it definitely isn't good enough
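Review bot: item 4 (AppArmor) is removed from the Security Philosophy list, but the table of contents in this same file still carries "Install Apparmor" and "Custom Profiles" as unchanged entries. Either keep a short rationale here so the later section has context, or remove that section as well if AppArmor is no longer part of the setup.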
@@ -299,14 +363,14 @@ Security Philosophy
being said, finding *any* malware on a system is reason enough to nuke it from orbit and restore from a being said, finding *any* malware on a system is reason enough to nuke it from orbit and restore from a
known good backup. known good backup.
6. BTRFS Snapshots 5. BTRFS Snapshots
This is not a backup, this is a snapshot. It serves an equally important function, however, This is not a backup, this is a snapshot. It serves an equally important function, however,
in that it protects you from accidental deletion and corruption. Let's imagine you perform in that it protects you from accidental deletion and corruption. Let's imagine you perform
an update, reboot, and your computer crashes mid-startup. You could easily restore root an update, reboot, and your computer crashes mid-startup. You could easily restore root
from a btrfs snapshot on your system and go on with your day like nothing happened. from a btrfs snapshot on your system and go on with your day like nothing happened.
7. BTRFS Backups 6. BTRFS Backups
This is a backup. Unlike snapshots, which live on the same drive your system exists This is a backup. Unlike snapshots, which live on the same drive your system exists
on, backups are physically separate copies of your computer stored (hopefully) in a on, backups are physically separate copies of your computer stored (hopefully) in a
@@ -341,7 +405,9 @@ Security Philosophy
There is a pacman hook which will automatically sign new binaries on update. There is a pacman hook which will automatically sign new binaries on update.
#### TPM2 LUKS Decryption #### TPM2 LUKS Decryption with Secure Boot
You can optionally allow tpm2 decryption only while secure boot is active.
Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure boot is disabled. Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure boot is disabled.
@@ -456,26 +522,17 @@ Access Modes
- OR - - OR -
1. `freshclam` 1. `touch /var/log/clamav/freshclam.log`
2. `systemctl enable --now clamav-freshclam.service` 2. `systemctl enable --now clamav-freshclam.service`
3. `systemctl enable --now clamav-daemon.service` 3. `systemctl enable --now clamav-daemon.service`
4. `clamdscan --multiscan --fdpass /home/ducoterra` 4. `clamdscan --multiscan --fdpass /home/ducoterra`
##### Config
```conf
UpdateLogFile /var/log/clamav/freshclam.log
PidFile /run/clamav/freshclam.pid
DatabaseMirror database.clamav.net
NotifyClamd /etc/clamav/clamd.conf
```
#### btrbk #### btrbk
```bash ```bash
cd Downloads cd Downloads
wget https://raw.githubusercontent.com/digint/btrbk/master/btrbk wget https://raw.githubusercontent.com/digint/btrbk/master/btrbk
clamscan . clamdscan .
chmod +x btrbk chmod +x btrbk
sudo mv btrbk /usr/bin/ sudo mv btrbk /usr/bin/
``` ```
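Review bot: in the btrbk block, `clamdscan .` is called without `--fdpass`, unlike step 4 above (`clamdscan --multiscan --fdpass /home/ducoterra`); without it the daemon opens the files itself and may not be able to read the user's Downloads directory. The script is also fetched from the `master` branch and moved to `/usr/bin/` with the scan as its only check; pin the URL to a release tag so the installed version is reproducible. Step 1 now only touches the freshclam log; if the manual `freshclam` run is no longer needed, say that the service performs the first database download before `clamav-daemon` is enabled.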
@@ -492,84 +549,74 @@ mkdir -p /btr_pools/root
```conf ```conf
# btr_pools # btr_pools
UUID=84153269-f194-43f7-a4fe-e72aaffdb97a /btr_pools/root btrfs rw,relatime,ssd,space_cache=v2,subvolid=256,subvolid=5 0 0 UUID=84153269-f194-43f7-a4fe-e72aaffdb97a /btr_pools/root btrfs rw,relatime,ssd,space_cache=v2,subvolid=5 0 0
``` ```
```bash ```bash
systemctl daemon-reload systemctl daemon-reload
mount -a mount -a
btrfs sub create /btr_pools/root/.snapshots btrfs sub create /btr_pools/root/.snapshots
btrbk -c /etc/btrbk/snapshots.conf dryrun
btrbk -c /etc/btrbk/snapshots.conf run
``` ```
##### Snapshots ##### Snapshots
1. Create a snapshot config `mkdir /etc/btrbk`
/etc/btrbk/snapshots.conf Create a snapshot config
```conf /etc/btrbk/snapshots.conf
snapshot_preserve_min 24h
snapshot_preserve 14d
# root ```conf
volume /btr_pools/root snapshot_preserve_min 24h
snapshot_preserve 24h
# root
volume /btr_pools/root
subvolume root subvolume root
snapshot_dir .snapshots snapshot_dir .snapshots
# home # home
volume /btr_pools/root volume /btr_pools/root
subvolume home subvolume home
snapshot_dir .snapshots snapshot_dir .snapshots
```
# libvirt Then create a snapshot service
volume /btr_pools/root
subvolume libvirt
snapshot_dir .snapshots
# nextcloud /etc/systemd/system/btrbk_snapshots.service
volume /btr_pools/root
subvolume nextcloud
snapshot_dir .snapshots
```
2. Then create a snapshot service ```conf
[Unit]
Description=Runs btrbk with config file at /etc/btrbk/snapshots.conf
/etc/systemd/system/btrbk_snapshots.service [Service]
ExecStart=/usr/bin/btrbk -c /etc/btrbk/snapshots.conf -v run
```
```conf Then create a timer for the service
[Unit]
Description=Runs btrbk with config file at /etc/btrbk/snapshots.conf
[Service] /etc/systemd/system/btrbk_snapshots.timer
ExecStart=/usr/bin/btrbk -c /etc/btrbk/snapshots.conf -v run
```
3. Then create a timer for the service ```conf
[Unit]
Description=Run snapshots every hour
/etc/systemd/system/btrbk_snapshots.timer [Timer]
OnCalendar=hourly
```conf AccuracySec=10min
[Unit] Persistent=true
Description=Run snapshots every hour Unit=btrbk_snapshots.service
[Timer] [Install]
OnCalendar=hourly WantedBy=timers.target
```
AccuracySec=10min Then enable the service
Persistent=true
Unit=btrbk_snapshots.service
[Install] ```bash
WantedBy=timers.target systemctl enable --now btrbk_snapshots.timer
``` ```
4. Then enable the service
```bash
systemctl enable --now btrbk_snapshots.timer
```
##### Backups ##### Backups
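Review bot: in `/etc/btrbk/snapshots.conf`, `snapshot_preserve 24h` alongside `snapshot_preserve_min 24h` keeps no snapshot older than about a day, where the other column has `14d`. With the hourly timer below, that is a one-day rollback window; if that is intended, say so in the text, otherwise `snapshot_preserve 24h 14d` keeps both hourly and daily snapshots. The `libvirt` and `nextcloud` subvolumes also drop out of the config here, which is worth a sentence if those subvolumes still exist on the reinstalled system.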
@@ -596,17 +643,17 @@ Third, I'd recommend iterating dot directories you'd need to restore and writing
down somewhere: down somewhere:
1. .aws 1. .aws
2. .config 2. .cache
3. .gitconfig 3. .config
4. .icons 4. .gitconfig
5. .kube 5. .icons
6. .local 6. .kube
7. .minecraft 7. .local
8. .ssh 8. .minecraft
9. .steam 9. .mozilla
10. .vimrc 10. .ssh
11. .vscode 11. .steam
12. .vscode-oss 12. .vimrc
13. .wireguard 13. .wireguard
14. .zshrc 14. .zshrc
@@ -695,7 +742,9 @@ You can create chroot environments to run firejails or just use for testing purp
1. `pacman -S fprintd` 1. `pacman -S fprintd`
2. `systemctl enable --now fprintd` 2. `systemctl enable --now fprintd`
3. `fprintd-enroll ducoterra` 3. `fprintd-enroll ducoterra`
4. Enable fingerprint terminal login but prompt for password first (enter switches to prompt for fingerprint) 4. ~~Enable fingerprint terminal login but prompt for password first (enter switches to prompt for fingerprint)~~
DON'T DO THIS <https://wiki.archlinux.org/title/Fprint#Login_configuration>
/etc/pam.d/sudo /etc/pam.d/sudo
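Review bot: step 4 is struck through and marked "DON'T DO THIS", but the `/etc/pam.d/sudo` snippet that follows it is still in place, so the instructions remain copyable. Remove the snippet or label it clearly as not recommended, and give the reason in a sentence instead of only linking the wiki.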
@@ -783,33 +832,44 @@ runs our script on wake.
Now the status should be correct even after connecting/disconnecting when the computer is off. Now the status should be correct even after connecting/disconnecting when the computer is off.
## Desktop Environment
### Gnome
1. `pacman -S gdm gnome`
- choose pipewire-jack
- choose wireplumber
- choose noto-fonts-emoji
2. `systemctl enable --now gdm`
3. `pacman -S networkmanager`
4. `systemctl enable --now NetworkManager`
5. `pacman -S gnome-tweaks dconf-editor seahorse`
## Hardware Management ## Hardware Management
### Power Profiles
<https://wiki.archlinux.org/title/CPU_frequency_scaling#power-profiles-daemon>
```bash
pacman -S power-profiles-daemon
systemctl enable --now power-profiles-daemon
```
### Color Management ### Color Management
<https://wiki.archlinux.org/title/Framework_Laptop_13#Display> <https://wiki.archlinux.org/title/Framework_Laptop_13#Display>
<https://wiki.archlinux.org/title/ICC_profiles#Wayland> <https://wiki.archlinux.org/title/ICC_profiles#Wayland>
```bash
cp /home/ducoterra/Downloads/BOE_CQ... /usr/share/color/icc/colord/
colormgr get-profiles
colormgr get-devices
colormgr device-add-profile xrandr-BOE-0x095f-0x00000000 icc-eca2e6d155d550a5e78c97a34ac3fcae
```
### Washed out colors with power-profiles-daemon ### Washed out colors with power-profiles-daemon
<https://wiki.archlinux.org/title/Framework_Laptop_13#(AMD)_Washed-out_colors_when_using_power-profiles-daemon_in_power-saver_or_balanced_mode> <https://wiki.archlinux.org/title/Framework_Laptop_13#(AMD)_Washed-out_colors_when_using_power-profiles-daemon_in_power-saver_or_balanced_mode>
```bash
systemctl edit power-profiles-daemon.service --drop-in=disable_panel_powersavings
```
```conf
[Service]
ExecStart=
ExecStart=/usr/lib/power-profiles-daemon --block-action=amdgpu_panel_power
```
### Hardware Acceleration ### Hardware Acceleration
(This helps enable hardware encoding/decoding for steam streaming) (This helps enable hardware encoding/decoding for steam streaming)
@@ -833,13 +893,8 @@ vainfo
This is needed for the Framework 13 (11th gen) since sleeping while plugged in to a dock This is needed for the Framework 13 (11th gen) since sleeping while plugged in to a dock
will prevent it from waking up. will prevent it from waking up.
/etc/systemd/logind.conf ```bash
vim /etc/systemd/logind.conf
```conf
...
HandleLidSwitchExternalPower=lock
HandleLidSwitchDocked=ignore
...
``` ```
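Review bot: the lid-switch block now only says `vim /etc/systemd/logind.conf`; the two settings that carried the fix, `HandleLidSwitchExternalPower=lock` and `HandleLidSwitchDocked=ignore`, are gone, so the section no longer says what to change. Keep the values next to the edit command.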
### Bluetooth ### Bluetooth
@@ -939,6 +994,24 @@ pacman -S flatpak
## Apps ## Apps
### Toolbox
<https://wiki.archlinux.org/title/Toolbox>
Toolbox is a containerized workstation service via podman.
```bash
# select "crun" when prompted
pacman -S toolbox
toolbox create
toolbox enter
sudo pacman -S zsh grml-zsh-config zsh-syntax-highlighting zsh-autosuggestions pkgfile
```
### Firefox ### Firefox
You'll want firefox and gnome-browser-connector (for gnome extension management). You'll want firefox and gnome-browser-connector (for gnome extension management).
@@ -958,19 +1031,19 @@ Choose noto-fonts
### Avahi (Bonjour) ### Avahi (Bonjour)
1. `sudo pacman -S avahi` 1. `pacman -S avahi`
2. `sudo vim /etc/nsswitch.conf` 2. `vim /etc/nsswitch.conf`
```conf ```conf
hosts: mymachines mdns [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns hosts: mymachines mdns [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
``` ```
3. `sudo vim /etc/mdns.allow` 3. `vim /etc/mdns.allow`
```conf ```conf
.local. .local.
.local .local
``` ```
### CUPS Printing ### CUPS Printing


@@ -176,6 +176,26 @@ pacman -U --noconfirm sunshine.pkg.tar.zst
<https://github.com/moonlight-stream/moonlight-qt/releases> <https://github.com/moonlight-stream/moonlight-qt/releases>
```bash
mv ~/Downloads/Moonlight-*.AppImage ~/Applications/Moonlight.AppImage
chmod +x ~/Applications/*.AppImage
```
vim ~/.local/share/applications/moonlight.desktop
```conf
[Desktop Entry]
Name=Moonlight
Exec=/home/ducoterra/Applications/Moonlight.AppImage %u
Icon=/home/ducoterra/.icons/Moonlight.ico
Type=Application
```
```bash
update-desktop-database
```
Ctrl + Alt + Shift + Q (Moonlight Stream) Ctrl + Alt + Shift + Q (Moonlight Stream)
Quit the streaming session (leaving the game running on the host PC) Quit the streaming session (leaving the game running on the host PC)
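Review bot: `chmod +x ~/Applications/*.AppImage` marks every AppImage in that directory executable, not only the one just moved; use `chmod +x ~/Applications/Moonlight.AppImage`. The downloaded file also goes straight to executable with no check, while the btrbk and yt-dlp steps in this commit run `clamdscan` first; apply the same step here for consistency.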


@@ -1,15 +1,6 @@
# Workstation # Workstation
- [Workstation](#workstation) - [Workstation](#workstation)
- [Framework AMD Notes](#framework-amd-notes)
- [ATH12K Wifi Drivers](#ath12k-wifi-drivers)
- [Microcode](#microcode)
- [linux-git kernel](#linux-git-kernel)
- [Base Tools](#base-tools)
- [ZSH](#zsh)
- [Prompt Themes](#prompt-themes)
- [Aliases](#aliases)
- [Rollback Pacman Update](#rollback-pacman-update)
- [Podman](#podman) - [Podman](#podman)
- [Docker](#docker) - [Docker](#docker)
- [QEMU/KVM](#qemukvm) - [QEMU/KVM](#qemukvm)
@@ -37,140 +28,12 @@
- [AWS CLI](#aws-cli) - [AWS CLI](#aws-cli)
- [NSlookup](#nslookup) - [NSlookup](#nslookup)
- [rpi-imager](#rpi-imager) - [rpi-imager](#rpi-imager)
- [Install rpi-imager](#install-rpi-imager)
- [Upgrade rpi-imager](#upgrade-rpi-imager)
- [qFlipper](#qflipper) - [qFlipper](#qflipper)
- [Nextcloud Talk](#nextcloud-talk) - [Nextcloud Talk](#nextcloud-talk)
- [FFMpeg](#ffmpeg)
## Framework AMD Notes - [Youtube-dlp](#youtube-dlp)
- [Iperf3](#iperf3)
### ATH12K Wifi Drivers - [Glances](#glances)
Install the wireless-regdb to set the regulatory domain to US
```bash
pacman -S wireless-regdb
```
Edit `/etc/conf.d/wireless-regdom` to set the domain
<https://git.codelinaro.org/clo/ath-firmware/ath12k-firmware/-/tree/main>
1. `git clone https://git.codelinaro.org/clo/ath-firmware/ath12k-firmware`
2. `cd ath12k-firmware`
3. Run the following:
```bash
wget https://github.com/qca/qca-swiss-army-knife/raw/master/tools/scripts/ath12k/ath12k-fw-repo
chmod 755 ath12k-fw-repo
sudo ./ath12k-fw-repo --install /lib/firmware
```
4. `sudo cp ath12k/board.bin /lib/firmware/ath12k/WCN7850/hw2.0/`
5. `sudo cp ath12k/regdb.bin /lib/firmware/ath12k/WCN7850/hw2.0/`
6. Reboot
### Microcode
```bash
pacman -S amd-ucode
```
Edit /boot/loader/entries/.conf and add the following:
```bash
title Arch Linux (Work)
linux /vmlinuz-linux
initrd /amd-ucode.img
initrd /initramfs-linux.img
options ...
```
### linux-git kernel
<https://aur.archlinux.org/packages/linux-git>
1. `git clone https://aur.archlinux.org/linux-git.git`
2. `cd linux-git`
3. `makepkg`
4. `sudo pacman -U linux-git... linux-git-headers...`
## Base Tools
```bash
# gvfs and gvfs-dnssd are for webdav support
pacman -S rsync which git iperf3 pwgen dosfstools exfatprogs gvfs gvfs-dnssd
```
## ZSH
```bash
pacman -S zsh grml-zsh-config zsh-syntax-highlighting zsh-autosuggestions pkgfile
chsh -s $(which zsh)
cat <<EOF > ~/.zshrc
# Basic settings
autoload bashcompinit && bashcompinit
autoload -U compinit; compinit
zstyle ':completion:*' menu select
# Prompt settings
autoload -Uz promptinit
promptinit
PROMPT_EOL_MARK=
# Syntax Highlighting
source /usr/share/zsh/plugins/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
source /usr/share/zsh/plugins/zsh-autosuggestions/zsh-autosuggestions.zsh
# Command Not Found Autocomplete
source /usr/share/doc/pkgfile/command-not-found.zsh
### Custom Commands and Aliases ###
EOF
```
### Prompt Themes
See: <https://wiki.archlinux.org/title/Zsh#Prompt_themes>
Use `prompt -l` to list prompts
Use `prompt -p` to see previews
In your `.zshrc` set the following:
```bash
autoload -Uz promptinit
promptinit
prompt grml
```
### Aliases
You can put you aliases in `.zshrc` with the following format:
```bash
alias update='sudo pacman -Syu --noconfirm'
```
It's recommended that for complicated/multiline aliases you create a folder called
`~/.local/scripts` where you store each alias. Make sure to back up this folder!
#### Rollback Pacman Update
This script will grep for all updates performed today and roll them back one by one.
rollback_update.sh
```bash
grep -a upgraded /var/log/pacman.log| grep $(date +"%Y-%m-%d") > /tmp/lastupdates.txt
awk '{print $4}' /tmp/lastupdates.txt > /tmp/lines1;awk '{print $5}' /tmp/lastupdates.txt | sed 's/(/-/g' > /tmp/lines2
paste /tmp/lines1 /tmp/lines2 > /tmp/lines
tr -d "[:blank:]" < /tmp/lines > /tmp/packages
cd /var/cache/pacman/pkg/
for i in $(cat /tmp/packages); do sudo pacman --noconfirm -U "$i"*; done
```
## Podman ## Podman
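Review bot: the Microcode section (`pacman -S amd-ucode` and the `initrd /amd-ucode.img` loader line) is deleted here and no hunk in this commit adds it back; the `arch.conf` entry in the install steps lists only `initrd /initramfs-linux.img`. If microcode is now handled another way, note it; otherwise carry the section over along with Base Tools and ZSH. The same applies to Aliases and Rollback Pacman Update, which are removed without a new home.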
@@ -211,41 +74,14 @@ You can use btrfs as your storage driver by following these instructions:
## QEMU/KVM ## QEMU/KVM
1. Install virtualization capabilties Install virtualization capabilties
```bash ```bash
pacman -S qemu-full libvirt iptables-nft dnsmasq virt-manager qemu-desktop swtpm # DNSMasq is required - do not start it with systemd, qemu will handle that.
usermod -aG libvirt ducoterra pacman -S qemu-full dnsmasq virt-manager
``` systemctl enable --now libvirtd
virsh net-autostart default
2. Edit /etc/libvirt/libvirtd.conf ```
```conf
...
unix_sock_group = 'libvirt'
...
unix_sock_rw_perms = '0770'
...
```
3. Edit /etc/libvirt/qemu.conf
```conf
# Some examples of valid values are:
#
# user = "qemu" # A user named "qemu"
# user = "+0" # Super user (uid=0)
# user = "100" # A user named "100" or a user with uid=100
#
user = "ducoterra"
# The group for QEMU processes run by the system instance. It can be
# specified in a similar way to user.
group = "ducoterra"
```
4. `sudo systemctl enable --now libvirtd`
5. `sudo virsh net-autostart default`
If you get a blank screen when launching a VM check that you've used the correct bios - If you get a blank screen when launching a VM check that you've used the correct bios -
either secboot or not secboot. This is the most common problem. either secboot or not secboot. This is the most common problem.
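Review bot: the new install line `pacman -S qemu-full dnsmasq virt-manager` no longer names `libvirt`, yet the next line enables `libvirtd`, so the block relies on it arriving as a dependency; list it explicitly. `swtpm` is dropped as well, which matters if any VM uses an emulated TPM with the secboot firmware mentioned in the note below. With `usermod -aG libvirt` and the `unix_sock_group` settings removed, add a line on how the desktop user is expected to reach the system libvirt socket.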
@@ -560,6 +396,7 @@ Type=Application
# Install less if you don't have it already # Install less if you don't have it already
pacman -S less pacman -S less
cd ~/Downloads
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip unzip awscliv2.zip
sudo ./aws/install sudo ./aws/install
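Review bot: `sudo ./aws/install` runs on a freshly downloaded archive with no integrity check, unlike the btrbk and yt-dlp steps in this commit, which scan the download first. Add a verification step before the `sudo` line, and remove `awscliv2.zip` and the unpacked `aws/` directory from `~/Downloads` afterwards now that the block changes into that directory.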
@@ -574,7 +411,11 @@ complete -C '/usr/local/bin/aws_completer' aws
## NSlookup ## NSlookup
```bash ```bash
pacman -Syu bind # Do this in a toolbox
toolbox enter
# Install
pacman -S bind
``` ```
## rpi-imager ## rpi-imager
@@ -582,33 +423,9 @@ pacman -Syu bind
<https://github.com/raspberrypi/rpi-imager> <https://github.com/raspberrypi/rpi-imager>
```bash ```bash
sudo pacman -S cmake qt5-base toolbox create -d ubuntu -r 24.04
``` toolbox enter toolbox enter ubuntu-toolbox-24.04
sudo apt install rpi-imager
### Install rpi-imager
```bash
git clone https://github.com/raspberrypi/rpi-imager.git
cd rpi-imager
mkdir -p build
cd build
cmake ../src
make
sudo make install
```
### Upgrade rpi-imager
```bash
```bash
cd rpi-imager
git pull
rm -r build
mkdir -p build
cd build
cmake ../src
make
sudo make install
``` ```
## qFlipper ## qFlipper
@@ -649,3 +466,37 @@ Type=Application
```bash ```bash
update-desktop-database update-desktop-database
``` ```
## FFMpeg
```bash
# Select pipewire-jack when prompted
pacman -S ffmpeg
```
## Youtube-dlp
<https://github.com/yt-dlp/yt-dlp>
1. Download `yt-dlp_linux`
2. `clamdscan yt-dlp_linux`
3. `cp yt-dlp_linux /usr/local/bin/yt-dlp`
4. Install ffmpeg `pacman -S ffmpeg`
Download the best quality video:
```bash
yt-dlp -f "bv+ba/b" https://...
```
## Iperf3
```bash
pacman -S iperf3
```
## Glances
```bash
pacman -S glances
```
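Review bot: in the Youtube-dlp steps, step 3 copies `yt-dlp_linux` to `/usr/local/bin/yt-dlp` with no `chmod +x`, so the installed file may not be executable. Step 2's `clamdscan` also lacks the `--fdpass` flag that the ClamAV section uses. Step 1 should name the release asset URL rather than only "Download", and step 4 repeats the FFMpeg section directly above it.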