more post-installation updates and fixes

2024-08-04 10:01:08 -04:00
parent e4f58cf8f1
commit d55f842ab8
8 changed files with 77 additions and 308 deletions
--- a/hardware/graduated/unifi/README.md
+++ b/hardware/graduated/unifi/README.md
@@ -0,0 +1,15 @@
 # Unifi
 ## WiFi
 As of Aug 2024, auto seems to give the best results.
 ![Unifi Wifi Example](../../images/wifi.png)
 ![Unifi 6 Enterprise](../../images/u6e.png)
 ![Unifi 7 Pro](../../images/u7pro.png)
 ## Firewall
 ![Unifi v6 Firewall](../../images/firewall_accept.png)
--- a/hardware/images/firewall_accept.png
+++ b/hardware/images/firewall_accept.png
--- a/hardware/images/u6e.png
+++ b/hardware/images/u6e.png
--- a/hardware/images/u7pro.png
+++ b/hardware/images/u7pro.png
--- a/hardware/images/wifi.png
+++ b/hardware/images/wifi.png
--- a/infrastructure/graduated/arch/README.md
+++ b/infrastructure/graduated/arch/README.md
@@ -13,7 +13,8 @@ I have instructions for building a:
  - [Table of Contents](#table-of-contents)
  - [Installation](#installation)
    - [Preparation](#preparation)
-    - [Boot](#boot)
+    - [Installation](#installation-1)
    - [Gnome Keyring](#gnome-keyring)
    - [Base Tools](#base-tools)
    - [ZSH](#zsh)
    - [Prompt Themes](#prompt-themes)
@@ -24,9 +25,6 @@ I have instructions for building a:
        - [Re-enroll](#re-enroll)
      - [FIDO2 LUKS Decryption](#fido2-luks-decryption)
      - [Firewall](#firewall)
      - [AppArmor](#apparmor)
        - [Install Apparmor](#install-apparmor)
        - [Custom Profiles](#custom-profiles)
      - [ClamAV](#clamav)
      - [btrbk](#btrbk)
        - [fstab](#fstab)
@@ -45,21 +43,15 @@ I have instructions for building a:
    - [Don't sleep while plugged in](#dont-sleep-while-plugged-in)
    - [Bluetooth](#bluetooth)
    - [Audio](#audio)
    - [ISCSI](#iscsi)
  - [Software Stores](#software-stores)
    - [AppImage Support](#appimage-support)
      - [Troubleshooting](#troubleshooting)
    - [Flatpak](#flatpak)
  - [Apps](#apps)
    - [Toolbox](#toolbox)
    - [Firefox](#firefox)
      - [Gnome Extensions](#gnome-extensions)
    - [Avahi (Bonjour)](#avahi-bonjour)
    - [CUPS Printing](#cups-printing)
    - [Yubikey](#yubikey)
  - [Bashrc](#bashrc)
    - [Colorized Prompt](#colorized-prompt)
    - [Standard Bashrc](#standard-bashrc)
 ## Installation
@@ -89,7 +81,7 @@ Follow most of the instructions here:
 4. Disable secureboot (reenable later)
-### Boot
+### Installation
 You'll want two usb drives while following this guide. One will be the Arch boot drive. The
 other will be a support drive with critical files and passwords which we will need to access
@@ -259,6 +251,12 @@ after we finish the install.
 54. `exit`
 55. `reboot`
 ### Gnome Keyring
 Don't set a password for single-user systems. We're using full-disk encryption.
 This will let you login with just a fingerprint.
 ### Base Tools
 ```bash
@@ -388,7 +386,7 @@ Security Philosophy
    to custom.
 2. `pacman -S efitools sbctl`
-3. `cd /root/`
+3. `cd /btr_pools/root/support/`
 4. `for var in PK KEK db dbx ; do efi-readvar -v $var -o old_${var}.esl ; done`
 5. `sbctl create-keys`
 6. `sbctl enroll-keys -m`
@@ -412,13 +410,13 @@ You can optionally allow tpm2 decryption only while secure boot is active.
 Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure boot is disabled.
 1. `pacman -S tpm2-tss`
-2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7`
+2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7 --unlock-key-file=/btr_pools/root/support/root-key.txt`
 ##### Re-enroll
 ```bash
-systemd-cryptenroll /dev/nvme0n1p2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7
+systemd-cryptenroll /dev/nvme0n1p2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7 --unlock-key-file=/btr_pools/root/support/root-key.txt
-systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7
+systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7 --unlock-key-file=/btr_pools/root/support/root-key.txt
 ```
 #### FIDO2 LUKS Decryption
@@ -432,89 +430,6 @@ pacman -S ufw
 systemctl enable --now ufw
 ```
 #### AppArmor
 ##### Install Apparmor
 Apparmor protects your system by limiting the access binaries have to specific files.
 All binaries which are protected by apparmor profiles have a whitelist of allowed
 paths they can touch, even if they run as root.
 1. `pacman -S apparmor`
 2. `systemctl enable --now apparmor`
 3. `systemctl enable --now auditd`
 4. Add the correct kernel parameters
    /boot/loaders/entries/main.conf
    ```conf
    title Arch Linux
    ...
    options ...lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1...
    ```
 5. `reboot`
 ##### Custom Profiles
 You will likely need to create custom profiles for your apps. There are a few ways to
 do this but the least painful ways are as follows:
 1. A profile already exists in `/usr/share/apparmor/extra-profiles/`
    Check here first. More than likely there's a good starting point. This will probably
    need to be tuned but you can (and should) copy it to /etc/apparmor.d
 2. No profile exists in `/usr/share/apparmor/extra-profiles/`
    You can use `aa-genprof <binary>` to generate a profile for that binary and begin
    listening to log events. Then, launch the application and use it as intended. When
    you've done what you consider to be the typical use-case you should.
    1. Press `s` until it begins recommending additions to your profile
    2. Use (A) or (D) to add or deny paths
    3. Use (G) to glob a path
    4. Use (N) to write a custom path
    5. If prompted for an executable choose (I) to inherit the execution privileges from the parent process or (P) to use this application's profile. Sanitize if you chooose this app's profile
    6. When done, (F) to finish and (S) to save.
    7. Use `apparmor_parser -r /etc/apparmor.d/<profile>` to reload the profile
    8. Run `aa-enforce /etc/apparmor.d/<profile>` to set to enforce mode
    9. Try to launch the app. It will probably crash
    10. Run `aa-logprof`, add rules, `apparmor_parser -r /etc/apparmor.d/<profile>`, launch app, repeat until it works
    11. You can `tail /var/log/audit/audit.log` and grab a string like `msg=audit(1692576444.967:102858)` to use as a starting point rather than parsing the whole log. Like: `aa-logprof -m 'msg=audit(1692576444.967:102858)'`.
 From <https://manpages.ubuntu.com/manpages/xenial/man5/apparmor.d.5.html>
 ```text
 Access Modes
    File permission access modes consists of combinations of the following modes:
    r       - read
    w       - write -- conflicts with append
    a       - append -- conflicts with write
    ux      - unconfined execute
    Ux      - unconfined execute -- scrub the environment
    px      - discrete profile execute
    Px      - discrete profile execute -- scrub the environment
    cx      - transition to subprofile on execute
    Cx      - transition to subprofile on execute -- scrub the environment
    ix      - inherit execute
    pix     - discrete profile execute with inherit fallback
    Pix     - discrete profile execute with inherit fallback -- scrub the environment
    cix     - transition to subprofile on execute with inherit fallback
    Cix     - transition to subprofile on execute with inherit fallback -- scrub the
            environment
    pux     - discrete profile execute with fallback to unconfined
    PUx     - discrete profile execute with fallback to unconfined -- scrub the environment
    cux     - transition to subprofile on execute with fallback to unconfined
    CUx     - transition to subprofile on execute with fallback to unconfined -- scrub the
            environment
    deny x  - disallow execute (in rules with the deny qualifier)
    m       - allow PROT_EXEC with mmap(2) calls
    l       - link
    k       - lock
 ```
 #### ClamAV
 1. `pacman -S clamav`
@@ -729,11 +644,12 @@ btrfs send /mnt/btr_backup/root.20230727T1000 | pv | btrfs receive /mnt/btr_iscs
 You can create chroot environments to run firejails or just use for testing purposes.
-1. `btrfs sub create /chroots`
+1. `cd /btr_pools/root`
-2. `mkdir /testing`
+2. `btrfs sub create chroots`
-3. `pacman -S arch-install-scripts`
+3. `mkdir /btr_pools/root/chroots/testing`
-4. `pacstrap -K /chroots/testing/ base base-devel`
+4. `pacman -S arch-install-scripts`
-5. `arch-chroot /chroots/testing`
+5. `pacstrap -K /btr_pools/root/chroots/testing base base-devel`
 6. `arch-chroot /btr_pools/root/chroots/testing`
 #### Fingerprint Reader Support
@@ -907,55 +823,6 @@ Without pipewire-pulse the audio level/device will reset every reboot.
 1. `pacman -S pipewire-pulse` (remove conflicting packages)
 ### ISCSI
 ```bash
 pacman -S open-iscsi
 systemctl enable --now iscsid
 ```
 1. Add auth login
    /etc/iscsi/iscsid.conf
    ```conf
    node.session.auth.chap_algs = SHA3-256,SHA256,SHA1,MD5
    node.session.auth.username = username
    node.session.auth.password = password
    ```
 2. Initiate and login to the portal
    ```bash
    # Add a new target to your list of nodes
    iscsiadm \
        -m discovery \
        -t st \
        -p driveripper.reeselink.com
    # Login to the target
    iscsiadm \
        -m node \
        --targetname iqn.2023-01.driveripper.reeselink.com:backup-reese-pc \
        -p driveripper.reeselink.com:3260 \
        --login
    # or login to all targets
    iscsiadm -m node --loginall all
    # View current session
    iscsiadm -m session
    # Log out of all sessions
    iscsiadm -m node -u
    # Log out of a single session
    iscsiadm -m node -T iqn.2023-01.driveripper.reeselink.com:2024-01-framework --logout
    # Remove session
    iscsiadm -m node -o delete -T iqn.2023-01.driveripper.reeselink.com:2023-01-framework
    ```
 ## Software Stores
 ### AppImage Support
@@ -993,24 +860,6 @@ pacman -S flatpak
 ## Apps
 ### Toolbox
 <https://wiki.archlinux.org/title/Toolbox>
 Toolbox is a containerized workstation service via podman.
 ```bash
 # select "crun" when prompted
 pacman -S toolbox
 toolbox create
 toolbox enter
 sudo pacman -S zsh grml-zsh-config zsh-syntax-highlighting zsh-autosuggestions pkgfile
 ```
 ### Firefox
 You'll want firefox and gnome-browser-connector (for gnome extension management).
@@ -1046,140 +895,17 @@ Choose noto-fonts
 ### CUPS Printing
-Note: you probably need avahi (see above)
+Note: you need [avahi](#avahi-bonjour) for auto-discovery.
-1. `sudo pacman -S cups cups-pdf system-config-printer`
+1. `pacman -S cups cups-pdf system-config-printer gutenprint foomatic-db-gutenprint-ppds`
-2. `sudo vim /etc/nsswitch.conf`
+2. `cups-genppdupdate`
-
+3. `usermod -aG lp ducoterra`
-    ```conf
+4. `systemctl enable --now cups`
-    hosts: mymachines mdns [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
+5. In gnome settings: 
-    ```
+   1. Add printer
-
+   2. Enter the IP address
-3. `sudo systemctl start cups`
+   3. Wait...
-4. `sudo systemctl start avahi-daemon`
+   4. Select "JetDirect"
-
+   5. Select Generic
-### Yubikey
+   6. Select IPP Printer
-
+   7. Print
 You'll need the yubikey manager appimage in addition to the pacman package
 ```bash
 sudo pacman -S yubikey-manager
 ```
 Reboot and things should work. You might also have to start pcscd:
 ```bash
 sudo systemctl enable --now pcscd
 ```
 ## Bashrc
 ### Colorized Prompt
 <https://colors.sh/>
 You can change the prompt color by setting PROMPT_COLOR at the top of your .bashrc
 Examples:
 Yellow: `PROMPT_COLOR=33;`
 Orange: `PROMPT_COLOR=38;5;208;`
 Red: `PROMPT_COLOR=38;5;160;`
 ### Standard Bashrc
 Don't do this if you installed `zsh`
 ~/.bashrc
 ```bash
 # .bashrc
 # Source global definitions
 if [ -f /etc/bashrc ]; then
        . /etc/bashrc
 fi
 # User specific binaries
 if ! [[ "$PATH" =~ "$HOME/.local/bin:$HOME/bin:" ]]
 then
    PATH="$HOME/.local/bin:$HOME/bin:$PATH"
 fi
 export PATH
 # User specific aliases and functions (source .bashrc.d/)
 if [ -d ~/.bashrc.d ]; then
        for rc in ~/.bashrc.d/*; do
                if [ -f "$rc" ]; then
                        . "$rc"
                fi
        done
 fi
 # clear var used in for loop
 unset rc
 ```
 ~/.bashrc.d/aliases.sh
 ```bash
 # (Mostly) Taken from https://www.cyberciti.biz/tips/bash-aliases-mac-centos-linux-unix.html
 # Author: Vivek Gite
 ## Colorize the ls output ##
 alias ls="ls --color=auto"
 ## Colorize the grep command output for ease of use (good for log files)##
 alias grep='grep --color=auto'
 alias egrep='egrep --color=auto'
 alias fgrep='fgrep --color=auto'
 ## Make mount human readable ##
 alias mount='mount |column -t'
 ## show open ports ##
 alias ports='ss -tulanp'
 # do not delete / or prompt if deleting more than 3 files at a time #
 alias rm='rm -I --preserve-root'
 # confirmation #
 alias mv='mv -i'
 alias cp='cp -i'
 alias ln='ln -i'
 # Parenting changing perms on / #
 alias chown='chown --preserve-root'
 alias chmod='chmod --preserve-root'
 alias chgrp='chgrp --preserve-root'
 ## pass options to free ##
 alias meminfo='free -m -l -t'
 ## get top process eating memory
 alias psmem='ps auxf | sort -nr -k 4'
 alias psmem10='ps auxf | sort -nr -k 4 | head -10'
 ## get top process eating cpu ##
 alias pscpu='ps auxf | sort -nr -k 3'
 alias pscpu10='ps auxf | sort -nr -k 3 | head -10'
 ## this one saved by butt so many times ##
 alias wget='wget -c'
 ## set some other defaults ##
 alias df='df -H'
 alias du='du -ch'
 ## ls but with file sizes, showing largest at the bottom ## 
 alias lst='ls --human-readable --size -1 -S --classify -r'
 ## ls show only directories
 alias lsd='ls -d */'
 ## Count the number of files in a directory
 alias lsc='find . -type f | wc -l'
 ## ls sort by last modified ##
 alias lmt='ls -t -1'
 ```
--- a/infrastructure/graduated/arch/workstation.md
+++ b/infrastructure/graduated/arch/workstation.md
@@ -1,6 +1,7 @@
 # Workstation
 - [Workstation](#workstation)
  - [Toolbox](#toolbox)
  - [Podman](#podman)
  - [Docker](#docker)
  - [QEMU/KVM](#qemukvm)
@@ -36,6 +37,23 @@
  - [Glances](#glances)
  - [VirtualBox](#virtualbox)
 ## Toolbox
 <https://wiki.archlinux.org/title/Toolbox>
 Toolbox is a containerized workstation service via podman.
 ```bash
 # select "crun" when prompted
 pacman -S toolbox
 toolbox create
 toolbox enter
 sudo pacman -S zsh grml-zsh-config zsh-syntax-highlighting zsh-autosuggestions pkgfile
 ```
 ## Podman
 Install with the following
@@ -226,7 +244,7 @@ chmod +x ~/Applications/*.AppImage
 ```conf
 [Desktop Entry]
 Name=Bitwarden
-Exec=/home/ducoterra/Applications/Bitwarden.AppImage
+Exec=/home/ducoterra/Applications/Bitwarden.AppImage %u
 Icon=/home/ducoterra/.icons/bitwarden.png
 Type=Application
 ```
@@ -482,5 +500,8 @@ pacman -S glances
 For the linux kernel, choose virtualbox-host-modules-arch
 ```bash
-sudo pacman -S virtualbox
+pacman -S virtualbox
 # Required reboot to load the kernel modules
 reboot
 ```
--- a/infrastructure/graduated/qemu/README.md
+++ b/infrastructure/graduated/qemu/README.md
@@ -8,6 +8,13 @@
 ## QCOW2
 QCOW2 (KVM, Xen)        qcow2
 QED (KVM)               qed
 raw                     raw
 VDI (VirtualBox)        vdi
 VHD (Hyper-V)           vpc
 VMDK (VMware)           vmdk
 ### Restore qcow snapshots
 ```bash