moving everything to active or retired vs incubating and graduated
All checks were successful
Reese's Arch Toolbox / build-and-push-arch-toolbox (push) Successful in 14s

2025-04-19 18:46:40 -04:00
parent 6e393d90ee
commit ef9104c796
234 changed files with 456 additions and 244 deletions

1064
active/os_arch/arch-base.md Normal file

File diff suppressed because it is too large


@@ -0,0 +1,922 @@
# Workstation
- [Workstation](#workstation)
- [Pacman Packages](#pacman-packages)
- [Upgrade/Downgrade](#upgradedowngrade)
- [Freeze package](#freeze-package)
- [Fingerprint Reader Support](#fingerprint-reader-support)
- [Setup](#setup)
- [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed)
- [SSH](#ssh)
- [Templates](#templates)
- [Ungoogled Chromium](#ungoogled-chromium)
- [Ungoogled Chromium AUR](#ungoogled-chromium-aur)
- [Ungoogled Chromium Manual Build](#ungoogled-chromium-manual-build)
- [Firefox](#firefox)
- [Gnome Extensions](#gnome-extensions)
- [Avahi (Bonjour)](#avahi-bonjour)
- [CUPS Printing](#cups-printing)
- [Toolbox](#toolbox)
- [Podman](#podman)
- [Docker](#docker)
- [QEMU/KVM](#qemukvm)
- [Arch Guests](#arch-guests)
- [Kubernetes](#kubernetes)
- [VSCode](#vscode)
- [Wireguard](#wireguard)
- [Remote Desktop](#remote-desktop)
- [Transmission](#transmission)
- [VLC](#vlc)
- [Bitwarden](#bitwarden)
- [Nextcloud](#nextcloud)
- [Insomnia](#insomnia)
- [QMK](#qmk)
- [Initialization](#initialization)
- [Development](#development)
- [Cura](#cura)
- [Creality Print](#creality-print)
- [Bambu Studio](#bambu-studio)
- [Firewall Rules for LAN Printer](#firewall-rules-for-lan-printer)
- [Adding LAN printer via config](#adding-lan-printer-via-config)
- [Custom Filament Profiles](#custom-filament-profiles)
- [Orca Slicer](#orca-slicer)
- [AWS CLI](#aws-cli)
- [NSlookup](#nslookup)
- [rpi-imager](#rpi-imager)
- [qFlipper](#qflipper)
- [Nextcloud Talk](#nextcloud-talk)
- [FFMpeg](#ffmpeg)
- [Youtube-dlp](#youtube-dlp)
- [Iperf3](#iperf3)
- [Glances](#glances)
- [VirtualBox](#virtualbox)
- [Email](#email)
- [Traffic Usage](#traffic-usage)
- [Wine](#wine)
- [KDE Connect (GSConnect)](#kde-connect-gsconnect)
- [Python](#python)
- [Pyenv](#pyenv)
- [Poetry](#poetry)
- [Note Taking](#note-taking)
- [Calculator](#calculator)
- [Disk Usqage](#disk-usqage)
## Pacman Packages
### Upgrade/Downgrade
The [Arch Linux Archive](https://archive.archlinux.org/packages/) keeps snapshots of all packages
from history. Search for your package on the site, copy the link for the `pkg.tar.zst` file, and run
the following:
```bash
# Replace link with the one you copied
pacman -U https://archive.archlinux.org/packages/g/gdm/gdm-46.2-1-x86_64.pkg.tar.zst
```
### Freeze package
You can freeze a package by adding it to the list of ignores in `/etc/pacman.conf`:
```conf
...
IgnorePkg = nano vim linux
...
```
## Fingerprint Reader Support
### Setup
1. `pacman -S fprintd`
2. `systemctl enable --now fprintd`
3. `fprintd-enroll ducoterra`
4. Install <https://aur.archlinux.org/pam-fprint-grosshack.git> to use fingerprint with gnome
In order to use fingerprint auth with gnome for privileged system stuff with gdm, edit
`/etc/pam.d/system-auth` to include `auth sufficient pam_fprintd_grosshack.so`.
```conf
#%PAM-1.0
auth required pam_shells.so # User must have shell in /etc/shells
auth requisite pam_nologin.so # Prevents users from loging in if /etc/nologin exists
auth required pam_faillock.so preauth # Timeout after certain number of fails
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth sufficient pam_fprintd_grosshack.so
-auth [success=2 default=ignore] pam_systemd_home.so
auth [success=1 default=bad] pam_unix.so try_first_pass nullok
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
-account [success=1 default=ignore] pam_systemd_home.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
-password [success=1 default=ignore] pam_systemd_home.so
password required pam_unix.so try_first_pass nullok shadow
password optional pam_permit.so
-session optional pam_systemd_home.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
```
### Turn Off Fingerprint When Laptop Lid Closed
**NOTE: This may break fingerprint unlock. Testing in progress.**
To disable fingerprint authentication when the laptop lid is closed, and re-enable when it is
reopened, we will use acpid to bind to the button/lid.* event to a custom script that will comment
out fprintd auth in /etc/pam.d/sudo.
Usually we'd just `systemctl mask fprintd` but this breaks gdm (as of 08/06/23). See
<https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/2267> and
<https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6585>.
1. `pacman -S acpid` and then `systemctl enable --now acpid`
2. Create file /etc/acpi/laptop-lid.sh with the following contents:
```bash
#!/bin/bash
if grep -Fq closed /proc/acpi/button/lid/LID0/state # &&
# This is used to detect if a display is connected.
# For USB C displayport use:
# grep -Fxq connected /sys/class/drm/card1-DP-2/status
# For hdmi use:
# grep -Fxq connected /sys/class/drm/card0-HDMI-A-1/status
then
# comment out fprintd
sed -i -E 's/^([^#].*pam_fprintd.so)/#\1/g' /etc/pam.d/sudo
else
# uncomment fprintd
sed -i -E 's/#(.*pam_fprintd.so)/\1/g' /etc/pam.d/sudo
fi
```
3. Make the file executable with
`chmod +x /etc/acpi/laptop-lid.sh`
4. Create file /etc/acpi/events/laptop-lid with the following contents:
```bash
event=button/lid.*
action=/etc/acpi/laptop-lid.sh
```
5. Restart the acpid service with:
`systemctl restart acpid`
Now the fingerprint will be used only when the lid is open.
In order to ensure the correct state after suspend we need a service file which runs our script on
wake.
1. Create a file named /etc/systemd/system/laptop-lid.service with the following contents:
```bash
[Unit]
Description=Laptop Lid
After=suspend.target
[Service]
ExecStart=/etc/acpi/laptop-lid.sh
[Install]
WantedBy=multi-user.target
WantedBy=suspend.target
```
2. Reload the systemd config files with
`sudo systemctl daemon-reload`
3. Start and enable the service with
`sudo systemctl enable --now laptop-lid.service`
Now the status should be correct even after connecting/disconnecting when the computer is off.
## SSH
Generate a key with password protection:
```bash
# Omit "-N 'password'" to have it prompt you
ssh-keygen -f ~/.ssh/test-key -N 'PASSWORD'
```
Change the password for an ssh key:
```bash
# Use "-N ''" to remove the password
ssh-keygen -p -N 'PASSWORD' -f ~/.ssh/test-key
```
This is an example config entry in `~/.ssh/config`:
```conf
Host my-host
Hostname my-host.reeselink.com
User root
ProxyCommand none
ForwardAgent no
ForwardX11 no
Port 22
KeepAlive yes
IdentityFile ~/.ssh/id_my-host_rsa
```
You can ssh to that host with `ssh my-host` after adding a config entry.
## Templates
You can add files in `~/Templates` to give yourself quick-create options in the gnome
file browser context menu.
```bash
mkdir ~/Templates
touch ~/Templates/text.txt
```
## Ungoogled Chromium
<https://github.com/ungoogled-software/ungoogled-chromium-archlinux>
### Ungoogled Chromium AUR
<https://aur.archlinux.org/packages/ungoogled-chromium-bin>
Make sure to `pacman -S gnome-browser-connector` and grab the [Gnome Shell Integration](https://chromewebstore.google.com/detail/gnome-shell-integration/gphhapmejobijbbhgpjhcjognlahblep)
Install the [chromium-web-store](https://github.com/NeverDecaf/chromium-web-store) extension to use
chrome web store extensions.
### Ungoogled Chromium Manual Build
<https://github.com/ungoogled-software/ungoogled-chromium-archlinux>
```bash
# Install required dependencies. Make sure your user has access to sudo
sudo pacman -S base-devel
# Clone this repository
git clone https://github.com/ungoogled-software/ungoogled-chromium-archlinux
# Navigate into the repository
cd ungoogled-chromium-archlinux
# Check out the latest tag
git checkout $(git describe --abbrev=0 --tags)
# Start the build, this will download all necessary dependencies automatically
makepkg -s
# Install
makepkg --install
```
## Firefox
You'll want firefox and gnome-browser-connector (for gnome extension management).
```bash
pacman -S firefox gnome-browser-connector
```
Choose noto-fonts
### Gnome Extensions
1. AlphabeticalAppGrid@stuarthayhurst
2. <Vitals@CoreCoding.com>
3. <dash-to-dock@micxgx.gmail.com>
4. <tactile@lundal.io>
5. GSConnect
## Avahi (Bonjour)
1. `pacman -S avahi`
2. `vim /etc/nsswitch.conf`
```conf
hosts: mymachines mdns [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
```
3. `vim /etc/mdns.allow`
```conf
.local.
.local
```
## CUPS Printing
Note: you need [avahi](#avahi-bonjour) for auto-discovery.
1. `pacman -S cups cups-pdf system-config-printer gutenprint foomatic-db-gutenprint-ppds`
2. `cups-genppdupdate`
3. `usermod -aG lp ducoterra`
4. `systemctl enable --now cups`
To add a new printer:
<https://github.com/OpenPrinting/cups/?tab=readme-ov-file#setting-up-printers>
`lpadmin -p printer-name -E -v "ipp://1.2.3.4/ipp/print" -m everywhere`
## Toolbox
<https://wiki.archlinux.org/title/Toolbox>
Toolbox is a containerized workstation service via podman.
```bash
# select "crun" when prompted
pacman -S toolbox
toolbox create
toolbox enter
sudo pacman -S zsh grml-zsh-config zsh-syntax-highlighting zsh-autosuggestions pkgfile
```
## Podman
Install with the following
`pacman -S podman buildah cni-plugins slirp4netns podman-dnsname aardvark-dns`
Then you can run rootless containers like so:
```bash
podman pull docker.io/library/python:3.11
podman run -it python:3.11 bash
podman network create test
podman pod create --network test --publish 8000:8000 test1
podman run -it --pod test1 python:3.11 bash
```
You can also deploy pods with kubernetes yamls.
```bash
podman network create test
podman kube play --network test podman-deploy.yaml --replace
```
## Docker
```bash
pacman -Sy docker docker-compose
usermod -aG docker ducoterra
```
logout, log back in to use docker as non-root user.
You can use btrfs as your storage driver by following these instructions:
<https://docs.docker.com/storage/storagedriver/btrfs-driver/>
## QEMU/KVM
Install virtualization capabilties
```bash
# DNSMasq is required - do not start it with systemd, qemu will handle that.
pacman -S qemu-full dnsmasq virt-manager
systemctl enable --now libvirtd
virsh net-autostart default
```
Then edit `/etc/libvirt/network.conf` and add:
```conf
firewall_backend="iptables"
```
Make sure to restart libvirtd with `systemctl restart libvirtd`.
If you get a blank screen when launching a VM check that you've used the correct bios -
either secboot or not secboot. This is the most common problem.
### Arch Guests
In order to get drivers for spice you'll need the guest spice drivers:
```bash
sudo pacman -S qemu-guest-agent spice-vdagent
```
## Kubernetes
```bash
pacman -S kubectl helm
```
## VSCode
For the open source version of code install `code`:
```bash
sudo pacman -S code
```
You'll probably also want to enable default vscode marketplace extensions (like pylance):
See Arch wiki here: <https://wiki.archlinux.org/title/Visual_Studio_Code#Extensions_support>
Code Marketplace: <https://aur.archlinux.org/packages/code-marketplace>
Pylance Support: <https://aur.archlinux.org/packages/code-features>
This version of code does not render with wayland by default. If using
fractional scaling this causes blurriness. To fix this you'll need to modify the
.desktop file and add the wayland argument:
```bash
cp /usr/share/applications/code-oss.desktop ~/.local/share/applications/
vim ~/.local/share/applications/code-oss.desktop
```
Add `--ozone-platform=wayland` to the `Exec` section:
```conf
[Desktop Entry]
...
Exec=code-oss --ozone-platform=wayland %F
...
[Desktop Action new-empty-window]
...
Exec=code-oss --ozone-platform=wayland --new-window %F
...
```
For the proprietary version of vscode use the AUR:
<https://aur.archlinux.org/packages/visual-studio-code-bin>
```bash
cd ~/aur
git clone https://aur.archlinux.org/visual-studio-code-bin.git
cd visual-studio-code-bin
makepkg -si
```
## Wireguard
Wireguard requires `linux-headers`. If that isn't installed or is misconfigured your
vpn likely won't activate.
```bash
pacman -S wireguard-tools
```
## Remote Desktop
```bash
pacman -S remmina freerdp
```
## Transmission
```bash
pacman -S gtk4 transmission-gtk
```
## VLC
```bash
pacman -S vlc
```
## Bitwarden
```bash
pacman -S bitwarden
```
Enable fractional scaling support:
```bash
cp /usr/share/applications/bitwarden.desktop ~/.local/share/applications/
vim ~/.local/share/applications/bitwarden.desktop
```
bitwarden.desktop
```conf
[Desktop Entry]
...
Exec=bitwarden-desktop --ozone-platform=wayland
...
```
## Nextcloud
<https://wiki.archlinux.org/title/Nextcloud#Desktop>
```bash
pacman -S nextcloud-client
```
For app icon support, install <https://extensions.gnome.org/extension/615/appindicator-support/>
## Insomnia
<https://github.com/Kong/insomnia/releases/tag/core@2023.5.7>
```bash
mv ~/Downloads/Insomnia*.AppImage ~/Applications/Insomnia.AppImage
chmod +x ~/Applications/*.AppImage
```
```conf
[Desktop Entry]
Name=Insomnia
Exec=/home/ducoterra/Applications/Insomnia.AppImage
Icon=/home/ducoterra/.icons/insomnia.png
Type=Application
```
## QMK
### Initialization
I have a mirror and a fork of the mirror on my personal Gitea. For this strategy you'll
need to checkout the fork and add the mirror. This ensures I'll always have an up-to-date
mirror of qmk while also giving me a repo to make changes for my personal keyboards.
```bash
git clone git@gitea.reeseapps.com:ducoterra/qmk_firmware.git
cd qmk_firmware
git remote add mirror git@gitea.reeseapps.com:mirrors/qmk_firmware.git
git fetch mirror
git rebase mirror/master
pacman -S qmk
qmk setup
sudo cp /home/ducoterra/qmk_firmware/util/udev/50-qmk.rules /etc/udev/rules.d/
qmk config user.keyboard=keychron/q11/ansi_encoder
qmk config user.keymap=ducoterra
```
### Development
Every time you start a project you'll want to sync with the mirror.
```bash
git fetch mirror
git rebase mirror/master
```
Commit to master while you're in the fork.
## Cura
<https://ultimaker.com/software/ultimaker-cura/#links>
```bash
mv ~/Downloads/*Cura*.AppImage ~/Applications/Cura.AppImage
chmod +x ~/Applications/*.AppImage
```
```conf
[Desktop Entry]
Name=Cura
Exec=/home/ducoterra/Applications/Cura.AppImage
Icon=/home/ducoterra/.icons/cura.png
Type=Application
```
## Creality Print
<https://www.creality.com/pages/download-software?spm=..page_11657537.creality_print_1.1>
```bash
mv ~/Downloads/Creality_Print*.AppImage ~/Applications/Creality_Print.AppImage
chmod +x ~/Applications/*.AppImage
```
```conf
[Desktop Entry]
Name=Creality Print
Exec=/home/ducoterra/Applications/Creality_Print.AppImage
Icon=/home/ducoterra/.icons/creality_print.png
Type=Application
```
## Bambu Studio
Install with flatpak.
```bash
flatpak install com.bambulab.BambuStudio
```
### Firewall Rules for LAN Printer
For local LAN discovery allow 2021/udp
```bash
sudo ufw allow 2021/udp
sudo ufw reload
```
### Adding LAN printer via config
The config is located at `~/.var/app/com.bambulab.BambuStudio/config/BambuStudio/BambuStudio.conf`
At the very top of the config you can add a pin for a printer permanently with:
```json
"access_code": {
"printer serial number": "access code here"
},
```
### Custom Filament Profiles
Custom profiles are located at
`.var/app/com.bambulab.BambuStudio/config/BambuStudio/user/default/filament/base`
Sync this with something like Nextcloud.
## Orca Slicer
<https://github.com/SoftFever/OrcaSlicer>
This is an open source fork of Bambu Slicer with more features.
```bash
# You might need to install webkit2gtk
pacman -S webkit2gtk
```
```bash
mv ~/Downloads/OrcaSlicer*.AppImage ~/Applications/OrcaSlicer.AppImage
chmod +x ~/Applications/*.AppImage
```
```conf
[Desktop Entry]
Name=Orca Slicer
Exec=/home/ducoterra/Applications/OrcaSlicer.AppImage
Icon=/home/ducoterra/.icons/orca_slicer.png
Type=Application
```
## AWS CLI
<https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html>
```bash
# Install less if you don't have it already
pacman -S less
cd ~/Downloads
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
```
Add the following to your .zshrc:
```bash
complete -C '/usr/local/bin/aws_completer' aws
```
## NSlookup
```bash
# Do this in a toolbox
toolbox enter
# Install
pacman -S bind
```
## rpi-imager
<https://github.com/raspberrypi/rpi-imager>
```bash
toolbox create -d ubuntu -r 24.04
toolbox enter toolbox enter ubuntu-toolbox-24.04
sudo apt install rpi-imager
```
## qFlipper
<https://flipperzero.one/update>
```bash
mv ~/Downloads/*qFlipper*.AppImage ~/Applications/qFlipper.AppImage
chmod +x ~/Applications/*.AppImage
```
```conf
[Desktop Entry]
Name=qFlipper
Exec=/home/ducoterra/Applications/qFlipper.AppImage
Icon=/home/ducoterra/.icons/qFlipper.png
Type=Application
```
## Nextcloud Talk
<https://github.com/nextcloud-releases/talk-desktop/releases>
```bash
unzip ~/Downloads/Nextcloud.Talk-linux*.zip -d ~/Downloads
rm -rf ~/Applications/NextcloudTalk
mv ~/Downloads/'Nextcloud Talk-linux-x64' ~/Applications/NextcloudTalk
```
vim ~/.local/share/applications/nextcloud-talk.desktop
```conf
[Desktop Entry]
Name=Nextcloud Talk
Exec="/home/ducoterra/Applications/NextcloudTalk/Nextcloud Talk" --ozone-platform=wayland %U
Icon=/home/ducoterra/.icons/NextcloudTalk.png
Type=Application
```
```bash
update-desktop-database
```
## FFMpeg
```bash
# Select pipewire-jack when prompted
pacman -S ffmpeg
```
## Youtube-dlp
<https://github.com/yt-dlp/yt-dlp>
1. Download `yt-dlp_linux`
2. `clamdscan yt-dlp_linux`
3. `cp yt-dlp_linux /usr/local/bin/yt-dlp`
4. Install ffmpeg `pacman -S ffmpeg`
Download the best quality video:
```bash
yt-dlp -f "bv+ba/b" https://...
```
Download a playlist:
```bash
yt-dlp -f "bv+ba/b" --write-thumbnail https://www.youtube.com/watch?v=l-unefmAo9k&list=PLuYLhuXt4HrQqnfSceITmv6T_drx1hN84
```
## Iperf3
```bash
pacman -S iperf3
```
## Glances
```bash
pacman -S glances
```
## VirtualBox
<https://wiki.archlinux.org/title/VirtualBox>
For the linux kernel, choose virtualbox-host-modules-arch
```bash
pacman -S virtualbox
# Required reboot to load the kernel modules
reboot
```
## Email
- Download Proton Mail Bridge PKGBUILD: <https://proton.me/mail/bridge>
```bash
makepkg -si
```
- Open protonmail bridge and login
- Install geary email client
```bash
pacman -S geary
```
- Open geary
- Add the account following protonmail bridge's instructions
## Traffic Usage
Nethogs shows per-app network utilization.
```bash
pacman -S nethogs
# You'll need to run this with sudo if you aren't root
nethogs
```
## Wine
```bash
pacman -S wine
```
You can adjust the dpi scaling for wine with `winecfg`.
## KDE Connect (GSConnect)
Install the GSConnect extension for Gnome.
Open the firewall for connecting devices <https://userbase.kde.org/KDEConnect#Troubleshooting>
```bash
sudo ufw allow 1714:1764/udp
sudo ufw allow 1714:1764/tcp
sudo ufw reload
```
## Python
### Pyenv
<https://github.com/pyenv/pyenv?tab=readme-ov-file#installation>
```bash
curl https://pyenv.run | bash
```
Add to `~/.zshrc`:
```bash
export PYENV_ROOT="$HOME/.pyenv"
[[ -d $PYENV_ROOT/bin ]] && export PATH="$PYENV_ROOT/bin:$PATH"
eval "$(pyenv init -)"
```
Install and use a Python version:
```bash
pyenv install 3.13
pyenv global 3.13
```
### Poetry
<https://python-poetry.org/docs/>
```bash
python -m pip install --user pipx
python -m pipx ensurepath
pipx install poetry
pipx ensurepath # source ~/.zshrc or ~/.bashrc
```
Create a new project in the current directory
```bash
poetry new .
```
## Note Taking
```bash
flatpak install org.kde.marknote
```
## Calculator
```bash
flatpak install org.gnome.Calculator
```
## Disk Usqage
```bash
flatpak install org.gnome.baobab
```
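
Review bot: In "Turn Off Fingerprint When Laptop Lid Closed", `/etc/acpi/laptop-lid.sh` does not touch the rule that the Setup section installs. Setup adds `auth sufficient pam_fprintd_grosshack.so` to `/etc/pam.d/system-auth`, while the script's `sed` edits `/etc/pam.d/sudo` and matches `pam_fprintd.so`, a pattern that does not match `pam_fprintd_grosshack.so`. As written, closing the lid leaves the system-auth fingerprint rule active. Point the script at the file and module name that are actually configured, and tighten the uncomment expression `s/#(.*pam_fprintd.so)/\1/g` so it only reverts lines the script itself commented out, not any commented line that mentions the module. Smaller points in the same file: the playlist URL in the Youtube-dlp section is unquoted, so the shell treats the `&` before `list=` as a background operator and the playlist id never reaches yt-dlp; `toolbox enter toolbox enter ubuntu-toolbox-24.04` under rpi-imager repeats the subcommand; and the SSH examples pass `-N 'PASSWORD'` on the command line, which leaves the passphrase in shell history, so the prompting form mentioned in the comment is the better one to show first.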


@@ -0,0 +1,9 @@
[Trigger]
Type = Package
Operation = Upgrade
Target = systemd
[Action]
Description = Gracefully upgrading systemd-boot...
When = PostTransaction
Exec = /usr/bin/systemctl restart systemd-boot-update.service


@@ -0,0 +1,4 @@
title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options quiet splash rd.luks.name=UUID=root root=/dev/mapper/root rootflags=subvol=root nvme.noacpi=1 acpi_osi="!Windows 2020" mem_sleep_default="deep" rw
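
Review bot: The `options` line carries `rd.luks.name=UUID=root` with the literal text `UUID` where the LUKS volume's UUID belongs, and nothing in the file says it has to be substituted. Copied as committed, the entry gives the initramfs no real volume to unlock, so `root=/dev/mapper/root` will not appear. Add a comment line above `options` stating that `UUID` is a placeholder and how to obtain the value (for example from `blkid` on the encrypted partition), or use a more obvious marker such as `<LUKS-UUID>`.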


@@ -0,0 +1,4 @@
default arch.conf
timeout 4
console-mode max
editor no

File diff suppressed because it is too large

Binary file not shown.

Binary file not shown.


@@ -0,0 +1,61 @@
# Deprecated
## Firejail
Don't use firejail, it's a suid binary which only runs in userspace. Apparmor does
almost exactly the same thing but runs in the kernel at boot and protects you more
completely. I'm leaving this here in case you're interested but realistically you
should just learn apparmor.
Firejail launches supported applications in a sandboxed environment where it limits access
to system files and resources.
For example:
- Firefox will not be able to access more than a small subset of your home directory.
- VSCode will not be able to acces ~/.config/autostart.
1. `sudo pacman -S firejail`
2. `sudo apparmor_parser -r /etc/apparmor.d/firejail-default`
3. `sudo firecfg`
4. `firecfg --fix`
5. `sudo rm /usr/local/bin/dnsmasq` (this fixes an issue with virsh network start)
6. Add a pacman hook to apply firejail on install
/etc/pacman.d/hooks/firejail.hook
```conf
[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Operation = Remove
Target = usr/bin/*
Target = usr/share/applications/*.desktop
[Action]
Description = Configure symlinks in /usr/local/bin based on firecfg.config...
When = PostTransaction
Depends = firejail
Exec = /bin/sh -c 'firecfg >/dev/null 2>&1'
```
You can run firejail with noprofile to fix access issues (like firefox gnome connector)
```bash
firejail --noprofile firefox
```
You'll probably want to enable the following
`sudo cat /etc/firejail/firejail.config | grep -e '^[^#].*'`
/etc/firejail/firejail.config
```conf
browser-disable-u2f no
chroot yes
firejail-prompt yes
force-nonewprivs yes
tracelog yes
```
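
Review bot: Step 5 removes `/usr/local/bin/dnsmasq` to fix `virsh` networking, but the pacman hook in step 6 reruns `firecfg` after every install, upgrade or removal under `usr/bin/*`, and by its own Description that reconfigures the symlinks in `/usr/local/bin`. The manual fix is likely to be undone by the next package transaction unless dnsmasq is also excluded in the `firecfg.config` the Description refers to; step 5 should say so. The hook's `Exec = /bin/sh -c 'firecfg >/dev/null 2>&1'` also discards stderr, so a failing `firecfg` goes unnoticed; consider keeping stderr so pacman shows the error.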

511
active/os_arch/gaming.md Normal file

@@ -0,0 +1,511 @@
# Gaming
- [Gaming](#gaming)
- [Discord](#discord)
- [Steam](#steam)
- [autostart](#autostart)
- [mangohud](#mangohud)
- [Scaling](#scaling)
- [Streaming](#streaming)
- [FSR](#fsr)
- [Sunshine and Moonlight](#sunshine-and-moonlight)
- [Install Sunshine](#install-sunshine)
- [Ports](#ports)
- [Install Moonlight](#install-moonlight)
- [Flatpak](#flatpak)
- [Commands](#commands)
- [Configuration](#configuration)
- [ProtonUp-QT](#protonup-qt)
- [VSCode](#vscode)
- [XWayland](#xwayland)
- [Wine](#wine)
- [Spotify](#spotify)
- [VLC](#vlc)
- [Remote Desktop](#remote-desktop)
- [OBS](#obs)
- [Xbox Controller](#xbox-controller)
- [Mangohud](#mangohud-1)
- [Minecraft with Mangohud](#minecraft-with-mangohud)
- [ffmpeg](#ffmpeg)
- [AUR](#aur)
- [Intel 11th gen](#intel-11th-gen)
- [AMD 7900xtx](#amd-7900xtx)
- [Taking Game Cips](#taking-game-cips)
- [MPV](#mpv)
- [Minecraft](#minecraft)
- [Launcher](#launcher)
- [MultiMC](#multimc)
## Discord
```bash
pacman -S discord
```
## Steam
<https://wiki.archlinux.org/title/Official_repositories#multilib>
Edit /etc/pacman.conf
```conf
[multilib]
Include = /etc/pacman.d/mirrorlist
```
```bash
pacman -S steam
```
When prompted use vulkan-radeon on AMD and vulkan-intel on intel.
### autostart
```bash
ln -s ~/.local/share/applications/steam-native.desktop ~/.config/autostart/
```
### mangohud
Start steam with mangohud
```bash
pacman -S mangohud lib32-mangohud
cp /usr/share/applications/steam.desktop ~/.local/share/applications/steam.desktop
```
Edit ~/.local/share/applications/steam.desktop:
```conf
Exec=/usr/bin/mangohud /usr/bin/steam-native %U
```
### Scaling
On HiDPI screens you might need to manually scale the steam interface. This can be done by editing
the .desktop file:
```bash
cp /usr/share/applications/steam.desktop ~/.local/share/applications/steam.desktop
```
Edit `~/.local/share/applications/steam.desktop`
```conf
Exec=/usr/bin/mangohud /usr/bin/steam-runtime -forcedesktopscaling 2 %U
```
### Streaming
See [Sunshine and Moonlight](#sunshine-and-moonlight) first! It's much better than steam streaming.
Works great from Arch hosts to Arch guests with a little configuration.
1. wifi
Your wifi should be isolated to the fastest band you have available at the widest channel width on
the least populated channel. BSS Transition and Fast Roaming are the only settings I enable since
they do make a difference for video calls and streaming while moving from room to room but don't
cause interference or connectivity issues like the other settings.
![unifi wifi config](media/unifi_wifi_config.png)
2. host
Your host settings don't matter too much since you'll be limited to Steam's compatibility with
Arch's mesa drivers, the current kernel version, and whether Mercury is retrograde. Steam does a
pretty good job automatically selecting the correct libraries and capture mechanism. Here are
the settings I use:
![steam host settings](media/steam_host_settings.png)
3. Client
Here's where things start to matter. As of kernel `6.7.6-arch1-2`, `mesa 1:24.0.2-1`,
`libva 2.20.0-1`, `mesa-vdpau 1:24.0.2-1`, and `libvdpau 1.5-2` hardware decoding works on Arch
with AMD integrated graphics on both my framework (Ryzen 7 7840U w/ Radeon 780M Graphics) and my
Steam Deck.
In the steam advanced client settings select "Enhanced 4k" to start. Do not change
the Resolution limit. Decoding at the native resolution of your screen will always perform
better than using a non-native resolution. In my testing even lower resolutions result in
20-30ms of additional delay over native. Framerate limit should stay at automatic. This will try
to match the streaming framerate to your display's refresh rate. You can set this to 60 if
things are lagging too much. Bandwidth limit can be adjusted up and down to fit your wifi's
limitations if you are experience frame drops and stuttering. If you experience issues like
crashing on launch, blank screen or strange artifacts disable hardware decoding. HEVC and low
latency networking have never caused me issues. Here are my settings:
![steam client settings](media/steam_client_settings.png)
And to show what a properly configured client can do, here's Crab Champions streamed to my
laptop at 2k, 99fps. Note the streaming latency is ~10ms and the dark blue (encode time), light
blue (network transmit time), and red (decode time) lines are extremely close together.
![enhanced 4k framework](media/enhanced_4k_framework.png)
My Steam Deck performs about the same but with a lower (~7ms) streaming latency. This is
expected because the steam deck streams at 1280x720 which means faster encode and transmit.
If the red line is far above the blue lines it means your decoding (software or hardware) is
struggling to keep up. Either it's not decoding at native resolution (likely transforming the
decoded frame to match the display resolution) or your cpu/gpu is doing something else.
If the light blue line is far above the dark blue line your wifi is slow. Increase channel
width, increase transmit power, ensure devices are connected to 5 or 6Ghz, and ensure your
device has the latest drivers.
If the dark blue line is far above the x axis of the graph your host is struggling to encode
fast enough. Likely the host's cpu/gpu is doing something else or it's an old computer
### FSR
<https://linux-gaming.kwindu.eu/index.php?title=FSR_-_FidelityFX_Super_Resolution>
> This sharpens the image. 4 is an example value. 0 is maximum sharpness, higher values mean less sharpening. 5 is the maximum value. The default is 2
```bash
WINE_FULLSCREEN_FSR=1 WINE_FULLSCREEN_FSR_STRENGTH=2
```
## Sunshine and Moonlight
<https://docs.lizardbyte.dev/projects/sunshine/en/latest/>
Sunshine is desktop streaming service that leverages hardware encoding to provide near-zero latency
network streaming to any device that can run moonlight.
### Install Sunshine
The flatpak seems to work well. The arch package keeps breaking due to
deps. See boost-libs and then libicuuc.so.76.
<https://docs.lizardbyte.dev/projects/sunshine/latest/md_docs_2getting__started.html#install-system-level>
```bash
flatpak install --system flathub dev.lizardbyte.app.Sunshine
sudo -i
flatpak run --command=additional-install.sh dev.lizardbyte.app.Sunshine
systemctl enable --now sunshine
```
#### Ports
HTTPS: 47984 TCP (offset by -5 from the main port)
HTTP: 47989 TCP (the main port)
Web: 47990 TCP (offset by +1 from the main port)
RTSP: 48010 TCP/UDP (offset by +21 from the main port)
Video: 47998 UDP (offset by +9 from the main port)
Control: 47999 UDP (offset by +10 from the main port)
Audio: 48000 UDP (offset by +11 from the main port)
Mic (unused): 48002 UDP (offset by +13 from the main port)
TCP: 47984, 47989, 48010
UDP: 47998-48000, 48002, 48010
```bash
ufw allow 47984/tcp
ufw allow 47989/tcp
ufw allow 48010/tcp
ufw allow 47998-48000/udp
ufw allow 48002/udp
ufw allow 48010/udp
```
### Install Moonlight
#### Flatpak
```bash
flatpak install moonlight
```
#### Commands
Ctrl + Alt + Shift + Q (Moonlight Stream)
Quit the streaming session (leaving the game running on the host PC)
Ctrl + Alt + Shift + S (Moonlight Stream)
Open performance stats overlay (not supported on Steam Link or Raspberry Pi)
Ctrl + Alt + Shift + M (Moonlight Stream)
Toggle mouse mode (pointer capture or direct control)
Ctrl + Alt + Shift + V (Moonlight Stream)
Type clipboard text on the host
### Configuration
Sunshine doesn't need a ton of config. For streaming to devices like the steam deck
and my computer I would recommend adding a new application that uses the `display_scale.py`
script to set the resolution of the host before connecting.
1. Copy `display_scale.py` to your host
2. Create a new application
3. Add command: `/home/ducoterra/display_scale.py 1920x1080 1`
4. Optionally add undo command: `/home/ducoterra/display_scale.py 3840x2160 1`
5. Save and connect!
## ProtonUp-QT
<https://davidotek.github.io/protonup-qt/>
```bash
mv ~/Downloads/ProtonUp-Qt*.AppImage ~/Applications/ProtonUp-Qt.AppImage
chmod +x ~/Applications/*.AppImage
```
```conf
[Desktop Entry]
Name=ProtonUp-Qt
Exec=/home/ducoterra/Applications/ProtonUp-Qt.AppImage
Icon=/home/ducoterra/.icons/ProtonUp-Qt.png
Type=Application
```
## VSCode
For the open source version of code install `code`:
```bash
pacman -S code
```
## XWayland
Provides compatibility with X server applications (like wine)
```bash
pacman -S xorg-xwayland
```
## Wine
```bash
pacman -S wine
```
## Spotify
```bash
pacman -S spotify-launcher
```
## VLC
```bash
pacman -S vlc
```
## Remote Desktop
```bash
pacman -S remmina freerdp
```
## OBS
<https://aur.archlinux.org/packages/obs-vkcapture-git>
```bash
pacman -S obs-studio qt6-wayland
cd ~/aur
git clone https://aur.archlinux.org/obs-vkcapture-git.git
cd obs-vkcapture-git
makepkg -si
```
Add "Game Capture" to your scene.
Start your games with `env OBS_VKCAPTURE=1 %command%`
## Xbox Controller
1. Install bluetooth packages
```bash
pacman -S bluez bluez-plugins bluez-utils
```
1. Edit the bluetooth conf and set the controller to bredr
/etc/bluetooth/main.conf
```conf
ControllerMode = bredr
```
1. Now reset the bluetooth service
```bash
systemctl restart bluetooth
```
1. Connect your controller
1. Comment out the line in the bluetooth conf you just edited
1. Restart the bluetooth service
## Mangohud
<https://github.com/flightlessmango/MangoHud#arch-based-distributions>
```bash
sudo pacman -S mangohud lib32-mangohud
```
```bash
mkdir ~/.config/MangoHud
cp /usr/share/doc/mangohud/MangoHud.conf.example ~/.config/MangoHud/MangoHud.conf
```
Edit `~/.config/MangoHud/MangoHud.conf` and tweak as you see fit.
Then add `mangohud env MANGOHUD_CONFIGFILE=/home/ducoterra/.config/MangoHud/MangoHud.conf %command%` to your steam launch.
### Minecraft with Mangohud
MultiMC offers a "Wrapper" option in Settings -> Custom commands. Add `/usr/bin/mangohud --dlsym`.
## ffmpeg
<https://wiki.archlinux.org/title/FFmpeg>
### AUR
<https://aur.archlinux.org/ffmpeg-full.git>
### Intel 11th gen
```bash
pacman -S ffmpeg libmfx intel-media-sdk
ffmpeg \
-hwaccel qsv \
-c:v hevc_qsv \
-hwaccel_output_format qsv \
-i input.mkv \
-c:v hevc_qsv \
-global_quality 25 \
output.mp4
```
### AMD 7900xtx
<https://wiki.archlinux.org/title/FFmpeg#VA-API>
```bash
sudo pacman -S ffpmeg mesa libva-mesa-driver
reboot
ffmpeg \
-hwaccel vaapi \
-vaapi_device /dev/dri/renderD128 \
-hwaccel_output_format vaapi \
-i input.mp4 \
-c:v hevc_vaapi \
-rc_mode 1 \
-qp 25 \
output.mp4
ffmpeg \
-hwaccel vaapi \
-vaapi_device /dev/dri/renderD128 \
-hwaccel_output_format vaapi \
-i input.mp4 \
-c:v h264_vaapi \
-b:v 0 \
-maxrate 100M \
output.mp4
```
### Taking Game Cips
1. Install [MPV](#mpv)
1. Open the video clip in mpv
1. Press `del` to always show the seek bar
1. Click the timestamp in the bottom left to show milliseconds
1. Use `,` and `.` to seek frame by frame to find the start frame
1. Use the following ffmpeg command to trim clips
```bash
# format start_time and end_time like `00:00:34.000` (hh:mm:ss.mmm)
export input_file=
export output_file=
export start_time=
export end_time=
# -r 30 == frame rate of 30
# -vf scale scales the output
ffmpeg \
-ss $start_time \
-to $end_time \
-i $input_file \
-c:v libx264 \
-b:v 0 \
-vf scale=1920:1080 \
-r 30 \
$output_file
```
1. Then concat clips with the following
```bash
# Create mylist.txt
cat <<EOF > clips.txt
file '/path/to/file1'
file '/path/to/file2'
file '/path/to/file3'
EOF
```
```bash
ffmpeg -f concat -i mylist.txt -c copy output.mp4
```
## MPV
<https://wiki.archlinux.org/title/Mpv>
MPV is an alternative to VLC with a couple key benefits:
1. Reverse frame-by-frame seeking
2. millisecond timestamp
These are great for video clipping with ffmpeg.
```bash
pacman -S mpv
```
## Minecraft
### Launcher
<https://wiki.archlinux.org/title/minecraft>
<https://aur.archlinux.org/packages/minecraft-launcher>
```bash
cd ~/aur
git clone https://aur.archlinux.org/minecraft-launcher.git
cd minecraft-launcher
makepkg -si
```
### MultiMC
MultiMC allows you to maintain and run multiple installations of minecraft with handy
shortcuts for installing mod loaders and many more features. It's super easy to install
on arch.
<https://github.com/MultiMC/multimc-pkgbuild>
1. Install `jre-openjdk-headless`
```bash
cd ~/aur
git clone https://github.com/MultiMC/multimc-pkgbuild.git
cd multimc-pkgbuild
makepkg -si
```
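
Review bot: In "Taking Game Cips" the concat step cannot work as written: the heredoc writes `clips.txt`, but its comment and the following `ffmpeg -f concat -i mylist.txt` both expect `mylist.txt`. The list entries are also absolute paths, which the concat demuxer rejects unless `-safe 0` is passed. Use one filename throughout and add `-safe 0` before `-i`. In the AMD block, `pacman -S ffpmeg` is a typo for `ffmpeg`, and `reboot` sits in the same fence as the commands meant to run after it; split the block there. The trim command expands `$input_file` and `$output_file` unquoted, so paths with spaces break; quote them. The heading should read "Taking Game Clips". The `makepkg -si` steps for obs-vkcapture-git, minecraft-launcher and multimc-pkgbuild would benefit from a line telling the reader to read the PKGBUILD before building, since the build script runs on the workstation and the result is installed system-wide.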

55
active/os_arch/help.md Normal file

@@ -0,0 +1,55 @@
# Help
- [Help](#help)
- [Remove unused packages](#remove-unused-packages)
- [Update Grub](#update-grub)
- [Downgrading Kernel](#downgrading-kernel)
- [Set Plymouth Background Image](#set-plymouth-background-image)
## Remove unused packages
Make sure to use the `-Rs` flag when removing. This will clean up deps.
```bash
pacman -Rs package
```
To see a list of packages that are orphaned you can run:
```bash
pacman -Qtdq
```
To remove those packages you can run
```bash
pacman -Qtdq | pacman -Rns -
```
## Update Grub
1. `grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=BOOT`
1. `cp /boot/EFI/BOOT/grubx64.efi /boot/EFI/BOOT/bootx64.efi`
## Downgrading Kernel
You can find old kernel versions at <https://archive.archlinux.org/packages/l/linux/>
You can find old kernel-header versions at <https://archive.archlinux.org/packages/l/linux-headers/>
If you want to downgrade to a previously installed kernel you can use pacman cache:
1. `cd /var/cache/pacman/pkg`
2. `pacman -U linux-x.x.x.arch1-1-x86_64.pkg.tar.zst linux-headers-x.x.x.arch1-1-x86_64.pkg.tar.zst`
3. `reboot`
If you want to downgrade to a kernel that wasn't previously installed:
1. Download linux... and linux-headers... from above
2. `pacman -U linux-x.x.x.arch1-1-x86_64.pkg.tar.zst linux-headers-x.x.x.arch1-1-x86_64.pkg.tar.zst`
3. `reboot`
## Set Plymouth Background Image
1. `sudo cp image.png /usr/share/plymouth/themes/spinner/background-tile.png`
1. `sudo plymouth-set-default-theme -R spinner`
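
Review bot: Under "Downgrading Kernel", the path for a kernel that was not previously installed only says to download the `linux...` and `linux-headers...` packages from the archive. It should also fetch the matching `.sig` file for each, so that `pacman -U` has a signature to check. Both downgrade paths should say how to keep the next full upgrade from replacing the pinned kernel. In "Remove unused packages" the text recommends `-Rs` but the orphan cleanup uses `-Rns` without saying that `n` also deletes saved config files, and `pacman -Qtdq | pacman -Rns -` errors out when there are no orphans. "Update Grub" copies `grubx64.efi` over `bootx64.efi` by hand; say why the fallback path is needed, or use `grub-install --removable`, which writes to that path directly.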

65
active/os_arch/k3s.md Normal file

@@ -0,0 +1,65 @@
# K3S Cluster
## Cluster Setup
1. Install wireguard
```bash
pacman -S wireguard-tools linux-headers
```
2. Assign static IPs to each node
/etc/dhcpcd.conf
```conf
...
interface enp1s0
static ip_address=192.168.122.51/24 # 52, 53
static routers=192.168.122.1
static domain_name_servers=192.168.122.1
```
## K3S Installation
1. Generate a secure token
```bash
umask 077
k3s token generate > token.txt
export SECRET=$(cat token.txt)
```
2. Create the cluster
```bash
curl -sfL https://get.k3s.io | K3S_TOKEN=$SECRET sh -s - server \
--cluster-init \
--flannel-backend=wireguard-native \
--disable=traefik \
--secrets-encryption \
--tls-san=192.168.122.51
```
3. Join each server node
```bash
curl -sfL https://get.k3s.io | K3S_TOKEN=$SECRET sh -s - server \
--server https://192.168.122.51:6443 \
--flannel-backend=wireguard-native \
--disable=traefik \
--secrets-encryption \
--tls-san=192.168.122.52
```
4. Copy the kube config at /etc/rancher/k3s/k3s.yaml to YOUR computer at ~/.kube/dev-config
```bash
export KUBECONFIG=~/.kube/dev-config
```
5. Modify the dev-config file's `server` attribute, replace with your IP/hostname
## Secrets Encryption
<https://docs.k3s.io/cli/secrets-encrypt>
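
Review bot: Steps 2 and 3 of "K3S Installation" pipe `https://get.k3s.io` straight into a shell with no version pinned, so each node installs whatever the script selects on the day it is run. Set `INSTALL_K3S_VERSION` to one release for all nodes and consider saving the script to a file and reading it before running it. Step 3 uses `$SECRET` on the joining nodes, but nothing says how `token.txt` gets there; document the transfer and what happens to the file afterwards. Quote the variable (`K3S_TOKEN="$SECRET"`). In step 4 the copied `k3s.yaml` is a cluster-admin credential, so add `chmod 600 ~/.kube/dev-config`, and either move step 5 (fixing `server`) ahead of the `export KUBECONFIG` line or say that kubectl will not connect until it is done. The "Secrets Encryption" section is only a link; a sentence on what `--secrets-encryption` turns on in the commands above would help.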


@@ -0,0 +1,222 @@
# Kubernetes
- [Kubernetes](#kubernetes)
- [Setup](#setup)
- [MetalLB](#metallb)
- [Ingress Nginx](#ingress-nginx)
- [Cert Manager](#cert-manager)
- [Storage](#storage)
<https://wiki.archlinux.org/title/Kubernetes>
## Setup
```bash
pacman -S kubeadm kubelet containerd cni-plugins cilium-cli helm kubectl
```
/etc/modules-load.d/k8s.conf
```conf
overlay
br_netfilter
```
/etc/sysctl.d/k8s.conf
```conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
```
/etc/containerd/config.toml
```toml
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
...
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
SystemdCgroup = true
```
```bash
reboot
mkdir /etc/containerd
containerd config default > /etc/containerd/config.toml
systemctl enable --now containerd
systemctl enable --now kubelet
kubeadm init --pod-network-cidr='10.244.0.0/16'
mkdir -p $HOME/.kube
cp /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config
cilium-cli install
# Note the "-" at the end, this removes the taint
kubectl taint node kube node-role.kubernetes.io/control-plane:NoSchedule-
```
## MetalLB
Install with helm:
```bash
helm repo add metallb https://metallb.github.io/metallb
helm install metallb metallb/metallb -n kube-system
```
You must create a production pool if IP Addresses. Apply the following config
(substituting your public IP address space)
```yaml
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: production
namespace: kube-system
spec:
# Production services will go here. Public IPs are expensive, so we leased
# just 4 of them.
addresses:
- 192.168.122.206/32
```
Here is an example service which allows IP sharing and uses the "production" address pool.
```yaml
apiVersion: v1
kind: Service
metadata:
name: ingress-nginx-demo
annotations:
metallb.universe.tf/address-pool: production
metallb.universe.tf/allow-shared-ip: "nginx"
spec:
type: LoadBalancer
externalTrafficPolicy: Cluster
selector:
app.kubernetes.io/name: ingress-nginx-demo
ports:
- name: ingress-nginx-demo
protocol: TCP
port: 8000
targetPort: http
```
## Ingress Nginx
Now we need an ingress solution (preferably with certs for https). We'll be using nginx since
it's a little bit more configurable than traefik (though don't sell traefik short, it's really
good. Just finnicky when you have use cases they haven't explicitly coded for).
```bash
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm upgrade --install \
ingress-nginx \
ingress-nginx/ingress-nginx \
--values ingress-nginx-values.yaml \
--namespace ingress-nginx \
--create-namespace
```
## Cert Manager
Cert manager handles automatic TLS for our ingress with Let's Encrypt.
Install with helm:
```bash
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm upgrade --install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.12.4 \
--set installCRDs=true
```
Now we need to create an issuer. Apply the following config:
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: nginx@ducoterra.net
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt
# Enable the HTTP-01 challenge provider
solvers:
- http01:
ingress:
class: nginx
```
Here's an example ingress definition:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-nginx-demo
annotations:
cert-manager.io/cluster-issuer: letsencrypt
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/proxy-body-size: "0"
nginx.org/client-max-body-size: "0"
spec:
rules:
- host: ingress-nginx-demo.reeseapps.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: ingress-nginx-demo
port:
number: 80
tls:
- hosts:
- ingress-nginx-demo.reeseapps.com
secretName: ingress-nginx-demo-tls-cert
```
## Storage
We can use host-path storage immediately like so:
```yaml
apiVersion: v1
kind: Pod
metadata:
name: test-webserver
spec:
containers:
- name: test-webserver
image: registry.k8s.io/test-webserver:latest
volumeMounts:
- mountPath: /var/local/aaa
name: mydir
- mountPath: /var/local/aaa/1.txt
name: myfile
volumes:
- name: mydir
hostPath:
# Ensure the file directory is created.
path: /var/local/aaa
type: DirectoryOrCreate
- name: myfile
hostPath:
path: /var/local/aaa/1.txt
type: FileOrCreate
```
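
Review bot: In "Setup" the ordering undoes the containerd edit: the page first shows `SystemdCgroup = true` being set in `/etc/containerd/config.toml`, then the command block runs `containerd config default > /etc/containerd/config.toml`, which overwrites that file with the defaults. Generate the default config first, then make the edit, and take `reboot` off the top of the block, since nothing after it in the same fence would run; `mkdir /etc/containerd` should be `mkdir -p`. In the MetalLB pool the comment says four public IPs were leased, but `addresses` lists a single `192.168.122.206/32`; make the comment match, and fix "pool if IP Addresses". The example Ingress routes to `ingress-nginx-demo` on `number: 80` while the example Service of the same name exposes `port: 8000`. `proxy-body-size: "0"` removes the request body limit and deserves a sentence on why; the `kubernetes.io/ingress.class` annotation is deprecated in favour of `spec.ingressClassName`. The "Storage" example mounts `hostPath` volumes and pulls `test-webserver:latest`; note that hostPath gives the pod write access to the node's filesystem, and pin the image tag.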

Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.
