Files

ducoterra 9833a696d2 more ipv6 fixes

2024-07-31 22:36:46 -04:00

29 KiB

Raw Blame History

Arch Base

This is the base configuration from which you can build a variety of systems. Right now I have instructions for building a:

Arch Base

Installation

Preparation

Follow most of the instructions here: https://wiki.archlinux.org/title/Installation_guide

Download Arch

Verify the image

gpg --auto-key-locate clear,wkd -v --locate-external-key pierre@archlinux.org

Create a bootable ISO
1. If you are booting into a VM, create an ISO with installation files so you don't have to copy-paste:
```
sudo pacman -S cdrtools
mkisofs -r -iso-level 4 -l -o /tmp/arch-files.iso ./arch
```
2. If you are booting from a live usb, copy the files in ./arch to the usb drive
Disable secureboot (reenable later)

Boot

Boot into the live image

Check for network connectivity

# Check for internet
ip a
ping archlinux.org

timedatectl to update system clock
If using a VM, mount the iso with arch conf files
```
mount --mkdir /dev/sr1 /media
```
Create disk partitions. Use gdisk or beware "bootctl install is not on a gpt partition table"
```
fdisk -l
gdisk /dev/vda
```
- +1G for /boot
- t EFI SYSTEM for /boot
- remaining for /
mkfs.fat -F 32 /dev/vda1 (/mnt/boot partition)
This next step involves generating a secure, random password. Make sure to save this somewhere. I recommend having an encrypted partition on your installation drive to which you can write a few bytes of text.

echo -n $(pwgen 8 5) | sed 's/ /-/g' > root-key.txt
cryptsetup luksFormat /dev/vda2 --key-file /path/to/root-key.txt
cryptsetup luksOpen /dev/vda2 root --key-file /path/to/root-key.txt
mkfs.btrfs /dev/mapper/root (root partition)

At this point you can choose how to subvolume your root partition

mount --mkdir -o subvolid=5 /btr_pool
btrfs sub create root /btr_pool
btrfs sub create home /btr_pool
...

Mount the root partition with mount -o subvol=root /dev/mapper/root /mnt
Mount the home partition with mount -o subvol=home /dev/mapper/root /mnt/home
Mount the boot partition with mount --mkdir /dev/vda1 /mnt/boot
If on VM: Mount the conf files with mount --mkdir /dev/sr1 /mnt/media
pacstrap -K /mnt base linux linux-firmware

This command might show an error. This is ok, we'll fix it later.
genfstab -U /mnt >> /mnt/etc/fstab
arch-chroot /mnt
ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
hwclock --systohc
echo 'en_US.UTF-8 UTF-8' > /etc/locale.gen
echo 'KEYMAP=us' > /etc/vconsole.conf
echo 'hostname' > /etc/hostname
pacman -S sudo vim dhclient dhcpcd bash-completion btrfs-progs plymouth
- dhclient/dhcpcd provides dhcp for network
- bash-completion provides tab complete
- btrfs-progs provides fsck for btrfs
- plymouth gives a nice bootloader screen

Edit /etc/mkinitcpio.conf and set up systemd/sd-encrypt

/etc/mkinitcpio.conf

HOOKS=(systemd plymouth autodetect modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)

mkinitcpio -P
Install systemd-boot

https://wiki.archlinux.org/title/systemd-boot
```
bootctl install
```
If this raises an error like "efi partition not found" you probably forgot to format /mnt/boot as an EFI partition. Edit this by reformatting it with gdisk (ef00 is the hex code).
edit your loader.conf with some defaults

/boot/loader/loader.conf
```
default  main.conf
timeout  4
console-mode max
editor   no
```

Create a loader (/usr/share/systemd/bootctl/arch.conf for example)

/boot/loader/entries/main.conf

title   Arch Linux
linux   /vmlinuz-linux
initrd  /initramfs-linux.img
options quiet splash rd.luks.name=d9828faa-2b8c-4184-9e74-9054ae328c6d=root root=/dev/mapper/root rootflags=subvol=root nvme.noacpi=1 acpi_osi="!Windows 2020" mem_sleep_default="deep" rw

You can get the UUID of the disk into arch.conf with some grepping. Use vim to cut the excess and copy it into the correct location.

blkid | grep /dev/vda2 >> /boot/loader/entries/main.conf

useradd ducoterra
passwd ducoterra
groupadd sudo
Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege
usermod -aG sudo ducoterra
usermod -aG wheel ducoterra
mkdir /home/ducoterra
chown ducoterra:ducoterra /home/ducoterra
locale-gen
systemctl enable dhcpcd
If on VM install guest drivers: pacman -S qemu-guest-agent spice-vdagent
If you need ssh: pacman -S openssh; systemctl enable sshd
exit
reboot
Remove your installation medium and boot into arch

Add a pacman hook for systemd-boot updates

/etc/pacman.d/hooks/95-systemd-boot.hook

[Trigger]
Type = Package
Operation = Upgrade
Target = systemd

[Action]
Description = Gracefully upgrading systemd-boot...
When = PostTransaction
Exec = /usr/bin/systemctl restart systemd-boot-update.service

AUR

The AUR lets you install community-created and maintained packages. Here are the basics:

pacman -S --needed git base-devel
mkdir ~/aur

# When you find a project, the basic installation looks like this:
git clone <git repo from aur>
cd <folder name>
makepkg -si

Security

https://wiki.archlinux.org/title/security

Every machine, regardless of use-case, should perform some basic hardening. You don't need to follow every instruction in the above wiki, but you should at least enable secure boot, tpm2 disk decryption, firewall, apparmor, clamav, btrfs snapshots, and btrfs backups.

Security Philosophy

Secure Boot

Protection from pre-boot malware that might hijack your EFI binary.

https://www.rodsbooks.com/efi-bootloaders/secureboot.html
TPM2 Decryption

Since we have secure boot enabled we can safely auto-decrypt our hard drive with a tpm2 device. This is purely a convenience.
Firewall

This should be self-explanatory, but I'll explain anyway. Don't allow any arbitrary network traffic into your device. Block those ports. Only open what you need. Firewalls drastically reduce the risk of remote exploits by stopping them before they can even establish a connection. Firewalls can also be used to limit an attacker's ability to even discover you on a network with icmp blocking.
AppArmor

AppArmor is a mandatory access control system like SELinux. Even if you don't configure it beyond its defaults, AppArmor is still a good thing to have available. Apps which come with an apparmor profile will offer you an additional layer of security. In the same way that a firewall protects you from remote attacks, AppArmor protects you from privilege escalation attacks and malicious binaries by blocking them at the source.
ClamAV

Much like Windows has Windows Defender, Linux has ClamAV. Running an antivirus scanner certainly isn't the end-all-be-all of security, and it definitely isn't good enough on its own to keep your system safe, but in combination with apparmor and a firewall you can identify and quarantine malware before it has a chance to compromise your system. That being said, finding any malware on a system is reason enough to nuke it from orbit and restore from a known good backup.
BTRFS Snapshots

This is not a backup, this is a snapshot. It serves an equally important function, however, in that it protects you from accidental deletion and corruption. Let's imagine you perform an update, reboot, and your computer crashes mid-startup. You could easily restore root from a btrfs snapshot on your system and go on with your day like nothing happened.
BTRFS Backups

This is a backup. Unlike snapshots, which live on the same drive your system exists on, backups are physically separate copies of your computer stored (hopefully) in a physically separate location. In the event your computer is lost or stolen these backups give you a way to perfectly restore your system to its former glory.

Secure Boot

Put your machine in setup mode

On framework this is done in the UEFI setup page for Security, sub-page Secure Boot, choose “Erase all Secure Boot Settings.”

On my Gigabyte motherboard this is done in the BIOS under security. Set secure boot to custom.
pacman -S efitools sbctl
cd /root/
for var in PK KEK db dbx ; do efi-readvar -v $var -o old_${var}.esl ; done
sbctl create-keys
sbctl enroll-keys -m
sbctl status
sbctl verify
sbctl sign -s /boot/vmlinuz-linux
sbctl sign -s /boot/EFI/BOOT/BOOTX64.EFI
sbctl sign -s /boot/EFI/systemd/systemd-bootx64.efi
sbctl verify
reboot
Enable secure boot
sbctl status to check secure boot
bootctl to check boot loader status

There is a pacman hook which will automatically sign new binaries on update.

TPM2 LUKS Decryption

Using --tpm2-pcrs=7 enforces secure boot and will require password if secure boot is disabled.

pacman -S tpm2-tss
systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7

Re-enroll

systemd-cryptenroll /dev/nvme0n1p2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7
systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7

FIDO2 LUKS Decryption

pacman -S libfido2

Firewall

pacman -S ufw
systemctl enable --now ufw

AppArmor

Install Apparmor

Apparmor protects your system by limiting the access binaries have to specific files. All binaries which are protected by apparmor profiles have a whitelist of allowed paths they can touch, even if they run as root.

pacman -S apparmor
systemctl enable --now apparmor
systemctl enable --now auditd

Add the correct kernel parameters

/boot/loaders/entries/main.conf

title Arch Linux
...
options ...lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1...

reboot

Custom Profiles

You will likely need to create custom profiles for your apps. There are a few ways to do this but the least painful ways are as follows:

A profile already exists in /usr/share/apparmor/extra-profiles/

Check here first. More than likely there's a good starting point. This will probably need to be tuned but you can (and should) copy it to /etc/apparmor.d
No profile exists in /usr/share/apparmor/extra-profiles/

You can use aa-genprof <binary> to generate a profile for that binary and begin listening to log events. Then, launch the application and use it as intended. When you've done what you consider to be the typical use-case you should.
1. Press s until it begins recommending additions to your profile
2. Use (A) or (D) to add or deny paths
3. Use (G) to glob a path
4. Use (N) to write a custom path
5. If prompted for an executable choose (I) to inherit the execution privileges from the parent process or (P) to use this application's profile. Sanitize if you chooose this app's profile
6. When done, (F) to finish and (S) to save.
7. Use apparmor_parser -r /etc/apparmor.d/<profile> to reload the profile
8. Run aa-enforce /etc/apparmor.d/<profile> to set to enforce mode
9. Try to launch the app. It will probably crash
10. Run aa-logprof, add rules, apparmor_parser -r /etc/apparmor.d/<profile>, launch app, repeat until it works
11. You can tail /var/log/audit/audit.log and grab a string like msg=audit(1692576444.967:102858) to use as a starting point rather than parsing the whole log. Like: aa-logprof -m 'msg=audit(1692576444.967:102858)'.

From https://manpages.ubuntu.com/manpages/xenial/man5/apparmor.d.5.html

Access Modes
    File permission access modes consists of combinations of the following modes:

    r       - read
    w       - write -- conflicts with append
    a       - append -- conflicts with write
    ux      - unconfined execute
    Ux      - unconfined execute -- scrub the environment
    px      - discrete profile execute
    Px      - discrete profile execute -- scrub the environment
    cx      - transition to subprofile on execute
    Cx      - transition to subprofile on execute -- scrub the environment
    ix      - inherit execute
    pix     - discrete profile execute with inherit fallback
    Pix     - discrete profile execute with inherit fallback -- scrub the environment
    cix     - transition to subprofile on execute with inherit fallback
    Cix     - transition to subprofile on execute with inherit fallback -- scrub the
            environment
    pux     - discrete profile execute with fallback to unconfined
    PUx     - discrete profile execute with fallback to unconfined -- scrub the environment
    cux     - transition to subprofile on execute with fallback to unconfined
    CUx     - transition to subprofile on execute with fallback to unconfined -- scrub the
            environment
    deny x  - disallow execute (in rules with the deny qualifier)
    m       - allow PROT_EXEC with mmap(2) calls
    l       - link
    k       - lock

ClamAV

pacman -S clamav
clamscan --recursive --infected /path/to/dir

OR -

freshclam
systemctl enable --now clamav-freshclam.service
systemctl enable --now clamav-daemon.service
clamdscan --multiscan --fdpass /home/ducoterra

Config

UpdateLogFile /var/log/clamav/freshclam.log
PidFile /run/clamav/freshclam.pid
DatabaseMirror database.clamav.net
NotifyClamd /etc/clamav/clamd.conf

btrbk

cd Downloads
wget https://raw.githubusercontent.com/digint/btrbk/master/btrbk
clamscan .
chmod +x btrbk
sudo mv btrbk /usr/bin/

fstab

You'll need to mount your btrfs volumes in a location which exposes their subvolumes.

mkdir -p /btr_pools/root

/etc/fstab

# btr_pools
UUID=84153269-f194-43f7-a4fe-e72aaffdb97a       /btr_pools/root               btrfs           rw,relatime,ssd,space_cache=v2,subvolid=256,subvolid=5  0 0

systemctl daemon-reload
mount -a
btrfs sub create /btr_pools/root/.snapshots
btrbk -c /etc/btrbk/snapshots.conf dryrun
btrbk -c /etc/btrbk/snapshots.conf run

Snapshots

Create a snapshot config

/etc/btrbk/snapshots.conf

snapshot_preserve_min   24h
snapshot_preserve       14d

# root
volume /btr_pools/root
    subvolume           root
    snapshot_dir        .snapshots

# home
volume /btr_pools/root
    subvolume           home
    snapshot_dir        .snapshots

# libvirt
volume /btr_pools/root
    subvolume           libvirt
    snapshot_dir        .snapshots

# nextcloud
volume /btr_pools/root
    subvolume           nextcloud
    snapshot_dir        .snapshots

Then create a snapshot service

/etc/systemd/system/btrbk_snapshots.service

[Unit]
Description=Runs btrbk with config file at /etc/btrbk/snapshots.conf

[Service]
ExecStart=/usr/bin/btrbk -c /etc/btrbk/snapshots.conf -v run

Then create a timer for the service

/etc/systemd/system/btrbk_snapshots.timer

[Unit]
Description=Run snapshots every hour

[Timer]
OnCalendar=hourly

AccuracySec=10min
Persistent=true
Unit=btrbk_snapshots.service

[Install]
WantedBy=timers.target

Then enable the service

systemctl enable --now btrbk_snapshots.timer

Backups

Before you begin, go through the usual process of setting up an encrypted drive. If you're using Gnome I recommend using the GUI since it handles encrypted USB drives really nicely.

The only thing I'd recommend doing manually is creating the mountpoint as a read-only subvolume. This prevents backups from being written to the root device when the backup disk isn't mounted.

btrfs sub create /btr_pools/backup
btrfs property set /btr_pools/backup ro true

Create a backup config

/etc/btrbk/backups.conf

snapshot_create         no
target_preserve_min     no
target_preserve         30d

# root
volume /btr_pools/root
    target /btr_pools/backup
    subvolume           root
    snapshot_dir        .snapshots

# home
volume /btr_pools/root
    target /btr_pools/backup
    subvolume           home
    snapshot_dir        .snapshots

# libvirt
volume /btr_pools/root
    target /btr_pools/backup
    subvolume           libvirt
    snapshot_dir        .snapshots

Create a backup service

/etc/systemd/system/btrbk_backups.service

[Unit]
Description=Runs btrbk with config file at /etc/btrbk/backups.conf

[Service]
ExecStart=/usr/bin/btrbk -c /etc/btrbk/backups.conf -v run

Create a timer to activate the service

/etc/systemd/system/btrbk_backups.timer

[Unit]
Description=Run btrbk backups every hour

[Timer]
OnCalendar=hourly
AccuracySec=10min
Persistent=true
Unit=btrbk_backups.service

[Install]
WantedBy=timers.target

Enable the timer

systemctl enable --now btrbk_backup.conf

Backing up a snapshot

pacman -S pv

btrfs send /mnt/btr_backup/root.20230727T1000 | pv | btrfs receive /mnt/btr_iscsi

Chroots

You can create chroot environments to run firejails or just use for testing purposes.

btrfs sub create /chroots
mkdir /testing
pacman -S arch-install-scripts
pacstrap -K /chroots/testing/ base base-devel
arch-chroot /chroots/testing

Fingerprint Reader Support

Setup

pacman -S fprintd
systemctl enable --now fprintd
fprintd-enroll ducoterra
Enable fingerprint terminal login but prompt for password first (enter switches to prompt for fingerprint)

/etc/pam.d/sudo
```
# fingerprint auth
auth      sufficient pam_fprintd.so
```

Turn Off Fingerprint When Laptop Lid Closed

NOTE: This may break fingerprint unlock. Testing in progress.

To disable fingerprint authentication when the laptop lid is closed, and re-enable when it is reopened, we will use acpid to bind to the button/lid.* event to a custom script that will comment out fprintd auth in /etc/pam.d/sudo.

Usually we'd just systemctl mask fprintd but this breaks gdm (as of 08/06/23). See https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/2267 and https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6585.

pacman -S acpid and then systemctl enable --now acpid

Create file /etc/acpi/laptop-lid.sh with the following contents:

#!/bin/bash

if grep -Fq closed /proc/acpi/button/lid/LID0/state # &&
    # This is used to detect if a display is connected.
    # For USB C displayport use: 
    # grep -Fxq connected /sys/class/drm/card1-DP-2/status
    # For hdmi use:
    # grep -Fxq connected /sys/class/drm/card0-HDMI-A-1/status
then
    # comment out fprintd
    sed -i -E 's/^([^#].*pam_fprintd.so)/#\1/g' /etc/pam.d/sudo
else
    # uncomment fprintd
    sed -i -E 's/#(.*pam_fprintd.so)/\1/g' /etc/pam.d/sudo

fi

Make the file executable with

chmod +x /etc/acpi/laptop-lid.sh
Create file /etc/acpi/events/laptop-lid with the following contents:
```
event=button/lid.*
action=/etc/acpi/laptop-lid.sh
```
Restart the acpid service with:

systemctl restart acpid

Now the fingerprint will be used only when the lid is open.

In order to ensure the correct state after suspend we need a service file which runs our script on wake.

Create a file named /etc/systemd/system/laptop-lid.service with the following contents:

[Unit]
Description=Laptop Lid
After=suspend.target

[Service]
ExecStart=/etc/acpi/laptop-lid.sh

[Install]
WantedBy=multi-user.target
WantedBy=suspend.target

Reload the systemd config files with

sudo systemctl daemon-reload
Start and enable the service with

sudo systemctl enable --now laptop-lid.service

Now the status should be correct even after connecting/disconnecting when the computer is off.

Desktop Environment

Gnome

pacman -S gdm gnome
- choose pipewire-jack
- choose wireplumber
- choose noto-fonts-emoji
systemctl enable --now gdm
pacman -S networkmanager
systemctl enable --now NetworkManager
pacman -S gnome-tweaks dconf-editor seahorse

Hardware Management

Hardware Acceleration

(This helps enable hardware encoding/decoding for steam streaming)

Intel

pacman -S libva-utils intel-media-driver
vainfo

AMD

pacman -S vulkan-radeon libva-utils libva-mesa-driver xf86-video-amdgpu
vainfo

Power Management

For laptops install tlp

pacman -S tlp tlp-rdw
systemctl enable --now tlp
systemctl mask systemd-rfkill.service
systemctl mask systemd-rfkill.socket

Then configure it with the following settings (optional)

/etc/tlp.conf

# I've seen some issues with usb autosuspend
USB_AUTOSUSPEND=0
# Restore bluetooth/wifi state on reboot
# Otherwise it defaults to on
RESTORE_DEVICE_STATE_ON_STARTUP=1
# Disable wifi when plugged in
# You might not want this for continuity - eg. you're copying a file to a network
# share over wifi - plugging in will cancel the copy with this option enabled.
DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan"
# Re-enable wifi when unplugged.
DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="wifi wwan"

For desktops install cpupower
```
pacman -S cpupower
systemctl enable --now cpupower
```
Temporarily set power profile with cpupower frequency-set -g performance

Edit /etc/default/cpupower
```
governor='performance'
```

Don't sleep while plugged in

This is needed for the Framework 13 (11th gen) since sleeping while plugged in to a dock will prevent it from waking up.

/etc/systemd/logind.conf

...
HandleLidSwitchExternalPower=lock
HandleLidSwitchDocked=ignore
...

Bluetooth

pacman -S bluez bluez-utils
systemctl enable --now bluetooth

Audio

Without pipewire-pulse the audio level/device will reset every reboot.

pacman -S pipewire-pulse (remove conflicting packages)

ISCSI

pacman -S open-iscsi
systemctl enable --now iscsid

Add auth login

/etc/iscsi/iscsid.conf

node.session.auth.chap_algs = SHA3-256,SHA256,SHA1,MD5
node.session.auth.username = username
node.session.auth.password = password

Initiate and login to the portal

# Add a new target to your list of nodes
iscsiadm \
    -m discovery \
    -t st \
    -p driveripper.reeselink.com

# Login to the target
iscsiadm \
    -m node \
    --targetname iqn.2023-01.driveripper.reeselink.com:backup-reese-pc \
    -p driveripper.reeselink.com:3260 \
    --login

# or login to all targets
iscsiadm -m node --loginall all

# View current session
iscsiadm -m session

# Log out of all sessions
iscsiadm -m node -u

# Log out of a single session
iscsiadm -m node -T iqn.2023-01.driveripper.reeselink.com:2024-01-framework --logout

# Remove session
iscsiadm -m node -o delete -T iqn.2023-01.driveripper.reeselink.com:2023-01-framework

Software Stores

AppImage Support

Also chmod +x before running.

cp ~/Downloads/xxxxxxx.appimage ~/Applications
Find an icon online and save it to ~/.icons

Write a .desktop entry at ~/.local/share/applications/

[Desktop Entry]
Name=
Exec=/home/ducoterra/Applications/
Icon=/home/ducoterra/.icons/
Type=Application

desktop-file-validate ~/.local/share/applications/*.desktop
update-desktop-database

Troubleshooting

fuse may be required to run an appimage.

sudo pacman -S fuse

Flatpak

pacman -S flatpak

Apps

Firefox

You'll want firefox and gnome-browser-connector (for gnome extension management).

pacman -S firefox gnome-browser-connector

Choose noto-fonts

Gnome Extensions

Avahi (Bonjour)

sudo pacman -S avahi

sudo vim /etc/nsswitch.conf

hosts: mymachines mdns [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns

sudo vim /etc/mdns.allow
```
.local.
.local
```

CUPS Printing

Note: you probably need avahi (see above)

sudo pacman -S cups cups-pdf system-config-printer