services/homelab
1
1
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9833a696d2ff2adbd5731a55a98ccc117de264a8
homelab/infrastructure/graduated/arch/README.md
ducoterra 9833a696d2 more ipv6 fixes
2024-07-31 22:36:46 -04:00

1126 lines
29 KiB
Markdown
Raw Blame History

# Arch Base
This is the base configuration from which you can build a variety of systems. Right now
I have instructions for building a:
1. [Workstation](workstation.md)
2. [Gaming PC](gaming.md)
3. [Kubernetes Server](server.md)
## Table of Contents
- [Arch Base](#arch-base)
- [Table of Contents](#table-of-contents)
- [Installation](#installation)
- [Preparation](#preparation)
- [Boot](#boot)
- [AUR](#aur)
- [Security](#security)
- [Secure Boot](#secure-boot)
- [TPM2 LUKS Decryption](#tpm2-luks-decryption)
- [Re-enroll](#re-enroll)
- [FIDO2 LUKS Decryption](#fido2-luks-decryption)
- [Firewall](#firewall)
- [AppArmor](#apparmor)
- [Install Apparmor](#install-apparmor)
- [Custom Profiles](#custom-profiles)
- [ClamAV](#clamav)
- [Config](#config)
- [btrbk](#btrbk)
- [fstab](#fstab)
- [Snapshots](#snapshots)
- [Backups](#backups)
- [Backing up a snapshot](#backing-up-a-snapshot)
- [Chroots](#chroots)
- [Fingerprint Reader Support](#fingerprint-reader-support)
- [Setup](#setup)
- [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed)
- [Desktop Environment](#desktop-environment)
- [Gnome](#gnome)
- [Hardware Management](#hardware-management)
- [Hardware Acceleration](#hardware-acceleration)
- [Power Management](#power-management)
- [Don't sleep while plugged in](#dont-sleep-while-plugged-in)
- [Bluetooth](#bluetooth)
- [Audio](#audio)
- [ISCSI](#iscsi)
- [Software Stores](#software-stores)
- [AppImage Support](#appimage-support)
- [Troubleshooting](#troubleshooting)
- [Flatpak](#flatpak)
- [Apps](#apps)
- [Firefox](#firefox)
- [Gnome Extensions](#gnome-extensions)
- [Avahi (Bonjour)](#avahi-bonjour)
- [CUPS Printing](#cups-printing)
- [Yubikey](#yubikey)
- [Bashrc](#bashrc)
- [Colorized Prompt](#colorized-prompt)
- [Standard Bashrc](#standard-bashrc)
## Installation
### Preparation
Follow most of the instructions here:
<https://wiki.archlinux.org/title/Installation_guide>
1. Download Arch
2. Verify the image
```bash
gpg --auto-key-locate clear,wkd -v --locate-external-key pierre@archlinux.org
```
3. Create a bootable ISO
1. If you are booting into a VM, create an ISO with installation files so you don't have to copy-paste:
```bash
sudo pacman -S cdrtools
mkisofs -r -iso-level 4 -l -o /tmp/arch-files.iso ./arch
```
2. If you are booting from a live usb, copy the files in ./arch to the usb drive
4. Disable secureboot (reenable later)
### Boot
1. Boot into the live image
2. Check for network connectivity
```bash
# Check for internet
ip a
ping archlinux.org
```
3. `timedatectl` to update system clock
4. If using a VM, mount the iso with arch conf files
```bash
mount --mkdir /dev/sr1 /media
```
5. Create disk partitions. Use gdisk or beware "bootctl install is not on a gpt partition table"
```bash
fdisk -l
gdisk /dev/vda
```
- +1G for /boot
- t EFI SYSTEM for /boot
- remaining for /
6. `mkfs.fat -F 32 /dev/vda1` (/mnt/boot partition)
7. This next step involves generating a secure, random password. Make sure to
save this somewhere. I recommend having an encrypted partition on your
installation drive to which you can write a few bytes of text.
`echo -n $(pwgen 8 5) | sed 's/ /-/g' > root-key.txt`
8. `cryptsetup luksFormat /dev/vda2 --key-file /path/to/root-key.txt`
9. `cryptsetup luksOpen /dev/vda2 root --key-file /path/to/root-key.txt`
10. `mkfs.btrfs /dev/mapper/root` (root partition)
11. At this point you can choose how to subvolume your root partition
```bash
mount --mkdir -o subvolid=5 /btr_pool
btrfs sub create root /btr_pool
btrfs sub create home /btr_pool
...
```
12. Mount the root partition with `mount -o subvol=root /dev/mapper/root /mnt`
13. Mount the home partition with `mount -o subvol=home /dev/mapper/root /mnt/home`
14. Mount the boot partition with `mount --mkdir /dev/vda1 /mnt/boot`
15. If on VM: Mount the conf files with `mount --mkdir /dev/sr1 /mnt/media`
16. `pacstrap -K /mnt base linux linux-firmware`
This command might show an error. This is ok, we'll fix it later.
17. `genfstab -U /mnt >> /mnt/etc/fstab`
18. `arch-chroot /mnt`
19. `ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime`
20. `hwclock --systohc`
21. `echo 'en_US.UTF-8 UTF-8' > /etc/locale.gen`
22. `echo 'KEYMAP=us' > /etc/vconsole.conf`
23. `echo 'hostname' > /etc/hostname`
24. `pacman -S sudo vim dhclient dhcpcd bash-completion btrfs-progs plymouth`
- dhclient/dhcpcd provides dhcp for network
- bash-completion provides tab complete
- btrfs-progs provides fsck for btrfs
- plymouth gives a nice bootloader screen
25. Edit /etc/mkinitcpio.conf and set up systemd/sd-encrypt
/etc/mkinitcpio.conf
```conf
HOOKS=(systemd plymouth autodetect modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)
```
26. `mkinitcpio -P`
27. Install systemd-boot
<https://wiki.archlinux.org/title/systemd-boot>
```bash
bootctl install
```
If this raises an error like "efi partition not found" you probably forgot to format
/mnt/boot as an EFI partition. Edit this by reformatting it with gdisk (ef00 is the hex code).
28. edit your loader.conf with some defaults
/boot/loader/loader.conf
```conf
default main.conf
timeout 4
console-mode max
editor no
```
29. Create a loader (/usr/share/systemd/bootctl/arch.conf for example)
/boot/loader/entries/main.conf
```conf
title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options quiet splash rd.luks.name=d9828faa-2b8c-4184-9e74-9054ae328c6d=root root=/dev/mapper/root rootflags=subvol=root nvme.noacpi=1 acpi_osi="!Windows 2020" mem_sleep_default="deep" rw
```
You can get the UUID of the disk into arch.conf with some grepping. Use vim to cut
the excess and copy it into the correct location.
```bash
blkid | grep /dev/vda2 >> /boot/loader/entries/main.conf
```
30. `useradd ducoterra`
31. `passwd ducoterra`
32. `groupadd sudo`
33. Edit /etc/sudoers and uncomment the section allowing sudo and wheel group privilege
34. `usermod -aG sudo ducoterra`
35. `usermod -aG wheel ducoterra`
36. `mkdir /home/ducoterra`
37. `chown ducoterra:ducoterra /home/ducoterra`
38. `locale-gen`
39. `systemctl enable dhcpcd`
40. If on VM install guest drivers: `pacman -S qemu-guest-agent spice-vdagent`
41. If you need ssh: `pacman -S openssh; systemctl enable sshd`
42. `exit`
43. `reboot`
44. Remove your installation medium and boot into arch
45. Add a pacman hook for systemd-boot updates
/etc/pacman.d/hooks/95-systemd-boot.hook
```conf
[Trigger]
Type = Package
Operation = Upgrade
Target = systemd
[Action]
Description = Gracefully upgrading systemd-boot...
When = PostTransaction
Exec = /usr/bin/systemctl restart systemd-boot-update.service
```
### AUR
The AUR lets you install community-created and maintained packages. Here are the basics:
```bash
pacman -S --needed git base-devel
mkdir ~/aur
# When you find a project, the basic installation looks like this:
git clone <git repo from aur>
cd <folder name>
makepkg -si
```
### Security
<https://wiki.archlinux.org/title/security>
Every machine, regardless of use-case, should perform some basic hardening. You don't
need to follow every instruction in the above wiki, but you should at least
enable secure boot, tpm2 disk decryption, firewall, apparmor, clamav, btrfs snapshots,
and btrfs backups.
Security Philosophy
1. Secure Boot
Protection from pre-boot malware that might hijack your EFI binary.
<https://www.rodsbooks.com/efi-bootloaders/secureboot.html>
2. TPM2 Decryption
Since we have secure boot enabled we can safely auto-decrypt our hard drive with a
tpm2 device. This is purely a convenience.
3. Firewall
This should be self-explanatory, but I'll explain anyway. Don't allow any arbitrary
network traffic into your device. Block those ports. Only open what you need. Firewalls
drastically reduce the risk of remote exploits by stopping them before they can even
establish a connection. Firewalls can also be used to limit an attacker's ability
to even discover you on a network with icmp blocking.
4. AppArmor
AppArmor is a mandatory access control system like SELinux. Even if you
don't configure it beyond its defaults, AppArmor is still a good thing to
have available. Apps which come with an apparmor profile will offer you an
additional layer of security. In the same way that a firewall protects you
from remote attacks, AppArmor protects you from privilege escalation
attacks and malicious binaries by blocking them at the source.
5. ClamAV
Much like Windows has Windows Defender, Linux has ClamAV. Running an antivirus scanner
certainly isn't the end-all-be-all of security, and it definitely isn't good enough
on its own to keep your system safe, but in combination with apparmor and a firewall
you can identify and quarantine malware before it has a chance to compromise your system. That
being said, finding *any* malware on a system is reason enough to nuke it from orbit and restore from a
known good backup.
6. BTRFS Snapshots
This is not a backup, this is a snapshot. It serves an equally important function, however,
in that it protects you from accidental deletion and corruption. Let's imagine you perform
an update, reboot, and your computer crashes mid-startup. You could easily restore root
from a btrfs snapshot on your system and go on with your day like nothing happened.
7. BTRFS Backups
This is a backup. Unlike snapshots, which live on the same drive your system exists
on, backups are physically separate copies of your computer stored (hopefully) in a
physically separate location. In the event your computer is lost or stolen these
backups give you a way to perfectly restore your system to its former glory.
#### Secure Boot
1. Put your machine in setup mode
On framework this is done in the UEFI setup page for Security, sub-page
Secure Boot, choose “Erase all Secure Boot Settings.”
On my Gigabyte motherboard this is done in the BIOS under security. Set secure boot
to custom.
2. `pacman -S efitools sbctl`
3. `cd /root/`
4. `for var in PK KEK db dbx ; do efi-readvar -v $var -o old_${var}.esl ; done`
5. `sbctl create-keys`
6. `sbctl enroll-keys -m`
7. `sbctl status`
8. `sbctl verify`
9. `sbctl sign -s /boot/vmlinuz-linux`
10. `sbctl sign -s /boot/EFI/BOOT/BOOTX64.EFI`
11. `sbctl sign -s /boot/EFI/systemd/systemd-bootx64.efi`
12. `sbctl verify`
13. `reboot`
14. Enable secure boot
15. `sbctl status` to check secure boot
16. `bootctl` to check boot loader status
There is a pacman hook which will automatically sign new binaries on update.
#### TPM2 LUKS Decryption
Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure boot is disabled.
1. `pacman -S tpm2-tss`
2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7`
##### Re-enroll
```bash
systemd-cryptenroll /dev/nvme0n1p2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7
systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7
```
#### FIDO2 LUKS Decryption
1. `pacman -S libfido2`
#### Firewall
```bash
pacman -S ufw
systemctl enable --now ufw
```
#### AppArmor
##### Install Apparmor
Apparmor protects your system by limiting the access binaries have to specific files.
All binaries which are protected by apparmor profiles have a whitelist of allowed
paths they can touch, even if they run as root.
1. `pacman -S apparmor`
2. `systemctl enable --now apparmor`
3. `systemctl enable --now auditd`
4. Add the correct kernel parameters
/boot/loaders/entries/main.conf
```conf
title Arch Linux
...
options ...lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1...
```
5. `reboot`
##### Custom Profiles
You will likely need to create custom profiles for your apps. There are a few ways to
do this but the least painful ways are as follows:
1. A profile already exists in `/usr/share/apparmor/extra-profiles/`
Check here first. More than likely there's a good starting point. This will probably
need to be tuned but you can (and should) copy it to /etc/apparmor.d
2. No profile exists in `/usr/share/apparmor/extra-profiles/`
You can use `aa-genprof <binary>` to generate a profile for that binary and begin
listening to log events. Then, launch the application and use it as intended. When
you've done what you consider to be the typical use-case you should.
1. Press `s` until it begins recommending additions to your profile
2. Use (A) or (D) to add or deny paths
3. Use (G) to glob a path
4. Use (N) to write a custom path
5. If prompted for an executable choose (I) to inherit the execution privileges from the parent process or (P) to use this application's profile. Sanitize if you chooose this app's profile
6. When done, (F) to finish and (S) to save.
7. Use `apparmor_parser -r /etc/apparmor.d/<profile>` to reload the profile
8. Run `aa-enforce /etc/apparmor.d/<profile>` to set to enforce mode
9. Try to launch the app. It will probably crash
10. Run `aa-logprof`, add rules, `apparmor_parser -r /etc/apparmor.d/<profile>`, launch app, repeat until it works
11. You can `tail /var/log/audit/audit.log` and grab a string like `msg=audit(1692576444.967:102858)` to use as a starting point rather than parsing the whole log. Like: `aa-logprof -m 'msg=audit(1692576444.967:102858)'`.
From <https://manpages.ubuntu.com/manpages/xenial/man5/apparmor.d.5.html>
```text
Access Modes
File permission access modes consists of combinations of the following modes:
r - read
w - write -- conflicts with append
a - append -- conflicts with write
ux - unconfined execute
Ux - unconfined execute -- scrub the environment
px - discrete profile execute
Px - discrete profile execute -- scrub the environment
cx - transition to subprofile on execute
Cx - transition to subprofile on execute -- scrub the environment
ix - inherit execute
pix - discrete profile execute with inherit fallback
Pix - discrete profile execute with inherit fallback -- scrub the environment
cix - transition to subprofile on execute with inherit fallback
Cix - transition to subprofile on execute with inherit fallback -- scrub the
environment
pux - discrete profile execute with fallback to unconfined
PUx - discrete profile execute with fallback to unconfined -- scrub the environment
cux - transition to subprofile on execute with fallback to unconfined
CUx - transition to subprofile on execute with fallback to unconfined -- scrub the
environment
deny x - disallow execute (in rules with the deny qualifier)
m - allow PROT_EXEC with mmap(2) calls
l - link
k - lock
```
#### ClamAV
1. `pacman -S clamav`
2. `clamscan --recursive --infected /path/to/dir`
- OR -
1. `freshclam`
2. `systemctl enable --now clamav-freshclam.service`
3. `systemctl enable --now clamav-daemon.service`
4. `clamdscan --multiscan --fdpass /home/ducoterra`
##### Config
```conf
UpdateLogFile /var/log/clamav/freshclam.log
PidFile /run/clamav/freshclam.pid
DatabaseMirror database.clamav.net
NotifyClamd /etc/clamav/clamd.conf
```
#### btrbk
```bash
cd Downloads
wget https://raw.githubusercontent.com/digint/btrbk/master/btrbk
clamscan .
chmod +x btrbk
sudo mv btrbk /usr/bin/
```
##### fstab
You'll need to mount your btrfs volumes in a location which exposes their subvolumes.
```bash
mkdir -p /btr_pools/root
```
/etc/fstab
```conf
# btr_pools
UUID=84153269-f194-43f7-a4fe-e72aaffdb97a /btr_pools/root btrfs rw,relatime,ssd,space_cache=v2,subvolid=256,subvolid=5 0 0
```
```bash
systemctl daemon-reload
mount -a
btrfs sub create /btr_pools/root/.snapshots
btrbk -c /etc/btrbk/snapshots.conf dryrun
btrbk -c /etc/btrbk/snapshots.conf run
```
##### Snapshots
1. Create a snapshot config
/etc/btrbk/snapshots.conf
```conf
snapshot_preserve_min 24h
snapshot_preserve 14d
# root
volume /btr_pools/root
subvolume root
snapshot_dir .snapshots
# home
volume /btr_pools/root
subvolume home
snapshot_dir .snapshots
# libvirt
volume /btr_pools/root
subvolume libvirt
snapshot_dir .snapshots
# nextcloud
volume /btr_pools/root
subvolume nextcloud
snapshot_dir .snapshots
```
2. Then create a snapshot service
/etc/systemd/system/btrbk_snapshots.service
```conf
[Unit]
Description=Runs btrbk with config file at /etc/btrbk/snapshots.conf
[Service]
ExecStart=/usr/bin/btrbk -c /etc/btrbk/snapshots.conf -v run
```
3. Then create a timer for the service
/etc/systemd/system/btrbk_snapshots.timer
```conf
[Unit]
Description=Run snapshots every hour
[Timer]
OnCalendar=hourly
AccuracySec=10min
Persistent=true
Unit=btrbk_snapshots.service
[Install]
WantedBy=timers.target
```
4. Then enable the service
```bash
systemctl enable --now btrbk_snapshots.timer
```
##### Backups
Before you begin, go through the usual process of setting up an encrypted drive. If
you're using Gnome I recommend using the GUI since it handles encrypted USB drives
really nicely.
The only thing I'd recommend doing manually is creating the mountpoint as a read-only
subvolume. This prevents backups from being written to the root device when the backup
disk isn't mounted.
```bash
btrfs sub create /btr_pools/backup
btrfs property set /btr_pools/backup ro true
```
1. Create a backup config
/etc/btrbk/backups.conf
```conf
snapshot_create no
target_preserve_min no
target_preserve 30d
# root
volume /btr_pools/root
target /btr_pools/backup
subvolume root
snapshot_dir .snapshots
# home
volume /btr_pools/root
target /btr_pools/backup
subvolume home
snapshot_dir .snapshots
# libvirt
volume /btr_pools/root
target /btr_pools/backup
subvolume libvirt
snapshot_dir .snapshots
```
2. Create a backup service
/etc/systemd/system/btrbk_backups.service
```conf
[Unit]
Description=Runs btrbk with config file at /etc/btrbk/backups.conf
[Service]
ExecStart=/usr/bin/btrbk -c /etc/btrbk/backups.conf -v run
```
3. Create a timer to activate the service
/etc/systemd/system/btrbk_backups.timer
```conf
[Unit]
Description=Run btrbk backups every hour
[Timer]
OnCalendar=hourly
AccuracySec=10min
Persistent=true
Unit=btrbk_backups.service
[Install]
WantedBy=timers.target
```
4. Enable the timer
```bash
systemctl enable --now btrbk_backup.conf
```
##### Backing up a snapshot
```bash
pacman -S pv
btrfs send /mnt/btr_backup/root.20230727T1000 | pv | btrfs receive /mnt/btr_iscsi
```
#### Chroots
You can create chroot environments to run firejails or just use for testing purposes.
1. `btrfs sub create /chroots`
2. `mkdir /testing`
3. `pacman -S arch-install-scripts`
4. `pacstrap -K /chroots/testing/ base base-devel`
5. `arch-chroot /chroots/testing`
#### Fingerprint Reader Support
##### Setup
1. `pacman -S fprintd`
2. `systemctl enable --now fprintd`
3. `fprintd-enroll ducoterra`
4. Enable fingerprint terminal login but prompt for password first (enter switches to prompt for fingerprint)
/etc/pam.d/sudo
```conf
# fingerprint auth
auth sufficient pam_fprintd.so
```
##### Turn Off Fingerprint When Laptop Lid Closed
**NOTE: This may break fingerprint unlock. Testing in progress.**
To disable fingerprint authentication when the laptop lid is closed, and
re-enable when it is reopened, we will use acpid to bind to the button/lid.*
event to a custom script that will comment out fprintd auth in /etc/pam.d/sudo.
Usually we'd just `systemctl mask fprintd` but this breaks gdm (as of 08/06/23). See
<https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/2267> and
<https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6585>.
1. `pacman -S acpid` and then `systemctl enable --now acpid`
2. Create file /etc/acpi/laptop-lid.sh with the following contents:
```bash
#!/bin/bash
if grep -Fq closed /proc/acpi/button/lid/LID0/state # &&
# This is used to detect if a display is connected.
# For USB C displayport use:
# grep -Fxq connected /sys/class/drm/card1-DP-2/status
# For hdmi use:
# grep -Fxq connected /sys/class/drm/card0-HDMI-A-1/status
then
# comment out fprintd
sed -i -E 's/^([^#].*pam_fprintd.so)/#\1/g' /etc/pam.d/sudo
else
# uncomment fprintd
sed -i -E 's/#(.*pam_fprintd.so)/\1/g' /etc/pam.d/sudo
fi
```
3. Make the file executable with
`chmod +x /etc/acpi/laptop-lid.sh`
4. Create file /etc/acpi/events/laptop-lid with the following contents:
```bash
event=button/lid.*
action=/etc/acpi/laptop-lid.sh
```
5. Restart the acpid service with:
`systemctl restart acpid`
Now the fingerprint will be used only when the lid is open.
In order to ensure the correct state after suspend we need a service file which
runs our script on wake.
1. Create a file named /etc/systemd/system/laptop-lid.service with the following contents:
```bash
[Unit]
Description=Laptop Lid
After=suspend.target
[Service]
ExecStart=/etc/acpi/laptop-lid.sh
[Install]
WantedBy=multi-user.target
WantedBy=suspend.target
```
2. Reload the systemd config files with
`sudo systemctl daemon-reload`
3. Start and enable the service with
`sudo systemctl enable --now laptop-lid.service`
Now the status should be correct even after connecting/disconnecting when the computer is off.
## Desktop Environment
### Gnome
1. `pacman -S gdm gnome`
- choose pipewire-jack
- choose wireplumber
- choose noto-fonts-emoji
2. `systemctl enable --now gdm`
3. `pacman -S networkmanager`
4. `systemctl enable --now NetworkManager`
5. `pacman -S gnome-tweaks dconf-editor seahorse`
## Hardware Management
### Hardware Acceleration
(This helps enable hardware encoding/decoding for steam streaming)
Intel
```bash
pacman -S libva-utils intel-media-driver
vainfo
```
AMD
```bash
pacman -S vulkan-radeon libva-utils libva-mesa-driver xf86-video-amdgpu
vainfo
```
### Power Management
1. For laptops install `tlp`
```bash
pacman -S tlp tlp-rdw
systemctl enable --now tlp
systemctl mask systemd-rfkill.service
systemctl mask systemd-rfkill.socket
```
2. Then configure it with the following settings (optional)
/etc/tlp.conf
```conf
# I've seen some issues with usb autosuspend
USB_AUTOSUSPEND=0
# Restore bluetooth/wifi state on reboot
# Otherwise it defaults to on
RESTORE_DEVICE_STATE_ON_STARTUP=1
# Disable wifi when plugged in
# You might not want this for continuity - eg. you're copying a file to a network
# share over wifi - plugging in will cancel the copy with this option enabled.
DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan"
# Re-enable wifi when unplugged.
DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="wifi wwan"
```
3. For desktops install cpupower
```bash
pacman -S cpupower
systemctl enable --now cpupower
```
Temporarily set power profile with `cpupower frequency-set -g performance`
Edit /etc/default/cpupower
```conf
governor='performance'
```
### Don't sleep while plugged in
This is needed for the Framework 13 (11th gen) since sleeping while plugged in to a dock
will prevent it from waking up.
/etc/systemd/logind.conf
```conf
...
HandleLidSwitchExternalPower=lock
HandleLidSwitchDocked=ignore
...
```
### Bluetooth
1. `pacman -S bluez bluez-utils`
2. `systemctl enable --now bluetooth`
### Audio
Without pipewire-pulse the audio level/device will reset every reboot.
1. `pacman -S pipewire-pulse` (remove conflicting packages)
### ISCSI
```bash
pacman -S open-iscsi
systemctl enable --now iscsid
```
1. Add auth login
/etc/iscsi/iscsid.conf
```conf
node.session.auth.chap_algs = SHA3-256,SHA256,SHA1,MD5
node.session.auth.username = username
node.session.auth.password = password
```
2. Initiate and login to the portal
```bash
# Add a new target to your list of nodes
iscsiadm \
-m discovery \
-t st \
-p driveripper.reeselink.com
# Login to the target
iscsiadm \
-m node \
--targetname iqn.2023-01.driveripper.reeselink.com:backup-reese-pc \
-p driveripper.reeselink.com:3260 \
--login
# or login to all targets
iscsiadm -m node --loginall all
# View current session
iscsiadm -m session
# Log out of all sessions
iscsiadm -m node -u
# Log out of a single session
iscsiadm -m node -T iqn.2023-01.driveripper.reeselink.com:2024-01-framework --logout
# Remove session
iscsiadm -m node -o delete -T iqn.2023-01.driveripper.reeselink.com:2023-01-framework
```
## Software Stores
### AppImage Support
Also chmod +x before running.
1. `cp ~/Downloads/xxxxxxx.appimage ~/Applications`
2. Find an icon online and save it to ~/.icons
3. Write a .desktop entry at ~/.local/share/applications/
```conf
[Desktop Entry]
Name=
Exec=/home/ducoterra/Applications/
Icon=/home/ducoterra/.icons/
Type=Application
```
4. `desktop-file-validate ~/.local/share/applications/*.desktop`
5. `update-desktop-database`
#### Troubleshooting
fuse may be required to run an appimage.
```bash
sudo pacman -S fuse
```
### Flatpak
```bash
pacman -S flatpak
```
## Apps
### Firefox
You'll want firefox and gnome-browser-connector (for gnome extension management).
```bash
pacman -S firefox gnome-browser-connector
```
Choose noto-fonts
#### Gnome Extensions
1. AlphabeticalAppGrid@stuarthayhurst
2. Vitals@CoreCoding.com
3. dash-to-dock@micxgx.gmail.com
4. tactile@lundal.io
### Avahi (Bonjour)
1. `sudo pacman -S avahi`
2. `sudo vim /etc/nsswitch.conf`
```conf
hosts: mymachines mdns [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
```
3. `sudo vim /etc/mdns.allow`
```conf
.local.
.local
```
### CUPS Printing
Note: you probably need avahi (see above)
1. `sudo pacman -S cups cups-pdf system-config-printer`
2. `sudo vim /etc/nsswitch.conf`
```conf
hosts: mymachines mdns [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
```
3. `sudo systemctl start cups`
4. `sudo systemctl start avahi-daemon`
### Yubikey
You'll need the yubikey manager appimage in addition to the pacman package
```bash
sudo pacman -S yubikey-manager
```
Reboot and things should work. You might also have to start pcscd:
```bash
sudo systemctl enable --now pcscd
```
## Bashrc
### Colorized Prompt
<https://colors.sh/>
You can change the prompt color by setting PROMPT_COLOR at the top of your .bashrc
Examples:
Yellow: `PROMPT_COLOR=33;`
Orange: `PROMPT_COLOR=38;5;208;`
Red: `PROMPT_COLOR=38;5;160;`
### Standard Bashrc
Don't do this if you installed `zsh`
~/.bashrc
```bash
# .bashrc
# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
# User specific binaries
if ! [[ "$PATH" =~ "$HOME/.local/bin:$HOME/bin:" ]]
then
PATH="$HOME/.local/bin:$HOME/bin:$PATH"
fi
export PATH
# User specific aliases and functions (source .bashrc.d/)
if [ -d ~/.bashrc.d ]; then
for rc in ~/.bashrc.d/*; do
if [ -f "$rc" ]; then
. "$rc"
fi
done
fi
# clear var used in for loop
unset rc
```
~/.bashrc.d/aliases.sh
```bash
# (Mostly) Taken from https://www.cyberciti.biz/tips/bash-aliases-mac-centos-linux-unix.html
# Author: Vivek Gite
## Colorize the ls output ##
alias ls="ls --color=auto"
## Colorize the grep command output for ease of use (good for log files)##
alias grep='grep --color=auto'
alias egrep='egrep --color=auto'
alias fgrep='fgrep --color=auto'
## Make mount human readable ##
alias mount='mount |column -t'
## show open ports ##
alias ports='ss -tulanp'
# do not delete / or prompt if deleting more than 3 files at a time #
alias rm='rm -I --preserve-root'
# confirmation #
alias mv='mv -i'
alias cp='cp -i'
alias ln='ln -i'
# Parenting changing perms on / #
alias chown='chown --preserve-root'
alias chmod='chmod --preserve-root'
alias chgrp='chgrp --preserve-root'
## pass options to free ##
alias meminfo='free -m -l -t'
## get top process eating memory
alias psmem='ps auxf | sort -nr -k 4'
alias psmem10='ps auxf | sort -nr -k 4 | head -10'
## get top process eating cpu ##
alias pscpu='ps auxf | sort -nr -k 3'
alias pscpu10='ps auxf | sort -nr -k 3 | head -10'
## this one saved by butt so many times ##
alias wget='wget -c'
## set some other defaults ##
alias df='df -H'
alias du='du -ch'
## ls but with file sizes, showing largest at the bottom ##
alias lst='ls --human-readable --size -1 -S --classify -r'
## ls show only directories
alias lsd='ls -d */'
## Count the number of files in a directory
alias lsc='find . -type f | wc -l'
## ls sort by last modified ##
alias lmt='ls -t -1'
```
Reference in New Issue View Git Blame Copy Permalink