From 4e898032371c201ba7a2516f65e31810f37b96af Mon Sep 17 00:00:00 2001 From: ItsDrike Date: Thu, 28 Aug 2025 15:43:24 +0200 Subject: [PATCH] Update several guides --- guides/01_INSTALLATION.md | 29 +++++++++------------- guides/03_UNIFIED_KERNEL_IMAGES.md | 14 +++++++++-- guides/05_SYSTEMD_INITRAMFS.md | 40 +++++++++++++++++++----------- guides/06_TPM_UNLOCKING.md | 38 ++++++++++++++++++++++------ guides/99_BATTERY_OPTIMIZATIONS.md | 13 +++++++--- guides/hibernation.md | 7 ++++++ 6 files changed, 97 insertions(+), 44 deletions(-) diff --git a/guides/01_INSTALLATION.md b/guides/01_INSTALLATION.md index b05e861..e1fa750 100644 --- a/guides/01_INSTALLATION.md +++ b/guides/01_INSTALLATION.md @@ -166,11 +166,10 @@ cd ~/dots ./install_root.sh ``` -Exit and reenter chroot, this time into zsh shell +Enter a fish shell for a better experience ```bash -exit -arch-chroot /mnt zsh +fish ``` Create non-privileged user @@ -179,15 +178,17 @@ Create non-privileged user useradd itsdrike usermod -aG wheel itsdrike install -o itsdrike -g itsdrike -d /home/itsdrike +mv ~/dots /home/itsdrike +chown -R itsdrike:itsdrike /home/itsdrike/dots passwd itsdrike chsh -s /usr/bin/zsh itsdrike -su -l itsdrike # press q or esc in the default zsh options +su -l itsdrike +fish ``` Setup user account ```bash -git clone --recursive https://github.com/ItsDrike/dotfiles ~/dots cd ~/dots ./install_user.sh ``` @@ -199,12 +200,6 @@ exit su -l itsdrike ``` -Install LazyVim - -```bash -git clone https://github.com/ItsDrike/lazyvim ~/.config/nvim -``` - ## Fstab adjustments Finally, we'll want to make some slight modifications to `/etc/fstab` file, so @@ -356,6 +351,12 @@ reboot Log in as an unpriviledged user, and: +Connect to Wi-Fi (NetworkManager) + +```bash +nmtui # set up your network from here +``` + Enable Network Time Protocol (time synchronization) ```bash 
@@ -363,12 +364,6 @@ sudo timedatectl set-ntp true timedatectl status ``` -Connect to a wifi network - -```bash -nmtui -``` - ## Graphical User Interface Finally, you can run the `install_gui.sh` script in my dotfiles, to get all of diff --git a/guides/03_UNIFIED_KERNEL_IMAGES.md b/guides/03_UNIFIED_KERNEL_IMAGES.md index 42c3561..a857a36 100644 --- a/guides/03_UNIFIED_KERNEL_IMAGES.md +++ b/guides/03_UNIFIED_KERNEL_IMAGES.md @@ -45,7 +45,7 @@ kernel command line args): ```bash echo "rw loglevel=3" > /etc/kernel/cmdline echo "cryptdevice=LABEL=CRYPTFS:cryptfs:allow-discards" >> /etc/kernel/cmdline -echo "root=/dev/mapper/cryptfs rootflags=subvol=/@" >> /etc/kernel/cmdline +echo "root=/dev/mapper/cryptfs rootflags=subvol=/root" >> /etc/kernel/cmdline ``` @@ -64,7 +64,7 @@ echo "root=/dev/mapper/cryptfs rootflags=subvol=/@" >> /etc/kernel/cmdline > (which mkinitramfs generates by default). > > That said, you will still need `rootflags` to select the btrfs subvolume -> though, unless the root partition is your default subvolume. +> (unless the root partition is your default subvolume). > > If you aren't sure which initramfs you're using, it's probably `BusyBox`. @@ -177,6 +177,16 @@ initial OS installation: bootctl install --esp-path=/efi ```` +If you had some `systemd-boot` settings in your `/efi/loader/loader.conf`, make sure to re-add those, e.g.: + +```text +timeout 3 +console-mode auto +editor yes +auto-firmware yes +beep no +``` + We can now reboot. Systemd-boot will pick up any UKI images in `/efi/EFI/Linux` automatically (this path is hard-coded), even without any entry configurations. diff --git a/guides/05_SYSTEMD_INITRAMFS.md b/guides/05_SYSTEMD_INITRAMFS.md index cfb4d20..99a9c9e 100644 --- a/guides/05_SYSTEMD_INITRAMFS.md +++ b/guides/05_SYSTEMD_INITRAMFS.md 
@@ -85,7 +85,7 @@ So, let's edit our kernel parameters: ```bash echo "rw loglevel=3" > /etc/kernel/cmdline # overwrite the existing cmdline -echo "rootflags=subvol=/@" >> /etc/kernel/cmdline +echo "rootflags=subvol=/root" >> /etc/kernel/cmdline ``` You'll also need to modify the `/etc/fstab`, as systemd will not use the @@ -95,6 +95,12 @@ If you prefer using a mapper device, you can also use `/dev/mapper/root`. Alternatively, you can use the label to mount. (if you followed the installation guide, that would be `/dev/disk/by-label/FS`.) +```bash +sed -i 's/\/dev\/mapper\/cryptfs/\/dev\/mapper\/root/g' /etc/fstab +``` + +Make sure to check that you did this right from: + ```bash vim /etc/fstab ``` @@ -125,8 +131,15 @@ support there, you will need to do some more work. To enable numlock before you're prompted for the decryption password, we'll need to create a custom initcpio hook, that will return a systemd service which will -do the enabling. We'll put this hook into `/usr/lib/initcpio/install/numlock`, -with the following content: +do the enabling. We'll put this hook into `/usr/lib/initcpio/install/numlock`. +You can find the hook contents in this dotfiles repository under the matching path, +and just copy it from there: + +```bash +cp ~/dots/root/usr/lib/initcpio/install/numlock /usr/lib/initcpio/install +``` + +Or use the content below: ```bash #!/bin/bash 
@@ -159,15 +172,16 @@ EOF } ``` -This script is also present in my dotfiles, so you can just copy it from there: +Next we will need to create a `/usr/local/bin/numlock` script, which the +service references. This script will do the actual enabling of numlock. Note +that we can only use the binaries that we explicitly included in our hook +inside our script. -```bash -cp ~/dots/root/usr/lib/initcpio/install/numlock /usr/lib/initcpio/install -``` +If you ran the `install_root.sh` script from my dotfiles during +[INSTALLATION](./01_INSTALLATION.md), this script will already be present in +your `/usr/local/bin` -Next we will need to create that `/usr/local/bin/numlock` script. This script -will do the actual enabling of numlock. Note that we can only use the binaries -that we explicitly included in our hook inside our script. +Otherwise, create this file with the following contents: ```bash #!/bin/bash @@ -176,13 +190,9 @@ for tty in /dev/tty[0-9]; do done ``` -If you ran the `install_root.sh` script from my dotfiles during -[INSTALLATION](./01_INSTALLATION.md), this script will already be present in -your `/usr/local/bin` - Now we will need to add our custom new `numlock` hook to `/etc/mkinitcpio.conf`, before the `sd-encrypt` hook (assuming you're using -encryption), but after the `keyboard` and `sd-vconsole` hooks. +encryption), but after the `sd-vconsole` hook. Finally, we'll need to rebuild initramfs, which we should trigger with `sudo pacman -S linux`, to make sure the secure-boot signing also runs. When diff --git a/guides/06_TPM_UNLOCKING.md b/guides/06_TPM_UNLOCKING.md index 77ba345..e4fc0c6 100644 --- a/guides/06_TPM_UNLOCKING.md +++ b/guides/06_TPM_UNLOCKING.md 
@@ -32,11 +32,12 @@ support TPM unlocking. > If you can't afford to be vulnerable to this type of attack, you can still > follow through with this, however instead of the TPM seamlessly releasing the > decryption password, you can require a password to be entered, without which -> TPM won't release the decryption password. +> TPM won't release the decryption password. This will be explained later. > > This can be useful if you use a very long encryption passwords, and you want > to be able to enter a shorter passphrase instead (TPM has brute-force -> protection, so a short password isn't actually that unsafe to use). +> protection, so a short password isn't actually that unsafe to use). I'm +> personally using this approach on my devices. ## Check if you actually have the TPM module 
@@ -149,10 +150,25 @@ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7+12 /dev/gpt-auto-roo > > I have mentioned why you may want to do this in the beginning. > -> In case you do want to go with a PIN, you can also safely drop PCR12, as you -> will be asked for credentials each time anyways, and at that point, the TPM -> unlocking is basically just as secure as regular passphrase unlocking, which -> systemd would fall back to if PCR12 wasn't met. +> In case you do want to go with a PIN, you can also relatively safely drop +> PCR12, as you will be asked for credentials each time anyways, and at that +> point, the TPM unlocking is basically just as secure as regular passphrase +> unlocking, which systemd would fall back to if PCR12 wasn't met. But if you +> still wish to require a full encryption password if kernel params were +> changed, you can keep it (Personally, I like to still keep it). +> +> In case you followed the earlier command already before reading this, it's fine, just run: +> +> ```bash +> cryptsetup luksKillSlot /dev/gpt-auto-root-luks [slot number] +> ``` +> +> Where the slot number should've been shown to you from the cryptenroll +> command. (If you only had one encryption password, that password will +> probably be in slot 0, so you'll want to use slot 1 here.) +> +> After that, you can re-run the `systemd-cryptenroll`, with the +> `--wipe-slot=tpm2` too. @@ -167,7 +183,7 @@ instead of a decryption password. If you're using a bootloader, I'd recommend also trying to modify the kernel parameters, to make sure that TPM does not release the key anymore, and you will -be prompted to enter it manually. +be prompted to enter your full disk decryption key manually. ## Moving to a recovery key 
@@ -180,6 +196,14 @@ entropy, likely making it a lot more secure than your original key, further improving your chances, if someone attempts a brute-force decryption of your drive. +> [!NOTE] +> I personally prefer to still use my own key which I have memorized, rather +> than a randomly generated one, as I trust it to have sufficiently high +> entropy and I do sometimes need to type it out manually when changing the +> kernel parameters, so I like to be able to do that without having to search +> for a recovery key somewhere. That said, if you store your recovery key +> properly, it will very likely be the technically more secure option. + To generate a recovery key, you can actually also just use `systemd-cryptenroll` (though you can also do it manually with `cryptsetup`): diff --git a/guides/99_BATTERY_OPTIMIZATIONS.md b/guides/99_BATTERY_OPTIMIZATIONS.md index 8c9366c..a04a222 100644 --- a/guides/99_BATTERY_OPTIMIZATIONS.md +++ b/guides/99_BATTERY_OPTIMIZATIONS.md @@ -132,6 +132,16 @@ pacman -S power-profiles-daemon systemctl enable --now power-profiles-daemon ``` +> [!NOTE] +> Depending on where in the installation process you are, when setting this up, +> your system might not yet have the `python-gobject` package, which is an +> optional dependency of `power-profiles-daemon`. If you've already set up a +> graphical environment, you will almost certainly have this pacakge brought in +> by some other pakcage that has a hard-dependency on it, however, if you do +> not, running `powerprofilesctl` will produce a `ModuleNotFound` python error. +> If this happens to you, you can simply run `pacman -S --asdep +> python-gobject`, to bring this package in. + ### Setting power profile manually To try things out, you can set the power profile manually, using @@ -252,9 +262,6 @@ systemctl daemon-reload # make systemd aware of the new service systemctl enable --now power-profiles-monitor ``` -> [!TIP] -> You may have noticed that the script - ## TLP > [!IMPORTANT] 
diff --git a/guides/hibernation.md b/guides/hibernation.md index 26e14cb..91188bb 100644 --- a/guides/hibernation.md +++ b/guides/hibernation.md @@ -30,6 +30,13 @@ partition. You can do that with the `resume` parameter, like this: - `resume="PARTLABEL=Swap partition` - `resume=/dev/archVolumeGroup/archLogicalVolume` +> [!NOTE] +> If you're using `systemd` based initramfs, you don't actually need this kernel parameter, as it can pick up the +> dynamically mounted swap partition and check it's contents for the hibernation data. If found, systemd will +> perform a hibernation resume. +> +> This is especially nice for certain more complex setups, such as a swap file on an encrypted partition. + ### Swap File If you'd like to use a swap file, set `resume` parameter to the partition on which your swap file lives, and set
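Review bot: in the `@@ -179,15 +178,17 @@` hunk of guides/01_INSTALLATION.md, the dropped comment `# press q or esc in the default zsh options` was still needed: `chsh -s /usr/bin/zsh itsdrike` keeps zsh as the login shell and `install_user.sh` has not run yet when `su -l itsdrike` is executed, so the reader still lands in zsh's first-run prompt before they can type `fish`. Suggest keeping the comment on the `su -l itsdrike` line. The `@@ -166,11 +166,10 @@` hunk replaces `arch-chroot /mnt zsh` with a bare `fish` and no longer says where that shell comes from; a half sentence that `./install_root.sh` installs it would close the gap. Minor, since the checkout is now moved into the home with `mv ~/dots /home/itsdrike` and `chown -R itsdrike:itsdrike`: the context line `install -o itsdrike -g itsdrike -d /home/itsdrike` creates the home with the default mode, so `-m 700` would keep the user's dotfiles from being world-readable.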
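Review bot: the `@@ -199,12 +200,6 @@` hunk of guides/01_INSTALLATION.md removes the "Install LazyVim" step without saying where the nvim config now comes from; if `install_user.sh` now performs that clone, state it in the guide or the commit message, otherwise the step is simply lost.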
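Review bot: the `subvol=/@` to `subvol=/root` change in the `@@ -45,7 +45,7 @@` hunk of guides/03_UNIFIED_KERNEL_IMAGES.md (and the identical change in the `@@ -85,7 +85,7 @@` hunk of guides/05_SYSTEMD_INITRAMFS.md) renames the root subvolume, but none of the guides/01_INSTALLATION.md hunks in this patch touch subvolume creation or `/etc/fstab`, so please confirm the installation guide already creates a subvolume named `root`; a mismatch fails at root mount, and with the command line embedded in the UKI there is no quick way to correct it from the boot menu. The name `root` also reads ambiguously next to the `/root` home directory and the `/dev/mapper/root` mapper device introduced in 05; one clause saying this is the btrfs subvolume path would help.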
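Review bot: the sample `loader.conf` added in the `@@ -177,6 +177,16 @@` hunk of guides/03_UNIFIED_KERNEL_IMAGES.md sets `editor yes`, which lets anyone at the console edit the kernel command line from the boot menu. The TPM guide in this same patch relies on PCR 12 to withhold the key when kernel params were changed, and its advice to "modify the kernel parameters" to test that is presumably done through this editor, so the setting is useful while verifying the setup; please add a sentence that `editor no` is the hardened choice afterwards, and that the PCR 12 binding (or a PIN) is what actually protects the data if the editor stays enabled. Adjacent pre-existing issue: the closing fence of the `bootctl install --esp-path=/efi` block right above the added text uses four backticks instead of three.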
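Review bot: the `sed -i 's/\/dev\/mapper\/cryptfs/\/dev\/mapper\/root/g' /etc/fstab` added in the `@@ -95,6 +95,12 @@` hunk of guides/05_SYSTEMD_INITRAMFS.md commits the reader to the mapper-device option while the surrounding text still presents it as one of two choices (the other being `/dev/disk/by-label/FS`); either say the sed applies only when you pick the mapper device, or give the label variant as well. Because a wrong `/etc/fstab` leaves the system unbootable, suggest previewing without `-i` first or keeping a backup, and a different delimiter removes the escaped slashes: `sed -i.bak 's#/dev/mapper/cryptfs#/dev/mapper/root#g' /etc/fstab`. The added sentence `Make sure to check that you did this right from:` reads awkwardly; `Then verify the result:` would do.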
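Review bot: in the `@@ -176,13 +190,9 @@` hunk of guides/05_SYSTEMD_INITRAMFS.md, the ordering rule is loosened from "after the `keyboard` and `sd-vconsole` hooks" to "after the `sd-vconsole` hook" without saying whether `keyboard` is still expected in `HOOKS`. The numlock hook toggles a key on the console keyboard before the `sd-encrypt` prompt, so the keyboard must already be usable at that point; state explicitly that `keyboard` stays in the hook list (and still precedes `sd-vconsole`), otherwise a reader may take the removal as permission to drop it.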
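Review bot: the recovery instructions added in the `@@ -149,10 +150,25 @@` hunk of guides/06_TPM_UNLOCKING.md have the reader guess a keyslot number for `cryptsetup luksKillSlot /dev/gpt-auto-root-luks [slot number]` ("probably be in slot 0, so you'll want to use slot 1"); killing the wrong slot on a device with a single passphrase destroys the only manual way in. The hunk itself says the next step is to re-run `systemd-cryptenroll` with `--wipe-slot=tpm2`, and that option alone removes the TPM2-bound slot (it selects slots by token type, not by number), so the `luksKillSlot` step can be dropped and the fix reduced to re-running the enrollment command with `--wipe-slot=tpm2` added. If a manual path is kept, have the reader confirm the slot with `cryptsetup luksDump` before killing anything, and mention that `luksKillSlot` asks for a passphrase from a remaining slot to authorize the removal unless run in batch mode.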
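Review bot: the NOTE added in the `@@ -132,6 +132,16 @@` hunk of guides/99_BATTERY_OPTIMIZATIONS.md has typos: `pacakge` and `pakcage` should be `package`, and the Python exception is `ModuleNotFoundError`, not `ModuleNotFound`. `hard-dependency` needs no hyphen, and the comma after `pacman -S --asdep python-gobject` splits the sentence for no reason.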
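Review bot: the NOTE added in the `@@ -30,6 +30,13 @@` hunk of guides/hibernation.md says systemd can find the swap and resume without `resume=`, but does not state the preconditions, and the swap-file-on-encrypted-partition case it cites only works if that partition is already unlocked inside the initramfs before resume is attempted; please name that requirement (the `sd-encrypt` setup from guides/05_SYSTEMD_INITRAMFS.md) so readers whose swap device is not unlocked in early boot do not assume it is automatic. Wording: `it's contents` should be `its contents`, and `systemd based` reads better as `systemd-based`. Adjacent pre-existing context: `resume="PARTLABEL=Swap partition` is missing its closing quote.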