Update several guides

guides/01_INSTALLATION.md

@@ -166,11 +166,10 @@ cd ~/dots
 ./install_root.sh
 ```
 
-Exit and reenter chroot, this time into zsh shell
+Enter a fish shell for a better experience
 
 ```bash
-exit
-arch-chroot /mnt zsh
+fish
 ```
 
 Create non-privileged user
@@ -179,15 +178,17 @@ Create non-privileged user
 useradd itsdrike
 usermod -aG wheel itsdrike
 install -o itsdrike -g itsdrike -d /home/itsdrike
+mv ~/dots /home/itsdrike
+chown -R itsdrike:itsdrike /home/itsdrike/dots
 passwd itsdrike
 chsh -s /usr/bin/zsh itsdrike
-su -l itsdrike # press q or esc in the default zsh options
+su -l itsdrike
+fish
 ```
 
 Setup user account
 
 ```bash
-git clone --recursive https://github.com/ItsDrike/dotfiles ~/dots
 cd ~/dots
 ./install_user.sh
 ```
@@ -199,12 +200,6 @@ exit
 su -l itsdrike
 ```
 
-Install LazyVim
-
-```bash
-git clone https://github.com/ItsDrike/lazyvim ~/.config/nvim
-```
-
 ## Fstab adjustments
 
 Finally, we'll want to make some slight modifications to `/etc/fstab` file, so
@@ -356,6 +351,12 @@ reboot
 
 Log in as an unpriviledged user, and:
 
+Connect to Wi-Fi (NetworkManager)
+
+```bash
+nmtui  # set up your network from here
+```
+
 Enable Network Time Protocol (time synchronization)
 
 ```bash
@@ -363,12 +364,6 @@ sudo timedatectl set-ntp true
 timedatectl status
 ```
 
-Connect to a wifi network
-
-```bash
-nmtui
-```
-
 ## Graphical User Interface
 
 Finally, you can run the `install_gui.sh` script in my dotfiles, to get all of

guides/03_UNIFIED_KERNEL_IMAGES.md

@@ -45,7 +45,7 @@ kernel command line args):
 ```bash
 echo "rw loglevel=3" > /etc/kernel/cmdline
 echo "cryptdevice=LABEL=CRYPTFS:cryptfs:allow-discards" >> /etc/kernel/cmdline
-echo "root=/dev/mapper/cryptfs rootflags=subvol=/@" >> /etc/kernel/cmdline
+echo "root=/dev/mapper/cryptfs rootflags=subvol=/root" >> /etc/kernel/cmdline
 ```
 
 <!-- markdownlint-disable MD028 -->
@@ -64,7 +64,7 @@ echo "root=/dev/mapper/cryptfs rootflags=subvol=/@" >> /etc/kernel/cmdline
 > (which mkinitramfs generates by default).
 >
 > That said, you will still need `rootflags` to select the btrfs subvolume
-> though, unless the root partition is your default subvolume.
+> (unless the root partition is your default subvolume).
 >
 > If you aren't sure which initramfs you're using, it's probably `BusyBox`.
 
@@ -177,6 +177,16 @@ initial OS installation:
 bootctl install --esp-path=/efi
 ````
 
+If you had some `systemd-boot` settings in your `/efi/loader/loader.conf`, make sure to re-add those, e.g.:
+
+```text
+timeout 3
+console-mode auto
+editor yes
+auto-firmware yes
+beep no
+```
+
 We can now reboot. Systemd-boot will pick up any UKI images in `/efi/EFI/Linux`
 automatically (this path is hard-coded), even without any entry configurations.
 

guides/05_SYSTEMD_INITRAMFS.md

@@ -85,7 +85,7 @@ So, let's edit our kernel parameters:
 
 ```bash
 echo "rw loglevel=3" > /etc/kernel/cmdline  # overwrite the existing cmdline
-echo "rootflags=subvol=/@" >> /etc/kernel/cmdline
+echo "rootflags=subvol=/root" >> /etc/kernel/cmdline
 ```
 
 You'll also need to modify the `/etc/fstab`, as systemd will not use the
@@ -95,6 +95,12 @@ If you prefer using a mapper device, you can also use `/dev/mapper/root`.
 Alternatively, you can use the label to mount. (if you followed the
 installation guide, that would be `/dev/disk/by-label/FS`.)
 
+```bash
+sed -i 's/\/dev\/mapper\/cryptfs/\/dev\/mapper\/root/g' /etc/fstab
+```
+
+Make sure to check that you did this right from:
+
 ```bash
 vim /etc/fstab
 ```
@@ -125,8 +131,15 @@ support there, you will need to do some more work.
 
 To enable numlock before you're prompted for the decryption password, we'll need
 to create a custom initcpio hook, that will return a systemd service which will
-do the enabling. We'll put this hook into `/usr/lib/initcpio/install/numlock`,
-with the following content:
+do the enabling. We'll put this hook into `/usr/lib/initcpio/install/numlock`.
+You can find the hook contents in this dotfiles repository under the matching path,
+and just copy it from there:
+
+```bash
+cp ~/dots/root/usr/lib/initcpio/install/numlock /usr/lib/initcpio/install
+```
+
+Or use the content below:
 
 ```bash
 #!/bin/bash
@@ -159,15 +172,16 @@ EOF
 }
 ```
 
-This script is also present in my dotfiles, so you can just copy it from there:
+Next we will need to create a `/usr/local/bin/numlock` script, which the
+service references. This script will do the actual enabling of numlock. Note
+that we can only use the binaries that we explicitly included in our hook
+inside our script.
 
-```bash
-cp ~/dots/root/usr/lib/initcpio/install/numlock /usr/lib/initcpio/install
-```
+If you ran the `install_root.sh` script from my dotfiles during
+[INSTALLATION](./01_INSTALLATION.md), this script will already be present in
+your `/usr/local/bin`
 
-Next we will need to create that `/usr/local/bin/numlock` script. This script
-will do the actual enabling of numlock. Note that we can only use the binaries
-that we explicitly included in our hook inside our script.
+Otherwise, create this file with the following contents:
 
 ```bash
 #!/bin/bash
@@ -176,13 +190,9 @@ for tty in /dev/tty[0-9]; do
 done
 ```
 
-If you ran the `install_root.sh` script from my dotfiles during
-[INSTALLATION](./01_INSTALLATION.md), this script will already be present in
-your `/usr/local/bin`
-
 Now we will need to add our custom new `numlock` hook to
 `/etc/mkinitcpio.conf`, before the `sd-encrypt` hook (assuming you're using
-encryption), but after the `keyboard` and `sd-vconsole` hooks.
+encryption), but after the `sd-vconsole` hook.
 
 Finally, we'll need to rebuild initramfs, which we should trigger with `sudo
 pacman -S linux`, to make sure the secure-boot signing also runs. When

guides/06_TPM_UNLOCKING.md

@@ -32,11 +32,12 @@ support TPM unlocking.
 > If you can't afford to be vulnerable to this type of attack, you can still
 > follow through with this, however instead of the TPM seamlessly releasing the
 > decryption password, you can require a password to be entered, without which
-> TPM won't release the decryption password.
+> TPM won't release the decryption password. This will be explained later.
 >
 > This can be useful if you use a very long encryption passwords, and you want
 > to be able to enter a shorter passphrase instead (TPM has brute-force
-> protection, so a short password isn't actually that unsafe to use).
+> protection, so a short password isn't actually that unsafe to use). I'm
+> personally using this approach on my devices.
 
 ## Check if you actually have the TPM module
 
@@ -149,10 +150,25 @@ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7+12 /dev/gpt-auto-roo
 >
 > I have mentioned why you may want to do this in the beginning.
 >
-> In case you do want to go with a PIN, you can also safely drop PCR12, as you
-> will be asked for credentials each time anyways, and at that point, the TPM
-> unlocking is basically just as secure as regular passphrase unlocking, which
-> systemd would fall back to if PCR12 wasn't met.
+> In case you do want to go with a PIN, you can also relatively safely drop
+> PCR12, as you will be asked for credentials each time anyways, and at that
+> point, the TPM unlocking is basically just as secure as regular passphrase
+> unlocking, which systemd would fall back to if PCR12 wasn't met. But if you
+> still wish to require a full encryption password if kernel params were
+> changed, you can keep it (Personally, I like to still keep it).
+>
+> In case you followed the earlier command already before reading this, it's fine, just run:
+>
+> ```bash
+> cryptsetup luksKillSlot /dev/gpt-auto-root-luks [slot number]
+> ```
+> 
+> Where the slot number should've been shown to you from the cryptenroll
+> command. (If you only had one encryption password, that password will
+> probably be in slot 0, so you'll want to use slot 1 here.)
+>
+> After that, you can re-run the `systemd-cryptenroll`, with the
+> `--wipe-slot=tpm2` too.
 
 <!-- markdownlint-enable MD028 -->
 
@@ -167,7 +183,7 @@ instead of a decryption password.
 
 If you're using a bootloader, I'd recommend also trying to modify the kernel
 parameters, to make sure that TPM does not release the key anymore, and you will
-be prompted to enter it manually.
+be prompted to enter your full disk decryption key manually.
 
 ## Moving to a recovery key
 
@@ -180,6 +196,14 @@ entropy, likely making it a lot more secure than your original key, further
 improving your chances, if someone attempts a brute-force decryption of your
 drive.
 
+> [!NOTE]
+> I personally prefer to still use my own key which I have memorized, rather
+> than a randomly generated one, as I trust it to have sufficiently high
+> entropy and I do sometimes need to type it out manually when changing the
+> kernel parameters, so I like to be able to do that without having to search
+> for a recovery key somewhere. That said, if you store your recovery key
+> properly, it will very likely be the technically more secure option.
+
 To generate a recovery key, you can actually also just use `systemd-cryptenroll`
 (though you can also do it manually with `cryptsetup`):
 

guides/99_BATTERY_OPTIMIZATIONS.md

@@ -132,6 +132,16 @@ pacman -S power-profiles-daemon
 systemctl enable --now power-profiles-daemon
 ```
 
+> [!NOTE]
+> Depending on where in the installation process you are, when setting this up,
+> your system might not yet have the `python-gobject` package, which is an
+> optional dependency of `power-profiles-daemon`. If you've already set up a
+> graphical environment, you will almost certainly have this pacakge brought in
+> by some other pakcage that has a hard-dependency on it, however, if you do
+> not, running `powerprofilesctl` will produce a `ModuleNotFound` python error.
+> If this happens to you, you can simply run `pacman -S --asdep
+> python-gobject`, to bring this package in.
+
 ### Setting power profile manually
 
 To try things out, you can set the power profile manually, using
@@ -252,9 +262,6 @@ systemctl daemon-reload # make systemd aware of the new service
 systemctl enable --now power-profiles-monitor
 ```
 
-> [!TIP]
-> You may have noticed that the script
-
 ## TLP
 
 > [!IMPORTANT]

guides/hibernation.md

@@ -30,6 +30,13 @@ partition. You can do that with the `resume` parameter, like this:
 - `resume="PARTLABEL=Swap partition`
 - `resume=/dev/archVolumeGroup/archLogicalVolume`
 
+> [!NOTE]
+> If you're using `systemd` based initramfs, you don't actually need this kernel parameter, as it can pick up the
+> dynamically mounted swap partition and check it's contents for the hibernation data. If found, systemd will
+> perform a hibernation resume.
+>
+> This is especially nice for certain more complex setups, such as a swap file on an encrypted partition.
+
 ### Swap File
 
 If you'd like to use a swap file, set `resume` parameter to the partition on which your swap file lives, and set