diff --git a/guides/9_CACHYOS.md b/guides/9_CACHYOS.md
new file mode 100644
index 0000000..2bc5632
--- /dev/null
+++ b/guides/9_CACHYOS.md
@@ -0,0 +1,52 @@
+# CachyOS
+
+This guide will walk you through converting your existing Arch Linux installation into a CachyOS installation / installation using the CachyOS optimzied repos.
+
+## Why
+
+TODO
+
+## Installation
+
+The installation process is fairly straight forward, as CachyOS provides a script to automatically handle configuring
+pacman for you to work with the CachyOS repos. All you need to do is:
+
+```bash
+curl https://mirror.cachyos.org/cachyos-repo.tar.xz -o cachyos-repo.tar.xz
+tar xvf cachyos-repo.tar.xz && cd cachyos-repo
+sudo ./cachyos-repo.sh
+```
+
+Source:
+
+## Moving to an optimzied kernel
+
+Most people decide to use CachyOS mainly to benefit from the optimized kernel packages, as that is generally the most
+performance critical part of your system. Even though the CachyOS repos also bring a bunch of other optimized packages,
+which definitely contribute to performance improvements too, switching the generic kernel for an optimized one is
+usually going to be the most impactful.
+
+TODO
+
+## Automatic mirror ranking
+
+For most Arch installation, `reflector` is used for handling optimizing the mirror order (to improve pacman download speeds), however, for CachyOS, there is a dedicated tool that includes the cachyos repos & mirrors which should be used instead, being [cachyos-rate-mirrors]
+
+```bash
+paru -S cachyos-rate-mirrors
+sudo systemctl enable --now cachyos-rate-mirrors.timer
+sudo systemctl disable --now reflector.timer
+```
+
+[cachyos-rate-mirrors]: https://github.com/CachyOS/rate-mirrors
+
+## Cachyos settings
+
+Cachyos also provides a `cachyos-settings` package, which contains a set of opinionated settings for various parts of
+the system. These are generally designed primarily to improve performance. Personally, I like to handle these on my
+own, allowing me to customize them a bit easier from within my dotfiles repo, however, if you do wish to use them, you
+can simply do:
+
+```bash
+paru -S cachyos-settings
+```
diff --git a/install_root.sh b/install_root.sh
index 8c93dc3..591c4da 100755
--- a/install_root.sh
+++ b/install_root.sh
@@ -74,7 +74,7 @@ echo " - Symlink /etc/resolv.conf to use systemd-resolved stub (you need to be o
 echo "Optional extra steps:"
 echo " - enable cronie & copy /etc/crontab & anacrontab from dotfiles"
 echo " - install docker and copy /etc/docker"
-echo " - setup MAC address randomization by copying /etc/NetworkManager"
+echo " - setup network manager privacy settings by copying /etc/NetworkManager"
 echo " - setup battery optimizations (follow guide)"
 echo " - setup UKIs -> secure-boot -> systemd initramfs -> tpm unlocking (follow guides)"
diff --git a/root/etc/NetworkManager/conf.d/dhcp-hostname.conf b/root/etc/NetworkManager/conf.d/dhcp-hostname.conf
new file mode 100644
index 0000000..6c6ceed
--- /dev/null
+++ b/root/etc/NetworkManager/conf.d/dhcp-hostname.conf
@@ -0,0 +1,12 @@
+# Do not send the system hostname to DHCP servers.
+#
+# Normally NetworkManager includes the hostname in DHCP requests so the
+# server can label leases or register dynamic DNS entries. Most networks
+# do not rely on this, and disabling it slightly reduces information
+# leaked about the device (especially when MAC randomization is used).
+#
+# Individual connections can override this if needed:
+# nmcli connection modify ipv4.dhcp-send-hostname yes ipv6.dhcp-send-hostname yes
+[connection]
+ipv4.dhcp-send-hostname=false
+ipv6.dhcp-send-hostname=false
diff --git a/root/etc/NetworkManager/conf.d/llmnr-mdns.conf b/root/etc/NetworkManager/conf.d/llmnr-mdns.conf
new file mode 100644
index 0000000..676b15b
--- /dev/null
+++ b/root/etc/NetworkManager/conf.d/llmnr-mdns.conf
@@ -0,0 +1,8 @@
+# Disable link-local name resolution protocols.
+#
+# LLMNR and mDNS allow devices on the same LAN to resolve hostnames
+# without DNS. They are rarely needed on managed networks and can
+# expose system information to the local network.
+[connection]
+connection.llmnr=0
+connection.mdns=0
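Review bot: The `[connection]` defaults on the last three lines of dhcp-hostname.conf only apply to profiles whose property is still at its unset/"default" value, and as far as I know the plain boolean `ipv4.dhcp-send-hostname` (profile default TRUE) is not one of the properties NetworkManager.conf honours as a global default — NetworkManager 1.52 introduced the tri-state `ipv4.dhcp-send-hostname-v2` / `ipv6.dhcp-send-hostname-v2` precisely so a global default could work, so on a current NM the keys should probably read `ipv4.dhcp-send-hostname-v2=false` and `ipv6.dhcp-send-hostname-v2=false`. Please confirm after restarting NetworkManager with `nmcli -f ipv4.dhcp-send-hostname,ipv6.dhcp-send-hostname connection show <name>` and a capture of the next DHCP DISCOVER/REQUEST, since a silently ignored default is worse than none. The header comment also overstates the privacy gain slightly: even with the hostname suppressed, the DHCP client identifier and DHCPv6 DUID still identify the machine across networks unless `ipv4.dhcp-client-id` / `ipv6.dhcp-duid` are set to a per-connection `stable` value, which deserves a sentence next to the MAC-randomization remark. The `nmcli connection modify` example appears to be missing the connection name between `modify` and the property (possibly a `<name>` placeholder lost in rendering).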
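Review bot: `connection.mdns=0` on the last line of llmnr-mdns.conf disables both responding and resolving, so `.local` names (printers, other LAN hosts) stop resolving; if the concern is only what this host advertises, `connection.mdns=1` (resolve-only) keeps lookups working without announcing the hostname or services, and the same `1` value exists for `connection.llmnr`. The header comment should state which of the two behaviours was intended, e.g. `# 0 = fully off; use 1 (resolve-only) if .local lookups are needed without advertising this host`. These keys only shape what NetworkManager pushes to systemd-resolved per link; interfaces NM does not manage (docker/libvirt bridges, systemd-networkd links) keep resolved's own per-link defaults, so also setting `LLMNR=no` and `MulticastDNS=no` in the `resolved.conf` touched by this same change (where both are still the commented-out `yes` defaults) is the belt-and-braces option. An installed avahi-daemon is unaffected by any of this and would keep answering mDNS regardless.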
diff --git a/root/etc/mkinitcpio.conf b/root/etc/mkinitcpio.conf
new file mode 100644
index 0000000..068f7dc
--- /dev/null
+++ b/root/etc/mkinitcpio.conf
@@ -0,0 +1,81 @@
+# vim:set ft=sh
+# MODULES
+# The following modules are loaded before any boot hooks are
+# run. Advanced users may wish to specify all system modules
+# in this array. For instance:
+# MODULES=(usbhid xhci_hcd)
+MODULES=()
+
+# BINARIES
+# This setting includes any additional binaries a given user may
+# wish into the CPIO image. This is run last, so it may be used to
+# override the actual binaries included by a given hook
+# BINARIES are dependency parsed, so you may safely ignore libraries
+BINARIES=()
+
+# FILES
+# This setting is similar to BINARIES above, however, files are added
+# as-is and are not parsed in any way. This is useful for config files.
+FILES=()
+
+# HOOKS
+# This is the most important setting in this file. The HOOKS control the
+# modules and scripts added to the image, and what happens at boot time.
+# Order is important, and it is recommended that you do not change the
+# order in which HOOKS are added. Run 'mkinitcpio -H ' for
+# help on a given hook.
+# 'base' is _required_ unless you know precisely what you are doing.
+# 'udev' is _required_ in order to automatically load modules
+# 'filesystems' is _required_ unless you specify your fs modules in MODULES
+# Examples:
+## This setup specifies all modules in the MODULES setting above.
+## No RAID, lvm2, or encrypted root is needed.
+# HOOKS=(base)
+#
+## This setup will autodetect all modules for your system and should
+## work as a sane default
+# HOOKS=(base udev autodetect microcode modconf block filesystems fsck)
+#
+## This setup will generate a 'full' image which supports most systems.
+## No autodetection is done.
+# HOOKS=(base udev microcode modconf block filesystems fsck)
+#
+## This setup assembles a mdadm array with an encrypted root file system.
+## Note: See 'mkinitcpio -H mdadm_udev' for more information on RAID devices.
+# HOOKS=(base udev microcode modconf keyboard keymap consolefont block mdadm_udev encrypt filesystems fsck)
+#
+## This setup loads an lvm2 volume group.
+# HOOKS=(base udev microcode modconf block lvm2 filesystems fsck)
+#
+## This will create a systemd based initramfs which loads an encrypted root filesystem.
+# HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole sd-encrypt block filesystems fsck)
+#
+## NOTE: If you have /usr on a separate partition, you MUST include the
+# usr and fsck hooks.
+HOOKS=(base systemd plymouth autodetect microcode modconf kms keyboard sd-vconsole numlock sd-encrypt block filesystems fsck)
+
+# COMPRESSION
+# Use this to compress the initramfs image. By default, zstd compression
+# is used for Linux ≥ 5.9 and gzip compression is used for Linux < 5.9.
+# Use 'cat' to create an uncompressed image.
+#COMPRESSION="zstd"
+#COMPRESSION="gzip"
+#COMPRESSION="bzip2"
+#COMPRESSION="lzma"
+#COMPRESSION="xz"
+#COMPRESSION="lzop"
+#COMPRESSION="lz4"
+
+# COMPRESSION_OPTIONS
+# Additional options for the compressor
+#COMPRESSION_OPTIONS=()
+
+# MODULES_DECOMPRESS
+# Decompress loadable kernel modules and their firmware during initramfs
+# creation. Switch (yes/no).
+# Enable to allow further decreasing image size when using high compression
+# (e.g. xz -9e or zstd --long --ultra -22) at the expense of increased RAM usage
+# at early boot.
+# Note that any compressed files will be placed in the uncompressed early CPIO
+# to avoid double compression.
+#MODULES_DECOMPRESS="no"
diff --git a/root/etc/systemd/resolved.conf b/root/etc/systemd/resolved.conf
index be2b2e0..ef71348 100644
--- a/root/etc/systemd/resolved.conf
+++ b/root/etc/systemd/resolved.conf
@@ -31,7 +31,7 @@
 FallbackDNS=9.9.9.9#dns.quad9.net 2620:fe::9#dns.quad9.net 1.1.1.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com
 #Domains=
 #DNSSEC=no
-DNSOverTLS=yes
+DNSOverTLS=opportunistic
 #MulticastDNS=yes
 #LLMNR=yes
 #Cache=yes
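Review bot: The `HOOKS=` line diverges from the systemd/sd-encrypt example directly above it by inserting `plymouth` and `numlock`, but nothing in the file records where those hooks come from; neither appears in any of the template's examples and, as far as I know, `numlock` is shipped by the AUR package `mkinitcpio-numlock` and `plymouth` by the `plymouth` package, so a rebuild on a machine without them errors with "Hook 'numlock' cannot be found" and the TPM/secure-boot chain this repo advertises in install_root.sh never gets a fresh image. A one-line comment above `HOOKS=` would prevent that surprise, e.g. `# extra hooks: plymouth (pkg plymouth), numlock (AUR mkinitcpio-numlock); order follows the systemd+sd-encrypt example above`. The rest of the file is the stock template, which is fine to keep, though the sentence `Run 'mkinitcpio -H ' for` has lost its `<hook name>` placeholder — possibly a rendering artifact rather than a change in the commit.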
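Review bot: `DNSOverTLS=opportunistic` on the added line falls back to cleartext port-53 DNS whenever the TLS attempt fails and, per resolved.conf(5), does not validate the server certificate in this mode, so it only defends against passive observation — an on-path attacker can downgrade it silently, which is a real regression from the strict `yes` being removed. If the motivation is DHCP-supplied resolvers that lack DoT, that trade-off should be recorded next to the line, e.g. `# opportunistic: encrypt when the upstream supports it, otherwise cleartext (downgradeable); 'yes' is strict but breaks DHCP-provided resolvers without DoT`. Note that the `FallbackDNS` entries in the context line already carry `#hostname` SNI suffixes, so those upstreams would keep working under strict mode; an alternative is to keep `yes` and make them the only resolvers (e.g. `DNS=` set to the same list and NetworkManager told to ignore DHCP DNS), accepting captive-portal friction. `DNSSEC` stays at its commented-out `no` default in the context, so nothing compensates for a downgrade with an integrity check either.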