Update note about /etc/NetworkManager

guides/9_CACHYOS.md

@@ -0,0 +1,52 @@
+# CachyOS
+
+This guide will walk you through converting your existing Arch Linux installation into a CachyOS installation / installation using the CachyOS optimzied repos.
+
+## Why
+
+TODO
+
+## Installation
+
+The installation process is fairly straight forward, as CachyOS provides a script to automatically handle configuring
+pacman for you to work with the CachyOS repos. All you need to do is:
+
+```bash
+curl https://mirror.cachyos.org/cachyos-repo.tar.xz -o cachyos-repo.tar.xz
+tar xvf cachyos-repo.tar.xz && cd cachyos-repo
+sudo ./cachyos-repo.sh
+```
+
+Source: <https://wiki.cachyos.org/features/optimized_repos/#adding-our-repositories-to-an-existing-arch-linux-install>
+
+## Moving to an optimzied kernel
+
+Most people decide to use CachyOS mainly to benefit from the optimized kernel packages, as that is generally the most
+performance critical part of your system. Even though the CachyOS repos also bring a bunch of other optimized packages,
+which definitely contribute to performance improvements too, switching the generic kernel for an optimized one is
+usually going to be the most impactful.
+
+TODO
+
+## Automatic mirror ranking
+
+For most Arch installation, `reflector` is used for handling optimizing the mirror order (to improve pacman download speeds), however, for CachyOS, there is a dedicated tool that includes the cachyos repos & mirrors which should be used instead, being [cachyos-rate-mirrors]
+
+```bash
+paru -S cachyos-rate-mirrors
+sudo systemctl enable --now cachyos-rate-mirrors.timer
+sudo systemctl disable --now reflector.timer
+```
+
+[cachyos-rate-mirrors]: https://github.com/CachyOS/rate-mirrors
+
+## Cachyos settings
+
+Cachyos also provides a `cachyos-settings` package, which contains a set of opinionated settings for various parts of
+the system. These are generally designed primarily to improve performance. Personally, I like to handle these on my
+own, allowing me to customize them a bit easier from within my dotfiles repo, however, if you do wish to use them, you
+can simply do:
+
+```bash
+paru -S cachyos-settings
+```

install_root.sh

@@ -74,7 +74,7 @@ echo " - Symlink /etc/resolv.conf to use systemd-resolved stub (you need to be o
 echo "Optional extra steps:"
 echo " - enable cronie & copy /etc/crontab & anacrontab from dotfiles"
 echo " - install docker and copy /etc/docker"
-echo " - setup MAC address randomization by copying /etc/NetworkManager"
+echo " - setup network manager privacy settings by copying /etc/NetworkManager"
 echo " - setup battery optimizations (follow guide)"
 echo " - setup UKIs -> secure-boot -> systemd initramfs -> tpm unlocking (follow guides)"
 

root/etc/NetworkManager/conf.d/dhcp-hostname.conf

@@ -0,0 +1,12 @@
+# Do not send the system hostname to DHCP servers.
+#
+# Normally NetworkManager includes the hostname in DHCP requests so the
+# server can label leases or register dynamic DNS entries. Most networks
+# do not rely on this, and disabling it slightly reduces information
+# leaked about the device (especially when MAC randomization is used).
+#
+# Individual connections can override this if needed:
+#   nmcli connection modify <connection> ipv4.dhcp-send-hostname yes ipv6.dhcp-send-hostname yes
+[connection]
+ipv4.dhcp-send-hostname=false
+ipv6.dhcp-send-hostname=false

root/etc/NetworkManager/conf.d/llmnr-mdns.conf

@@ -0,0 +1,8 @@
+# Disable link-local name resolution protocols.
+#
+# LLMNR and mDNS allow devices on the same LAN to resolve hostnames
+# without DNS. They are rarely needed on managed networks and can
+# expose system information to the local network.
+[connection]
+connection.llmnr=0
+connection.mdns=0

root/etc/mkinitcpio.conf

@@ -0,0 +1,81 @@
+# vim:set ft=sh
+# MODULES
+# The following modules are loaded before any boot hooks are
+# run.  Advanced users may wish to specify all system modules
+# in this array.  For instance:
+#     MODULES=(usbhid xhci_hcd)
+MODULES=()
+
+# BINARIES
+# This setting includes any additional binaries a given user may
+# wish into the CPIO image.  This is run last, so it may be used to
+# override the actual binaries included by a given hook
+# BINARIES are dependency parsed, so you may safely ignore libraries
+BINARIES=()
+
+# FILES
+# This setting is similar to BINARIES above, however, files are added
+# as-is and are not parsed in any way.  This is useful for config files.
+FILES=()
+
+# HOOKS
+# This is the most important setting in this file.  The HOOKS control the
+# modules and scripts added to the image, and what happens at boot time.
+# Order is important, and it is recommended that you do not change the
+# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
+# help on a given hook.
+# 'base' is _required_ unless you know precisely what you are doing.
+# 'udev' is _required_ in order to automatically load modules
+# 'filesystems' is _required_ unless you specify your fs modules in MODULES
+# Examples:
+##   This setup specifies all modules in the MODULES setting above.
+##   No RAID, lvm2, or encrypted root is needed.
+#    HOOKS=(base)
+#
+##   This setup will autodetect all modules for your system and should
+##   work as a sane default
+#    HOOKS=(base udev autodetect microcode modconf block filesystems fsck)
+#
+##   This setup will generate a 'full' image which supports most systems.
+##   No autodetection is done.
+#    HOOKS=(base udev microcode modconf block filesystems fsck)
+#
+##   This setup assembles a mdadm array with an encrypted root file system.
+##   Note: See 'mkinitcpio -H mdadm_udev' for more information on RAID devices.
+#    HOOKS=(base udev microcode modconf keyboard keymap consolefont block mdadm_udev encrypt filesystems fsck)
+#
+##   This setup loads an lvm2 volume group.
+#    HOOKS=(base udev microcode modconf block lvm2 filesystems fsck)
+#
+##   This will create a systemd based initramfs which loads an encrypted root filesystem.
+#    HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole sd-encrypt block filesystems fsck)
+#
+##   NOTE: If you have /usr on a separate partition, you MUST include the
+#    usr and fsck hooks.
+HOOKS=(base systemd plymouth autodetect microcode modconf kms keyboard sd-vconsole numlock sd-encrypt block filesystems fsck)
+
+# COMPRESSION
+# Use this to compress the initramfs image. By default, zstd compression
+# is used for Linux ≥ 5.9 and gzip compression is used for Linux < 5.9.
+# Use 'cat' to create an uncompressed image.
+#COMPRESSION="zstd"
+#COMPRESSION="gzip"
+#COMPRESSION="bzip2"
+#COMPRESSION="lzma"
+#COMPRESSION="xz"
+#COMPRESSION="lzop"
+#COMPRESSION="lz4"
+
+# COMPRESSION_OPTIONS
+# Additional options for the compressor
+#COMPRESSION_OPTIONS=()
+
+# MODULES_DECOMPRESS
+# Decompress loadable kernel modules and their firmware during initramfs
+# creation. Switch (yes/no).
+# Enable to allow further decreasing image size when using high compression
+# (e.g. xz -9e or zstd --long --ultra -22) at the expense of increased RAM usage
+# at early boot.
+# Note that any compressed files will be placed in the uncompressed early CPIO
+# to avoid double compression.
+#MODULES_DECOMPRESS="no"

root/etc/systemd/resolved.conf

@@ -31,7 +31,7 @@
 FallbackDNS=9.9.9.9#dns.quad9.net 2620:fe::9#dns.quad9.net 1.1.1.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com
 #Domains=
 #DNSSEC=no
-DNSOverTLS=yes
+DNSOverTLS=opportunistic
 #MulticastDNS=yes
 #LLMNR=yes
 #Cache=yes