2022-02-01 20:34:39 +00:00
---
keywords:
- IT
---

# Archlinux
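
### clean system from old files

```
# remove cached packages, keeping the 3 most recent versions (default)
paccache -r
# remove all cached versions of uninstalled packages
paccache -ruk0
# keep only the most recent cached version
paccache -rk1

# yay: remove unneeded dependencies
yay -Ycc
# remove unused flatpak runtimes
flatpak uninstall --unused
# show the journal size, then shrink it to {size} MB
journalctl --disk-usage && journalctl --vacuum-size={size}M
```

or edit `/etc/systemd/journald.conf` and set this value: `SystemMaxUse=50M`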

## archinstall

#### preinstalled software

```
htop vim tmux bash-completion firefox networkmanager git sbctl tpm2-tools base-devel firefox-i18n-de gparted exfatprogs ntfs-3g udftools usbutils btop powertop wireguard-tools acpi_call unrar squashfs-tools bluez-tools bluez-utils ddcutil read-edid cups evemu dconf-editor diffutils libguestfs networkmanager-vpnc pam-u2f go gutenprint p7zip wayland-utils age

solo2 gpa libfido2 solo1 efitools fprintd opensc nitrokey-app rhash

keepassxc wl-clipboard element-desktop signal-desktop syncthing
thunderbird thunderbird-i18n-de libreoffice-fresh libreoffice-fresh-de nextcloud-client chromium aria2 meld gimp esptool pinta tracker tracker-miner paperwork pdftricks
gnome-firmware dmidecode brasero clinfo opencl-mesa opencl-driver clpeak croc cups-pdf handbrake sdparm hdparm smartmontools openocd poke remmina gsmartcontrol partclone ipp-usb
radare2 cutter r2ghidra binwalk cabextract hashcat diffpdf ghex flashrom hwinfo i2c-tools nbd virtualbox bootterm veracrypt youtube-dl

brscan5

gst-libav gnome-power-manager acpid
```

### gparted

flash a usb stick with gparted.iso using `dd`, then boot it

1. mount encrypted luks2

## customize fresh system

#### change /etc/mkinitcpio.conf

```
MODULES=(btrfs tpm_tis)
HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt filesystems fsck)
```

#### generate linux image

```
# preset for the linux kernel
sudo vim /etc/mkinitcpio.d/linux.preset
# kernel parameters
sudo vim /etc/kernel/cmdline
# rebuild the image for the linux preset
sudo mkinitcpio -p linux
```

- `/boot/loader/entries/arch.conf` https://wiki.archlinux.org/title/Kernel_parameters#systemd-boot
- unified kernel image https://wiki.archlinux.org/title/Unified_kernel_image
- kernel cmdline
- power state cpu
- WARNING: do not use the PARTUUID in the cmdline. check that the UUID matches the LUKS container with `blkid`
- root and resume are links to the mapper
- reboot the system to check if anything is broken
- add secureboot https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Implementing_Secure_Boot
- systemd-cryptenroll tpm2
- WARNING! do not delete slot 0
- call `systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=yes /dev/nvme0n1p2`
- add to cmdline `rd.luks.options=tpm2-device=auto,tpm2-pin=yes`
- regenerate unified kernel image `mkinitcpio -p linux`
- check `sbctl verify` and re-sign
- reboot and pray
- enable `pcscd.socket`
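
The UUID warning in the list above can be checked before rebooting. This is an added example, not part of the original notes: it compares a kernel cmdline with `blkid` output and flags a PARTUUID in `rd.luks.name=`/`rd.luks.uuid=` or a `root=`/`resume=` that is not a `/dev/mapper` path. The use of `rd.luks.name=`, the device names and all UUIDs are constructed assumptions.

```sh
#!/bin/sh
# Added example: validate a kernel cmdline against blkid output.
# All device names and UUIDs below are constructed sample values.
SAMPLE_BLKID='/dev/nvme0n1p1: UUID="AAAA-BBBB" TYPE="vfat" PARTUUID="11111111-1111-4111-8111-111111111111"
/dev/nvme0n1p2: UUID="22222222-2222-4222-8222-222222222222" TYPE="crypto_LUKS" PARTUUID="33333333-3333-4333-8333-333333333333"'
GOOD_CMDLINE='rd.luks.name=22222222-2222-4222-8222-222222222222=root root=/dev/mapper/root resume=/dev/mapper/root rw'
BAD_CMDLINE='rd.luks.name=33333333-3333-4333-8333-333333333333=root root=/dev/nvme0n1p2 rw'

# check_cmdline CMDLINE BLKID_OUTPUT
# Prints one finding per line; returns 0 when nothing is wrong, 1 otherwise.
check_cmdline() {
    cmdline=$1 blkid_out=$2 rc=0
    # UUIDs of LUKS containers (" UUID=" does not match PARTUUID=) and all PARTUUIDs
    luks_uuids=$(printf '%s\n' "$blkid_out" | grep 'TYPE="crypto_LUKS"' |
        sed -n 's/.* UUID="\([^"]*\)".*/\1/p')
    partuuids=$(printf '%s\n' "$blkid_out" |
        sed -n 's/.*PARTUUID="\([^"]*\)".*/\1/p')
    for arg in $cmdline; do
        case $arg in
        rd.luks.name=*|rd.luks.uuid=*)
            uuid=${arg#*=}      # drop the key
            uuid=${uuid%%=*}    # drop the "=name" part of rd.luks.name
            if printf '%s\n' "$luks_uuids" | grep -qxF -- "$uuid"; then
                :   # matches a LUKS container
            elif printf '%s\n' "$partuuids" | grep -qxF -- "$uuid"; then
                echo "PARTUUID in $arg: use the LUKS UUID from blkid"; rc=1
            else
                echo "no crypto_LUKS device has UUID $uuid"; rc=1
            fi ;;
        root=*|resume=*)
            case ${arg#*=} in
            /dev/mapper/*) ;;
            *) echo "${arg%%=*} is not a /dev/mapper path: $arg"; rc=1 ;;
            esac ;;
        esac
    done
    return $rc
}

# On a real system: check_cmdline "$(cat /etc/kernel/cmdline)" "$(blkid)"
check_cmdline "$BAD_CMDLINE" "$SAMPLE_BLKID" || true
```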

### uefi update cd

1. download iso image
2. extract the upgrade image `geteltorito.pl -o r1qur08w.img r1qur08w.iso`
3. put it on the usb stick `dd if=r1qur08w.img of=/dev/sda bs=64K`
4. reboot to disable SecureBoot
5. reboot to boot
6. reboot (UEFI), reboot (EC) and reboot (reasons)
7. reboot to activate SecureBoot again

### git use credential store

https://gist.github.com/maelvls/79d49740ce9208c26d6a1b10b0d95b5e

well, no:

```
yay seahorse libgnome-keyring
git config --global credential.helper /usr/lib/git-core/git-credential-gnome-libsecret
```

### gnome thumbnail raw picture

https://support.system76.com/articles/fix-raw-image-previews/

## failure recovery

1. boot from archlinux usb stick
2. open the LUKS container `cryptsetup luksOpen /dev/nvme0n1pX luksDev`
3. temporary dir `mkdir tmp`
4. mount `mount -o subvol=@ /dev/mapper/luksDev tmp`
5. `arch-chroot tmp bash`
6. `mount /dev/nvme0n1p1 /boot`
7. fix stuff
8. `mkinitcpio -p linux`
9. `sbctl verify; sbctl sign /boot/{things}`
10. sync, unmount boot and tmp
11. `cryptsetup luksClose luksDev`

### acpi lid behaviour

the lid can cause wakeups or even prevent sleep or hibernate. this is controlled through the acpi subsystem and needs to be fixed on each power up.

the pci devices are unknown, maybe NIC and WLAN wake on, SLPB should be the button, RESA

`sudo echo LID > /proc/acpi/wakeup` fails because the redirect is opened by the unprivileged shell, not by sudo, so the write is done from a root shell.

```
cat /proc/acpi/wakeup
Device  S-state   Status   Sysfs node
GPP4      S3    *enabled   pci:0000:00:02.3
RESA      S3    *disabled
GP17      S3    *enabled   pci:0000:00:08.1
XHC0      S3    *enabled   pci:0000:07:00.3
XHC1      S3    *enabled   pci:0000:07:00.4
LID       S4    *enabled   platform:PNP0C0D:00
SLPB      S3    *enabled   platform:PNP0C0E:00
[user@user-think-yoga acpi]$ sudo echo LID > /proc/acpi/wakeup
bash: /proc/acpi/wakeup: Keine Berechtigung
[user@user-think-yoga acpi]$ sudo -i
[root@user-think-yoga ~]# echo LID > /proc/acpi/wakeup
[root@user-think-yoga ~]# cat /proc/acpi/wakeup
Device  S-state   Status   Sysfs node
GPP4      S3    *enabled   pci:0000:00:02.3
RESA      S3    *disabled
GP17      S3    *enabled   pci:0000:00:08.1
XHC0      S3    *enabled   pci:0000:07:00.3
XHC1      S3    *enabled   pci:0000:07:00.4
LID       S4    *disabled  platform:PNP0C0D:00
SLPB      S3    *enabled   platform:PNP0C0E:00
cat /etc/tmpfiles.d/acpi-lid.conf
# Path Mode UID GID Age Argument
w /proc/acpi/wakeup - - - - LID
```
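
Writing a device name to `/proc/acpi/wakeup` toggles its state, as the session above shows for `LID`, so a second unconditional write would enable it again. This is an added example, not part of the original notes: it parses the table and writes only the devices that are still enabled. The function names and the sample table are constructed.

```sh
#!/bin/sh
# Added example: disable ACPI wakeup sources without toggling them back on.
# Constructed sample in the format of /proc/acpi/wakeup.
SAMPLE_WAKEUP='Device  S-state   Status   Sysfs node
GPP4      S3    *enabled   pci:0000:00:02.3
RESA      S3    *disabled
LID       S4    *enabled   platform:PNP0C0D:00
SLPB      S3    *enabled   platform:PNP0C0E:00'

# wakeup_status TABLE DEVICE
# Prints "enabled", "disabled" or "unknown" (device not listed).
wakeup_status() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 == dev { sub(/^\*/, "", $3); print $3; found = 1 }
        END { if (!found) print "unknown" }'
}

# devices_to_toggle TABLE DEVICE...
# Prints only those devices whose wakeup is still enabled.
devices_to_toggle() {
    table=$1; shift
    for dev in "$@"; do
        [ "$(wakeup_status "$table" "$dev")" = enabled ] && printf '%s\n' "$dev"
    done
    return 0
}

# disable_wakeup DEVICE...
# Run as root: each write toggles, so only enabled devices are written.
disable_wakeup() {
    for dev in $(devices_to_toggle "$(cat /proc/acpi/wakeup)" "$@"); do
        printf '%s\n' "$dev" > /proc/acpi/wakeup
    done
}

# Demo on the sample table: RESA is already disabled and is skipped.
devices_to_toggle "$SAMPLE_WAKEUP" LID RESA SLPB
```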

### usbguard gnome

2022.11.07: currently not working. Gnome not showing any entry

```
/etc/polkit-1/rules.d/70-allow-usbguard.rules

// Allow users in wheel group to communicate with USBGuard
polkit.addRule(function(action, subject) {
    if ((action.id == "org.usbguard.Policy1.listRules" ||
         action.id == "org.usbguard.Policy1.appendRule" ||
         action.id == "org.usbguard.Policy1.removeRule" ||
         action.id == "org.usbguard.Devices1.applyDevicePolicy" ||
         action.id == "org.usbguard.Devices1.listDevices" ||
         action.id == "org.usbguard1.getParameter" ||
         action.id == "org.usbguard1.setParameter") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});
```

to activate it for gnome:

`$ gsettings set org.gnome.desktop.privacy usb-protection true`

and to harden it further:

`$ gsettings set org.gnome.desktop.privacy usb-protection-level always`