---
keywords:
  - IT
---

# Archlinux

### clean system from old files

```
paccache -r
paccache -ruk0
paccache -rk1
yay -Ycc
flatpak uninstall --unused
journalctl --disk-usage && journalctl --vacuum-size={size}M
```

or make the limit permanent in `/etc/systemd/journald.conf` with this value: `SystemMaxUse=50M`

## archinstall

#### preinstalled software

```
htop vim tmux bash-completion firefox networkmanager git sbctl tpm2-tools base-devel
firefox-i18n-de gparted exfatprogs ntfs-3g udftools usbutils btop powertop wireguard-tools
acpi_call unrar squashfs-tools bluez-tools bluez-utils ddcutil read-edid cups evemu
dconf-editor diffutils libguestfs networkmanager-vpnc pam-u2f go gutenprint p7zip
wayland-utils age solo2 gpa libfido2 solo1 efitools fprintd opensc nitrokey-app rhash
keepassxc wl-clipboard element-desktop signal-desktop syncthing thunderbird
thunderbird-i18n-de libreoffice-fresh libreoffice-fresh-de nextcloud-client chromium
aria2 meld gimp esptool pinta tracker tracker-miner paperwork pdftricks gnome-firmware
dmidecode brasero clinfo opencl-mesa opencl-driver clpeak croc cups-pdf handbrake sdparm
hdparm smartmontools openocd poke remmina gsmartcontrol partclone ipp-usb radare2 cutter
r2ghidra binwalk cabextract hashcat diffpdf ghex flashrom hwinfo i2c-tools nbd virtualbox
bootterm veracrypt youtube-dl brscan5 gst-libav gnome-power-manager acpid
```

### gparted

flash a usb stick with gparted.iso and dd, then boot it.

1. mount the encrypted luks2 container

## customize fresh system

#### change /etc/mkinitcpio.conf

```
MODULES=(btrfs tpm_tis)
HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt filesystems fsck)
```

#### generate linux image

```
sudo vim /etc/mkinitcpio.d/linux
sudo vim /etc/kernel/cmdline
sudo mkinitcpio -p linux
```

- /boot/loader/entries/arch.conf https://wiki.archlinux.org/title/Kernel_parameters#systemd-boot
- unified kernel image https://wiki.archlinux.org/title/Unified_kernel_image
- kernel cmdline
- power state cpu
- WARNING: do not use the PARTUUID in the cmdline. use the UUID of the LUKS container and check it against the output of `blkid`
- root and resume point to the mapper device
- reboot the system to check if anything is broken
- add secureboot https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Implementing_Secure_Boot
- systemd-cryptenroll tpm2
  - WARNING! do not delete keyslot 0 (the passphrase slot)
  - call `systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=yes /dev/nvme0n1p2`
  - add to cmdline `rd.luks.options=tpm2-device=auto,tpm2-pin=yes`
  - regenerate the unified kernel image with `mkinitcpio -p linux`
  - check with `sbctl verify` and resign
  - reboot and pray
- enable pcsc.socket

### uefi update cd

1. download the iso image
2. extract the upgrade image: `geteltorito.pl -o r1qur08w.img r1qur08w.iso`
3. put it on the usb stick: `dd if=r1qur08w.img of=/dev/sda bs=64K`
4. reboot to disable SecureBoot
5. reboot to boot the stick
6. reboot (UEFI), reboot (EC) and reboot (reasons)
7. reboot to activate SecureBoot again

### git

use the credential store https://gist.github.com/maelvls/79d49740ce9208c26d6a1b10b0d95b5e

well, no:

```
yay seahorse libgnome-keyring
git config --global credential.helper /usr/lib/git-core/git-credential-gnome-libsecret
```

### gnome thumbnail raw picture

https://support.system76.com/articles/fix-raw-image-previews/

## failure recovery

1. boot from the archlinux usb stick
2. open the LUKS container: `cryptsetup luksOpen /dev/nvme0n1pX luksDev`
3. create a temporary dir: `mkdir tmpmnt`
4. mount the root subvolume: `mount -o subvol=@ /dev/mapper/luksDev tmpmnt`
5. `arch-chroot tmpmnt bash`
6. `mount /dev/nvme0n1p1 /boot`
7. fix stuff
8. `mkinitcpio -p linux`
9. `sbctl verify; sbctl sign /boot/{things}`
10. sync, unmount /boot and tmpmnt
11. `cryptsetup luksClose luksDev`

### acpi lid behaviour

the lid can cause wakeups or even prevent sleep or hibernate. the setting lives in the acpi subsystem and is reset on every power up, so it has to be reapplied at each boot. the pci devices are unknown, maybe NIC and WLAN wake-on, SLPB should be the power button, RESA unknown. note that `sudo echo LID > /proc/acpi/wakeup` fails because the redirection is done by the unprivileged shell, hence the root shell:

```
cat /proc/acpi/wakeup
Device  S-state   Status   Sysfs node
GPP4      S3    *enabled   pci:0000:00:02.3
RESA      S3    *disabled
GP17      S3    *enabled   pci:0000:00:08.1
XHC0      S3    *enabled   pci:0000:07:00.3
XHC1      S3    *enabled   pci:0000:07:00.4
LID       S4    *enabled   platform:PNP0C0D:00
SLPB      S3    *enabled   platform:PNP0C0E:00
[user@user-think-yoga acpi]$ sudo echo LID > /proc/acpi/wakeup
bash: /proc/acpi/wakeup: Keine Berechtigung
[user@user-think-yoga acpi]$ sudo -i
[root@user-think-yoga ~]# echo LID > /proc/acpi/wakeup
[root@user-think-yoga ~]# cat /proc/acpi/wakeup
Device  S-state   Status   Sysfs node
GPP4      S3    *enabled   pci:0000:00:02.3
RESA      S3    *disabled
GP17      S3    *enabled   pci:0000:00:08.1
XHC0      S3    *enabled   pci:0000:07:00.3
XHC1      S3    *enabled   pci:0000:07:00.4
LID       S4    *disabled  platform:PNP0C0D:00
SLPB      S3    *enabled   platform:PNP0C0E:00
```

make it persistent across boots with `/etc/tmpfiles.d/acpi-lid.conf`:

```
# Path              Mode UID GID Age Argument
w /proc/acpi/wakeup -    -   -   -   LID
```

### usbguard gnome

2022.11.07: currently not working, Gnome is not showing any entry.

`/etc/polkit-1/rules.d/70-allow-usbguard.rules`:

```
// Allow users in wheel group to communicate with USBGuard
polkit.addRule(function(action, subject) {
    if ((action.id == "org.usbguard.Policy1.listRules" ||
         action.id == "org.usbguard.Policy1.appendRule" ||
         action.id == "org.usbguard.Policy1.removeRule" ||
         action.id == "org.usbguard.Devices1.applyDevicePolicy" ||
         action.id == "org.usbguard.Devices1.listDevices" ||
         action.id == "org.usbguard1.getParameter" ||
         action.id == "org.usbguard1.setParameter") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});
```

to activate it for gnome: `$ gsettings set org.gnome.desktop.privacy usb-protection true`

and to harden it further: `$ gsettings set org.gnome.desktop.privacy usb-protection-level always`
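The UUID check that the "customize fresh system" warning asks for (the cmdline must carry the LUKS container UUID, not the partition's PARTUUID), as an added shell example that is not part of these notes. It assumes the sd-encrypt syntax `rd.luks.name=<UUID>=<mapper name>`; the cmdline string and the `blkid` output are constructed samples.

```shell
#!/bin/sh
# Added example: compare the LUKS UUID named in /etc/kernel/cmdline with what blkid reports.
# Both inputs below are constructed samples, not output from a real machine.
SAMPLE_CMDLINE='rd.luks.name=1f9a2b3c-4d5e-6f70-8192-a3b4c5d6e7f8=luksDev rd.luks.options=tpm2-device=auto,tpm2-pin=yes root=/dev/mapper/luksDev resume=/dev/mapper/luksDev rw'
SAMPLE_BLKID='/dev/nvme0n1p1: UUID="1234-ABCD" TYPE="vfat" PARTUUID="aaaaaaaa-0001-0001-0001-000000000001"
/dev/nvme0n1p2: UUID="1f9a2b3c-4d5e-6f70-8192-a3b4c5d6e7f8" TYPE="crypto_LUKS" PARTUUID="aaaaaaaa-0002-0002-0002-000000000002"'

# UUID named in the cmdline: rd.luks.name=<UUID>=<mapper name> (sd-encrypt syntax).
cmdline_luks_uuid() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^rd\.luks\.name=\([^=]*\)=.*/\1/p' | head -n 1
}

# Field ($2 = UUID or PARTUUID) that blkid ($1) reports for the crypto_LUKS partition.
blkid_luks_field() {
    printf '%s\n' "$1" | grep 'TYPE="crypto_LUKS"' | sed -n "s/.*[ ]$2=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Returns 0 when cmdline and blkid agree, 1 when the cmdline carries the PARTUUID,
# 2 on any other mismatch (including a missing rd.luks.name= entry).
check_luks_cmdline() {
    have=$(cmdline_luks_uuid "$1")
    want=$(blkid_luks_field "$2" UUID)
    partuuid=$(blkid_luks_field "$2" PARTUUID)
    if [ -n "$have" ] && [ "$have" = "$partuuid" ]; then
        echo "cmdline names the PARTUUID $have; sd-encrypt needs the LUKS UUID $want" >&2
        return 1
    fi
    if [ -z "$have" ] || [ "$have" != "$want" ]; then
        echo "cmdline UUID '$have' does not match LUKS UUID '$want'" >&2
        return 2
    fi
    echo "cmdline UUID matches LUKS container $want"
    return 0
}

# On a live system run: check_luks_cmdline "$(cat /etc/kernel/cmdline)" "$(blkid)"
check_luks_cmdline "$SAMPLE_CMDLINE" "$SAMPLE_BLKID"
```

Run it before `mkinitcpio -p linux`; a non-zero exit means the unified kernel image would boot with a cmdline that sd-encrypt cannot match to the container.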