gedankensplitter/archlinux.md
2023-06-21 22:00:44 +02:00

---
keywords:
- IT
---
# Archlinux
### clean system from old files
```
paccache -r                 # keep only the last 3 cached versions of each installed package
paccache -ruk0              # drop every cached version of packages that are no longer installed
paccache -rk1               # keep only the most recent cached version of installed packages
yay -Ycc                    # remove unneeded dependencies
flatpak uninstall --unused  # remove flatpak runtimes no installed app still needs
journalctl --disk-usage && journalctl --vacuum-size={size}M   # shrink the journal to {size} MiB
```
or set `SystemMaxUse=50M` in `/etc/systemd/journald.conf` so the journal stays capped permanently
#### update AUR packages after library change
`pacman -Qoq /usr/lib/python3.9` lists every package owning a file under the old library directory; `yay -S ... --answerclean All` rebuilds them against the new one:
`yay -S $(pacman -Qoq /usr/lib/python3.9) --answerclean All`
## archinstall
#### preinstalled software
```
htop vim tmux bash-completion firefox networkmanager git sbctl tpm2-tools base-devel firefox-i18n-de gparted exfatprogs ntfs-3g udftools usbutils btop powertop wireguard-tools acpi_call unrar squashfs-tools bluez-tools bluez-utils ddcutil read-edid cups evemu dconf-editor diffutils libguestfs networkmanager-vpnc pam-u2f go gutenprint p7zip wayland-utils age
solo2 gpa libfido2 solo1 efitools fprintd opensc nitrokey-app rhash
keepassxc wl-clipboard element-desktop signal-desktop syncthing
thunderbird thunderbird-i18n-de libreoffice-fresh libreoffice-fresh-de nextcloud-client chromium aria2 meld gimp esptool pinta tracker tracker-miner paperwork pdftricks
gnome-firmware dmidecode brasero clinfo opencl-mesa opencl-driver clpeak croc cups-pdf handbrake sdparm hdparm smartmontools openocd poke remmina gsmartcontrol partclone ipp-usb
radare2 cutter r2ghidra binwalk cabextract hashcat diffpdf ghex flashrom hwinfo i2c-tool nbd virtualbox bootterm veracrypt youtube-dl
brscan5
gst-libav gnome-power-manager acpid
```
### gparted
flash a usb stick with the gparted iso using dd, then boot from it
1. mount encrypted luks2
## customize fresh system
#### change /etc/mkinitcpio.conf
```
MODULES=(btrfs tpm_tis)
HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt filesystems fsck)
```
#### generate linux image
```
sudo vim /etc/mkinitcpio.d/linux
sudo vim /etc/kernel/cmdline
sudo mkinitcpio -p linux
```
- /boot/loader/entries/arch.conf https://wiki.archlinux.org/title/Kernel_parameters#systemd-boot
- unified kernel image https://wiki.archlinux.org/title/Unified_kernel_image
- kernel cmdline
- power state cpu
- WARNING: do not use the PARTUUID in the cmdline. check with `blkid` that the UUID is the one of the LUKS container
- root and resume are links to the mapper
- reboot the system to check if anything is broken
- add secureboot https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Implementing_Secure_Boot
- systemd-enroll tpm2
- WARNING! do not delete slot0
- call `systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=yes /dev/nvme0n1p2`
- add to cmdline `rd.luks.options=tpm2-device=auto,tpm2-pin=yes`
- regenerate unified kernel image `mkinitcpio -p linux`
- check `sbctl verify` and resign `sbctl sign -s /boot/EFI/....`
- reboot and pray
- enable pcsc.socket
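Before the "regenerate unified kernel image" and "reboot and pray" steps it is worth checking the cmdline mechanically. The following shell function is an added example and not part of the original notes; it assumes the sd-encrypt hook from the mkinitcpio.conf above (root mapping written as `rd.luks.name=<LUKS UUID>=<name>`), and the sample UUID and cmdline are constructed:

```bash
#!/bin/bash
# Added example (not from the original notes): sanity-check the kernel cmdline
# before regenerating the unified kernel image and rebooting. Assumes the
# sd-encrypt hook, whose root mapping syntax is rd.luks.name=<LUKS UUID>=<name>.

# check_cmdline CMDLINE LUKS_UUID
# Returns 0 when CMDLINE contains no PARTUUID reference, names the LUKS
# container by LUKS_UUID via rd.luks.name, points root= at the mapper device,
# and carries the TPM2 unlock options. Prints the first failing rule otherwise.
check_cmdline() {
  local cmdline="$1" luks_uuid="$2"

  # Rule 1: the note warns not to use the PARTUUID in the cmdline.
  case "$cmdline" in
    *PARTUUID=*|*partuuid=*) echo "FAIL: cmdline references a PARTUUID"; return 1 ;;
  esac

  # Rule 2: the UUID must be the LUKS container's own, as printed by
  #   blkid -s UUID -o value /dev/<luks partition>
  case "$cmdline" in
    *"rd.luks.name=$luks_uuid="*) ;;
    *) echo "FAIL: rd.luks.name does not reference LUKS UUID $luks_uuid"; return 1 ;;
  esac

  # Rule 3: root (and resume) are links to the mapper device, not the raw partition.
  case "$cmdline" in
    *root=/dev/mapper/*) ;;
    *) echo "FAIL: root= should point at the /dev/mapper device"; return 1 ;;
  esac

  # Rule 4: TPM2 unlock options, matching what systemd-cryptenroll set up.
  case "$cmdline" in
    *rd.luks.options=*tpm2-device=auto*) ;;
    *) echo "FAIL: rd.luks.options lacks tpm2-device=auto"; return 1 ;;
  esac

  echo "OK: cmdline is consistent"
  return 0
}

# Constructed sample values; the UUID is made up for this example.
SAMPLE_UUID="0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"
SAMPLE_CMDLINE="rd.luks.name=$SAMPLE_UUID=cryptroot rd.luks.options=tpm2-device=auto,tpm2-pin=yes root=/dev/mapper/cryptroot resume=/dev/mapper/cryptroot rw"

# Live use (root is needed for blkid on the LUKS partition):
#   check_cmdline "$(cat /etc/kernel/cmdline)" "$(blkid -s UUID -o value /dev/nvme0n1p2)"
```

Run it against `/etc/kernel/cmdline` right before `mkinitcpio -p linux`; a failing rule is much cheaper to find here than from the initramfs emergency shell after the reboot.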
### uefi update cd
1. download iso image
2. extract the upgrade image `geteltorito.pl -o r1qur08w.img r1qur08w.iso`
3. put it on the usb stick `dd if=r1qur08w.img of=/dev/sda bs=64K`
4. reboot to disable SecureBoot
5. reboot to boot
6. reboot (UEFI), reboot (EC) and reboot (reasons)
7. reboot to activate SecureBoot again
### git use credential store
https://gist.github.com/maelvls/79d49740ce9208c26d6a1b10b0d95b5e
well, no:
```
yay seahorse libgnome-keyring
git config --global credential.helper /usr/lib/git-core/git-credential-gnome-libsecret
```
### gnome thumbnail raw picture
https://support.system76.com/articles/fix-raw-image-previews/
## failure recovery
1. boot from archlinux usb stick
2. mount LUKS Container `cryptsetup luksOpen /dev/nvme0n1pX luksDev`
3. temporary dir `mkdir tmpmnt`
4. mount `mount -o subvol=@ /dev/mapper/luksDev tmpmnt`
5. `arch-chroot tmpmnt bash`
6. `mount /dev/nvme0n1p1 /boot`
7. fix stuff
8. `mkinitcpio -p linux`
9. `sbctl verify; sbctl sign /boot/{things}`
10. sync, unmount boot and tmpmnt
11. `cryptsetup luksClose luksDev`
### acpi lid behaviour
the lid can cause wakeups or even prevent sleep or hibernate. this is controlled through the acpi subsystem and has to be redone on each power up.
the pci devices are unknown (maybe NIC and WLAN wake-on), SLPB should be the sleep button, RESA
```
cat /proc/acpi/wakeup
Device S-state Status Sysfs node
GPP4 S3 *enabled pci:0000:00:02.3
RESA S3 *disabled
GP17 S3 *enabled pci:0000:00:08.1
XHC0 S3 *enabled pci:0000:07:00.3
XHC1 S3 *enabled pci:0000:07:00.4
LID S4 *enabled platform:PNP0C0D:00
SLPB S3 *enabled platform:PNP0C0E:00
[user@user-think-yoga acpi]$ sudo echo LID > /proc/acpi/wakeup
bash: /proc/acpi/wakeup: Keine Berechtigung
[user@user-think-yoga acpi]$ sudo -i
[root@user-think-yoga ~]# echo LID > /proc/acpi/wakeup
[root@user-think-yoga ~]# cat /proc/acpi/wakeup
Device S-state Status Sysfs node
GPP4 S3 *enabled pci:0000:00:02.3
RESA S3 *disabled
GP17 S3 *enabled pci:0000:00:08.1
XHC0 S3 *enabled pci:0000:07:00.3
XHC1 S3 *enabled pci:0000:07:00.4
LID S4 *disabled platform:PNP0C0D:00
SLPB S3 *enabled platform:PNP0C0E:00
cat /etc/tmpfiles.d/acpi-lid.conf
# Path Mode UID GID Age Argument
w /proc/acpi/wakeup - - - - LID
```
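Since the toggle has to happen on every boot, it is useful to verify after booting that the tmpfiles.d line actually did its job. The following is an added example, not from the original notes; the wakeup table in it is a constructed sample copied from the output above rather than read from `/proc/acpi/wakeup`:

```bash
#!/bin/bash
# Added example, not part of the original notes: parse the /proc/acpi/wakeup
# table to see which devices are still armed as wakeup sources, so the
# tmpfiles.d toggle can be verified after every boot.

# Constructed sample, copied from the table shown above (not read from the system).
SAMPLE_WAKEUP='Device   S-state   Status   Sysfs node
GPP4     S3        *enabled   pci:0000:00:02.3
RESA     S3        *disabled
LID      S4        *disabled  platform:PNP0C0D:00
SLPB     S3        *enabled   platform:PNP0C0E:00'

# enabled_wakeup_devices TABLE: print the names of devices whose Status is *enabled.
enabled_wakeup_devices() {
  printf '%s\n' "$1" | awk 'NR > 1 && $3 == "*enabled" { print $1 }'
}

# wakeup_disabled TABLE DEVICE: succeed when DEVICE is not an enabled wakeup source.
wakeup_disabled() {
  ! enabled_wakeup_devices "$1" | grep -qx "$2"
}

# tmpfiles_toggle_line DEVICE: the /etc/tmpfiles.d line that writes DEVICE into
# /proc/acpi/wakeup at boot. Writing a name toggles that device, so only add it
# for a device that comes up *enabled after a cold boot.
tmpfiles_toggle_line() {
  printf 'w /proc/acpi/wakeup - - - - %s\n' "$1"
}

# Live use, after boot:
#   wakeup_disabled "$(cat /proc/acpi/wakeup)" LID && echo "LID wakeup is off"
```

The toggle semantics are the caveat: the tmpfiles line does not set LID to disabled, it flips whatever state the firmware left it in. If a firmware update changes the default, the same line will re-arm the lid, which is exactly what the post-boot check above catches.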
### usbguard gnome
2022.11.07: currently not working, gnome not showing any entry
`/etc/polkit-1/rules.d/70-allow-usbguard.rules`:
```
// Allow users in wheel group to communicate with USBGuard
polkit.addRule(function(action, subject) {
    if ((action.id == "org.usbguard.Policy1.listRules" ||
         action.id == "org.usbguard.Policy1.appendRule" ||
         action.id == "org.usbguard.Policy1.removeRule" ||
         action.id == "org.usbguard.Devices1.applyDevicePolicy" ||
         action.id == "org.usbguard.Devices1.listDevices" ||
         action.id == "org.usbguard1.getParameter" ||
         action.id == "org.usbguard1.setParameter") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});
```
to activate it for gnome:
`$ gsettings set org.gnome.desktop.privacy usb-protection true`
and to harden it further:
`$ gsettings set org.gnome.desktop.privacy usb-protection-level always`