From 39633f53033bfbd8b6abfc01089115640ad6d502 Mon Sep 17 00:00:00 2001 
From: Tobias Strobel Date: Sun, 25 Sep 2022 20:01:11 +0200 Subject: [PATCH] Update new setup --- .chezmoiignore | 2 +- bootstrap-from-iso.sh | 195 ++++++ dot_config/sway/config | 241 -------- dot_config/systemd/user/sway-session.target | 6 - dot_config/wldash/config.yaml | 48 -- etc/{bluetooth/main.conf => bluetooth.conf} | 0 etc/dracut-sbctl.conf | 5 + etc/dracut.conf | 19 + etc/faillock.conf | 8 + etc/gdm-profile | 3 + etc/iwd/main.conf | 5 - etc/kernel/cmdline | 1 - etc/loader.conf | 7 + etc/mkinitcpio.conf | 4 - etc/modprobe.conf | 9 + etc/modprobe.d/i915.conf | 1 - etc/networkmanager-mdns.conf | 7 + etc/pacman/00-global-options.conf | 4 + etc/pacman/50-core-repositories.conf | 27 + etc/pacman/55-multilib-repository.conf | 8 + etc/pacman/60-aurutils-repository.conf | 4 + etc/pacman/99-options.conf | 2 + etc/pacman/pacman.conf | 69 +++ etc/reflector.conf | 5 + etc/snap-pac.ini | 46 -- .../configs/root => snapper-root.conf} | 0 etc/sudoers.d/10-defaults | 35 ++ etc/sudoers.d/50-aurutils | 2 + etc/sudoers.d/{override => 50-wheel} | 0 etc/sysctl.conf | 58 ++ etc/sysctl.d/20-quiet-printk.conf | 1 - etc/systemd/network/20-wired.network | 13 - etc/systemd/network/25-wireless.network | 13 - etc/systemd/oomd.conf | 3 + etc/systemd/resolved.conf | 6 + etc/systemd/root-slice-oomd.conf | 13 + etc/systemd/system.conf | 7 + .../system/getty@tty1.service.d/override.conf | 3 - etc/systemd/timesyncd.conf | 3 + etc/systemd/user-service-oomd.conf | 17 + etc/systemd/zram-generator.conf | 1 + install.sh | 577 +++++++++++++----- private_dot_gnupg/gpg-agent.conf | 2 +- private_dot_local/bin/executable_cglaunch | 24 - .../chezmoi/executable_setup-system.sh | 206 ------- run_once_setup-gpg.sh | 15 + run_once_setup-user.sh | 223 ------- setup-system.sh | 206 ------- 48 files changed, 944 insertions(+), 1210 deletions(-) create mode 100644 bootstrap-from-iso.sh delete mode 100644 dot_config/sway/config delete mode 100644 dot_config/systemd/user/sway-session.target delete mode 100644 
dot_config/wldash/config.yaml rename etc/{bluetooth/main.conf => bluetooth.conf} (100%) create mode 100644 etc/dracut-sbctl.conf create mode 100644 etc/dracut.conf create mode 100644 etc/faillock.conf create mode 100644 etc/gdm-profile delete mode 100644 etc/iwd/main.conf delete mode 100644 etc/kernel/cmdline create mode 100644 etc/loader.conf delete mode 100644 etc/mkinitcpio.conf create mode 100644 etc/modprobe.conf delete mode 100644 etc/modprobe.d/i915.conf create mode 100644 etc/networkmanager-mdns.conf create mode 100644 etc/pacman/00-global-options.conf create mode 100644 etc/pacman/50-core-repositories.conf create mode 100644 etc/pacman/55-multilib-repository.conf create mode 100644 etc/pacman/60-aurutils-repository.conf create mode 100644 etc/pacman/99-options.conf create mode 100644 etc/pacman/pacman.conf create mode 100644 etc/reflector.conf delete mode 100644 etc/snap-pac.ini rename etc/{snapper/configs/root => snapper-root.conf} (100%) create mode 100644 etc/sudoers.d/10-defaults create mode 100644 etc/sudoers.d/50-aurutils rename etc/sudoers.d/{override => 50-wheel} (100%) create mode 100644 etc/sysctl.conf delete mode 100644 etc/sysctl.d/20-quiet-printk.conf delete mode 100644 etc/systemd/network/20-wired.network delete mode 100644 etc/systemd/network/25-wireless.network create mode 100644 etc/systemd/oomd.conf create mode 100644 etc/systemd/resolved.conf create mode 100644 etc/systemd/root-slice-oomd.conf create mode 100644 etc/systemd/system.conf delete mode 100644 etc/systemd/system/getty@tty1.service.d/override.conf create mode 100644 etc/systemd/timesyncd.conf create mode 100644 etc/systemd/user-service-oomd.conf create mode 100644 etc/systemd/zram-generator.conf mode change 100644 => 100755 install.sh delete mode 100644 private_dot_local/bin/executable_cglaunch delete mode 100644 private_dot_local/private_share/chezmoi/executable_setup-system.sh create mode 100644 run_once_setup-gpg.sh delete mode 100755 run_once_setup-user.sh delete mode 
100755 setup-system.sh
diff --git a/.chezmoiignore b/.chezmoiignore
index 239f04d..97d5072 100644
--- a/.chezmoiignore
+++ b/.chezmoiignore
@@ -1,4 +1,4 @@
 # Do not apply the following files
 etc/
 install.sh
-setup-system.sh
+bootstrap-from-iso.sh
diff --git a/bootstrap-from-iso.sh b/bootstrap-from-iso.sh
new file mode 100644
index 0000000..0c221a4
--- /dev/null
+++ b/bootstrap-from-iso.sh
@@ -0,0 +1,195 @@
+#!/usr/bin/env bash
+#
+# Bootstrap a new Arch system from an installation ISO.
+#
+# Bootable USB:
+# - [Download](https://archlinux.org/download/) ISO and GPG files
+# - Verify the ISO file: `$ pacman-key -v archlinux--x86_64.iso.sig`
+# - Create a bootable USB with: `# dd if=archlinux*.iso of=/dev/sdX && sync`
+#
+# UEFI setup:
+#
+# - Set boot mode to UEFI, disable Legacy mode entirely.
+# - Temporarily disable Secure Boot.
+# - Make sure a strong UEFI administrator password is set.
+# - Delete preloaded OEM keys for Secure Boot, allow custom ones.
+#
+# Run installation:
+#
+# - Connect to wifi via: `# iwctl station wlan0 connect $SSID`
+# - Run: `# bash <(curl -sL https://link.rafe.li/dot)`
+#
+
+set -uo pipefail
+trap 's=$?; echo "$0: Error on line "$LINENO": $BASH_COMMAND"; exit $s' ERR
+
+args=()
+target_device=""
+new_hostname=""
+
+while [[ $# -gt 0 ]]
+do
+ arg="$1"
+
+ case "$arg" in
+ "--device")
+ target_device="$2"
+ shift
+ shift
+ ;;
+ "--hostname")
+ new_hostname="$2"
+ shift
+ shift
+ ;;
+ *)
+ args+=("$arg")
+ shift;
+ esac
+done
+
+if [[ -z "$target_device" ]]; then
+ echo "Missing --device argument" >&2
+ exit 2;
+fi
+
+if [[ -z "$new_hostname" ]]; then
+ echo "Missing --hostname argument" >&2
+ exit 2;
+fi
+
+if [[ "${#args[@]}" -ne 0 ]]; then
+ echo "Unexpected extra arguments: ${args[*]}" >&2
+ exit 2
+fi
+
+if [ ! -f /sys/firmware/efi/fw_platform_size ]; then
+ echo >&2 "You must boot in UEFI mode to continue"
+ exit 2
+fi
+
+if [[ "$UID" -ne 0 ]]; then
+ echo "This script needs to be run as root!" >&2
+ exit 3
+fi
+
+read -rp "THIS SCRIPT WILL OVERWRITE ALL CONTENTS OF ${target_device}. 
Type uppercase yes to continue: " confirmed
+
+if [[ "$confirmed" != "YES" ]]; then
+ echo "aborted" >&2
+ exit 128
+fi
+
+timedatectl set-ntp true
+hwclock --systohc --utc
+loadkeys de-latin1
+
+# Partition
+sgdisk --zap-all "${target_device}"
+sgdisk --clear \
+ --new 1:0:+550MiB --typecode 1:ef00 --change-name 1:EFI \
+ --new 2:0:+8GiB --typecode 2:8200 --change-name 2:swap \
+ --new 3 --typecode 3:8304 --change-name 3:system \
+ "${target_device}"
+
+# Reload partition table
+sleep 5
+partprobe -s "${target_device}"
+sleep 3
+
+# Encrypt root
+echo -n "password" | cryptsetup luksFormat --type luks2 --pbkdf argon2id "/dev/disk/by-partlabel/system"
+echo -n "password" | cryptsetup luksOpen --allow-discards --persistent "/dev/disk/by-partlabel/system" system
+
+# Create file systems
+mkfs.fat -F 32 -n "EFI" /dev/disk/by-partlabel/EFI
+mkfs.btrfs --force --label system /dev/mapper/system
+
+# Mount system subvolume and create additional subvolumes
+o=defaults,x-mount.mkdir
+o_btrfs=$o,compress=zstd,ssd,noatime
+
+mount -t btrfs LABEL=system /mnt
+btrfs subvolume create /mnt/@ # /
+btrfs subvolume create /mnt/@home # /home
+btrfs subvolume create /mnt/@snapshots # /.snapshots
+btrfs subvolume create /mnt/@pkg # /var/cache/pacman/pkg
+btrfs subvolume create /mnt/@aurbuild # /var/lib/aurbuild
+btrfs subvolume create /mnt/@archbuild # /var/lib/archbuild
+btrfs subvolume create /mnt/@log # /var/log
+btrfs subvolume create /mnt/@tmp # /var/tmp
+
+umount -R /mnt
+mount -t btrfs -o subvol=@,$o_btrfs LABEL=system /mnt
+mount -t btrfs -o subvol=@home,$o_btrfs,nodatacow LABEL=system /mnt/home
+mount -t btrfs -o subvol=@snapshots,$o_btrfs LABEL=system /mnt/.snapshots
+mount -t btrfs -o subvol=@pkg,$o_btrfs LABEL=system /mnt/var/cache/pacman/pkg
+mount -t btrfs -o subvol=@aurbuild,$o_btrfs LABEL=system /mnt/var/lib/aurbuild
+mount -t btrfs -o subvol=@archbuild,$o_btrfs LABEL=system /mnt/var/lib/archbuild
+mount -t btrfs -o subvol=@log,$o_btrfs LABEL=system /mnt/var/log
+mount 
-t btrfs -o subvol=@tmp,$o_btrfs LABEL=system /mnt/var/tmp + +# Mount additional partitions +mount -o $o LABEL=EFI /mnt/efi + +# Change default btrfs sub-volume (for DPS) +default_subvolume=$(btrfs subvolume list /mnt | grep "path @$" | cut -d ' ' -f2) +btrfs subvolume set-default ${default_subvolume} /mnt + +# Disable CoW for /home due to large loopback files by systemd-homed +chattr +C /mnt/home + +if ! grep "# Installer cache" /etc/pacman.conf > /dev/null; then + cat >> /etc/pacman.conf << EOF +# Installer cache +[options] +CacheDir = /mnt/var/cache/pacman/pkg +EOF +fi + +# Bootstrap new chroot +reflector --country 'Germany' --protocol https --sort age --latest 5 --save /etc/pacman.d/mirrorlist +pacstrap /mnt base linux linux-firmware intel-ucode btrfs-progs dracut neovim iwd networkmanager + +genfstab -L -p /mnt >> /mnt/etc/fstab + +# Configure timezone, locale, keymap, network +sed -i 's/^#en_US\.UTF-8/en_US\.UTF-8/' /mnt/etc/locale.gen +sed -i 's/^#de_DE\.UTF-8/de_DE\.UTF-8/' /mnt/etc/locale.gen +arch-chroot /mnt locale-gen +arch-chroot /mnt systemd-firstboot \ + --locale="en_US.UTF-8" \ + --keymap="de-latin1" \ + --timezone="Europe/Berlin" \ + --hostname="${new_hostname}" \ + --setup-machine-id +echo -e "127.0.0.1\tlocalhost" >> /mnt/etc/hosts +echo -e "127.0.1.1\t$new_hostname" >> /mnt/etc/hosts +echo -e "\n::1\tlocalhost" >> /mnt/etc/hosts + +# Use systemd-resolved as dns backend for NetworkManager (auto-detected) +ln -sf /run/systemd/resolve/stub-resolv.conf /mnt/etc/resolv.conf + +# Enable iwd as wifi backend for NetworkManager +cat > /mnt/etc/NetworkManager/conf.d/wifi-backend.conf < +hostonly="yes" +hostonly_cmdline="no" +# Add video drivers for early KMS +add_drivers+=" i915 " +# Omit bluetooth; I do not have bluetooth hardware I'd need during early boot, +# and as of 2021-12 it fails to build anyway, see +# https://bugs.archlinux.org/task/72463 and https://github.com/dracutdevs/dracut/pull/1671 +omit_dracutmodules+=" bluetooth " +# Make sure we have 
the TPM stack available
+add_dracutmodules+=" tpm2-tss "
diff --git a/etc/faillock.conf b/etc/faillock.conf
new file mode 100644
index 0000000..f2162ea
--- /dev/null
+++ b/etc/faillock.conf
@@ -0,0 +1,8 @@
+# Reduce the aggressive defaults of faillock (three failed attempts within 15 minutes lock for 10 minutes) to something
+# bearable and pragmatic: 10 failed attempts within 15 minutes lock for 10 minutes
+
+# Ten failed attempts within 15 minutes…
+deny = 10
+fail_interval = 900
+# …lock the system for ten minutes
+unlock_time = 600
diff --git a/etc/gdm-profile b/etc/gdm-profile
new file mode 100644
index 0000000..817afc5
--- /dev/null
+++ b/etc/gdm-profile
@@ -0,0 +1,3 @@
+user-db:user
+system-db:gdm
+file-db:/usr/share/gdm/greeter-dconf-defaults
diff --git a/etc/iwd/main.conf b/etc/iwd/main.conf
deleted file mode 100644
index b05962e..0000000
--- a/etc/iwd/main.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-[General]
-EnableNetworkConfiguration=true
-
-[Network]
-EnableIPv6=true
diff --git a/etc/kernel/cmdline b/etc/kernel/cmdline
deleted file mode 100644
index 7e65a67..0000000
--- a/etc/kernel/cmdline
+++ /dev/null
@@ -1 +0,0 @@
-rd.luks.name=a4a8535e-cd13-4656-8de3-5394281cb369=luks rd.luks.options=fido2-device=auto root=LABEL=btrfs rootflags=subvol=root rw quiet loglevel=3 rd.udev.log_level=3 fbconf=nodefer splash vt.global_cursor_default=0 mem_sleep_default=deep
diff --git a/etc/loader.conf b/etc/loader.conf
new file mode 100644
index 0000000..f5279f6
--- /dev/null
+++ b/etc/loader.conf
@@ -0,0 +1,7 @@
+# Directly boot the default kernel; to make the boot menu appear
+# press any key during the firmware splash screen.
+timeout 0
+# Disable the editor to prevent editing the command line; doesn't matter
+# much because in secure boot mode the kernel ignores the boot loader command
+# line anyway.
+editor no
diff --git a/etc/mkinitcpio.conf b/etc/mkinitcpio.conf
deleted file mode 100644
index b24d47d..0000000
--- a/etc/mkinitcpio.conf
+++ /dev/null
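Review bot: `deny = 10` relaxes the lockout threshold for regular accounts, but the file says nothing about root: pam_faillock leaves the root account out of the lockout entirely unless `even_deny_root` is set, so the relaxed policy applies to ordinary users while root stays unprotected by this mechanism. The header comment should state whether that exclusion is intended, or the file should add `even_deny_root` (paired with `root_unlock_time`) if root logins are meant to be rate-limited too. A one-line note such as `# root is not subject to this lockout; set even_deny_root to include it` would record the decision for the next reader.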
@@ -1,4 +0,0 @@
-MODULES=(i915)
-BINARIES=(/usr/bin/btrfs)
-FILES=()
-HOOKS=(base systemd sd-plymouth keyboard autodetect sd-vconsole modconf block sd-encrypt filesystems fsck)
diff --git a/etc/modprobe.conf b/etc/modprobe.conf
new file mode 100644
index 0000000..4e1ce57
--- /dev/null
+++ b/etc/modprobe.conf
@@ -0,0 +1,9 @@
+# Managed by my dotfiles
+
+# Blacklist pcspkr to silence beeps
+blacklist pcspkr
+# See https://wiki.archlinux.org/index.php/Power_management
+options snd_hda_intel power_save=1
+options snd_ac97_codec power_save=1
+options iwlwifi power_save=1
+options i915 fastboot=1
diff --git a/etc/modprobe.d/i915.conf b/etc/modprobe.d/i915.conf
deleted file mode 100644
index 532328c..0000000
--- a/etc/modprobe.d/i915.conf
+++ /dev/null
@@ -1 +0,0 @@
-options i915 fastboot=1
diff --git a/etc/networkmanager-mdns.conf b/etc/networkmanager-mdns.conf
new file mode 100644
index 0000000..9faf6bb
--- /dev/null
+++ b/etc/networkmanager-mdns.conf
@@ -0,0 +1,7 @@
+[connection]
+# Enable mDNS resolving (1) on all interfaces by default, but do not enable
+# mDNS responding, i.e. do not register an mDNS hostname for this connection (2)
+#
+# We use systemd-resolved only for resolution because responding is handled by
+# Avahi for proper discovery.
+connection.mdns=1
diff --git a/etc/pacman/00-global-options.conf b/etc/pacman/00-global-options.conf
new file mode 100644
index 0000000..d5ff53a
--- /dev/null
+++ b/etc/pacman/00-global-options.conf
@@ -0,0 +1,4 @@
+# Enable colors
+Color
+VerbosePkgLists
+ParallelDownloads = 5
diff --git a/etc/pacman/50-core-repositories.conf b/etc/pacman/50-core-repositories.conf
new file mode 100644
index 0000000..56a2e97
--- /dev/null
+++ b/etc/pacman/50-core-repositories.conf
@@ -0,0 +1,27 @@
+# The testing repositories are disabled by default. To enable, uncomment the
+# repo name header and Include lines. You can add preferred servers immediately
+# after the header, and they will be used before the default mirrors.
+
+#[testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[core]
+Include = /etc/pacman.d/mirrorlist
+
+[extra]
+Include = /etc/pacman.d/mirrorlist
+
+#[community-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[community]
+Include = /etc/pacman.d/mirrorlist
+
+# If you want to run 32 bit applications on your x86_64 system,
+# enable the multilib repositories as required here.
+
+#[multilib-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+#[multilib]
+#Include = /etc/pacman.d/mirrorlist
diff --git a/etc/pacman/55-multilib-repository.conf b/etc/pacman/55-multilib-repository.conf
new file mode 100644
index 0000000..832e43d
--- /dev/null
+++ b/etc/pacman/55-multilib-repository.conf
@@ -0,0 +1,8 @@
+# If you want to run 32 bit applications on your x86_64 system,
+# enable the multilib repositories as required here.
+
+#[multilib-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+#[multilib]
+#Include = /etc/pacman.d/mirrorlist
diff --git a/etc/pacman/60-aurutils-repository.conf b/etc/pacman/60-aurutils-repository.conf
new file mode 100644
index 0000000..48b67b9
--- /dev/null
+++ b/etc/pacman/60-aurutils-repository.conf
@@ -0,0 +1,4 @@
+# aurutils repo
+[aur]
+SigLevel = Optional TrustAll
+Server = file:///var/cache/pacman/aur
diff --git a/etc/pacman/99-options.conf b/etc/pacman/99-options.conf
new file mode 100644
index 0000000..26ee9e6
--- /dev/null
+++ b/etc/pacman/99-options.conf
@@ -0,0 +1,2 @@
+[options]
+CacheDir = /var/cache/pacman/pkg
\ No newline at end of file
diff --git a/etc/pacman/pacman.conf b/etc/pacman/pacman.conf
new file mode 100644
index 0000000..e8a52c6
--- /dev/null
+++ b/etc/pacman/pacman.conf
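Review bot: This file is created as `55-multilib-repository.conf`, but the new install.sh in this commit passes `"$DIR/etc/pacman/55-multilib-repositories.conf"` (plural) to its `install -pm644 -Dt /etc/pacman.d/conf.d` call, so that install step will fail on a missing source file; one of the two names has to change. Separately, the whole content of this snippet — the two comment lines and the commented-out `[multilib-testing]`/`[multilib]` blocks — already appears at the end of `50-core-repositories.conf`, so the multilib section now lives in two snippets that can drift apart; keeping it only here and dropping the tail of the core file removes the duplication.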
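Review bot: `SigLevel = Optional TrustAll` on the `[aur]` repository means pacman installs anything it finds under `/var/cache/pacman/aur` with no signature check, so the integrity of every locally built package rests entirely on the permissions of that directory, while the rest of the system keeps the global `Required DatabaseOptional` default. If the build pipeline can sign its output, `SigLevel = Required` for this repo (with the signing key added to the pacman keyring) closes that gap; if unsigned is a deliberate choice, the single-line comment should say so, e.g. `# Unsigned local repo: trusts every file in /var/cache/pacman/aur; keep that directory writable by the build user only`.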
@@ -0,0 +1,69 @@
+#
+# /etc/pacman.conf
+#
+# See the pacman.conf(5) manpage for option and repository directives
+
+#
+# GENERAL OPTIONS
+#
+[options]
+# The following paths are commented out with their default values listed.
+# If you wish to use different paths, uncomment and update the paths.
+#RootDir = /
+#DBPath = /var/lib/pacman/
+#CacheDir = /var/cache/pacman/pkg/
+#LogFile = /var/log/pacman.log
+#GPGDir = /etc/pacman.d/gnupg/
+#HookDir = /etc/pacman.d/hooks/
+HoldPkg = pacman glibc
+#XferCommand = /usr/bin/curl -L -C - -f -o %o %u
+#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
+#CleanMethod = KeepInstalled
+Architecture = auto
+
+# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
+#IgnorePkg =
+#IgnoreGroup =
+
+#NoUpgrade =
+#NoExtract =
+
+# Misc options
+#UseSyslog
+#Color
+#NoProgressBar
+CheckSpace
+#VerbosePkgLists
+#ParallelDownloads = 5
+
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
+SigLevel = Required DatabaseOptional
+LocalFileSigLevel = Optional
+#RemoteFileSigLevel = Required
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
+
+#
+# REPOSITORIES
+# - can be defined here or included from another file
+# - pacman will search repositories in the order defined here
+# - local/custom mirrors can be added here or in separate files
+# - repositories listed first will take precedence when packages
+# have identical names, regardless of version number
+# - URLs will have $repo replaced by the name of the current repo
+# - URLs will have $arch replaced by the name of the architecture
+#
+# Repository entries are of the format:
+# [repo-name]
+# Server = ServerName
+# Include = IncludePath
+#
+# The header [repo-name] is crucial - it must be present and
+# uncommented to enable the repo.
+#
+
+# Include configuration snippets
+Include = /etc/pacman.d/conf.d/*.conf
diff --git a/etc/reflector.conf b/etc/reflector.conf
new file mode 100644
index 0000000..1b5ddef
--- /dev/null
+++ b/etc/reflector.conf
@@ -0,0 +1,5 @@
+--save /etc/pacman.d/mirrorlist
+--protocol https
+--country Germany
+--latest 5
+--sort age
diff --git a/etc/snap-pac.ini b/etc/snap-pac.ini
deleted file mode 100644
index 462400f..0000000
--- a/etc/snap-pac.ini
+++ /dev/null
@@ -1,46 +0,0 @@
-# snap-pac example configuration file
-# see snap-pac(8) for more details
-
-# Each section corresponds with a snapper configuration. Add additional sections to add
-# other configurations to be snapshotted. By default, only the root configuration is snapshotted.
-# Create a section named [DEFAULT] to have a setting apply for all snapper configurations
-
-## Uncomment to set parameters for snapper configuration named root
-#[root]
-
-## How many characters to limit the description for snapper.
-## Default is 72
-#desc_limit = 72
-
-## Whether or not to take snapshots of this snapper configuration
-## Default is True for root configuration and False for all other configurations
-#snapshot = True
-
-## What snapper cleanup algorithm to use
-## Default is number
-#cleanup_algorithm = number
-
-## Pre snapshot description.
-## Default is the pacman command that triggered the hook
-#pre_description = pacman pre snapshot
-
-## Post snapshot description.
-## Default is the list of packages involved in the pacman transaction
-#post_description = pacman post snapshot
-
-## Uncomment to add "important=yes" to userdata for snapshots referring to these packages
-## Default is []
-#important_packages = ["linux", "linux-lts"]
-
-## Uncomment to add "important=yes" to userdata for snapshots that were created with the following commands
-## Default is []
-#important_commands = ["pacman -Syu"]
-
-## Add custom userdata. Each key-value pair should be an item in the list
-## Default is []
-#userdata = ["key=value","foo=bar"]
-
-## Example for another snapper configuration named "home"
-# [home]
-## Default is False
-# snapshot = True
diff --git a/etc/snapper/configs/root b/etc/snapper-root.conf
similarity index 100%
rename from etc/snapper/configs/root
rename to etc/snapper-root.conf
diff --git a/etc/sudoers.d/10-defaults b/etc/sudoers.d/10-defaults
new file mode 100644
index 0000000..cbe235b
--- /dev/null
+++ b/etc/sudoers.d/10-defaults
@@ -0,0 +1,35 @@
+#
+# Refuse to run if unable to disable echo on the tty.
+#
+Defaults !visiblepw
+
+#
+# Preserving HOME has security implications since many programs
+# use it when searching for configuration files. Note that HOME
+# is already set when the the env_reset option is enabled, so
+# this option is only effective for configurations where either
+# env_reset is disabled or HOME is present in the env_keep list.
+#
+Defaults always_set_home
+
+#
+# Provide password input feedback.
+#
+Defaults pwfeedback
+
+#
+# Lookup sudoers groups by ID instead of looking up user groups by name;
+# we only have one or two groups in this config so looking up by ID is more
+# effective.
+#
+Defaults match_group_by_gid
+
+#
+# Keep a bunch of locale settings and other stuff.
+#
+Defaults env_reset
+Defaults env_keep = "COLORS HOSTNAME HISTSIZE LS_COLORS"
+Defaults env_keep += "MAIL LANG LC_ADDRESS LC_CTYPE"
+Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
+Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
+Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
diff --git a/etc/sudoers.d/50-aurutils b/etc/sudoers.d/50-aurutils
new file mode 100644
index 0000000..e683555
--- /dev/null
+++ b/etc/sudoers.d/50-aurutils
@@ -0,0 +1,2 @@
+%aurutils ALL = (root) NOPASSWD: SETENV: /usr/bin/makechrootpkg
+%aurutils ALL = (root) NOPASSWD: /usr/bin/mkarchroot, /usr/bin/arch-nspawn
diff --git a/etc/sudoers.d/override b/etc/sudoers.d/50-wheel
similarity index 100%
rename from etc/sudoers.d/override
rename to etc/sudoers.d/50-wheel
diff --git a/etc/sysctl.conf b/etc/sysctl.conf
new file mode 100644
index 0000000..e1edcfe
--- /dev/null
+++ b/etc/sysctl.conf
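Review bot: `Defaults pwfeedback` trades a usability nicety for a small information leak — sudoers(5) notes that the echoed asterisks let an onlooker determine the password length — and the comment above it only says "Provide password input feedback". Extending it to `# Provide password input feedback (reveals password length to onlookers; accepted trade-off)` records that the choice was deliberate. The `always_set_home` comment also has a doubled word in "when the the env_reset option is enabled".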
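Review bot: Both rules grant the `aurutils` group passwordless root for tools that run caller-supplied commands and environments as root (`arch-nspawn` and `mkarchroot` take a container root and command from the caller, and `SETENV:` lets any environment reach `makechrootpkg`), so membership in `%aurutils` is effectively root-equivalent. That is the documented aurutils setup, but the file should say so, e.g. `# %aurutils is root-equivalent: restrict membership to the administrator account`. The part of install.sh visible here does not show how the sudoers.d files are installed, so do confirm they land with mode 0440 and are checked with `visudo -cf` before being dropped into `/etc/sudoers.d`.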
@@ -0,0 +1,58 @@
+# Don't let non-root users get addresses of kernel symbols
+kernel.kptr_restrict=1
+
+# Disable kexec to disallow replacing the running kernel.
+kernel.kexec_load_disabled=1
+
+# Only let root ptrace processes, for security reasons.
+# Perhaps I'll need to disable this again for devtools & debugging
+kernel.yama.ptrace_scope=2
+
+# IPv6 Privacy Extensions (RFC 4941)
+# ---
+# IPv6 typically uses a device's MAC address when choosing an IPv6 address
+# to use in autoconfiguration. Privacy extensions allow using a randomly
+# generated IPv6 address, which increases privacy.
+#
+# Acceptable values:
+# 0 - don’t use privacy extensions.
+# 1 - generate privacy addresses
+# 2 - prefer privacy addresses and use them over the normal addresses.
+net.ipv6.conf.all.use_tempaddr=2
+net.ipv6.conf.default.use_tempaddr=2
+
+# The magic SysRq key enables certain keyboard combinations to be
+# interpreted by the kernel to help with debugging. The kernel will respond
+# to these keys regardless of the current running applications.
+#
+# In general, the magic SysRq key is not needed for the average Ubuntu
+# system, and having it enabled by default can lead to security issues on
+# the console such as being able to dump memory or to kill arbitrary
+# processes including the running screen lock.
+#
+# Here is the list of possible values:
+# 0 - disable sysrq completely
+# 1 - enable all functions of sysrq
+# >1 - enable certain functions by adding up the following values:
+# 2 - enable control of console logging level
+# 4 - enable control of keyboard (SAK, unraw)
+# 8 - enable debugging dumps of processes etc.
+# 16 - enable sync command
+# 32 - enable remount read-only
+# 64 - enable signalling of processes (term, kill, oom-kill)
+# 128 - allow reboot/poweroff
+# 256 - allow nicing of all RT tasks
+#
+# For example, to enable both control of console logging level and
+# debugging dumps of processes: kernel.sysrq = 10
+#
+# 128 + 32 + 16
+kernel.sysrq=176
+
+# Disable NMI watchdog (powertop recommendation)
+kernel.nmi_watchdog=0
+# Increase writeback time (default's 500, powertop recommendation)
+vm.dirty_writeback_centisecs=1500
+
+# Quiet
+kernel.printk = 3 3 3 3
diff --git a/etc/sysctl.d/20-quiet-printk.conf b/etc/sysctl.d/20-quiet-printk.conf
deleted file mode 100644
index 47146d2..0000000
--- a/etc/sysctl.d/20-quiet-printk.conf
+++ /dev/null
@@ -1 +0,0 @@
-kernel.printk = 3 3 3 3
diff --git a/etc/systemd/network/20-wired.network b/etc/systemd/network/20-wired.network
deleted file mode 100644
index 028572c..0000000
--- a/etc/systemd/network/20-wired.network
+++ /dev/null
@@ -1,13 +0,0 @@
-[Match]
-Name=en*
-
-[Network]
-DHCP=yes
-
-[DHCPv4]
-RouteMetric=10
-UseDomains=true
-
-[IPv6AcceptRA]
-RouteMetric=10
-UseDomains=yes
diff --git a/etc/systemd/network/25-wireless.network b/etc/systemd/network/25-wireless.network
deleted file mode 100644
index b2935f3..0000000
--- a/etc/systemd/network/25-wireless.network
+++ /dev/null
@@ -1,13 +0,0 @@
-[Match]
-Name=wl*
-
-[Network]
-DHCP=yes
-
-[DHCPv4]
-RouteMetric=20
-UseDomains=true
-
-[IPv6AcceptRA]
-RouteMetric=20
-UseDomains=yes
diff --git a/etc/systemd/oomd.conf b/etc/systemd/oomd.conf
new file mode 100644
index 0000000..046acaf
--- /dev/null
+++ b/etc/systemd/oomd.conf
@@ -0,0 +1,3 @@
+[OOM]
+# Reduce default of 30s to 20s; taken from Fedora, so it's likely a good idea
+DefaultMemoryPressureDurationSec=20s
diff --git a/etc/systemd/resolved.conf b/etc/systemd/resolved.conf
new file mode 100644
index 0000000..2cd98a1
--- /dev/null
+++ b/etc/systemd/resolved.conf
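Review bot: `kernel.kexec_load_disabled=1` is a one-way switch — once set it cannot be cleared again until the next reboot — and the comment "Disable kexec to disallow replacing the running kernel." does not say so, which will surprise whoever later wants kexec for kdump or a fast reboot. Suggest `# Disable kexec to disallow replacing the running kernel (one-way: cannot be re-enabled without a reboot).` As a point of style, `kernel.printk = 3 3 3 3` is the only key in the file written with spaces around `=`; `kernel.printk=3 3 3 3` matches the `key=value` form used everywhere else.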
@@ -0,0 +1,6 @@
+# Managed by my dotfiles
+[Resolve]
+# Resolve mDNS hostnames via resolved, but leave the rest to Avahi
+MulticastDNS=resolve
+# Enable and enforce DNSSEC
+DNSSEC=true
diff --git a/etc/systemd/root-slice-oomd.conf b/etc/systemd/root-slice-oomd.conf
new file mode 100644
index 0000000..6b87cad
--- /dev/null
+++ b/etc/systemd/root-slice-oomd.conf
@@ -0,0 +1,13 @@
+[Slice]
+# Monitor all units, slices, etc. for OOM conditions based on current swap usage
+# (default limit is 90% swap use). When the system uses more swap than this
+# limit system will start acting on control groups using most swap, in order
+# of swap usage (see oomd.conf(5) for details).
+#
+# systemd recommends to set this on the root slice (see systemd-oomd.service(8)).
+#
+# systemd does not recommend to generally act upon memory pressure, because most
+# system services run fine under memory pressure, and latency (i.e. having a
+# responsive service) is usually not important for system services (which are
+# mostly invisible anyway).
+ManagedOOMSwap=kill
diff --git a/etc/systemd/system.conf b/etc/systemd/system.conf
new file mode 100644
index 0000000..e18fb3d
--- /dev/null
+++ b/etc/systemd/system.conf
@@ -0,0 +1,7 @@
+[Manager]
+# Enable various cgroup accounts to support systemd-oomd.
+# See systemd-oomd(1)
+DefaultCPUAccounting=true
+DefaultIOAccounting=true
+DefaultMemoryAccounting=true
+DefaultTasksAccounting=true
diff --git a/etc/systemd/system/getty@tty1.service.d/override.conf b/etc/systemd/system/getty@tty1.service.d/override.conf
deleted file mode 100644
index 01be9de..0000000
--- a/etc/systemd/system/getty@tty1.service.d/override.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[Service]
-ExecStart=
-ExecStart=/usr/bin/agetty --skip-login --nonewline --noissue --autologin tobias --noclear %I $TERM
diff --git a/etc/systemd/timesyncd.conf b/etc/systemd/timesyncd.conf
new file mode 100644
index 0000000..ab4f387
--- /dev/null
+++ b/etc/systemd/timesyncd.conf
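Review bot: `DNSSEC=true` makes name resolution hard-fail on any network whose upstream resolver strips or does not pass DNSSEC records (captive portals and many ISP resolvers), which on a NetworkManager-managed laptop is a routine situation, and the comment "Enable and enforce DNSSEC" does not mention that consequence. `DNSSEC=allow-downgrade` is the documented middle ground, at the cost of being downgradeable by the network; if strict mode is intentional, record the trade-off instead, e.g. `# Enforce DNSSEC; resolution deliberately fails on networks with non-validating upstreams`.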
@@ -0,0 +1,3 @@
+[Time]
+# Default set of NTP servers
+NTP=0.de.pool.ntp.org 1.de.pool.ntp.org 2.de.pool.ntp.org 3.de.pool.ntp.org
diff --git a/etc/systemd/user-service-oomd.conf b/etc/systemd/user-service-oomd.conf
new file mode 100644
index 0000000..da08bf3
--- /dev/null
+++ b/etc/systemd/user-service-oomd.conf
@@ -0,0 +1,17 @@
+[Service]
+# Allow oomd to act on user units under memory pressure; if a unit is under
+# memory pressure for a configured amount of time (see ooomd configuration)
+# oomd may kill the unit.
+#
+# systemd-oomd.service(8) recommends to set this for the user service, to keep
+# the user slice responsive. If applications run under memory pressure they
+# cease being responsive, so we should kill them early to make sure the system
+# stays responsive.
+ManagedOOMMemoryPressure=kill
+# Reduce the amount of time a unit must be under memory pressure before oomd.
+# Overrides the oomd default of 90%, see oomd.conf(5) for the precise meaning
+# of this setting.
+#
+# systemd-oomd.service(8) recommends to reduce this for user services; it says
+# 40%, but Fedora's defaults are 50%, so let's follow Fedora here.
+ManagedOOMMemoryPressureLimit=50%
diff --git a/etc/systemd/zram-generator.conf b/etc/systemd/zram-generator.conf
new file mode 100644
index 0000000..507a0c4
--- /dev/null
+++ b/etc/systemd/zram-generator.conf
@@ -0,0 +1 @@
+[zram0]
diff --git a/install.sh b/install.sh
old mode 100644
new mode 100755
index 0c221a4..f2e9cb1
--- a/install.sh
+++ b/install.sh
@@ -1,195 +1,438 @@ #!/usr/bin/env bash -# -# Bootstrap a new Arch system from an installation ISO. -# -# Bootable USB: -# - [Download](https://archlinux.org/download/) ISO and GPG files -# - Verify the ISO file: `$ pacman-key -v archlinux--x86_64.iso.sig` -# - Create a bootable USB with: `# dd if=archlinux*.iso of=/dev/sdX && sync` -# -# UEFI setup: -# -# - Set boot mode to UEFI, disable Legacy mode entirely. -# - Temporarily disable Secure Boot. -# - Make sure a strong UEFI administrator password is set. -# - Delete preloaded OEM keys for Secure Boot, allow custom ones. -# -# Run installation: -# -# - Connect to wifi via: `# iwctl station wlan0 connect $SSID` -# - Run: `# bash <(curl -sL https://link.rafe.li/dot)` -# - set -uo pipefail trap 's=$?; echo "$0: Error on line "$LINENO": $BASH_COMMAND"; exit $s' ERR -args=() -target_device="" -new_hostname="" +PRESERVE_ENV=AUR_PAGER,PACKAGER,EDITOR -while [[ $# -gt 0 ]] -do - arg="$1" +if [[ $EUID != 0 ]]; then + echo 'Elevating privileges' + exec sudo --preserve-env="${PRESERVE_ENV}" "$0" "$@" +fi - case "$arg" in - "--device") - target_device="$2" - shift - shift - ;; - "--hostname") - new_hostname="$2" - shift - shift - ;; - *) - args+=("$arg") - shift; - esac +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)" + +# Configure pacman +install -pm644 "$DIR/etc/pacman/pacman.conf" /etc/pacman.conf +install -pm644 -Dt /etc/pacman.d/conf.d \ + "$DIR/etc/pacman/00-global-options.conf" \ + "$DIR/etc/pacman/50-core-repositories.conf" \ + "$DIR/etc/pacman/55-multilib-repositories.conf" \ + "$DIR/etc/pacman/60-aurutils-repository.conf" \ + "$DIR/etc/pacman/99-options.conf" + +# Remove packages no longer in use +to_remove=() +for pkg in "${to_remove[@]}"; do + pacman --noconfirm -Rs "$pkg" || true done -if [[ -z "$target_device" ]]; then - echo "Missing --device argument" >&2 - exit 2; +packages=( + # Basic packages & system tools + base + dracut # Build initrd & unified EFI images + linux-firmware + 
intel-ucode
+  linux
+  lsb-release
+  sudo
+  zram-generator # swap on compressed RAM, mostly to support systemd-oomd
+  sbctl # Manage secure boot binaries and sign binaries
+  # File systems
+  ntfs-3g
+  exfatprogs
+  btrfs-progs
+  # Hardware tools
+  fwupd # Firmware updates
+  usbutils # for lsusb
+  # System monitoring
+  htop
+  lsof
+  # Power management
+  powertop
+  power-profiles-daemon
+  # Networking
+  networkmanager
+  firewalld
+  # DNS-SD, mostly for printers, i.e. CUPS. Service discovery is handled by Avahi,
+  # name resolution by systemd-resolved.
+  avahi
+  # Arch tools & infrastructure
+  pacman-contrib # paccache, checkupdates, pacsearch, and others
+  reflector # Weekly mirrorlist updates
+  kernel-modules-hook # Keep kernel modules on kernel updates
+  # Build packages
+  base-devel
+  namcap
+  aurpublish # Publish AUR packages from Git subtrees
+  # Dotfiles manager
+  chezmoi
+  # Terminal, shell & tools
+  man-db
+  man-pages
+  code
+  neovim
+  exa # Better ls (with git support)
+  rsync
+  curl
+  p7zip
+  zip
+  # Document processing and rendering
+  pandoc
+  mdcat
+  asciidoctor
+  zathura # Lightweight document viewer
+  # Spellchecking
+  hunspell
+  hunspell-de
+  hunspell-en_gb
+  hunspell-en_us
+  # Git and related tools
+  git
+  git-filter-repo
+  tea # CLI for gitea servers
+  tig # Curses git interfaces
+  # Bash tools
+  shellcheck
+  shfmt
+  # Other development tools
+  jq # Process JSON on command line
+  # Desktop tools
+  wl-clipboard
+  dconf-editor
+  # Desktop services
+  xdg-user-dirs
+  xdg-utils
+  xdg-desktop-portal
+  pcsclite # Smartcard daemon, for e-ID
+  cups
+  bluez
+  sane
+  pipewire-pulse # Pipewire-based pulse-audio, replaces pulseaudio
+  wireplumber # Recommended pipewire session & policy manager
+  firefox # Browser
+  firefox-i18n-de
+  vlc # Video player
+  inkscape # Vector graphics
+  gimp # Pixel graphics
+  qalculate-gtk # Powerful calculator
+  libreoffice-fresh
+  libreoffice-fresh-de
+  lollypop # Music player
+  #xournalpp # Handwriting tool
+  #signal-desktop # 
Secure mobile messenger
+  # Fonts & themes
+  # Fallback font with huge coverage and colored emojis
+  noto-fonts
+  noto-fonts-extra
+  noto-fonts-cjk
+  noto-fonts-emoji
+  # Microsoft compatibility fonts
+  ttf-liberation
+  ttf-caladea
+  ttf-carlito
+  ttf-cascadia-code
+  # Gnome
+  gdm
+  gnome-characters
+  gnome-keyring
+  gnome-screenshot
+  gnome-maps
+  gnome-clocks
+  gnome-weather
+  gnome-calendar
+  gnome-shell
+  gnome-shell-extensions
+  gnome-shell-extension-appindicator
+  gnome-remote-desktop
+  gnome-system-monitor
+  gnome-control-center
+  gnome-tweaks
+  gnome-backgrounds
+  gnome-themes-extra # For adwaita-dark
+  xdg-desktop-portal-gnome # Desktop portals
+  xdg-user-dirs-gtk
+  evolution
+  file-roller
+  yelp # Online help system
+  nautilus
+  python-nautilus
+  gvfs-afc
+  gvfs-goa
+  gvfs-gphoto2
+  gvfs-mtp
+  gvfs-nfs
+  gvfs-smb
+  sushi # Previewer for nautilus
+  evince # Document viewer
+  eog # Image viewer
+  simple-scan
+  seahorse # Credential manager
+  baobab # Disk space analyser
+  # Multimedia for gnome
+  gst-plugins-good
+  gst-plugins-bad
+  gst-plugins-ugly
+)
+
+optdeps=(
+  # pipewire
+  pipewire-pulse wireplumber
+  # linux: wireless frequency policies (provided as crda)
+  wireless-regdb
+  # pipewire: zeroconf support
+  pipewire-zeroconf
+  # poppler: data files
+  poppler-data
+  # dracut:
+  binutils # --uefi
+  elfutils # stripping
+  sbsigntools # efi signing
+  tpm2-tools # tpm2-tss
+  # zathura: PDF support
+  zathura-pdf-mupdf
+  # libva: intel drivers
+  intel-media-driver
+  # gnome-shell-extension-appindicator: GTK3 apps
+  libappindicator-gtk3
+  # aurutils: chroot support
+  devtools
+  # zim: spell checking
+  gtkspell3
+  # inkscape: optimized SVGs
+  scour
+  # kiconthemes: Additional icons for KDE apps
+  #breeze-icons
+)
+
+pacman -Syu --needed "${packages[@]}"
+pacman -S --needed --asdeps "${optdeps[@]}"
+pacman -D --asdeps "${optdeps[@]}"
+
+# Currently dracut is missing an optdepends on tpm2-tools, see
+# https://bugs.archlinux.org/task/73229
+pacman -D --asexplicit 
tpm2-tools
+
+services=(
+  # Core system services
+  systemd-boot-update.service # Update boot loader automatically
+  systemd-homed.service # homed for user management and home areas
+  systemd-oomd.service # Userspace OOM killer
+  systemd-timesyncd.service # Time sync
+  systemd-resolved.service # DNS resolution
+  # Other system services
+  firewalld.service # Firewall
+  # Timers
+  fstrim.timer # Periodically trim file systems…
+  "btrfs-scrub@$(systemd-escape -p /).timer" # scrub root filesystem…
+  paccache.timer # clean pacman cache…
+  pkgfile-update.timer # update pkgfile list…
+  fwupd-refresh.timer # check for firmware updates…
+  reflector.timer # and update the mirrorlist.
+  # Desktop services
+  gdm.service # Desktop manager
+  power-profiles-daemon.service # Power profile management
+  NetworkManager.service # Network manager for desktops
+  avahi-daemon.service # Local network service discovery (for WLAN printers)
+  cups.service # Printing
+  bluetooth.service # Bluetooth
+  pcscd.socket # Smartcards, mostly eID
+)
+
+if [[ -n "${SUDO_USER:-}" ]]; then
+  # Scrub home directory of my user account
+  services+=("btrfs-scrub@$(systemd-escape -p "/home/${SUDO_USER}").timer")
 fi
-if [[ -z "$new_hostname" ]]; then
-  echo "Missing --hostname argument" >&2
-  exit 2;
+systemctl enable "${services[@]}"
+
+# See /usr/share/factory/etc/nsswitch.conf for the Arch Linux factory defaults.
+# We add mdns hostnames (from Avahi) and libvirtd names, and also shuffle things around
+# to follow the recommendations in nss-resolve(8) which Arch Linux deliberately doesn't
+# do by default, see e.g. https://bugs.archlinux.org/task/57852
+NSS_HOSTS=(
+  # Resolves containers managed by systemd-machined
+  mymachines
+  # Resolve everything else with systemd-resolved and bail out if resolved
+  # doesn't find hostname. 
Everything after this stanza is just fallback in
+  # case resolved is down
+  resolve '[!UNAVAIL=return]'
+  # Resolve hosts from /etc/hosts (systemd-resolved handles /etc/hosts as well
+  # so this comes after resolve)
+  files
+  # Resolves gethostname(), i.e. /etc/hostname
+  myhostname
+  # Resolves from DNS
+  dns
+  )
+sed -i '/^hosts: /s/^hosts: .*/'"hosts: ${NSS_HOSTS[*]}/" /etc/nsswitch.conf
+
+# Bootloader and initrd configuration
+install -pm644 "$DIR/etc/dracut.conf" /etc/dracut.conf.d/50-custom.conf
+install -pm644 "$DIR/etc/loader.conf" /efi/loader/loader.conf
+if [[ -f /usr/share/secureboot/keys/db/db.key ]] && [[ -f /usr/share/secureboot/keys/db/db.pem ]]; then
+  install -pm644 "$DIR/etc/dracut-sbctl.conf" /etc/dracut.conf.d/90-sbctl-signing.conf
+else
+  rm -f /etc/dracut.conf.d/90-sbctl-signing.conf
 fi
-if [[ "${#args[@]}" -ne 0 ]]; then
-  echo "Unexpected extra arguments: ${args[*]}" >&2
-  exit 2
+# System configuration
+install -pm644 "$DIR/etc/faillock.conf" /etc/security/faillock.conf
+install -pm644 "$DIR/etc/modprobe.conf" /etc/modprobe.d/modprobe.conf
+
+# sudo configuration
+install -dm750 /etc/sudoers.d/
+install -pm600 -t/etc/sudoers.d "$DIR"/etc/sudoers.d/*
+
+# Systemd configuration
+ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+install -Dpm644 "$DIR/etc/systemd/system.conf" /etc/systemd/system.conf.d/50-custom.conf
+install -Dpm644 "$DIR/etc/systemd/timesyncd.conf" /etc/systemd/timesyncd.conf.d/50-custom.conf
+install -Dpm644 "$DIR/etc/systemd/resolved.conf" /etc/systemd/resolved.conf.d/50-custom.conf
+install -Dpm644 "$DIR/etc/systemd/zram-generator.conf" /etc/systemd/zram-generator.conf
+install -Dpm644 "$DIR/etc/systemd/oomd.conf" /etc/systemd/oomd.conf.d/oomd.conf
+install -Dpm644 "$DIR/etc/systemd/root-slice-oomd.conf" /etc/systemd/system/-.slice.d/50-oomd.conf
+install -Dpm644 "$DIR/etc/systemd/user-service-oomd.conf" /etc/systemd/system/user@.service.d/50-oomd.conf
+
+# Services configuration
+install -Dpm644 
"$DIR/etc/networkmanager-mdns.conf" /etc/NetworkManager/conf.d/50-mdns.conf
+install -Dpm644 "$DIR/etc/reflector.conf" /etc/xdg/reflector/reflector.conf
+install -Dpm644 "$DIR/etc/bluetooth.conf" /etc/bluetooth/main.conf
+install -Dpm644 "$DIR/etc/snapper-root.conf" /etc/snapper/configs/root
+
+# Global font configuration
+for file in 10-hinting-slight 10-sub-pixel-rgb 11-lcdfilter-default; do
+  ln -sf /usr/share/fontconfig/conf.avail/$file.conf /etc/fonts/conf.d/$file.conf
+done
+
+# Locale settings
+localectl set-locale de_DE.UTF-8
+# --no-convert stops localectl from trying to apply the text console layout to
+# X11/Wayland and vice versa
+localectl set-keymap --no-convert us
+localectl set-x11-keymap --no-convert us,de pc105
+
+# GDM dconf profile, for global GDM configuration, see
+# https://help.gnome.org/admin/system-admin-guide/stable/login-banner.html.en
+install -Dpm644 "$DIR/etc/gdm-profile" /etc/dconf/profile/gdm
+
+# Start firewalld and configure it
+systemctl start firewalld.service
+firewall-cmd --permanent --zone=home \
+  --add-service=upnp-client \
+  --add-service=rdp \
+  --add-service=ssh
+# Don't allow incoming SSH connections on public networks (this is a weird default imho)
+firewall-cmd --permanent --zone=public --remove-service=ssh
+firewall-cmd --reload
+
+# Setup secure boot
+if command -v sbctl > /dev/null && [[ -f /usr/share/secureboot/keys/db/db.key ]]; then
+  # Generate signed bootloader image
+  if ! sbctl list-files | grep -q /usr/lib/systemd/boot/efi/systemd-bootx64.efi; then
+    sbctl sign -s -o /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed /usr/lib/systemd/boot/efi/systemd-bootx64.efi
+    bootctl update --graceful
+  fi
+
+  # Generate signed firmware updater
+  if ! sbctl list-files | grep -q /usr/lib/fwupd/efi/fwupdx64.efi; then
+    sbctl sign -s -o /usr/lib/fwupd/efi/fwupdx64.efi.signed /usr/lib/fwupd/efi/fwupdx64.efi
+  fi
+
+  sbctl sign-all
+  sbctl verify # Safety check
 fi
-if [ ! 
-f /sys/firmware/efi/fw_platform_size ]; then
-  echo >&2 "You must boot in UEFI mode to continue"
-  exit 2
+# Install or update, and then configure the bootloader.
+# Do this AFTER signing the boot loader with sbctl, see above, to make sure we
+# install the signed loader.
+if ! [[ -e /efi/EFI/BOOT/BOOTX64.EFI ]]; then
+  bootctl install
+else
+  bootctl update --graceful
 fi
-if [[ "$UID" -ne 0 ]]; then
-  echo "This script needs to be run as root!" >&2
-  exit 3
+# Initialize AUR repo
+if [[ ! -d /var/cache/pacman/aur ]]; then
+  install -m755 -d /var/cache/pacman/aur
+  repo-add /var/cache/pacman/aur/aur.db.tar.zst
 fi
-read -rp "THIS SCRIPT WILL OVERWRITE ALL CONTENTS OF ${target_device}. Type uppercase yes to continue: " confirmed
-
-if [[ "$confirmed" != "YES" ]]; then
-  echo "aborted" >&2
-  exit 128
+# Allow myself to build AUR packages
+if [[ -n "${SUDO_USER:-}" && "$(stat -c '%U' /var/cache/pacman/aur)" != "$SUDO_USER" ]]; then
+  chown -R "$SUDO_USER:$SUDO_USER" /var/cache/pacman/aur
 fi
-timedatectl set-ntp true
-hwclock --systohc --utc
-loadkeys de-latin1
-
-# Partition
-sgdisk --zap-all "${target_device}"
-sgdisk --clear \
-    --new 1:0:+550MiB --typecode 1:ef00 --change-name 1:EFI \
-    --new 2:0:+8GiB --typecode 2:8200 --change-name 2:swap \
-    --new 3 --typecode 3:8304 --change-name 3:system \
-    "${target_device}"
-
-# Reload partition table
-sleep 5
-partprobe -s "${target_device}"
-sleep 3
-
-# Encrypt root
-echo -n "password" | cryptsetup luksFormat --type luks2 --pbkdf argon2id "/dev/disk/by-partlabel/system"
-echo -n "password" | cryptsetup luksOpen --allow-discards --persistent "/dev/disk/by-partlabel/system" system
-
-# Create file systems
-mkfs.fat -F 32 -n "EFI" /dev/disk/by-partlabel/EFI
-mkfs.btrfs --force --label system /dev/mapper/system
-
-# Mount system subvolume and create additional subvolumes
-o=defaults,x-mount.mkdir
-o_btrfs=$o,compress=zstd,ssd,noatime
-
-mount -t btrfs LABEL=system /mnt
-btrfs subvolume create /mnt/@ # /
-btrfs subvolume 
create /mnt/@home # /home
-btrfs subvolume create /mnt/@snapshots # /.snapshots
-btrfs subvolume create /mnt/@pkg # /var/cache/pacman/pkg
-btrfs subvolume create /mnt/@aurbuild # /var/lib/aurbuild
-btrfs subvolume create /mnt/@archbuild # /var/lib/archbuild
-btrfs subvolume create /mnt/@log # /var/log
-btrfs subvolume create /mnt/@tmp # /var/tmp
-
-umount -R /mnt
-mount -t btrfs -o subvol=@,$o_btrfs LABEL=system /mnt
-mount -t btrfs -o subvol=@home,$o_btrfs,nodatacow LABEL=system /mnt/home
-mount -t btrfs -o subvol=@snapshots,$o_btrfs LABEL=system /mnt/.snapshots
-mount -t btrfs -o subvol=@pkg,$o_btrfs LABEL=system /mnt/var/cache/pacman/pkg
-mount -t btrfs -o subvol=@aurbuild,$o_btrfs LABEL=system /mnt/var/lib/aurbuild
-mount -t btrfs -o subvol=@archbuild,$o_btrfs LABEL=system /mnt/var/lib/archbuild
-mount -t btrfs -o subvol=@log,$o_btrfs LABEL=system /mnt/var/log
-mount -t btrfs -o subvol=@tmp,$o_btrfs LABEL=system /mnt/var/tmp
-
-# Mount additional partitions
-mount -o $o LABEL=EFI /mnt/efi
-
-# Change default btrfs sub-volume (for DPS)
-default_subvolume=$(btrfs subvolume list /mnt | grep "path @$" | cut -d ' ' -f2)
-btrfs subvolume set-default ${default_subvolume} /mnt
-
-# Disable CoW for /home due to large loopback files by systemd-homed
-chattr +C /mnt/home
-
-if ! grep "# Installer cache" /etc/pacman.conf > /dev/null; then
-  cat >> /etc/pacman.conf << EOF
-# Installer cache
-[options]
-CacheDir = /mnt/var/cache/pacman/pkg
+# Bootstrap aurutils
+if [[ -n "${SUDO_USER:-}" ]] && ! 
command -v aur &>/dev/null; then + sudo -u "$SUDO_USER" bash <<'EOF' +set -xeuo pipefail +BDIR="$(mktemp -d --tmpdir aurutils.XXXXXXXX)" +echo "Building in $BDIR" +cd "$BDIR" +git clone --depth=1 "https://aur.archlinux.org/aurutils.git" +cd aurutils +makepkg --noconfirm --nocheck -rsi EOF fi -# Bootstrap new chroot -reflector --country 'Germany' --protocol https --sort age --latest 5 --save /etc/pacman.d/mirrorlist -pacstrap /mnt base linux linux-firmware intel-ucode btrfs-progs dracut neovim iwd networkmanager - -genfstab -L -p /mnt >> /mnt/etc/fstab - -# Configure timezone, locale, keymap, network -sed -i 's/^#en_US\.UTF-8/en_US\.UTF-8/' /mnt/etc/locale.gen -sed -i 's/^#de_DE\.UTF-8/de_DE\.UTF-8/' /mnt/etc/locale.gen -arch-chroot /mnt locale-gen -arch-chroot /mnt systemd-firstboot \ - --locale="en_US.UTF-8" \ - --keymap="de-latin1" \ - --timezone="Europe/Berlin" \ - --hostname="${new_hostname}" \ - --setup-machine-id -echo -e "127.0.0.1\tlocalhost" >> /mnt/etc/hosts -echo -e "127.0.1.1\t$new_hostname" >> /mnt/etc/hosts -echo -e "\n::1\tlocalhost" >> /mnt/etc/hosts - -# Use systemd-resolved as dns backend for NetworkManager (auto-detected) -ln -sf /run/systemd/resolve/stub-resolv.conf /mnt/etc/resolv.conf - -# Enable iwd as wifi backend for NetworkManager -cat > /mnt/etc/NetworkManager/conf.d/wifi-backend.conf <>"/etc/aurutils/pacman-aur.conf" +# aurutils repo +[aur] +SigLevel = Optional TrustAll +Server = file:///var/cache/pacman/aur EOF +fi -# Install dracut opt deps required to build unified kernel images -arch-chroot /mnt pacman -S --noconfirm --asdeps binutils elfutils -arch-chroot /mnt dracut -f --uefi --regenerate-all -# Install bootloader -arch-chroot /mnt bootctl install +aur_packages=( + # AUR helper + aurutils + # Splash screen at boot + plymouth + # Gnome extensions + gnome-shell-extension-nasa-apod + # Gnome tools + gnome-search-providers-vscode + # Dracut hook to build kernel images for systemd boot + dracut-hook-uefi + # Additional fonts + 
otf-vollkorn # My favorite serif font for documents
+  ttf-fira-go # A nice font for presentations
+  # Additional tools
+  git-gone
+  # Connect phone and desktop system
+  gnome-shell-extension-gsconnect
+)
-# Enable resolved
-systemctl --root /mnt enable systemd-resolved
-# Enable NetworkManager
-systemctl --root /mnt enable NetworkManager
-# Enable homed
-systemctl --root /mnt enable systemd-homed
+aur_optdeps=(
+  # plymouth: truetype fonts
+  ttf-dejavu cantarell-fonts
+)
-# Set root password
-echo "root:password" | chpasswd -R /mnt
+if [[ -n "${SUDO_USER:-}" ]]; then
+  # Build AUR packages and install them
+  if [[ ${#aur_packages} -gt 0 ]]; then
+    sudo -u "$SUDO_USER" --preserve-env="${PRESERVE_ENV}" \
+      nice aur sync -daur -cRT "${aur_packages[@]}" "${aur_optdeps[@]}"
+    pacman --needed -Syu "${aur_packages[@]}"
+  fi
+  if [[ ${#aur_optdeps[@]} -gt 0 ]]; then
+    pacman --needed -S --asdeps "${aur_optdeps[@]}"
+    pacman -D --asdeps "${aur_optdeps[@]}"
+  fi
-echo "BOOTSTRAPPING FINISHED"
+
+  remove_from_repo=()
+  if [[ ${#remove_from_repo[@]} -gt 0 ]]; then
+    for pkg in "${remove_from_repo[@]}"; do
+      rm -f "/var/cache/pacman/aur/${pkg}-"*.pkg.tar.*
+    done
+    sudo -u "$SUDO_USER" repo-remove /var/cache/pacman/aur/aur.db.tar.zst "${remove_from_repo[@]}" || true
+  fi
+fi
+
+# Set plymouth theme
+if command -v plymouth-set-default-theme > /dev/null; then
+  plymouth-set-default-theme bgrt
+fi
diff --git a/private_dot_gnupg/gpg-agent.conf b/private_dot_gnupg/gpg-agent.conf
index 7c55520..e375849 100644
--- a/private_dot_gnupg/gpg-agent.conf
+++ b/private_dot_gnupg/gpg-agent.conf
@@ -4,4 +4,4 @@ enable-ssh-support
 ttyname $GPG_TTY
 default-cache-ttl 60
 max-cache-ttl 120
-pinentry-program /usr/bin/pinentry-curses
+pinentry-program /usr/bin/pinentry-gtk4
diff --git a/private_dot_local/bin/executable_cglaunch b/private_dot_local/bin/executable_cglaunch
deleted file mode 100644
index e24fc61..0000000
--- a/private_dot_local/bin/executable_cglaunch
+++ /dev/null
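Review bot: The sudoers fragments go straight into /etc/sudoers.d via `install -pm600 -t/etc/sudoers.d "$DIR"/etc/sudoers.d/*` with no syntax check; sudo rejects its whole configuration when any file under sudoers.d fails to parse, and because this script re-executes itself through `sudo` at the top, one bad fragment also breaks the next run of the script. Validate before copying, e.g. `for f in "$DIR"/etc/sudoers.d/*; do visudo -cf "$f"; done` — under the ERR trap a failing check aborts before anything is written. Two smaller things in the same hunk: the fragment name `55-multilib-repositories.conf` looks inconsistent with `60-aurutils-repository.conf` on the next line (multilib is a single repository) and, if no file by that name exists, that `install` aborts the run, so confirm it against the fragments this commit adds; and `[[ ${#aur_packages} -gt 0 ]]` measures the length of the first element rather than the array, whereas the `aur_optdeps` check two lines down has the intended `${#aur_optdeps[@]}` form. Finally, `SigLevel = Optional TrustAll` on a repository that lives in a directory this script `chown -R`s to `$SUDO_USER` means root installs unsigned packages out of an unprivileged account's directory; that is the usual AUR trade-off, but it deserves a comment saying so rather than being implied.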
@@ -1,24 +0,0 @@
-#!/bin/bash
-# https://github.com/maximbaz/dotfiles/blob/61a40e111012dd589dad89ff0d31dcd1be8f8529/.local/bin/cglaunch
-
-if [ "$1" = "--term" ]; then
-  shift
-
-  kitty_args=()
-  if [[ "$1" == "-"* ]]; then
-    while [[ "$#" -gt 1 ]] && [[ "$1" != "--" ]]; do
-      kitty_args+=("$1")
-      shift
-    done
-    [[ "$1" != "--" ]] || shift
-  fi
-
-  title="${1##*/}"
-  title="${title:-kitty}"
-  app="kitty ${kitty_args[@]} --class $title"
-else
-  title="${1##*/}"
-  args="--scope"
-fi
-
-exec systemd-run --quiet --no-block --user --slice app.slice --unit "launch-$title-$(date '+%s%N')" $args -- $app "$@"
diff --git a/private_dot_local/private_share/chezmoi/executable_setup-system.sh b/private_dot_local/private_share/chezmoi/executable_setup-system.sh
deleted file mode 100644
index 15536fc..0000000
--- a/private_dot_local/private_share/chezmoi/executable_setup-system.sh
+++ /dev/null
@@ -1,206 +0,0 @@ -#!/bin/bash - -set -e -exec 2> >(while read line; do echo -e "\e[01;31m$line\e[0m"; done) - -script_name="$(basename "$0")" -dotfiles_dir="$( - cd "$(dirname "$0")" - pwd -)" -cd "$dotfiles_dir" - -if (("$EUID")); then - sudo -s "$dotfiles_dir/$script_name" "$@" - exit 0 -fi - -if [ "$1" = "-r" ]; then - echo >&2 "Running in reverse mode!" - reverse=1 -fi - -copy() { - if [ -z "$reverse" ]; then - orig_file="$dotfiles_dir/$1" - dest_file="/$1" - else - orig_file="/$1" - dest_file="$dotfiles_dir/$1" - fi - - mkdir -p "$(dirname "$orig_file")" - mkdir -p "$(dirname "$dest_file")" - - rm -rf "$dest_file" - - cp -R "$orig_file" "$dest_file" - if [ -z "$reverse" ]; then - [ -n "$2" ] && chmod "$2" "$dest_file" - else - chown -R $USER "$dest_file" - fi - echo "$dest_file <= $orig_file" -} - -is_chroot() { - ! cmp -s /proc/1/mountinfo /proc/self/mountinfo -} - -systemctl_enable() { - echo "systemctl enable "$1"" - systemctl enable "$1" -} - -systemctl_enable_start() { - echo "systemctl enable --now "$1"" - systemctl enable "$1" - systemctl start "$1" -} - -echo "" -echo "==========================" -echo "Setting up /etc configs..." 
-echo "==========================" - -copy "etc/kernel/cmdline" -copy "etc/sysctl.d/20-quiet-printk.conf" -copy "etc/modprobe.d/i915.conf" -#copy "etc/aurutils/pacman-x86_64.conf" -copy "etc/bluetooth/main.conf" -#copy "etc/conf.d/snapper" -#copy "etc/default/earlyoom" -#copy "etc/docker/daemon.json" -#copy "etc/fwupd/uefi_capsule.conf" -#copy "etc/modules-load.d/v4l2loopback.conf" -#copy "etc/modprobe.d/v4l2loopback.conf" -#copy "etc/nftables.conf" -#copy "etc/pacman.conf" -#copy "etc/pacman.d/hooks" -#copy "etc/pam.d/polkit-1" -#copy "etc/pam.d/sudo" -copy "etc/snap-pac.ini" -copy "etc/snapper/configs/root" -#copy "etc/ssh/ssh_config" -copy "etc/sudoers.d/override" -#copy "etc/sysctl.d/99-sysctl.conf" -#copy "etc/systemd/journald.conf.d/override.conf" -#copy "etc/systemd/logind.conf.d/override.conf" -copy "etc/systemd/network/20-wired.network" -copy "etc/systemd/network/25-wireless.network" -copy "etc/iwd/main.conf" -copy "etc/mkinitcpio.conf" -#copy "etc/systemd/resolved.conf.d/dnssec.conf" -copy "etc/systemd/system/getty@tty1.service.d/override.conf" -#copy "etc/systemd/system/usbguard.service.d/override.conf" -#copy "etc/systemd/system/reflector.service" -#copy "etc/systemd/system/reflector.timer" -#copy "etc/systemd/system/system-dotfiles-sync.service" -#copy "etc/systemd/system/system-dotfiles-sync.timer" -#copy "etc/systemd/system.conf.d/kill-fast.conf" -#copy "etc/usbguard/usbguard-daemon.conf" 600 -#copy "etc/systemd/system/backup-repo@pkgbuild" -#copy "etc/systemd/system/backup-repo@.service" -#copy "etc/systemd/system/backup-repo@.timer" - -(("$reverse")) && exit 0 - -echo "" -echo "=================================" -echo "Enabling and starting services..." 
-echo "=================================" - -sysctl --system > /dev/null - -systemctl daemon-reload -systemctl_enable_start "bluetooth.service" -#systemctl_enable_start "btrfs-scrub@-.timer" -#systemctl_enable_start "btrfs-scrub@mnt-btrfs\x2droot.timer" -#systemctl_enable_start "btrfs-scrub@home.timer" -#systemctl_enable_start "btrfs-scrub@var-cache-pacman.timer" -#systemctl_enable_start "btrfs-scrub@var-log.timer" -#systemctl_enable_start "btrfs-scrub@var-tmp.timer" -#systemctl_enable_start "btrfs-scrub@\x2esnapshots.timer" -#systemctl_enable_start "btrfs-scrub@var-lib-aurbuild.timer" -#systemctl_enable_start "btrfs-scrub@var-lib-archbuild.timer" -#systemctl_enable_start "btrfs-scrub@var-lib-docker.timer" -#systemctl_enable_start "docker.socket" -#systemctl_enable_start "earlyoom.service" -systemctl_enable_start "fstrim.timer" -systemctl_enable_start "iwd.service" -#systemctl_enable_start "linux-modules-cleanup.service" -#systemctl_enable_start "lenovo_fix.service" -#systemctl_enable_start "nftables.service" -systemctl_enable_start "pcscd.socket" -#systemctl_enable_start "reflector.timer" -#systemctl_enable_start "snapper-cleanup.timer" -#systemctl_enable_start "system-dotfiles-sync.timer" -systemctl_enable_start "systemd-networkd.socket" -systemctl_enable_start "systemd-resolved.service" -systemctl_enable_start "systemd-timesyncd" -#systemctl_enable_start "tlp.service" - -#if [ ! -s "/etc/usbguard/rules.conf" ]; then -# echo >&2 "=== Remember to set usbguard rules: usbguard generate-policy >! /etc/usbguard/rules.conf" -#else -# chmod 600 /etc/usbguard/rules.conf -# systemctl_enable_start "usbguard.service" -# systemctl_enable_start "usbguard-dbus.service" -#fi - -#systemctl_enable_start "backup-repo@pkgbuild.timer" - -#echo "" -#echo "===============================" -#echo "Creating top level Trash dir..." 
-#echo "===============================" -#mkdir --parent /.Trash -#chmod a+rw /.Trash -#chmod +t /.Trash -#echo "Done" - -echo "" -echo "=======================================" -echo "Finishing various user configuration..." -echo "=======================================" - -if is_chroot; then - echo >&2 "=== Running in chroot, skipping /etc/resolv.conf setup..." -else - echo "Configuring /etc/resolv.conf" - ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf -fi - -echo "Configuring NTP" -timedatectl set-ntp true - -echo "Configuring aurutils" -ln -sf /etc/pacman.conf /etc/aurutils/pacman-tobias-local.conf - -PLYMOUTH_THEME="spinner" -if [ "$(plymouth-set-default-theme)" != "$PLYMOUTH_THEME" ]; then - echo "Configuring plymouth" - plymouth-set-default-theme "$PLYMOUTH_THEME" -fi - -echo "Configuring mkinitcpio + secure boot" - -mkinitcpio -P - -if [ ! -s "/etc/arch-secure-boot/keys/PK.auth" ]; then - arch-secure-boot initial-setup -else - arch-secure-boot generate-efi -fi - -if [ ! -f /efi/EFI/secureboot/KeyTool-signed.efi ]; then - echo "Preparing KeyTool to allow install PK key" - mkdir -p /efi/EFI/secureboot - sbsign --key /etc/arch-secure-boot/keys/db.key --cert /etc/arch-secure-boot/keys/db.crt --output /efi/EFI/secureboot/KeyTool-signed.efi /usr/share/efitools/efi/KeyTool.efi - cp /etc/secureboot/keys/PK/PK.auth /efi/EFI/secureboot/PK.auth - mount="$(findmnt -n -o SOURCE -T "/efi")" - partition="${mount##*[!0-9]}" - entry="/EFI/secureboot/KeyTool-signed.efi" - efibootmgr -d "$mount" -p "$partition" -c -l "${entry//\//\\}" -L "KeyTool" - echo "Reboot into KeyTool and install PK key (EFI/secureboot/PK.auth) to UEFI" -fi diff --git a/run_once_setup-gpg.sh b/run_once_setup-gpg.sh new file mode 100644 index 0000000..8ef9d8a --- /dev/null +++ b/run_once_setup-gpg.sh 
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+exec 2> >(while read line; do echo -e "\e[01;31m$line\e[0m"; done)
+
+MY_PGP_KEY_ID="A3F9CE82F38FC1F220CC2A1D63CCF3229371555E"
+
+if ! gpg -k | grep "$MY_PGP_KEY_ID" > /dev/null; then
+  echo "Importing my public PGP key"
+  curl -s --tlsv1.3 https://tobias.strobel.one/pubkey.txt | gpg --import
+  echo "5\ny\n" | gpg --command-fd 0 --no-tty --batch --edit-key "$MY_PGP_KEY_ID" trust
+fi
+
+find "$HOME/.gnupg" -type f -not -path "*#*" -exec chmod 600 {} \;
+find "$HOME/.gnupg" -type d -exec chmod 700 {} \;
diff --git a/run_once_setup-user.sh b/run_once_setup-user.sh
deleted file mode 100755
index a30f8b2..0000000
--- a/run_once_setup-user.sh
+++ /dev/null
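Review bot: `echo "5\ny\n" | gpg --command-fd 0 … trust` does not send the two answers it intends to: bash's builtin `echo` prints `\n` literally without `-e`, so gpg receives the single line `5\ny\n` at the trust-level prompt and, as far as I can tell, the key ends up imported but never marked ultimately trusted — use `printf '5\ny\n' | gpg …`. `curl -s --tlsv1.3 … | gpg --import` should be `curl -fsS --tlsv1.3 …` so that an HTTP error page is not handed to `gpg --import` (under `set -e` that still stops the script, but with a misleading message). The trust is applied by fingerprint, so whatever the download returns only matters if it carries exactly `MY_PGP_KEY_ID`; a one-line comment above the `curl` saying that the pinned fingerprint, not the TLS download, is the trust anchor would make that design obvious. `read line` in the stderr colouriser should be `read -r line` so backslashes in error output are not mangled.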
@@ -1,223 +0,0 @@ -#!/bin/bash - -set -e -exec 2> >(while read line; do echo -e "\e[01;31m$line\e[0m"; done) - -MY_PGP_KEY_ID="A3F9CE82F38FC1F220CC2A1D63CCF3229371555E" - -dotfiles_dir="$( - cd "$(dirname "$0")" - pwd -)" -cd "$dotfiles_dir" - -link() { - orig_file="$dotfiles_dir/$1" - if [ -n "$2" ]; then - dest_file="$HOME/$2" - else - dest_file="$HOME/$1" - fi - - mkdir -p "$(dirname "$orig_file")" - mkdir -p "$(dirname "$dest_file")" - - rm -rf "$dest_file" - ln -s "$orig_file" "$dest_file" - echo "$dest_file -> $orig_file" -} - -is_chroot() { - ! cmp -s /proc/1/mountinfo /proc/self/mountinfo -} - -systemctl_enable_start() { - echo "systemctl --user enable --now "$1"" - systemctl --user enable --now "$1" -} - -#echo "===========================" -#echo "Setting up user dotfiles..." -#echo "===========================" - -#link ".gnupg/$(cut -d'-' -f1 /etc/hostname)-gpg.conf" ".gnupg/gpg.conf" -#link ".gnupg/gpg-agent.conf" -#link ".ignore" -#link ".magic" -#link ".p10k.zsh" -#link ".p10k.zsh" ".p10k-ascii-8color.zsh" -#link ".zprofile" -#link ".zsh-aliases" -#link ".zshenv" -#link ".zshrc" -# -#link ".config/bat" -#link ".config/chromium-flags.conf" -#link ".config/environment.d" -#link ".config/flashfocus" -#link ".config/git/$(cut -d'-' -f1 /etc/hostname)" ".config/git/config" -#link ".config/git/common" -#link ".config/git/home" -#link ".config/git/ignore" -#link ".config/git/work" -#link ".config/gtk-3.0" -#link ".config/htop" -#link ".config/imapnotify/archlinux.conf" -#link ".config/imapnotify/maximbaz.conf" -#link ".config/kak" -#link ".config/kak-lsp" -#link ".config/kitty" -#link ".config/libinput-gestures.conf" -#link ".config/mako" -#link ".config/mimeapps.list" -#link ".config/mpv" -#link ".config/neomutt/colors" -#link ".config/neomutt/mailcap" -#link ".config/neomutt/neomuttrc" -#link ".config/neomutt/signature" -#link ".config/notmuch" -#link ".config/pacman" -#link ".config/pgcli/config" -#link ".config/pylint" -#link 
".config/qalculate/qalc.cfg" -#link ".config/qalculate/qalculate-gtk.cfg" -#link ".config/qutebrowser" -#link ".config/repoctl" -#link ".config/sclirc" -#link ".config/stylua" -#link ".config/swappy" -#link ".config/sway" -#link ".config/swaylock" -#link ".config/systemd/user/backup-packages.service" -#link ".config/systemd/user/backup-packages.timer" -#link ".config/systemd/user/battery-low-notify.service" -#link ".config/systemd/user/mbsync.service" -#link ".config/systemd/user/mbsync.timer" -#link ".config/systemd/user/polkit-gnome.service" -#link ".config/systemd/user/qutebrowser-update-useragent.service" -#link ".config/systemd/user/qutebrowser-update-useragent.timer" -#link ".config/systemd/user/sway-autoname-workspaces.service" -#link ".config/systemd/user/sway-inactive-window-transparency.service" -#link ".config/systemd/user/sway-session.target" -#link ".config/systemd/user/swayr.service" -#link ".config/systemd/user/systembus-notify.service" -#link ".config/systemd/user/udiskie.service" -#link ".config/systemd/user/waybar.service" -#link ".config/systemd/user/waybar-updates.service" -#link ".config/systemd/user/waybar-updates.timer" -#link ".config/systemd/user/wl-clipboard-manager.service" -#link ".config/systemd/user/wlsunset.service" -#link ".config/tig" -#link ".config/transmission/settings.json" -#link ".config/udiskie" -#link ".config/USBGuard" -#link ".config/user-tmpfiles.d" -#link ".config/vimiv" -#link ".config/waybar" -#link ".config/wldash" -#link ".config/xdg-desktop-portal-wlr" -#link ".config/xkb" -#link ".config/xplr" -#link ".config/zathura" -# -#link ".local/bin" -#link ".local/share/applications" -#link ".local/share/qutebrowser/greasemonkey" -#link ".local/share/dbus-1/services/fr.emersion.mako.service" - -if is_chroot; then - echo >&2 "=== Running in chroot, skipping user services..." -else - echo "" - echo "=================================" - echo "Enabling and starting services..." 
- echo "=================================" - - systemctl --user daemon-reload - systemctl_enable_start pipewire - systemctl_enable_start pipewire-pulse - #systemctl_enable_start "backup-packages.timer" - #systemctl_enable_start "battery-low-notify.service" - #systemctl_enable_start "flashfocus.service" - #systemctl_enable_start "libinput-gestures.service" - #systemctl_enable_start "mako.service" - #systemctl_enable_start "polkit-gnome.service" - #systemctl_enable_start "qutebrowser-update-useragent.timer" - #systemctl_enable_start "sway-autoname-workspaces.service" - #systemctl_enable_start "sway-inactive-window-transparency.service" - #systemctl_enable_start "swayr.service" - #systemctl_enable_start "systembus-notify.service" - #systemctl_enable_start "systemd-tmpfiles-setup.service" - #systemctl_enable_start "udiskie.service" - #systemctl_enable_start "waybar.service" - #systemctl_enable_start "waybar-updates.timer" - #systemctl_enable_start "wl-clipboard-manager.service" - #systemctl_enable_start "wlsunset.service" - #systemctl_enable_start "wluma.service" - #systemctl_enable_start "yubikey-touch-detector.socket" - - #if [[ $HOSTNAME == home-* ]]; then - # if [ -d "$HOME/.mail" ]; then - # systemctl_enable_start "mbsync.timer" - # systemctl_enable_start "goimapnotify@archlinux.service" - # systemctl_enable_start "goimapnotify@maximbaz.service" - # else - # echo >&2 -e " - # === Mail is not configured, skipping... - # === Consult \$MBSYNC_CONFIG for initial setup, and then sync everything using: - # === while ! mbsync -c "\$MBSYNC_CONFIG" -a; do echo 'restarting...'; done - # " - # fi - #fi -fi - -echo "" -echo "=======================================" -echo "Finishing various user configuration..." -echo "=======================================" - -#echo "Configuring MIME types" -#file --compile --magic-file "$HOME/.magic" - -if ! 
gpg -k | grep "$MY_PGP_KEY_ID" > /dev/null; then - echo "Importing my public PGP key" - curl -s --tlsv1.3 https://tobias.strobel.one/pubkey.txt | gpg --import - echo "5\ny\n" | gpg --command-fd 0 --no-tty --batch --edit-key "$MY_PGP_KEY_ID" trust -fi - -find "$HOME/.gnupg" -type f -not -path "*#*" -exec chmod 600 {} \; -find "$HOME/.gnupg" -type d -exec chmod 700 {} \; - -#if is_chroot; then -# echo >&2 "=== Running in chroot, skipping YubiKey configuration..." -#else -# if [ ! -s "$HOME/.config/Yubico/u2f_keys" ]; then -# echo "Configuring YubiKey for passwordless sudo (touch it now)" -# mkdir -p "$HOME/.config/Yubico" -# pamu2fcfg -umaximbaz > "$HOME/.config/Yubico/u2f_keys" -# fi -#fi - -#if [ -d "$HOME/.password-store" ]; then -# echo "Configuring automatic git push for pass" -# echo -e "#!/bin/sh\n\npass git push" > "$HOME/.password-store/.git/hooks/post-commit" -# chmod +x "$HOME/.password-store/.git/hooks/post-commit" -#else -# echo >&2 "=== Password store is not configured yet, skipping..." -#fi - -#if is_chroot; then -# echo >&2 "=== Running in chroot, skipping GTK file chooser dialog configuration..." -#else -# echo "Configuring GTK file chooser dialog" -# gsettings set org.gtk.Settings.FileChooser sort-directories-first true -#fi - -#echo "Ignoring further changes to often changing config" -#git update-index --assume-unchanged ".config/transmission/settings.json" - -#echo "Configure repo-local git settings" -#git config user.email "code@strobel.one" -#git config user.signingkey "$MY_PGP_KEY_ID" -#git config commit.gpgsign true -#git remote set-url origin "git@github.com:maximbaz/dotfiles.git" diff --git a/setup-system.sh b/setup-system.sh deleted file mode 100755 index 15536fc..0000000 --- a/setup-system.sh +++ /dev/null 
@@ -1,206 +0,0 @@
-#!/bin/bash
-
-set -e
-exec 2> >(while read line; do echo -e "\e[01;31m$line\e[0m"; done)
-
-script_name="$(basename "$0")"
-dotfiles_dir="$(
- cd "$(dirname "$0")"
- pwd
-)"
-cd "$dotfiles_dir"
-
-if (("$EUID")); then
- sudo -s "$dotfiles_dir/$script_name" "$@"
- exit 0
-fi
-
-if [ "$1" = "-r" ]; then
- echo >&2 "Running in reverse mode!"
- reverse=1
-fi
-
-copy() {
- if [ -z "$reverse" ]; then
- orig_file="$dotfiles_dir/$1"
- dest_file="/$1"
- else
- orig_file="/$1"
- dest_file="$dotfiles_dir/$1"
- fi
-
- mkdir -p "$(dirname "$orig_file")"
- mkdir -p "$(dirname "$dest_file")"
-
- rm -rf "$dest_file"
-
- cp -R "$orig_file" "$dest_file"
- if [ -z "$reverse" ]; then
- [ -n "$2" ] && chmod "$2" "$dest_file"
- else
- chown -R $USER "$dest_file"
- fi
- echo "$dest_file <= $orig_file"
-}
-
-is_chroot() {
- ! cmp -s /proc/1/mountinfo /proc/self/mountinfo
-}
-
-systemctl_enable() {
- echo "systemctl enable "$1""
- systemctl enable "$1"
-}
-
-systemctl_enable_start() {
- echo "systemctl enable --now "$1""
- systemctl enable "$1"
- systemctl start "$1"
-}
-
-echo ""
-echo "=========================="
-echo "Setting up /etc configs..."
-echo "=========================="
-
-copy "etc/kernel/cmdline"
-copy "etc/sysctl.d/20-quiet-printk.conf"
-copy "etc/modprobe.d/i915.conf"
-#copy "etc/aurutils/pacman-x86_64.conf"
-copy "etc/bluetooth/main.conf"
-#copy "etc/conf.d/snapper"
-#copy "etc/default/earlyoom"
-#copy "etc/docker/daemon.json"
-#copy "etc/fwupd/uefi_capsule.conf"
-#copy "etc/modules-load.d/v4l2loopback.conf"
-#copy "etc/modprobe.d/v4l2loopback.conf"
-#copy "etc/nftables.conf"
-#copy "etc/pacman.conf"
-#copy "etc/pacman.d/hooks"
-#copy "etc/pam.d/polkit-1"
-#copy "etc/pam.d/sudo"
-copy "etc/snap-pac.ini"
-copy "etc/snapper/configs/root"
-#copy "etc/ssh/ssh_config"
-copy "etc/sudoers.d/override"
-#copy "etc/sysctl.d/99-sysctl.conf"
-#copy "etc/systemd/journald.conf.d/override.conf"
-#copy "etc/systemd/logind.conf.d/override.conf"
-copy "etc/systemd/network/20-wired.network"
-copy "etc/systemd/network/25-wireless.network"
-copy "etc/iwd/main.conf"
-copy "etc/mkinitcpio.conf"
-#copy "etc/systemd/resolved.conf.d/dnssec.conf"
-copy "etc/systemd/system/getty@tty1.service.d/override.conf"
-#copy "etc/systemd/system/usbguard.service.d/override.conf"
-#copy "etc/systemd/system/reflector.service"
-#copy "etc/systemd/system/reflector.timer"
-#copy "etc/systemd/system/system-dotfiles-sync.service"
-#copy "etc/systemd/system/system-dotfiles-sync.timer"
-#copy "etc/systemd/system.conf.d/kill-fast.conf"
-#copy "etc/usbguard/usbguard-daemon.conf" 600
-#copy "etc/systemd/system/backup-repo@pkgbuild"
-#copy "etc/systemd/system/backup-repo@.service"
-#copy "etc/systemd/system/backup-repo@.timer"
-
-(("$reverse")) && exit 0
-
-echo ""
-echo "================================="
-echo "Enabling and starting services..."
-echo "================================="
-
-sysctl --system > /dev/null
-
-systemctl daemon-reload
-systemctl_enable_start "bluetooth.service"
-#systemctl_enable_start "btrfs-scrub@-.timer"
-#systemctl_enable_start "btrfs-scrub@mnt-btrfs\x2droot.timer"
-#systemctl_enable_start "btrfs-scrub@home.timer"
-#systemctl_enable_start "btrfs-scrub@var-cache-pacman.timer"
-#systemctl_enable_start "btrfs-scrub@var-log.timer"
-#systemctl_enable_start "btrfs-scrub@var-tmp.timer"
-#systemctl_enable_start "btrfs-scrub@\x2esnapshots.timer"
-#systemctl_enable_start "btrfs-scrub@var-lib-aurbuild.timer"
-#systemctl_enable_start "btrfs-scrub@var-lib-archbuild.timer"
-#systemctl_enable_start "btrfs-scrub@var-lib-docker.timer"
-#systemctl_enable_start "docker.socket"
-#systemctl_enable_start "earlyoom.service"
-systemctl_enable_start "fstrim.timer"
-systemctl_enable_start "iwd.service"
-#systemctl_enable_start "linux-modules-cleanup.service"
-#systemctl_enable_start "lenovo_fix.service"
-#systemctl_enable_start "nftables.service"
-systemctl_enable_start "pcscd.socket"
-#systemctl_enable_start "reflector.timer"
-#systemctl_enable_start "snapper-cleanup.timer"
-#systemctl_enable_start "system-dotfiles-sync.timer"
-systemctl_enable_start "systemd-networkd.socket"
-systemctl_enable_start "systemd-resolved.service"
-systemctl_enable_start "systemd-timesyncd"
-#systemctl_enable_start "tlp.service"
-
-#if [ ! -s "/etc/usbguard/rules.conf" ]; then
-# echo >&2 "=== Remember to set usbguard rules: usbguard generate-policy >! /etc/usbguard/rules.conf"
-#else
-# chmod 600 /etc/usbguard/rules.conf
-# systemctl_enable_start "usbguard.service"
-# systemctl_enable_start "usbguard-dbus.service"
-#fi
-
-#systemctl_enable_start "backup-repo@pkgbuild.timer"
-
-#echo ""
-#echo "==============================="
-#echo "Creating top level Trash dir..."
-#echo "==============================="
-#mkdir --parent /.Trash
-#chmod a+rw /.Trash
-#chmod +t /.Trash
-#echo "Done"
-
-echo ""
-echo "======================================="
-echo "Finishing various user configuration..."
-echo "======================================="
-
-if is_chroot; then
- echo >&2 "=== Running in chroot, skipping /etc/resolv.conf setup..."
-else
- echo "Configuring /etc/resolv.conf"
- ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
-fi
-
-echo "Configuring NTP"
-timedatectl set-ntp true
-
-echo "Configuring aurutils"
-ln -sf /etc/pacman.conf /etc/aurutils/pacman-tobias-local.conf
-
-PLYMOUTH_THEME="spinner"
-if [ "$(plymouth-set-default-theme)" != "$PLYMOUTH_THEME" ]; then
- echo "Configuring plymouth"
- plymouth-set-default-theme "$PLYMOUTH_THEME"
-fi
-
-echo "Configuring mkinitcpio + secure boot"
-
-mkinitcpio -P
-
-if [ ! -s "/etc/arch-secure-boot/keys/PK.auth" ]; then
- arch-secure-boot initial-setup
-else
- arch-secure-boot generate-efi
-fi
-
-if [ ! -f /efi/EFI/secureboot/KeyTool-signed.efi ]; then
- echo "Preparing KeyTool to allow install PK key"
- mkdir -p /efi/EFI/secureboot
- sbsign --key /etc/arch-secure-boot/keys/db.key --cert /etc/arch-secure-boot/keys/db.crt --output /efi/EFI/secureboot/KeyTool-signed.efi /usr/share/efitools/efi/KeyTool.efi
- cp /etc/secureboot/keys/PK/PK.auth /efi/EFI/secureboot/PK.auth
- mount="$(findmnt -n -o SOURCE -T "/efi")"
- partition="${mount##*[!0-9]}"
- entry="/EFI/secureboot/KeyTool-signed.efi"
- efibootmgr -d "$mount" -p "$partition" -c -l "${entry//\//\\}" -L "KeyTool"
- echo "Reboot into KeyTool and install PK key (EFI/secureboot/PK.auth) to UEFI"
-fi