Update new setup

etc/dracut-sbctl.conf

@@ -0,0 +1,5 @@
+# Sign unified images with sbctl keys to support secure boot
+uefi_secureboot_cert="/usr/share/secureboot/keys/db/db.pem"
+uefi_secureboot_key="/usr/share/secureboot/keys/db/db.key"
+# Enable lockdown if secure boot's on to prevent loading unsigned kernel modules
+kernel_cmdline+=" lockdown=integrity "

etc/dracut.conf

@@ -0,0 +1,19 @@
+# Do not show systemd messages at startup (quiet)
+# Show plymouth splash screen
+kernel_cmdline+=" quiet loglevel=3 rd.udev.log_level=3 fbconf=nodefer splash vt.global_cursor_default=0 mem_sleep_default=deep "
+# Compress to load faster
+compress="zstd"
+# Use hostonly to exclude unnecessary modules, but do not include the hostonly
+# cmdline in the image, because I rely on discoverable partitions to mount the
+# root filesystem.
+# See <https://github.com/dracutdevs/dracut/issues/723#issuecomment-792248568>
+hostonly="yes"
+hostonly_cmdline="no"
+# Add video drivers for early KMS
+add_drivers+=" i915 "
+# Omit bluetooth; I do not have bluetooth hardware I'd need during early boot,
+# and as of 2021-12 it fails to build anyway, see
+# https://bugs.archlinux.org/task/72463 and https://github.com/dracutdevs/dracut/pull/1671
+omit_dracutmodules+=" bluetooth "
+# Make sure we have the TPM stack available
+add_dracutmodules+=" tpm2-tss "

etc/faillock.conf

@@ -0,0 +1,8 @@
+# Reduce the aggressive defaults of faillock (three failed attempts within 15 minutes lock for 10 minutes) to something
+# bearable and pragmatic: 10 failed attempts within 15 minutes lock for 10 minutes
+
+# Ten failed attempts within 15 minutes…
+deny = 10
+fail_interval = 900
+# …lock the system for ten minutes
+unlock_time = 600

etc/gdm-profile

@@ -0,0 +1,3 @@
+user-db:user
+system-db:gdm
+file-db:/usr/share/gdm/greeter-dconf-defaults

etc/iwd/main.conf

@@ -1,5 +0,0 @@
-[General]
-EnableNetworkConfiguration=true
-
-[Network]
-EnableIPv6=true

etc/kernel/cmdline

@@ -1 +0,0 @@
-rd.luks.name=a4a8535e-cd13-4656-8de3-5394281cb369=luks rd.luks.options=fido2-device=auto root=LABEL=btrfs rootflags=subvol=root rw quiet loglevel=3 rd.udev.log_level=3 fbconf=nodefer splash vt.global_cursor_default=0 mem_sleep_default=deep

etc/loader.conf

@@ -0,0 +1,7 @@
+# Directly boot the default kernel; to make the boot menu appear
+# press any key during the firmware splash screen.
+timeout 0
+# Disable the editor to prevent editing the command line; doesn't matter
+# much because in secure boot mode the kernel ignores the boot loader command
+# line anyway.
+editor no

etc/mkinitcpio.conf

@@ -1,4 +0,0 @@
-MODULES=(i915)
-BINARIES=(/usr/bin/btrfs)
-FILES=()
-HOOKS=(base systemd sd-plymouth keyboard autodetect sd-vconsole modconf block sd-encrypt filesystems fsck)

etc/modprobe.conf

@@ -0,0 +1,9 @@
+# Managed by my dotfiles
+
+# Blacklist pcspkr to silence beeps
+blacklist pcspkr
+# See https://wiki.archlinux.org/index.php/Power_management
+options snd_hda_intel power_save=1
+options snd_ac97_codec power_save=1
+options iwlwifi power_save=1
+options i915 fastboot=1

etc/modprobe.d/i915.conf

@@ -1 +0,0 @@
-options i915 fastboot=1

etc/networkmanager-mdns.conf

@@ -0,0 +1,7 @@
+[connection]
+# Enable mDNS resolving (1) on all interfaces by default, but do not enable
+# mDNS responding, i.e. do not register an mDNS hostname for this connection (2)
+#
+# We use systemd-resolved only for resolution because responding is handled by
+# Avahi for proper discovery.
+connection.mdns=1

etc/pacman/00-global-options.conf

@@ -0,0 +1,4 @@
+# Enable colors
+Color
+VerbosePkgLists
+ParallelDownloads = 5

etc/pacman/50-core-repositories.conf

@@ -0,0 +1,27 @@
+# The testing repositories are disabled by default. To enable, uncomment the
+# repo name header and Include lines. You can add preferred servers immediately
+# after the header, and they will be used before the default mirrors.
+
+#[testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[core]
+Include = /etc/pacman.d/mirrorlist
+
+[extra]
+Include = /etc/pacman.d/mirrorlist
+
+#[community-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[community]
+Include = /etc/pacman.d/mirrorlist
+
+# If you want to run 32 bit applications on your x86_64 system,
+# enable the multilib repositories as required here.
+
+#[multilib-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+#[multilib]
+#Include = /etc/pacman.d/mirrorlist

etc/pacman/55-multilib-repository.conf

@@ -0,0 +1,8 @@
+# If you want to run 32 bit applications on your x86_64 system,
+# enable the multilib repositories as required here.
+
+#[multilib-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+#[multilib]
+#Include = /etc/pacman.d/mirrorlist

etc/pacman/60-aurutils-repository.conf

@@ -0,0 +1,4 @@
+# aurutils repo
+[aur]
+SigLevel = Optional TrustAll
+Server = file:///var/cache/pacman/aur

etc/pacman/99-options.conf

@@ -0,0 +1,2 @@
+[options]
+CacheDir = /var/cache/pacman/pkg

etc/pacman/pacman.conf

@@ -0,0 +1,69 @@
+#
+# /etc/pacman.conf
+#
+# See the pacman.conf(5) manpage for option and repository directives
+
+#
+# GENERAL OPTIONS
+#
+[options]
+# The following paths are commented out with their default values listed.
+# If you wish to use different paths, uncomment and update the paths.
+#RootDir     = /
+#DBPath      = /var/lib/pacman/
+#CacheDir    = /var/cache/pacman/pkg/
+#LogFile     = /var/log/pacman.log
+#GPGDir      = /etc/pacman.d/gnupg/
+#HookDir     = /etc/pacman.d/hooks/
+HoldPkg     = pacman glibc
+#XferCommand = /usr/bin/curl -L -C - -f -o %o %u
+#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
+#CleanMethod = KeepInstalled
+Architecture = auto
+
+# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
+#IgnorePkg   =
+#IgnoreGroup =
+
+#NoUpgrade   =
+#NoExtract   =
+
+# Misc options
+#UseSyslog
+#Color
+#NoProgressBar
+CheckSpace
+#VerbosePkgLists
+#ParallelDownloads = 5
+
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
+SigLevel    = Required DatabaseOptional
+LocalFileSigLevel = Optional
+#RemoteFileSigLevel = Required
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
+
+#
+# REPOSITORIES
+#   - can be defined here or included from another file
+#   - pacman will search repositories in the order defined here
+#   - local/custom mirrors can be added here or in separate files
+#   - repositories listed first will take precedence when packages
+#     have identical names, regardless of version number
+#   - URLs will have $repo replaced by the name of the current repo
+#   - URLs will have $arch replaced by the name of the architecture
+#
+# Repository entries are of the format:
+#       [repo-name]
+#       Server = ServerName
+#       Include = IncludePath
+#
+# The header [repo-name] is crucial - it must be present and
+# uncommented to enable the repo.
+#
+
+# Include configuration snippets
+Include = /etc/pacman.d/conf.d/*.conf

etc/reflector.conf

@@ -0,0 +1,5 @@
+--save /etc/pacman.d/mirrorlist
+--protocol https
+--country Germany
+--latest 5
+--sort age

etc/snap-pac.ini

@@ -1,46 +0,0 @@
-# snap-pac example configuration file
-# see snap-pac(8) for more details
-
-# Each section corresponds with a snapper configuration. Add additional sections to add
-# other configurations to be snapshotted. By default, only the root configuration is snapshotted.
-# Create a section named [DEFAULT] to have a setting apply for all snapper configurations
-
-## Uncomment to set parameters for snapper configuration named root
-#[root]
-
-## How many characters to limit the description for snapper.
-## Default is 72
-#desc_limit = 72
-
-## Whether or not to take snapshots of this snapper configuration
-## Default is True for root configuration and False for all other configurations
-#snapshot = True
-
-## What snapper cleanup algorithm to use
-## Default is number
-#cleanup_algorithm = number
-
-## Pre snapshot description.
-## Default is the pacman command that triggered the hook
-#pre_description = pacman pre snapshot
-
-## Post snapshot description.
-## Default is the list of packages involved in the pacman transaction
-#post_description = pacman post snapshot
-
-## Uncomment to add "important=yes" to userdata for snapshots referring to these packages
-## Default is []
-#important_packages = ["linux", "linux-lts"]
-
-## Uncomment to add "important=yes" to userdata for snapshots that were created with the following commands
-## Default is []
-#important_commands = ["pacman -Syu"]
-
-## Add custom userdata. Each key-value pair should be an item in the list
-## Default is []
-#userdata = ["key=value","foo=bar"]
-
-## Example for another snapper configuration named "home"
-# [home]
-## Default is False
-# snapshot = True

etc/sudoers.d/10-defaults

@@ -0,0 +1,35 @@
+#
+# Refuse to run if unable to disable echo on the tty.
+#
+Defaults   !visiblepw
+
+#
+# Preserving HOME has security implications since many programs
+# use it when searching for configuration files. Note that HOME
+# is already set when the the env_reset option is enabled, so
+# this option is only effective for configurations where either
+# env_reset is disabled or HOME is present in the env_keep list.
+#
+Defaults    always_set_home
+
+#
+# Provide password input feedback.
+#
+Defaults pwfeedback
+
+#
+# Lookup sudoers groups by ID instead of looking up user groups by name;
+# we only have one or two groups in this config so looking up by ID is more
+# effective.
+#
+Defaults    match_group_by_gid
+
+#
+# Keep a bunch of locale settings and other stuff.
+#
+Defaults    env_reset
+Defaults    env_keep =  "COLORS HOSTNAME HISTSIZE LS_COLORS"
+Defaults    env_keep += "MAIL LANG LC_ADDRESS LC_CTYPE"
+Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
+Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
+Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

etc/sudoers.d/50-aurutils

@@ -0,0 +1,2 @@
+%aurutils ALL = (root) NOPASSWD: SETENV: /usr/bin/makechrootpkg
+%aurutils ALL = (root) NOPASSWD: /usr/bin/mkarchroot, /usr/bin/arch-nspawn

etc/sysctl.conf

@@ -0,0 +1,58 @@
+# Don't let non-root users get addresses of kernel symbols
+kernel.kptr_restrict=1
+
+# Disable kexec to disallow replacing the running kernel.
+kernel.kexec_load_disabled=1
+
+# Only let root ptrace processes, for security reasons.
+# Perhaps I'll need to disable this again for devtools & debugging
+kernel.yama.ptrace_scope=2
+
+# IPv6 Privacy Extensions (RFC 4941)
+# ---
+# IPv6 typically uses a device's MAC address when choosing an IPv6 address
+# to use in autoconfiguration. Privacy extensions allow using a randomly
+# generated IPv6 address, which increases privacy.
+#
+# Acceptable values:
+#    0 - don’t use privacy extensions.
+#    1 - generate privacy addresses
+#    2 - prefer privacy addresses and use them over the normal addresses.
+net.ipv6.conf.all.use_tempaddr=2
+net.ipv6.conf.default.use_tempaddr=2
+
+# The magic SysRq key enables certain keyboard combinations to be
+# interpreted by the kernel to help with debugging. The kernel will respond
+# to these keys regardless of the current running applications.
+#
+# In general, the magic SysRq key is not needed for the average Ubuntu
+# system, and having it enabled by default can lead to security issues on
+# the console such as being able to dump memory or to kill arbitrary
+# processes including the running screen lock.
+#
+# Here is the list of possible values:
+#   0 - disable sysrq completely
+#   1 - enable all functions of sysrq
+#  >1 - enable certain functions by adding up the following values:
+#          2 - enable control of console logging level
+#          4 - enable control of keyboard (SAK, unraw)
+#          8 - enable debugging dumps of processes etc.
+#         16 - enable sync command
+#         32 - enable remount read-only
+#         64 - enable signalling of processes (term, kill, oom-kill)
+#        128 - allow reboot/poweroff
+#        256 - allow nicing of all RT tasks
+#
+#   For example, to enable both control of console logging level and
+#   debugging dumps of processes: kernel.sysrq = 10
+#
+# 128 + 32 + 16
+kernel.sysrq=176
+
+# Disable NMI watchdog (powertop recommendation)
+kernel.nmi_watchdog=0
+# Increase writeback time (default's 500, powertop recommendation)
+vm.dirty_writeback_centisecs=1500
+
+# Quiet
+kernel.printk = 3 3 3 3

etc/sysctl.d/20-quiet-printk.conf

@@ -1 +0,0 @@
-kernel.printk = 3 3 3 3

etc/systemd/network/20-wired.network

@@ -1,13 +0,0 @@
-[Match]
-Name=en*
-
-[Network]
-DHCP=yes
-
-[DHCPv4]
-RouteMetric=10
-UseDomains=true
-
-[IPv6AcceptRA]
-RouteMetric=10
-UseDomains=yes

etc/systemd/network/25-wireless.network

@@ -1,13 +0,0 @@
-[Match]
-Name=wl*
-
-[Network]
-DHCP=yes
-
-[DHCPv4]
-RouteMetric=20
-UseDomains=true
-
-[IPv6AcceptRA]
-RouteMetric=20
-UseDomains=yes

etc/systemd/oomd.conf

@@ -0,0 +1,3 @@
+[OOM]
+# Reduce default of 30s to 20s; taken from Fedora, so it's likely a good idea
+DefaultMemoryPressureDurationSec=20s

etc/systemd/resolved.conf

@@ -0,0 +1,6 @@
+# Managed by my dotfiles
+[Resolve]
+# Resolve mDNS hostnames via resolved, but leave the rest to Avahi
+MulticastDNS=resolve
+# Enable and enforce DNSSEC
+DNSSEC=true

etc/systemd/root-slice-oomd.conf

@@ -0,0 +1,13 @@
+[Slice]
+# Monitor all units, slices, etc. for OOM conditions based on current swap usage
+# (default limit is 90% swap use).  When the system uses more swap than this
+# limit system will start acting on control groups using most swap, in order
+# of swap usage (see oomd.conf(5) for details).
+#
+# systemd recommends to set this on the root slice (see systemd-oomd.service(8)).
+#
+# systemd does not recommend to generally act upon memory pressure, because most
+# system services run fine under memory pressure, and latency (i.e. having a
+# responsive service) is usually not important for system services (which are
+# mostly invisible anyway).
+ManagedOOMSwap=kill

etc/systemd/system.conf

@@ -0,0 +1,7 @@
+[Manager]
+# Enable various cgroup accounts to support systemd-oomd.
+# See systemd-oomd(1)
+DefaultCPUAccounting=true
+DefaultIOAccounting=true
+DefaultMemoryAccounting=true
+DefaultTasksAccounting=true

etc/systemd/system/getty@tty1.service.d/override.conf

@@ -1,3 +0,0 @@
-[Service]
-ExecStart=
-ExecStart=/usr/bin/agetty --skip-login --nonewline --noissue --autologin tobias --noclear %I $TERM

etc/systemd/timesyncd.conf

@@ -0,0 +1,3 @@
+[Time]
+# Default set of NTP servers
+NTP=0.de.pool.ntp.org 1.de.pool.ntp.org 2.de.pool.ntp.org 3.de.pool.ntp.org

etc/systemd/user-service-oomd.conf

@@ -0,0 +1,17 @@
+[Service]
+# Allow oomd to act on user units under memory pressure;  if a unit is under
+# memory pressure for a configured amount of time (see ooomd configuration)
+# oomd may kill the unit.
+#
+# systemd-oomd.service(8) recommends to set this for the user service, to keep
+# the user slice responsive.  If applications run under memory pressure they
+# cease being responsive, so we should kill them early to make sure the system
+# stays responsive.
+ManagedOOMMemoryPressure=kill
+# Reduce the amount of time a unit must be under memory pressure before oomd.
+# Overrides the oomd default of 90%, see oomd.conf(5) for the precise meaning
+# of this setting.
+#
+# systemd-oomd.service(8) recommends to reduce this for user services; it says
+# 40%, but Fedora's defaults are 50%, so let's follow Fedora here.
+ManagedOOMMemoryPressureLimit=50%

etc/systemd/zram-generator.conf

@@ -0,0 +1 @@
+[zram0]