Update new setup

Tobias Strobel 2022-09-25 20:01:11 +02:00
parent 842511035a
commit 39633f5303
48 changed files with 944 additions and 1210 deletions


@ -1,4 +1,4 @@
# Do not apply the following files # Do not apply the following files
etc/ etc/
install.sh install.sh
setup-system.sh bootstrap-from-iso.sh

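--- a/bootstrap-from-iso.sh
+++ b/bootstrap-from-iso.sh
@@ -0,0 +1,195 @@
+#!/usr/bin/env bash
+#
+# Bootstrap a new Arch system from an installation ISO.
+#
+# Bootable USB:
+# - [Download](https://archlinux.org/download/) ISO and GPG files
+# - Verify the ISO file: `$ pacman-key -v archlinux-<version>-x86_64.iso.sig`
+# - Create a bootable USB with: `# dd if=archlinux*.iso of=/dev/sdX && sync`
+#
+# UEFI setup:
+#
+# - Set boot mode to UEFI, disable Legacy mode entirely.
+# - Temporarily disable Secure Boot.
+# - Make sure a strong UEFI administrator password is set.
+# - Delete preloaded OEM keys for Secure Boot, allow custom ones.
+#
+# Run installation:
+#
+# - Connect to wifi via: `# iwctl station wlan0 connect $SSID`
+# - Run: `# bash <(curl -sL https://link.rafe.li/dot)`
+#
+set -uo pipefail
+trap 's=$?; echo "$0: Error on line "$LINENO": $BASH_COMMAND"; exit $s' ERR
+args=()
+target_device=""
+new_hostname=""
+while [[ $# -gt 0 ]]
+do
+arg="$1"
+case "$arg" in
+"--device")
+target_device="$2"
+shift
+shift
+;;
+"--hostname")
+new_hostname="$2"
+shift
+shift
+;;
+*)
+args+=("$arg")
+shift;
+esac
+done
+if [[ -z "$target_device" ]]; then
+echo "Missing --device <device> argument" >&2
+exit 2;
+fi
+if [[ -z "$new_hostname" ]]; then
+echo "Missing --hostname <hostname> argument" >&2
+exit 2;
+fi
+if [[ "${#args[@]}" -ne 0 ]]; then
+echo "Unexpected extra arguments: ${args[*]}" >&2
+exit 2
+fi
+if [ ! -f /sys/firmware/efi/fw_platform_size ]; then
+echo >&2 "You must boot in UEFI mode to continue"
+exit 2
+fi
+if [[ "$UID" -ne 0 ]]; then
+echo "This script needs to be run as root!" >&2
+exit 3
+fi
+read -rp "THIS SCRIPT WILL OVERWRITE ALL CONTENTS OF ${target_device}. Type uppercase yes to continue: " confirmed
+if [[ "$confirmed" != "YES" ]]; then
+echo "aborted" >&2
+exit 128
+fi
+timedatectl set-ntp true
+hwclock --systohc --utc
+loadkeys de-latin1
+# Partition
+sgdisk --zap-all "${target_device}"
+sgdisk --clear \
+--new 1:0:+550MiB --typecode 1:ef00 --change-name 1:EFI \
+--new 2:0:+8GiB --typecode 2:8200 --change-name 2:swap \
+--new 3 --typecode 3:8304 --change-name 3:system \
+"${target_device}"
+# Reload partition table
+sleep 5
+partprobe -s "${target_device}"
+sleep 3
+# Encrypt root
+echo -n "password" | cryptsetup luksFormat --type luks2 --pbkdf argon2id "/dev/disk/by-partlabel/system"
+echo -n "password" | cryptsetup luksOpen --allow-discards --persistent "/dev/disk/by-partlabel/system" system
+# Create file systems
+mkfs.fat -F 32 -n "EFI" /dev/disk/by-partlabel/EFI
+mkfs.btrfs --force --label system /dev/mapper/system
+# Mount system subvolume and create additional subvolumes
+o=defaults,x-mount.mkdir
+o_btrfs=$o,compress=zstd,ssd,noatime
+mount -t btrfs LABEL=system /mnt
+btrfs subvolume create /mnt/@ # /
+btrfs subvolume create /mnt/@home # /home
+btrfs subvolume create /mnt/@snapshots # /.snapshots
+btrfs subvolume create /mnt/@pkg # /var/cache/pacman/pkg
+btrfs subvolume create /mnt/@aurbuild # /var/lib/aurbuild
+btrfs subvolume create /mnt/@archbuild # /var/lib/archbuild
+btrfs subvolume create /mnt/@log # /var/log
+btrfs subvolume create /mnt/@tmp # /var/tmp
+umount -R /mnt
+mount -t btrfs -o subvol=@,$o_btrfs LABEL=system /mnt
+mount -t btrfs -o subvol=@home,$o_btrfs,nodatacow LABEL=system /mnt/home
+mount -t btrfs -o subvol=@snapshots,$o_btrfs LABEL=system /mnt/.snapshots
+mount -t btrfs -o subvol=@pkg,$o_btrfs LABEL=system /mnt/var/cache/pacman/pkg
+mount -t btrfs -o subvol=@aurbuild,$o_btrfs LABEL=system /mnt/var/lib/aurbuild
+mount -t btrfs -o subvol=@archbuild,$o_btrfs LABEL=system /mnt/var/lib/archbuild
+mount -t btrfs -o subvol=@log,$o_btrfs LABEL=system /mnt/var/log
+mount -t btrfs -o subvol=@tmp,$o_btrfs LABEL=system /mnt/var/tmp
+# Mount additional partitions
+mount -o $o LABEL=EFI /mnt/efi
+# Change default btrfs sub-volume (for DPS)
+default_subvolume=$(btrfs subvolume list /mnt | grep "path @$" | cut -d ' ' -f2)
+btrfs subvolume set-default ${default_subvolume} /mnt
+# Disable CoW for /home due to large loopback files by systemd-homed
+chattr +C /mnt/home
+if ! grep "# Installer cache" /etc/pacman.conf > /dev/null; then
+cat >> /etc/pacman.conf << EOF
+# Installer cache
+[options]
+CacheDir = /mnt/var/cache/pacman/pkg
+EOF
+fi
+# Bootstrap new chroot
+reflector --country 'Germany' --protocol https --sort age --latest 5 --save /etc/pacman.d/mirrorlist
+pacstrap /mnt base linux linux-firmware intel-ucode btrfs-progs dracut neovim iwd networkmanager
+genfstab -L -p /mnt >> /mnt/etc/fstab
+# Configure timezone, locale, keymap, network
+sed -i 's/^#en_US\.UTF-8/en_US\.UTF-8/' /mnt/etc/locale.gen
+sed -i 's/^#de_DE\.UTF-8/de_DE\.UTF-8/' /mnt/etc/locale.gen
+arch-chroot /mnt locale-gen
+arch-chroot /mnt systemd-firstboot \
+--locale="en_US.UTF-8" \
+--keymap="de-latin1" \
+--timezone="Europe/Berlin" \
+--hostname="${new_hostname}" \
+--setup-machine-id
+echo -e "127.0.0.1\tlocalhost" >> /mnt/etc/hosts
+echo -e "127.0.1.1\t$new_hostname" >> /mnt/etc/hosts
+echo -e "\n::1\tlocalhost" >> /mnt/etc/hosts
+# Use systemd-resolved as dns backend for NetworkManager (auto-detected)
+ln -sf /run/systemd/resolve/stub-resolv.conf /mnt/etc/resolv.conf
+# Enable iwd as wifi backend for NetworkManager
+cat > /mnt/etc/NetworkManager/conf.d/wifi-backend.conf <<EOF
+[device]
+wifi.backend=iwd
+EOF
+# Install dracut opt deps required to build unified kernel images
+arch-chroot /mnt pacman -S --noconfirm --asdeps binutils elfutils
+arch-chroot /mnt dracut -f --uefi --regenerate-all
+# Install bootloader
+arch-chroot /mnt bootctl install
+# Enable resolved
+systemctl --root /mnt enable systemd-resolved
+# Enable NetworkManager
+systemctl --root /mnt enable NetworkManager
+# Enable homed
+systemctl --root /mnt enable systemd-homed
+# Set root password
+echo "root:password" | chpasswd -R /mnt
+echo "BOOTSTRAPPING FINISHED"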
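Review bot: The LUKS container and the root account are both created with the literal passphrase "password" — `echo -n "password" | cryptsetup luksFormat …`, the matching `luksOpen` line and `echo "root:password" | chpasswd -R /mnt` — so every machine bootstrapped by this script has full-disk encryption keyed to a publicly known string until someone remembers to change it. Read the passphrase once, e.g. `read -rsp 'LUKS passphrase: ' luks_pass`, feed it to both cryptsetup calls with `printf '%s' "$luks_pass" |`, and expire the placeholder root password with `passwd -e -R /mnt` so it has to be replaced at first login. Independently, `btrfs subvolume set-default ${default_subvolume} /mnt` passes the id unquoted and runs with an empty argument if the grep matches nothing; quote it and guard with `[[ -n "$default_subvolume" ]]` before the call.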


@ -1,241 +0,0 @@
# Default config for sway
#
# Copy this to ~/.config/sway/config and edit it to your liking.
#
# Read `man 5 sway` for a complete reference.
### Variables
#
# Logo key. Use Mod1 for Alt.
set $mod Mod4
# Home row direction keys, like vim
set $left h
set $down j
set $up k
set $right l
# Your preferred terminal emulator
set $term foot
### Output configuration
#
# Default wallpaper (more resolutions are available in /usr/share/backgrounds/sway/)
output * bg /usr/share/backgrounds/sway/Sway_Wallpaper_Blue_1920x1080.png fill
#
# Example configuration:
#
# output HDMI-A-1 resolution 1920x1080 position 1920,0
#
# You can get the names of your outputs by running: swaymsg -t get_outputs
### Idle configuration
#
# Example configuration:
#
exec swayidle -w \
timeout 300 'swaylock -f -c 1e1e1e' \
timeout 600 'swaymsg "output * dpms off"' resume 'swaymsg "output * dpms on"' \
before-sleep 'swaylock -f -c 1e1e1e'
#
# This will lock your screen after 300 seconds of inactivity, then turn off
# your displays after another 300 seconds, and turn your screens back on when
# resumed. It will also lock your screen before your computer goes to sleep.
### Input configuration
#
# Example configuration:
#
# input "2:14:SynPS/2_Synaptics_TouchPad" {
# dwt enabled
# tap enabled
# natural_scroll enabled
# middle_emulation enabled
# }
#
# You can get the names of your inputs by running: swaymsg -t get_inputs
# Read `man 5 sway-input` for more information about this section.
input * {
xkb_layout "de"
}
input type:touchpad {
tap enabled
natural_scroll enabled
}
seat * hide_cursor 10000
# Gaps
gaps inner 5
smart_gaps on
# Borders
default_border pixel 2
default_floating_border none
hide_edge_borders --i3 none
# Disable cursor jumping
mouse_warping none
focus_follows_mouse no
tiling_drag disable
for_window [app_id=".*"] sticky enable
for_window [window_role="pop-up"] floating enable
### Key bindings
#
# Basics:
#
# Start a terminal
bindsym $mod+Return exec $term
# Kill focused window
bindsym $mod+Shift+q kill
# Start your launcher
bindsym $mod+d exec cglaunch wldash
# Drag floating windows by holding down $mod and left mouse button.
# Resize them with right mouse button + $mod.
# Despite the name, also works for non-floating windows.
# Change normal to inverse to use left mouse button for resizing and right
# mouse button for dragging.
floating_modifier $mod normal
# Reload the configuration file
bindsym $mod+Shift+c reload
# Exit sway (logs you out of your Wayland session)
bindsym $mod+Shift+e exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -B 'Yes, exit sway' 'swaymsg exit'
#
# Moving around:
#
# Move your focus around
bindsym $mod+$left focus left
bindsym $mod+$down focus down
bindsym $mod+$up focus up
bindsym $mod+$right focus right
# Or use $mod+[up|down|left|right]
bindsym $mod+Left focus left
bindsym $mod+Down focus down
bindsym $mod+Up focus up
bindsym $mod+Right focus right
# Move the focused window with the same, but add Shift
bindsym $mod+Shift+$left move left
bindsym $mod+Shift+$down move down
bindsym $mod+Shift+$up move up
bindsym $mod+Shift+$right move right
# Ditto, with arrow keys
bindsym $mod+Shift+Left move left
bindsym $mod+Shift+Down move down
bindsym $mod+Shift+Up move up
bindsym $mod+Shift+Right move right
#
# Workspaces:
#
# Switch to workspace
bindsym $mod+1 workspace number 1
bindsym $mod+2 workspace number 2
bindsym $mod+3 workspace number 3
bindsym $mod+4 workspace number 4
bindsym $mod+5 workspace number 5
bindsym $mod+6 workspace number 6
bindsym $mod+7 workspace number 7
bindsym $mod+8 workspace number 8
bindsym $mod+9 workspace number 9
bindsym $mod+0 workspace number 10
# Move focused container to workspace
bindsym $mod+Shift+1 move container to workspace number 1
bindsym $mod+Shift+2 move container to workspace number 2
bindsym $mod+Shift+3 move container to workspace number 3
bindsym $mod+Shift+4 move container to workspace number 4
bindsym $mod+Shift+5 move container to workspace number 5
bindsym $mod+Shift+6 move container to workspace number 6
bindsym $mod+Shift+7 move container to workspace number 7
bindsym $mod+Shift+8 move container to workspace number 8
bindsym $mod+Shift+9 move container to workspace number 9
bindsym $mod+Shift+0 move container to workspace number 10
# Note: workspaces can have any name you want, not just numbers.
# We just use 1-10 as the default.
#
# Layout stuff:
#
# You can "split" the current object of your focus with
# $mod+b or $mod+v, for horizontal and vertical splits
# respectively.
bindsym $mod+b splith
bindsym $mod+v splitv
# Switch the current container between different layout styles
bindsym $mod+s layout stacking
bindsym $mod+w layout tabbed
bindsym $mod+e layout toggle split
# Make the current focus fullscreen
bindsym $mod+f fullscreen
# Toggle the current focus between tiling and floating mode
bindsym $mod+Shift+space floating toggle
# Swap focus between the tiling area and the floating area
bindsym $mod+space focus mode_toggle
# Move focus to the parent container
bindsym $mod+a focus parent
#
# Scratchpad:
#
# Sway has a "scratchpad", which is a bag of holding for windows.
# You can send windows there and get them back later.
# Move the currently focused window to the scratchpad
bindsym $mod+Shift+minus move scratchpad
# Show the next scratchpad window or hide the focused scratchpad window.
# If there are multiple scratchpad windows, this command cycles through them.
bindsym $mod+minus scratchpad show
#
# Resizing containers:
#
mode "resize" {
# left will shrink the containers width
# right will grow the containers width
# up will shrink the containers height
# down will grow the containers height
bindsym $left resize shrink width 10px
bindsym $down resize grow height 10px
bindsym $up resize shrink height 10px
bindsym $right resize grow width 10px
# Ditto, with arrow keys
bindsym Left resize shrink width 10px
bindsym Down resize grow height 10px
bindsym Up resize shrink height 10px
bindsym Right resize grow width 10px
# Return to default mode
bindsym Return mode "default"
bindsym Escape mode "default"
}
bindsym $mod+r mode "resize"
# Keybindings
bindsym --to-code {
XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%
XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%
XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle
XF86AudioMicMute exec pactl set-source-mute @DEFAULT_SOURCE@ toggle
XF86MonBrightnessDown exec brightnessctl set 5%-
XF86MonBrightnessUp exec brightnessctl set +5%
}
#
# Status Bar:
#
# Read `man 5 sway-bar` for more information about this section.
bar {
swaybar_command waybar
}
include /etc/sway/config.d/*
exec systemctl --user start sway-session.target


@ -1,6 +0,0 @@
[Unit]
Description=sway compositor session
Documentation=man:systemd.special(7)
BindsTo=graphical-session.target
Wants=graphical-session-pre.target
After=graphical-session-pre.target


@ -1,48 +0,0 @@
---
outputMode: active
scale: 2
background:
red: 0.14
green: 0.14
blue: 0.14
opacity: 1
widget:
margin:
margins: [40, 40, 40, 40]
widget:
verticalLayout:
- horizontalLayout:
- margin:
margins: [0, 176, 0, 64]
widget:
verticalLayout:
- date:
font: ~
font_size: 128.0
- clock:
font: ~
font_size: 512.0
- verticalLayout:
- margin:
margins: [0, 0, 0, 16]
widget:
battery:
font: ~
font_size: 48.0
length: 0
- calendar:
font_primary: ~
font_secondary: ~
font_size: 32.0
sections: 3
- launcher:
font: ~
font_size: 64.0
length: 0
app_opener: "cglaunch"
term_opener: "cglaunch --term"
url_opener: ""
fonts:
sans: sans
mono: mono

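--- a/etc/dracut-sbctl.conf
+++ b/etc/dracut-sbctl.conf
@@ -0,0 +1,5 @@
+# Sign unified images with sbctl keys to support secure boot
+uefi_secureboot_cert="/usr/share/secureboot/keys/db/db.pem"
+uefi_secureboot_key="/usr/share/secureboot/keys/db/db.key"
+# Enable lockdown if secure boot's on to prevent loading unsigned kernel modules
+kernel_cmdline+=" lockdown=integrity "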

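--- a/etc/dracut.conf
+++ b/etc/dracut.conf
@@ -0,0 +1,19 @@
+# Do not show systemd messages at startup (quiet)
+# Show plymouth splash screen
+kernel_cmdline+=" quiet loglevel=3 rd.udev.log_level=3 fbconf=nodefer splash vt.global_cursor_default=0 mem_sleep_default=deep "
+# Compress to load faster
+compress="zstd"
+# Use hostonly to exclude unnecessary modules, but do not include the hostonly
+# cmdline in the image, because I rely on discoverable partitions to mount the
+# root filesystem.
+# See <https://github.com/dracutdevs/dracut/issues/723#issuecomment-792248568>
+hostonly="yes"
+hostonly_cmdline="no"
+# Add video drivers for early KMS
+add_drivers+=" i915 "
+# Omit bluetooth; I do not have bluetooth hardware I'd need during early boot,
+# and as of 2021-12 it fails to build anyway, see
+# https://bugs.archlinux.org/task/72463 and https://github.com/dracutdevs/dracut/pull/1671
+omit_dracutmodules+=" bluetooth "
+# Make sure we have the TPM stack available
+add_dracutmodules+=" tpm2-tss "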

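--- a/etc/faillock.conf
+++ b/etc/faillock.conf
@@ -0,0 +1,8 @@
+# Reduce the aggressive defaults of faillock (three failed attempts within 15 minutes lock for 10 minutes) to something
+# bearable and pragmatic: 10 failed attempts within 15 minutes lock for 10 minutes
+# Ten failed attempts within 15 minutes…
+deny = 10
+fail_interval = 900
+# …lock the system for ten minutes
+unlock_time = 600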

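--- a/etc/gdm-profile
+++ b/etc/gdm-profile
@@ -0,0 +1,3 @@
+user-db:user
+system-db:gdm
+file-db:/usr/share/gdm/greeter-dconf-defaults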


@ -1,5 +0,0 @@
[General]
EnableNetworkConfiguration=true
[Network]
EnableIPv6=true


@ -1 +0,0 @@
rd.luks.name=a4a8535e-cd13-4656-8de3-5394281cb369=luks rd.luks.options=fido2-device=auto root=LABEL=btrfs rootflags=subvol=root rw quiet loglevel=3 rd.udev.log_level=3 fbconf=nodefer splash vt.global_cursor_default=0 mem_sleep_default=deep

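--- a/etc/loader.conf
+++ b/etc/loader.conf
@@ -0,0 +1,7 @@
+# Directly boot the default kernel; to make the boot menu appear
+# press any key during the firmware splash screen.
+timeout 0
+# Disable the editor to prevent editing the command line; doesn't matter
+# much because in secure boot mode the kernel ignores the boot loader command
+# line anyway.
+editor no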


@ -1,4 +0,0 @@
MODULES=(i915)
BINARIES=(/usr/bin/btrfs)
FILES=()
HOOKS=(base systemd sd-plymouth keyboard autodetect sd-vconsole modconf block sd-encrypt filesystems fsck)

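--- a/etc/modprobe.conf
+++ b/etc/modprobe.conf
@@ -0,0 +1,9 @@
+# Managed by my dotfiles
+# Blacklist pcspkr to silence beeps
+blacklist pcspkr
+# See https://wiki.archlinux.org/index.php/Power_management
+options snd_hda_intel power_save=1
+options snd_ac97_codec power_save=1
+options iwlwifi power_save=1
+options i915 fastboot=1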


@ -1 +0,0 @@
options i915 fastboot=1


@ -0,0 +1,7 @@
[connection]
# Enable mDNS resolving (1) on all interfaces by default, but do not enable
# mDNS responding, i.e. do not register an mDNS hostname for this connection (2)
#
# We use systemd-resolved only for resolution because responding is handled by
# Avahi for proper discovery.
connection.mdns=1


@ -0,0 +1,4 @@
# Enable colors
Color
VerbosePkgLists
ParallelDownloads = 5


@ -0,0 +1,27 @@
# The testing repositories are disabled by default. To enable, uncomment the
# repo name header and Include lines. You can add preferred servers immediately
# after the header, and they will be used before the default mirrors.
#[testing]
#Include = /etc/pacman.d/mirrorlist
[core]
Include = /etc/pacman.d/mirrorlist
[extra]
Include = /etc/pacman.d/mirrorlist
#[community-testing]
#Include = /etc/pacman.d/mirrorlist
[community]
Include = /etc/pacman.d/mirrorlist
# If you want to run 32 bit applications on your x86_64 system,
# enable the multilib repositories as required here.
#[multilib-testing]
#Include = /etc/pacman.d/mirrorlist
#[multilib]
#Include = /etc/pacman.d/mirrorlist


@ -0,0 +1,8 @@
# If you want to run 32 bit applications on your x86_64 system,
# enable the multilib repositories as required here.
#[multilib-testing]
#Include = /etc/pacman.d/mirrorlist
#[multilib]
#Include = /etc/pacman.d/mirrorlist


@ -0,0 +1,4 @@
# aurutils repo
[aur]
SigLevel = Optional TrustAll
Server = file:///var/cache/pacman/aur
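Review bot: `SigLevel = Optional TrustAll` turns off signature verification for everything served from this `[aur]` repository, so any package dropped into /var/cache/pacman/aur is installed unconditionally. That is the usual trade-off for a local file:// cache of self-built packages, but the file does not say so; a one-line comment such as `# Unsigned local repo of self-built packages; trust rests on who can write to /var/cache/pacman/aur` would make the intent explicit and remind a future reader not to point this at a remote Server.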


@ -0,0 +1,2 @@
[options]
CacheDir = /var/cache/pacman/pkg

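--- a/etc/pacman/pacman.conf
+++ b/etc/pacman/pacman.conf
@@ -0,0 +1,69 @@
+#
+# /etc/pacman.conf
+#
+# See the pacman.conf(5) manpage for option and repository directives
+#
+# GENERAL OPTIONS
+#
+[options]
+# The following paths are commented out with their default values listed.
+# If you wish to use different paths, uncomment and update the paths.
+#RootDir = /
+#DBPath = /var/lib/pacman/
+#CacheDir = /var/cache/pacman/pkg/
+#LogFile = /var/log/pacman.log
+#GPGDir = /etc/pacman.d/gnupg/
+#HookDir = /etc/pacman.d/hooks/
+HoldPkg = pacman glibc
+#XferCommand = /usr/bin/curl -L -C - -f -o %o %u
+#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
+#CleanMethod = KeepInstalled
+Architecture = auto
+# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
+#IgnorePkg =
+#IgnoreGroup =
+#NoUpgrade =
+#NoExtract =
+# Misc options
+#UseSyslog
+#Color
+#NoProgressBar
+CheckSpace
+#VerbosePkgLists
+#ParallelDownloads = 5
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
+SigLevel = Required DatabaseOptional
+LocalFileSigLevel = Optional
+#RemoteFileSigLevel = Required
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
+#
+# REPOSITORIES
+# - can be defined here or included from another file
+# - pacman will search repositories in the order defined here
+# - local/custom mirrors can be added here or in separate files
+# - repositories listed first will take precedence when packages
+# have identical names, regardless of version number
+# - URLs will have $repo replaced by the name of the current repo
+# - URLs will have $arch replaced by the name of the architecture
+#
+# Repository entries are of the format:
+# [repo-name]
+# Server = ServerName
+# Include = IncludePath
+#
+# The header [repo-name] is crucial - it must be present and
+# uncommented to enable the repo.
+#
+# Include configuration snippets
+Include = /etc/pacman.d/conf.d/*.conf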

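--- a/etc/reflector.conf
+++ b/etc/reflector.conf
@@ -0,0 +1,5 @@
+--save /etc/pacman.d/mirrorlist
+--protocol https
+--country Germany
+--latest 5
+--sort age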


@ -1,46 +0,0 @@
# snap-pac example configuration file
# see snap-pac(8) for more details
# Each section corresponds with a snapper configuration. Add additional sections to add
# other configurations to be snapshotted. By default, only the root configuration is snapshotted.
# Create a section named [DEFAULT] to have a setting apply for all snapper configurations
## Uncomment to set parameters for snapper configuration named root
#[root]
## How many characters to limit the description for snapper.
## Default is 72
#desc_limit = 72
## Whether or not to take snapshots of this snapper configuration
## Default is True for root configuration and False for all other configurations
#snapshot = True
## What snapper cleanup algorithm to use
## Default is number
#cleanup_algorithm = number
## Pre snapshot description.
## Default is the pacman command that triggered the hook
#pre_description = pacman pre snapshot
## Post snapshot description.
## Default is the list of packages involved in the pacman transaction
#post_description = pacman post snapshot
## Uncomment to add "important=yes" to userdata for snapshots referring to these packages
## Default is []
#important_packages = ["linux", "linux-lts"]
## Uncomment to add "important=yes" to userdata for snapshots that were created with the following commands
## Default is []
#important_commands = ["pacman -Syu"]
## Add custom userdata. Each key-value pair should be an item in the list
## Default is []
#userdata = ["key=value","foo=bar"]
## Example for another snapper configuration named "home"
# [home]
## Default is False
# snapshot = True

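--- a/etc/sudoers.d/10-defaults
+++ b/etc/sudoers.d/10-defaults
@@ -0,0 +1,35 @@
+#
+# Refuse to run if unable to disable echo on the tty.
+#
+Defaults !visiblepw
+#
+# Preserving HOME has security implications since many programs
+# use it when searching for configuration files. Note that HOME
+# is already set when the the env_reset option is enabled, so
+# this option is only effective for configurations where either
+# env_reset is disabled or HOME is present in the env_keep list.
+#
+Defaults always_set_home
+#
+# Provide password input feedback.
+#
+Defaults pwfeedback
+#
+# Lookup sudoers groups by ID instead of looking up user groups by name;
+# we only have one or two groups in this config so looking up by ID is more
+# effective.
+#
+Defaults match_group_by_gid
+#
+# Keep a bunch of locale settings and other stuff.
+#
+Defaults env_reset
+Defaults env_keep = "COLORS HOSTNAME HISTSIZE LS_COLORS"
+Defaults env_keep += "MAIL LANG LC_ADDRESS LC_CTYPE"
+Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
+Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
+Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"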


@ -0,0 +1,2 @@
%aurutils ALL = (root) NOPASSWD: SETENV: /usr/bin/makechrootpkg
%aurutils ALL = (root) NOPASSWD: /usr/bin/mkarchroot, /usr/bin/arch-nspawn
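Review bot: These two NOPASSWD rules make every member of %aurutils effectively root: arch-nspawn and mkarchroot run commands inside a container as root without any password, and the SETENV tag on makechrootpkg lets the caller pass an arbitrary environment into that root process. The file should say so, because nothing here distinguishes it from a narrowly scoped rule; a leading comment such as `# Members of aurutils are root-equivalent: these commands run as root without a password and accept caller-supplied environment.` documents the trust decision for whoever next adds a user to the group.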

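--- a/etc/sysctl.conf
+++ b/etc/sysctl.conf
@@ -0,0 +1,58 @@
+# Don't let non-root users get addresses of kernel symbols
+kernel.kptr_restrict=1
+# Disable kexec to disallow replacing the running kernel.
+kernel.kexec_load_disabled=1
+# Only let root ptrace processes, for security reasons.
+# Perhaps I'll need to disable this again for devtools & debugging
+kernel.yama.ptrace_scope=2
+# IPv6 Privacy Extensions (RFC 4941)
+# ---
+# IPv6 typically uses a device's MAC address when choosing an IPv6 address
+# to use in autoconfiguration. Privacy extensions allow using a randomly
+# generated IPv6 address, which increases privacy.
+#
+# Acceptable values:
+# 0 - dont use privacy extensions.
+# 1 - generate privacy addresses
+# 2 - prefer privacy addresses and use them over the normal addresses.
+net.ipv6.conf.all.use_tempaddr=2
+net.ipv6.conf.default.use_tempaddr=2
+# The magic SysRq key enables certain keyboard combinations to be
+# interpreted by the kernel to help with debugging. The kernel will respond
+# to these keys regardless of the current running applications.
+#
+# In general, the magic SysRq key is not needed for the average Ubuntu
+# system, and having it enabled by default can lead to security issues on
+# the console such as being able to dump memory or to kill arbitrary
+# processes including the running screen lock.
+#
+# Here is the list of possible values:
+# 0 - disable sysrq completely
+# 1 - enable all functions of sysrq
+# >1 - enable certain functions by adding up the following values:
+# 2 - enable control of console logging level
+# 4 - enable control of keyboard (SAK, unraw)
+# 8 - enable debugging dumps of processes etc.
+# 16 - enable sync command
+# 32 - enable remount read-only
+# 64 - enable signalling of processes (term, kill, oom-kill)
+# 128 - allow reboot/poweroff
+# 256 - allow nicing of all RT tasks
+#
+# For example, to enable both control of console logging level and
+# debugging dumps of processes: kernel.sysrq = 10
+#
+# 128 + 32 + 16
+kernel.sysrq=176
+# Disable NMI watchdog (powertop recommendation)
+kernel.nmi_watchdog=0
+# Increase writeback time (default's 500, powertop recommendation)
+vm.dirty_writeback_centisecs=1500
+# Quiet
+kernel.printk = 3 3 3 3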


@ -1 +0,0 @@
kernel.printk = 3 3 3 3


@ -1,13 +0,0 @@
[Match]
Name=en*
[Network]
DHCP=yes
[DHCPv4]
RouteMetric=10
UseDomains=true
[IPv6AcceptRA]
RouteMetric=10
UseDomains=yes


@ -1,13 +0,0 @@
[Match]
Name=wl*
[Network]
DHCP=yes
[DHCPv4]
RouteMetric=20
UseDomains=true
[IPv6AcceptRA]
RouteMetric=20
UseDomains=yes

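--- a/etc/systemd/oomd.conf
+++ b/etc/systemd/oomd.conf
@@ -0,0 +1,3 @@
+[OOM]
+# Reduce default of 30s to 20s; taken from Fedora, so it's likely a good idea
+DefaultMemoryPressureDurationSec=20s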


@ -0,0 +1,6 @@
# Managed by my dotfiles
[Resolve]
# Resolve mDNS hostnames via resolved, but leave the rest to Avahi
MulticastDNS=resolve
# Enable and enforce DNSSEC
DNSSEC=true


@ -0,0 +1,13 @@
[Slice]
# Monitor all units, slices, etc. for OOM conditions based on current swap usage
# (default limit is 90% swap use). When the system uses more swap than this
# limit system will start acting on control groups using most swap, in order
# of swap usage (see oomd.conf(5) for details).
#
# systemd recommends to set this on the root slice (see systemd-oomd.service(8)).
#
# systemd does not recommend to generally act upon memory pressure, because most
# system services run fine under memory pressure, and latency (i.e. having a
# responsive service) is usually not important for system services (which are
# mostly invisible anyway).
ManagedOOMSwap=kill

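--- a/etc/systemd/system.conf
+++ b/etc/systemd/system.conf
@@ -0,0 +1,7 @@
+[Manager]
+# Enable various cgroup accounts to support systemd-oomd.
+# See systemd-oomd(1)
+DefaultCPUAccounting=true
+DefaultIOAccounting=true
+DefaultMemoryAccounting=true
+DefaultTasksAccounting=true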


@ -1,3 +0,0 @@
[Service]
ExecStart=
ExecStart=/usr/bin/agetty --skip-login --nonewline --noissue --autologin tobias --noclear %I $TERM


@ -0,0 +1,3 @@
[Time]
# Default set of NTP servers
NTP=0.de.pool.ntp.org 1.de.pool.ntp.org 2.de.pool.ntp.org 3.de.pool.ntp.org


@ -0,0 +1,17 @@
[Service]
# Allow oomd to act on user units under memory pressure; if a unit is under
# memory pressure for a configured amount of time (see ooomd configuration)
# oomd may kill the unit.
#
# systemd-oomd.service(8) recommends to set this for the user service, to keep
# the user slice responsive. If applications run under memory pressure they
# cease being responsive, so we should kill them early to make sure the system
# stays responsive.
ManagedOOMMemoryPressure=kill
# Reduce the amount of time a unit must be under memory pressure before oomd.
# Overrides the oomd default of 90%, see oomd.conf(5) for the precise meaning
# of this setting.
#
# systemd-oomd.service(8) recommends to reduce this for user services; it says
# 40%, but Fedora's defaults are 50%, so let's follow Fedora here.
ManagedOOMMemoryPressureLimit=50%


@ -0,0 +1 @@
[zram0]

install.sh Normal file → Executable file

@ -1,195 +1,438 @@
#!/usr/bin/env bash #!/usr/bin/env bash
#
# Bootstrap a new Arch system from an installation ISO.
#
# Bootable USB:
# - [Download](https://archlinux.org/download/) ISO and GPG files
# - Verify the ISO file: `$ pacman-key -v archlinux-<version>-x86_64.iso.sig`
# - Create a bootable USB with: `# dd if=archlinux*.iso of=/dev/sdX && sync`
#
# UEFI setup:
#
# - Set boot mode to UEFI, disable Legacy mode entirely.
# - Temporarily disable Secure Boot.
# - Make sure a strong UEFI administrator password is set.
# - Delete preloaded OEM keys for Secure Boot, allow custom ones.
#
# Run installation:
#
# - Connect to wifi via: `# iwctl station wlan0 connect $SSID`
# - Run: `# bash <(curl -sL https://link.rafe.li/dot)`
#
set -uo pipefail set -uo pipefail
trap 's=$?; echo "$0: Error on line "$LINENO": $BASH_COMMAND"; exit $s' ERR trap 's=$?; echo "$0: Error on line "$LINENO": $BASH_COMMAND"; exit $s' ERR
args=() PRESERVE_ENV=AUR_PAGER,PACKAGER,EDITOR
target_device=""
new_hostname=""
while [[ $# -gt 0 ]] if [[ $EUID != 0 ]]; then
do echo 'Elevating privileges'
arg="$1" exec sudo --preserve-env="${PRESERVE_ENV}" "$0" "$@"
fi
case "$arg" in DIR="$( cd "$( dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
"--device")
target_device="$2" # Configure pacman
shift install -pm644 "$DIR/etc/pacman/pacman.conf" /etc/pacman.conf
shift install -pm644 -Dt /etc/pacman.d/conf.d \
;; "$DIR/etc/pacman/00-global-options.conf" \
"--hostname") "$DIR/etc/pacman/50-core-repositories.conf" \
new_hostname="$2" "$DIR/etc/pacman/55-multilib-repositories.conf" \
shift "$DIR/etc/pacman/60-aurutils-repository.conf" \
shift "$DIR/etc/pacman/99-options.conf"
;;
*) # Remove packages no longer in use
args+=("$arg") to_remove=()
shift; for pkg in "${to_remove[@]}"; do
esac pacman --noconfirm -Rs "$pkg" || true
done done
if [[ -z "$target_device" ]]; then packages=(
echo "Missing --device <device> argument" >&2 # Basic packages & system tools
exit 2; base
dracut # Build initrd & unified EFI images
linux-firmware
intel-ucode
linux
lsb-release
sudo
zram-generator # swap on compressed RAM, mostly to support systemd-oomd
sbctl # Manage secure boot binaries and sign binaries
# File systems
ntfs-3g
exfatprogs
btrfs-progs
# Hardware tools
fwupd # Firmware updates
usbutils # for lsusb
# System monitoring
htop
lsof
# Power management
powertop
power-profiles-daemon
# Networking
networkmanager
firewalld
# DNS-SD, mostly for printers, i.e. CUPS. Service discovery is handled by Avahi,
# name resolution by systemd-resolved.
avahi
# Arch tools & infrastructure
pacman-contrib # paccache, checkupdates, pacsearch, and others
reflector # Weekly mirrorlist updates
kernel-modules-hook # Keep kernel modules on kernel updates
# Build packages
base-devel
namcap
aurpublish # Publish AUR packages from Git subtrees
# Dotfiles manager
chezmoi
# Terminal, shell & tools
man-db
man-pages
code
neovim
exa # Better ls (with git support)
rsync
curl
p7zip
zip
# Document processing and rendering
pandoc
mdcat
asciidoctor
zathura # Lightweight document viewer
# Spellchecking
hunspell
hunspell-de
hunspell-en_gb
hunspell-en_us
# Git and related tools
git
git-filter-repo
tea # CLI for gitea servers
tig # Curses git interfaces
# Bash tools
shellcheck
shfmt
# Other development tools
jq # Process JSON on command line
# Desktop tools
wl-clipboard
dconf-editor
# Desktop services
xdg-user-dirs
xdg-utils
xdg-desktop-portal
pcsclite # Smartcard daemon, for e-ID
cups
bluez
sane
pipewire-pulse # Pipewire-based pulse-audio, replaces pulseaudio
wireplumber # Recommended pipewire session & policy manager
firefox # Browser
firefox-i18n-de
vlc # Video player
inkscape # Vector graphics
gimp # Pixel graphics
qalculate-gtk # Powerful calculator
libreoffice-fresh
libreoffice-fresh-de
lollypop # Music player
#xournalpp # Handwriting tool
#signal-desktop # Secure mobile messenger
# Fonts & themes
# Fallback font with huge coverage and colored emojis
noto-fonts
noto-fonts-extra
noto-fonts-cjk
noto-fonts-emoji
# Microsoft compatibility fonts
ttf-liberation
ttf-caladea
ttf-carlito
ttf-cascadia-code
# Gnome
gdm
gnome-characters
gnome-keyring
gnome-screenshot
gnome-maps
gnome-clocks
gnome-weather
gnome-calendar
gnome-shell
gnome-shell-extensions
gnome-shell-extension-appindicator
gnome-remote-desktop
gnome-system-monitor
gnome-control-center
gnome-tweaks
gnome-backgrounds
gnome-themes-extra # For adwaita-dark
xdg-desktop-portal-gnome # Desktop portals
xdg-user-dirs-gtk
evolution
file-roller
yelp # Online help system
nautilus
python-nautilus
gvfs-afc
gvfs-goa
gvfs-gphoto2
gvfs-mtp
gvfs-nfs
gvfs-smb
sushi # Previewer for nautilus
evince # Document viewer
eog # Image viewer
simple-scan
seahorse # Credential manager
baobab # Disk space analyser
# Multimedia for gnome
gst-plugins-good
gst-plugins-bad
gst-plugins-ugly
)
optdeps=(
# pipewire
pipewire-pulse wireplumber
# linux: wireless frequency policies (provided as crda)
wireless-regdb
# pipewire: zeroconf support
pipewire-zeroconf
# poppler: data files
poppler-data
# dracut:
binutils # --uefi
elfutils # stripping
sbsigntools # efi signing
tpm2-tools # tpm2-tss
# zathura: PDF support
zathura-pdf-mupdf
# libva: intel drivers
intel-media-driver
# gnome-shell-extension-appindicator: GTK3 apps
libappindicator-gtk3
# aurutils: chroot support
devtools
# zim: spell checking
gtkspell3
# inkscape: optimized SVGs
scour
# kiconthemes: Additional icons for KDE apps
#breeze-icons
)
pacman -Syu --needed "${packages[@]}"
pacman -S --needed --asdeps "${optdeps[@]}"
pacman -D --asdeps "${optdeps[@]}"
# Currently dracut is missing an optdepends on tpm2-tools, see
# https://bugs.archlinux.org/task/73229
pacman -D --asexplicit tpm2-tools
services=(
# Core system services
systemd-boot-update.service # Update boot loader automatically
systemd-homed.service # homed for user management and home areas
systemd-oomd.service # Userspace OOM killer
systemd-timesyncd.service # Time sync
systemd-resolved.service # DNS resolution
# Other system services
firewalld.service # Firewall
# Timers
fstrim.timer # Periodically trim file systems…
"btrfs-scrub@$(systemd-escape -p /).timer" # scrub root filesystem…
paccache.timer # clean pacman cache…
pkgfile-update.timer # update pkgfile list…
fwupd-refresh.timer # check for firmware updates…
reflector.timer # and update the mirrorlist.
# Desktop services
gdm.service # Desktop manager
power-profiles-daemon.service # Power profile management
NetworkManager.service # Network manager for desktops
avahi-daemon.service # Local network service discovery (for WLAN printers)
cups.service # Printing
bluetooth.service # Bluetooth
pcscd.socket # Smartcards, mostly eID
)
if [[ -n "${SUDO_USER:-}" ]]; then
# Scrub home directory of my user account
services+=("btrfs-scrub@$(systemd-escape -p "/home/${SUDO_USER}").timer")
fi fi
if [[ -z "$new_hostname" ]]; then systemctl enable "${services[@]}"
echo "Missing --hostname <hostname> argument" >&2
exit 2; # See /usr/share/factory/etc/nsswitch.conf for the Arch Linux factory defaults.
# We add mdns hostnames (from Avahi) and libvirtd names, and also shuffle things around
# to follow the recommendations in nss-resolve(8) which Arch Linux deliberately doesn't
# do by default, see e.g. https://bugs.archlinux.org/task/57852
NSS_HOSTS=(
# Resolves containers managed by systemd-machined
mymachines
# Resolve everything else with systemd-resolved and bail out if resolved
# doesn't find hostname. Everything after this stanza is just fallback in
# case resolved is down
resolve '[!UNAVAIL=return]'
# Resolve hosts from /etc/hosts (systemd-resolved handles /etc/hosts as well
# so this comes after resolve)
files
# Resolves gethostname(), i.e. /etc/hostname
myhostname
# Resolves from DNS
dns
)
sed -i '/^hosts: /s/^hosts: .*/'"hosts: ${NSS_HOSTS[*]}/" /etc/nsswitch.conf
# Bootloader and initrd configuration
install -pm644 "$DIR/etc/dracut.conf" /etc/dracut.conf.d/50-custom.conf
install -pm644 "$DIR/etc/loader.conf" /efi/loader/loader.conf
if [[ -f /usr/share/secureboot/keys/db/db.key ]] && [[ -f /usr/share/secureboot/keys/db/db.pem ]]; then
install -pm644 "$DIR/etc/dracut-sbctl.conf" /etc/dracut.conf.d/90-sbctl-signing.conf
else
rm -f /etc/dracut.conf.d/90-sbctl-signing.conf
fi fi
if [[ "${#args[@]}" -ne 0 ]]; then # System configuration
echo "Unexpected extra arguments: ${args[*]}" >&2 install -pm644 "$DIR/etc/faillock.conf" /etc/security/faillock.conf
exit 2 install -pm644 "$DIR/etc/modprobe.conf" /etc/modprobe.d/modprobe.conf
# sudo configuration
install -dm750 /etc/sudoers.d/
install -pm600 -t/etc/sudoers.d "$DIR"/etc/sudoers.d/*
# Systemd configuration
ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
install -Dpm644 "$DIR/etc/systemd/system.conf" /etc/systemd/system.conf.d/50-custom.conf
install -Dpm644 "$DIR/etc/systemd/timesyncd.conf" /etc/systemd/timesyncd.conf.d/50-custom.conf
install -Dpm644 "$DIR/etc/systemd/resolved.conf" /etc/systemd/resolved.conf.d/50-custom.conf
install -Dpm644 "$DIR/etc/systemd/zram-generator.conf" /etc/systemd/zram-generator.conf
install -Dpm644 "$DIR/etc/systemd/oomd.conf" /etc/systemd/oomd.conf.d/oomd.conf
install -Dpm644 "$DIR/etc/systemd/root-slice-oomd.conf" /etc/systemd/system/-.slice.d/50-oomd.conf
install -Dpm644 "$DIR/etc/systemd/user-service-oomd.conf" /etc/systemd/system/user@.service.d/50-oomd.conf
# Services configuration
install -Dpm644 "$DIR/etc/networkmanager-mdns.conf" /etc/NetworkManager/conf.d/50-mdns.conf
install -Dpm644 "$DIR/etc/reflector.conf" /etc/xdg/reflector/reflector.conf
install -Dpm644 "$DIR/etc/bluetooth.conf" /etc/bluetooth/main.conf
install -Dpm644 "$DIR/etc/snapper-root.conf" /etc/snapper/configs/root
# Global font configuration
for file in 10-hinting-slight 10-sub-pixel-rgb 11-lcdfilter-default; do
ln -sf /usr/share/fontconfig/conf.avail/$file.conf /etc/fonts/conf.d/$file.conf
done
# Locale settings
localectl set-locale de_DE.UTF-8
# --no-convert stops localectl from trying to apply the text console layout to
# X11/Wayland and vice versa
localectl set-keymap --no-convert us
localectl set-x11-keymap --no-convert us,de pc105
# GDM dconf profile, for global GDM configuration, see
# https://help.gnome.org/admin/system-admin-guide/stable/login-banner.html.en
install -Dpm644 "$DIR/etc/gdm-profile" /etc/dconf/profile/gdm
# Start firewalld and configure it
systemctl start firewalld.service
firewall-cmd --permanent --zone=home \
--add-service=upnp-client \
--add-service=rdp \
--add-service=ssh
# Don't allow incoming SSH connections on public networks (this is a weird default imho)
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --reload
# Setup secure boot
if command -v sbctl > /dev/null && [[ -f /usr/share/secureboot/keys/db/db.key ]]; then
# Generate signed bootloader image
if ! sbctl list-files | grep -q /usr/lib/systemd/boot/efi/systemd-bootx64.efi; then
sbctl sign -s -o /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed /usr/lib/systemd/boot/efi/systemd-bootx64.efi
bootctl update --graceful
fi
# Generate signed firmware updater
if ! sbctl list-files | grep -q /usr/lib/fwupd/efi/fwupdx64.efi; then
sbctl sign -s -o /usr/lib/fwupd/efi/fwupdx64.efi.signed /usr/lib/fwupd/efi/fwupdx64.efi
fi
sbctl sign-all
sbctl verify # Safety check
fi fi
if [ ! -f /sys/firmware/efi/fw_platform_size ]; then # Install or update, and then configure the bootloader.
echo >&2 "You must boot in UEFI mode to continue" # Do this AFTER signing the boot loader with sbctl, see above, to make sure we
exit 2 # install the signed loader.
if ! [[ -e /efi/EFI/BOOT/BOOTX64.EFI ]]; then
bootctl install
else
bootctl update --graceful
fi fi
if [[ "$UID" -ne 0 ]]; then # Initialize AUR repo
echo "This script needs to be run as root!" >&2 if [[ ! -d /var/cache/pacman/aur ]]; then
exit 3 install -m755 -d /var/cache/pacman/aur
repo-add /var/cache/pacman/aur/aur.db.tar.zst
fi fi
read -rp "THIS SCRIPT WILL OVERWRITE ALL CONTENTS OF ${target_device}. Type uppercase yes to continue: " confirmed # Allow myself to build AUR packages
if [[ -n "${SUDO_USER:-}" && "$(stat -c '%U' /var/cache/pacman/aur)" != "$SUDO_USER" ]]; then
if [[ "$confirmed" != "YES" ]]; then chown -R "$SUDO_USER:$SUDO_USER" /var/cache/pacman/aur
echo "aborted" >&2
exit 128
fi fi
timedatectl set-ntp true # Bootstrap aurutils
hwclock --systohc --utc if [[ -n "${SUDO_USER:-}" ]] && ! command -v aur &>/dev/null; then
loadkeys de-latin1 sudo -u "$SUDO_USER" bash <<'EOF'
set -xeuo pipefail
# Partition BDIR="$(mktemp -d --tmpdir aurutils.XXXXXXXX)"
sgdisk --zap-all "${target_device}" echo "Building in $BDIR"
sgdisk --clear \ cd "$BDIR"
--new 1:0:+550MiB --typecode 1:ef00 --change-name 1:EFI \ git clone --depth=1 "https://aur.archlinux.org/aurutils.git"
--new 2:0:+8GiB --typecode 2:8200 --change-name 2:swap \ cd aurutils
--new 3 --typecode 3:8304 --change-name 3:system \ makepkg --noconfirm --nocheck -rsi
"${target_device}"
# Reload partition table
sleep 5
partprobe -s "${target_device}"
sleep 3
# Encrypt root
echo -n "password" | cryptsetup luksFormat --type luks2 --pbkdf argon2id "/dev/disk/by-partlabel/system"
echo -n "password" | cryptsetup luksOpen --allow-discards --persistent "/dev/disk/by-partlabel/system" system
# Create file systems
mkfs.fat -F 32 -n "EFI" /dev/disk/by-partlabel/EFI
mkfs.btrfs --force --label system /dev/mapper/system
# Mount system subvolume and create additional subvolumes
o=defaults,x-mount.mkdir
o_btrfs=$o,compress=zstd,ssd,noatime
mount -t btrfs LABEL=system /mnt
btrfs subvolume create /mnt/@ # /
btrfs subvolume create /mnt/@home # /home
btrfs subvolume create /mnt/@snapshots # /.snapshots
btrfs subvolume create /mnt/@pkg # /var/cache/pacman/pkg
btrfs subvolume create /mnt/@aurbuild # /var/lib/aurbuild
btrfs subvolume create /mnt/@archbuild # /var/lib/archbuild
btrfs subvolume create /mnt/@log # /var/log
btrfs subvolume create /mnt/@tmp # /var/tmp
umount -R /mnt
mount -t btrfs -o subvol=@,$o_btrfs LABEL=system /mnt
mount -t btrfs -o subvol=@home,$o_btrfs,nodatacow LABEL=system /mnt/home
mount -t btrfs -o subvol=@snapshots,$o_btrfs LABEL=system /mnt/.snapshots
mount -t btrfs -o subvol=@pkg,$o_btrfs LABEL=system /mnt/var/cache/pacman/pkg
mount -t btrfs -o subvol=@aurbuild,$o_btrfs LABEL=system /mnt/var/lib/aurbuild
mount -t btrfs -o subvol=@archbuild,$o_btrfs LABEL=system /mnt/var/lib/archbuild
mount -t btrfs -o subvol=@log,$o_btrfs LABEL=system /mnt/var/log
mount -t btrfs -o subvol=@tmp,$o_btrfs LABEL=system /mnt/var/tmp
# Mount additional partitions
mount -o $o LABEL=EFI /mnt/efi
# Change default btrfs sub-volume (for DPS)
default_subvolume=$(btrfs subvolume list /mnt | grep "path @$" | cut -d ' ' -f2)
btrfs subvolume set-default ${default_subvolume} /mnt
# Disable CoW for /home due to large loopback files by systemd-homed
chattr +C /mnt/home
if ! grep "# Installer cache" /etc/pacman.conf > /dev/null; then
cat >> /etc/pacman.conf << EOF
# Installer cache
[options]
CacheDir = /mnt/var/cache/pacman/pkg
EOF EOF
fi fi
# Bootstrap new chroot # Configure aurutils
reflector --country 'Germany' --protocol https --sort age --latest 5 --save /etc/pacman.d/mirrorlist if [[ ! -e "/etc/aurutils/pacman-aur.conf" ]]; then
pacstrap /mnt base linux linux-firmware intel-ucode btrfs-progs dracut neovim iwd networkmanager install -Dpm644 /usr/share/devtools/pacman-extra.conf "/etc/aurutils/pacman-aur.conf"
cat <<EOF >>"/etc/aurutils/pacman-aur.conf"
genfstab -L -p /mnt >> /mnt/etc/fstab # aurutils repo
[aur]
# Configure timezone, locale, keymap, network SigLevel = Optional TrustAll
sed -i 's/^#en_US\.UTF-8/en_US\.UTF-8/' /mnt/etc/locale.gen Server = file:///var/cache/pacman/aur
sed -i 's/^#de_DE\.UTF-8/de_DE\.UTF-8/' /mnt/etc/locale.gen
arch-chroot /mnt locale-gen
arch-chroot /mnt systemd-firstboot \
--locale="en_US.UTF-8" \
--keymap="de-latin1" \
--timezone="Europe/Berlin" \
--hostname="${new_hostname}" \
--setup-machine-id
echo -e "127.0.0.1\tlocalhost" >> /mnt/etc/hosts
echo -e "127.0.1.1\t$new_hostname" >> /mnt/etc/hosts
echo -e "\n::1\tlocalhost" >> /mnt/etc/hosts
# Use systemd-resolved as dns backend for NetworkManager (auto-detected)
ln -sf /run/systemd/resolve/stub-resolv.conf /mnt/etc/resolv.conf
# Enable iwd as wifi backend for NetworkManager
cat > /mnt/etc/NetworkManager/conf.d/wifi-backend.conf <<EOF
[device]
wifi.backend=iwd
EOF EOF
fi
# Install dracut opt deps required to build unified kernel images aur_packages=(
arch-chroot /mnt pacman -S --noconfirm --asdeps binutils elfutils # AUR helper
arch-chroot /mnt dracut -f --uefi --regenerate-all aurutils
# Install bootloader # Splash screen at boot
arch-chroot /mnt bootctl install plymouth
# Gnome extensions
gnome-shell-extension-nasa-apod
# Gnome tools
gnome-search-providers-vscode
# Dracut hook to build kernel images for systemd boot
dracut-hook-uefi
# Additional fonts
otf-vollkorn # My favorite serif font for documents
ttf-fira-go # A nice font for presentations
# Additional tools
git-gone
# Connect phone and desktop system
gnome-shell-extension-gsconnect
)
# Enable resolved aur_optdeps=(
systemctl --root /mnt enable systemd-resolved # plymouth: truetype fonts
# Enable NetworkManager ttf-dejavu cantarell-fonts
systemctl --root /mnt enable NetworkManager )
# Enable homed
systemctl --root /mnt enable systemd-homed
# Set root password if [[ -n "${SUDO_USER:-}" ]]; then
echo "root:password" | chpasswd -R /mnt # Build AUR packages and install them
if [[ ${#aur_packages} -gt 0 ]]; then
sudo -u "$SUDO_USER" --preserve-env="${PRESERVE_ENV}" \
nice aur sync -daur -cRT "${aur_packages[@]}" "${aur_optdeps[@]}"
pacman --needed -Syu "${aur_packages[@]}"
fi
if [[ ${#aur_optdeps[@]} -gt 0 ]]; then
pacman --needed -S --asdeps "${aur_optdeps[@]}"
pacman -D --asdeps "${aur_optdeps[@]}"
fi
echo "BOOTSTRAPPING FINISHED" remove_from_repo=()
if [[ ${#remove_from_repo[@]} -gt 0 ]]; then
for pkg in "${remove_from_repo[@]}"; do
rm -f "/var/cache/pacman/aur/${pkg}-"*.pkg.tar.*
done
sudo -u "$SUDO_USER" repo-remove /var/cache/pacman/aur/aur.db.tar.zst "${remove_from_repo[@]}" || true
fi
fi
# Set plymouth theme
if command -v plymouth-set-default-theme > /dev/null; then
plymouth-set-default-theme bgrt
fi


@ -4,4 +4,4 @@ enable-ssh-support
ttyname $GPG_TTY ttyname $GPG_TTY
default-cache-ttl 60 default-cache-ttl 60
max-cache-ttl 120 max-cache-ttl 120
pinentry-program /usr/bin/pinentry-curses pinentry-program /usr/bin/pinentry-gtk4
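Review bot: The new `pinentry-program /usr/bin/pinentry-gtk4` (taking the right-hand column as the new side) only works if the pinentry package installed on the target actually ships a `pinentry-gtk4` binary, and nothing in this commit installs or checks for it. If the program is missing, gpg-agent cannot prompt for the passphrase at all, which with `enable-ssh-support` on line 1 also blocks SSH authentication with the agent-held key. I would confirm the binary exists on the target before relying on it (`command -v pinentry-gtk4`) or keep `pinentry-curses` as the configured program until it does; the short `default-cache-ttl 60` / `max-cache-ttl 120` values are fine as they are.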


@ -1,24 +0,0 @@
#!/bin/bash
# https://github.com/maximbaz/dotfiles/blob/61a40e111012dd589dad89ff0d31dcd1be8f8529/.local/bin/cglaunch
if [ "$1" = "--term" ]; then
shift
kitty_args=()
if [[ "$1" == "-"* ]]; then
while [[ "$#" -gt 1 ]] && [[ "$1" != "--" ]]; do
kitty_args+=("$1")
shift
done
[[ "$1" != "--" ]] || shift
fi
title="${1##*/}"
title="${title:-kitty}"
app="kitty ${kitty_args[@]} --class $title"
else
title="${1##*/}"
args="--scope"
fi
exec systemd-run --quiet --no-block --user --slice app.slice --unit "launch-$title-$(date '+%s%N')" $args -- $app "$@"


@ -1,206 +0,0 @@
#!/bin/bash
set -e
exec 2> >(while read line; do echo -e "\e[01;31m$line\e[0m"; done)
script_name="$(basename "$0")"
dotfiles_dir="$(
cd "$(dirname "$0")"
pwd
)"
cd "$dotfiles_dir"
if (("$EUID")); then
sudo -s "$dotfiles_dir/$script_name" "$@"
exit 0
fi
if [ "$1" = "-r" ]; then
echo >&2 "Running in reverse mode!"
reverse=1
fi
copy() {
if [ -z "$reverse" ]; then
orig_file="$dotfiles_dir/$1"
dest_file="/$1"
else
orig_file="/$1"
dest_file="$dotfiles_dir/$1"
fi
mkdir -p "$(dirname "$orig_file")"
mkdir -p "$(dirname "$dest_file")"
rm -rf "$dest_file"
cp -R "$orig_file" "$dest_file"
if [ -z "$reverse" ]; then
[ -n "$2" ] && chmod "$2" "$dest_file"
else
chown -R $USER "$dest_file"
fi
echo "$dest_file <= $orig_file"
}
is_chroot() {
! cmp -s /proc/1/mountinfo /proc/self/mountinfo
}
systemctl_enable() {
echo "systemctl enable "$1""
systemctl enable "$1"
}
systemctl_enable_start() {
echo "systemctl enable --now "$1""
systemctl enable "$1"
systemctl start "$1"
}
echo ""
echo "=========================="
echo "Setting up /etc configs..."
echo "=========================="
copy "etc/kernel/cmdline"
copy "etc/sysctl.d/20-quiet-printk.conf"
copy "etc/modprobe.d/i915.conf"
#copy "etc/aurutils/pacman-x86_64.conf"
copy "etc/bluetooth/main.conf"
#copy "etc/conf.d/snapper"
#copy "etc/default/earlyoom"
#copy "etc/docker/daemon.json"
#copy "etc/fwupd/uefi_capsule.conf"
#copy "etc/modules-load.d/v4l2loopback.conf"
#copy "etc/modprobe.d/v4l2loopback.conf"
#copy "etc/nftables.conf"
#copy "etc/pacman.conf"
#copy "etc/pacman.d/hooks"
#copy "etc/pam.d/polkit-1"
#copy "etc/pam.d/sudo"
copy "etc/snap-pac.ini"
copy "etc/snapper/configs/root"
#copy "etc/ssh/ssh_config"
copy "etc/sudoers.d/override"
#copy "etc/sysctl.d/99-sysctl.conf"
#copy "etc/systemd/journald.conf.d/override.conf"
#copy "etc/systemd/logind.conf.d/override.conf"
copy "etc/systemd/network/20-wired.network"
copy "etc/systemd/network/25-wireless.network"
copy "etc/iwd/main.conf"
copy "etc/mkinitcpio.conf"
#copy "etc/systemd/resolved.conf.d/dnssec.conf"
copy "etc/systemd/system/getty@tty1.service.d/override.conf"
#copy "etc/systemd/system/usbguard.service.d/override.conf"
#copy "etc/systemd/system/reflector.service"
#copy "etc/systemd/system/reflector.timer"
#copy "etc/systemd/system/system-dotfiles-sync.service"
#copy "etc/systemd/system/system-dotfiles-sync.timer"
#copy "etc/systemd/system.conf.d/kill-fast.conf"
#copy "etc/usbguard/usbguard-daemon.conf" 600
#copy "etc/systemd/system/backup-repo@pkgbuild"
#copy "etc/systemd/system/backup-repo@.service"
#copy "etc/systemd/system/backup-repo@.timer"
(("$reverse")) && exit 0
echo ""
echo "================================="
echo "Enabling and starting services..."
echo "================================="
sysctl --system > /dev/null
systemctl daemon-reload
systemctl_enable_start "bluetooth.service"
#systemctl_enable_start "btrfs-scrub@-.timer"
#systemctl_enable_start "btrfs-scrub@mnt-btrfs\x2droot.timer"
#systemctl_enable_start "btrfs-scrub@home.timer"
#systemctl_enable_start "btrfs-scrub@var-cache-pacman.timer"
#systemctl_enable_start "btrfs-scrub@var-log.timer"
#systemctl_enable_start "btrfs-scrub@var-tmp.timer"
#systemctl_enable_start "btrfs-scrub@\x2esnapshots.timer"
#systemctl_enable_start "btrfs-scrub@var-lib-aurbuild.timer"
#systemctl_enable_start "btrfs-scrub@var-lib-archbuild.timer"
#systemctl_enable_start "btrfs-scrub@var-lib-docker.timer"
#systemctl_enable_start "docker.socket"
#systemctl_enable_start "earlyoom.service"
systemctl_enable_start "fstrim.timer"
systemctl_enable_start "iwd.service"
#systemctl_enable_start "linux-modules-cleanup.service"
#systemctl_enable_start "lenovo_fix.service"
#systemctl_enable_start "nftables.service"
systemctl_enable_start "pcscd.socket"
#systemctl_enable_start "reflector.timer"
#systemctl_enable_start "snapper-cleanup.timer"
#systemctl_enable_start "system-dotfiles-sync.timer"
systemctl_enable_start "systemd-networkd.socket"
systemctl_enable_start "systemd-resolved.service"
systemctl_enable_start "systemd-timesyncd"
#systemctl_enable_start "tlp.service"
#if [ ! -s "/etc/usbguard/rules.conf" ]; then
# echo >&2 "=== Remember to set usbguard rules: usbguard generate-policy >! /etc/usbguard/rules.conf"
#else
# chmod 600 /etc/usbguard/rules.conf
# systemctl_enable_start "usbguard.service"
# systemctl_enable_start "usbguard-dbus.service"
#fi
#systemctl_enable_start "backup-repo@pkgbuild.timer"
#echo ""
#echo "==============================="
#echo "Creating top level Trash dir..."
#echo "==============================="
#mkdir --parent /.Trash
#chmod a+rw /.Trash
#chmod +t /.Trash
#echo "Done"
echo ""
echo "======================================="
echo "Finishing various user configuration..."
echo "======================================="
if is_chroot; then
echo >&2 "=== Running in chroot, skipping /etc/resolv.conf setup..."
else
echo "Configuring /etc/resolv.conf"
ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
fi
echo "Configuring NTP"
timedatectl set-ntp true
echo "Configuring aurutils"
ln -sf /etc/pacman.conf /etc/aurutils/pacman-tobias-local.conf
PLYMOUTH_THEME="spinner"
if [ "$(plymouth-set-default-theme)" != "$PLYMOUTH_THEME" ]; then
echo "Configuring plymouth"
plymouth-set-default-theme "$PLYMOUTH_THEME"
fi
echo "Configuring mkinitcpio + secure boot"
mkinitcpio -P
if [ ! -s "/etc/arch-secure-boot/keys/PK.auth" ]; then
arch-secure-boot initial-setup
else
arch-secure-boot generate-efi
fi
if [ ! -f /efi/EFI/secureboot/KeyTool-signed.efi ]; then
echo "Preparing KeyTool to allow install PK key"
mkdir -p /efi/EFI/secureboot
sbsign --key /etc/arch-secure-boot/keys/db.key --cert /etc/arch-secure-boot/keys/db.crt --output /efi/EFI/secureboot/KeyTool-signed.efi /usr/share/efitools/efi/KeyTool.efi
cp /etc/secureboot/keys/PK/PK.auth /efi/EFI/secureboot/PK.auth
mount="$(findmnt -n -o SOURCE -T "/efi")"
partition="${mount##*[!0-9]}"
entry="/EFI/secureboot/KeyTool-signed.efi"
efibootmgr -d "$mount" -p "$partition" -c -l "${entry//\//\\}" -L "KeyTool"
echo "Reboot into KeyTool and install PK key (EFI/secureboot/PK.auth) to UEFI"
fi

run_once_setup-gpg.sh Normal file

@ -0,0 +1,15 @@
#!/bin/bash
set -e
exec 2> >(while read line; do echo -e "\e[01;31m$line\e[0m"; done)
MY_PGP_KEY_ID="A3F9CE82F38FC1F220CC2A1D63CCF3229371555E"
if ! gpg -k | grep "$MY_PGP_KEY_ID" > /dev/null; then
echo "Importing my public PGP key"
curl -s --tlsv1.3 https://tobias.strobel.one/pubkey.txt | gpg --import
echo "5\ny\n" | gpg --command-fd 0 --no-tty --batch --edit-key "$MY_PGP_KEY_ID" trust
fi
find "$HOME/.gnupg" -type f -not -path "*#*" -exec chmod 600 {} \;
find "$HOME/.gnupg" -type d -exec chmod 700 {} \;
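Review bot: With `#!/bin/bash`, the builtin `echo "5\ny\n"` on the trust line does not interpret the backslash sequences, so gpg's ownertrust prompt receives the single answer `5\ny\n` instead of `5` followed by `y`, and the ultimate-trust assignment most likely never takes effect; use `printf '5\ny\n' | gpg --command-fd 0 --no-tty --batch --edit-key "$MY_PGP_KEY_ID" trust`. The import line pipes whatever the server returns straight into `gpg --import` without `--fail`, so an HTTP error page is fed to gpg silently and the failure only surfaces later; `curl -sSf --tlsv1.3 https://tobias.strobel.one/pubkey.txt | gpg --import` makes the download failure explicit and stops the script under `set -e`. Trust is granted by fingerprint, so a substituted key would not become ultimately trusted, but I would still assert the imported key is the expected one before editing trust, e.g. `gpg -k "$MY_PGP_KEY_ID" >/dev/null` right after the import, so a wrong or truncated download fails with a clear message rather than inside `--edit-key`.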


@ -1,223 +0,0 @@
#!/bin/bash
set -e
exec 2> >(while read line; do echo -e "\e[01;31m$line\e[0m"; done)
MY_PGP_KEY_ID="A3F9CE82F38FC1F220CC2A1D63CCF3229371555E"
dotfiles_dir="$(
cd "$(dirname "$0")"
pwd
)"
cd "$dotfiles_dir"
link() {
orig_file="$dotfiles_dir/$1"
if [ -n "$2" ]; then
dest_file="$HOME/$2"
else
dest_file="$HOME/$1"
fi
mkdir -p "$(dirname "$orig_file")"
mkdir -p "$(dirname "$dest_file")"
rm -rf "$dest_file"
ln -s "$orig_file" "$dest_file"
echo "$dest_file -> $orig_file"
}
is_chroot() {
! cmp -s /proc/1/mountinfo /proc/self/mountinfo
}
systemctl_enable_start() {
echo "systemctl --user enable --now "$1""
systemctl --user enable --now "$1"
}
#echo "==========================="
#echo "Setting up user dotfiles..."
#echo "==========================="
#link ".gnupg/$(cut -d'-' -f1 /etc/hostname)-gpg.conf" ".gnupg/gpg.conf"
#link ".gnupg/gpg-agent.conf"
#link ".ignore"
#link ".magic"
#link ".p10k.zsh"
#link ".p10k.zsh" ".p10k-ascii-8color.zsh"
#link ".zprofile"
#link ".zsh-aliases"
#link ".zshenv"
#link ".zshrc"
#
#link ".config/bat"
#link ".config/chromium-flags.conf"
#link ".config/environment.d"
#link ".config/flashfocus"
#link ".config/git/$(cut -d'-' -f1 /etc/hostname)" ".config/git/config"
#link ".config/git/common"
#link ".config/git/home"
#link ".config/git/ignore"
#link ".config/git/work"
#link ".config/gtk-3.0"
#link ".config/htop"
#link ".config/imapnotify/archlinux.conf"
#link ".config/imapnotify/maximbaz.conf"
#link ".config/kak"
#link ".config/kak-lsp"
#link ".config/kitty"
#link ".config/libinput-gestures.conf"
#link ".config/mako"
#link ".config/mimeapps.list"
#link ".config/mpv"
#link ".config/neomutt/colors"
#link ".config/neomutt/mailcap"
#link ".config/neomutt/neomuttrc"
#link ".config/neomutt/signature"
#link ".config/notmuch"
#link ".config/pacman"
#link ".config/pgcli/config"
#link ".config/pylint"
#link ".config/qalculate/qalc.cfg"
#link ".config/qalculate/qalculate-gtk.cfg"
#link ".config/qutebrowser"
#link ".config/repoctl"
#link ".config/sclirc"
#link ".config/stylua"
#link ".config/swappy"
#link ".config/sway"
#link ".config/swaylock"
#link ".config/systemd/user/backup-packages.service"
#link ".config/systemd/user/backup-packages.timer"
#link ".config/systemd/user/battery-low-notify.service"
#link ".config/systemd/user/mbsync.service"
#link ".config/systemd/user/mbsync.timer"
#link ".config/systemd/user/polkit-gnome.service"
#link ".config/systemd/user/qutebrowser-update-useragent.service"
#link ".config/systemd/user/qutebrowser-update-useragent.timer"
#link ".config/systemd/user/sway-autoname-workspaces.service"
#link ".config/systemd/user/sway-inactive-window-transparency.service"
#link ".config/systemd/user/sway-session.target"
#link ".config/systemd/user/swayr.service"
#link ".config/systemd/user/systembus-notify.service"
#link ".config/systemd/user/udiskie.service"
#link ".config/systemd/user/waybar.service"
#link ".config/systemd/user/waybar-updates.service"
#link ".config/systemd/user/waybar-updates.timer"
#link ".config/systemd/user/wl-clipboard-manager.service"
#link ".config/systemd/user/wlsunset.service"
#link ".config/tig"
#link ".config/transmission/settings.json"
#link ".config/udiskie"
#link ".config/USBGuard"
#link ".config/user-tmpfiles.d"
#link ".config/vimiv"
#link ".config/waybar"
#link ".config/wldash"
#link ".config/xdg-desktop-portal-wlr"
#link ".config/xkb"
#link ".config/xplr"
#link ".config/zathura"
#
#link ".local/bin"
#link ".local/share/applications"
#link ".local/share/qutebrowser/greasemonkey"
#link ".local/share/dbus-1/services/fr.emersion.mako.service"
if is_chroot; then
echo >&2 "=== Running in chroot, skipping user services..."
else
echo ""
echo "================================="
echo "Enabling and starting services..."
echo "================================="
systemctl --user daemon-reload
systemctl_enable_start pipewire
systemctl_enable_start pipewire-pulse
#systemctl_enable_start "backup-packages.timer"
#systemctl_enable_start "battery-low-notify.service"
#systemctl_enable_start "flashfocus.service"
#systemctl_enable_start "libinput-gestures.service"
#systemctl_enable_start "mako.service"
#systemctl_enable_start "polkit-gnome.service"
#systemctl_enable_start "qutebrowser-update-useragent.timer"
#systemctl_enable_start "sway-autoname-workspaces.service"
#systemctl_enable_start "sway-inactive-window-transparency.service"
#systemctl_enable_start "swayr.service"
#systemctl_enable_start "systembus-notify.service"
#systemctl_enable_start "systemd-tmpfiles-setup.service"
#systemctl_enable_start "udiskie.service"
#systemctl_enable_start "waybar.service"
#systemctl_enable_start "waybar-updates.timer"
#systemctl_enable_start "wl-clipboard-manager.service"
#systemctl_enable_start "wlsunset.service"
#systemctl_enable_start "wluma.service"
#systemctl_enable_start "yubikey-touch-detector.socket"
#if [[ $HOSTNAME == home-* ]]; then
# if [ -d "$HOME/.mail" ]; then
# systemctl_enable_start "mbsync.timer"
# systemctl_enable_start "goimapnotify@archlinux.service"
# systemctl_enable_start "goimapnotify@maximbaz.service"
# else
# echo >&2 -e "
# === Mail is not configured, skipping...
# === Consult \$MBSYNC_CONFIG for initial setup, and then sync everything using:
# === while ! mbsync -c "\$MBSYNC_CONFIG" -a; do echo 'restarting...'; done
# "
# fi
#fi
fi
echo ""
echo "======================================="
echo "Finishing various user configuration..."
echo "======================================="
#echo "Configuring MIME types"
#file --compile --magic-file "$HOME/.magic"
if ! gpg -k | grep "$MY_PGP_KEY_ID" > /dev/null; then
echo "Importing my public PGP key"
curl -s --tlsv1.3 https://tobias.strobel.one/pubkey.txt | gpg --import
echo "5\ny\n" | gpg --command-fd 0 --no-tty --batch --edit-key "$MY_PGP_KEY_ID" trust
fi
find "$HOME/.gnupg" -type f -not -path "*#*" -exec chmod 600 {} \;
find "$HOME/.gnupg" -type d -exec chmod 700 {} \;
#if is_chroot; then
# echo >&2 "=== Running in chroot, skipping YubiKey configuration..."
#else
# if [ ! -s "$HOME/.config/Yubico/u2f_keys" ]; then
# echo "Configuring YubiKey for passwordless sudo (touch it now)"
# mkdir -p "$HOME/.config/Yubico"
# pamu2fcfg -umaximbaz > "$HOME/.config/Yubico/u2f_keys"
# fi
#fi
#if [ -d "$HOME/.password-store" ]; then
# echo "Configuring automatic git push for pass"
# echo -e "#!/bin/sh\n\npass git push" > "$HOME/.password-store/.git/hooks/post-commit"
# chmod +x "$HOME/.password-store/.git/hooks/post-commit"
#else
# echo >&2 "=== Password store is not configured yet, skipping..."
#fi
#if is_chroot; then
# echo >&2 "=== Running in chroot, skipping GTK file chooser dialog configuration..."
#else
# echo "Configuring GTK file chooser dialog"
# gsettings set org.gtk.Settings.FileChooser sort-directories-first true
#fi
#echo "Ignoring further changes to often changing config"
#git update-index --assume-unchanged ".config/transmission/settings.json"
#echo "Configure repo-local git settings"
#git config user.email "code@strobel.one"
#git config user.signingkey "$MY_PGP_KEY_ID"
#git config commit.gpgsign true
#git remote set-url origin "git@github.com:maximbaz/dotfiles.git"


@ -1,206 +0,0 @@
#!/bin/bash
set -e
exec 2> >(while read line; do echo -e "\e[01;31m$line\e[0m"; done)
script_name="$(basename "$0")"
dotfiles_dir="$(
cd "$(dirname "$0")"
pwd
)"
cd "$dotfiles_dir"
if (("$EUID")); then
sudo -s "$dotfiles_dir/$script_name" "$@"
exit 0
fi
if [ "$1" = "-r" ]; then
echo >&2 "Running in reverse mode!"
reverse=1
fi
copy() {
if [ -z "$reverse" ]; then
orig_file="$dotfiles_dir/$1"
dest_file="/$1"
else
orig_file="/$1"
dest_file="$dotfiles_dir/$1"
fi
mkdir -p "$(dirname "$orig_file")"
mkdir -p "$(dirname "$dest_file")"
rm -rf "$dest_file"
cp -R "$orig_file" "$dest_file"
if [ -z "$reverse" ]; then
[ -n "$2" ] && chmod "$2" "$dest_file"
else
chown -R $USER "$dest_file"
fi
echo "$dest_file <= $orig_file"
}
is_chroot() {
! cmp -s /proc/1/mountinfo /proc/self/mountinfo
}
systemctl_enable() {
echo "systemctl enable "$1""
systemctl enable "$1"
}
systemctl_enable_start() {
echo "systemctl enable --now "$1""
systemctl enable "$1"
systemctl start "$1"
}
echo ""
echo "=========================="
echo "Setting up /etc configs..."
echo "=========================="
copy "etc/kernel/cmdline"
copy "etc/sysctl.d/20-quiet-printk.conf"
copy "etc/modprobe.d/i915.conf"
#copy "etc/aurutils/pacman-x86_64.conf"
copy "etc/bluetooth/main.conf"
#copy "etc/conf.d/snapper"
#copy "etc/default/earlyoom"
#copy "etc/docker/daemon.json"
#copy "etc/fwupd/uefi_capsule.conf"
#copy "etc/modules-load.d/v4l2loopback.conf"
#copy "etc/modprobe.d/v4l2loopback.conf"
#copy "etc/nftables.conf"
#copy "etc/pacman.conf"
#copy "etc/pacman.d/hooks"
#copy "etc/pam.d/polkit-1"
#copy "etc/pam.d/sudo"
copy "etc/snap-pac.ini"
copy "etc/snapper/configs/root"
#copy "etc/ssh/ssh_config"
copy "etc/sudoers.d/override"
#copy "etc/sysctl.d/99-sysctl.conf"
#copy "etc/systemd/journald.conf.d/override.conf"
#copy "etc/systemd/logind.conf.d/override.conf"
copy "etc/systemd/network/20-wired.network"
copy "etc/systemd/network/25-wireless.network"
copy "etc/iwd/main.conf"
copy "etc/mkinitcpio.conf"
#copy "etc/systemd/resolved.conf.d/dnssec.conf"
copy "etc/systemd/system/getty@tty1.service.d/override.conf"
#copy "etc/systemd/system/usbguard.service.d/override.conf"
#copy "etc/systemd/system/reflector.service"
#copy "etc/systemd/system/reflector.timer"
#copy "etc/systemd/system/system-dotfiles-sync.service"
#copy "etc/systemd/system/system-dotfiles-sync.timer"
#copy "etc/systemd/system.conf.d/kill-fast.conf"
#copy "etc/usbguard/usbguard-daemon.conf" 600
#copy "etc/systemd/system/backup-repo@pkgbuild"
#copy "etc/systemd/system/backup-repo@.service"
#copy "etc/systemd/system/backup-repo@.timer"
(("$reverse")) && exit 0
echo ""
echo "================================="
echo "Enabling and starting services..."
echo "================================="
sysctl --system > /dev/null
systemctl daemon-reload
systemctl_enable_start "bluetooth.service"
#systemctl_enable_start "btrfs-scrub@-.timer"
#systemctl_enable_start "btrfs-scrub@mnt-btrfs\x2droot.timer"
#systemctl_enable_start "btrfs-scrub@home.timer"
#systemctl_enable_start "btrfs-scrub@var-cache-pacman.timer"
#systemctl_enable_start "btrfs-scrub@var-log.timer"
#systemctl_enable_start "btrfs-scrub@var-tmp.timer"
#systemctl_enable_start "btrfs-scrub@\x2esnapshots.timer"
#systemctl_enable_start "btrfs-scrub@var-lib-aurbuild.timer"
#systemctl_enable_start "btrfs-scrub@var-lib-archbuild.timer"
#systemctl_enable_start "btrfs-scrub@var-lib-docker.timer"
#systemctl_enable_start "docker.socket"
#systemctl_enable_start "earlyoom.service"
systemctl_enable_start "fstrim.timer"
systemctl_enable_start "iwd.service"
#systemctl_enable_start "linux-modules-cleanup.service"
#systemctl_enable_start "lenovo_fix.service"
#systemctl_enable_start "nftables.service"
systemctl_enable_start "pcscd.socket"
#systemctl_enable_start "reflector.timer"
#systemctl_enable_start "snapper-cleanup.timer"
#systemctl_enable_start "system-dotfiles-sync.timer"
systemctl_enable_start "systemd-networkd.socket"
systemctl_enable_start "systemd-resolved.service"
systemctl_enable_start "systemd-timesyncd"
#systemctl_enable_start "tlp.service"
#if [ ! -s "/etc/usbguard/rules.conf" ]; then
# echo >&2 "=== Remember to set usbguard rules: usbguard generate-policy >! /etc/usbguard/rules.conf"
#else
# chmod 600 /etc/usbguard/rules.conf
# systemctl_enable_start "usbguard.service"
# systemctl_enable_start "usbguard-dbus.service"
#fi
#systemctl_enable_start "backup-repo@pkgbuild.timer"
#echo ""
#echo "==============================="
#echo "Creating top level Trash dir..."
#echo "==============================="
#mkdir --parent /.Trash
#chmod a+rw /.Trash
#chmod +t /.Trash
#echo "Done"
echo ""
echo "======================================="
echo "Finishing various user configuration..."
echo "======================================="
if is_chroot; then
echo >&2 "=== Running in chroot, skipping /etc/resolv.conf setup..."
else
echo "Configuring /etc/resolv.conf"
ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
fi
echo "Configuring NTP"
timedatectl set-ntp true
echo "Configuring aurutils"
ln -sf /etc/pacman.conf /etc/aurutils/pacman-tobias-local.conf
PLYMOUTH_THEME="spinner"
if [ "$(plymouth-set-default-theme)" != "$PLYMOUTH_THEME" ]; then
echo "Configuring plymouth"
plymouth-set-default-theme "$PLYMOUTH_THEME"
fi
echo "Configuring mkinitcpio + secure boot"
mkinitcpio -P
if [ ! -s "/etc/arch-secure-boot/keys/PK.auth" ]; then
arch-secure-boot initial-setup
else
arch-secure-boot generate-efi
fi
if [ ! -f /efi/EFI/secureboot/KeyTool-signed.efi ]; then
echo "Preparing KeyTool to allow install PK key"
mkdir -p /efi/EFI/secureboot
sbsign --key /etc/arch-secure-boot/keys/db.key --cert /etc/arch-secure-boot/keys/db.crt --output /efi/EFI/secureboot/KeyTool-signed.efi /usr/share/efitools/efi/KeyTool.efi
cp /etc/secureboot/keys/PK/PK.auth /efi/EFI/secureboot/PK.auth
mount="$(findmnt -n -o SOURCE -T "/efi")"
partition="${mount##*[!0-9]}"
entry="/EFI/secureboot/KeyTool-signed.efi"
efibootmgr -d "$mount" -p "$partition" -c -l "${entry//\//\\}" -L "KeyTool"
echo "Reboot into KeyTool and install PK key (EFI/secureboot/PK.auth) to UEFI"
fi