add bluetooth + move to run_once scripts

This commit is contained in:
Tobias Strobel 2022-03-06 15:44:09 +01:00
parent 70c042bf6a
commit a8c59e69cb
6 changed files with 336 additions and 413 deletions


@ -1,328 +0,0 @@
#!/usr/bin/env bash
#
# Arch Linux installation
#
# Bootable USB:
# - [Download](https://archlinux.org/download/) ISO and GPG files
# - Verify the ISO file: `$ pacman-key -v archlinux-<version>-x86_64.iso.sig`
# - Create a bootable USB with: `# dd if=archlinux*.iso of=/dev/sdX && sync`
#
# UEFI setup:
#
# - Set boot mode to UEFI, disable Legacy mode entirely.
# - Temporarily disable Secure Boot.
# - Make sure a strong UEFI administrator password is set.
# - Delete preloaded OEM keys for Secure Boot, allow custom ones.
# - Set SATA operation to AHCI mode.
#
# Run installation:
#
# - Connect to wifi via: `# iwctl station wlan0 connect WIFI-NETWORK`
# - Run: `# bash <(curl -sL https://link.rafe.li/dot)`
#
# WARNING: this script will destroy data on the selected disk.
#
set -uo pipefail
trap 's=$?; echo "$0: Error on line "$LINENO": $BASH_COMMAND"; exit $s' ERR
exec 1> >(tee "stdout.log")
exec 2> >(tee "stderr.log" >&2)
export SNAP_PAC_SKIP=y
# Dialog
BACKTITLE="Arch Linux installation"
get_input() {
title="$1"
description="$2"
input=$(dialog --clear --stdout --backtitle "$BACKTITLE" --title "$title" --inputbox "$description" 0 0)
echo "$input"
}
get_password() {
title="$1"
description="$2"
while : ; do
init_pass=$(dialog --clear --stdout --backtitle "$BACKTITLE" --title "$title" --passwordbox "$description" 0 0)
: "${init_pass:?dialog --clear --stdout --backtitle "$BACKTITLE" --title "$title" --msgbox "Password cannot be empty.\nTry again." 0 0}"
test_pass=$(dialog --clear --stdout --backtitle "$BACKTITLE" --title "$title" --passwordbox "$description again" 0 0)
if [[ "$init_pass" != "$test_pass" ]]; then
dialog --clear --stdout --backtitle "$BACKTITLE" --title "$title" --msgbox "Passwords did not match.\nTry again." 0 0
else
break
fi
done
echo "$init_pass"
}
get_choice() {
title="$1"
description="$2"
shift 2
options=("$@")
dialog --clear --stdout --backtitle "$BACKTITLE" --title "$title" --menu "$description" 0 0 0 "${options[@]}"
}
echo -e "\n### Checking UEFI boot mode"
if [ ! -f /sys/firmware/efi/fw_platform_size ]; then
echo >&2 "You must boot in UEFI mode to continue"
exit 2
fi
echo -e "\n### Ensure the system clock is accurate"
timedatectl set-ntp true
hwclock --systohc --utc
echo -e "\n### Setting keyboard layout to de-latin1"
loadkeys de-latin1
echo -e "\n### Installing additional tools"
pacman -Sy --noconfirm --needed git reflector terminus-font dialog wget
echo -e "\n### HiDPI screens"
noyes=("Yes" "The font is too small" "No" "The font size is just fine")
hidpi=$(get_choice "Font size" "Is your screen HiDPI?" "${noyes[@]}") || exit 1
clear
[[ "$hidpi" == "Yes" ]] && font="ter-132n" || font="ter-716n"
setfont "$font"
hostname=$(get_input "Hostname" "Enter hostname") || exit 1
clear
: "${hostname:?"hostname cannot be empty"}"
user=$(get_input "User" "Enter username") || exit 1
clear
: "${user:?"user cannot be empty"}"
password=$(get_password "User" "Enter password") || exit 1
clear
: "${password:?"password cannot be empty"}"
devicelist=$(lsblk -dplnx size -o name,size | grep -Ev "boot|rpmb|loop" | tac | tr '\n' ' ')
read -r -a devicelist <<< "$devicelist"
device=$(get_choice "Installation" "Select installation disk" "${devicelist[@]}") || exit 1
clear
echo -e "\n### Setting up fastest mirrors"
reflector --country 'Germany,France,' --protocol https --sort rate --save /etc/pacman.d/mirrorlist
echo -e "\n### Setting up partitions"
umount -R /mnt 2> /dev/null || true
cryptsetup luksClose luks 2> /dev/null || true
lsblk -plnx size -o name "${device}" | xargs -n1 wipefs --all
sgdisk --clear "${device}" --new 1::-551MiB "${device}" --new 2::0 --typecode 2:ef00 "${device}"
sgdisk --change-name=1:primary --change-name=2:ESP "${device}"
part_root="$(ls "${device}"* | grep -E "^${device}p?1$")"
part_boot="$(ls "${device}"* | grep -E "^${device}p?2$")"
echo -e "\n### Formatting partitions"
mkfs.vfat -n "EFI" -F 32 "${part_boot}"
echo -n "${password}" | cryptsetup luksFormat --type luks2 --pbkdf argon2id --label luks "${part_root}"
echo -n "${password}" | cryptsetup luksOpen --allow-discards --persistent "${part_root}" luks
mkfs.btrfs -L btrfs /dev/mapper/luks
echo -e "\n### Setting up BTRFS subvolumes"
mount /dev/mapper/luks /mnt
btrfs subvolume create /mnt/root
btrfs subvolume create /mnt/home
btrfs subvolume create /mnt/pkgs
btrfs subvolume create /mnt/aurbuild
btrfs subvolume create /mnt/archbuild
btrfs subvolume create /mnt/docker
btrfs subvolume create /mnt/logs
btrfs subvolume create /mnt/temp
btrfs subvolume create /mnt/swap
btrfs subvolume create /mnt/snapshots
umount /mnt
mount -o noatime,compress=zstd,subvol=root /dev/mapper/luks /mnt
mkdir -p /mnt/{mnt/btrfs-root,efi,home,var/{cache/pacman,log,tmp,lib/{aurbuild,archbuild,docker}},swap,.snapshots}
mount "${part_boot}" /mnt/efi
mount -o noatime,compress=zstd,subvol=/ /dev/mapper/luks /mnt/mnt/btrfs-root
mount -o noatime,compress=zstd,subvol=home /dev/mapper/luks /mnt/home
mount -o noatime,compress=zstd,subvol=pkgs /dev/mapper/luks /mnt/var/cache/pacman
mount -o noatime,compress=zstd,subvol=aurbuild /dev/mapper/luks /mnt/var/lib/aurbuild
mount -o noatime,compress=zstd,subvol=archbuild /dev/mapper/luks /mnt/var/lib/archbuild
mount -o noatime,compress=zstd,subvol=docker /dev/mapper/luks /mnt/var/lib/docker
mount -o noatime,compress=zstd,subvol=logs /dev/mapper/luks /mnt/var/log
mount -o noatime,compress=zstd,subvol=temp /dev/mapper/luks /mnt/var/tmp
mount -o noatime,compress=zstd,subvol=swap /dev/mapper/luks /mnt/swap
mount -o noatime,compress=zstd,subvol=snapshots /dev/mapper/luks /mnt/.snapshots
echo -e "\n### Configuring custom repo"
mkdir "/mnt/var/cache/pacman/${user}-local"
# if [[ "${user}" == "maximbaz" && "${hostname}" == "home-"* ]]; then
# wget -m -nH -np -q --show-progress --progress=bar:force --reject='index.html*' --cut-dirs=2 -P "/mnt/var/cache/pacman/${user}-local" 'https://pkgbuild.com/~maximbaz/repo/'
# rename -- 'maximbaz.' "${user}-local." "/mnt/var/cache/pacman/${user}-local"/*
# else
repo-add "/mnt/var/cache/pacman/${user}-local/${user}-local.db.tar"
# fi
if ! grep "${user}" /etc/pacman.conf > /dev/null; then
cat >> /etc/pacman.conf << EOF
[${user}-local]
Server = file:///mnt/var/cache/pacman/${user}-local
[maximbaz]
Server = https://pkgbuild.com/~maximbaz/repo
[options]
CacheDir = /mnt/var/cache/pacman/pkg
CacheDir = /mnt/var/cache/pacman/${user}-local
EOF
fi
echo -e "\n### Installing packages"
kernel_packages=(
"linux"
"linux-headers"
"linux-lts"
"linux-firmware"
"intel-ucode"
)
fs_packages=(
"btrfs-progs"
"dosfstools"
"e2fsprogs"
)
network_packages=(
"iwd"
"systemd-resolvconf"
)
basic_packages=(
"man-db"
"man-pages"
"pacman-contrib"
"neovim"
"bash-completion"
"git"
"rsync"
"openssh"
"htop"
"fzf"
"sudo"
)
all_packages=(
${kernel_packages[@]}
${fs_packages[@]}
${network_packages[@]}
${basic_packages[@]}
)
pacstrap /mnt base base-devel arch-secure-boot ${all_packages[@]}
echo -e "\n### Generating base config files"
echo "cryptdevice=PARTLABEL=primary:luks:allow-discards root=LABEL=btrfs rootflags=subvol=root rw quiet mem_sleep_default=deep" > /mnt/etc/kernel/cmdline
genfstab -L /mnt >> /mnt/etc/fstab
echo "FONT=$font" > /mnt/etc/vconsole.conf
echo "KEYMAP=de-latin1" >> /mnt/etc/vconsole.conf
echo "${hostname}" > /mnt/etc/hostname
sed -i 's/^#en_US\.UTF-8/en_US\.UTF-8/' /mnt/etc/locale.gen
sed -i 's/^#de_DE\.UTF-8/de_DE\.UTF-8/' /mnt/etc/locale.gen
echo "LANG=en_US.UTF-8" > /mnt/etc/locale.conf
arch-chroot /mnt locale-gen
ln -sf /usr/share/zoneinfo/Europe/Berlin /mnt/etc/localtime
echo "$hostname" > /mnt/etc/hostname
echo -e "127.0.0.1\tlocalhost" >>/mnt/etc/hosts
echo -e "127.0.1.1\t$hostname" >>/mnt/etc/hosts
echo -e "\n::1\tlocalhost" >>/mnt/etc/hosts
# Propagate the systemd-resolved managed configuration to all clients (stub mode)
ln -sf /run/systemd/resolve/stub-resolv.conf /mnt/etc/resolv.conf
cat >/mnt/etc/systemd/network/20-wired.network <<EOF
[Match]
Name=en*
[Network]
DHCP=yes
[DHCPv4]
RouteMetric=10
UseDomains=true
[IPv6AcceptRA]
RouteMetric=10
UseDomains=yes
EOF
cat >/mnt/etc/systemd/network/25-wireless.network <<EOF
[Match]
Name=wl*
[Network]
DHCP=yes
[DHCPv4]
RouteMetric=20
UseDomains=true
[IPv6AcceptRA]
RouteMetric=20
UseDomains=yes
EOF
mkdir -p /mnt/etc/iwd
cat >/mnt/etc/iwd/main.conf <<EOF
[General]
EnableNetworkConfiguration=true
[Network]
EnableIPv6=true
EOF
arch-chroot /mnt systemctl enable systemd-timesyncd fstrim.timer systemd-networkd systemd-resolved iwd
cat >/mnt/etc/mkinitcpio.conf <<EOF
MODULES=(i915)
BINARIES=(/usr/bin/btrfs)
FILES=()
HOOKS=(base consolefont udev autodetect keyboard keymap modconf block encrypt filesystems fsck shutdown)
EOF
arch-chroot /mnt mkinitcpio -p linux
arch-chroot /mnt arch-secure-boot initial-setup
echo -e "\n### Configuring swap file"
swap_size=$(free --mebi | awk '/Mem:/ {print $2}')
swap_end=$(( $swap_size + 129 + 1 ))MiB
truncate -s 0 /mnt/swap/swapfile
chattr +C /mnt/swap/swapfile
btrfs property set /mnt/swap/swapfile compression none
fallocate -l $swap_end /mnt/swap/swapfile
chmod 600 /mnt/swap/swapfile
mkswap /mnt/swap/swapfile
echo "/swap/swapfile none swap defaults 0 0" >> /mnt/etc/fstab
# sudo
#sed -i 's/# \(%wheel ALL=(ALL:ALL) ALL\)/\1/' /mnt/etc/sudoers
echo -e "\n### Creating user"
arch-chroot /mnt useradd -m "$user"
for group in wheel network video audio input storage power; do
arch-chroot /mnt groupadd -rf "$group"
arch-chroot /mnt gpasswd -a "$user" "$group"
done
echo "$user:$password" | arch-chroot /mnt chpasswd
# disable root login
arch-chroot /mnt passwd -dl root
echo -e "\n### Setting permissions on the custom repo"
arch-chroot /mnt chown -R "$user:$user" "/var/cache/pacman/${user}-local/"
echo -e "\n### Reboot now, and after power off remember to unplug the installation USB"


@ -36,9 +36,9 @@ output * bg /usr/share/backgrounds/sway/Sway_Wallpaper_Blue_1920x1080.png fill
# Example configuration: # Example configuration:
# #
exec swayidle -w \ exec swayidle -w \
timeout 300 'swaylock -f -c 3c3c3c' \ timeout 300 'swaylock -f -c 1e1e1e' \
timeout 600 'swaymsg "output * dpms off"' resume 'swaymsg "output * dpms on"' \ timeout 600 'swaymsg "output * dpms off"' resume 'swaymsg "output * dpms on"' \
before-sleep 'swaylock -f -c 3c3c3c' before-sleep 'swaylock -f -c 1e1e1e'
# #
# This will lock your screen after 300 seconds of inactivity, then turn off # This will lock your screen after 300 seconds of inactivity, then turn off
# your displays after another 300 seconds, and turn your screens back on when # your displays after another 300 seconds, and turn your screens back on when

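--- /dev/null
+++ b/etc/bluetooth/main.conf
@@ -0,0 +1,294 @@
+[General]
+# Default adapter name
+# Defaults to 'BlueZ X.YZ'
+#Name = BlueZ
+# Default device class. Only the major and minor device class bits are
+# considered. Defaults to '0x000000'.
+#Class = 0x000100
+# How long to stay in discoverable mode before going back to non-discoverable
+# The value is in seconds. Default is 180, i.e. 3 minutes.
+# 0 = disable timer, i.e. stay discoverable forever
+#DiscoverableTimeout = 0
+# Always allow pairing even if there are no agent registered
+# Possible values: true, false
+# Default: false
+#AlwaysPairable = false
+# How long to stay in pairable mode before going back to non-discoverable
+# The value is in seconds. Default is 0.
+# 0 = disable timer, i.e. stay pairable forever
+#PairableTimeout = 0
+# Use vendor id source (assigner), vendor, product and version information for
+# DID profile support. The values are separated by ":" and assigner, VID, PID
+# and version.
+# Possible vendor id source values: bluetooth, usb (default) or false (disabled)
+#DeviceID = bluetooth:1234:5678:abcd
+# Do reverse service discovery for previously unknown devices that connect to
+# us. For BR/EDR this option is really only needed for qualification since the
+# BITE tester doesn't like us doing reverse SDP for some test cases, for LE
+# this disables the GATT client functionally so it can be used in system which
+# can only operate as peripheral.
+# Defaults to 'true'.
+#ReverseServiceDiscovery = true
+# Enable name resolving after inquiry. Set it to 'false' if you don't need
+# remote devices name and want shorter discovery cycle. Defaults to 'true'.
+#NameResolving = true
+# Enable runtime persistency of debug link keys. Default is false which
+# makes debug link keys valid only for the duration of the connection
+# that they were created for.
+#DebugKeys = false
+# Restricts all controllers to the specified transport. Default value
+# is "dual", i.e. both BR/EDR and LE enabled (when supported by the HW).
+# Possible values: "dual", "bredr", "le"
+#ControllerMode = dual
+# Enables Multi Profile Specification support. This allows to specify if
+# system supports only Multiple Profiles Single Device (MPSD) configuration
+# or both Multiple Profiles Single Device (MPSD) and Multiple Profiles Multiple
+# Devices (MPMD) configurations.
+# Possible values: "off", "single", "multiple"
+#MultiProfile = off
+# Permanently enables the Fast Connectable setting for adapters that
+# support it. When enabled other devices can connect faster to us,
+# however the tradeoff is increased power consumptions. This feature
+# will fully work only on kernel version 4.1 and newer. Defaults to
+# 'false'.
+FastConnectable = true
+# Default privacy setting.
+# Enables use of private address.
+# Possible values for LE mode: "off", "network/on", "device"
+# Possible values for Dual mode: "off", "network/on", "device",
+# "limited-network", "limited-device"
+#
+# - off: Local privacy disabled.
+#
+# - network/on: A device will only accept advertising packets from peer
+# devices that contain private addresses. It may not be compatible with some
+# legacy devices since it requires the use of RPA(s) all the time.
+#
+# - device: A device in device privacy mode is only concerned about the
+# privacy of the device and will accept advertising packets from peer devices
+# that contain their Identity Address as well as ones that contain a private
+# address, even if the peer device has distributed its IRK in the past.
+# - limited-network: Apply Limited Discoverable Mode to advertising, which
+# follows the same policy as to BR/EDR that publishes the identity address when
+# discoverable, and Network Privacy Mode for scanning.
+#
+# - limited-device: Apply Limited Discoverable Mode to advertising, which
+# follows the same policy as to BR/EDR that publishes the identity address when
+# discoverable, and Device Privacy Mode for scanning.
+#
+# Defaults to "off"
+#Privacy = off
+# Specify the policy to the JUST-WORKS repairing initiated by peer
+# Possible values: "never", "confirm", "always"
+# Defaults to "never"
+#JustWorksRepairing = never
+# How long to keep temporary devices around
+# The value is in seconds. Default is 30.
+# 0 = disable timer, i.e. never keep temporary devices
+#TemporaryTimeout = 30
+# Enables the device to issue an SDP request to update known services when
+# profile is connected. Defaults to true.
+#RefreshDiscovery = true
+# Enables experimental features and interfaces, alternatively a list of UUIDs
+# can be given.
+# Possible values: true,false,<UUID List>
+# Possible UUIDS:
+# d4992530-b9ec-469f-ab01-6c481c47da1c (BlueZ Experimental Debug)
+# 671b10b5-42c0-4696-9227-eb28d1b049d6 (BlueZ Experimental Simultaneous Central and Peripheral)
+# 15c0a148-c273-11ea-b3de-0242ac130004 (BlueZ Experimental LL privacy)
+# 330859bc-7506-492d-9370-9a6f0614037f (BlueZ Experimental Bluetooth Quality Report)
+# a6695ace-ee7f-4fb9-881a-5fac66c629af (BlueZ Experimental Offload Codecs)
+# Defaults to false.
+#Experimental = false
+# The duration to avoid retrying to resolve a peer's name, if the previous
+# try failed.
+# The value is in seconds. Default is 300, i.e. 5 minutes.
+#RemoteNameRequestRetryDelay = 300
+[BR]
+# The following values are used to load default adapter parameters for BR/EDR.
+# BlueZ loads the values into the kernel before the adapter is powered if the
+# kernel supports the MGMT_LOAD_DEFAULT_PARAMETERS command. If a value isn't
+# provided, the kernel will be initialized to it's default value. The actual
+# value will vary based on the kernel version and thus aren't provided here.
+# The Bluetooth Core Specification should be consulted for the meaning and valid
+# domain of each of these values.
+# BR/EDR Page scan activity configuration
+#PageScanType=
+#PageScanInterval=
+#PageScanWindow=
+# BR/EDR Inquiry scan activity configuration
+#InquiryScanType=
+#InquiryScanInterval=
+#InquiryScanWindow=
+# BR/EDR Link supervision timeout
+#LinkSupervisionTimeout=
+# BR/EDR Page Timeout
+#PageTimeout=
+# BR/EDR Sniff Intervals
+#MinSniffInterval=
+#MaxSniffInterval=
+[LE]
+# The following values are used to load default adapter parameters for LE.
+# BlueZ loads the values into the kernel before the adapter is powered if the
+# kernel supports the MGMT_LOAD_DEFAULT_PARAMETERS command. If a value isn't
+# provided, the kernel will be initialized to it's default value. The actual
+# value will vary based on the kernel version and thus aren't provided here.
+# The Bluetooth Core Specification should be consulted for the meaning and valid
+# domain of each of these values.
+# LE advertisement interval (used for legacy advertisement interface only)
+#MinAdvertisementInterval=
+#MaxAdvertisementInterval=
+#MultiAdvertisementRotationInterval=
+# LE scanning parameters used for passive scanning supporting auto connect
+# scenarios
+#ScanIntervalAutoConnect=
+#ScanWindowAutoConnect=
+# LE scanning parameters used for passive scanning supporting wake from suspend
+# scenarios
+#ScanIntervalSuspend=
+#ScanWindowSuspend=
+# LE scanning parameters used for active scanning supporting discovery
+# proceedure
+#ScanIntervalDiscovery=
+#ScanWindowDiscovery=
+# LE scanning parameters used for passive scanning supporting the advertisement
+# monitor Apis
+#ScanIntervalAdvMonitor=
+#ScanWindowAdvMonitor=
+# LE scanning parameters used for connection establishment.
+#ScanIntervalConnect=
+#ScanWindowConnect=
+# LE default connection parameters. These values are superceeded by any
+# specific values provided via the Load Connection Parameters interface
+#MinConnectionInterval=
+#MaxConnectionInterval=
+#ConnectionLatency=
+#ConnectionSupervisionTimeout=
+#Autoconnecttimeout=
+# Scan duration during interleaving scan. Only used when scanning for ADV
+# monitors. The units are msec.
+# Default: 300
+#AdvMonAllowlistScanDuration=
+# Default: 500
+#AdvMonNoFilterScanDuration=
+# Enable/Disable Advertisement Monitor interleave scan for power saving.
+# 0: disable
+# 1: enable
+# Defaults to 1
+#EnableAdvMonInterleaveScan=
+[GATT]
+# GATT attribute cache.
+# Possible values:
+# always: Always cache attributes even for devices not paired, this is
+# recommended as it is best for interoperability, with more consistent
+# reconnection times and enables proper tracking of notifications for all
+# devices.
+# yes: Only cache attributes of paired devices.
+# no: Never cache attributes
+# Default: always
+#Cache = always
+# Minimum required Encryption Key Size for accessing secured characteristics.
+# Possible values: 0 and 7-16. 0 means don't care.
+# Defaults to 0
+#KeySize = 0
+# Exchange MTU size.
+# Possible values: 23-517
+# Defaults to 517
+#ExchangeMTU = 517
+# Number of ATT channels
+# Possible values: 1-5 (1 disables EATT)
+# Default to 3
+#Channels = 3
+[AVDTP]
+# AVDTP L2CAP Signalling Channel Mode.
+# Possible values:
+# basic: Use L2CAP Basic Mode
+# ertm: Use L2CAP Enhanced Retransmission Mode
+#SessionMode = basic
+# AVDTP L2CAP Transport Channel Mode.
+# Possible values:
+# basic: Use L2CAP Basic Mode
+# streaming: Use L2CAP Streaming Mode
+#StreamMode = basic
+[Policy]
+#
+# The ReconnectUUIDs defines the set of remote services that should try
+# to be reconnected to in case of a link loss (link supervision
+# timeout). The policy plugin should contain a sane set of values by
+# default, but this list can be overridden here. By setting the list to
+# empty the reconnection feature gets disabled.
+#ReconnectUUIDs=00001112-0000-1000-8000-00805f9b34fb,0000111f-0000-1000-8000-00805f9b34fb,0000110a-0000-1000-8000-00805f9b34fb,0000110b-0000-1000-8000-00805f9b34fb
+# ReconnectAttempts define the number of attempts to reconnect after a link
+# lost. Setting the value to 0 disables reconnecting feature.
+#ReconnectAttempts=7
+# ReconnectIntervals define the set of intervals in seconds to use in between
+# attempts.
+# If the number of attempts defined in ReconnectAttempts is bigger than the
+# set of intervals the last interval is repeated until the last attempt.
+#ReconnectIntervals=1,2,4,8,16,32,64
+# AutoEnable defines option to enable all controllers when they are found.
+# This includes adapters present on start as well as adapters that are plugged
+# in later on. Defaults to 'false'.
+AutoEnable=true
+# Audio devices that were disconnected due to suspend will be reconnected on
+# resume. ResumeDelay determines the delay between when the controller
+# resumes from suspend and a connection attempt is made. A longer delay is
+# better for better co-existence with Wi-Fi.
+# The value is in seconds.
+# Default: 2
+#ResumeDelay = 2
+[AdvMon]
+# Default RSSI Sampling Period. This is used when a client registers an
+# advertisement monitor and leaves the RSSISamplingPeriod unset.
+# Possible values:
+# 0x00 Report all advertisements
+# N = 0xXX Report advertisements every N x 100 msec (range: 0x01 to 0xFE)
+# 0xFF Report only one advertisement per device during monitoring period
+# Default: 0xFF
+#RSSISamplingPeriod=0xFF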
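Review bot: `AutoEnable=true` under [Policy] powers on every controller, including ones hot-plugged later, as soon as bluetoothd starts, and `FastConnectable = true` under [General] keeps the adapter cheaply reachable, so the radio is live from boot with only the upstream defaults governing discoverability and privacy. Those defaults are mostly sane (DiscoverableTimeout 180, AlwaysPairable false, JustWorksRepairing never), but `#Privacy = off` leaves the LE address static and trackable and `#KeySize = 0` under [GATT] accepts any encryption key size on secured characteristics. Consider `Privacy = device` in [General] and `KeySize = 16` in [GATT] if the peripherals in use tolerate them, and add a one-line comment next to AutoEnable saying why powering the adapter on demand was not preferred. This looks like the stock BlueZ main.conf with two lines changed, so a short header comment naming the deviations from upstream would make future merges of the upstream file easier to review.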


@ -225,6 +225,9 @@ basic_packages=(
"docbook-xls" # depenency of plymouth-git "docbook-xls" # depenency of plymouth-git
"efitools" # provides KeyTool "efitools" # provides KeyTool
"libfido2" # for systemd-cryptenroll "libfido2" # for systemd-cryptenroll
"bluez"
"bluez-utils"
"usbutils" # for lsusb
) )
all_packages=( all_packages=(
${kernel_packages[@]} ${kernel_packages[@]}
@ -233,10 +236,9 @@ all_packages=(
${basic_packages[@]} ${basic_packages[@]}
) )
pacstrap /mnt base base-devel arch-secure-boot ${all_packages[@]} pacstrap /mnt base base-devel arch-secure-boot chezmoi ${all_packages[@]}
echo -e "\n### Generating base config files" echo -e "\n### Generating base config files"
echo "cryptdevice=PARTLABEL=primary:luks:allow-discards root=LABEL=btrfs rootflags=subvol=root rw quiet mem_sleep_default=deep" > /mnt/etc/kernel/cmdline
genfstab -L /mnt >> /mnt/etc/fstab genfstab -L /mnt >> /mnt/etc/fstab
@ -255,62 +257,6 @@ echo -e "127.0.0.1\tlocalhost" >>/mnt/etc/hosts
echo -e "127.0.1.1\t$hostname" >>/mnt/etc/hosts echo -e "127.0.1.1\t$hostname" >>/mnt/etc/hosts
echo -e "\n::1\tlocalhost" >>/mnt/etc/hosts echo -e "\n::1\tlocalhost" >>/mnt/etc/hosts
# Propagate the systemd-resolved managed configuration to all clients (stub mode)
ln -sf /run/systemd/resolve/stub-resolv.conf /mnt/etc/resolv.conf
cat >/mnt/etc/systemd/network/20-wired.network <<EOF
[Match]
Name=en*
[Network]
DHCP=yes
[DHCPv4]
RouteMetric=10
UseDomains=true
[IPv6AcceptRA]
RouteMetric=10
UseDomains=yes
EOF
cat >/mnt/etc/systemd/network/25-wireless.network <<EOF
[Match]
Name=wl*
[Network]
DHCP=yes
[DHCPv4]
RouteMetric=20
UseDomains=true
[IPv6AcceptRA]
RouteMetric=20
UseDomains=yes
EOF
mkdir -p /mnt/etc/iwd
cat >/mnt/etc/iwd/main.conf <<EOF
[General]
EnableNetworkConfiguration=true
[Network]
EnableIPv6=true
EOF
arch-chroot /mnt systemctl enable systemd-timesyncd fstrim.timer systemd-networkd systemd-resolved iwd
cat >/mnt/etc/mkinitcpio.conf <<EOF
MODULES=(i915)
BINARIES=(/usr/bin/btrfs)
FILES=()
HOOKS=(base consolefont udev autodetect keyboard keymap modconf block encrypt filesystems fsck shutdown)
EOF
arch-chroot /mnt mkinitcpio -p linux
arch-chroot /mnt arch-secure-boot initial-setup
echo -e "\n### Configuring swap file" echo -e "\n### Configuring swap file"
swap_size=$(free --mebi | awk '/Mem:/ {print $2}') swap_size=$(free --mebi | awk '/Mem:/ {print $2}')
swap_end=$(( $swap_size + 129 + 1 ))MiB swap_end=$(( $swap_size + 129 + 1 ))MiB
@ -336,11 +282,7 @@ arch-chroot /mnt passwd -dl root
echo -e "\n### Setting permissions on the custom repo" echo -e "\n### Setting permissions on the custom repo"
arch-chroot /mnt chown -R "$user:$user" "/var/cache/pacman/${user}-local/" arch-chroot /mnt chown -R "$user:$user" "/var/cache/pacman/${user}-local/"
echo -e "\n### Cloning dotfiles" echo -e "\n### Cloning dotfiles and running initial setup"
arch-chroot /mnt sudo -u $user bash -c 'git clone --recursive https://code.strobeto.de/strobeltobias/dotfiles.git ~/.dotfiles' arch-chroot /mnt sudo -u $user sh -c 'chezmoi init --apply https://code.strobeto.de/strobeltobias/dotfiles.git && chezmoi state delete-bucket --bucket=scriptState'
echo -e "\n### Running initial setup" echo -e "\n### DONE - reboot and re-run 'chezmoi apply' to complete system setup"
arch-chroot /mnt /home/$user/.dotfiles/setup-system.sh
arch-chroot /mnt sudo -u $user /home/$user/.dotfiles/setup-user.sh
echo -e "\n### DONE - reboot and re-run both ~/.local/share/chezmoi/setup-*.sh scripts"
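Review bot: `chezmoi init --apply https://code.strobeto.de/strobeltobias/dotfiles.git` on the new side of the last hunk clones and executes whatever the remote's default branch points to at install time, with no tag, commit or signature check, and the mkinitcpio and `arch-secure-boot initial-setup` calls that the previous hunk deletes from this installer are presumably now done by those run_once scripts, so the bootability of the encrypted root also depends on that unpinned remote. Pin the source, e.g. `chezmoi init --apply --branch <release-tag> https://code.strobeto.de/strobeltobias/dotfiles.git`, or verify the checked-out commit after init, so a moved or compromised branch cannot change what runs inside the chroot. The following `chezmoi state delete-bucket --bucket=scriptState` makes every run_once_ script execute again on the post-reboot `chezmoi apply` the final echo asks for, which is only safe if each of those scripts is idempotent; a comment on that line stating this intent would help. The enclosing script begins before the first hunk and its earlier hunks cut through the package arrays.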


@ -38,7 +38,7 @@ copy() {
if [ -z "$reverse" ]; then if [ -z "$reverse" ]; then
[ -n "$2" ] && chmod "$2" "$dest_file" [ -n "$2" ] && chmod "$2" "$dest_file"
else else
chown -R tobias "$dest_file" chown -R $USER "$dest_file"
fi fi
echo "$dest_file <= $orig_file" echo "$dest_file <= $orig_file"
} }
@ -67,7 +67,7 @@ copy "etc/kernel/cmdline"
copy "etc/sysctl.d/20-quiet-printk.conf" copy "etc/sysctl.d/20-quiet-printk.conf"
copy "etc/modprobe.d/i915.conf" copy "etc/modprobe.d/i915.conf"
#copy "etc/aurutils/pacman-x86_64.conf" #copy "etc/aurutils/pacman-x86_64.conf"
#copy "etc/bluetooth/main.conf" copy "etc/bluetooth/main.conf"
#copy "etc/conf.d/snapper" #copy "etc/conf.d/snapper"
#copy "etc/default/earlyoom" #copy "etc/default/earlyoom"
#copy "etc/docker/daemon.json" #copy "etc/docker/daemon.json"
@ -113,7 +113,7 @@ echo "================================="
sysctl --system > /dev/null sysctl --system > /dev/null
systemctl daemon-reload systemctl daemon-reload
#systemctl_enable_start "bluetooth.service" systemctl_enable_start "bluetooth.service"
#systemctl_enable_start "btrfs-scrub@-.timer" #systemctl_enable_start "btrfs-scrub@-.timer"
#systemctl_enable_start "btrfs-scrub@mnt-btrfs\x2droot.timer" #systemctl_enable_start "btrfs-scrub@mnt-btrfs\x2droot.timer"
#systemctl_enable_start "btrfs-scrub@home.timer" #systemctl_enable_start "btrfs-scrub@home.timer"
@ -126,8 +126,8 @@ systemctl daemon-reload
#systemctl_enable_start "btrfs-scrub@var-lib-docker.timer" #systemctl_enable_start "btrfs-scrub@var-lib-docker.timer"
#systemctl_enable_start "docker.socket" #systemctl_enable_start "docker.socket"
#systemctl_enable_start "earlyoom.service" #systemctl_enable_start "earlyoom.service"
#systemctl_enable_start "fstrim.timer" systemctl_enable_start "fstrim.timer"
#systemctl_enable_start "iwd.service" systemctl_enable_start "iwd.service"
#systemctl_enable_start "linux-modules-cleanup.service" #systemctl_enable_start "linux-modules-cleanup.service"
#systemctl_enable_start "lenovo_fix.service" #systemctl_enable_start "lenovo_fix.service"
#systemctl_enable_start "nftables.service" #systemctl_enable_start "nftables.service"
@ -135,8 +135,9 @@ systemctl daemon-reload
#systemctl_enable_start "reflector.timer" #systemctl_enable_start "reflector.timer"
#systemctl_enable_start "snapper-cleanup.timer" #systemctl_enable_start "snapper-cleanup.timer"
#systemctl_enable_start "system-dotfiles-sync.timer" #systemctl_enable_start "system-dotfiles-sync.timer"
#systemctl_enable_start "systemd-networkd.socket" systemctl_enable_start "systemd-networkd.socket"
#systemctl_enable_start "systemd-resolved.service" systemctl_enable_start "systemd-resolved.service"
systemctl_enable_start "systemd-timesyncd"
#systemctl_enable_start "tlp.service" #systemctl_enable_start "tlp.service"
#if [ ! -s "/etc/usbguard/rules.conf" ]; then #if [ ! -s "/etc/usbguard/rules.conf" ]; then
@ -176,16 +177,30 @@ timedatectl set-ntp true
echo "Configuring aurutils" echo "Configuring aurutils"
ln -sf /etc/pacman.conf /etc/aurutils/pacman-tobias-local.conf ln -sf /etc/pacman.conf /etc/aurutils/pacman-tobias-local.conf
echo "Configuring plymouth" PLYMOUTH_THEME="spinner"
plymouth-set-default-theme -R spinner && arch-secure-boot generate-efi if [ "$(plymouth-set-default-theme)" != "$PLYMOUTH_THEME" ]; then
echo "Configuring plymouth"
plymouth-set-default-theme "$PLYMOUTH_THEME"
fi
echo "Preparing KeyTool to allow install PK key" echo "Configuring mkinitcpio + secure boot"
mkdir -p /efi/EFI/secureboot
sbsign --key /etc/arch-secure-boot/keys/db.key --cert /etc/arch-secure-boot/keys/db.crt --output /efi/EFI/secureboot/KeyTool-signed.efi /usr/share/efitools/efi/KeyTool.efi
cp /etc/secureboot/keys/PK/PK.auth /efi/EFI/secureboot/PK.auth
mount="$(findmnt -n -o SOURCE -T "/efi")"
partition="${mount##*[!0-9]}"
entry="/EFI/secureboot/KeyTool-signed.efi"
efibootmgr -d "$mount" -p "$partition" -c -l "${entry//\//\\}" -L "KeyTool"
echo "Reboot into KeyTool and install PK key (EFI/secureboot/PK.auth) to UEFI" mkinitcpio -P
if [ ! -s "/etc/arch-secure-boot/keys/PK.auth" ]; then
arch-secure-boot initial-setup
else
arch-secure-boot generate-efi
fi
if [ ! -f /efi/EFI/secureboot/KeyTool-signed.efi ]; then
echo "Preparing KeyTool to allow install PK key"
mkdir -p /efi/EFI/secureboot
sbsign --key /etc/arch-secure-boot/keys/db.key --cert /etc/arch-secure-boot/keys/db.crt --output /efi/EFI/secureboot/KeyTool-signed.efi /usr/share/efitools/efi/KeyTool.efi
cp /etc/secureboot/keys/PK/PK.auth /efi/EFI/secureboot/PK.auth
mount="$(findmnt -n -o SOURCE -T "/efi")"
partition="${mount##*[!0-9]}"
entry="/EFI/secureboot/KeyTool-signed.efi"
efibootmgr -d "$mount" -p "$partition" -c -l "${entry//\//\\}" -L "KeyTool"
echo "Reboot into KeyTool and install PK key (EFI/secureboot/PK.auth) to UEFI"
fi
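Review bot: The new guard `if [ ! -s "/etc/arch-secure-boot/keys/PK.auth" ]` chooses between `arch-secure-boot initial-setup` and `generate-efi`, yet a few lines later the PK is copied from `/etc/secureboot/keys/PK/PK.auth`, a different tree; if the keys really live under /etc/secureboot the guard never finds the file and initial-setup runs on every `chezmoi apply`, which matters if initial-setup regenerates or re-enrolls keys. Use one path for both checks, e.g. `if [ ! -s "/etc/secureboot/keys/PK/PK.auth" ]; then`, or guard on an artifact that initial-setup itself is known to produce. In the first hunk `chown -R $USER "$dest_file"` is unquoted and, when this script runs as root or under sudo, $USER is typically root rather than the login user the hard-coded name stood for; `chown -R "${SUDO_USER:-$USER}" "$dest_file"` keeps the old intent. copy() begins before the first hunk and the script may continue past the last one.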