add bluetooth + move to run_once scripts
parent
70c042bf6a
commit
a8c59e69cb
6 changed files with 336 additions and 413 deletions
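--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -1,328 +0,0 @@
-#!/usr/bin/env bash
-#
-# Arch Linux installation
-#
-# Bootable USB:
-# - [Download](https://archlinux.org/download/) ISO and GPG files
-# - Verify the ISO file: `$ pacman-key -v archlinux-<version>-x86_64.iso.sig`
-# - Create a bootable USB with: `# dd if=archlinux*.iso of=/dev/sdX && sync`
-#
-# UEFI setup:
-#
-# - Set boot mode to UEFI, disable Legacy mode entirely.
-# - Temporarily disable Secure Boot.
-# - Make sure a strong UEFI administrator password is set.
-# - Delete preloaded OEM keys for Secure Boot, allow custom ones.
-# - Set SATA operation to AHCI mode.
-#
-# Run installation:
-#
-# - Connect to wifi via: `# iwctl station wlan0 connect WIFI-NETWORK`
-# - Run: `# bash <(curl -sL https://link.rafe.li/dot)`
-#
-# WARNING: this script will destroy data on the selected disk.
-#
-
-set -uo pipefail
-trap 's=$?; echo "$0: Error on line "$LINENO": $BASH_COMMAND"; exit $s' ERR
-
-exec 1> >(tee "stdout.log")
-exec 2> >(tee "stderr.log" >&2)
-
-export SNAP_PAC_SKIP=y
-
-# Dialog
-BACKTITLE="Arch Linux installation"
-
-get_input() {
-title="$1"
-description="$2"
-
-input=$(dialog --clear --stdout --backtitle "$BACKTITLE" --title "$title" --inputbox "$description" 0 0)
-echo "$input"
-}
-
-get_password() {
-title="$1"
-description="$2"
-while : ; do
-init_pass=$(dialog --clear --stdout --backtitle "$BACKTITLE" --title "$title" --passwordbox "$description" 0 0)
-: "${init_pass:?dialog --clear --stdout --backtitle "$BACKTITLE" --title "$title" --msgbox "Password cannot be empty.\nTry again." 0 0}"
-
-test_pass=$(dialog --clear --stdout --backtitle "$BACKTITLE" --title "$title" --passwordbox "$description again" 0 0)
-if [[ "$init_pass" != "$test_pass" ]]; then
-dialog --clear --stdout --backtitle "$BACKTITLE" --title "$title" --msgbox "Passwords did not match.\nTry again." 0 0
-else
-break
-fi
-done
-echo "$init_pass"
-}
-
-get_choice() {
-title="$1"
-description="$2"
-shift 2
-options=("$@")
-dialog --clear --stdout --backtitle "$BACKTITLE" --title "$title" --menu "$description" 0 0 0 "${options[@]}"
-}
-
-
-echo -e "\n### Checking UEFI boot mode"
-if [ ! -f /sys/firmware/efi/fw_platform_size ]; then
-echo >&2 "You must boot in UEFI mode to continue"
-exit 2
-fi
-
-echo -e "\n### Ensure the system clock is accurate"
-timedatectl set-ntp true
-hwclock --systohc --utc
-
-echo -e "\n### Setting keyboard layout to de-latin1"
-loadkeys de-latin1
-
-echo -e "\n### Installing additional tools"
-pacman -Sy --noconfirm --needed git reflector terminus-font dialog wget
-
-echo -e "\n### HiDPI screens"
-noyes=("Yes" "The font is too small" "No" "The font size is just fine")
-hidpi=$(get_choice "Font size" "Is your screen HiDPI?" "${noyes[@]}") || exit 1
-clear
-[[ "$hidpi" == "Yes" ]] && font="ter-132n" || font="ter-716n"
-setfont "$font"
-
-hostname=$(get_input "Hostname" "Enter hostname") || exit 1
-clear
-: "${hostname:?"hostname cannot be empty"}"
-
-user=$(get_input "User" "Enter username") || exit 1
-clear
-: "${user:?"user cannot be empty"}"
-
-password=$(get_password "User" "Enter password") || exit 1
-clear
-: "${password:?"password cannot be empty"}"
-
-devicelist=$(lsblk -dplnx size -o name,size | grep -Ev "boot|rpmb|loop" | tac | tr '\n' ' ')
-read -r -a devicelist <<< "$devicelist"
-
-device=$(get_choice "Installation" "Select installation disk" "${devicelist[@]}") || exit 1
-
-clear
-
-echo -e "\n### Setting up fastest mirrors"
-reflector --country 'Germany,France,' --protocol https --sort rate --save /etc/pacman.d/mirrorlist
-
-echo -e "\n### Setting up partitions"
-umount -R /mnt 2> /dev/null || true
-cryptsetup luksClose luks 2> /dev/null || true
-
-lsblk -plnx size -o name "${device}" | xargs -n1 wipefs --all
-sgdisk --clear "${device}" --new 1::-551MiB "${device}" --new 2::0 --typecode 2:ef00 "${device}"
-sgdisk --change-name=1:primary --change-name=2:ESP "${device}"
-
-part_root="$(ls "${device}"* | grep -E "^${device}p?1$")"
-part_boot="$(ls "${device}"* | grep -E "^${device}p?2$")"
-
-echo -e "\n### Formatting partitions"
-mkfs.vfat -n "EFI" -F 32 "${part_boot}"
-echo -n "${password}" | cryptsetup luksFormat --type luks2 --pbkdf argon2id --label luks "${part_root}"
-echo -n "${password}" | cryptsetup luksOpen --allow-discards --persistent "${part_root}" luks
-mkfs.btrfs -L btrfs /dev/mapper/luks
-
-echo -e "\n### Setting up BTRFS subvolumes"
-mount /dev/mapper/luks /mnt
-btrfs subvolume create /mnt/root
-btrfs subvolume create /mnt/home
-btrfs subvolume create /mnt/pkgs
-btrfs subvolume create /mnt/aurbuild
-btrfs subvolume create /mnt/archbuild
-btrfs subvolume create /mnt/docker
-btrfs subvolume create /mnt/logs
-btrfs subvolume create /mnt/temp
-btrfs subvolume create /mnt/swap
-btrfs subvolume create /mnt/snapshots
-umount /mnt
-
-mount -o noatime,compress=zstd,subvol=root /dev/mapper/luks /mnt
-mkdir -p /mnt/{mnt/btrfs-root,efi,home,var/{cache/pacman,log,tmp,lib/{aurbuild,archbuild,docker}},swap,.snapshots}
-mount "${part_boot}" /mnt/efi
-mount -o noatime,compress=zstd,subvol=/ /dev/mapper/luks /mnt/mnt/btrfs-root
-mount -o noatime,compress=zstd,subvol=home /dev/mapper/luks /mnt/home
-mount -o noatime,compress=zstd,subvol=pkgs /dev/mapper/luks /mnt/var/cache/pacman
-mount -o noatime,compress=zstd,subvol=aurbuild /dev/mapper/luks /mnt/var/lib/aurbuild
-mount -o noatime,compress=zstd,subvol=archbuild /dev/mapper/luks /mnt/var/lib/archbuild
-mount -o noatime,compress=zstd,subvol=docker /dev/mapper/luks /mnt/var/lib/docker
-mount -o noatime,compress=zstd,subvol=logs /dev/mapper/luks /mnt/var/log
-mount -o noatime,compress=zstd,subvol=temp /dev/mapper/luks /mnt/var/tmp
-mount -o noatime,compress=zstd,subvol=swap /dev/mapper/luks /mnt/swap
-mount -o noatime,compress=zstd,subvol=snapshots /dev/mapper/luks /mnt/.snapshots
-
-echo -e "\n### Configuring custom repo"
-mkdir "/mnt/var/cache/pacman/${user}-local"
-
-# if [[ "${user}" == "maximbaz" && "${hostname}" == "home-"* ]]; then
-# wget -m -nH -np -q --show-progress --progress=bar:force --reject='index.html*' --cut-dirs=2 -P "/mnt/var/cache/pacman/${user}-local" 'https://pkgbuild.com/~maximbaz/repo/'
-# rename -- 'maximbaz.' "${user}-local." "/mnt/var/cache/pacman/${user}-local"/*
-# else
-repo-add "/mnt/var/cache/pacman/${user}-local/${user}-local.db.tar"
-# fi
-
-if ! grep "${user}" /etc/pacman.conf > /dev/null; then
-cat >> /etc/pacman.conf << EOF
-
-[${user}-local]
-Server = file:///mnt/var/cache/pacman/${user}-local
-
-[maximbaz]
-Server = https://pkgbuild.com/~maximbaz/repo
-
-[options]
-CacheDir = /mnt/var/cache/pacman/pkg
-CacheDir = /mnt/var/cache/pacman/${user}-local
-EOF
-fi
-
-echo -e "\n### Installing packages"
-kernel_packages=(
-"linux"
-"linux-headers"
-"linux-lts"
-"linux-firmware"
-"intel-ucode"
-)
-fs_packages=(
-"btrfs-progs"
-"dosfstools"
-"e2fsprogs"
-)
-network_packages=(
-"iwd"
-"systemd-resolvconf"
-)
-basic_packages=(
-"man-db"
-"man-pages"
-"pacman-contrib"
-"neovim"
-"bash-completion"
-"git"
-"rsync"
-"openssh"
-"htop"
-"fzf"
-"sudo"
-)
-all_packages=(
-${kernel_packages[@]}
-${fs_packages[@]}
-${network_packages[@]}
-${basic_packages[@]}
-)
-
-pacstrap /mnt base base-devel arch-secure-boot ${all_packages[@]}
-
-echo -e "\n### Generating base config files"
-echo "cryptdevice=PARTLABEL=primary:luks:allow-discards root=LABEL=btrfs rootflags=subvol=root rw quiet mem_sleep_default=deep" > /mnt/etc/kernel/cmdline
-
-genfstab -L /mnt >> /mnt/etc/fstab
-
-echo "FONT=$font" > /mnt/etc/vconsole.conf
-echo "KEYMAP=de-latin1" >> /mnt/etc/vconsole.conf
-echo "${hostname}" > /mnt/etc/hostname
-sed -i 's/^#en_US\.UTF-8/en_US\.UTF-8/' /mnt/etc/locale.gen
-sed -i 's/^#de_DE\.UTF-8/de_DE\.UTF-8/' /mnt/etc/locale.gen
-echo "LANG=en_US.UTF-8" > /mnt/etc/locale.conf
-arch-chroot /mnt locale-gen
-
-ln -sf /usr/share/zoneinfo/Europe/Berlin /mnt/etc/localtime
-
-echo "$hostname" > /mnt/etc/hostname
-echo -e "127.0.0.1\tlocalhost" >>/mnt/etc/hosts
-echo -e "127.0.1.1\t$hostname" >>/mnt/etc/hosts
-echo -e "\n::1\tlocalhost" >>/mnt/etc/hosts
-
-# Propagate the systemd-resolved managed configuration to all clients (stub mode)
-ln -sf /run/systemd/resolve/stub-resolv.conf /mnt/etc/resolv.conf
-
-cat >/mnt/etc/systemd/network/20-wired.network <<EOF
-[Match]
-Name=en*
-
-[Network]
-DHCP=yes
-
-[DHCPv4]
-RouteMetric=10
-UseDomains=true
-
-[IPv6AcceptRA]
-RouteMetric=10
-UseDomains=yes
-EOF
-
-cat >/mnt/etc/systemd/network/25-wireless.network <<EOF
-[Match]
-Name=wl*
-
-[Network]
-DHCP=yes
-
-[DHCPv4]
-RouteMetric=20
-UseDomains=true
-
-[IPv6AcceptRA]
-RouteMetric=20
-UseDomains=yes
-EOF
-
-mkdir -p /mnt/etc/iwd
-cat >/mnt/etc/iwd/main.conf <<EOF
-[General]
-EnableNetworkConfiguration=true
-
-[Network]
-EnableIPv6=true
-EOF
-
-arch-chroot /mnt systemctl enable systemd-timesyncd fstrim.timer systemd-networkd systemd-resolved iwd
-
-cat >/mnt/etc/mkinitcpio.conf <<EOF
-MODULES=(i915)
-BINARIES=(/usr/bin/btrfs)
-FILES=()
-HOOKS=(base consolefont udev autodetect keyboard keymap modconf block encrypt filesystems fsck shutdown)
-EOF
-
-arch-chroot /mnt mkinitcpio -p linux
-arch-chroot /mnt arch-secure-boot initial-setup
-
-echo -e "\n### Configuring swap file"
-swap_size=$(free --mebi | awk '/Mem:/ {print $2}')
-swap_end=$(( $swap_size + 129 + 1 ))MiB
-truncate -s 0 /mnt/swap/swapfile
-chattr +C /mnt/swap/swapfile
-btrfs property set /mnt/swap/swapfile compression none
-fallocate -l $swap_end /mnt/swap/swapfile
-chmod 600 /mnt/swap/swapfile
-mkswap /mnt/swap/swapfile
-echo "/swap/swapfile none swap defaults 0 0" >> /mnt/etc/fstab
-
-# sudo
-#sed -i 's/# \(%wheel ALL=(ALL:ALL) ALL\)/\1/' /mnt/etc/sudoers
-
-echo -e "\n### Creating user"
-arch-chroot /mnt useradd -m "$user"
-for group in wheel network video audio input storage power; do
-arch-chroot /mnt groupadd -rf "$group"
-arch-chroot /mnt gpasswd -a "$user" "$group"
-done
-echo "$user:$password" | arch-chroot /mnt chpasswd
-# disable root login
-arch-chroot /mnt passwd -dl root
-
-echo -e "\n### Setting permissions on the custom repo"
-arch-chroot /mnt chown -R "$user:$user" "/var/cache/pacman/${user}-local/"
-
-echo -e "\n### Reboot now, and after power off remember to unplug the installation USB"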
@ -36,9 +36,9 @@ output * bg /usr/share/backgrounds/sway/Sway_Wallpaper_Blue_1920x1080.png fill
|
||||||
# Example configuration:
|
# Example configuration:
|
||||||
#
|
#
|
||||||
exec swayidle -w \
|
exec swayidle -w \
|
||||||
timeout 300 'swaylock -f -c 3c3c3c' \
|
timeout 300 'swaylock -f -c 1e1e1e' \
|
||||||
timeout 600 'swaymsg "output * dpms off"' resume 'swaymsg "output * dpms on"' \
|
timeout 600 'swaymsg "output * dpms off"' resume 'swaymsg "output * dpms on"' \
|
||||||
before-sleep 'swaylock -f -c 3c3c3c'
|
before-sleep 'swaylock -f -c 1e1e1e'
|
||||||
#
|
#
|
||||||
# This will lock your screen after 300 seconds of inactivity, then turn off
|
# This will lock your screen after 300 seconds of inactivity, then turn off
|
||||||
# your displays after another 300 seconds, and turn your screens back on when
|
# your displays after another 300 seconds, and turn your screens back on when
|
||||||
|
|
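--- a/etc/bluetooth/main.conf
+++ b/etc/bluetooth/main.conf
@@ -0,0 +1,294 @@
+[General]
+
+# Default adapter name
+# Defaults to 'BlueZ X.YZ'
+#Name = BlueZ
+
+# Default device class. Only the major and minor device class bits are
+# considered. Defaults to '0x000000'.
+#Class = 0x000100
+
+# How long to stay in discoverable mode before going back to non-discoverable
+# The value is in seconds. Default is 180, i.e. 3 minutes.
+# 0 = disable timer, i.e. stay discoverable forever
+#DiscoverableTimeout = 0
+
+# Always allow pairing even if there are no agent registered
+# Possible values: true, false
+# Default: false
+#AlwaysPairable = false
+
+# How long to stay in pairable mode before going back to non-discoverable
+# The value is in seconds. Default is 0.
+# 0 = disable timer, i.e. stay pairable forever
+#PairableTimeout = 0
+
+# Use vendor id source (assigner), vendor, product and version information for
+# DID profile support. The values are separated by ":" and assigner, VID, PID
+# and version.
+# Possible vendor id source values: bluetooth, usb (default) or false (disabled)
+#DeviceID = bluetooth:1234:5678:abcd
+
+# Do reverse service discovery for previously unknown devices that connect to
+# us. For BR/EDR this option is really only needed for qualification since the
+# BITE tester doesn't like us doing reverse SDP for some test cases, for LE
+# this disables the GATT client functionally so it can be used in system which
+# can only operate as peripheral.
+# Defaults to 'true'.
+#ReverseServiceDiscovery = true
+
+# Enable name resolving after inquiry. Set it to 'false' if you don't need
+# remote devices name and want shorter discovery cycle. Defaults to 'true'.
+#NameResolving = true
+
+# Enable runtime persistency of debug link keys. Default is false which
+# makes debug link keys valid only for the duration of the connection
+# that they were created for.
+#DebugKeys = false
+
+# Restricts all controllers to the specified transport. Default value
+# is "dual", i.e. both BR/EDR and LE enabled (when supported by the HW).
+# Possible values: "dual", "bredr", "le"
+#ControllerMode = dual
+
+# Enables Multi Profile Specification support. This allows to specify if
+# system supports only Multiple Profiles Single Device (MPSD) configuration
+# or both Multiple Profiles Single Device (MPSD) and Multiple Profiles Multiple
+# Devices (MPMD) configurations.
+# Possible values: "off", "single", "multiple"
+#MultiProfile = off
+
+# Permanently enables the Fast Connectable setting for adapters that
+# support it. When enabled other devices can connect faster to us,
+# however the tradeoff is increased power consumptions. This feature
+# will fully work only on kernel version 4.1 and newer. Defaults to
+# 'false'.
+FastConnectable = true
+
+# Default privacy setting.
+# Enables use of private address.
+# Possible values for LE mode: "off", "network/on", "device"
+# Possible values for Dual mode: "off", "network/on", "device",
+# "limited-network", "limited-device"
+#
+# - off: Local privacy disabled.
+#
+# - network/on: A device will only accept advertising packets from peer
+# devices that contain private addresses. It may not be compatible with some
+# legacy devices since it requires the use of RPA(s) all the time.
+#
+# - device: A device in device privacy mode is only concerned about the
+# privacy of the device and will accept advertising packets from peer devices
+# that contain their Identity Address as well as ones that contain a private
+# address, even if the peer device has distributed its IRK in the past.
+
+# - limited-network: Apply Limited Discoverable Mode to advertising, which
+# follows the same policy as to BR/EDR that publishes the identity address when
+# discoverable, and Network Privacy Mode for scanning.
+#
+# - limited-device: Apply Limited Discoverable Mode to advertising, which
+# follows the same policy as to BR/EDR that publishes the identity address when
+# discoverable, and Device Privacy Mode for scanning.
+#
+# Defaults to "off"
+#Privacy = off
+
+# Specify the policy to the JUST-WORKS repairing initiated by peer
+# Possible values: "never", "confirm", "always"
+# Defaults to "never"
+#JustWorksRepairing = never
+
+# How long to keep temporary devices around
+# The value is in seconds. Default is 30.
+# 0 = disable timer, i.e. never keep temporary devices
+#TemporaryTimeout = 30
+
+# Enables the device to issue an SDP request to update known services when
+# profile is connected. Defaults to true.
+#RefreshDiscovery = true
+
+# Enables experimental features and interfaces, alternatively a list of UUIDs
+# can be given.
+# Possible values: true,false,<UUID List>
+# Possible UUIDS:
+# d4992530-b9ec-469f-ab01-6c481c47da1c (BlueZ Experimental Debug)
+# 671b10b5-42c0-4696-9227-eb28d1b049d6 (BlueZ Experimental Simultaneous Central and Peripheral)
+# 15c0a148-c273-11ea-b3de-0242ac130004 (BlueZ Experimental LL privacy)
+# 330859bc-7506-492d-9370-9a6f0614037f (BlueZ Experimental Bluetooth Quality Report)
+# a6695ace-ee7f-4fb9-881a-5fac66c629af (BlueZ Experimental Offload Codecs)
+# Defaults to false.
+#Experimental = false
+
+# The duration to avoid retrying to resolve a peer's name, if the previous
+# try failed.
+# The value is in seconds. Default is 300, i.e. 5 minutes.
+#RemoteNameRequestRetryDelay = 300
+
+[BR]
+# The following values are used to load default adapter parameters for BR/EDR.
+# BlueZ loads the values into the kernel before the adapter is powered if the
+# kernel supports the MGMT_LOAD_DEFAULT_PARAMETERS command. If a value isn't
+# provided, the kernel will be initialized to it's default value. The actual
+# value will vary based on the kernel version and thus aren't provided here.
+# The Bluetooth Core Specification should be consulted for the meaning and valid
+# domain of each of these values.
+
+# BR/EDR Page scan activity configuration
+#PageScanType=
+#PageScanInterval=
+#PageScanWindow=
+
+# BR/EDR Inquiry scan activity configuration
+#InquiryScanType=
+#InquiryScanInterval=
+#InquiryScanWindow=
+
+# BR/EDR Link supervision timeout
+#LinkSupervisionTimeout=
+
+# BR/EDR Page Timeout
+#PageTimeout=
+
+# BR/EDR Sniff Intervals
+#MinSniffInterval=
+#MaxSniffInterval=
+
+[LE]
+# The following values are used to load default adapter parameters for LE.
+# BlueZ loads the values into the kernel before the adapter is powered if the
+# kernel supports the MGMT_LOAD_DEFAULT_PARAMETERS command. If a value isn't
+# provided, the kernel will be initialized to it's default value. The actual
+# value will vary based on the kernel version and thus aren't provided here.
+# The Bluetooth Core Specification should be consulted for the meaning and valid
+# domain of each of these values.
+# LE advertisement interval (used for legacy advertisement interface only)
+#MinAdvertisementInterval=
+#MaxAdvertisementInterval=
+#MultiAdvertisementRotationInterval=
+
+# LE scanning parameters used for passive scanning supporting auto connect
+# scenarios
+#ScanIntervalAutoConnect=
+#ScanWindowAutoConnect=
+
+# LE scanning parameters used for passive scanning supporting wake from suspend
+# scenarios
+#ScanIntervalSuspend=
+#ScanWindowSuspend=
+
+# LE scanning parameters used for active scanning supporting discovery
+# proceedure
+#ScanIntervalDiscovery=
+#ScanWindowDiscovery=
+
+# LE scanning parameters used for passive scanning supporting the advertisement
+# monitor Apis
+#ScanIntervalAdvMonitor=
+#ScanWindowAdvMonitor=
+
+# LE scanning parameters used for connection establishment.
+#ScanIntervalConnect=
+#ScanWindowConnect=
+
+# LE default connection parameters. These values are superceeded by any
+# specific values provided via the Load Connection Parameters interface
+#MinConnectionInterval=
+#MaxConnectionInterval=
+#ConnectionLatency=
+#ConnectionSupervisionTimeout=
+#Autoconnecttimeout=
+
+# Scan duration during interleaving scan. Only used when scanning for ADV
+# monitors. The units are msec.
+# Default: 300
+#AdvMonAllowlistScanDuration=
+# Default: 500
+#AdvMonNoFilterScanDuration=
+
+# Enable/Disable Advertisement Monitor interleave scan for power saving.
+# 0: disable
+# 1: enable
+# Defaults to 1
+#EnableAdvMonInterleaveScan=
+
+[GATT]
+# GATT attribute cache.
+# Possible values:
+# always: Always cache attributes even for devices not paired, this is
+# recommended as it is best for interoperability, with more consistent
+# reconnection times and enables proper tracking of notifications for all
+# devices.
+# yes: Only cache attributes of paired devices.
+# no: Never cache attributes
+# Default: always
+#Cache = always
+
+# Minimum required Encryption Key Size for accessing secured characteristics.
+# Possible values: 0 and 7-16. 0 means don't care.
+# Defaults to 0
+#KeySize = 0
+
+# Exchange MTU size.
+# Possible values: 23-517
+# Defaults to 517
+#ExchangeMTU = 517
+
+# Number of ATT channels
+# Possible values: 1-5 (1 disables EATT)
+# Default to 3
+#Channels = 3
+
+[AVDTP]
+# AVDTP L2CAP Signalling Channel Mode.
+# Possible values:
+# basic: Use L2CAP Basic Mode
+# ertm: Use L2CAP Enhanced Retransmission Mode
+#SessionMode = basic
+
+# AVDTP L2CAP Transport Channel Mode.
+# Possible values:
+# basic: Use L2CAP Basic Mode
+# streaming: Use L2CAP Streaming Mode
+#StreamMode = basic
+
+[Policy]
+#
+# The ReconnectUUIDs defines the set of remote services that should try
+# to be reconnected to in case of a link loss (link supervision
+# timeout). The policy plugin should contain a sane set of values by
+# default, but this list can be overridden here. By setting the list to
+# empty the reconnection feature gets disabled.
+#ReconnectUUIDs=00001112-0000-1000-8000-00805f9b34fb,0000111f-0000-1000-8000-00805f9b34fb,0000110a-0000-1000-8000-00805f9b34fb,0000110b-0000-1000-8000-00805f9b34fb
+
+# ReconnectAttempts define the number of attempts to reconnect after a link
+# lost. Setting the value to 0 disables reconnecting feature.
+#ReconnectAttempts=7
+
+# ReconnectIntervals define the set of intervals in seconds to use in between
+# attempts.
+# If the number of attempts defined in ReconnectAttempts is bigger than the
+# set of intervals the last interval is repeated until the last attempt.
+#ReconnectIntervals=1,2,4,8,16,32,64
+
+# AutoEnable defines option to enable all controllers when they are found.
+# This includes adapters present on start as well as adapters that are plugged
+# in later on. Defaults to 'false'.
+AutoEnable=true
+
+# Audio devices that were disconnected due to suspend will be reconnected on
+# resume. ResumeDelay determines the delay between when the controller
+# resumes from suspend and a connection attempt is made. A longer delay is
+# better for better co-existence with Wi-Fi.
+# The value is in seconds.
+# Default: 2
+#ResumeDelay = 2
+
+[AdvMon]
+# Default RSSI Sampling Period. This is used when a client registers an
+# advertisement monitor and leaves the RSSISamplingPeriod unset.
+# Possible values:
+# 0x00 Report all advertisements
+# N = 0xXX Report advertisements every N x 100 msec (range: 0x01 to 0xFE)
+# 0xFF Report only one advertisement per device during monitoring period
+# Default: 0xFF
+#RSSISamplingPeriod=0xFF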
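Review bot: `AutoEnable=true` in [Policy] powers on every controller as soon as it is found, at boot and on hot-plug per the file's own comment, while `Privacy` in [General] is left at its default `off`, so the radio is up unattended and any LE advertising or scanning it does carries the adapter's fixed identity address, which makes the machine passively trackable. Since the radio is now always on, set the privacy mode explicitly, e.g. `Privacy = device` (or `limited-device` for dual-mode controllers), which the file documents as still accepting legacy peers that advertise with their identity address; RPA support is controller-dependent, so confirm it on the target hardware. `FastConnectable = true` is a power/latency trade-off rather than a security change, but a one-line comment above it stating why inbound connection speed matters on this host would save the next reader from guessing. The uncommented defaults `JustWorksRepairing = never` and `DiscoverableTimeout` (180 s) are the safe choices and should stay as they are.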
72
install.sh
72
install.sh
|
@ -225,6 +225,9 @@ basic_packages=(
|
||||||
"docbook-xls" # depenency of plymouth-git
|
"docbook-xls" # depenency of plymouth-git
|
||||||
"efitools" # provides KeyTool
|
"efitools" # provides KeyTool
|
||||||
"libfido2" # for systemd-cryptenroll
|
"libfido2" # for systemd-cryptenroll
|
||||||
|
"bluez"
|
||||||
|
"bluez-utils"
|
||||||
|
"usbutils" # for lsusb
|
||||||
)
|
)
|
||||||
all_packages=(
|
all_packages=(
|
||||||
${kernel_packages[@]}
|
${kernel_packages[@]}
|
||||||
|
@ -233,10 +236,9 @@ all_packages=(
|
||||||
${basic_packages[@]}
|
${basic_packages[@]}
|
||||||
)
|
)
|
||||||
|
|
||||||
pacstrap /mnt base base-devel arch-secure-boot ${all_packages[@]}
|
pacstrap /mnt base base-devel arch-secure-boot chezmoi ${all_packages[@]}
|
||||||
|
|
||||||
echo -e "\n### Generating base config files"
|
echo -e "\n### Generating base config files"
|
||||||
echo "cryptdevice=PARTLABEL=primary:luks:allow-discards root=LABEL=btrfs rootflags=subvol=root rw quiet mem_sleep_default=deep" > /mnt/etc/kernel/cmdline
|
|
||||||
|
|
||||||
genfstab -L /mnt >> /mnt/etc/fstab
|
genfstab -L /mnt >> /mnt/etc/fstab
|
||||||
|
|
||||||
|
@ -255,62 +257,6 @@ echo -e "127.0.0.1\tlocalhost" >>/mnt/etc/hosts
|
||||||
echo -e "127.0.1.1\t$hostname" >>/mnt/etc/hosts
|
echo -e "127.0.1.1\t$hostname" >>/mnt/etc/hosts
|
||||||
echo -e "\n::1\tlocalhost" >>/mnt/etc/hosts
|
echo -e "\n::1\tlocalhost" >>/mnt/etc/hosts
|
||||||
|
|
||||||
# Propagate the systemd-resolved managed configuration to all clients (stub mode)
|
|
||||||
ln -sf /run/systemd/resolve/stub-resolv.conf /mnt/etc/resolv.conf
|
|
||||||
|
|
||||||
cat >/mnt/etc/systemd/network/20-wired.network <<EOF
|
|
||||||
[Match]
|
|
||||||
Name=en*
|
|
||||||
|
|
||||||
[Network]
|
|
||||||
DHCP=yes
|
|
||||||
|
|
||||||
[DHCPv4]
|
|
||||||
RouteMetric=10
|
|
||||||
UseDomains=true
|
|
||||||
|
|
||||||
[IPv6AcceptRA]
|
|
||||||
RouteMetric=10
|
|
||||||
UseDomains=yes
|
|
||||||
EOF
|
|
||||||
|
|
||||||
cat >/mnt/etc/systemd/network/25-wireless.network <<EOF
|
|
||||||
[Match]
|
|
||||||
Name=wl*
|
|
||||||
|
|
||||||
[Network]
|
|
||||||
DHCP=yes
|
|
||||||
|
|
||||||
[DHCPv4]
|
|
||||||
RouteMetric=20
|
|
||||||
UseDomains=true
|
|
||||||
|
|
||||||
[IPv6AcceptRA]
|
|
||||||
RouteMetric=20
|
|
||||||
UseDomains=yes
|
|
||||||
EOF
|
|
||||||
|
|
||||||
mkdir -p /mnt/etc/iwd
|
|
||||||
cat >/mnt/etc/iwd/main.conf <<EOF
|
|
||||||
[General]
|
|
||||||
EnableNetworkConfiguration=true
|
|
||||||
|
|
||||||
[Network]
|
|
||||||
EnableIPv6=true
|
|
||||||
EOF
|
|
||||||
|
|
||||||
arch-chroot /mnt systemctl enable systemd-timesyncd fstrim.timer systemd-networkd systemd-resolved iwd
|
|
||||||
|
|
||||||
cat >/mnt/etc/mkinitcpio.conf <<EOF
|
|
||||||
MODULES=(i915)
|
|
||||||
BINARIES=(/usr/bin/btrfs)
|
|
||||||
FILES=()
|
|
||||||
HOOKS=(base consolefont udev autodetect keyboard keymap modconf block encrypt filesystems fsck shutdown)
|
|
||||||
EOF
|
|
||||||
|
|
||||||
arch-chroot /mnt mkinitcpio -p linux
|
|
||||||
arch-chroot /mnt arch-secure-boot initial-setup
|
|
||||||
|
|
||||||
echo -e "\n### Configuring swap file"
|
echo -e "\n### Configuring swap file"
|
||||||
swap_size=$(free --mebi | awk '/Mem:/ {print $2}')
|
swap_size=$(free --mebi | awk '/Mem:/ {print $2}')
|
||||||
swap_end=$(( $swap_size + 129 + 1 ))MiB
|
swap_end=$(( $swap_size + 129 + 1 ))MiB
|
||||||
|
@ -336,11 +282,7 @@ arch-chroot /mnt passwd -dl root
|
||||||
echo -e "\n### Setting permissions on the custom repo"
|
echo -e "\n### Setting permissions on the custom repo"
|
||||||
arch-chroot /mnt chown -R "$user:$user" "/var/cache/pacman/${user}-local/"
|
arch-chroot /mnt chown -R "$user:$user" "/var/cache/pacman/${user}-local/"
|
||||||
|
|
||||||
echo -e "\n### Cloning dotfiles"
|
echo -e "\n### Cloning dotfiles and running initial setup"
|
||||||
arch-chroot /mnt sudo -u $user bash -c 'git clone --recursive https://code.strobeto.de/strobeltobias/dotfiles.git ~/.dotfiles'
|
arch-chroot /mnt sudo -u $user sh -c 'chezmoi init --apply https://code.strobeto.de/strobeltobias/dotfiles.git && chezmoi state delete-bucket --bucket=scriptState'
|
||||||
|
|
||||||
echo -e "\n### Running initial setup"
|
echo -e "\n### DONE - reboot and re-run 'chezmoi apply' to complete system setup"
|
||||||
arch-chroot /mnt /home/$user/.dotfiles/setup-system.sh
|
|
||||||
arch-chroot /mnt sudo -u $user /home/$user/.dotfiles/setup-user.sh
|
|
||||||
|
|
||||||
echo -e "\n### DONE - reboot and re-run both ~/.local/share/chezmoi/setup-*.sh scripts"
|
|
||||||
|
|
|
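Review bot: The new line `arch-chroot /mnt sudo -u $user sh -c 'chezmoi init --apply https://…/dotfiles.git && …'` fetches and applies the dotfiles — and with them the run_once scripts this commit moves the system setup into — from whatever the remote's default branch contains at install time, with no commit or tag pinned and no record of what was checked out; pinning a ref (`chezmoi init --branch <tag> …` if the installed chezmoi supports it) or at least logging the resulting HEAD would make the install reproducible and auditable. `$user` is still unquoted in `sudo -u $user`, as it was on the removed line; `sudo -u "$user"` is the safe form. The trailing `chezmoi state delete-bucket --bucket=scriptState` appears to exist so the run_once scripts execute again after the reboot the next echo asks for, but a reader could take it for cleanup — a comment such as `# drop run_once state so the setup scripts re-run on the post-reboot 'chezmoi apply'` would pin that down. The file header and the start of this script are outside the visible hunks.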
@ -38,7 +38,7 @@ copy() {
|
||||||
if [ -z "$reverse" ]; then
|
if [ -z "$reverse" ]; then
|
||||||
[ -n "$2" ] && chmod "$2" "$dest_file"
|
[ -n "$2" ] && chmod "$2" "$dest_file"
|
||||||
else
|
else
|
||||||
chown -R tobias "$dest_file"
|
chown -R $USER "$dest_file"
|
||||||
fi
|
fi
|
||||||
echo "$dest_file <= $orig_file"
|
echo "$dest_file <= $orig_file"
|
||||||
}
|
}
|
||||||
|
@ -67,7 +67,7 @@ copy "etc/kernel/cmdline"
|
||||||
copy "etc/sysctl.d/20-quiet-printk.conf"
|
copy "etc/sysctl.d/20-quiet-printk.conf"
|
||||||
copy "etc/modprobe.d/i915.conf"
|
copy "etc/modprobe.d/i915.conf"
|
||||||
#copy "etc/aurutils/pacman-x86_64.conf"
|
#copy "etc/aurutils/pacman-x86_64.conf"
|
||||||
#copy "etc/bluetooth/main.conf"
|
copy "etc/bluetooth/main.conf"
|
||||||
#copy "etc/conf.d/snapper"
|
#copy "etc/conf.d/snapper"
|
||||||
#copy "etc/default/earlyoom"
|
#copy "etc/default/earlyoom"
|
||||||
#copy "etc/docker/daemon.json"
|
#copy "etc/docker/daemon.json"
|
||||||
|
@ -113,7 +113,7 @@ echo "================================="
|
||||||
sysctl --system > /dev/null
|
sysctl --system > /dev/null
|
||||||
|
|
||||||
systemctl daemon-reload
|
systemctl daemon-reload
|
||||||
#systemctl_enable_start "bluetooth.service"
|
systemctl_enable_start "bluetooth.service"
|
||||||
#systemctl_enable_start "btrfs-scrub@-.timer"
|
#systemctl_enable_start "btrfs-scrub@-.timer"
|
||||||
#systemctl_enable_start "btrfs-scrub@mnt-btrfs\x2droot.timer"
|
#systemctl_enable_start "btrfs-scrub@mnt-btrfs\x2droot.timer"
|
||||||
#systemctl_enable_start "btrfs-scrub@home.timer"
|
#systemctl_enable_start "btrfs-scrub@home.timer"
|
||||||
|
@ -126,8 +126,8 @@ systemctl daemon-reload
|
||||||
#systemctl_enable_start "btrfs-scrub@var-lib-docker.timer"
|
#systemctl_enable_start "btrfs-scrub@var-lib-docker.timer"
|
||||||
#systemctl_enable_start "docker.socket"
|
#systemctl_enable_start "docker.socket"
|
||||||
#systemctl_enable_start "earlyoom.service"
|
#systemctl_enable_start "earlyoom.service"
|
||||||
#systemctl_enable_start "fstrim.timer"
|
systemctl_enable_start "fstrim.timer"
|
||||||
#systemctl_enable_start "iwd.service"
|
systemctl_enable_start "iwd.service"
|
||||||
#systemctl_enable_start "linux-modules-cleanup.service"
|
#systemctl_enable_start "linux-modules-cleanup.service"
|
||||||
#systemctl_enable_start "lenovo_fix.service"
|
#systemctl_enable_start "lenovo_fix.service"
|
||||||
#systemctl_enable_start "nftables.service"
|
#systemctl_enable_start "nftables.service"
|
||||||
|
@ -135,8 +135,9 @@ systemctl daemon-reload
|
||||||
#systemctl_enable_start "reflector.timer"
|
#systemctl_enable_start "reflector.timer"
|
||||||
#systemctl_enable_start "snapper-cleanup.timer"
|
#systemctl_enable_start "snapper-cleanup.timer"
|
||||||
#systemctl_enable_start "system-dotfiles-sync.timer"
|
#systemctl_enable_start "system-dotfiles-sync.timer"
|
||||||
#systemctl_enable_start "systemd-networkd.socket"
|
systemctl_enable_start "systemd-networkd.socket"
|
||||||
#systemctl_enable_start "systemd-resolved.service"
|
systemctl_enable_start "systemd-resolved.service"
|
||||||
|
systemctl_enable_start "systemd-timesyncd"
|
||||||
#systemctl_enable_start "tlp.service"
|
#systemctl_enable_start "tlp.service"
|
||||||
|
|
||||||
#if [ ! -s "/etc/usbguard/rules.conf" ]; then
|
#if [ ! -s "/etc/usbguard/rules.conf" ]; then
|
||||||
|
@ -176,16 +177,30 @@ timedatectl set-ntp true
|
||||||
echo "Configuring aurutils"
|
echo "Configuring aurutils"
|
||||||
ln -sf /etc/pacman.conf /etc/aurutils/pacman-tobias-local.conf
|
ln -sf /etc/pacman.conf /etc/aurutils/pacman-tobias-local.conf
|
||||||
|
|
||||||
echo "Configuring plymouth"
|
PLYMOUTH_THEME="spinner"
|
||||||
plymouth-set-default-theme -R spinner && arch-secure-boot generate-efi
|
if [ "$(plymouth-set-default-theme)" != "$PLYMOUTH_THEME" ]; then
|
||||||
|
echo "Configuring plymouth"
|
||||||
|
plymouth-set-default-theme "$PLYMOUTH_THEME"
|
||||||
|
fi
|
||||||
|
|
||||||
echo "Preparing KeyTool to allow install PK key"
|
echo "Configuring mkinitcpio + secure boot"
|
||||||
mkdir -p /efi/EFI/secureboot
|
|
||||||
sbsign --key /etc/arch-secure-boot/keys/db.key --cert /etc/arch-secure-boot/keys/db.crt --output /efi/EFI/secureboot/KeyTool-signed.efi /usr/share/efitools/efi/KeyTool.efi
|
|
||||||
cp /etc/secureboot/keys/PK/PK.auth /efi/EFI/secureboot/PK.auth
|
|
||||||
mount="$(findmnt -n -o SOURCE -T "/efi")"
|
|
||||||
partition="${mount##*[!0-9]}"
|
|
||||||
entry="/EFI/secureboot/KeyTool-signed.efi"
|
|
||||||
efibootmgr -d "$mount" -p "$partition" -c -l "${entry//\//\\}" -L "KeyTool"
|
|
||||||
|
|
||||||
echo "Reboot into KeyTool and install PK key (EFI/secureboot/PK.auth) to UEFI"
|
mkinitcpio -P
|
||||||
|
|
||||||
|
if [ ! -s "/etc/arch-secure-boot/keys/PK.auth" ]; then
|
||||||
|
arch-secure-boot initial-setup
|
||||||
|
else
|
||||||
|
arch-secure-boot generate-efi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -f /efi/EFI/secureboot/KeyTool-signed.efi ]; then
|
||||||
|
echo "Preparing KeyTool to allow install PK key"
|
||||||
|
mkdir -p /efi/EFI/secureboot
|
||||||
|
sbsign --key /etc/arch-secure-boot/keys/db.key --cert /etc/arch-secure-boot/keys/db.crt --output /efi/EFI/secureboot/KeyTool-signed.efi /usr/share/efitools/efi/KeyTool.efi
|
||||||
|
cp /etc/secureboot/keys/PK/PK.auth /efi/EFI/secureboot/PK.auth
|
||||||
|
mount="$(findmnt -n -o SOURCE -T "/efi")"
|
||||||
|
partition="${mount##*[!0-9]}"
|
||||||
|
entry="/EFI/secureboot/KeyTool-signed.efi"
|
||||||
|
efibootmgr -d "$mount" -p "$partition" -c -l "${entry//\//\\}" -L "KeyTool"
|
||||||
|
echo "Reboot into KeyTool and install PK key (EFI/secureboot/PK.auth) to UEFI"
|
||||||
|
fi
|
||||||
|
|
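Review bot: The new guard `if [ ! -s "/etc/arch-secure-boot/keys/PK.auth" ]` and the `cp /etc/secureboot/keys/PK/PK.auth /efi/EFI/secureboot/PK.auth` a few lines below name two different locations for PK.auth, so at least one of them is wrong: if arch-secure-boot keeps PK.auth next to the db.key/db.crt that the sbsign line reads from /etc/arch-secure-boot/keys, the copy should be `cp /etc/arch-secure-boot/keys/PK.auth /efi/EFI/secureboot/PK.auth`; if PK.auth really lives under /etc/secureboot, the guard tests a file that never exists and `arch-secure-boot initial-setup` would run on every apply instead of `generate-efi`. The `[ ! -f /efi/EFI/secureboot/KeyTool-signed.efi ]` check also means a KeyTool signed with an old db key is never refreshed after a key rotation; testing `[ ! -f "$f" ] || [ "$f" -ot /etc/arch-secure-boot/keys/db.crt ]` would cover that. Neither `sbsign` nor `efibootmgr` has its exit status checked, and whether this script runs under `set -e` is not visible in the hunk; the file header is outside the visible section.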