You are not logged in.

#1 2021-11-04 04:53:09

Soultrigger
Member
From: Brazil
Registered: 2021-11-04
Posts: 31

Offer Feedback on my Install "script" (guide for myself), please?

Hi all,

I am a noob when it comes to linux. I installed Arch a few years ago, and had tons of fun with it. I could do everything I do in other Oses, even gaming and so on. I have it on dual boot ever since.

I decided to make a "Arch Live USB", so I researched everything again and wrote a guide for myself. The installation in the USB Stick was flawless, but I dont know if I could call it a Live USB since it is just a standard install on a USB.

I plan to reinstall my Arch Linux for fun, so I would like your feedback if everything I choose to do is fine. Also if I shouldn't do something or if there is something else that matters that I should do. I would like also to get some feedback on others apps and stuff that aren't in the "script", if it isn't there, I dont know about it. (I already have a question, is there a sddm pure wayland or another display manager for kde that is?).

Thanks for all the help you can offer. (I am brazillian, so sorry if my english is too poor. Some commands are focused on my locale).

Remember echo value >> file

#Before arch-chroot
    #Keyboard Layout
        ls /usr/share/kbd/keymaps/**/*.map.gz | grep br
        localectl list-keymaps | grep br
        loadkeys br-abnt2
    #Is EFI?
        ls /sys/firmware/efi/efivars
    #Pacstrap Parallel Download
        nano /etc/pacman.conf
            ParallelsDownload = 50
                uncomment / add the live above
    #Do we have internet?
        ip link ou ip a
        ping site
    #Do we need Wifi?
        iwctl
        [iwd]#device list
        [iwd]#station device scan
        [iwd]#station device get-networks
        [iwd]#station device connect SSID
        [iwd]#exit
            reminder you can also iwctl --passphrase passphrrase station device connect SSID
            reminder for liver (networkmanager) nmtui (wifi)
    #time and date
        timedatectl set-ntp true
    #Partition Scheme
        lsblk
        fdisk /dev/sdx ou cfdisk /dev/sdx
        mkfs.ex4 /dev/root ou home
        mkfs.fat -F32 /dev/boot
            this last one to format the EFI partition in case you need (Dont do it if you have windows or another so installed)
        mkswap /dev/swap
        #USB Live
            mkfs.ex4 -O "ĥas_journal" /dev/root ou home
                So that we get a ext4 without journaling
    #Mounting Partitions
        mount /dev/sdx /mnt
        mkdir /mnt/boot
        mkdir /mnt/home
        mount /dev/sdx /mnt/boot
        mount /dev/sdx /mnt/home
        swapon /dev/sdx
            beware that you need to mount the root partition first and then create the boot or home directory so it actually creates them in the partition, if you create them before it will screw up the partition scheme and bug out the boot (EFI/ESP partition) and so on.
    #USB Live - Doing a RAM journaling
        mkdir /etc/systemd/journald.conf.d
        /etc/systemd/journald.conf.d/usbstick.conf
            [Journal]
            Storage=volatile
            RuntimeMaxUse=30M
                So we get a 30MB Journal in RAM. We need to do proper shutdown so we dont get data loss or damage the partition.
    #Pacstrap
        pacstrap /mnt base base-devel linux linux-firmware linux-headers amd-ucode nano sudo
    #Generate Fstab
        genfstab -U /mnt >> /mnt/etc/fstab
        cat /mnt/etc/fstab
    #Chroot
        arch-chroot /mnt

#After arch-chroot
    #Set up timezone
        timedatectl list-timezones | grep Sao
        ln -sf /usr/share/zoneinfo/Region/City /etc/localtime
        hwclock -w
    #Set up locale
        nano /etc/locale.gen
            pt_BR.UTF-8 UTF-8
                uncomment line
        locale-gen
        nano /etc/locale.conf
            LANG=pt_BR.UTF-8
        nano /etc/vconsole.conf
            KEYMAP=br-abnt2
    #Hostname / Hosts
        nano /etc/hostname
            soul
        nano /etc/hosts
            127.0.0.1   localhost
            ::1         localhost
            127.0.1.1   soul.localdomanin   soul
    #Boot - systemd bootloader
        #Install
            bootctl install
        #Set up Loader
            sudo -e /boot/loader/loader.conf
                default arch
                timeout 0
                console-mode max
                editor no
        #Set up Menu Entry
            blkid
            echo UUID=rootUUID >> /boot/loader/entries/arch.conf
            sudo -e /boot/loader/entries/arch.conf
                title Arch Linux
                linux /vmlinuz-linux
                initrd /amd-ucode.img
                initrd /initramfs-linux.img
                options root=UUID=rootUUID resume=UUID=swapUUID rw
                    if you dont want to suspend and resume, dont use the resume= option, but do keep the rw (read/write for your root partition).
        #Set up Hook to auto update loader
            sudo -e /etc/pacman.d/hooks/100-systemd-boot.hook
                [Trigger]
                Type = Package
                Operation = Upgrade
                Target = systemd

                [Action]
                Description = Updating systemd-boot
                When = PostTransaction
                Exec = /usr/bin/bootctl update
        #Troubleshooting
            #UEFI didnt update loader entry - Fix
                pacman -S efibootmgr
                efibootmgr -c -d /dev/vda -p 1 -l '\EFI\systemd\systemd-bootx64.efi' -L 'Arch Linux'
                    where vda and 1 are device and partition with ESP (EFI Partition)
                efibootmgr -c -d /dev/vda -p 1 -l '\vmlinuz-linux root=/dev/vda2 initrd=\amd-ucode.img \initrd=initramfs-linux.img' -v
                    the same rules applys, but loads the kernel as an EFI executable, so no need to use a boot loader, on a fast test adding amd-ucode failed, so you might need to leave just initramfs. Root can be device, UUID or LABEL.
            #UEFI menu entry removal
                efibootmgr -b 0000 -B                
            #Reinstall Kernel/AMD-ucode
                mkinitcpio -P ou pacman -S linux ou pacman -S amd-ucode
    #Root passwd
        passwd
    #Activate basic network and reboot to test boot and load locale variables    
        pacman -S networkmanager
        systemctl enable networkmanager
        exit
        umount -R /mnt
        reboot
            if everything works out fine, you should get to a login prompt. Now type root and your password.
        nmtui
            to connect to wifi if you need it (graphical interface to connect to wifi)
    #Creating user
        #Installing user variables and folders
            pacman -S xdg-utils xdg-user-dirs
                Add user variables and folders
        #Adding user
            useradd -mUG adm,wheel soultrigger
                this will create the home folder (m), also a group with your user name (U) and add you to adm and wheel groups (G). If you just did adduser soultrigger it would create just your user and soultrigger group and would not create your home folder or add you to any other group.
        #User password
            passwd soultrigger
    #Secure Editor
        nano /etc/sudoers
            Defaults editor=/usr/bin/rnano
                If you like nano like me this will make so that we use a restricted nano version to edit files, since doing EDITOR=nano visudo will run nano as root allowing to use malicious code (big security flaw). There is also an added feature, you will run rnano as a normal user (will ask for sudoer password anyway), and when you save the file it will save to a temporary one, then sudo will elevate the privilegies to copy the tmp file over the file we wanted to edit, so we will have a far more secure environment. After this change edit files with sudo -e /path/file, it will call rnano for you automatically. If it fails to overwrite the destined file, it will notify you and you will have both files (the original and the temporary one).
    #Sudoers
        sudo -e /etc/sudoers.d/01_soultrigger
            soultrigger ALL=(ALL) ALL
    #Pacman Parallel Download
        sudo -e /etc/pacman.conf
            ParallelsDownload = 50
                uncomment / add the above line
    
    #Graphic Driver & Gaming - AMD / Vulkan
        #Activate Multilib
            sudo -e /etc/pacman.conf
                [multilib]
                Include = /etc/pacman.d/mirrorlist
                    uncomment lines
            pacman -Syu
                you need to update the system to actually ativate it or the next pacman command will fail
        #Driver and Vulkan
            pacman -S mesa lib32-mesa xf86-video-amdgpu vulkan-radeon lib32-vulkan-radeon libva-mesa-driver lib32-libva-mesa-driver mesa-vdpau lib32-mesa-vdpau vulkan-tools
        #Loading driver / Support Southern Islands
            mkdir /etc/mobprobe.d
            sudo -e /etc/mobprobe.d/amdgpu.conf
                options amdgpu si_support=1
                options amdgpu cik_support=0
            sudo -e /etc/mobprobe.d/radeon.conf
                options amdgpu si_support=0
                options amdgpu cik_support=0
            sudo -e /etc/mkinitcpio.conf
                HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)
                    Hook sample, you need to make sure modconf is on this line
    #Audio - Alsa / Pipewire
        pacman -S pipewire xdg-desktop-portal xdg-desktop-portal-kde
            Para suporte adicional instale pipewire-alsa pipewire-pulse pipewire-jack (para o pipewire funcionar como esses outros servidores)
            For 32 bit support lib32-pipewire and lib32-pipewire-jack
            Alsa is within the kernel.
            xdg-desktop-* to add screen/sound sharing for browsers in wayland/pipewire
    #Network - Bluetooth - Printer - Security
        pacman -S networkmanager network-manager-applet wpa_supplicant bluez bluez-utils cups cups-pdf firewalld firejail 
        systemctl enable NetworkManager
        systemctl enable bluetooth
        systemctl enable firewalld
        sudo firecfg
        sudo -e /etc/pacman.d/hooks/firejail.hook
            [Trigger]
            Type = Path
            Operation = Install
            Operation = Upgrade
            Operation = Remove
            Target = usr/bin/*
            Target = usr/local/bin/*
            Target = usr/share/applications/*.desktop

            [Action]
            Description = Configure symlinks in /usr/local/bin based on firecfg.config...
            When = PostTransaction
            Depends = firejail
            Exec = /bin/sh -c 'firecfg >/dev/null 2>&1'
                Hook to auto update firejail config each time pacman changes the system
        #File Sharing - Samba
            pacman -S nfs-utils sshfs dnsmasq samba
            systemctl enable dnsmasq
                samba seems to require some fine work to configure, I advise looking at the archwiki
    #Virtualization - KVM / QEMU / Libvirt
        pacman -S virt-manager qemu ebtables iptables-nft bridge-utils openbsd-netcat dnsmasq dmidecode ovmf
            qemu-arch-extra add other foreign architetures, unfortunately there is not a package split for each architeture as arm64
        sudo usermod -G libvirt -a soultrigger
            sudo -e /etc/libvit/libvitd.conf (This one prevented libvirt to run on my live system, so you might want to skip this change)
                #unix_sock_group = "libvirt"
                #unix_sock_ro_perms = "0777"  # set to 0770 to deny non-group libvirt users
                #unix_sock_rw_perms = "0770"
                #auth_unix_ro = "none"
                #auth_unix_rw = "none"
                    uncomment these lines and change values, the point of this is to run as file security based system instead of polkit, but failed on my live system, I had to revert these change to libvirt load and activate properly
        systemctl enable ebtables
        systemctl enable dnsmasq
        systemctl enable libvirtd
    #KDE - DE
        pacman -S plasma plasma-wayland-session sddm akregator ark dolphin dolphin-plugins elisa filelight gwenview kalarm kamoso kate kbackup kcalc kcharselect kcolorchooser kdeconnect kdenlive kdf kdialog kfind khelpcenter kleopatra kmag kmail knotes kolourpaint kompare konsole konversation korganizer krdc krfb ksystemlog ktimer ktorrent kwalletmanager kwave okular partitionmanager print-manager skanlite spectacle sweeper yakuake okteta ffmpegthumbs kdegraphics-mobipocket kdegraphics-thumbnailers kdenetwork-filesharing kdesdk-thumbnailers zeroconf-ioslave ksysguard qt5-virtualkeyboard packagekit-qt5 kde-gtk-config
        systemctl enable sddm
            Theme Arc Dark Icon Papirus-Dark sddm Crown-Blue
    #Applications - Outside KDE base
        pacman -S dialog man-db man-pages bash-completion rsync reflector neofetch efibootmgr firefox chromium calibre discord gimp krita libreoffice-fresh lutris steam wine winetricks qbittorrent vlc onboard avahi nss-mdns ntfs-3g fzf
        sudo -e /etc/xdg/reflector/reflector.conf
            --save /etc/pacman.d/mirrorlist
            --country Brazil
            --protocol https
            --latest 5
            --sort rate
        systemctl enable reflector.timer
    #USB stick multi video driver support
        pacman -S xf86-video-vesa xf86-video-ati xf86-video-amdgpu xf86-video-intel xf86-video-nouveau
    #USB stick prevention of useless writes
        pacman -S libeatmydata
        eatmydata firefox
            the point of this command is to prevent firefox from doing non essential data writes
    #Security
        #Storage Encryption?
            I need to research this
        #Limit Su to Wheel Group
            sudo -e /etc/pam.d/su
                auth required pam_wheel.so use_uid
                    uncomment the line
                    enforces that only the members of wheel group can call the SU command
        #Delay on Login Attempt
            sudo -e /etc/pam.d/system-login
                auth optional pam_faildelay.so delay=4000000
                    Adds 4 secons after failed login attemp, useful?
        #Limit Amount of Processes?
            sudo -e /etc/security/limits.conf
                * soft nproc 100
                * hard nproc 200
                    the point is to prevent an exploit by an unknow user (hack) to load processes on your system beyond what you usually do, you will be limited to the soft, but you can go to the hard limit with prlimit
        #Wayland instead of Xorg
            Use Wayland instead of Xorg (usually xorg runs as root, which is a big major security flaw. It seems xorg can run now as a normal user as of what pacman says nowadays when you install it. Nonethless I believe SDDM still runs under xorg, even though with systemd it seems he uses normal user privileges. Hopefully we will get a wayland only SDDM soon)
        #Secure Editor (already done above)
            nano /etc/sudoers
                Defaults editor=/usr/bin/rnano
                    If you like nano like me this will make so that we use a restricted nano version to edit files, since doing EDITOR=nano visudo will run nano as root allowing to use malicious code (big security flaw). There is also an added feature, you will run rnano as a normal user (will ask for sudoer password anyway), and when you save the file it will save to a temporary one, then sudo will elevate the privilegies to copy the tmp file over the file we wanted to edit, so we will have a far more secure environment. After this change edit files with sudo -e /path/file, it will call rnano for you automatically. If it fails to overwrite the destined file, it will notify you and you will have both files (the original and the temporary one).
        #Disables SSH login without tty
            sudo -e /etc/sudoers
                # Disable "ssh hostname sudo <cmd>", because it will show the password in clear text. You have to run "ssh -t hostname sudo <cmd>".
                #
                Defaults    requiretty
                    Enforces you can only connect with a console tty on SSH, if this was not the case you could compromise your sudoer password. (it would show your password as you type it)
        #Disable SSH root login
            sudo -e /etc/ssh/sshd_config
                PermitRootLogin no
                    Enforces you cant login as root trough SSH
        #Limits Login Schemes
            sudo -e /etc/security/access.conf
                +:root:LOCAL
                -:root:ALL
                +:soultrigger:LOCAL
                +:(wheel):LOCAL
                +:(adm):LOCAL
                -:ALL:ALL
                    Limits login access schemes, the first proper match excutes and ignores the rest, so that we will have majorly local logins and prevents to login remotely, also rejects all attempts by the users not specified here. If you will use remote access remember to change it later.
        *****Learn SSH, you damn noob (talking to myself)*****
        #ACL for aditional security?
            ACL can increase security, adds extra options to the linux permission system. It is part of systemd. The partition needs to be mounted with ACL enabled to work. Initially I didnt see a reason to use it on my local domestic machine. There is also a MAC system (mandatory access control), but seemed way too troublesome to use.
        #Disable Kexec (allows to change the kernel in execution)
            sudo -e /etc/sysctl.d/51-kexec-restrict.conf
                kernel.kexec_load_disabled = 1
                    Disable Kexec (allows to change the kernel in execution, so you prevent a foreigner user to change your machine in a major way).
                    
    #Packages
        arch-install-scripts
        fontforge
        tlp
        lkrg
        usbguard
        pacman-contrib (scripts for pacman - paccache)
        pkgfile (searchs the file in the package repository (pkgfile -u to sync and pkgfile file to search -l to search all)
        
    #Pacman
        #System update
            pacman -Syu (updates the system, dont use partial updates)
        #Package Install
            pacman -S package (installs the package and if a group package you get options like below)
                Enter a selection (default=all): 1-10 15 (installs 1 trough 10 and 15)
                Enter a selection (default=all): ^5-8 ^2 (installs all except 5 trough 8 and 2)
            pacman -S --needed package (installs package, but only the unique packages not installed yet)
            pacman -S --needed - < pkglist.txt (installs the packages in the list)
            pacman -S --needed $(comm -12 <(pacman -Slq | sort) <(sort pkglist.txt)) (installs the packages in the list and removes the AUR or locally installed ones)
            pacman -Qqn | pacman -S - (reinstalls all packages)
            pacman -S --asdeps package_name (pacman installs the explicitly (package name) as a dependency if you use this option) 
        #Package Searchs / Info
            pacman -Sg package (shows the packages that are part of the package group)
            pacman -Si package (shows more details about the package)
            pacman -Qi package (same as above, but only about the installed packages)
            pacman -Qii package (adds information about backups)
            pacman -Ql package (lists all files installed by the package)
            pacman -Qk package (verifies if the package files are installed (verifies errors). -Qkk for a more extensive verification)
            pacman -Qo /path/file (shows what package the file is a part of)
            pacman -Qtd (verifies packages without any dependencies (orphans))
            pacman -Qet (same as above, but for dependencies explicitly installed, but without use/connection)
            pacman -Qe (list packages installed explicitly) e -Qd (lists packages installed implicityly) (pacman can change a explicitly installed to implicitly if you use the --asdeps when you install) (fore reference, explicitly are the ones you put in the pacman command line and the implictly ones are the dependencies thoses packages asked for)
            pacman -Fx package (x = variable for all the above basically, but it is for remote packages)
            pacman -F file.extension (searchs for a package that contains the file)
            pacman -Qqm (lists packages from AUR)
        #Package Removal
            pacman -Rs package (removes the package and all its dependencies not used by other packages - it is the right way to do it)
            pacman -Rsu package (removes the package and all its dependencies even if needed by another package - use it if the above one fails)
            pacman -Rdd package (you should not use this one, huge chances to break the system (beware some people puts it in tutorials)
            pacman -Rn (prevents packman to make a backup of configurations when it removes it as .pacsave. Pacman doesnt remove .config from home)
            pacman -Qtdq | pacman -Rns - (in theory removes the orphaned packages)
            pacman -Rsu $(comm -23 <(pacman -Qq | sort) <(sort pkglist.txt)) (removes packages not in the list)
        #Clean Cache
            pacman -Sc (clean the package cache (backup copies of older versions), it will let the most up to date backup copy of each package though. -Scc to force to clean all packages in the cache)
            paccache -r (removes all old packages (backups in the cache) when pacman updates. -rkl to let the most up to date backup still there)
        #Package Download without Install
            pacman -Sw package (downloads the package without installing it)
        #AUR / Local Package Install
            pacman -U /path/to/package/package_name-version.pkg.tar.zst (install the package locally, usually a AUR one)
            pacman -U http://www.example.com/repo/example.pkg.tar.zst (same as above, but remotely)
        #Package install reason change
            pacman -D --asdeps package (changes the install reason from explicitly to implicitly --asexplicit to revert it)
            (dont use the option above with -Syu, changes all linked packages)
        #Syncs database
            pacman -Fy (synchronizes the database)
        #Unlocks database
            rm /var/lib/pacman/db.lck (removes the lock in the databse, happens sometimes when for some reason pacman gets interrupted by user or another reason)
        
        #Package Lists
            pacman -Qqe > pkglist.txt
            LC_ALL=C pacman -Qi | awk '/^Name/{name=$3} /^Installed Size/{print $4$5, name}' | sort -h (list packages and its size)
            expac (list package by size and description)
            expac -H M "%011m\t%-20n\t%10d" $(comm -23 <(pacman -Qqen | sort) <({ pacman -Qqg base-devel; expac -l '\n' '%E' base; } | sort | uniq)) | sort -n
            fzf pacman -Qq | fzf --preview 'pacman -Qil {}' --layout=reverse --bind 'enter:execute(pacman -Qil {} | less)' (browse packages)

Offline

Board footer

Powered by FluxBB