This is a work in progress.
Current computer: 83DJ (Yoga 7 2-in-1 14IML9)
- Pacman Wrapper:
paru
- Networking:
networkmanager
- Window Manager:
Hyprland
- Text Editor: a mess really, vscode and jetbrains and nvim are all good except for I am too lazy for nvim
- Color Scheme:
catppuccin
- Terminal:
alacritty
- More allegiances to come in the future :|
This has the arch install guide as a reference, as well as https://jpetazzo.github.io/2024/02/23/archlinux-luks-tpm-secureboot-install/, https://github.com/joelmathewthomas/archinstall-luks2-lvm2-secureboot-tpm2, https://gist.github.com/michaelb081988/0e3f1bbd3bb04fb34c0726e28da2a934, and [here](https://gist.github.com/orhun/02102b3af3acfdaf9a5a2164bea7c3d6#mount-efi-partition).
Partition | Size | fdisk Type | PARTLABEL | File System |
---|---|---|---|---|
EFI System | N/A | N/A | N/A | |
Linux Extended Boot | 1 GB | xbootldr | BOOT | fat32 |
Linux Partition | Remainder | fd | cryptlvm | volume |
Make partitions with fdisk or cfdisk, and label them with gdisk.
Note
I reuse my already existing EFI partition for bootloading.
This is roughly isomorphic to https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS and merges a few others:
We first overwrite the Linux Partition with random data for security reasons:
dd if=/dev/urandom of=/dev/disk/by-partlabel/cryptlvm bs=1M status=progress
where `of` is the desired disk to output to.
Warning
Check the existing `of` beforehand!
Now, we set up the luks container.
# cryptsetup benchmark # benchmark cryptsetup if you want
cryptsetup -v luksFormat /dev/disk/by-partlabel/cryptlvm # create luks container, use an actual password ideally?
cryptsetup luksHeaderBackup /dev/disk/by-partlabel/cryptlvm --header-backup-file header.img # backup the header somewhere, since if the header gets destroyed the data is inaccessible
cryptsetup open /dev/disk/by-partlabel/cryptlvm lvm # open the container at /dev/mapper/lvm
Here's the plan for the logical volume:
Logical Volume | Size | File System |
---|---|---|
Root | 32 GB | ext4 |
Swap | 16 GB | swap |
Home | Remaining - 256 MiB | ext4 |
Let's now create our lvm volume and populate it:
pvcreate /dev/mapper/lvm # Create a physical volume
vgcreate VolGroup /dev/mapper/lvm # Create a volume group to add to
# Create all your logical volumes on the volume group:
lvcreate -L 32G VolGroup -n root
lvcreate -L 16G VolGroup -n swap
lvcreate -l 100%FREE VolGroup -n home
lvreduce -L -256M VolGroup/home # Since we format a logical volume with ext4, we leave at least 256 MiB free space in the volume group to allow using e2scrub.
We then make our file systems (making an EFS separately if necessary)
mkfs.ext4 /dev/VolGroup/root
mkfs.ext4 /dev/VolGroup/home
mkswap /dev/VolGroup/swap
mkfs.vfat -n BOOT /dev/disk/by-partlabel/BOOT
and then mount them
mount /dev/VolGroup/root /mnt
mount --mkdir /dev/VolGroup/home /mnt/home
swapon /dev/VolGroup/swap
mount --mkdir /dev/disk/by-partlabel/<EFI> /mnt/efi
mount --mkdir /dev/disk/by-partlabel/BOOT /mnt/boot
Change some pacman things and then pacstrap a bunch of things (here, `<CHIP>` is `intel` or `amd` depending on what chip type you use)
sed -i "s/^#ParallelDownloads/ParallelDownloads/" /etc/pacman.conf
sed -i "s/^#Color/Color/" /etc/pacman.conf # colors :D
reflector --save /etc/pacman.d/mirrorlist \
--protocol https --latest 5 --sort age
pacstrap -K /mnt base linux linux-firmware linux-headers <CHIP>-ucode nano efibootmgr sudo networkmanager vim man-db man-pages
Then generate an fstab
genfstab -U /mnt >> /mnt/etc/fstab # -L also works
We can now arch chroot and follow the arch wiki's steps pretty bat for bat up till the initramfs step
arch-chroot /mnt
ln -sf /usr/share/zoneinfo/<Region>/<City> /etc/localtime
hwclock --systohc
sed -i "s/^#en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/" /etc/locale.gen
locale-gen
echo "KEYMAP=us" >> /etc/vconsole.conf # replace with corresponding keymap
echo "<hostname>" >> /etc/hostname # and corresponding hostname
passwd # set root password
Warning
If you forget to set the root password, you won't have a way to boot in to your system!
I use `systemd-boot`, so let's install that, and also install `lvm2` for later.
bootctl install --boot-path=/boot --esp-path=/efi # omit arguments if no extended boot dir
pacman -S lvm2
and then make a default `<ESP>/loader/loader.conf` (`<ESP>` = `/boot` here for dual booting)
console-mode auto
default @saved
timeout 10
editor no
Make a copy of `/etc/mkinitcpio.conf` and then edit the `HOOKS=` line
HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole sd-encrypt block lvm2 filesystems fsck)
adding `systemd`, `keyboard`, `sd-vconsole`, `sd-encrypt`, `lvm2`, where `sd-vconsole` is optional if you aren't using standard `/etc/vconsole.conf`.
We can now create a basic <ESP>/loader/entries/arch.conf
title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options rd.luks.name=<DEVICE-UUID>=lvm root=/dev/VolGroup/root rw
(here, `<DEVICE-UUID>` is the UUID of the LUKS partition that holds the root volume, i.e. `cryptlvm`, not of the root logical volume)
(Though by virtue of automounting, specifying the root and resume may be unnecessary).
Finally, run `mkinitcpio -p linux` and we should be all good for now. Run `efibootmgr` and it should show the boot manager; if not, run the following:
# efibootmgr --create --disk /dev/<sdX> --part <Y> --loader '\EFI\systemd\systemd-bootx64.efi' --label "Linux Boot Manager" --unicode
where `<sdX>` `<Y>` is the EFI partition.
Rebooting here should be fine (use space to access our arch linux entry specifically).
exit
umount -R /mnt
reboot
Some actual things for `/etc/cmdline.d/root.conf`:
rd.luks.name=<DEVICE-UUID>=lvm root=/dev/VolGroup/root resume=/dev/VolGroup/swap rw splash audit=0 bgrt_disable rd.shell=0 rd.emergency=reboot
Edit `/etc/mkinitcpio.d/linux.preset`, uncommenting the `default_uki` and `fallback_uki` options, storing things in `/boot` preferably. Uncomment `default_options` too.
Now `arch.conf` is unnecessary and can be removed. Rebuild with `mkinitcpio -P`.
Before this, disable secure boot / put it in setup mode.
Install `pacman -S sbctl sbsigntools` and then ensure `sbctl status` outputs `Setup Mode` as enabled.
Then create signing keys and enroll them
sbctl create-keys
sbctl enroll-keys --microsoft # needed for dual booting
sbctl verify
sbctl verify | sed 's/✗ /sbctl sign -s /e' # for each of the earlier files, microsoft not being signed is fine. -s creates a hook for signing this file
sbctl list-files
Regenerate initramfs after this and re-enable secure boot.
We can now enroll our luks key into TPM to not need to enter our password each time. Secure boot should be on for this.
Make sure `cat /sys/class/tpm/tpm0/tpm_version_major` outputs 2.
pacman -S tpm2-tools # Install the TPM tools
We then run the following
systemd-cryptenroll --tpm2-device=list # Check the name of the kernel module for our TPM
systemd-cryptenroll --recovery-key /dev/disk/by-partlabel/cryptlvm # Generate a recovery key
systemd-cryptenroll --tpm2-device=auto /dev/disk/by-partlabel/cryptlvm --tpm2-pcrs=0+7 # 0 can be omitted
# systemd-cryptenroll /dev/disk/by-partlabel/cryptlvm --wipe-slot=password # wipe the password if necessary
Warning
TPM isn't a 100% guarantee of safety or whatever, see the documentation for security if you care about that. Choosing other PCRs might guarantee more safety, unsure.
Afterwards, add `rd.luks.options=<DEVICE-UUID>=tpm2-device=auto` to the entries to avoid entering the password again (editing `crypttab.initramfs` is an alternative). Add the kernel module to `MODULES=`, like below
MODULES=(tpm_crb)
If the state of secure boot or firmware changes, running
systemd-cryptenroll --wipe-slot=tpm2 /dev/disk/by-partlabel/cryptlvm --tpm2-pcrs=0+7
wipes the slot which allows for it to be re-enrolled.
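One way to check the result of the enrollment above, as an added example that is not part of the original guide: it reads the LUKS2 header metadata as JSON and reports which keyslot is a password, recovery key or TPM2 slot, and whether the TPM2 token is bound to PCRs 0 and 7. The `audit` function and the sample metadata are constructed for illustration; real input comes from `cryptsetup luksDump --dump-json-metadata /dev/disk/by-partlabel/cryptlvm`.

```python
import json

# Constructed sample, trimmed to the fields used here, in the shape printed by
# `cryptsetup luksDump --dump-json-metadata /dev/disk/by-partlabel/cryptlvm`.
SAMPLE = """
{"keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}, "2": {"type": "luks2"}},
 "tokens": {
   "0": {"type": "systemd-recovery", "keyslots": ["1"]},
   "1": {"type": "systemd-tpm2", "keyslots": ["2"],
         "tpm2-pcrs": [0, 7], "tpm2-pcr-bank": "sha256"}}}
"""

def audit(metadata_json, expected_pcrs=(0, 7)):
    """Classify each keyslot and list problems with the TPM2 enrollment."""
    meta = json.loads(metadata_json)
    # A keyslot that no token points at is a plain passphrase slot.
    kinds = {slot: "password" for slot in meta.get("keyslots", {})}
    findings = []
    for tok_id, tok in sorted(meta.get("tokens", {}).items()):
        for slot in tok.get("keyslots", []):
            if slot not in kinds:
                # Stale token: its keyslot was wiped but the token remained.
                findings.append(f"token {tok_id} points at missing keyslot {slot}")
                continue
            kinds[slot] = tok.get("type", "unknown")
        if tok.get("type") == "systemd-tpm2":
            pcrs = sorted(tok.get("tpm2-pcrs", []))
            if pcrs != sorted(expected_pcrs):
                findings.append(f"token {tok_id} is bound to PCRs {pcrs}, "
                                f"expected {sorted(expected_pcrs)}")
    if "systemd-tpm2" not in kinds.values():
        findings.append("no TPM2 keyslot enrolled")
    # Re-enrolling after a PCR change needs some other way to unlock.
    if not {"password", "systemd-recovery"} & set(kinds.values()):
        findings.append("no password or recovery slot left to unlock with "
                        "after a firmware or Secure Boot change")
    return kinds, findings

if __name__ == "__main__":
    kinds, findings = audit(SAMPLE)
    for slot, kind in sorted(kinds.items()):
        print(f"keyslot {slot}: {kind}")
    print("\n".join(findings) or "enrollment matches the guide")
```

Running it after wiping the password slot shows whether the recovery key is still there to fall back on.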
useradd -m <user>
passwd <user>
sudoedit /etc/sudoers # uncomment %wheel ALL=(ALL:ALL) ALL, add Defaults insults, pwfeedback
usermod -G wheel <user>
We multithread makepkg. Change `/etc/makepkg.conf` to have `-j<cores> -l<cores>` where `<cores>` is the output of `nproc`.
We then install `reflector` and then write in `/etc/xdg/reflector/reflector.conf`:
--save /etc/pacman.d/mirrorlist
--protocol https
--country US
--latest 5
and then start `reflector.timer` and `reflector.service`.
And now we install paru.
sudo pacman -S --needed git base-devel
git clone https://aur.archlinux.org/paru.git
cd paru
makepkg -si
cd ..
rm -rf paru
From here on we omit installing the package itself, and just write `| !package-name (other-package)` to indicate a package or two.
- `()` indicates that this repository has my local files for it.
- `!` indicates that this package has catppuccin support.
- `#` indicates this package has install steps beside package manager.
We now install some other helpers to clean the pacman cache and force reading update notes respectively | paccache informant
systemctl enable paccache.timer
usermod -aG informant <user>
Finally, we now enable `Color`, `VerbosePkgLists`, `ParallelDownloads` and add `ILoveCandy` (if you haven't already) in `/etc/pacman.conf` and include `multilib`.
We set up a gpg / ssh key (though reuse is pretty possible), | openssh git github-cli
gh auth login # use ssh
ssh-keygen -t ed25519 -C "$email"; ssh-add ~/.ssh/id_ed25519
gh ssh-key add ~/.ssh/id_ed25519.pub --title $hostname
gpg --full-generate-key
gpg --list-secret-keys --keyid-format=long
git config --global user.signingkey $KEY
git config --global commit.gpgsign true
git config --global user.email "$email"
git config --global user.name "$name"
We enable some SSD things here in our encrypted environment:
cryptsetup --allow-discards --persistent --perf-no_read_workqueue --perf-no_write_workqueue refresh lvm
cryptsetup luksDump /dev/disk/by-partlabel/cryptlvm | grep Flags # confirm
systemctl enable fstrim.timer
[!INFO] TPM2 doesn't seem to work for these commands, so keeping a password is likely best. See this link and this one for security info.
Follows here, a decent amount of this is likely platform dependent shrug.
We first install some drivers for intel | mesa lib32-mesa vulkan-intel lib32-vulkan-intel
and then add the following to /etc/modprobe.d/i1915.conf
options i915 enable_guc=3 enable_fbc=1
For hardware acceleration, use here to find the packages | intel-media-driver libvdpau-va-gl libva-utils vdpauinfo
Afterwards, add `export LIBVA_DRIVER_NAME=iHD` and `export VDPAU_DRIVER=va_gl` to `/etc/environment`.
We install a temperature and power manager | thermald tlp
systemctl enable thermald tlp.service
systemctl mask systemd-rfkill.service systemd-rfkill.socket # for tlp
We also hibernate when battery is less than 3%, see here, by appending the following to `/etc/udev/rules.d/99-lowbat.rules`
# Hibernate the system when battery level drops to 5% or lower
SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-5]", RUN+="/usr/bin/systemctl hibernate"
We use chrony for time sync as a laptop | (chrony) networkmanager-dispatcher-chrony
systemctl enable chronyd.service
usermod -aG chrony <user>
We implement https://wiki.archlinux.org/title/Network_configuration#localhost_is_resolved_over_the_network by adding the following to `/etc/hosts`:
127.0.0.1 localhost
::1 localhost
We will use systemd-resolved
systemctl enable systemd-resolved.service
ln -sf ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
which has nice enough defaults.
We also set up mac address randomization in /etc/NetworkManager/conf.d/wifi_rand_mac.conf
[device-mac-randomization]
wifi.scan-rand-mac-address=yes
[connection-mac-randomization]
ethernet.cloned-mac-address=random
wifi.cloned-mac-address=random
We use hyprland as our WM
- Pipewire
pipewire wireplumber pipewire-jack pipewire-pulse pipewire-alsa
- Control |
brightnessctl playerctl
- Wallpapers |
#hyprpaper (swww for fancier?)
- Compositor |
hyprland qt5-wayland qt6-wayland
- XDG Integration |
xdg-utils xdg-desktop-portal-hyprland
- Idler and Session Locker |
(hypridle) (hyprlock)
- Color Temperature |
glaze hyprsunset
- Other |
hyprsysteminfo hyprpicker hyprspace
- Polkit |
hyprpolkitagent
- Screenshots |
wl-copy grimblast-git
todo idk
TODO set up color temperature
- Status Bars |
aylurs-gtk-shell-git
- Notification System |
dunst libnotify
TODO replace ags?
- Font Input | TODO look into
fcitx5 fcitx5-chinese-addons fcitx5-configtool fcitx-gtk fcitx5-pinyin-zhwiki fcitx5-qt mozc
- App Launcher | TODO look into, replace with ags?
- Display Manager | TODO
- Color Temperature |
hyprsunset
- Booting Animation | TODO how does this work
plymouth
hyprsunset
https://archlinux.org/packages/?name=nm-connection-editor?
- Fonts |
noto-fonts-cjk ttf-jetbrains-mono ttf-jetbrains-mono-nerd
- Add Chinese as a locale
- Set Chinese as font priority
For our terminal, we use alacritty. | !(alacritty)
We then install oh-my-zsh and some plugins and theme pure (though this might become p10k) | (zsh)
sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
# rm .bash_history .bash_logout .bash_profile .bashrc
cd ~/.oh-my-zsh/custom/plugins/
git clone https://github.com/zsh-users/zsh-autosuggestions.git
git clone https://github.com/zsh-users/zsh-syntax-highlighting.git
git clone https://github.com/zsh-users/zsh-completions.git
cd ../themes # yes ig this doesn't belong here but idrc
git clone https://github.com/sindresorhus/pure.git
We now add these plugins and more to .zshrc
plugins=(git zsh-autosuggestions zsh-syntax-highlighting zsh-completions colored-man-pages sudo)
# pure (cloned into the oh-my-zsh custom themes directory above)
fpath+=($HOME/.oh-my-zsh/custom/themes/pure)
autoload -U promptinit; promptinit
prompt pure
Here's a list of some other commands
- cat replacement |
!bat
- ls replacement |
!eza #vivid
- add `LS_COLORS=$(vivid generate catppuccin-mocha)` to `.zshrc`, needs nerdfont
- Find |
fzf ripgrep
- System Info |
onefetch git-delta fastfetch hyfetch
- Requests |
httpie
- Ping |
gping
- Command Info |
tldr man-db
- Downloading |
yt-dlp wget
- Git Info |
!#git-delta
- Add the following to `.gitconfig` and install catppuccin
[core]
pager = delta
[interactive]
diffFilter = delta --color-only
[delta]
navigate = true
side-by-side = true
[merge]
conflictStyle = zdiff3
[include]
path = ~/.config/delta/themes/catppuccin.gitconfig
[delta]
features = catppuccin-mocha
- System Information |
htop duf #bandwhich
- Silly commands |
cowsay fortune-mod cbonsai pipes.sh cava
And now we set some aliases in $ZSH_CUSTOM/alias.zsh
alias ez="eza -lah --no-user --icons=always --group-directories-first"
alias neofetch="neowofetch"
alias hibernate="sudo systemctl hibernate"
alias sleep="sudo systemctl suspend"
alias poweroff="sudo systemctl poweroff"
alias restart="sudo systemctl reboot"
Not much to say
- firefox |
firefox
- vlc |
vlc
copy /etc/chrony.conf
copy new .zshrc
look into tearing
look into fingerprint
boot change protections look into chkboot look into backups
- firewall
todo vi
cava conf
override mod+shift+s to screenshots
try blurring things again
look into fonts
papirus-folders -C pink --theme Papirus
plymouth-set-default-theme -R catppuccin-mocha
chmod 777 /opt/spotify
chmod 777 -R /opt/spotify/Apps
spicetify backup
spicetify config current_theme catppuccin-mocha
spicetify config color_scheme lavender
spicetify config inject_css 1 replace_colors 1 overwrite_assets 1
spicetify config extensions catppuccin-mocha.js
curl -fsSL https://raw.githubusercontent.com/spicetify/spicetify-marketplace/main/resources/install.sh | sh
#git clone https://github.com/Incompleteusern/von/
- scotus-1 for format and what to use
- flick-0 for various configs, old waybar
- Saimoomedits for the top bar
- Modified for catppuccin theming, hyprland and spotify
- TODO archive fork
- catppuccin for the pastel theming over basically everything possible
- For rofi, Deathmonic specifically is used
- ayamir for nvim reference
TODO:
- hyprcursor and wayland scanner or something
- https://github.com/end-4/dots-hyprland/tree/illogical-impulse keep copying tm
- https://github.com/tkashkin/Adwaita-for-Steam
- common greetd and replace hyprlock someday
- qbittorrent?
- keepassxc
- Customize nvim (not for now)
- Document https://wiki.archlinux.org/title/OpenSSH#Deny
- Firewall
- https://wiki.archlinux.org/title/Improving_performance
- https://wiki.archlinux.org/title/Makepkg#Tips_and_tricks
- Get spotify to work for local files
- Wait for hyprspace to fix itself oops!
- Add `sd-plymouth` hook when sd-encrypt actually used
  - Configure `/etc/mkinitcpio.conf`, and add `systemd keyboard sd-vconsole sd-encrypt` presence
HOOKS=(base udev systemd sd-plymouth keyboard autodetect modconf kms sd-vconsole block sd-encrypt filesystems fsck)
- Firefox
- Use duckduckgo, ublock origin, h264ify, stylus
- Startup > Open previous windows and tabs
- Enable HTTPS-Only mode
- Set `media.ffmpeg.vaapi.enabled` to true
For printer stuff, I use `#cups cups-pdf`.
This consists of following the steps here, then running `systemctl start cups.service` and using the localhost page to find my printer.
- Firefox |
!firefox
- Discord |
discord-electron-bin discord-update-skip
- Prism Launcher |
prismlauncher
- Steam |
steam
- Vs Code |
visual-studio-code-bin
- VPN |
openvpn protonvpn-gui networkmanager-openvpn
- Spotify |
spotify spotifywm spicetify
- Neovim |
nvim (TODO nvimdots)
- Intellij |
intellij-idea-community-edition
- File Manager |
thunar gvfs rmtrash trash-cli thunar-archive-plugin thunar-media-tags-plugin thunar-volman (check out dolphin)
- Tor |
tor torbrowser-launcher
- krita |
krita
- Libreoffice |
libreoffice-fresh
I use catppuccin for theming, specifically mocha pink.
Here's a mess of links to what they have:
- Userstyles can be found at https://github.com/catppuccin/userstyles/tree/main/styles.
- Through extension
- Through theming tool
- https://github.com/catppuccin/gtk
- https://github.com/catppuccin/qt5ct (extend to qt6ct)
- Miscellaneous
- GTK and QT
- Use JetBrains Mono 10 font
- phinger cursors
- pink folders
papirus-folders -C cat-mocha-pink --theme Papirus
- Theming Tools |
qt5ct qt6ct nwg-look
- Papirus |
papirus-folders-catppuccin-git papirus-icon-theme-git
- Cursors |
phinger-cursors