hidingcherry / ansible-archlinux-encrypted-root Goto Github PK

This would require to complicate the script - it would be easier to fork and make the necessary changes.

untested yet

You need to reset the IPMI.
Please reboot on rescue mode (Ubuntu 18).
Then execute this command:

sudo ipmitool mc reset cold

Wait 5 min, reboot the server on normal mode and create a new IPMI session.
The issue should be fixed.

Different server cababilities allows different feature-sets
If we assume that the basic server has less than 6GB ram, on top of the basic features a 6GB ram server could handle:

• ~/.cache in tmpfs

If we assume that the basic server has AES-NI, but not a different server:

• use serpent-xts with 512b

If the server has UEFI

• Add uefi (partition) support with systemd-boot and xbootldr partition and it's hook

I removed it temporarily, if it is not needed

It's enough to install the nano package and remove the vi(m) package.
Otherwise the administrator will be lost forever inside the vim editor until someone tells him how to leave it.

too much tasks in one file - I should split them

This would complicate things up - but it would still make more sense.

• https://wiki.archlinux.org/title/reflector
• reflector.service

and

# /etc/pacman.d/hooks/mirrorupgrade.hook
[Trigger]
Operation = Upgrade
Type = Package
Target = pacman-mirrorlist

[Action]
Description = Updating pacman-mirrorlist with reflector and removing pacnew...
When = PostTransaction
Depends = reflector
Exec = /bin/sh -c 'systemctl start reflector.service; if [ -f /etc/pacman.d/mirrorlist.pacnew ]; then rm /etc/pacman.d/mirrorlist.pacnew; fi'

not in here yet - but I have the lines saved for removal

https://github.com/MartinX3-AdministrativeDevelopment/ansible-archlinux-encrypted-root/blob/358f5f585d029d3c5b353a9c803e98cd95192be0/roles/install/tasks/62-grub.yml#L16

We love an optimized buildtime

# /etc/profile.d/makepkg.sh
export PATH="/usr/lib/ccache/bin/:$PATH"
export PATH="/usr/lib/colorgcc/bin/:$PATH"    # As per usual colorgcc installation, leave unchanged (don't add ccache)
export CCACHE_PATH="/usr/bin"                 # Tell ccache to only use compilers here

And the optimizations of /etc/makepkg.conf here: https://wiki.archlinux.org/title/Makepkg#Tips_and_tricks

https://github.com/MartinX3-AdministrativeDevelopment/ansible-archlinux-encrypted-root/blob/358f5f585d029d3c5b353a9c803e98cd95192be0/roles/install/tasks/62-grub.yml#L22

Currently I assume that only one device is used for root and the bootloader.
This might need some change.

Currently subvolumes for rootfs are necessary, they are not optional.

I use part_infos.partitions[1] instead of e.g. part_infos.partitions['rootfs'] - that's badly readable.

Add and configure the btrfsmaintenance package

• https://aur.archlinux.org/packages/btrfsmaintenance
• https://github.com/kdave/btrfsmaintenance

I haven't really noted the kernel modules.
If the system has special devices, which require some modules on boot - they need to be added into the host_vars/MyHostname.yml file, so the initrd contains the required files and can boot/load the devices accordingly.

This should be tested first - but it shouldn't be an issue.

current: 5min

I am heavily against it, I consider to use sudo/wheel group instead of something custom.

The discard option is evil for any encryption - I enabled it for a smaller VM image footprint.
fstrim needs discard on cryptsetup open and it needs the filesystem to be mounted with the discard option.

I can test it through a VM - but this has low priority due to no usecase for now.

Currently /etc/securetty is being wiped - no login over any tty is possible anymore (my goal is a safe headless server).
This is probably not liked on a server at home - or frequent(?) direct access.

Network interface names (e.g. eno0 eth1) should be defined only once for each host.

If pacdiff is needed the update process of pacman or paru should hint conflicts in changed files and we should have a good terminal diff app by default

# /etc/profile.d/diffprog.sh
# Used as diff app for apps like pacdiff (for .pacnew files)
export DIFFPROG=colordiff

and

# /etc/pacman.d/hooks/pacdiff.hook
[Trigger]
Operation = Install
Operation = Upgrade
Operation = Remove
Type = Package
Target = *
[Action]
Description = Runs pacdiff utility
When = PostTransaction
Exec = /usr/bin/pacdiff

Currently I use part_infos.mountPath - this is defined in a host_vars variable.

Add AUR helper

sudo pacman -S --needed base-devel
git clone https://aur.archlinux.org/paru.git
cd paru
makepkg -si
paru -Syu paru-bin

And optimize its config

# /etc/paru.conf
Devel
#RemoveMake
CleanAfter
NewsOnUpgrade
SkipReview

The user password is defined as a variable (uh, bad bad bad) - it is better to ask for the password at the beginning of the task.

As example Check for uefi firmware exist twice

For zram:
https://wiki.archlinux.org/title/Improving_performance#zram_or_zswap
zram-generator <- systemd package
/etc/systemd/zram-generator.conf <- config
No need to enable something with systemctl - it will be started during boot.

In case zram is being used, add kernel cmd for disabling zswap:
zswap.enabled=0
https://wiki.archlinux.org/title/Zswap#Toggling_zswap
Maybe use a module parameter (/etc/modprobe.d) instead?
needs testing

I need a manual to use this project

• dependencies
• bash commands
• env variables
• etc

It's important to know a list of parameter we should, must or need to change

localdomain is mostly used for local networks - useless for servers in the internet

Is sgdisk totally necessary or can we lower the bloat by using sfdisk?
Check syntax/parameters and features.

currently it is being removed

Probably by using

• https://github.com/solarkennedy/ipmi-kvm-docker
• https://registry.hub.docker.com/u/solarkennedy/ipmi-kvm-docker/

We do not want to route packets from one route to another.
https://www.theurbanpenguin.com/rp_filter-and-lpic-3-linux-security/
https://wiki.archlinux.org/title/simple_stateful_firewall#Protection_against_spoofing_attacks

currently hardcoded

it would create bloat - but still better than always edit the tasks

not done yet - untested