hidingcherry / ansible-archlinux-encrypted-root
ansible script to install a fully encrypted archlinux system
License: GNU Affero General Public License v3.0
# /etc/sudoers
Defaults editor=/usr/bin/rnano
This would require complicating the script; it would be easier to fork and make the necessary changes.
untested yet
You need to reset the IPMI.
Please reboot in rescue mode (Ubuntu 18).
Then execute this command:
sudo ipmitool mc reset cold
Wait 5 min, reboot the server in normal mode and create a new IPMI session.
The issue should be fixed.
Different server capabilities allow different feature sets.
If we assume that the basic server has less than 6GB of RAM, then on top of the basic features a 6GB RAM server could handle:
~/.cache in tmpfs
If we assume that the basic server has AES-NI but a different server does not:
serpent-xts with 512b keys
If the server has UEFI:
systemd-boot and an xbootldr partition and its hook. I removed it temporarily, if it is not needed.
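The three host properties those feature sets hinge on can be probed before the playbook decides anything. The following script is an added example written for this page, not code from the repository: every probe takes the file it reads as a parameter so the decisions can be exercised on constructed input, and on a live host you would pass /proc/cpuinfo, /proc/meminfo and /sys/firmware/efi. The 6GB threshold, the serpent-xts choice and the 512-bit key size follow the notes above; the function names, the aes-xts fallback spelled out as cryptsetup specs, the "boot=bios" label for non-UEFI hosts and the key=value output format are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the repository): probe the host properties the
# feature-set notes key on. Function names and output format are assumptions.

# has_aesni CPUINFO: succeeds when the CPU flags line lists "aes"
has_aesni() {
    grep -qE '^flags[[:space:]]*:.*[[:space:]]aes([[:space:]]|$)' "$1"
}

# mem_mib MEMINFO: prints MemTotal in MiB (meminfo reports kB)
mem_mib() {
    awk '/^MemTotal:/ { printf "%d\n", $2 / 1024; exit }' "$1"
}

# is_uefi EFIDIR: succeeds when the kernel exposed the EFI directory
is_uefi() {
    [ -d "$1" ]
}

# luks_cipher CPUINFO: aes-xts when hardware AES is present, serpent-xts
# otherwise. XTS uses two keys, so 512 bits means 256 bits per key either way.
luks_cipher() {
    if has_aesni "$1"; then
        echo "aes-xts-plain64"
    else
        echo "serpent-xts-plain64"
    fi
}

# cache_in_tmpfs MEMINFO: ~/.cache may live in RAM only on a host with >= 6 GiB
cache_in_tmpfs() {
    [ "$(mem_mib "$1")" -ge 6144 ]
}

# profile CPUINFO MEMINFO EFIDIR: one key=value line per decision, in a shape
# a playbook could consume as host facts
profile() {
    printf 'cipher=%s\n' "$(luks_cipher "$1")"
    printf 'key_size=512\n'
    if cache_in_tmpfs "$2"; then printf 'cache_tmpfs=yes\n'; else printf 'cache_tmpfs=no\n'; fi
    if is_uefi "$3"; then printf 'boot=uefi\n'; else printf 'boot=bios\n'; fi
}

# Constructed sample inputs (not captured from a real host) so the script
# runs offline; a live run would point at /proc and /sys instead.
SAMPLE=$(mktemp -d)
printf 'flags\t\t: fpu vme de pse aes avx2\n' > "$SAMPLE/cpuinfo_aes"
printf 'flags\t\t: fpu vme de pse avx2\n'     > "$SAMPLE/cpuinfo_noaes"
printf 'MemTotal:        8000000 kB\n'         > "$SAMPLE/meminfo_8g"
printf 'MemTotal:        4000000 kB\n'         > "$SAMPLE/meminfo_4g"
mkdir "$SAMPLE/efi"

echo "== small BIOS host without AES-NI =="
profile "$SAMPLE/cpuinfo_noaes" "$SAMPLE/meminfo_4g" "$SAMPLE/no_efi"
echo "== 8 GiB UEFI host with AES-NI =="
profile "$SAMPLE/cpuinfo_aes" "$SAMPLE/meminfo_8g" "$SAMPLE/efi"
rm -rf "$SAMPLE"
```

Each probe is deliberately a separate function with a single exit status or a single printed value, so a playbook can call one of them from a `command` task and use the result in a `when:` condition without re-parsing the whole report.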
It's enough to install the nano package and remove the vi(m) package.
Otherwise the administrator will be lost forever inside the vim editor until someone tells him how to leave it.
Too many tasks in one file; I should split them.
This would complicate things, but it would still make more sense.
reflector.service and this hook:
# /etc/pacman.d/hooks/mirrorupgrade.hook
[Trigger]
Operation = Upgrade
Type = Package
Target = pacman-mirrorlist
[Action]
Description = Updating pacman-mirrorlist with reflector and removing pacnew...
When = PostTransaction
Depends = reflector
Exec = /bin/sh -c 'systemctl start reflector.service; if [ -f /etc/pacman.d/mirrorlist.pacnew ]; then rm /etc/pacman.d/mirrorlist.pacnew; fi'
not in here yet - but I have the lines saved for removal
We love an optimized build time.
# /etc/profile.d/makepkg.sh
export PATH="/usr/lib/ccache/bin/:$PATH"
export PATH="/usr/lib/colorgcc/bin/:$PATH" # As per usual colorgcc installation, leave unchanged (don't add ccache)
export CCACHE_PATH="/usr/bin" # Tell ccache to only use compilers here
And the optimizations for /etc/makepkg.conf described here: https://wiki.archlinux.org/title/Makepkg#Tips_and_tricks
Currently I assume that only one device is used for root and the bootloader.
This might need some change.
Currently subvolumes for the rootfs are required; they are not optional.
I use part_infos.partitions[1] instead of e.g. part_infos.partitions['rootfs'] - that's hard to read.
Add and configure the btrfsmaintenance package.
I haven't really taken note of the kernel modules.
If the system has special devices which require some modules at boot, they need to be added to the host_vars/MyHostname.yml file, so the initrd contains the required files and can boot/load the devices accordingly.
This should be tested first, but it shouldn't be an issue.
current: 5min
I am heavily against it; I am considering using sudo and the wheel group instead of something custom.
The discard option is evil for any encryption - I enabled it for a smaller VM image footprint.
fstrim needs discard on cryptsetup open and it needs the filesystem to be mounted with the discard option.
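Because the discard decision is taken at two layers, it is easy to end up with a mapping that passes TRIM through the encryption without anyone noticing. The check below is an added example for this page, not code from the repository: it reports, per dm-crypt mapping, whether discard is enabled at the cryptsetup layer (the crypttab option "discard", or "allow-discards" as the cryptsetup command line calls it) and at the filesystem layer (the fstab mount option "discard"). The "crypt" column is the one that decides whether TRIM reaches the raw device, which is exactly the free-space exposure the note above accepts for a smaller VM image. The file paths are parameters so the check runs on constructed input; on a live host pass /etc/crypttab and /etc/fstab. The function names, the output columns and the sample files are this example's own.

```shell
#!/bin/sh
# Added example (not from the repository): per-mapping discard report across
# the crypttab and fstab layers. Function names and output format are assumptions.

# discard_report CRYPTTAB FSTAB: prints "NAME crypt=on|off fs=on|off|unmounted"
discard_report() {
    awk -v fstab="$2" '
        # skip comments and blank lines in both files
        /^[[:space:]]*(#|$)/ { next }
        # first file: remember the mount options of every /dev/mapper/* entry
        FILENAME == fstab {
            if ($1 ~ /^\/dev\/mapper\//) {
                name = substr($1, 13)          # strip "/dev/mapper/"
                fs[name] = ($4 ~ /(^|,)discard(,|$)/) ? "on" : "off"
            }
            next
        }
        # second file: crypttab lines are "name device keyfile options"
        {
            crypt = ($4 ~ /(^|,)(discard|allow-discards)(,|$)/) ? "on" : "off"
            printf "%s crypt=%s fs=%s\n", $1, crypt, (($1 in fs) ? fs[$1] : "unmounted")
        }' "$2" "$1"
}

# leaking_mappings CRYPTTAB FSTAB: names whose free-space pattern reaches the disk
leaking_mappings() {
    discard_report "$1" "$2" | awk '$2 == "crypt=on" { print $1 }'
}

# Constructed sample files (not taken from any real host); UUIDs are placeholders
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/crypttab" <<'EOF'
# <name>    <device>          <password>  <options>
cryptroot   UUID=1111-aaaa    none        luks,discard
cryptdata   UUID=2222-bbbb    none        luks
EOF
cat > "$SAMPLE/fstab" <<'EOF'
# <device>              <dir>   <type>  <options>                 <dump> <pass>
/dev/mapper/cryptroot   /       btrfs   subvol=@,noatime,discard  0      0
/dev/mapper/cryptdata   /data   ext4    defaults                  0      2
EOF

discard_report "$SAMPLE/crypttab" "$SAMPLE/fstab"
echo "mappings with discard passthrough: $(leaking_mappings "$SAMPLE/crypttab" "$SAMPLE/fstab")"
rm -rf "$SAMPLE"
```

A mapping that shows crypt=off but fs=on is the misconfiguration to look for when fstrim appears to do nothing: the filesystem issues the discard, but the dm-crypt layer drops it.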
I can test it through a VM, but this has low priority since there is no use case for now.
Currently /etc/securetty is being wiped - no login over any tty is possible anymore (my goal is a safe headless server).
This is probably not liked on a server at home, or with frequent(?) direct access.
Network interface names (e.g. eno0 eth1) should be defined only once for each host.
If pacdiff is needed, the update process of pacman or paru should hint at conflicts in changed files, and we should have a good terminal diff app by default:
# /etc/profile.d/diffprog.sh
# Used as diff app for apps like pacdiff (for .pacnew files)
export DIFFPROG=colordiff
and
# /etc/pacman.d/hooks/pacdiff.hook
[Trigger]
Operation = Install
Operation = Upgrade
Operation = Remove
Type = Package
Target = *
[Action]
Description = Runs pacdiff utility
When = PostTransaction
Exec = /usr/bin/pacdiff
Currently I use part_infos.mountPath - this is defined in a host_vars variable.
Add AUR helper:
sudo pacman -S --needed base-devel git
git clone https://aur.archlinux.org/paru.git
cd paru
makepkg -si
paru -Syu paru-bin
And optimize its config:
# /etc/paru.conf
[options]
Devel
#RemoveMake
CleanAfter
NewsOnUpgrade
SkipReview
# /etc/pacman.conf
[options]
# Misc options
ILoveCandy
The user password is defined as a variable (uh, bad bad bad) - it is better to ask for the password at the beginning of the task.
As an example, "Check for uefi firmware" exists twice.
For zram:
https://wiki.archlinux.org/title/Improving_performance#zram_or_zswap
zram-generator <- systemd package
/etc/systemd/zram-generator.conf <- config
No need to enable anything with systemctl; it will be started during boot.
In case zram is being used, add a kernel command line parameter to disable zswap:
zswap.enabled=0
https://wiki.archlinux.org/title/Zswap#Toggling_zswap
Maybe use a module parameter (/etc/modprobe.d) instead?
needs testing
# /etc/pacman.d/hooks/microcode_reload.hook
[Trigger]
Operation = Upgrade
Type = Path
Target = usr/lib/firmware/amd-ucode/*
[Action]
Description = Applying CPU microcode updates...
When = PostTransaction
Depends = sh
Exec = /bin/sh -c 'echo 1 > /sys/devices/system/cpu/microcode/reload'
I need a manual to use this project.
It's important to know the list of parameters we should, must or need to change.
localdomain is mostly used for local networks - useless for servers on the internet.
Is sgdisk totally necessary, or can we reduce the bloat by using sfdisk?
Check syntax/parameters and features.
Currently it is being removed.
We do not want to route packets from one interface to another.
https://www.theurbanpenguin.com/rp_filter-and-lpic-3-linux-security/
https://wiki.archlinux.org/title/simple_stateful_firewall#Protection_against_spoofing_attacks
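The two settings those links come down to are forwarding off and reverse-path filtering on, and both are worth auditing on the finished host rather than trusting the playbook. The script below is an added example for this page, not code from the repository: the expected values are this example's reading of the linked pages (no IPv4/IPv6 forwarding, strict rp_filter on all and default), the functions take a "key = value" dump as a parameter so they run on constructed input, and on a live host you would feed them `sysctl -a` output or a /etc/sysctl.d fragment. The function names, the fragment file name and the sample dumps are assumptions.

```shell
#!/bin/sh
# Added example (not from the repository): audit forwarding and rp_filter
# against the values the linked pages recommend. Names are assumptions.

WANT_SYSCTL='net.ipv4.ip_forward=0
net.ipv6.conf.all.forwarding=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1'

# sysctl_audit DUMP: one PASS/FAIL line per expected key
sysctl_audit() {
    printf '%s\n' "$WANT_SYSCTL" | awk -v dump="$1" '
        BEGIN {
            # load the dump into have[key] = value, tolerating "k = v" and "k=v"
            while ((getline line < dump) > 0) {
                if (line ~ /^[[:space:]]*(#|$)/) continue
                n = index(line, "=")
                if (n == 0) continue
                k = substr(line, 1, n - 1); v = substr(line, n + 1)
                gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
                have[k] = v
            }
            close(dump)
        }
        {
            n = index($0, "="); k = substr($0, 1, n - 1); v = substr($0, n + 1)
            if ((k in have) && have[k] == v)
                print "PASS " k "=" v
            else
                print "FAIL " k "=" ((k in have) ? have[k] : "unset") " (want " v ")"
        }'
}

# sysctl_failures DUMP: number of FAIL lines (0 means the host matches)
sysctl_failures() {
    sysctl_audit "$1" | grep -c '^FAIL' || true
}

# sysctl_hardened_conf: the /etc/sysctl.d fragment that satisfies the audit
sysctl_hardened_conf() {
    printf '# 99-no-forwarding.conf: do not route between interfaces, drop spoofed sources\n'
    printf '%s\n' "$WANT_SYSCTL" | sed 's/=/ = /'
}

# Constructed dumps (not captured from a real host): a router-like weak state
# beside the hardened one
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/weak" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
EOF
sysctl_hardened_conf > "$SAMPLE/hardened"

echo "== weak =="; sysctl_audit "$SAMPLE/weak"
echo "== hardened =="; sysctl_audit "$SAMPLE/hardened"
rm -rf "$SAMPLE"
```

Keys missing from the dump are reported as "unset" rather than silently passing, because a fragment that never mentions rp_filter leaves whatever the kernel or another sysctl.d file chose.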
currently hardcoded
it would create bloat, but it is still better than always editing the tasks
not done yet - untested