Arch-Setup-Script/README.md

### Introduction
This is my fork of [easy-arch](https://github.com/classy-giraffe/easy-arch), a **script** made in order to boostrap a basic **Arch Linux** environment with **snapshots** and **encryption** by using a fully automated process.

This fork comes with various security improvements and fully working rollbacks with snapper. I do submit some of the changes here back to upstream as well.

### How does it work?
1. Download an Arch Linux ISO from [here](https://archlinux.org/download/)
2. Flash the ISO onto an [USB Flash Drive](https://wiki.archlinux.org/index.php/USB_flash_installation_medium).
3. Boot the live environment.
4. Connect to the internet.
5. `git clone https://github.com/tommytran732/Arch-Setup-Script/`
6. `cd Arch-Setup-Script`
7. `chmod u+x ./install.sh && ./install.sh`

### Snapper behavior
The partition layout I use rallows us to replicate the behavior found in openSUSE 🦎
1. Snapper rollback <number> works! You will no longer need to manually rollback from a live USB like you would with the @ and @home layout suggested in the Arch Wiki.
2. You can boot into a readonly snapshot! GDM and other services will start normally so you can get in and verify that everything works before rolling back.
3. Automatic snapshots on pacman install/update operations
4. Directories such as /boot, /boot/efi, /var/log, /var/crash, /var/tmp, /var/spool, /var/lib/libvirt/images are excluded from the snapshots as they either should be persistent or are just temporary files. /cryptkey is excluded as we do not want the encryption key to be included in the snapshots, which could be sent to another device as a backup.
5. GRUB will boot into the default BTRFS snapshot set by snapper. Like on SUSE, your running system will always be a read-write snapshot in @/.snapshots/X/snapshot. 

### Changes to the original project
1. Encrypted /boot
2. SUSE - like partition layout
3. Snapper snapshots & rollback
4. Default umask to 077
5. Firewalld is enabled by default
6. Minimally setup GNOME 40 with pipewire
7. Randomize Mac Address and disable Connectivity Check for privacy
8. Blacklisted Firewire SBP2 (As recommended by https://www.ncsc.gov.uk/collection/end-user-device-security/platform-specific-guidance/ubuntu-18-04-lts)
9. Add some kernel/grub settings from https://github.com/Whonix/security-misc/tree/master/etc/default


### Partitions layout 

| Partition/Subvolume | Label                        | Mountpoint               | Notes                       |
|---------------------|------------------------------|--------------------------|-----------------------------|
| 1                   | ESP                          | /boot/efi                | Unencrypted FAT32           |
| 2                   | @/.snapshots/X/snapshot      | /                        | Encrypted BTRFS             |
| 3                   | @/boot                       | /boot/                   | Encrypted BTRFS (nodatacow) |
| 4                   | @/root                       | /root                    | Encrypted BTRFS             |
| 5                   | @/home                       | /home                    | Encrypted BTRFS             |
| 6                   | @/.snapshots                 | /.snapshots              | Encrypted BTRFS             |
| 7                   | @/srv                        | /srv                     | Encrypted BTRFS (nodatacow) |
| 8                   | @/var_log                    | /var/log                 | Encrypted BTRFS (nodatacow) |
| 9                   | @/var_crash                  | /var/crash               | Encrypted BTRFS (nodatacow) |
| 10                  | @/var_cache                  | /var/cache               | Encrypted BTRFS (nodatacow) |
| 11                  | @/var_tmp                    | /var/tmp                 | Encrypted BTRFS (nodatacow) |
| 12                  | @/var_spool                  | /var/spool               | Encrypted BTRFS (nodatacow) |
| 13                  | @/var_lib_libvirt_images     | /var/lib/libvirt/images  | Encrypted BTRFS (nodatacow) |
| 14                  | @/var_lib_machines           | /var/lib/machines        | Encrypted BTRFS (nodatacow) |
| 15                  | @/var_lib_gdm                | /var/lib/gdm             | Encrypted BTRFS (nodatacow) |
| 16                  | @/var_lib_AccountsService    | /var/lib/AccountsService | Encrypted BTRFS (nodatacow) |
| 17                  | @/cryptkey                   | /cryptkey                | Encrypted BTRFS (nodatacow) |

### To do
1. Install yay and setup opensnitch
2. Reduce the number of password prompts
3. Automatic secure boot setup with your own keys (no, we are not using shim).
4. Optional Nvidia driver installation 
5. Automatic zram setup
Typo. 2021-02-01 07:18:08 -05:00			`### Introduction`
Update README.md 2021-04-10 17:40:40 -04:00			`This is my fork of [easy-arch](https://github.com/classy-giraffe/easy-arch), a script made in order to boostrap a basic Arch Linux environment with snapshots and encryption by using a fully automated process.`
Introduction. 2021-02-01 07:16:56 -05:00
Update README.md 2021-04-23 16:18:03 -04:00			`This fork comes with various security improvements and fully working rollbacks with snapper. I do submit some of the changes here back to upstream as well.`

Update README.md 2021-02-03 02:04:07 -05:00			`### How does it work?`
			`1. Download an Arch Linux ISO from [here](https://archlinux.org/download/)`
			`2. Flash the ISO onto an [USB Flash Drive](https://wiki.archlinux.org/index.php/USB_flash_installation_medium).`
			`3. Boot the live environment.`
Update README.md 2021-04-10 17:26:27 -04:00			`4. Connect to the internet.`
Update README.md 2021-04-23 16:18:03 -04:00			5. `git clone https://github.com/tommytran732/Arch-Setup-Script/`
Update README.md 2021-04-10 17:40:40 -04:00			6. `cd Arch-Setup-Script`
Update README.md 2021-04-14 00:41:25 -04:00			7. `chmod u+x ./install.sh && ./install.sh`
Update README.md 2021-04-23 16:18:03 -04:00
			`### Snapper behavior`
			`The partition layout I use rallows us to replicate the behavior found in openSUSE 🦎`
Update README.md 2021-06-23 13:25:31 -04:00			`1. Snapper rollback <number> works! You will no longer need to manually rollback from a live USB like you would with the @ and @home layout suggested in the Arch Wiki.`
Update README.md 2021-04-23 16:18:03 -04:00			`2. You can boot into a readonly snapshot! GDM and other services will start normally so you can get in and verify that everything works before rolling back.`
			`3. Automatic snapshots on pacman install/update operations`
Update README.md 2021-06-23 19:03:34 -04:00			`4. Directories such as /boot, /boot/efi, /var/log, /var/crash, /var/tmp, /var/spool, /var/lib/libvirt/images are excluded from the snapshots as they either should be persistent or are just temporary files. /cryptkey is excluded as we do not want the encryption key to be included in the snapshots, which could be sent to another device as a backup.`
Update README.md 2021-06-23 13:24:08 -04:00			`5. GRUB will boot into the default BTRFS snapshot set by snapper. Like on SUSE, your running system will always be a read-write snapshot in @/.snapshots/X/snapshot.`
Update README.md 2021-02-03 02:04:07 -05:00
Update README.md 2021-04-10 17:49:18 -04:00			`### Changes to the original project`
Update README.md 2021-06-14 19:37:13 -04:00			`1. Encrypted /boot`
Update README.md 2021-04-23 16:18:03 -04:00			`2. SUSE - like partition layout`
			`3. Snapper snapshots & rollback`
			`4. Default umask to 077`
			`5. Firewalld is enabled by default`
Update README.md 2021-05-11 06:07:21 -04:00			`6. Minimally setup GNOME 40 with pipewire`
Update README.md 2021-07-09 03:44:10 -04:00			`7. Randomize Mac Address and disable Connectivity Check for privacy`
			`8. Blacklisted Firewire SBP2 (As recommended by https://www.ncsc.gov.uk/collection/end-user-device-security/platform-specific-guidance/ubuntu-18-04-lts)`
Update README.md 2021-07-25 03:04:27 -04:00			`9. Add some kernel/grub settings from https://github.com/Whonix/security-misc/tree/master/etc/default`

Update README.md 2021-04-10 17:33:58 -04:00
Better documentation. 2021-02-01 05:43:36 -05:00			`### Partitions layout`
Documentation. 2021-02-01 05:20:58 -05:00
Update README.md 2021-04-23 16:40:58 -04:00			`\| Partition/Subvolume \| Label \| Mountpoint \| Notes \|`
			`\|---------------------\|------------------------------\|--------------------------\|-----------------------------\|`
			`\| 1 \| ESP \| /boot/efi \| Unencrypted FAT32 \|`
			`\| 2 \| @/.snapshots/X/snapshot \| / \| Encrypted BTRFS \|`
Update README.md 2021-05-11 06:07:21 -04:00			`\| 3 \| @/boot \| /boot/ \| Encrypted BTRFS (nodatacow) \|`
Update README.md 2021-04-23 16:40:58 -04:00			`\| 4 \| @/root \| /root \| Encrypted BTRFS \|`
			`\| 5 \| @/home \| /home \| Encrypted BTRFS \|`
			`\| 6 \| @/.snapshots \| /.snapshots \| Encrypted BTRFS \|`
			`\| 7 \| @/srv \| /srv \| Encrypted BTRFS (nodatacow) \|`
Update README.md 2021-06-23 19:04:21 -04:00			`\| 8 \| @/var_log \| /var/log \| Encrypted BTRFS (nodatacow) \|`
Update README.md 2021-07-08 08:45:46 -04:00			`\| 9 \| @/var_crash \| /var/crash \| Encrypted BTRFS (nodatacow) \|`
Update README.md 2021-06-23 19:04:21 -04:00			`\| 10 \| @/var_cache \| /var/cache \| Encrypted BTRFS (nodatacow) \|`
			`\| 11 \| @/var_tmp \| /var/tmp \| Encrypted BTRFS (nodatacow) \|`
			`\| 12 \| @/var_spool \| /var/spool \| Encrypted BTRFS (nodatacow) \|`
			`\| 13 \| @/var_lib_libvirt_images \| /var/lib/libvirt/images \| Encrypted BTRFS (nodatacow) \|`
Update README.md 2021-07-08 08:45:46 -04:00			`\| 14 \| @/var_lib_machines \| /var/lib/machines \| Encrypted BTRFS (nodatacow) \|`
Update README.md 2021-07-11 10:47:04 -04:00			`\| 15 \| @/var_lib_gdm \| /var/lib/gdm \| Encrypted BTRFS (nodatacow) \|`
			`\| 16 \| @/var_lib_AccountsService \| /var/lib/AccountsService \| Encrypted BTRFS (nodatacow) \|`
			`\| 17 \| @/cryptkey \| /cryptkey \| Encrypted BTRFS (nodatacow) \|`
Update README.md 2021-04-23 16:40:58 -04:00
Update README.md 2021-04-23 16:18:03 -04:00			`### To do`
Update README.md 2021-07-25 02:50:02 -04:00			`1. Install yay and setup opensnitch`
			`2. Reduce the number of password prompts`
			`3. Automatic secure boot setup with your own keys (no, we are not using shim).`
			`4. Optional Nvidia driver installation`
			`5. Automatic zram setup`