1
0
mirror of https://github.com/tommytran732/Arch-Setup-Script synced 2024-11-09 04:01:33 -05:00
Arch-Setup-Script/README.md

35 lines
2.8 KiB
Markdown
Raw Normal View History

2021-02-01 07:18:08 -05:00
### Introduction
[![ShellCheck](https://github.com/TommyTran732/Arch-Setup-Script/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/TommyTran732/Arch-Setup-Script/actions/workflows/shellcheck.yml)
This is my installer for Arch Linux. It sets up a BTRFS system with encrypted `/boot` and full snapper support (both snapshotting and rollback work!). It also includes various system hardening configurations.
2021-02-01 07:16:56 -05:00
The script is based on [easy-arch](https://github.com/classy-giraffe/easy-arch). However, it diverges substantially from the original project does not follow its development.
2021-04-23 16:18:03 -04:00
Visit my Matrix group: https://invite.arcticfoxes.net/#/#tommy:arcticfoxes.net
2021-09-18 15:47:50 -04:00
### How to use it?
2021-02-03 02:04:07 -05:00
1. Download an Arch Linux ISO from [here](https://archlinux.org/download/)
2. Flash the ISO onto an [USB Flash Drive](https://wiki.archlinux.org/index.php/USB_flash_installation_medium).
3. Boot the live environment.
2021-04-10 17:26:27 -04:00
4. Connect to the internet.
2021-04-23 16:18:03 -04:00
5. `git clone https://github.com/tommytran732/Arch-Setup-Script/`
2021-04-10 17:40:40 -04:00
6. `cd Arch-Setup-Script`
7. `chmod u+x ./install.sh`
8. `./install.sh`
2021-07-25 04:33:40 -04:00
2021-04-23 16:18:03 -04:00
### Snapper behavior
The partition layout I use allows us to replicate the behavior found in openSUSE 🦎
2021-06-23 13:25:31 -04:00
1. Snapper rollback <number> works! You will no longer need to manually rollback from a live USB like you would with the @ and @home layout suggested in the Arch Wiki.
2021-04-23 16:18:03 -04:00
2. You can boot into a readonly snapshot! GDM and other services will start normally so you can get in and verify that everything works before rolling back.
2021-07-25 04:58:46 -04:00
3. Automatic snapshots on pacman install/update/remove operations
4. Directories such as `/boot`, `/boot/efi`, `/var/log`, `/var/crash`, `/var/tmp`, `/var/spool`, /`var/lib/libvirt/images` are excluded from the snapshots as they either should be persistent or are just temporary files. `/cryptkey` is excluded as we do not want the encryption key to be included in the snapshots, which could be sent to another device as a backup.
5. GRUB will boot into the default BTRFS snapshot set by snapper. Like on openSUSE, your running system will always be a read-write snapshot in `@/.snapshots/X/snapshot`.
2021-07-25 07:08:41 -04:00
### Security considerations
2021-07-25 07:08:41 -04:00
Since this is an encrypted `/boot` setup, GRUB will prompt you for your encryption password and decrypt the drive so that it can access the kernel and initramfs. I am unaware of any way to make it use a TPM + PIN setup.
2021-07-25 07:08:41 -04:00
The implication of this is that an attacker can change your secure boot state with a programmer, replace your grubx64.efi and it will not be detected until its too late.
2021-07-25 07:08:41 -04:00
This type of attack can theoratically be solved by splitting /boot out to a seperate partition and encrypt the root filesystem separately. The key protector for the root filesystem can then be sealed to a TPM with PCR 0+1+2+3+5+7+14. It is a bit more complicated to set up so my installer does not support this (yet!).