1
0
mirror of https://github.com/tommytran732/Arch-Setup-Script synced 2024-11-09 12:11:33 -05:00
Arch-Setup-Script/README.md
2022-08-27 03:13:41 -04:00

4.4 KiB

Introduction

This is my fork of easy-arch, a script made in order to boostrap a basic Arch Linux environment with snapshots and encryption by using a fully automated process.

This fork comes with various security improvements and fully working rollbacks with snapper. I do submit some of the changes here back to upstream as well.

How does it work?

  1. Download an Arch Linux ISO from here
  2. Flash the ISO onto an USB Flash Drive.
  3. Boot the live environment.
  4. Connect to the internet.
  5. git clone https://github.com/tommytran732/Arch-Setup-Script/
  6. cd Arch-Setup-Script
  7. chmod u+x ./install.sh && ./install.sh

Changes to the original project

  1. Encrypted /boot with LUKS1
  2. SUSE - like partition layout and fully working snapper snapshots & rollback
  3. Minimally setup GNOME 40 with pipewire
  4. AppArmor and Firewalld enabled by default
  5. Defaulting umask to 077
  6. Randomize Mac Address and disable Connectivity Check for privacy
  7. Added some kernel/grub settings from https://github.com/Whonix/security-misc/tree/master/etc/default
  8. Added udev rules from https://gitlab.com/garuda-linux/themes-and-settings/settings/garuda-common-settings/-/tree/master/etc/udev/rules.d

Snapper behavior

The partition layout I use rallows us to replicate the behavior found in openSUSE 🦎

  1. Snapper rollback works! You will no longer need to manually rollback from a live USB like you would with the @ and @home layout suggested in the Arch Wiki.
  2. You can boot into a readonly snapshot! GDM and other services will start normally so you can get in and verify that everything works before rolling back.
  3. Automatic snapshots on pacman install/update operations
  4. Directories such as /boot, /boot/efi, /var/log, /var/crash, /var/tmp, /var/spool, /var/lib/libvirt/images are excluded from the snapshots as they either should be persistent or are just temporary files. /cryptkey is excluded as we do not want the encryption key to be included in the snapshots, which could be sent to another device as a backup.
  5. GRUB will boot into the default BTRFS snapshot set by snapper. Like on SUSE, your running system will always be a read-write snapshot in @/.snapshots/X/snapshot.

Partitions layout

Partition/Subvolume Label Mountpoint Notes
1 ESP /boot/efi Unencrypted FAT32
2 @/.snapshots/X/snapshot / Encrypted BTRFS
3 @/boot /boot/ Encrypted BTRFS (nodatacow)
4 @/root /root Encrypted BTRFS
5 @/home /home Encrypted BTRFS
6 @/.snapshots /.snapshots Encrypted BTRFS
7 @/srv /srv Encrypted BTRFS (nodatacow)
8 @/var_log /var/log Encrypted BTRFS (nodatacow)
9 @/var_crash /var/crash Encrypted BTRFS (nodatacow)
10 @/var_cache /var/cache Encrypted BTRFS (nodatacow)
11 @/var_tmp /var/tmp Encrypted BTRFS (nodatacow)
12 @/var_spool /var/spool Encrypted BTRFS (nodatacow)
13 @/var_lib_libvirt_images /var/lib/libvirt/images Encrypted BTRFS (nodatacow)
14 @/var_lib_machines /var/lib/machines Encrypted BTRFS (nodatacow)
15 @/var_lib_gdm /var/lib/gdm Encrypted BTRFS (nodatacow)
16 @/var_lib_AccountsService /var/lib/AccountsService Encrypted BTRFS (nodatacow)
17 @/cryptkey /cryptkey Encrypted BTRFS (nodatacow)