mirror of
https://github.com/tommytran732/Arch-Setup-Script
synced 2024-12-22 23:11:33 -05:00
Setting up Arch Linux with BTRFS, snapshots and full disk encryption including /boot (UEFI only).
f202bd0a6f
earlyoom is not needed since systemd already provides that |
||
---|---|---|
.github/ISSUE_TEMPLATE | ||
install.sh | ||
LICENSE | ||
README.md |
Introduction
This is my fork of easy-arch, a script made in order to boostrap a basic Arch Linux environment with snapshots and encryption by using a fully automated process.
This fork comes with various security improvements and fully working rollbacks with snapper. I do submit some of the changes here back to upstream as well.
How does it work?
- Download an Arch Linux ISO from here
- Flash the ISO onto an USB Flash Drive.
- Boot the live environment.
- Connect to the internet.
git clone https://github.com/tommytran732/Arch-Setup-Script/
cd Arch-Setup-Script
chmod u+x ./install.sh && ./install.sh
- do
arch-chroot /mnt
and create your wheel user once the script is done. Remember to give the wheel group priviledges invisudo
.
Snapper behavior
The partition layout I use rallows us to replicate the behavior found in openSUSE 🦎
- Snapper rollback works! You will no longer need to manually rollback from a live USB like you would with the @ and @home layout suggested in the Arch Wiki.
- You can boot into a readonly snapshot! GDM and other services will start normally so you can get in and verify that everything works before rolling back.
- Automatic snapshots on pacman install/update operations
- Directories such as /boot, /boot/efi, /var/log, /var/crash, /var/tmp, /var/spool, /var/lib/libvirt/images are excluded from the snapshots as they either should be persistent or are just temporary files. /cryptkey is excluded as we do not want the encryption key to be included in the snapshots, which could be sent to another device as a backup.
- GRUB will boot into the default BTRFS snapshot set by snapper. Like on SUSE, your running system will always be a read-write snapshot in @/.snapshots/X/snapshot.
Changes to the original project
- Encrypted /boot
- SUSE - like partition layout
- Snapper snapshots & rollback
- Default umask to 077
- Firewalld is enabled by default
- Minimally setup GNOME 40 with pipewire
- Randomize Mac Address and disable Connectivity Check for privacy
- Blacklisted Firewire SBP2 (As recommended by https://www.ncsc.gov.uk/collection/end-user-device-security/platform-specific-guidance/ubuntu-18-04-lts)
- Kernel security settings
Partitions layout
Partition/Subvolume | Label | Mountpoint | Notes |
---|---|---|---|
1 | ESP | /boot/efi | Unencrypted FAT32 |
2 | @/.snapshots/X/snapshot | / | Encrypted BTRFS |
3 | @/boot | /boot/ | Encrypted BTRFS (nodatacow) |
4 | @/root | /root | Encrypted BTRFS |
5 | @/home | /home | Encrypted BTRFS |
6 | @/.snapshots | /.snapshots | Encrypted BTRFS |
7 | @/srv | /srv | Encrypted BTRFS (nodatacow) |
8 | @/var_log | /var/log | Encrypted BTRFS (nodatacow) |
9 | @/var_crash | /var/crash | Encrypted BTRFS (nodatacow) |
10 | @/var_cache | /var/cache | Encrypted BTRFS (nodatacow) |
11 | @/var_tmp | /var/tmp | Encrypted BTRFS (nodatacow) |
12 | @/var_spool | /var/spool | Encrypted BTRFS (nodatacow) |
13 | @/var_lib_libvirt_images | /var/lib/libvirt/images | Encrypted BTRFS (nodatacow) |
14 | @/var_lib_machines | /var/lib/machines | Encrypted BTRFS (nodatacow) |
15 | @/var_lib_gdm | /var/lib/gdm | Encrypted BTRFS (nodatacow) |
16 | @/var_lib_AccountsService | /var/lib/AccountsService | Encrypted BTRFS (nodatacow) |
17 | @/cryptkey | /cryptkey | Encrypted BTRFS (nodatacow) |
To do
- Automate wheel user setup
- Install yay and setup opensnitch
- Reduce the number of password prompts
- Automatic secure boot setup with your own keys (no, we are not using shim).
- Optional Nvidia driver installation
- Automatic zram setup