mirror of
https://github.com/tommytran732/Arch-Setup-Script
synced 2024-11-09 12:11:33 -05:00
4.6 KiB
4.6 KiB
Introduction
This is my fork of easy-arch, a script made in order to boostrap a basic Arch Linux environment with snapshots and encryption by using a fully automated process.
This fork comes with various security improvements and fully working rollbacks with snapper. I do submit some of the changes here back to upstream as well.
How does it work?
- Download an Arch Linux ISO from here
- Flash the ISO onto an USB Flash Drive.
- Boot the live environment.
- Connect to the internet.
git clone https://github.com/tommytran732/Arch-Setup-Script/cd Arch-Setup-Scriptchmod u+x ./install.sh && ./install.sh
Snapper behavior
The partition layout I use rallows us to replicate the behavior found in openSUSE 🦎
- Snapper rollback works! You will no longer need to manually rollback from a live USB like you would with the @ and @home layout suggested in the Arch Wiki.
- You can boot into a readonly snapshot! GDM and other services will start normally so you can get in and verify that everything works before rolling back.
- Automatic snapshots on pacman install/update operations
- Directories such as /boot, /boot/efi, /var/log, /var/crash, /var/tmp, /var/spool, /var/lib/libvirt/images are excluded from the snapshots as they either should be persistent or are just temporary files. /cryptkey is excluded as we do not want the encryption key to be included in the snapshots, which could be sent to another device as a backup.
- GRUB will boot into the default BTRFS snapshot set by snapper. Like on SUSE, your running system will always be a read-write snapshot in @/.snapshots/X/snapshot.
Changes to the original project
- Encrypted /boot
- SUSE - like partition layout
- Snapper snapshots & rollback
- Default umask to 077
- Firewalld is enabled by default
- Minimally setup GNOME 40 with pipewire
- Randomize Mac Address and disable Connectivity Check for privacy
- Blacklisted Firewire SBP2 (As recommended by https://www.ncsc.gov.uk/collection/end-user-device-security/platform-specific-guidance/ubuntu-18-04-lts)
- Added some kernel/grub settings from https://github.com/Whonix/security-misc/tree/master/etc/default
Partitions layout
| Partition/Subvolume | Label | Mountpoint | Notes |
|---|---|---|---|
| 1 | ESP | /boot/efi | Unencrypted FAT32 |
| 2 | @/.snapshots/X/snapshot | / | Encrypted BTRFS |
| 3 | @/boot | /boot/ | Encrypted BTRFS (nodatacow) |
| 4 | @/root | /root | Encrypted BTRFS |
| 5 | @/home | /home | Encrypted BTRFS |
| 6 | @/.snapshots | /.snapshots | Encrypted BTRFS |
| 7 | @/srv | /srv | Encrypted BTRFS (nodatacow) |
| 8 | @/var_log | /var/log | Encrypted BTRFS (nodatacow) |
| 9 | @/var_crash | /var/crash | Encrypted BTRFS (nodatacow) |
| 10 | @/var_cache | /var/cache | Encrypted BTRFS (nodatacow) |
| 11 | @/var_tmp | /var/tmp | Encrypted BTRFS (nodatacow) |
| 12 | @/var_spool | /var/spool | Encrypted BTRFS (nodatacow) |
| 13 | @/var_lib_libvirt_images | /var/lib/libvirt/images | Encrypted BTRFS (nodatacow) |
| 14 | @/var_lib_machines | /var/lib/machines | Encrypted BTRFS (nodatacow) |
| 15 | @/var_lib_gdm | /var/lib/gdm | Encrypted BTRFS (nodatacow) |
| 16 | @/var_lib_AccountsService | /var/lib/AccountsService | Encrypted BTRFS (nodatacow) |
| 17 | @/cryptkey | /cryptkey | Encrypted BTRFS (nodatacow) |
To do
- Install yay and setup opensnitch
- Reduce the number of password prompts
- Automatic secure boot setup with your own keys (no, we are not using shim).
- Optional Nvidia driver installation
- Automatic zram setup