
Asus N56VZ - Arch Linux installation guide

  • Date: August 2013
  • Installation ISO: archlinux-2013.07.01-dual.iso



Introduction

Note:

  • Typos are possible
  • Looks like most of the issues (battery state problem, multimedia keys, wired connection etc.) are resolved as of BIOS firmware 217 and Linux kernel 3.10

Legend:

  • <variable> - change to suit your needs

Philosophy

  • Install as little as possible - YAGNI
  • Configure and modify as little as possible - KISS

Hardware

  • Laptop model: Asus N56VZ (BIOS firmware version 216)
  • Primary VGA adapter: Intel HD Graphics 4000
  • Secondary VGA adapter: nVidia GeForce 650M (NVE0 GK107, Kepler)
  • Primary disk: Samsung 840 PRO 128 GB SSD (sda)
  • Secondary disk: Western Digital Scorpio Black WDC WD7500BPKT 750 GB (sdb)

Features

  • OS: Arch Linux
  • Unified Extensible Firmware Interface (UEFI)
  • GUID Partition Table (GPT)
  • rEFInd boot manager
  • Encrypted home (performance over security)


Preparation

Flash BIOS

  • Check current BIOS version: Enter BIOS (F2) => Main => Version
  • Save current BIOS configuration (pen & paper)
  • Download the latest BIOS firmware from Asus support website
  • Unpack downloaded zip file and save the N56VZAS.<version> file to FAT 32 formatted USB flash drive
  • Shut down laptop, plug battery, AC and USB flash drive (unplug everything else)
  • Turn on laptop => enter BIOS (F2) => Advanced => Start Easy Flash => Follow instructions
  • Re-configure BIOS

Prepare installation medium

Mount the installation ISO.

# mkdir -p /mnt/iso
# mount -o loop archlinux-<release>-dual.iso /mnt/iso

Obtain <label> from /mnt/iso/loader/entries/archiso-x86_64.conf.

Prepare USB media with partition (GUID) and filesystem (FAT32).

# gdisk /dev/sdX
# mkfs.vfat -F32 /dev/sdX1 -n <label>

Mount USB media and copy the contents of the installation media to the USB media.

# mkdir -p /mnt/usb
# mount /dev/sdX1 /mnt/usb
# cp -a /mnt/iso/* /mnt/usb
# sync
# umount /mnt/{usb,iso}

Boot the installation medium

To confirm that you have booted in UEFI mode, check that the directory /sys/firmware/efi exists:

# ls -1 /sys/firmware/efi


Installation

Establish an internet connection

# ip link set wlp3s0 up
# wifi-menu wlp3s0
# ping -c 3 www.google.com

Partitioning

sda

  • SSD NAND erase block size: 1024 KB (1048576 B)
  • SSD NAND page size: 8 KB (8192 B)
  • Filesystem block size: 4 KB (4096 B)
stride = SSD erase block size / filesystem block size = 1024 / 4 = 256
stripe-width = stride * N (the number of data-bearing disks i.e. 1 in this case) = stride * 1 = 256

Partition table

# gdisk /dev/sda
Number  Start (sector)    End (sector)  Size       Code  Name               Mount point
   1            2048         1050623   512.0 MiB   EF00  EFI System         /boot/efi (UEFI boot)
   2         1050624         1574911   256.0 MiB   8300  Linux filesystem   /boot
   3         1574912       135792639   64.0 GiB    8300  Linux filesystem   /
~54.5 GiB left unallocated

sdb

# gdisk /dev/sdb
Number  Start (sector)    End (sector)  Size       Code  Name               Mount point
   1            2048       536872959   256.0 GiB   8300  Linux filesystem   /home
   2       536872960      1375733759   400.0 GiB   8300  Linux filesystem   /dump
   3      1375733760      1442842623   32.0 GiB    8300  Linux filesystem   /var
~10.6 GiB left unallocated

Filesystem

Create filesystems

# mkfs -t vfat -F 32 /dev/sda1
# mkfs -t ext4 -b 4096 -E stride=256,stripe-width=256 /dev/sda2
# mkfs -t ext4 -b 4096 -E stride=256,stripe-width=256 /dev/sda3

# mkfs -t ext4 -b 4096 /dev/sdb2
# mkfs -t ext4 -b 4096 /dev/sdb3

Disk labels

# dosfslabel /dev/sda1 efi
# e2label /dev/sda2 boot
# e2label /dev/sda3 root

# e2label /dev/sdb2 dump
# e2label /dev/sdb3 var

Mounting the partitions

# mount /dev/sda3 /mnt

# mkdir /mnt/boot
# mount /dev/sda2 /mnt/boot

# mkdir /mnt/boot/efi
# mount /dev/sda1 /mnt/boot/efi

# mkdir /mnt/home

# mkdir /mnt/dump
# mount /dev/sdb2 /mnt/dump

# mkdir /mnt/var
# mount /dev/sdb3 /mnt/var

Installing the base system

Install system

Edit /etc/pacman.d/mirrorlist (use HTTP mirrors)

# vi /etc/pacman.d/mirrorlist
...

# pacstrap -i /mnt base

Generate a fstab

# genfstab -U -p /mnt >> /mnt/etc/fstab

Chroot

# arch-chroot /mnt /bin/bash

Base configuration

Locale

# vi /etc/locale.gen
...
en_US.UTF-8 UTF-8
...

# vi /etc/locale.conf
...
LANG="en_US.UTF-8"
LC_COLLATE="C"
...

# export LANG=en_US.UTF-8
# locale-gen

Time

# ln -s /usr/share/zoneinfo/<Country>/<City> /etc/localtime
# hwclock --systohc --utc
# date -s <hh>:<mm>:<ss>

Hostname

# echo <hostname> > /etc/hostname

Network

# pacman -S iw wpa_supplicant wpa_actiond
# pacman -S dialog

Set the root password

# passwd

Install and configure a bootloader (rEFInd)

Install rEFInd boot loader

# pacman -S refind-efi
# mkdir -p /boot/efi/EFI/refind
# cp /usr/share/refind/refind_x64.efi /boot/efi/EFI/refind/
# cp /usr/share/refind/refind.conf-sample /boot/efi/EFI/refind/refind.conf
# cp -Rv /usr/share/refind/icons /boot/efi/EFI/refind/
# cp -Rv /usr/share/refind/drivers_x86 /boot/efi/EFI/refind/drivers
# ls -l /dev/disk/by-partuuid/ | grep sda3

# vi /boot/efi/EFI/refind/refind.conf
...
timeout 3
textonly 1
showtools reboot, shutdown, firmware
scanfor external, optical, manual
menuentry "Arch Linux" {
	volume boot
	loader vmlinuz-linux
	initrd initramfs-linux.img
	options "root=PARTUUID=<partuuid> rootfstype=ext4 rw systemd.unit=graphical.target"

	submenuentry "Boot to terminal" {
		options "root=PARTUUID=<partuuid> rootfstype=ext4 rw systemd.unit=multi-user.target"
	}

	submenuentry "Boot fallback image" {
		initrd initramfs-linux-fallback.img
		options "root=PARTUUID=<partuuid> rootfstype=ext4 rw systemd.unit=multi-user.target"
	}
}
...

Add EFI boot entry

# pacman -S efibootmgr
# modprobe efivars

# efibootmgr -c -d /dev/sda -p 1 -l "\EFI\refind\refind_x64.efi" -L "rEFInd" -T
# efibootmgr -v

Unmount the partitions and reboot

# exit

# umount /mnt/{dump,var}
# umount /mnt/boot/efi
# umount /mnt/boot
# umount /mnt/

# reboot


Post-installation

Security

Encrypted home partition

# cat /dev/zero > /dev/sdb1

# modprobe dm_mod
# cryptsetup -c twofish-xts-plain64 -s 256 -h sha256 --use-random -y luksFormat /dev/sdb1
# cryptsetup -y luksAddKey /dev/sdb1
# cryptsetup luksDump /dev/sdb1

# cryptsetup luksOpen /dev/sdb1 home
# mkfs -t ext4 -b 4096 /dev/mapper/home
# e2label /dev/mapper/home home
# mount /dev/mapper/home /home

# cryptsetup luksUUID /dev/sdb1
# vi /etc/crypttab
...
home    UUID=<luks-uuid>    none    luks
...

# vi /etc/fstab
...
/dev/mapper/home    /home    ext4    rw,relatime,data=ordered    0 2
...

Auto mount home on login

Note: Work in progress

Does not work properly for all users/scenarios (user 1 login, user 1 logout, user 2 login, su, etc.)

# vi /etc/crypttab
...
home    UUID=<luks-uuid>    none    luks,noauto
...

# vi /etc/fstab
...
# /dev/mapper/home    /home    ext4    rw,relatime,data=ordered    0 2
...
# pacman -S pam_mount

# vi /etc/security/pam_mount.conf.xml
...
<volume pgrp="users" fstype="auto" path="/dev/sdb1" mountpoint="/home" options="rw,relatime,data=ordered" />
<mkmountpoint enable="1" remove="true" />

</pam_mount>
...

# vi /etc/pam.d/system-auth
...
#%PAM-1.0

auth      required  pam_unix.so     try_first_pass nullok
auth      optional  pam_permit.so
auth      required  pam_env.so
auth      optional  pam_mount.so

account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  required  pam_unix.so     try_first_pass nullok sha512 shadow
password  optional  pam_permit.so
password  optional  pam_mount.so

session   required  pam_limits.so
session   required  pam_unix.so
session   optional  pam_permit.so
session   required  pam_env.so
session   optional  pam_mount.so
...

TOMOYO Linux

# pacman -S tomoyo-tools

# vi /boot/efi/EFI/refind/refind.conf
...
menuentry "Arch Linux" {
	volume boot
	loader vmlinuz-linux
	initrd initramfs-linux.img
	options "root=PARTUUID=<partuuid> rootfstype=ext4 rw systemd.unit=graphical.target security=tomoyo TOMOYO_trigger=/sbin/init"

	submenuentry "Boot to terminal" {
		options "root=PARTUUID=<partuuid> rootfstype=ext4 rw systemd.unit=multi-user.target"
	}

	submenuentry "Boot fallback image" {
		initrd initramfs-linux-fallback.img
		options "root=PARTUUID=<partuuid> rootfstype=ext4 rw systemd.unit=multi-user.target"
	}
}
...

# /usr/lib/tomoyo/init_policy
# vi /usr/lib/systemd/system/tomoyo-savepolicy.service
...
[Unit]
Description=Tomoyo savepolicy

[Service]
Type=oneshot
ExecStart=/usr/sbin/tomoyo-savepolicy
StandardInput=tty
RemainAfterExit=yes

[Install]
WantedBy=shutdown.target
...

# vi /usr/lib/systemd/system/tomoyo-auditd.service
...
[Unit]
Description=TOMOYO Linux Auditing Daemon

[Service]
Type=forking
ExecStart=/usr/sbin/tomoyo-auditd
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
...

Start/stop or enable/disable the tomoyo-savepolicy and tomoyo-auditd services as needed.

Firewall

# iptables-restore < /etc/iptables/empty.rules

# iptables -N TCP
# iptables -N UDP
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
# iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
# iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
# iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst
# iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable

# iptables-save > /etc/iptables/iptables.rules
# systemctl enable iptables.service
# systemctl start iptables.service
# systemctl status iptables.service

Kernel parameters

# vi /etc/sysctl.d/99-sysctl.conf

...
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
...
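
A file under /etc/sysctl.d only takes effect once it is loaded, and a later file or a missing kernel feature can leave a key at another value. The following check is an added example, not part of the original guide: it compares each setting in the file with the live value. The function names, the output format and the sample tree are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# check_sysctl CONF [ROOT]: compare each "key = value" line in CONF with the
# live value under ROOT (default /proc/sys). Prints one line per key and
# returns 1 if any key has drifted or is missing.
check_sysctl() {
    conf=$1
    root=${2:-/proc/sys}
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                       # drop trailing comments
        case $line in
            \;*|"") continue ;;                # ';' comments and blank lines
            *=*) ;;
            *) continue ;;                     # anything that is not key = value
        esac
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        want=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        path=$root/$(printf '%s' "$key" | tr . /)   # net.ipv4.x -> net/ipv4/x
        if [ ! -r "$path" ]; then
            printf 'MISSING %s want=%s\n' "$key" "$want"; rc=1
            continue
        fi
        have=$(cat "$path")
        if [ "$have" = "$want" ]; then
            printf 'OK      %s = %s\n' "$key" "$have"
        else
            printf 'DRIFT   %s want=%s have=%s\n' "$key" "$want" "$have"; rc=1
        fi
    done < "$conf"
    return $rc
}

# Constructed sample: the guide's settings plus a fake /proc/sys tree in which
# rp_filter and tcp_timestamps hold other values and the IPv6 key is absent.
make_sysctl_sample() {
    mkdir -p "$1/sys/net/ipv4/conf/all"
    cat > "$1/99-sysctl.conf" <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
EOF
    echo 1 > "$1/sys/net/ipv4/tcp_syncookies"
    echo 0 > "$1/sys/net/ipv4/ip_forward"
    echo 0 > "$1/sys/net/ipv4/conf/all/rp_filter"
    echo 1 > "$1/sys/net/ipv4/icmp_echo_ignore_all"
    echo 1 > "$1/sys/net/ipv4/tcp_timestamps"
    echo 1 > "$1/sys/net/ipv4/icmp_ignore_bogus_error_responses"
}

demo=$(mktemp -d)
make_sysctl_sample "$demo"
check_sysctl "$demo/99-sysctl.conf" "$demo/sys" || echo "live values differ from the file"
rm -rf "$demo"
```

On the installed system, run `check_sysctl /etc/sysctl.d/99-sysctl.conf` after a reboot or after `sysctl --system`.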

Basics

Directory tree

# mkdir /dump/{misc,music,videos,vdi}
# chgrp users /dump/{misc,music,videos,vdi}
# chmod g+w /dump/{misc,music,videos,vdi}
# mkdir /mnt/{backup,media}
# mkdir /mnt/sdcrd
# mkdir /mnt/usbfd{1,2}

SSD/HDD scheduler

# vi /etc/udev/rules.d/60-schedulers.rules
...
# Set "noop" scheduler for non-rotating disks
ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="noop"

# Set "cfq" scheduler for rotating disks
ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="1", ATTR{queue/scheduler}="cfq"
...

SMART

Enable SMART if needed

# pacman -S smartmontools
# smartctl -i /dev/sdb
# smartctl -s on /dev/sdb

HDD APC

HDD spins down too often (TODO: Better handling with PM and/or systemd)

# pacman -S hdparm

# vi /etc/udev/rules.d/75-hdparm.rules
...
ACTION=="add", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="1", RUN+="/usr/bin/hdparm -B 254 /dev/$kernel"
...

Fstab

# vi /etc/fstab
...
UUID=<uuid>         /            ext4    rw,relatime,stripe=256,data=ordered,discard    0 1
UUID=<uuid>         /boot        ext4    rw,relatime,stripe=256,data=ordered,discard    0 2
UUID=<uuid>         /boot/efi    vfat     rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro    0 2
/dev/mapper/home    /home        ext4    rw,relatime,data=ordered    0 2
UUID=<uuid>         /dump        ext4    rw,relatime,data=ordered    0 2
UUID=<uuid>         /var         ext4    rw,relatime,data=ordered    0 2
tmpfs               /tmp         tmpfs    defaults,noatime,mode=1777,size=4G    0 0
...

Resume network after resume from standby

# systemctl enable netctl-sleep.service

Users

# useradd -m -g users -s /bin/bash <username1>
# useradd -m -g users -s /bin/bash <username2>

# passwd <username1>
# passwd <username2>

Update package DB

# pacman -Syy

X

Install Xorg server

# pacman -S xorg-server xorg-server-utils xorg-xinit
# pacman -S mesa

Video drivers

# pacman -S xf86-video-intel intel-dri
# pacman -Rdd mesa-libgl
# pacman -S nvidia nvidia-utils

# pacman -S bumblebee bbswitch primus
# usermod -a -G bumblebee <username>
# systemctl enable bumblebeed

# vi /etc/bumblebee/bumblebee.conf
...
Driver=nvidia
...

# vi /etc/bumblebee/xorg.conf.nvidia
...
    BusID "PCI:01:00:0"
...

# pacman -S libva-intel-driver libva-vdpau-driver

Sound

# pacman -S alsa-utils

# vi /etc/modprobe.d/alsa-base.conf
...
options snd-hda-intel model=asus-mode4
...

Touchpad

# pacman -S xf86-input-synaptics

Fonts

# pacman -S ttf-dejavu

LM/WM/DE

Login manager / Window manager / Desktop environment

# pacman -S slim
# systemctl enable slim.service
(TODO) # pacman -S i3
# pacman -S xfce4
# pacman -S gamin
# pacman -S xfce4-notifyd
# pacman -S gnome-themes-standard gtk-engine-murrine
# pacman -U zukitwo-themes (https://aur.archlinux.org/packages.php?ID=49377)
# pacman -U arch-start-icons (https://aur.archlinux.org/packages/arch-start-icons/)
# pacman -S faenza-icon-theme faience-icon-theme
# for THEME in `find /usr/share/icons -maxdepth 1 -mindepth 1 -type d`; do gtk-update-icon-cache -t -f $THEME; done;
# su - <username>
$ cp /etc/skel/.xinitrc ~
$ vi ~/.xinitrc
...
exec <session-command>
...

Multimedia (extra) keys

They should work, just map them to commands.

If needed configure module loading

# vi /etc/modules-load.d/asus-nb-wmi.conf
...
asus-nb-wmi
...

Software

Basic

# pacman -S base-devel
# pacman -S bash-completion
# pacman -S gptfdisk
# pacman -S ntfs-3g
# pacman -S rxvt-unicode
# pacman -S htop
# pacman -S strace
# pacman -S jre7-openjdk
# pacman -S zip unzip p7zip unrar
# pacman -S openssh
# pacman -S git
# pacman -S subversion
# pacman -S dnsutils

Editors

# pacman -S vim
# pacman -S gedit

VirtualBox

# pacman -S virtualbox
# pacman -S virtualbox-guest-iso
# pacman -S net-tools
# gpasswd -a <username> vboxusers
# modprobe vboxdrv
# depmod -a

# vi /etc/modules-load.d/virtualbox.conf
...
vboxdrv
vboxnetadp
vboxnetflt
...

Development

# pacman -S php php-pear xdebug
# pacman -S ack
# pacman -S dos2unix
# pacman -S mariadb-clients
# pacman -S geany geany-plugins
# pacman -S eclipse
# pacman -S netbeans
# pacman -U jmeter
# pacman -S python2-pyopenssl python2-lxml python2-setuptools twisted
# pacman -U python2-w3lib python2-queuelib scrapy

# pear config-set auto_discover 1
# pear install pear.phpunit.de/PHPUnit
# vi /etc/php/php.ini
...
open_basedir = /srv/http/:/home/:/tmp/:/usr/share/pear/:/usr/share/webapps/:/usr/bin
...

Internet

# pacman -S firefox
# pacman -S chromium
# pacman -S flashplugin
# pacman -S filezilla

Graphics

# pacman -S imagemagick
# pacman -S geeqie
# pacman -S ristretto
# pacman -S gimp

Multimedia

# pacman -S mpv

Office

# pacman -S mupdf
# pacman -S zathura zathura-ps zathura-djvu (zathura-pdf-mupdf ?)
# pacman -S apvlv
# pacman -S evince

Misc

# pacman -S arch-wiki-docs

Skype

Enable multilib repository.

# vi /etc/pacman.conf
...
[multilib]
Include = /etc/pacman.d/mirrorlist
...

# pacman -Syy
# pacman -S skype
:: There are 3 providers available for lib32-libgl:
Select: 3) lib32-nvidia-libgl

# mkdir /dump/misc/skype
# chgrp users /dump/misc/skype
# chmod g+w /dump/misc/skype

Set default Skype download directory to /dump/misc/skype in Skype options.

# vi /etc/tomoyo/exception_policy.conf
...
path_group SKYPE_DIRS /home/\*/.Skype/
path_group SKYPE_DIRS /home/\*/.Skype/\{\*\}/
path_group SKYPE_DIRS /home/\*/.config/Skype/\{\*\}/
path_group SKYPE_DIRS /usr/share/skype/\{\*\}/
path_group SKYPE_DIRS /dump/misc/skype/\{\*\}/
path_group SKYPE_FILES /home/\*/.Skype/\{\*\}/\*
path_group SKYPE_FILES /home/\*/.config/Skype/\{\*\}/\*
path_group SKYPE_FILES /usr/share/skype/\{\*\}/\*
path_group SKYPE_FILES /dump/misc/skype/\{\*\}/\*
path_group SKYPE_FILES /home/\*/.Skype/\*
path_group SKYPE_FILES /home/\*/.config/Skype/\*
path_group SKYPE_FILES /usr/share/skype/\*
path_group SKYPE_FILES /dump/misc/skype/\*
path_group ICONS_DIRS /usr/share/icons/\{\*\}/
path_group ICONS_FILES /usr/share/icons/\{\*\}/\*
path_group ICONS_FILES /usr/share/icons/\*
initialize_domain /usr/bin/skype from any
initialize_domain /usr/lib32/skype/skype from any
...

# vi /etc/tomoyo/domain_policy.conf
...
<kernel> /usr/bin/skype
use_profile 3
use_group 0

misc env \*
file read /bin/bash
file read /usr/bin/bash
file read/write /dev/tty
file read /usr/lib/locale/locale-archive
file read /usr/lib/gconv/gconv-modules
file read /usr/bin/skype
file read /usr/lib32/skype/skype
file execute /usr/lib32/skype/skype exec.realpath="/usr/lib32/skype/skype" exec.argv[0]="/usr/lib32/skype/skype"

<kernel> /usr/lib32/skype/skype
use_profile 3
use_group 0

file append /dev/snd/pcm\*
file chmod /home/\*/.Skype/ 0700
file create /home/\*/.cache/fontconfig/\* 0600-0666
file create /tmp/qtsingleapp-\*-lockfile 0600-0666
file create @SKYPE_FILES 0600-0666
file execute /usr/bin/firefox
file execute /usr/bin/gnome-open
file execute /usr/bin/notify-send
file execute /usr/bin/opera
file execute /usr/bin/xdg-open
file ioctl /dev/snd/\* 0-0xFFFFFFFFFFFFFFFF
file ioctl /dev/video0 0-0xFFFFFFFFFFFFFFFF
file ioctl anon_inode:inotify 0x541B
file ioctl socket:[family=1:type=2:protocol=0] 0x8910
file ioctl socket:[family=1:type=2:protocol=0] 0x8933
file ioctl socket:[family=2:type=1:protocol=6] 0x541B
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file ioctl socket:[family=2:type=2:protocol=17] 0x8912
file ioctl socket:[family=2:type=2:protocol=17] 0x8927
file ioctl socket:[family=2:type=2:protocol=17] 0x8B01
file link /home/\*/.cache/fontconfig/\* /home/\*/.cache/fontconfig/\*
file mkdir /home/\*/.cache/fontconfig/\* 0600
file mkdir @SKYPE_DIRS 0700-0777
file mksock /tmp/qtsingleapp-\* 0755
file read /dev/urandom
file read /etc/fonts/conf.avail/\*.conf
file read /etc/fonts/conf.d/\*.conf
file read /etc/fonts/fonts.conf
file read /etc/group
file read /etc/host.conf
file read /etc/hosts
file read /etc/machine-id
file read /etc/nsswitch.conf
file read /etc/passwd
file read /etc/resolv.conf
file read /home/\*/.ICEauthority
file read /home/\*/.XCompose
file read /home/\*/.Xauthority
file read /home/\*/.Xdefaults
file read /home/\*/.fontconfig/\*
file read /home/\*/.config/fontconfig/\*
file read /usr/lib/locale/locale-archive
file read /usr/lib32/lib\*.so\*
file read /usr/lib32/gconv/UTF-16.so
file read /usr/lib32/gconv/gconv-modules
file read /usr/lib32/libv4l/v4l2convert.so
file read /usr/lib32/qt/plugins/bearer/libq\*bearer.so
file read /usr/lib32/qt/plugins/iconengines/libqsvgicon.so
file read /usr/lib32/qt/plugins/imageformats/libq\*.so
file read /usr/lib32/qt/plugins/inputmethods/libqimsw-multi.so
file read /usr/lib32/skype/skype
file read /usr/share/X11/locale/\*/Compose
file read /usr/share/X11/locale/\*/XLC_LOCALE
file read /usr/share/X11/locale/compose.dir
file read /usr/share/X11/locale/locale.alias
file read /usr/share/X11/locale/locale.dir
file read /usr/share/alsa/alsa.conf
file read /usr/share/alsa/cards/\*.conf
file read /usr/share/alsa/pcm/\*.conf
file read /usr/share/fonts/\*/\*/\*
file read @ICONS_FILES
file read proc:/cpuinfo
file read proc:/stat
file read proc:/sys/kernel/osrelease
file read proc:/sys/kernel/ostype
file read sysfs:/devices/\*/\*/\*/\*/\*/\*/modalias
file read sysfs:/devices/\*/\*/\*/\*/\*/\*/video4linux/video0/dev
file read sysfs:/devices/\*/\*/\*/\*/\*/idProduct
file read sysfs:/devices/\*/\*/\*/\*/\*/idVendor
file read sysfs:/devices/\*/\*/\*/\*/\*/speed
file read sysfs:/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq
file read sysfs:/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
file read sysfs:/devices/system/cpu/online
file read/write /dev/snd/\*
file read/write /dev/video0
file read/write/truncate /home/\*/.config/Trolltech.conf
file read/write/unlink /home/\*/.cache/fontconfig/\*
file read/write/unlink /tmp/qtsingleapp-\*
file read/write/unlink/truncate @SKYPE_FILES
file rename /home/\*/.cache/fontconfig/\* /home/\*/.cache/fontconfig/\*
file rename @SKYPE_DIRS @SKYPE_DIRS
file rename @SKYPE_FILES @SKYPE_FILES
file rmdir @SKYPE_DIRS
misc env \*
network inet dgram bind 0.0.0.0 0-65535
network inet dgram bind 127.0.0.1 0
network inet dgram bind/send 0.0.0.0-255.255.255.255 0-65535
network inet stream bind/listen 0.0.0.0 0-65535
network inet stream connect 0.0.0.0-255.255.255.255 0-65535
network unix stream bind/listen /tmp/qtsingleapp-\*
network unix stream connect /tmp/.ICE-unix/\*
network unix stream connect /tmp/qtsingleapp-\*
network unix stream connect /var/run/dbus/system_bus_socket
network unix stream connect /var/run/nscd/socket
network unix stream connect \000/tmp/.ICE-unix/\*
network unix stream connect \000/tmp/.X11-unix/X0
network unix stream connect \000/tmp/dbus-\*

<kernel> /usr/lib32/skype/skype /usr/bin/xdg-open
use_profile 0
use_group 0


<kernel> /usr/lib32/skype/skype /usr/bin/gnome-open
use_profile 0
use_group 0

<kernel> /usr/lib32/skype/skype /usr/bin/notify-send
use_profile 0
use_group 0
...
# tomoyo-loadpolicy -df < /etc/tomoyo/domain_policy.conf
# tomoyo-loadpolicy -ef < /etc/tomoyo/exception_policy.conf
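
Before loading a policy like the one above, it helps to list where confinement stops. The following review script is an added example, not part of the original guide: it reports domains assigned to profile 0, `file execute` targets that have no domain block of their own, and inet rules that cover every address and port. It assumes the default profile numbering written by init_policy (0 = disabled, 3 = enforcing) and only honours `initialize_domain ... from any` lines; the function names and the trimmed sample are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# audit_tomoyo DOMAIN_POLICY EXCEPTION_POLICY
# Prints one tab-separated finding per line:
#   UNCONFINED <domain>          domain assigned to profile 0 (assumed "disabled")
#   NO-DOMAIN  <domain>          "file execute" target with no domain block
#   WIDE-NET   <domain> <rule>   inet rule covering every address and port
audit_tomoyo() {
    awk '
        # Pass 1, exception policy: programs that always start a fresh domain.
        pass == "exc" {
            if ($1 == "initialize_domain" && $3 == "from" && $4 == "any")
                init[$2] = 1
            next
        }
        # Pass 2, domain policy.
        /^<kernel>/ { domain = $0; defined[domain] = 1; next }
        domain == "" { next }
        $1 == "use_profile" { profile[domain] = $2; next }
        $1 == "file" && $2 ~ /(^|\/)execute(\/|$)/ {
            # The child domain is the parent plus the program, unless the
            # program is listed under initialize_domain.
            child = ($3 in init) ? ("<kernel> " $3) : (domain " " $3)
            wanted[child] = 1
            next
        }
        $1 == "network" && $2 == "inet" &&
        $5 == "0.0.0.0-255.255.255.255" && $6 == "0-65535" {
            printf "WIDE-NET\t%s\t%s\n", domain, $0
        }
        END {
            for (d in profile) if (profile[d] + 0 == 0) printf "UNCONFINED\t%s\n", d
            for (d in wanted) if (!(d in defined)) printf "NO-DOMAIN\t%s\n", d
        }
    ' pass=exc "$2" pass=dom "$1" | sort
}

# Constructed sample: a trimmed excerpt of the Skype policy shown above.
write_sample_policies() {
    cat > "$1/exception_policy.conf" <<'EOF'
initialize_domain /usr/bin/skype from any
initialize_domain /usr/lib32/skype/skype from any
EOF
    cat > "$1/domain_policy.conf" <<'EOF'
<kernel> /usr/bin/skype
use_profile 3
use_group 0

file read /usr/bin/skype
file execute /usr/lib32/skype/skype exec.realpath="/usr/lib32/skype/skype" exec.argv[0]="/usr/lib32/skype/skype"

<kernel> /usr/lib32/skype/skype
use_profile 3
use_group 0

file execute /usr/bin/firefox
file execute /usr/bin/xdg-open
file read /etc/hosts
network inet dgram bind 127.0.0.1 0
network inet stream connect 0.0.0.0-255.255.255.255 0-65535

<kernel> /usr/lib32/skype/skype /usr/bin/xdg-open
use_profile 0
use_group 0
EOF
}

demo=$(mktemp -d)
write_sample_policies "$demo"
audit_tomoyo "$demo/domain_policy.conf" "$demo/exception_policy.conf"
rm -rf "$demo"
```

Run against the full files in /etc/tomoyo, the same checks list the helper domains on profile 0 and the browsers that Skype may execute without a domain block.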

Backup strategy

-- placeholder --


TODO

  • Mobile internet
  • ! Implement backup strategy (data, LUKS headers)
  • Netctl (wifi-menu) passphrase obfuscation (256-bit PSK)
  • pam_mount with login (started)
  • Wide boot screen framebuffer
  • Log boot/shutdown messages
  • Check journalctl log (journalctl -xb ???)
  • ! Log boot/shutdown messages and troubleshoot/fix errors/warnings
  • ! Troubleshoot "Failed unmounting /var" error
  • Troubleshoot dosfslabel /dev/sda1 - Dirty bit is set. Fs was not properly unmounted...
  • Post synaptic config
  • Post Geany config
  • Post /etc/adobe/mms.cfg config
  • Post /etc/pacman.conf
  • Post ~/.config/xfce4/ configs
  • Post .bash_profile, ~/.bashrc for user and root
  • Post .mpv/config
  • "/dump" dir - set proper umask for sub dirs; use sgid, group sticky bit or acl (already installed)
  • Post ~/.config/user-dirs.dirs
  • Install Tor
  • Troubleshoot "mei_me 0000:00:16.0: reset: init clients timeout hbm_state = 1." https://bugs.archlinux.org/task/36288?dev=162
  • Looks like Mod4 + Shift + <key> doesn't work as Xfce keyboard shortcut
  • Sandbox more application with TOMOYO (Firefox, Chromium, Evince, etc.)
  • Ignore /home, /media, /mnt, etc. for updatedb (/etc/updatedb.conf)
  • pacman -S xfce4-goodies ???

  • https://bbs.archlinux.org/viewtopic.php?id=105431
  • Check warnings (on kernel upgrade): [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: bfa [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: aic94xx [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: smsmdtv
  • Tweak SSH
  • Compare /usr/lib/sysctl.d/50-default.conf and /etc/sysctl.d/99-sysctl.conf
  • If possible, create (wifi-menu generate) new netctl profile with default timeout values higher (30 sec)
  • https://wiki.archlinux.org/index.php/xfce#Menu_applet_replacement
  • https://wiki.archlinux.org/index.php/xfce#Removing_entries_from_the_System_menu
  • Pimp Geany (plugins, preferences)
  • Test automatic SSD trim
  • Try Ranger file manager http://nongnu.org/ranger/
  • Power management
    • Commands (standby/poweroff): systemd (sleep/resume hooks supported; PM hooks handled by TLP)
    • Power management: TLP (pm-utils not a dependency as of 3.10; udev triggers sleep/resume events as of 3.10)
  • hdparm PM setting (set by udev rule) resets after wake up from standby
  • WiFi LED indicator is off after wake up from standby
  • BIOS security section - Check doc how to configure
  • Migrate /usr/local/bin scripts and publish them to dotfiles repo
