# Arch Linux install notes, run in order from the live ISO and then inside the
# chroot. Commands are interactive and destructive; device names (/dev/nvme0n1*)
# and LV sizes are specific to this machine.
setfont latarcyrheb-sun32 | |
wifi-menu | |
timedatectl set-ntp 1 | |
timedatectl set-timezone Europe/Amsterdam | |
hwclock --systohc --utc | |
# Partition the disk (interactive): p1 = EFI system partition, p2 = LUKS container.
gdisk /dev/nvme0n1 | |
# LUKS2 with AES-XTS. --use-random blocks until the kernel RNG is seeded, which
# matters on a freshly booted live system; -y asks for the passphrase twice.
cryptsetup luksFormat --type=luks2 --verbose -c aes-xts-plain64 -y --use-random /dev/nvme0n1p2 | |
lsblk | |
# The ESP is plain FAT32 and unencrypted; the kernel, initramfs and loader on it
# are only protected by the Secure Boot signing done at the end of these notes.
mkfs.vfat -F32 /dev/nvme0n1p1 | |
cryptsetup open /dev/nvme0n1p2 luks | |
# LVM on LUKS: one PV, VG "xps", LVs for swap/root/docker/home.
pvcreate /dev/mapper/luks | |
vgcreate xps /dev/mapper/luks | |
lvcreate -L 16G xps -n swap | |
lvcreate -L 32G xps -n root | |
lvcreate -L 64G xps -n docker | |
lvcreate -l 100%FREE xps -n home | |
mkfs.ext4 /dev/xps/root | |
mkfs.ext4 /dev/xps/docker | |
mkfs.ext4 /dev/xps/home | |
# Swap lives inside the LUKS container, so hibernation images are encrypted too.
mkswap /dev/xps/swap | |
mount /dev/xps/root /mnt | |
mkdir -p /mnt/{home,boot} | |
mount /dev/xps/home /mnt/home | |
mount /dev/nvme0n1p1 /mnt/boot | |
# NOTE(review): /dev/xps/docker is created and formatted above but never mounted
# here, so genfstab will not record it — confirm whether it should be mounted at
# /mnt/var/lib/docker before genfstab runs.
swapon /dev/xps/swap | |
pacstrap /mnt base base-devel zsh vim git efibootmgr dialog wpa_supplicant | |
# NOTE(review): -L writes fstab entries by filesystem label, but none of the mkfs
# calls above set a label — check the generated /mnt/etc/fstab.
genfstab -L /mnt >> /mnt/etc/fstab | |
# NOTE(review): the usual next step is `arch-chroot /mnt`; "arch-bootstrap" is
# not an arch-install-scripts command — confirm which was meant.
arch-bootstrap | |
# --- from here on: inside the chroot ---
ln -s /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime | |
hwclock --systohc | |
vim /etc/locale.gen | |
locale-gen | |
echo 'LANG=en_US.UTF-8' > /etc/locale.conf | |
# NOTE(review): relative path "etc/vconsole.conf" — this writes below the current
# directory, not /etc, unless cwd is "/". The next line uses the absolute path.
echo 'KEYMAP=us' > etc/vconsole.conf | |
echo 'FONT=latarcyrheb-sun32' >> /etc/vconsole.conf | |
echo xps > /etc/hostname | |
hostnamectl | |
# Sets the root password (interactive).
passwd | |
# --- initramfs and bootloader ---
# edit /etc/mkinitcpio.conf | |
# (the HOOKS line to use is recorded below, after the loader configuration)
mkinitcpio -p linux | |
# Installs systemd-boot onto the unencrypted ESP.
bootctl --path=/boot install | |
# NOTE(review): "intel-ucode" is the Arch package name; "intel-microcode" on the
# first line is presumably a typo that pacman will reject.
pacman -S intel-microcode | |
pacman -S intel-ucode | |
# Appends the LUKS container UUID to the loader entry so it can be pasted into
# the luks.name= option below; the entry is then edited by hand.
cryptsetup luksUUID /dev/nvme0n1p2 >> /boot/loader/entries/arch.conf | |
vim /boot/loader/entries/arch.conf | |
# Contents of /boot/loader/entries/arch.conf (_<UUID>_ = the value printed above):
title Arch | |
linux /vmlinuz-linux | |
initrd /intel-ucode.img | |
initrd /initramfs-linux.img | |
# resume= enables hibernation from the encrypted swap LV.
# rng_core.default_quality=1000 makes the kernel credit almost all hardware-RNG
# input as entropy (max 1024); that is a trust decision about the TPM/CPU RNG,
# not a functional requirement — review whether it is wanted on this machine.
options rw luks.name=_<UUID>_=luks root=/dev/xps/root resume=/dev/xps/swap mem_sleep_default=deep rng_core.default_quality=1000 | |
vim /boot/loader/loader.conf | |
# Contents of /boot/loader/loader.conf:
default arch | |
# /etc/mkinitcpio.conf | |
# sd-tpm2 is the custom hook defined further down. It is listed before
# sd-encrypt, presumably so the unsealed key is already present when the LUKS
# volume is opened — the unit it installs orders itself Before=cryptsetup-pre.target.
HOOKS=(base systemd autodetect sd-tpm2 modconf block keyboard sd-vconsole sd-encrypt sd-lvm2 filesystems) | |
# Boot into clean system | |
wifi-menu | |
vim /etc/pacman.d/mirrorlist | |
pacman -Syu | |
pacman -S iproute2 | |
pacman -S tpm2-tools | |
# Setup tpm2 | |
# 32-byte random LUKS key. iflag=fullblock ensures a short read cannot produce a
# shorter key. The file is created with the default umask and only chmod'ed
# after it has been used below; creating it under a restrictive umask instead
# (e.g. `(umask 077; dd ...)`) means it is never readable by other users.
dd if=/dev/random of=luks.key iflag=fullblock count=1 bs=32 | |
# NOTE(review): dd wrote ./luks.key but luksAddKey reads /root/luks.key — these
# only match if the cwd is /root. This adds the key as an additional keyslot;
# the passphrase from luksFormat stays valid as the fallback when the TPM
# unseal fails.
cryptsetup luksAddKey /dev/nvme0n1p2 /root/luks.key --verbose | |
chmod 000 luks.key | |
# Shows the current PCR values; the sealing policy below binds to PCRs 0-7.
tpm2_pcrread | |
# Script for readding the key if PCR is changed | |
# Seals luks.key into the TPM under a policy bound to the current PCR 0-7 values
# and stores the sealed object at a persistent handle. It has to be re-run after
# anything that changes those PCRs (firmware update, Secure Boot key changes,
# bootloader update); until then the unseal at boot fails and the LUKS
# passphrase is needed. No `set -e`: a failing step does not stop the script.
#!/bin/bash | |
#Clear old key | |
# Evicts the previous persistent object at 0x81000000 (errors if none is there).
tpm2_evictcontrol -c 0x81000000 | |
# Policy: PCRs 0-7 in the sha1 bank. NOTE(review): if this TPM also has a
# sha256 bank (tpm2_pcrread lists them), binding to that bank is preferable.
tpm2_createpolicy --policy-pcr -l sha1:0,1,2,3,4,5,6,7 -L policy.digest | |
tpm2_createprimary -c primary.ctx | |
# Seal luks.key under the policy. Attributes: no userwithauth, so the object can
# only be unsealed by satisfying the PCR policy (there is no password on it);
# noda exempts it from the dictionary-attack lockout; fixedtpm|fixedparent
# prevent the sealed object from being duplicated out of this TPM.
tpm2_create -C primary.ctx -u obj.pub -r obj.priv -L policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i luks.key | |
tpm2_flushcontext -t | |
tpm2_load -C primary.ctx -u obj.pub -r obj.priv -c load.ctx | |
# Persists the loaded object without naming a handle. NOTE(review): the unseal
# service hard-codes 0x81000000 — confirm from the tpm2_getcap output below
# that this is the handle actually assigned.
tpm2_evictcontrol -c load.ctx | |
tpm2_flushcontext -t | |
tpm2_getcap handles-persistent | |
# Removes the transient artefacts; luks.key itself is kept on disk so the
# script can be re-run. It is protected only by the root filesystem's LUKS
# encryption and the chmod above.
rm load.ctx obj.p* policy.digest primary.ctx | |
pacman -S fwupd throttled | |
# Add the following into /etc/initcpio/install/sd-tpm2 | |
#!/bin/bash | |
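#######################################
# mkinitcpio install hook "sd-tpm2": pulls the TPM drivers, tpm2_unseal and the
# tpm2-unseal.service unit into the initramfs so the LUKS key can be unsealed
# before sd-encrypt runs.
# Globals:   none
# Arguments: none (mkinitcpio calls build with no arguments)
# Outputs:   adds files to the initramfs image via mkinitcpio's add_* helpers
# Returns:   status of the last add_* call
#######################################
build() {
  add_module "tpm_crb"
  add_module "tpm_tis"
  add_binary "tpm2_unseal"
  # The TCTI module is presumably loaded at runtime and so not found by
  # add_binary's dependency scan; it is added explicitly.
  add_binary "/usr/lib/libtss2-tcti-device.so"
  add_systemd_unit "cryptsetup-pre.target"
  add_systemd_unit "tpm2-unseal.service"
  # The wants/ link name must carry the same unit suffix as its target: the
  # original named this link cryptsetup-pre.service while pointing it at
  # ../cryptsetup-pre.target, which is unlikely to load as intended.
  add_symlink "/usr/lib/systemd/system/sysinit.target.wants/cryptsetup-pre.target" "../cryptsetup-pre.target"
  add_symlink "/usr/lib/systemd/system/sysinit.target.wants/tpm2-unseal.service" "../tpm2-unseal.service"
}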
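#######################################
# Prints the hook's help text (shown by `mkinitcpio -H sd-tpm2`).
# Outputs:   one line of help text to stdout
# Returns:   status of cat
#######################################
help() {
  # Quoted delimiter: the text is literal, no expansion. The terminator must be
  # alone on its line — the rendered listing had trailing "| |" after it, which
  # would leave the here-document unterminated.
  cat <<'HELPEOF'
This hook allows for reading the encryption key from TPM.
HELPEOF
}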
# Create systemd service /usr/lib/systemd/system/tpm2-unseal.service | |
# Runs inside the initramfs (pulled in by the sd-tpm2 hook above), ordered
# before cryptsetup-pre.target so the unsealed key exists when sd-encrypt opens
# the LUKS volume.
[Unit] | |
Description=Get key from TPM | |
Before=cryptsetup-pre.target | |
# Early-boot unit: no implicit ordering after sysinit/basic targets.
DefaultDependencies=no | |
[Service] | |
Type=oneshot | |
RemainAfterExit=yes | |
ExecStartPre=/usr/bin/modprobe -a -q tpm_crb tpm_tis | |
# Unseals the object at the persistent handle using the same sha1 PCR 0-7 policy
# it was sealed with and writes the raw key to /luks in the initramfs (which is
# discarded at switch-root). NOTE(review): the loader options recorded above do
# not reference /luks (no luks.key= parameter) — confirm how sd-encrypt is told
# to use this file.
ExecStart=/usr/bin/tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,2,3,4,5,6,7 -o /luks | |
# --- post-boot: services, user account, desktop packages ---
pacman -S docker networkmanager | |
systemctl enable NetworkManager | |
systemctl enable docker | |
# wheel membership is what grants sudo here (sudoers configuration not shown).
useradd -m -G wheel -s /bin/zsh ymatsiuk | |
systemctl enable systemd-resolved | |
# lenovo_fix.service ships with the "throttled" package installed above.
systemctl enable lenovo_fix.service | |
su - ymatsiuk | |
cd /tmp | |
# AUR helper built from source as the unprivileged user; makepkg -si installs
# the result with sudo.
git clone https://aur.archlinux.org/yay.git | |
cd yay/ | |
makepkg -si | |
yay -S s-tui-git | |
pacman -S xf86-video-intel jq termite termite-terminfo | |
yay -S ttf-font-awesome-4 | |
yay -S firefox | |
yay -S vulkan-intel | |
yay -S i3blocks pactl lastpass-cli gnome-keyring htop keybase keybase-gui slack-desktop code | |
# "docker" group membership is well known to be root-equivalent on the host;
# it is granted to the interactive user here deliberately.
sudo usermod -aG video,audio,docker ymatsiuk | |
yay -S acpi sysstat | |
yay -S pulseaudio pulseaudio-alsa | |
yay -S strace | |
yay -S i3-gaps i3blocks i3status i3lock dmenu alsa-utils feh compton xorg-xbacklight arandr playerctl lightdm lightdm-gtk-greeter | |
pacman -S xterm xorg-server xorg-apps xf86-video-intel xorg-xinit | |
yay -S ttf-mac-fonts ttf-bitstream-vera ttf-croscore ttf-dejavu ttf-droid ttf-roboto noto-fonts ttf-liberation ttf-ubuntu-font-family xdotool wmctrl ttf-google-fonts-git ttf-ms-fonts adobe-source-code-pro-fonts noto-fonts-emoji otf-ipafont ttf-hanazono ttf-inconsolata ttf-mac-fonts | |
yay -S openvpn bind-tools xorg-xbacklight kubectl ffmpeg network-manager-applet zathura nvme-cli systemd-swap util-linux lshw dmidecode spotify | |
sudo systemctl enable lightdm | |
# docker was already enabled above; this is a repeat.
sudo systemctl enable docker | |
fwupdmgr get-updates | |
yay -S scrot xcursor-themes wget wireless_tools dunst unzip awless howdy | |
# Config files edited by hand (their contents are not recorded here):
/etc/systemd/resolved.conf | |
/etc/X11/xorg.conf.d/90-monitor.conf | |
/etc/X11/xorg.conf.d/20-intel.conf | |
mkdir ~/bin | |
# Unverified downloads into ~/bin: nothing checks a checksum or signature on
# these before they are used (terraform is pinned to 0.11.14; "wget vault" is a
# placeholder for the real URL). Verifying the vendor's SHA256SUMS and its
# signature before unpacking is the usual safeguard.
cd ~/bin && wget https://raw.githubusercontent.com/lastpass/lastpass-cli/master/contrib/examples/git-credential-lastpass && wget https://releases.hashicorp.com/terraform/0.11.14/terraform_0.11.14_linux_amd64.zip && wget vault | |
git config --global credential.helper lastpass | |
# NOTE(review): cp has no destination operand here — the line is incomplete as recorded.
cp /usr/lib/security/howdy/config.ini | |
# howdy is a face-recognition PAM module. Putting it in /etc/pam.d/sudo lets a
# webcam match satisfy sudo authentication; treat it as a convenience factor and
# keep the password line as the fallback.
add howdy into /etc/pam.d/sudo | |
# Firmware load status of the i915 GuC/HuC blobs (read-only debug checks).
sudo cat /sys/kernel/debug/dri/0/i915_huc_load_status | |
sudo cat /sys/kernel/debug/dri/0/i915_guc_load_status | |
### | |
### Secure boot | |
# Custom Secure Boot key hierarchy: PK (platform key) -> KEK -> db, each a
# self-signed RSA-4096 certificate valid ten years. -nodes leaves the private
# .key files unencrypted on disk; they should be kept off the laptop — only the
# public .cer/.esl/.auth files are copied to the removable media below.
uuidgen --random > GUID.txt | |
openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Platform Key/" -out PK.crt | |
openssl x509 -outform DER -in PK.crt -out PK.cer | |
cert-to-efi-sig-list -g "$(< GUID.txt)" PK.crt PK.esl | |
sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth | |
# Signed empty PK list: enrolling rm_PK.auth later clears the PK, returning the
# firmware to setup mode. Keep it with the private keys.
sign-efi-sig-list -g "$(< GUID.txt)" -c PK.crt -k PK.key PK /dev/null rm_PK.auth | |
openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Key Exchange Key/" -out KEK.crt | |
openssl x509 -outform DER -in KEK.crt -out KEK.cer | |
cert-to-efi-sig-list -g "$(< GUID.txt)" KEK.crt KEK.esl | |
# KEK is signed by PK, db by KEK — the chain the firmware verifies on enrolment.
sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt KEK KEK.esl KEK.auth | |
openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=my Signature Database key/" -out db.crt | |
openssl x509 -outform DER -in db.crt -out db.cer | |
cert-to-efi-sig-list -g "$(< GUID.txt)" db.crt db.esl | |
sign-efi-sig-list -g "$(< GUID.txt)" -k KEK.key -c KEK.crt db db.esl db.auth | |
# Signs in place (input and output are the same path) with the db key. Only the
# kernel and the systemd-boot binary are signed; initramfs-linux.img and the
# loader entries on the ESP are not, and systemd-boot does not verify a separate
# initrd — a unified kernel image would close that gap. This must be repeated
# after every kernel or systemd-boot update (e.g. from a pacman hook).
sudo sbsign --key db.key --cert db.crt --output /boot/vmlinuz-linux /boot/vmlinuz-linux | |
sudo sbsign --key db.key --cert db.crt --output /boot/EFI/boot/bootx64.efi /boot/EFI/boot/bootx64.efi | |
# Public key material onto a FAT-formatted SD card for enrolment from the
# firmware setup screen.
sudo mkfs.vfat -F32 /dev/mmcblk0p1 | |
sudo mount /dev/mmcblk0p1 /tmp/disk | |
sudo cp *.cer *.esl *.auth /tmp/disk | |
sudo systemctl reboot --firmware | |
# Locks the screen when the machine suspends/hibernates so a resumed session is
# never left unlocked. Unit contents follow.
cat /usr/lib/systemd/system/i3lock@.service | |
[Unit] | |
Description = Lock screen when going to sleep/suspend/hibernate | |
# NOTE(review): there is no Before=sleep.target here — without it the lock may
# race the suspend and the desktop can be briefly visible on resume; confirm
# the ordering works on this machine.
[Service] | |
User=%I | |
Type=simple | |
# Assumes the X session is on display :0; no XAUTHORITY is set, so this
# presumably relies on the user's default ~/.Xauthority — verify.
Environment=DISPLAY=:0 | |
ExecStart=/usr/bin/lock.sh | |
TimeoutSec=infinity | |
[Install] | |
WantedBy=sleep.target | |
WantedBy=suspend.target | |
WantedBy=hibernate.target | |
# screen-lock.sh (not recorded here) is installed as the lock.sh the unit runs.
sudo mv screen-lock.sh /usr/bin/lock.sh | |
sudo systemctl enable i3lock@ymatsiuk |