hidingcherry / ansible-archlinux-encrypted-root
ansible script to install a fully encrypted archlinux system
License: GNU Affero General Public License v3.0
current: 5min
it would create bloat - but still better than always editing the tasks
We do not want to route packets from one route to another (reverse-path filtering, rp_filter):
https://www.theurbanpenguin.com/rp_filter-and-lpic-3-linux-security/
https://wiki.archlinux.org/title/simple_stateful_firewall#Protection_against_spoofing_attacks
It's enough to install the nano package and remove the vi(m) package.
Otherwise the administrator will be lost forever inside the vim editor until someone tells him how to leave it.
currently hardcoded: reflector.service and
# /etc/pacman.d/hooks/mirrorupgrade.hook
[Trigger]
Operation = Upgrade
Type = Package
Target = pacman-mirrorlist
[Action]
Description = Updating pacman-mirrorlist with reflector and removing pacnew...
When = PostTransaction
Depends = reflector
Exec = /bin/sh -c 'systemctl start reflector.service; if [ -f /etc/pacman.d/mirrorlist.pacnew ]; then rm /etc/pacman.d/mirrorlist.pacnew; fi'
You need to reset the IPMI.
Please reboot in rescue mode (Ubuntu 18).
Then execute this command:
sudo ipmitool mc reset cold
Wait 5 min, reboot the server in normal mode and create a new IPMI session.
The issue should be fixed.
I use part_infos.partitions[1] instead of e.g. part_infos.partitions['rootfs'] - that's hard to read.
currently it is being removed
This would complicate things - but it would still make more sense.
# /etc/sudoers
Defaults editor=/usr/bin/rnano
Currently subvolumes for rootfs are necessary, they are not optional.
not in here yet - but I have the lines saved for removal
Currently I assume that only one device is used for root and the bootloader.
This might need some change.
Is sgdisk totally necessary or can we lower the bloat by using sfdisk?
Check syntax/parameters and features.
Network interface names (e.g. eno0 eth1) should be defined only once for each host.
untested yet
Different server capabilities allow different feature sets.
If we assume that the basic server has less than 6GB RAM, then on top of the basic features a 6GB RAM server could handle: ~/.cache in tmpfs.
If we assume that the basic server has AES-NI, but a different server does not: serpent-xts with 512b.
If the server has UEFI: systemd-boot and an xbootldr partition and its hook.
too many tasks in one file - I should split them
Currently /etc/securetty is being wiped - no login over any tty is possible anymore (my goal is a safe headless server).
This is probably not liked on a server at home - or with frequent(?) direct access.
localdomain is mostly used for local networks - useless for servers on the internet.
This should be tested first - but it shouldn't be an issue.
# /etc/pacman.d/hooks/microcode_reload.hook
[Trigger]
Operation = Upgrade
Type = Path
Target = usr/lib/firmware/amd-ucode/*
[Action]
Description = Applying CPU microcode updates...
When = PostTransaction
Depends = sh
Exec = /bin/sh -c 'echo 1 > /sys/devices/system/cpu/microcode/reload'
This would require complicating the script - it would be easier to fork and make the necessary changes.
I can test it through a VM - but this has low priority due to no usecase for now.
I am heavily against it; I consider using the sudo/wheel group instead of something custom.
The discard option is evil for any encryption - I enabled it for a smaller VM image footprint.
fstrim needs discard on cryptsetup open and it needs the filesystem to be mounted with the discard option.
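The following is an added example, not code from the repository: it reads a dm-crypt mapping's `dmsetup table` line and the root's mount options to classify the discard posture the note above describes. Helper names and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the repository: audit the discard posture of an
# encrypted root. Helper names are hypothetical and the sample `dmsetup table`
# and `findmnt -no OPTIONS /` outputs below are constructed.

# A crypt target line from `dmsetup table <mapping>` looks like:
#   <start> <len> crypt <cipher> <key> <iv_offset> <dev> <offset> [<n> <opt>...]
# (the key is masked with zeros unless --showkeys is used). "allow_discards"
# among the optional params is what `cryptsetup open --allow-discards` or the
# crypttab `discard` option sets; with it, TRIM reveals on the raw device
# which blocks the filesystem no longer uses.
crypt_allows_discards() {
  printf '%s\n' "$1" | awk '{
    found = "no"
    if ($3 == "crypt")
      for (i = 10; i <= NF; i++) if ($i == "allow_discards") found = "yes"
    print found }'
}

# "yes" if the mount options contain discard (also btrfs discard=async/sync),
# i.e. the filesystem issues TRIM online instead of only via periodic fstrim.
mount_has_discard() {
  if printf '%s\n' "$1" | tr ',' '\n' | grep -Eq '^discard(=|$)'; then
    echo yes
  else
    echo no
  fi
}

# Combine both into one posture word:
#   no-discard      mapping blocks TRIM, nothing leaks, fstrim cannot trim
#   fstrim-only     mapping passes TRIM, filesystem trims only when fstrim runs
#   online-discard  mapping passes TRIM and the filesystem trims continuously
discard_posture() {
  if [ "$(crypt_allows_discards "$1")" = yes ]; then
    if [ "$(mount_has_discard "$2")" = yes ]; then echo online-discard
    else echo fstrim-only; fi
  else
    echo no-discard
  fi
}

# Constructed samples: root mapping opened with discards, btrfs root mounted
# with discard=async (the VM image case from the note).
KEY_MASK=0000000000000000000000000000000000000000000000000000000000000000
SAMPLE_TABLE="0 41943040 crypt aes-xts-plain64 $KEY_MASK 0 8:2 32768 1 allow_discards"
SAMPLE_TABLE_NOTRIM="0 41943040 crypt aes-xts-plain64 $KEY_MASK 0 8:2 32768"
SAMPLE_OPTS='rw,relatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=/@'
discard_posture "$SAMPLE_TABLE" "$SAMPLE_OPTS"   # online-discard
```

Periodic trimming via fstrim.timer only needs the mapping to allow discards; the discard mount option additionally turns on online TRIM. Either way, once the mapping passes TRIM, the pattern of unused blocks becomes visible on the raw device, which is the leak the note calls evil.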
For zram:
https://wiki.archlinux.org/title/Improving_performance#zram_or_zswap
zram-generator <- systemd package
/etc/systemd/zram-generator.conf <- config
No need to enable anything with systemctl - it will be started during boot.
In case zram is being used, add the kernel cmdline parameter for disabling zswap: zswap.enabled=0
https://wiki.archlinux.org/title/Zswap#Toggling_zswap
Maybe use a module parameter (/etc/modprobe.d) instead?
needs testing
I haven't really noted the kernel modules.
If the system has special devices, which require some modules on boot - they need to be added into the host_vars/MyHostname.yml file, so the initrd contains the required files and can boot/load the devices accordingly.
I removed it temporarily, if it is not needed
Add and configure the btrfsmaintenance package
As an example: "Check for uefi firmware" exists twice
Add AUR helper
sudo pacman -S --needed base-devel git
git clone https://aur.archlinux.org/paru.git
cd paru
makepkg -si
paru -Syu paru-bin
And optimize its config
# /etc/paru.conf
[options]
Devel
#RemoveMake
CleanAfter
NewsOnUpgrade
SkipReview
not done yet - untested
We love an optimized build time
# /etc/profile.d/makepkg.sh
export PATH="/usr/lib/ccache/bin/:$PATH"
export PATH="/usr/lib/colorgcc/bin/:$PATH" # As per usual colorgcc installation, leave unchanged (don't add ccache)
export CCACHE_PATH="/usr/bin" # Tell ccache to only use compilers here
And the /etc/makepkg.conf optimizations from here: https://wiki.archlinux.org/title/Makepkg#Tips_and_tricks
If pacdiff is needed, the update process of pacman or paru should hint at conflicts in changed files, and we should have a good terminal diff app by default
# /etc/profile.d/diffprog.sh
# Used as diff app for apps like pacdiff (for .pacnew files)
export DIFFPROG=colordiff
and
# /etc/pacman.d/hooks/pacdiff.hook
[Trigger]
Operation = Install
Operation = Upgrade
Operation = Remove
Type = Package
Target = *
[Action]
Description = Runs pacdiff utility
When = PostTransaction
Exec = /usr/bin/pacdiff
I need a manual to use this project
It's important to know the list of parameters we should, must or need to change
Currently I use part_infos.mountPath - this is defined in a host_vars variable.
# /etc/pacman.conf
# Misc options
ILoveCandy
The user password is defined as a variable (uh, bad bad bad) - it is better to ask for the password at the beginning of the task.