From 08fc78c6c222951c18aac6f3b10351d273627a30 Mon Sep 17 00:00:00 2001 From: "this.ven" Date: Sun, 31 Mar 2024 20:15:33 +0200 Subject: [PATCH] Add computer documentation --- content/docs/_index.md | 4 +- content/docs/computer/_index.md | 36 ++ .../computer/system-preparation/_index.md | 447 ++++++++++++++++++ .../system-preparation/img/nvme-lsblk.png | 3 + .../music/inconvenient-ep/influenca/hidden | 2 +- hugo.yaml | 5 +- themes/hextra | 2 +- 7 files changed, 495 insertions(+), 4 deletions(-) create mode 100644 content/docs/computer/_index.md create mode 100644 content/docs/computer/system-preparation/_index.md create mode 100644 content/docs/computer/system-preparation/img/nvme-lsblk.png diff --git a/content/docs/_index.md b/content/docs/_index.md index b5d6f16..60d527d 100644 --- a/content/docs/_index.md +++ b/content/docs/_index.md @@ -1,6 +1,6 @@ --- title: 'Docs' -date: 2024-01-01T19:41:48+01:00 +date: 2024-03-31T17:26:41+02:00 draft: true --- @@ -8,6 +8,8 @@ This is the documentation of my approaches for realizing the this.ven project. You can find the field of endeavour in the left pane and below. {{< cards >}} + {{< card link="computer/" title="Computer" icon="desktop-computer" + subtitle="General setup and tweaking" >}} {{< card link="graphics/" title="Graphics" icon="photograph" subtitle="Graphics design and editing" >}} {{< card link="infrastructure/" title="Infrastructure" icon="cog" diff --git a/content/docs/computer/_index.md b/content/docs/computer/_index.md new file mode 100644 index 0000000..0f48d69 --- /dev/null +++ b/content/docs/computer/_index.md 
@@ -0,0 +1,36 @@ +--- +title: 'Computer' +date: 2024-03-31T17:27:21+02:00 +draft: true +--- + +By the way, I use + +> a lightweight and flexible Linux® distribution that tries to Keep It Simple. +> — Arch Linux[^1] + +The Arch Linux principles[^2] render it an ideal foundation for fine-tuning a +system to personal needs. Though this requires using the command-line interface +and get involved with technology details, you are one step closer to know your +system inside out. + +{{< callout type="warning" >}} + From my experience Arch Linux is not a beginner's choice. For this reason, you + may consider [Manjaro](https://manjaro.org/), which is based on Arch Linux. + For certain use cases [Ubuntu Studio](https://ubuntustudio.org/) (Pro audio), + [Kali Linux](https://www.kali.org/) (Pentesting and IT security evaluation), + or [Tails](https://tails.boum.org/) (Privacy and activism) are better options. +{{< /callout >}} + +This collection of guides documents my installation and system setup. + +{{< cards >}} + {{< card link="system-preparation/" title="System preparation" + image="system-preparation/img/nvme-lsblk.png" + imageStyle="aspect-ratio: 16/9; object-fit:contain;" + subtitle="Notes on the official Arch Linux installation guide" >}} +{{< /cards >}} + +[^1]: A quote from the [Arch Linux](https://archlinux.org/) website +[^2]: The [principles](https://wiki.archlinux.org/title/Arch_Linux#Principles) +of Arch Linux in the ArchWiki \ No newline at end of file diff --git a/content/docs/computer/system-preparation/_index.md b/content/docs/computer/system-preparation/_index.md new file mode 100644 index 0000000..733e2d0 --- /dev/null +++ b/content/docs/computer/system-preparation/_index.md 
@@ -0,0 +1,447 @@ +--- +title: 'System preparation' +date: 2024-03-31T18:03:41+02:00 +draft: true +--- + +These notes expand from the *Boot the live environment* to the *Reboot* section +in the [install guide](https://wiki.archlinux.org/title/Installation_guide). +Due to hardware specifics and different environmental conditions, such as the +Internet connection, you may need to adapt and troubleshoot on your own. + +## Booting the target machine + +I connect the target machine using wired ethernet and insert an installation +medium (USB flash) prepared earlier to boot the installation system. This way +I can avoid troubleshooting of missing drivers and unsupported wireless NIC[^1] +hardware. + +## Changing crucial UEFI settings + +### Disable Secure Boot + +For most computers it is necessary to disable Secure Boot[^2] in order to boot the +installation system from an installation medium, such as an USB flash drive. On +my hardware this has already been turned off. + +### Switch RAID mode off + +Some computers provide a RAID[^3] mode for storage devices, which is mostly not +detected by Linux due to proprietary drivers. I use the UEFI settings to switch +the storage settings to *AHCI* (or *SATA*) mode instead of any RAID mode. + +## Live environment setup + +In the live environment, I set a German console keymap using the command: + +```bash +loadkeys de-latin1 +``` + +I list the *UEFI variables* to verify the UEFI boot mode by issueing: + +```bash +ls /sys/firmware/efi/efivars +``` + +I ensure networking by querying the link status and verify the connection with a +ping to the `archlinux.org` site: + +```bash +ip link +ping archlinux.org +``` + +I synchronize the system clock via NTP[^4]: + +```bash +timedatectl set-ntp true +``` + +## Disk partition layout + +I [partition](https://wiki.archlinux.org/title/Partitioning) the disk and +encrypt the partitions to protect data at rest. The first partition is used as +*EFI system partition* mounted at `/boot`. 
Partition 2 will become a LUKS2[^5] +encrypted partition carrying a *Logical Volume Group* (LVG) managed by LVM[^6]. +The LVG consists of three logical volumes for Swap[^7] space, `/home` and `/` +(root). This layout is known as *LVM on LUKS* and illustrated below: + + +``` ++----------------+ +-----------------------------------------------------------+ +| Boot partition | | Logical volume 1 | Logical volume 2 | Logical volume 3 | +| | | | | | +| /boot | | [Swap] | / | /home | +| | | | | | +| | | /dev/lvg/swap | /dev/lvg/root | /dev/lvg/home | +| | |_ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _| +| | | | +| | | LUKS2 encrypted partition | +| /dev/nvme0n1p1 | | /dev/nvme0n1p2 | ++----------------+ +-----------------------------------------------------------+ +``` + +### Partitioning + +I identify the block device (e.g. `/dev/nvme0n1`) using `lsblk` and modify the +partitions as follows: + +```bash +fdisk /dev/nvme0n1 +``` + +I create two partitions: + +1. *EFI system partition*, 940 MB, type ID: 1 +2. 
*Linux filesystem partition*, remaining space, type ID: 20 (default) + +The [fdisk](https://wiki.archlinux.org/title/Fdisk) command sequence for an +unpartitioned disk is: + +- g (use [GPT](https://wiki.archlinux.org/title/GPT)) +- n +- 1 (default, you can also use `Return`) +- `Return` (as it typically defaults to disk sector 2048) +- +940M +- t +- 1 (default, you can also use `Return`) +- 1 +- n +- 2 (default, you can also use `Return`) +- `Return` (as it defaults to first disk sector) +- `Return` (as it defaults to last disk sector) +- w + +### Encryption and LVM + +I encrypt the second partition as a LUKS container by using a strong passphrase: + +```bash +cryptsetup luksFormat /dev/nvme0n1p2 +``` + +Next, I open this container using `lvg` as the device mapper name: + +```bash +cryptsetup open /dev/nvme0n1p2 lvg +``` + +I create a *Physical Volume* (PV) on top of the container at `/dev/mapper/lvg`: + +```bash +pvcreate /dev/mapper/lvg +``` + +I create a *Volume Group* (VG) `lvg` and add the previously created PV to it: + +```bash +vgcreate lvg /dev/mapper/lvg +``` + +I create a *Logical Volume* (LV) for each filesystem (`/`, `/home`, and Swap): + +```bash +lvcreate -L 16G lvg -n swap +lvcreate -L 40G lvg -n root +lvcreate -l 100%FREE lvg -n home +``` +{{< callout type="info" >}} + The size of the first LV depends on the amount of memory of your hardware + configuration. If you have more than 16 GB of memory, create a swap space + accordingly in order to use [hibernation](https://wiki.archlinux.org/title/Power_management/Suspend_and_hibernate#Hibernation). 
+{{< /callout >}} + +### Formatting and mounting + +I format the LVs with [ext4](https://wiki.archlinux.org/title/Ext4) and a +[swap](https://wiki.archlinux.org/title/Swap) filesystem (FS), respectively: + +```bash +mkfs.ext4 /dev/lvg/root +mkfs.ext4 /dev/lvg/home +mkswap /dev/lvg/swap +``` + +The boot partition uses a [FAT32](https://wiki.archlinux.org/title/FAT) FS: + +```bash +mkfs.fat -F32 /dev/nvme0n1p1 +``` + +I mount the filesystems at `/mnt`: + +```bash +mount /dev/lvg/root /mnt +mount /dev/lvg/home /mnt/home +mount --mkdir /dev/nvme0n1p1 /mnt/boot +``` + +And I activate the Swap partition: + +```bash +swapon /dev/lvg/swap +``` + +At this time I can check the layout of my storage device using `lsblk`. + +{{< figure src="img/nvme-lsblk.png" alt="NVMe lsblk" + caption="The layout of the NVMe storage after partitioning and formatting" +>}} + +## System initialization + +Now I can install the essential packages into the previously mounted location: + +```bash +pacstrap /mnt base linux linux-firmware lvm2 vim +``` + +{{< callout type="info" >}} + The package [lvm2](https://archlinux.org/packages/?name=lvm2) is necessary for + mounting the LVs and [vim](https://archlinux.org/packages/?name=vim) is my + favorite text editor. You may want to use another one found in the + [List of applications](https://wiki.archlinux.org/title/List_of_applications). +{{< /callout >}} + +I generate a [fstab](https://wiki.archlinux.org/title/Fstab) file by using +[UUID](https://wiki.archlinux.org/title/UUID)s: + +```bash +genfstab -U /mnt >> /mnt/etc/fstab +``` + +{{< callout type="warning" >}} + If you are using a SSD, you may want to adjust `/etc/fstab` to use `noatime` + for the filesystems instead of `discard`) for security reasons. See this + [section in the ArchWiki article on Dm-crypt Specialties](https://wiki.archlinux.org/title/Dm-crypt/Specialties#Discard/TRIM_support_for_solid_state_drives_(SSD)). + + I use `vim /etc/fstab` to open and edit the file accordingly. 
+{{< /callout >}} + +I [change root](https://wiki.archlinux.org/title/Change_root) into the new +system: + +```bash +arch-chroot /mnt +``` + +Next, I first change the root password using the command: + +```bash +passwd +``` + +## Localization + +I set the timezone for Germany (CET[^8]) and sync the hardware clock: + +```bash +ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime +hwclock --systohc +``` + +For the [locale](https://wiki.archlinux.org/title/Locale), I uncomment the line +`de_DE.UTF-8 UTF-8` and `en_US.UTF-8 UTF-8` in the `/etc/locale.gen` file and +run: + +```bash +locale-gen +``` + +I create the file `/etc/locale.conf` to set the system locale accordingly and +make the console keyboard layout persistent via a `/etc/vconsole.conf` file: + +```bash +echo "LANG=de_DE.UTF-8" > /etc/locale.conf +echo "KEYMAP=de-latin1" > /etc/vconsole.conf +``` + +## Initramfs configuration + +I edit `/etc/mkinitcpio.conf` inserting `encrypt`, `lvm2`, and `resume` (for +suspend and hibernate) into the `HOOKS` variable to match the following order: + +``` +HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont modconf block encrypt lvm2 resume filesystems fsck) +``` + +Afterwards a manual generatation of the image is necessary: + +```bash +mkinitcpio -P +``` + +{{< callout type="info" >}} + Any warnings about *possibly missing firmware* can be safely ignored as long + as there's no critical device shown. 
+{{< /callout >}} + +## Systemd-boot installation + +I use `bootctl` with the `/boot` partition to install the UEFI boot manager +[Systemd-boot](https://wiki.archlinux.org/title/Systemd-boot): + +``` +bootctl --path=/boot install +``` + +I create a loader configuration at `/boot/loader/loader.conf` containing: + +```{filename="/boot/loader/loader.conf"} +default linux +timeout 0 +editor no +``` + +I create the loader file `/boot/loader/entries/linux.conf` containing: + +```{filename="/boot/loader/entries/linux.conf"} +title Linux +linux /vmlinuz-linux +initrd /initramfs-linux.img +options cryptdevice=UUID=MyUuid:lvg resume=/dev/lvg/swap root=/dev/lvg/root quiet rw +``` + +{{< callout type="info" >}} + The `resume` parameter is used for suspend and hibernate. +{{< /callout >}} + +Next, I identify the UUID of the LUKS partition (TYPE="crypto\_LUKS") created in +the [Encryption and LVM](#encryption-and-lvm) step by using `blkid`. The +following command conveniently saves it to the `$MyUuid` variable: + +```bash +MyUuid=$(blkid | grep crypto_LUKS \ +| cut --delimiter=' ' --field=2 | sed 's/[^a-z0-9\\-]//g') +``` + +I edit `/boot/loader/entries/linux.conf` and replace *MyUuid* with the `$MyUUID` +value in the string `cryptdevice=UUID=MyUUID:lvg` using the following command: + +```bash +sed -i "s/MyUuid/$MyUuid/" /boot/loader/entries/linux.conf +``` + +I check the boot loader entry to contain the correct UUID. Otherwise the system +is unable to boot from the correct device and fall back to an emergency shell. +If this happens to you, refer to [Boot problems](https://wiki.archlinux.org/title/General_troubleshooting#Boot_problems). + +## Networking + +I set the hostname in a `/etc/hostname` file to *arch-studio24*, for example: + +```bash +echo "arch-studio24" > /etc/hostname +``` + +And I complete the network configuration using Systemd-networkd and +Systemd-resolvd. 
+ +For this, I retrieve and note the [udev](https://wiki.archlinux.org/title/Udev) +assigned names of the network interfaces using the utility: + +```bash +ip link +``` + +I configure a wired adapter using DHCP by creating a new file at the location +`/etc/systemd/network/20-wired.network` and providing the udev name +(*enp0s13f0u1* is used in the following example): + +```{filename="/etc/systemd/network/20-wired.network"} +[Match] +Name=enp0s13f0u1 + +[Network] +DHCP=yes +``` + +I enable the `systemd-networkd.service` to activate it at system startup: + +```bash +systemctl enable systemd-networkd.service +``` + +I create the Systemd-resolved configuration directory: + +```bash +mkdir /etc/systemd/resolved.conf.d +``` + +I [manually](https://wiki.archlinux.org/title/Systemd-resolved#Manually) set a +censorship-free DNS[^9] server such as [dnsforge.de](https://dnsforge.de) by +creating `/etc/systemd/resolved.conf.d/dns_servers.conf` with the content: + +```{filename="/etc/systemd/resolved.conf.d/dns_servers.conf"} +[Resolve] +DNS=176.9.93.198 +Domains=~. 
+``` + +Additionally, I setup [fdns2.dismail.de](https://dismail.de/info.html#dns) via +`/etc/systemd/resolved.conf.d/fallback_dns.conf` as fallback DNS containing: + +```{filename="/etc/systemd/resolved.conf.d/fallback_dns.conf"} +[Resolve] +FallbackDNS=159.69.114.157 +``` + +I enable `systemd-resolved.service` to activate it at system startup: + +```bash +systemctl enable systemd-resolved.service +``` + +I backup the Glibc resolver file and use Systemd-resolved in stub mode: + +```bash +cp /etc/resolv.conf /etc/resolv.conf.bkp +``` + +Next, I exit the arch-chroot (using `exit` or the key combination +``) to create the resolv.conf symlink: + +```bash +ln -sf /run/systemd/resolve/stub-resolv.conf /mnt/etc/resolv.conf +``` + +{{< callout type="warning" >}} + Creating the symlink inside an arch-chroot is not possible since the file is + bind-mounted from the live-environment, see the note in + [Systemd-resolvd#DNS](https://wiki.archlinux.org/title/Systemd-resolved#DNS). +{{< /callout >}} + +## Reboot + +Finally, I can unmount all partitions to ensure none of them is busy, and +reboot into the installed system: + +```bash +umount -R /mnt +reboot +``` + +{{< callout type="info" >}} + You may have to remove the installation media or change the boot sequence to + boot from the storage device chosen in [Partitioning](#partitioning) step. +{{< /callout >}} + +After the reboot I can login into the new system as root user and proceed with +the [basic configuration](../basic_configuration/) of the installed system. 
+ +[^1]: [Network interface controller](https://en.wikipedia.org/wiki/Network_interface_controller) +in the Wikipedia +[^2]: [Disabling Secure Boot](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Disabling_Secure_Boot) +in the ArchWiki +[^3]: [RAID](https://en.wikipedia.org/wiki/RAID) in the Wikipedia +[^4]: [NTP](https://wiki.archlinux.org/title/Network_Time_Protocol_daemon) in +the ArchWiki +[^5]: [Dm-crypt](https://wiki.archlinux.org/title/Dm-crypt) in the ArchWiki +[^6]: [LVM](https://wiki.archlinux.org/title/LVM) in the ArchWiki +[^7]: [Swap](https://wiki.archlinux.org/title/Swap) in the ArchWiki +*atime* option explanation for SSDs in the ArchWiki +[^8]: [CET](https://en.wikipedia.org/wiki/Central_European_Time) in the +Wikipedia +[^9]: [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) in +the Wikipedia \ No newline at end of file diff --git a/content/docs/computer/system-preparation/img/nvme-lsblk.png b/content/docs/computer/system-preparation/img/nvme-lsblk.png new file mode 100644 index 0000000..f9514e4 --- /dev/null +++ b/content/docs/computer/system-preparation/img/nvme-lsblk.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:48ffd275f72bc3c0b0e93c12c53b6b5afc5a604fce958ca594417835374f3c37 +size 11735 diff --git a/content/music/inconvenient-ep/influenca/hidden b/content/music/inconvenient-ep/influenca/hidden index b8f240f..fc3a9b5 160000 --- a/content/music/inconvenient-ep/influenca/hidden +++ b/content/music/inconvenient-ep/influenca/hidden @@ -1 +1 @@ -Subproject commit b8f240ff66b79c2e79b4b7aad086d6e1197dd7a3 +Subproject commit fc3a9b5ca962f57632352d05210f78ebab4f49a2 diff --git a/hugo.yaml b/hugo.yaml index fb34174..f60b41c 100644 --- a/hugo.yaml +++ b/hugo.yaml 
@@ -4,7 +4,7 @@ title: this.ven theme: hextra params: - description: FLOSS musician, tinkerer and privacy advocate# + description: FLOSS musician, tinkerer and privacy advocate displayUpdatedDate: true editURL: enable: true @@ -22,6 +22,9 @@ params: footer: displayCopyright: true width: wide + blog: + list: + displayTags: true menu: main: diff --git a/themes/hextra b/themes/hextra index 5c7303b..24fb13b 160000 --- a/themes/hextra +++ b/themes/hextra @@ -1 +1 @@ -Subproject commit 5c7303bee7db6be24612541530e526fd77caf905 +Subproject commit 24fb13b221da34512fda402ff9fe7590a6f358c7
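Review bot: Grammar in the intro paragraph of `content/docs/computer/_index.md`: "Though this requires using the command-line interface and get involved with technology details, you are one step closer to know your system inside out" should read "and getting involved with technology details, you are one step closer to knowing your system inside out". Both new `_index.md` files also end with "\ No newline at end of file"; add the trailing newline so later diffs stay clean.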
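Review bot: The "Disk partition layout" intro in `system-preparation/_index.md` says "I partition the disk and encrypt the partitions to protect data at rest", but only partition 2 is encrypted: the ESP at `/boot` holds the kernel, the initramfs and the loader entries in plaintext on FAT32, and the "Disable Secure Boot" section turns off the only firmware check on that chain. State this explicitly so readers understand that the layout protects the data in the LUKS container but not the integrity of the boot path; `editor no` in `loader.conf` is a good mitigation for the kernel command line and is worth a sentence explaining why it is set. In the Partitioning list, the `fdisk` key sequence under `t` gives "1 (default, you can also use `Return`)" for the partition number and then "1" for the type, but at that point the disk has a single partition, so fdisk selects it automatically ("Selected partition 1") and prompts for the type directly; the first `1` becomes the type and the second is read as a command. Either drop the partition-number step or create both partitions before changing the type. Also "issueing" in the live environment section should be "issuing".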
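Review bot: In "Formatting and mounting", `mount /dev/lvg/home /mnt/home` runs right after `mount /dev/lvg/root /mnt` on a freshly formatted root volume, so `/mnt/home` does not exist yet and the mount fails; use `mount --mkdir /dev/lvg/home /mnt/home`, as the following line already does for `/mnt/boot`. In the fstab warning callout, the sentence "adjust `/etc/fstab` to use `noatime` for the filesystems instead of `discard`) for security reasons" has a stray `)` and conflates two unrelated options: `noatime` only suppresses access-time updates, while the linked ArchWiki section and the security concern are about `discard` passing TRIM through dm-crypt and revealing which blocks are unused. Say which option is being added and which is being left out. The same callout runs `vim /etc/fstab` before the `arch-chroot /mnt` step, so at that point the generated file is at `/mnt/etc/fstab`. Footnote `[^7]` is followed by the orphan line "*atime* option explanation for SSDs in the ArchWiki" with no footnote marker; either attach it to a marker or remove it.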
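Review bot: The `HOOKS` line in "Initramfs configuration" lists `modconf` twice (`... autodetect modconf kms keyboard keymap consolefont modconf block ...`); the second occurrence should be removed so the documented order matches what the text says was inserted (`encrypt`, `lvm2`, `resume`). "generatation" in the following sentence should be "generation".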
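Review bot: Name mismatch in "Systemd-boot installation": the loader entry and the shell variable use `MyUuid`, but the prose says "replace *MyUuid* with the `$MyUUID` value in the string `cryptdevice=UUID=MyUUID:lvg`"; `sed` is case-sensitive, so the prose should use `MyUuid` throughout. The extraction pipeline `MyUuid=$(blkid | grep crypto_LUKS | cut --delimiter=' ' --field=2 | sed ...)` depends on the field order of `blkid` output and on exactly one LUKS device being attached (a second one, e.g. on the installation medium, yields two lines); `blkid -s UUID -o value /dev/nvme0n1p2` returns the bare UUID of the intended partition directly. The sentence "Otherwise the system is unable to boot from the correct device and fall back to an emergency shell" needs "falls back"; a `cat /boot/loader/entries/linux.conf` after the `sed -i` would make the "I check the boot loader entry" step concrete.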
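Review bot: The resolved drop-ins in "Networking" set `DNS=` and `FallbackDNS=` but leave transport at plaintext UDP/TCP 53, so the choice of a censorship-free resolver is visible to and modifiable by anyone on path; if the chosen resolvers support it, add `DNSOverTLS=yes` (and consider `DNSSEC=allow-downgrade`) to the `[Resolve]` section and say so in the text. Other points in this region: "Systemd-resolvd" appears twice (prose and link text) and should be "Systemd-resolved"; the sentence "using `exit` or the key combination ``" has empty backticks where the key combination should be; and `cp /etc/resolv.conf /etc/resolv.conf.bkp` inside the chroot copies the live environment's bind-mounted file, as the warning callout itself explains, so the text should not describe it as backing up the new system's resolver file. "login into" in the Reboot section should be "log into".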
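Review bot: The submodule pointer bumps for `content/music/inconvenient-ep/influenca/hidden` and `themes/hextra`, and the new `blog.list.displayTags` setting in `hugo.yaml`, are unrelated to "Add computer documentation" and belong in separate commits; the `description` fix (dropping the stray trailing `#`) is fine to keep here. All three new pages carry `draft: true`; if that is intentional, a note in the commit message would save the next reviewer from asking.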