https://wiki.archlinux.org/api.php?action=feedcontributions&user=Enckse&feedformat=atom
ArchWiki - User contributions [en]
2024-03-29T14:04:34Z
User contributions
MediaWiki 1.41.0
https://wiki.archlinux.org/index.php?title=User:Enckse&diff=553052
User:Enckse
2018-11-04T15:52:52Z
<p>Enckse: deprecating my user page</p>
<hr />
<div></div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/TipsAndTricks&diff=553051
User:Enckse/TipsAndTricks
2018-11-04T15:52:35Z
<p>Enckse: deprecated</p>
<hr />
<div></div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/TipsAndTricks&diff=553050
User:Enckse/TipsAndTricks
2018-11-04T15:52:14Z
<p>Enckse: /* libvirt */ also moved</p>
<hr />
<div>__TOC__<br />
<br />
== SSMTP ==<br />
<br />
Mapping entries in /etc/ssmtp/revaliases<br />
root:[username]@gmail.com:smtp.gmail.com:587<br />
<br />
General config and setting up ssmtp in /etc/ssmtp/ssmtp.conf<br />
root=[username]@gmail.com<br />
mailhub=smtp.gmail.com:587<br />
hostname=localhost<br />
UseSTARTTLS=YES<br />
AuthUser=[username]@gmail.com<br />
AuthPass=[password]<br />
FromLineOverride=YES<br />
UseTLS=YES<br />
rewriteDomain=gmail.com<br />
<br />
To map local users with a different 'To:' edit /etc/mail.rc<br />
alias user user<username@gmail.com><br />
<br />
Test via<br />
echo test | mail -v -s "testing ssmtp" <receiving@email.address.com><br />
<br />
References https://wiki.archlinux.org/index.php/SSMTP</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/TipsAndTricks&diff=553049
User:Enckse/TipsAndTricks
2018-11-04T15:51:55Z
<p>Enckse: /* Commands */ moved elsewhere...again</p>
<hr />
<div>__TOC__<br />
<br />
== libvirt ==<br />
<br />
Assumes using dnsmasq and ebtables for NAT'd networking on child VMs on the host. Also that we're only using dnsmasq for this purpose<br />
<br />
first make sure dnsmasq starts and binds only how we want<br />
{{hc|/etc/dnsmasq.conf|2=<br />
interface=host-interface-name<br />
# or listen-address=ip<br />
# and<br />
bind-interfaces<br />
}}<br />
<br />
start a 'virsh' session<br />
{{Note|virsh commands, assumes 'default' config name}}<br />
net-edit default<br />
<br />
add an entry after the dhcp/range path<br />
<host mac='vm-mac-address' name='vm-name' ip='static-ip' /><br />
<br />
back to 'virsh' session<br />
net-destroy default<br />
net-start default<br />
<br />
Should reboot the host just to pick everything up<br />
<br />
references<br />
http://wiki.libvirt.org/page/Libvirtd_and_dnsmasq<br />
http://www.cyberciti.biz/faq/linux-kvm-libvirt-dnsmasq-dhcp-static-ip-address-configuration-for-guest-os/<br />
<br />
== SSMTP ==<br />
<br />
Mapping entries in /etc/ssmtp/revaliases<br />
root:[username]@gmail.com:smtp.gmail.com:587<br />
<br />
General config and setting up ssmtp in /etc/ssmtp/ssmtp.conf<br />
root=[username]@gmail.com<br />
mailhub=smtp.gmail.com:587<br />
hostname=localhost<br />
UseSTARTTLS=YES<br />
AuthUser=[username]@gmail.com<br />
AuthPass=[password]<br />
FromLineOverride=YES<br />
UseTLS=YES<br />
rewriteDomain=gmail.com<br />
<br />
To map local users with a different 'To:' edit /etc/mail.rc<br />
alias user user<username@gmail.com><br />
<br />
Test via<br />
echo test | mail -v -s "testing ssmtp" <receiving@email.address.com><br />
<br />
References https://wiki.archlinux.org/index.php/SSMTP</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/TipsAndTricks&diff=552993
User:Enckse/TipsAndTricks
2018-11-04T13:19:36Z
<p>Enckse: /* Commands */ these are documented elsewhere</p>
<hr />
<div>__TOC__<br />
<br />
== Commands ==<br />
<br />
Useful commands<br />
<br />
Attach files using mutt<br />
mutt -s "<subject>" <to> < <email_text> -a <file1> -a <file2><br />
<br />
Drive power on hours (needs {{Pkg|smartmontools}})<br />
# change "/1" in awk with "/24" for days or "/8765.81" for years<br />
smartctl --all /dev/sd[X] | grep "Power_On_Hours " | tr -s " " | cut -d " " -f 11 | awk '{print $0/1}'<br />
<br />
cbr/cbz files: remove whitespace from names, cbr = unrar (unrar e <options>), cbz = unzip<br />
<br />
== libvirt ==<br />
<br />
Assumes using dnsmasq and ebtables for NAT'd networking on child VMs on the host. Also that we're only using dnsmasq for this purpose<br />
<br />
first make sure dnsmasq starts and binds only how we want<br />
{{hc|/etc/dnsmasq.conf|2=<br />
interface=host-interface-name<br />
# or listen-address=ip<br />
# and<br />
bind-interfaces<br />
}}<br />
<br />
start a 'virsh' session<br />
{{Note|virsh commands, assumes 'default' config name}}<br />
net-edit default<br />
<br />
add an entry after the dhcp/range path<br />
<host mac='vm-mac-address' name='vm-name' ip='static-ip' /><br />
<br />
back to 'virsh' session<br />
net-destroy default<br />
net-start default<br />
<br />
Should reboot the host just to pick everything up<br />
<br />
references<br />
http://wiki.libvirt.org/page/Libvirtd_and_dnsmasq<br />
http://www.cyberciti.biz/faq/linux-kvm-libvirt-dnsmasq-dhcp-static-ip-address-configuration-for-guest-os/<br />
<br />
== SSMTP ==<br />
<br />
Mapping entries in /etc/ssmtp/revaliases<br />
root:[username]@gmail.com:smtp.gmail.com:587<br />
<br />
General config and setting up ssmtp in /etc/ssmtp/ssmtp.conf<br />
root=[username]@gmail.com<br />
mailhub=smtp.gmail.com:587<br />
hostname=localhost<br />
UseSTARTTLS=YES<br />
AuthUser=[username]@gmail.com<br />
AuthPass=[password]<br />
FromLineOverride=YES<br />
UseTLS=YES<br />
rewriteDomain=gmail.com<br />
<br />
To map local users with a different 'To:' edit /etc/mail.rc<br />
alias user user<username@gmail.com><br />
<br />
Test via<br />
echo test | mail -v -s "testing ssmtp" <receiving@email.address.com><br />
<br />
References https://wiki.archlinux.org/index.php/SSMTP</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/TipsAndTricks&diff=552992
User:Enckse/TipsAndTricks
2018-11-04T13:17:36Z
<p>Enckse: /* git */ have this aliases as reference now</p>
<hr />
<div>__TOC__<br />
<br />
== Commands ==<br />
<br />
Useful commands<br />
<br />
Wireless ssid scan<br />
sudo iwlist wlp3s0 scanning essid<br />
<br />
Attach files using mutt<br />
mutt -s "<subject>" <to> < <email_text> -a <file1> -a <file2><br />
<br />
Drive power on hours (needs {{Pkg|smartmontools}})<br />
# change "/1" in awk with "/24" for days or "/8765.81" for years<br />
smartctl --all /dev/sd[X] | grep "Power_On_Hours " | tr -s " " | cut -d " " -f 11 | awk '{print $0/1}'<br />
<br />
cbr/cbz files: remove whitespace from names, cbr = unrar (unrar e <options>), cbz = unzip<br />
<br />
=== Static IP ===<br />
<br />
Get a static IP when you aren't using a normal manager for networks (e.g. network manager)<br />
<br />
utilize dhcpcd<br />
{{hc|/etc/dhcpcd.conf|2=<br />
interface enp0s31f6<br />
static ip_address=192.168.1.5/24<br />
static router=192.168.1.1<br />
}}<br />
<br />
start dhcpcd on interface<br />
systemctl start dhcpcd@enp0s31f6<br />
<br />
== libvirt ==<br />
<br />
Assumes using dnsmasq and ebtables for NAT'd networking on child VMs on the host. Also that we're only using dnsmasq for this purpose<br />
<br />
first make sure dnsmasq starts and binds only how we want<br />
{{hc|/etc/dnsmasq.conf|2=<br />
interface=host-interface-name<br />
# or listen-address=ip<br />
# and<br />
bind-interfaces<br />
}}<br />
<br />
start a 'virsh' session<br />
{{Note|virsh commands, assumes 'default' config name}}<br />
net-edit default<br />
<br />
add an entry after the dhcp/range path<br />
<host mac='vm-mac-address' name='vm-name' ip='static-ip' /><br />
<br />
back to 'virsh' session<br />
net-destroy default<br />
net-start default<br />
<br />
Should reboot the host just to pick everything up<br />
<br />
references<br />
http://wiki.libvirt.org/page/Libvirtd_and_dnsmasq<br />
http://www.cyberciti.biz/faq/linux-kvm-libvirt-dnsmasq-dhcp-static-ip-address-configuration-for-guest-os/<br />
<br />
== SSMTP ==<br />
<br />
Mapping entries in /etc/ssmtp/revaliases<br />
root:[username]@gmail.com:smtp.gmail.com:587<br />
<br />
General config and setting up ssmtp in /etc/ssmtp/ssmtp.conf<br />
root=[username]@gmail.com<br />
mailhub=smtp.gmail.com:587<br />
hostname=localhost<br />
UseSTARTTLS=YES<br />
AuthUser=[username]@gmail.com<br />
AuthPass=[password]<br />
FromLineOverride=YES<br />
UseTLS=YES<br />
rewriteDomain=gmail.com<br />
<br />
To map local users with a different 'To:' edit /etc/mail.rc<br />
alias user user<username@gmail.com><br />
<br />
Test via<br />
echo test | mail -v -s "testing ssmtp" <receiving@email.address.com><br />
<br />
References https://wiki.archlinux.org/index.php/SSMTP</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/TipsAndTricks&diff=552991
User:Enckse/TipsAndTricks
2018-11-04T13:17:22Z
<p>Enckse: /* Commands */ remove command (not helpful)</p>
<hr />
<div>__TOC__<br />
<br />
== Commands ==<br />
<br />
Useful commands<br />
<br />
Wireless ssid scan<br />
sudo iwlist wlp3s0 scanning essid<br />
<br />
Attach files using mutt<br />
mutt -s "<subject>" <to> < <email_text> -a <file1> -a <file2><br />
<br />
Drive power on hours (needs {{Pkg|smartmontools}})<br />
# change "/1" in awk with "/24" for days or "/8765.81" for years<br />
smartctl --all /dev/sd[X] | grep "Power_On_Hours " | tr -s " " | cut -d " " -f 11 | awk '{print $0/1}'<br />
<br />
cbr/cbz files: remove whitespace from names, cbr = unrar (unrar e <options>), cbz = unzip<br />
<br />
=== Static IP ===<br />
<br />
Get a static IP when you aren't using a normal manager for networks (e.g. network manager)<br />
<br />
utilize dhcpcd<br />
{{hc|/etc/dhcpcd.conf|2=<br />
interface enp0s31f6<br />
static ip_address=192.168.1.5/24<br />
static router=192.168.1.1<br />
}}<br />
<br />
start dhcpcd on interface<br />
systemctl start dhcpcd@enp0s31f6<br />
<br />
== libvirt ==<br />
<br />
Assumes using dnsmasq and ebtables for NAT'd networking on child VMs on the host. Also that we're only using dnsmasq for this purpose<br />
<br />
first make sure dnsmasq starts and binds only how we want<br />
{{hc|/etc/dnsmasq.conf|2=<br />
interface=host-interface-name<br />
# or listen-address=ip<br />
# and<br />
bind-interfaces<br />
}}<br />
<br />
start a 'virsh' session<br />
{{Note|virsh commands, assumes 'default' config name}}<br />
net-edit default<br />
<br />
add an entry after the dhcp/range path<br />
<host mac='vm-mac-address' name='vm-name' ip='static-ip' /><br />
<br />
back to 'virsh' session<br />
net-destroy default<br />
net-start default<br />
<br />
Should reboot the host just to pick everything up<br />
<br />
references<br />
http://wiki.libvirt.org/page/Libvirtd_and_dnsmasq<br />
http://www.cyberciti.biz/faq/linux-kvm-libvirt-dnsmasq-dhcp-static-ip-address-configuration-for-guest-os/<br />
<br />
== SSMTP ==<br />
<br />
Mapping entries in /etc/ssmtp/revaliases<br />
root:[username]@gmail.com:smtp.gmail.com:587<br />
<br />
General config and setting up ssmtp in /etc/ssmtp/ssmtp.conf<br />
root=[username]@gmail.com<br />
mailhub=smtp.gmail.com:587<br />
hostname=localhost<br />
UseSTARTTLS=YES<br />
AuthUser=[username]@gmail.com<br />
AuthPass=[password]<br />
FromLineOverride=YES<br />
UseTLS=YES<br />
rewriteDomain=gmail.com<br />
<br />
To map local users with a different 'To:' edit /etc/mail.rc<br />
alias user user<username@gmail.com><br />
<br />
Test via<br />
echo test | mail -v -s "testing ssmtp" <receiving@email.address.com><br />
<br />
References https://wiki.archlinux.org/index.php/SSMTP<br />
<br />
== git ==<br />
<br />
=== multiple repos ===<br />
<br />
Storing multiple git repositories in a single directory (not using submodules). For this purpose there is a repository (1) which should be read/write and others that are read-only (that's important later).<br />
<br />
mv .git .git-repo1<br />
# now clone the second<br />
git clone <repo2><br />
mv .git .git-repo2<br />
mv .git-repo1 .git<br />
<br />
At this point repo1 (the read/write repo) is now going to respond to 'git' commands. To run against another repo<br />
git --git-dir=.git-repo2 <command><br />
<br />
There will be some difficulties with multiple .gitignore files but if only one repo (1) has an ignore file, it can have exclusions defined for the others repositories (since the others are read-only in this case)<br />
git --git-dir=.git-repo2 config core.excludefiles ".git-repo2-exclude"<br />
<br />
Of course the .git-repo2-exclude file would need to be included in repo1's repository.<br />
<br />
References: http://stackoverflow.com/questions/436125/two-git-repositories-in-one-directory<br />
<br />
=== remotes ===<br />
<br />
use a post-receive hook<br />
<br />
to push to something like github you must make sure the host is known<br />
ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts<br />
<br />
you can push via post-receive hook<br />
git push --all git@github.com:</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/TipsAndTricks&diff=552990
User:Enckse/TipsAndTricks
2018-11-04T13:17:06Z
<p>Enckse: /* SSH */ drop section</p>
<hr />
<div>__TOC__<br />
<br />
== Commands ==<br />
<br />
Useful commands<br />
<br />
Reset xorg brightness<br />
sudo tee /sys/class/backlight/intel_backlight/brightness <<< 2000<br />
<br />
Wireless ssid scan<br />
sudo iwlist wlp3s0 scanning essid<br />
<br />
Attach files using mutt<br />
mutt -s "<subject>" <to> < <email_text> -a <file1> -a <file2><br />
<br />
Drive power on hours (needs {{Pkg|smartmontools}})<br />
# change "/1" in awk with "/24" for days or "/8765.81" for years<br />
smartctl --all /dev/sd[X] | grep "Power_On_Hours " | tr -s " " | cut -d " " -f 11 | awk '{print $0/1}'<br />
<br />
cbr/cbz files: remove whitespace from names, cbr = unrar (unrar e <options>), cbz = unzip<br />
<br />
=== Static IP ===<br />
<br />
Get a static IP when you aren't using a normal manager for networks (e.g. network manager)<br />
<br />
utilize dhcpcd<br />
{{hc|/etc/dhcpcd.conf|2=<br />
interface enp0s31f6<br />
static ip_address=192.168.1.5/24<br />
static router=192.168.1.1<br />
}}<br />
<br />
start dhcpcd on interface<br />
systemctl start dhcpcd@enp0s31f6<br />
<br />
== libvirt ==<br />
<br />
Assumes using dnsmasq and ebtables for NAT'd networking on child VMs on the host. Also that we're only using dnsmasq for this purpose<br />
<br />
first make sure dnsmasq starts and binds only how we want<br />
{{hc|/etc/dnsmasq.conf|2=<br />
interface=host-interface-name<br />
# or listen-address=ip<br />
# and<br />
bind-interfaces<br />
}}<br />
<br />
start a 'virsh' session<br />
{{Note|virsh commands, assumes 'default' config name}}<br />
net-edit default<br />
<br />
add an entry after the dhcp/range path<br />
<host mac='vm-mac-address' name='vm-name' ip='static-ip' /><br />
<br />
back to 'virsh' session<br />
net-destroy default<br />
net-start default<br />
<br />
Should reboot the host just to pick everything up<br />
<br />
references<br />
http://wiki.libvirt.org/page/Libvirtd_and_dnsmasq<br />
http://www.cyberciti.biz/faq/linux-kvm-libvirt-dnsmasq-dhcp-static-ip-address-configuration-for-guest-os/<br />
<br />
== SSMTP ==<br />
<br />
Mapping entries in /etc/ssmtp/revaliases<br />
root:[username]@gmail.com:smtp.gmail.com:587<br />
<br />
General config and setting up ssmtp in /etc/ssmtp/ssmtp.conf<br />
root=[username]@gmail.com<br />
mailhub=smtp.gmail.com:587<br />
hostname=localhost<br />
UseSTARTTLS=YES<br />
AuthUser=[username]@gmail.com<br />
AuthPass=[password]<br />
FromLineOverride=YES<br />
UseTLS=YES<br />
rewriteDomain=gmail.com<br />
<br />
To map local users with a different 'To:' edit /etc/mail.rc<br />
alias user user<username@gmail.com><br />
<br />
Test via<br />
echo test | mail -v -s "testing ssmtp" <receiving@email.address.com><br />
<br />
References https://wiki.archlinux.org/index.php/SSMTP<br />
<br />
== git ==<br />
<br />
=== multiple repos ===<br />
<br />
Storing multiple git repositories in a single directory (not using submodules). For this purpose there is a repository (1) which should be read/write and others that are read-only (that's important later).<br />
<br />
mv .git .git-repo1<br />
# now clone the second<br />
git clone <repo2><br />
mv .git .git-repo2<br />
mv .git-repo1 .git<br />
<br />
At this point repo1 (the read/write repo) is now going to respond to 'git' commands. To run against another repo<br />
git --git-dir=.git-repo2 <command><br />
<br />
There will be some difficulties with multiple .gitignore files but if only one repo (1) has an ignore file, it can have exclusions defined for the others repositories (since the others are read-only in this case)<br />
git --git-dir=.git-repo2 config core.excludefiles ".git-repo2-exclude"<br />
<br />
Of course the .git-repo2-exclude file would need to be included in repo1's repository.<br />
<br />
References: http://stackoverflow.com/questions/436125/two-git-repositories-in-one-directory<br />
<br />
=== remotes ===<br />
<br />
use a post-receive hook<br />
<br />
to push to something like github you must make sure the host is known<br />
ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts<br />
<br />
you can push via post-receive hook<br />
git push --all git@github.com:</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/TipsAndTricks&diff=552620
User:Enckse/TipsAndTricks
2018-11-02T19:43:09Z
<p>Enckse: /* ubnt */ duplicated/obvious setup</p>
<hr />
<div>__TOC__<br />
<br />
== SSH ==<br />
<br />
=== Usage ===<br />
<br />
no bashrc loading<br />
ssh -t <host> bash --norc --noprofile<br />
<br />
=== Config ===<br />
<br />
==== Proxying ====<br />
<br />
{{hc|~/.ssh/config|2=<br />
Host proxy<br />
HostName proxy.example.com<br />
RequestTTY force<br />
LocalCommand ssh dest.example.com<br />
PermitLocalCommand yes<br />
}}<br />
<br />
== Commands ==<br />
<br />
Useful commands<br />
<br />
Reset xorg brightness<br />
sudo tee /sys/class/backlight/intel_backlight/brightness <<< 2000<br />
<br />
Wireless ssid scan<br />
sudo iwlist wlp3s0 scanning essid<br />
<br />
Attach files using mutt<br />
mutt -s "<subject>" <to> < <email_text> -a <file1> -a <file2><br />
<br />
Drive power on hours (needs {{Pkg|smartmontools}})<br />
# change "/1" in awk with "/24" for days or "/8765.81" for years<br />
smartctl --all /dev/sd[X] | grep "Power_On_Hours " | tr -s " " | cut -d " " -f 11 | awk '{print $0/1}'<br />
<br />
cbr/cbz files: remove whitespace from names, cbr = unrar (unrar e <options>), cbz = unzip<br />
<br />
=== Static IP ===<br />
<br />
Get a static IP when you aren't using a normal manager for networks (e.g. network manager)<br />
<br />
utilize dhcpcd<br />
{{hc|/etc/dhcpcd.conf|2=<br />
interface enp0s31f6<br />
static ip_address=192.168.1.5/24<br />
static router=192.168.1.1<br />
}}<br />
<br />
start dhcpcd on interface<br />
systemctl start dhcpcd@enp0s31f6<br />
<br />
== libvirt ==<br />
<br />
Assumes using dnsmasq and ebtables for NAT'd networking on child VMs on the host. Also that we're only using dnsmasq for this purpose<br />
<br />
first make sure dnsmasq starts and binds only how we want<br />
{{hc|/etc/dnsmasq.conf|2=<br />
interface=host-interface-name<br />
# or listen-address=ip<br />
# and<br />
bind-interfaces<br />
}}<br />
<br />
start a 'virsh' session<br />
{{Note|virsh commands, assumes 'default' config name}}<br />
net-edit default<br />
<br />
add an entry after the dhcp/range path<br />
<host mac='vm-mac-address' name='vm-name' ip='static-ip' /><br />
<br />
back to 'virsh' session<br />
net-destroy default<br />
net-start default<br />
<br />
Should reboot the host just to pick everything up<br />
<br />
references<br />
http://wiki.libvirt.org/page/Libvirtd_and_dnsmasq<br />
http://www.cyberciti.biz/faq/linux-kvm-libvirt-dnsmasq-dhcp-static-ip-address-configuration-for-guest-os/<br />
<br />
== SSMTP ==<br />
<br />
Mapping entries in /etc/ssmtp/revaliases<br />
root:[username]@gmail.com:smtp.gmail.com:587<br />
<br />
General config and setting up ssmtp in /etc/ssmtp/ssmtp.conf<br />
root=[username]@gmail.com<br />
mailhub=smtp.gmail.com:587<br />
hostname=localhost<br />
UseSTARTTLS=YES<br />
AuthUser=[username]@gmail.com<br />
AuthPass=[password]<br />
FromLineOverride=YES<br />
UseTLS=YES<br />
rewriteDomain=gmail.com<br />
<br />
To map local users with a different 'To:' edit /etc/mail.rc<br />
alias user user<username@gmail.com><br />
<br />
Test via<br />
echo test | mail -v -s "testing ssmtp" <receiving@email.address.com><br />
<br />
References https://wiki.archlinux.org/index.php/SSMTP<br />
<br />
== git ==<br />
<br />
=== multiple repos ===<br />
<br />
Storing multiple git repositories in a single directory (not using submodules). For this purpose there is a repository (1) which should be read/write and others that are read-only (that's important later).<br />
<br />
mv .git .git-repo1<br />
# now clone the second<br />
git clone <repo2><br />
mv .git .git-repo2<br />
mv .git-repo1 .git<br />
<br />
At this point repo1 (the read/write repo) is now going to respond to 'git' commands. To run against another repo<br />
git --git-dir=.git-repo2 <command><br />
<br />
There will be some difficulties with multiple .gitignore files but if only one repo (1) has an ignore file, it can have exclusions defined for the others repositories (since the others are read-only in this case)<br />
git --git-dir=.git-repo2 config core.excludefiles ".git-repo2-exclude"<br />
<br />
Of course the .git-repo2-exclude file would need to be included in repo1's repository.<br />
<br />
References: http://stackoverflow.com/questions/436125/two-git-repositories-in-one-directory<br />
<br />
=== remotes ===<br />
<br />
use a post-receive hook<br />
<br />
to push to something like github you must make sure the host is known<br />
ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts<br />
<br />
you can push via post-receive hook<br />
git push --all git@github.com:</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/TipsAndTricks&diff=552619
User:Enckse/TipsAndTricks
2018-11-02T19:39:28Z
<p>Enckse: /* Containers */ more out-of-date content</p>
<hr />
<div>__TOC__<br />
<br />
== SSH ==<br />
<br />
=== Usage ===<br />
<br />
no bashrc loading<br />
ssh -t <host> bash --norc --noprofile<br />
<br />
=== Config ===<br />
<br />
==== Proxying ====<br />
<br />
{{hc|~/.ssh/config|2=<br />
Host proxy<br />
HostName proxy.example.com<br />
RequestTTY force<br />
LocalCommand ssh dest.example.com<br />
PermitLocalCommand yes<br />
}}<br />
<br />
== Commands ==<br />
<br />
Useful commands<br />
<br />
Reset xorg brightness<br />
sudo tee /sys/class/backlight/intel_backlight/brightness <<< 2000<br />
<br />
Wireless ssid scan<br />
sudo iwlist wlp3s0 scanning essid<br />
<br />
Attach files using mutt<br />
mutt -s "<subject>" <to> < <email_text> -a <file1> -a <file2><br />
<br />
Drive power on hours (needs {{Pkg|smartmontools}})<br />
# change "/1" in awk with "/24" for days or "/8765.81" for years<br />
smartctl --all /dev/sd[X] | grep "Power_On_Hours " | tr -s " " | cut -d " " -f 11 | awk '{print $0/1}'<br />
<br />
cbr/cbz files: remove whitespace from names, cbr = unrar (unrar e <options>), cbz = unzip<br />
<br />
=== Static IP ===<br />
<br />
Get a static IP when you aren't using a normal manager for networks (e.g. network manager)<br />
<br />
utilize dhcpcd<br />
{{hc|/etc/dhcpcd.conf|2=<br />
interface enp0s31f6<br />
static ip_address=192.168.1.5/24<br />
static router=192.168.1.1<br />
}}<br />
<br />
start dhcpcd on interface<br />
systemctl start dhcpcd@enp0s31f6<br />
<br />
== libvirt ==<br />
<br />
Assumes using dnsmasq and ebtables for NAT'd networking on child VMs on the host. Also that we're only using dnsmasq for this purpose<br />
<br />
first make sure dnsmasq starts and binds only how we want<br />
{{hc|/etc/dnsmasq.conf|2=<br />
interface=host-interface-name<br />
# or listen-address=ip<br />
# and<br />
bind-interfaces<br />
}}<br />
<br />
start a 'virsh' session<br />
{{Note|virsh commands, assumes 'default' config name}}<br />
net-edit default<br />
<br />
add an entry after the dhcp/range path<br />
<host mac='vm-mac-address' name='vm-name' ip='static-ip' /><br />
<br />
back to 'virsh' session<br />
net-destroy default<br />
net-start default<br />
<br />
Should reboot the host just to pick everything up<br />
<br />
references<br />
http://wiki.libvirt.org/page/Libvirtd_and_dnsmasq<br />
http://www.cyberciti.biz/faq/linux-kvm-libvirt-dnsmasq-dhcp-static-ip-address-configuration-for-guest-os/<br />
<br />
== ubnt ==<br />
<br />
=== Serial ===<br />
<br />
needs {{Pkg|minicom}}<br />
sudo minicom -s<br />
<br />
Select "Serial port setup"<br />
verify that:<br />
Device: /dev/ttyUSB0<br />
Baud: 115200<br />
HW: Off<br />
<br />
Select "Save setup as dfl" and exit<br />
<br />
Back into minicom<br />
sudo minicom<br />
<br />
Using minicom<br />
<br />
Ctrl-A then Z -> Help<br />
Ctrl-A then M -> Init modem<br />
<br />
It takes time to load, it should prompt for user/pass<br />
> ? (for help)<br />
> enable (to get into 'normal' ubnt shell)<br />
# ?<br />
# help<br />
# exit<br />
> exit<br />
<br />
References: https://help.ubnt.com/hc/en-us/articles/205202630-EdgeMAX-Connect-to-serial-console-port-default-settings https://wiki.archlinux.org/index.php/working_with_the_serial_console<br />
<br />
== SSMTP ==<br />
<br />
Mapping entries in /etc/ssmtp/revaliases<br />
root:[username]@gmail.com:smtp.gmail.com:587<br />
<br />
General config and setting up ssmtp in /etc/ssmtp/ssmtp.conf<br />
root=[username]@gmail.com<br />
mailhub=smtp.gmail.com:587<br />
hostname=localhost<br />
UseSTARTTLS=YES<br />
AuthUser=[username]@gmail.com<br />
AuthPass=[password]<br />
FromLineOverride=YES<br />
UseTLS=YES<br />
rewriteDomain=gmail.com<br />
<br />
To map local users with a different 'To:' edit /etc/mail.rc<br />
alias user user<username@gmail.com><br />
<br />
Test via<br />
echo test | mail -v -s "testing ssmtp" <receiving@email.address.com><br />
<br />
References https://wiki.archlinux.org/index.php/SSMTP<br />
<br />
== git ==<br />
<br />
=== multiple repos ===<br />
<br />
Storing multiple git repositories in a single directory (not using submodules). For this purpose there is a repository (1) which should be read/write and others that are read-only (that's important later).<br />
<br />
mv .git .git-repo1<br />
# now clone the second<br />
git clone <repo2><br />
mv .git .git-repo2<br />
mv .git-repo1 .git<br />
<br />
At this point repo1 (the read/write repo) is now going to respond to 'git' commands. To run against another repo<br />
git --git-dir=.git-repo2 <command><br />
<br />
There will be some difficulties with multiple .gitignore files but if only one repo (1) has an ignore file, it can have exclusions defined for the others repositories (since the others are read-only in this case)<br />
git --git-dir=.git-repo2 config core.excludefiles ".git-repo2-exclude"<br />
<br />
Of course the .git-repo2-exclude file would need to be included in repo1's repository.<br />
<br />
References: http://stackoverflow.com/questions/436125/two-git-repositories-in-one-directory<br />
<br />
=== remotes ===<br />
<br />
use a post-receive hook<br />
<br />
to push to something like github you must make sure the host is known<br />
ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts<br />
<br />
you can push via post-receive hook<br />
git push --all git@github.com:</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/TipsAndTricks&diff=552618
User:Enckse/TipsAndTricks
2018-11-02T19:38:45Z
<p>Enckse: /* Kerberos */ out-of-date</p>
<hr />
<div>__TOC__<br />
<br />
== Containers ==<br />
<br />
machinectl/systemd-nspawn container notes<br />
{{Warning|Always make sure to enable machines.target when expecting systemd to control machines at system start/stop}}<br />
<br />
=== Service ===<br />
<br />
Required target<br />
systemctl enable machines.target<br />
<br />
=== Shared networking ===<br />
{{hc|sudo systemctl edit systemd-nspawn@.service|2=<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --machine=%I<br />
}}<br />
<br />
=== CAC Card/Smartcard ===<br />
<br />
{{Note|You must have the same version of pcsclite in the containers as you do on the host}}<br />
<br />
To troubleshoot in a clean(ish) environment in a container<br />
<br />
make sure X is shared on the host<br />
xhost +local:<br />
<br />
in the container<br />
DISPLAY=:0<br />
export DISPLAY<br />
<br />
bind the pcscd socket to the container in the nspawn file<br />
Bind=/var/run/pcscd/<br />
<br />
in the container install firefox, pcsclite, opensc (don't need ccid and you don't need to enable pcsclite as you are using the host socket). follow the cert install instructions for Common Access Cards<br />
<br />
now to test<br />
export PCSCLITE_CSOCK_NAME=/var/run/pcscd/pcscd.comm<br />
firefox<br />
<br />
== SSH ==<br />
<br />
=== Usage ===<br />
<br />
no bashrc loading<br />
ssh -t <host> bash --norc --noprofile<br />
<br />
=== Config ===<br />
<br />
==== Proxying ====<br />
<br />
{{hc|~/.ssh/config|2=<br />
Host proxy<br />
HostName proxy.example.com<br />
RequestTTY force<br />
LocalCommand ssh dest.example.com<br />
PermitLocalCommand yes<br />
}}<br />
<br />
== Commands ==<br />
<br />
Useful commands<br />
<br />
Reset xorg brightness<br />
sudo tee /sys/class/backlight/intel_backlight/brightness <<< 2000<br />
<br />
Wireless ssid scan<br />
sudo iwlist wlp3s0 scanning essid<br />
<br />
Attach files using mutt<br />
mutt -s "<subject>" <to> < <email_text> -a <file1> -a <file2><br />
<br />
Drive power on hours (needs {{Pkg|smartmontools}})<br />
# change "/1" in awk with "/24" for days or "/8765.81" for years<br />
smartctl --all /dev/sd[X] | grep "Power_On_Hours " | tr -s " " | cut -d " " -f 11 | awk '{print $0/1}'<br />
<br />
cbr/cbz files: remove whitespace from names, cbr = unrar (unrar e <options>), cbz = unzip<br />
<br />
=== Static IP ===<br />
<br />
Get a static IP when you aren't using a normal manager for networks (e.g. network manager)<br />
<br />
utilize dhcpcd<br />
{{hc|/etc/dhcpcd.conf|2=<br />
interface enp0s31f6<br />
static ip_address=192.168.1.5/24<br />
static router=192.168.1.1<br />
}}<br />
<br />
start dhcpcd on interface<br />
systemctl start dhcpcd@enp0s31f6<br />
<br />
== libvirt ==<br />
<br />
Assumes using dnsmasq and ebtables for NAT'd networking on child VMs on the host. Also that we're only using dnsmasq for this purpose<br />
<br />
first make sure dnsmasq starts and binds only how we want<br />
{{hc|/etc/dnsmasq.conf|2=<br />
interface=host-interface-name<br />
# or listen-address=ip<br />
# and<br />
bind-interfaces<br />
}}<br />
<br />
start a 'virsh' session<br />
{{Note|virsh commands, assumes 'default' config name}}<br />
net-edit default<br />
<br />
add an entry after the dhcp/range path<br />
<host mac='vm-mac-address' name='vm-name' ip='static-ip' /><br />
<br />
back to 'virsh' session<br />
net-destroy default<br />
net-start default<br />
<br />
Should reboot the host just to pick everything up<br />
<br />
references<br />
http://wiki.libvirt.org/page/Libvirtd_and_dnsmasq<br />
http://www.cyberciti.biz/faq/linux-kvm-libvirt-dnsmasq-dhcp-static-ip-address-configuration-for-guest-os/<br />
<br />
== ubnt ==<br />
<br />
=== Serial ===<br />
<br />
needs {{Pkg|minicom}}<br />
sudo minicom -s<br />
<br />
Select "Serial port setup"<br />
verify that:<br />
Device: /dev/ttyUSB0<br />
Baud: 115200<br />
HW: Off<br />
<br />
Select "Save setup as dfl" and exit<br />
<br />
Back into minicom<br />
sudo minicom<br />
<br />
Using minicom<br />
<br />
Ctrl-A then Z -> Help<br />
Ctrl-A then M -> Init modem<br />
<br />
It takes time to load, it should prompt for user/pass<br />
> ? (for help)<br />
> enable (to get into 'normal' ubnt shell)<br />
# ?<br />
# help<br />
# exit<br />
> exit<br />
<br />
References: https://help.ubnt.com/hc/en-us/articles/205202630-EdgeMAX-Connect-to-serial-console-port-default-settings https://wiki.archlinux.org/index.php/working_with_the_serial_console<br />
<br />
== SSMTP ==<br />
<br />
Mapping entries in /etc/ssmtp/revaliases<br />
root:[username]@gmail.com:smtp.gmail.com:587<br />
<br />
General config and setting up ssmtp in /etc/ssmtp/ssmtp.conf<br />
root=[username]@gmail.com<br />
mailhub=smtp.gmail.com:587<br />
hostname=localhost<br />
UseSTARTTLS=YES<br />
AuthUser=[username]@gmail.com<br />
AuthPass=[password]<br />
FromLineOverride=YES<br />
UseTLS=YES<br />
rewriteDomain=gmail.com<br />
<br />
To map local users with a different 'To:' edit /etc/mail.rc<br />
alias user user<username@gmail.com><br />
<br />
Test via<br />
echo test | mail -v -s "testing ssmtp" <receiving@email.address.com><br />
<br />
References https://wiki.archlinux.org/index.php/SSMTP<br />
<br />
== git ==<br />
<br />
=== multiple repos ===<br />
<br />
Storing multiple git repositories in a single directory (not using submodules). For this purpose there is a repository (1) which should be read/write and others that are read-only (that's important later).<br />
<br />
mv .git .git-repo1<br />
# now clone the second<br />
git clone <repo2><br />
mv .git .git-repo2<br />
mv .git-repo1 .git<br />
<br />
At this point repo1 (the read/write repo) is now going to respond to 'git' commands. To run against another repo<br />
git --git-dir=.git-repo2 <command><br />
<br />
There will be some difficulties with multiple .gitignore files but if only one repo (1) has an ignore file, it can have exclusions defined for the others repositories (since the others are read-only in this case)<br />
git --git-dir=.git-repo2 config core.excludefiles ".git-repo2-exclude"<br />
<br />
Of course the .git-repo2-exclude file would need to be included in repo1's repository.<br />
<br />
References: http://stackoverflow.com/questions/436125/two-git-repositories-in-one-directory<br />
<br />
=== remotes ===<br />
<br />
use a post-receive hook<br />
<br />
to push to something like github you must make sure the host is known<br />
ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts<br />
<br />
you can push via post-receive hook<br />
git push --all git@github.com:</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse&diff=552617
User:Enckse
2018-11-02T19:29:37Z
<p>Enckse: Drop another outdated link</p>
<hr />
<div>* [https://aur.archlinux.org/packages/?O=0&SeB=M&K=enckse&outdated=&SB=n&SO=a&PP=50&do_Search=Go AUR packages]<br />
* [[User:Enckse/TipsAndTricks]]</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/Arm&diff=552616
User:Enckse/Arm
2018-11-02T19:29:22Z
<p>Enckse: this page is also very outdated</p>
<hr />
<div></div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse&diff=552615
User:Enckse
2018-11-02T19:27:46Z
<p>Enckse: Remove link</p>
<hr />
<div>* [https://aur.archlinux.org/packages/?O=0&SeB=M&K=enckse&outdated=&SB=n&SO=a&PP=50&do_Search=Go AUR packages]<br />
* [[User:Enckse/Arm]]<br />
* [[User:Enckse/TipsAndTricks]]</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/Install&diff=552614
User:Enckse/Install
2018-11-02T19:27:34Z
<p>Enckse: this page is full of outdated information</p>
<hr />
<div></div>
Enckse
https://wiki.archlinux.org/index.php?title=AUR_helpers&diff=551888
AUR helpers
2018-10-29T04:03:19Z
<p>Enckse: /* Download and build */ as creator/maintainer of naaman I have discontinued efforts on it</p>
<hr />
<div>[[Category:Package management]]<br />
[[Category:Software comparisons]]<br />
[[de:AUR Hilfsprogramme]]<br />
[[es:AUR helpers]]<br />
[[fr:Assistants AUR]]<br />
[[ja:AUR ヘルパー]]<br />
[[pt:AUR helpers]]<br />
[[ru:AUR helpers]]<br />
[[zh-hans:AUR helpers]]<br />
{{Archive|Due to administrative reasons the content of this page has moved to github. [https://github.com/aurdc/helpers]|section=Outsourcing to GitHub}}<br />
{{Warning|1=AUR helpers are '''not supported''' by Arch Linux. You should become familiar with the [[Arch User Repository#Installing packages|manual build process]] in order to be prepared to troubleshoot problems.}}<br />
{{Note|Do not edit this article prior to discussion in [[Talk:AUR helpers]].}}<br />
<br />
AUR helpers automate certain usage of the [[Arch User Repository]]. Most AUR helpers can search for packages in the AUR and retrieve their [[PKGBUILD]]s – others additionally assist with the build and install process.<br />
<br />
[[Pacman]] only handles updates for pre-built packages in its repositories. AUR packages are redistributed in form of [[PKGBUILD]]s and need an AUR helper to automate the re-build process. However, keep in mind that a rebuild of package may be required when its shared library dependencies are updated, not only when the package itself is updated.<br />
<br />
Since AUR helpers are unsupported, they are not present in the [[official repositories]].<br />
<br />
== Legend ==<br />
<br />
The columns have the following meaning:<br />
<br />
;File review: Does not [[source]] the PKGBUILD at all by default; or, alerts the user and offers the opportunity to inspect the PKGBUILD manually before it is sourced. Some helpers are known to source PKGBUILDs before the user can inspect them, '''allowing malicious code to be executed'''. ''Optional'' means that there is a command line flag or configuration option to prevent the automatic sourcing before viewing.<br />
;Diff view: Ability to view package differences on inspection. Besides the PKGBUILD, this includes changes to files such as {{ic|.install}} or {{ic|.patch}} files.<br />
;Git clone: Uses {{man|1|git-clone}} by default to retrieve build files from the AUR.<br />
;Reliable parser: Ability to handle complex packages by using the provided metadata (RPC/.SRCINFO) instead of PKGBUILD [[w:Parsing#Parser|parsing]], such as {{AUR|aws-cli-git}}.<br />
;Reliable solver: Ability to correctly solve and build complex dependency chains, such as {{AUR|ros-lunar-desktop}}.<br />
;Split packages: Ability to correctly build and install:<br />
:* Multiple packages from the same package base, without rebuilding or reinstalling multiple times, such as {{AUR|clion}}<br />
:* Split packages which depend on a package from the same package base, such as {{AUR|libc++}} and {{AUR|libc++abi}}.<br />
:* Split packages independently, such as {{AUR|python-pyalsaaudio}} and {{AUR|python2-pyalsaaudio}}.<br />
;Clean build: Does not export new variables that can prevent a successful build process.<br />
;Batch interaction: Ability to prompt before the build process, in particular:<br />
:# Inspection of package files or their differences;<br />
:# Summary of package upgrades;<br />
:# Resolution of package conflicts and installations.<br />
:An asterisk denotes functionality specifically enabled by the user.<br />
;Shell completion: [[w:Command-line_completion|Tab completion]] is available for the listed [[shell]]s.<br />
<br />
{{Note|<br />
* Table rows are sorted by column values, where ''Yes'' or ''N/A'' take precedence over ''Partial'' or ''Optional'' and ''No'', or alphabetically if values are equal.<br />
* ''Optional'' means that a feature is available, but only through a command-line argument or configuration option. ''Partial'' means that a feature is not fully implemented, or that it partially deviates from the given criteria.}}<br />
<br />
== Search and download ==<br />
<br />
{| class="wikitable sortable" style="text-align: center;"<br />
! Name !! Written in !! File review !! Git clone !! Reliable parser !! Reliable solver !! Shell completion !! Specificity<br />
|-<br />
! {{AUR|auracle-git}}<br />
| C++ || {{Yes}} || {{Yes|https://github.com/falconindy/auracle/commit/c73bbee}} || {{Yes}} || {{Yes}} || bash || {{L|print build order}}<br />
|-<br />
! {{AUR|pbget}}<br />
| Python || {{Yes}} || {{Yes}} || {{Yes}} || {{-}} || {{-}} || {{-}}<br />
|-<br />
! {{AUR|yaah}}<br />
| Bash || {{Yes}} || {{Y|Optional}} || {{Yes}} || {{-}} || bash || {{-}}<br />
|-<br />
! {{AUR|cower}}<br />
| C || {{Yes}} || {{No}} || {{Yes}} || {{-}} || bash, zsh || {{L|regex support, sort by votes/popularity}}<br />
|-<br />
! {{AUR|package-query}}<br />
| C || {{Yes}} || {{-}} || {{No|https://github.com/archlinuxfr/package-query/issues/135}} || {{-}} || {{-}} || {{L|search only}}<br />
|-<br />
! {{AUR|repoctl}}<br />
| Go || {{Yes}} || {{No}} || {{Yes|https://github.com/goulash/pacman/blob/master/aur/aur.go}} || {{-}} || zsh || {{L|local repository support}}<br />
|-<br />
! {{Grey|1={{AUR|aurel}} <br> <small>([https://bbs.archlinux.org/viewtopic.php?pid=1522459#p1522459 discontinued])</small>}}<br />
| Emacs Lisp || {{Yes}} || {{No}} || {{Yes}} || {{-}} || {{-}} || {{L|Emacs integration}}<br />
|}<br />
<br />
== Download and build ==<br />
<br />
{| class="wikitable sortable" style="text-align: center;"<br />
! Name !! Written in !! File review !! Diff view !! Git clone !! Reliable parser !! Reliable solver !! Split packages !! Clean build !! Batch interaction || Shell completion !! Specificity<br />
|-<br />
! {{AUR|aurutils}}<br />
| Bash/C || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || 1 || zsh || {{L|[[vifm]], [[local repository]], [[package signing]], [[DeveloperWiki:Building_in_a_Clean_Chroot|clean chroot]] support, sort by votes/popularity}}<br />
|-<br />
! {{AUR|bauerbill}}<br />
| Python || {{Yes}} || {{No}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || 1 || bash, zsh || {{L|trust management, [[ABS]] support, extends ''powerpill'', {{ic|bb-wrapper}} for ''pacman'' wrapping}}<br />
|-<br />
! {{AUR|PKGBUILDer}}<br />
| Python || {{Y|Optional}} || {{No|https://github.com/Kwpolska/pkgbuilder/issues/36}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Y|[https://github.com/Kwpolska/pkgbuilder/issues/39 Partial]}} || {{Yes}} || 1* || {{-}} || {{L|automatic builds by default, use {{ic|-F}} to disable; multilingual, {{ic|pb-wrapper}} for ''pacman'' wrapping}}<br />
|-<br />
! {{AUR|repofish}}<br />
| Bash || {{Y|Optional}} || {{Yes}} || {{Yes}} || {{No}} || {{No}} || {{No}} || {{Yes}} || 1* || {{-}} || {{L|automatic builds by default, use {{ic|check}} or {{ic|update}} to disable; [[local repository]] support}}<br />
|-<br />
! {{AUR|aurget}}<br />
| Bash || {{Y|Optional}} || {{No|https://github.com/pbrisbin/aurget/issues/41}} || {{No}} || {{No}} || {{No}} || {{No|https://github.com/pbrisbin/aurget/issues/40}} || {{Yes}} || {{-}} || bash, zsh || {{L|sort by votes}}<br />
|-<br />
! {{Grey|{{AUR|naaman}} <br> <small>([https://github.com/enckse/naaman/issues/20#issuecomment-433781874 discontinued])</small>}}<br />
| Python || {{Y|Optional}} || {{No}} || {{Yes}} || {{Yes}} || {{Y|[https://github.com/enckse/naaman/issues/19 Partial]}} || {{Y|[https://github.com/enckse/naaman/issues/20 Partial]}} || {{Yes}} || 1* || bash || {{L|automatic builds by default, use {{ic|--fetch}} to disable; use {{ic|-d}} to enable the solver}}<br />
|-<br />
! {{Grey|{{AUR|spinach}} <br> <small>([https://github.com/floft/spinach discontinued])</small>}}<br />
| Bash || {{Yes|https://github.com/floft/spinach/commit/5455747}} || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{-}} || {{-}} || {{-}}<br />
|-<br />
! {{Grey|{{AUR|burgaur}} <br> <small>([https://github.com/m45t3r/burgaur/issues/7#issuecomment-365599675 discontinued])</small>}}<br />
| Python/C || {{Y|Optional}} || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{-}} || {{-}} || {{L|wrapper for ''cower''}}<br />
|}<br />
<br />
== Pacman wrappers ==<br />
<br />
{{Warning|{{man|8|pacman}} wrappers abstract the work of the package manager. They may (optionally or by default) introduce [[System_maintenance#Avoid_certain_pacman_commands|unsafe flags]], or other unexpected behavior leading to a defective system.}}<br />
<br />
{| class="wikitable sortable" style="text-align: center;"<br />
! Name !! Written in !! File review !! Diff view !! Git clone !! Reliable parser !! Reliable solver !! Split packages !! Clean build !! Unsafe flags !! Batch interaction !! Shell completion !! Specificity<br />
|-<br />
! {{AUR|pakku}}<br />
| Nim || {{Yes}} || {{Yes|https://github.com/kitsunyan/pakku/commit/396e9f4}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes|https://github.com/kitsunyan/pakku/commit/864cc03}} || [https://github.com/kitsunyan/pakku/wiki/Native-Pacman-Explanation -Sy] || 1 || bash, zsh || {{L|[[ABS]] support, AUR comments, fetch PGP keys}}<br />
|-<br />
! {{AUR|pikaur}}<br />
| Python || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes|https://github.com/actionless/pikaur/commit/d409b95}} || {{Yes}} || [https://github.com/actionless/pikaur#pikaur -Sy] || 1, 2, 3 || bash, fish, zsh || {{L|[http://0pointer.net/blog/dynamic-users-with-systemd.html dynamic users], [https://github.com/actionless/pikaur/tree/master/locale multilingual], sort by votes/popularity, print news, [https://github.com/actionless/pikaur/commit/3688d82 ignore errors]}}<br />
|-<br />
! {{AUR|yay}}<br />
| Go || {{Yes}} || {{Yes|https://github.com/Jguer/yay/pull/447}} || {{Yes|https://github.com/Jguer/yay/pull/297}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || [https://github.com/Jguer/yay/commit/3bdb534 -Sy*]<br>[https://github.com/Jguer/yay/commit/ea5a94e --ask*] || 1, [https://github.com/Jguer/yay/commit/3bdb534 2*], [https://github.com/Jguer/yay/commit/ea5a94e 3*] || bash, fish, zsh || {{L|fetch PGP keys, sort by votes/popularity, [https://github.com/Jguer/yay/commit/4bcd3a6 prompt architecture]}}<br />
|-<br />
! {{AUR|trizen}}<br />
| Perl || {{Yes}} || {{Yes}} ||{{Yes|https://github.com/trizen/trizen/commit/6fb0cc9}} || {{Yes|https://github.com/trizen/trizen/commit/7ab7ee5f}} || {{Yes}} || {{Y|[https://github.com/trizen/trizen/issues/46 Partial]}} || {{Yes}} || {{Y|[https://github.com/trizen/trizen/commit/9e7b40e -Ud*] || 1* || bash, fish, zsh || {{L|automatic builds by default, use {{ic|-G}} to disable; AUR comments}}<br />
|-<br />
! {{AUR|aura}}<br />
| Haskell || {{Y|Optional}} || {{Y|[https://github.com/aurapm/aura/blob/89bf702/aura/src/Aura/Pkgbuild/Records.hs Partial]}} || {{No|https://github.com/aurapm/aura/pull/346}} || {{Yes|https://github.com/aurapm/aura/commit/7848e983}} || {{No}} || {{No|https://github.com/aurapm/aura/issues/353}} || {{Yes}} || {{-}} || 1* || bash, zsh || {{L|automatic builds by default, use {{ic|--dryrun}} to disable; [[downgrade]] support, multilingual}}<br />
|-<br />
! {{Grey|{{AUR|aurman}} <br> <small>([https://github.com/polygamma/aurman#stopped-development-for-public-use no&nbsp;user&nbsp;support])</small>}}<br />
| Python || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes|https://github.com/polygamma/aurman/wiki/Description-of-the-aurman-dependency-solving}} || {{Yes}} || {{Yes}} || [https://github.com/polygamma/aurman/commit/6c02ba3 -Sy*]<br>[https://github.com/polygamma/aurman#make-use-of-the-undocumented---ask-flag-of-pacman --ask*] || 1, [https://github.com/polygamma/aurman#question-6 2*, 3*] || bash, fish || {{L|fetch PGP keys, sort by votes/popularity, print news}}<br />
|-<br />
! {{Grey|1={{AUR|pacaur}} <br> <small>([https://bbs.archlinux.org/viewtopic.php?pid=1755144#p1755144 discontinued])</small>}}<br />
| Bash/C || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || [https://github.com/rmarquis/pacaur/commit/d8f4918 -Ud]<br>[https://github.com/rmarquis/pacaur/commit/12707cc --ask] || 1, 3 || bash, zsh || {{L|multilingual, sort by votes/popularity}}<br />
|-<br />
! {{Grey|{{AUR|wrapaur}} <br> <small>(stalled)</small>}}<br />
| Bash || {{Yes}} || {{No}} || {{Yes}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{-}} || {{-}} || {{-}} || {{L|mirror updates, print news and AUR comments}}<br />
|-<br />
! {{Grey|{{AUR|packer-aur}} <br> <small>(stalled)</small>}}<br />
| Bash || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{-}} || {{-}} || {{-}} || {{-}}<br />
|-<br />
! {{Grey|{{AUR|yaourt}} <br> <small>(stalled)</small>}}<br />
| Bash/C || {{No|https://github.com/archlinuxfr/yaourt/blob/34b5c0b/src/lib/aur.sh#L54-L72}} || {{Y|Optional}} || {{Y|Optional}} || {{No}} || {{No|https://github.com/archlinuxfr/yaourt/issues/186}} || {{No|https://github.com/archlinuxfr/yaourt/issues/85}} || {{No|https://lists.archlinux.org/pipermail/aur-general/2015-August/031314.html}} || [https://github.com/archlinuxfr/yaourt/blob/d30823e/yaourt/yaourt#L1773 -Sy] || 2 || bash, fish, zsh || {{L|ABS support, print AUR comments, multilingual}}<br />
|}<br />
<br />
== Graphical ==<br />
<br />
{{Warning|<br />
* Graphical AUR helpers are typically aimed at [[Arch-based distributions]]. Their use in [[Arch Linux]] may lead to a defective system, for example through unattended [[partial upgrades]].<br />
* If a helper has ''known'' problematic behavior, it is colored with a red entry.}}<br />
<br />
{| class="wikitable sortable" style="text-align: center;"<br />
! Name !! Written in !! GUI toolkit !! Notes<br />
|-<br />
! {{AUR|argon}}<br />
| Python<br />
| GTK+ 3<br />
| {{-}}<br />
|-<br />
! {{AUR|cylon}}<br />
| Bash<br />
| TUI<br />
| {{-}}<br />
|-<br />
! {{AUR|pamac-aur}}<br />
| Vala<br />
| GTK+ 3<br />
| uses {{man|3|libalpm}} instead of {{man|8|pacman}}<br />
|-<br />
! {{AUR|pakku-gui}}<br />
| Python<br />
| GTK+ 3<br />
| {{-}}<br />
|-<br />
! {{AUR|PkgBrowser}}<br />
| Python<br />
| Qt 5<br />
| read-only browser for repository packages and AUR<br />
|-<br />
! {{R|{{AUR|octopi}}}}<br />
| C++<br />
| Qt 5<br />
| {{R|[https://github.com/aarnt/octopi/blob/271c7e1/octopi.install enabled on install] notifier service regularly [https://github.com/aarnt/octopi/issues/134#issuecomment-142099266 performs partial upgrades]}}<br />
|}<br />
<br />
=== Update notifiers ===<br />
<br />
{| class="wikitable" style="text-align: center;"<br />
! Name !! Package !! Written in !! GUI toolkit<br />
|-<br />
! aarchup<br />
| {{AUR|aarchup}}<br />
| C<br />
| GTK+ 2<br />
|-<br />
! arch-update<br />
| {{AUR|gnome-shell-extension-arch-update}}<br />
| JavaScript<br />
| Clutter<br />
|-<br />
! kalu<br />
| {{AUR|kalu}}<br />
| C<br />
| GTK+ 3<br />
|-<br />
! pactray<br />
| {{AUR|pactray}}<br />
| Python<br />
| GTK+ 3<br />
|-<br />
! Arch Updater<br />
| {{AUR|plasma5-applets-kde-arch-update-notifier-git}}<br />
| C++/QML<br />
| Qt 5<br />
|-<br />
! updatehint<br />
| {{AUR|updatehint}}<br />
| Bash<br />
| GTK+ 3<br />
|}<br />
<br />
== Libraries ==<br />
<br />
* {{App|haskell-archlinux|Library to access the AUR and package metadata from the Haskell programming language.|http://hackage.haskell.org/package/archlinux|{{AUR|haskell-archlinux}}}}<br />
<br />
* {{App|python3-aur|Python 3 modules for accessing AUR package information and automating AUR interactions.|http://xyne.archlinux.ca/projects/python3-aur|{{AUR|python3-aur}}}}<br />
<br />
== Maintenance ==<br />
<br />
* {{App|aur-out-of-date|Uses hoster APIs to check AUR packages for upstream changes.|https://github.com/simon04/aur-out-of-date|{{AUR|aur-out-of-date}}}}<br />
<br />
* {{App|pkgbuild-watch|Looks for changes on the upstream web pages.|http://kmkeen.com/pkgbuild-watch|{{AUR|pkgbuild-watch}}}}<br />
<br />
* {{App|pkgbuildup|Helps AUR package maintainers automatically update PKGBUILD files. Supports a template variable syntax.|https://github.com/fasheng/pkgbuildup|{{AUR|pkgbuildup-git}}}}<br />
<br />
* {{App|pkgoutofdate|Parses the source URL from PKGBUILDs and tries to find new versions of packages by incrementing the version number and sending requests to the web server.|https://github.com/anatol/pkgoutofdate|{{AUR|pkgoutofdate-git}}}}<br />
<br />
== Uploading ==<br />
<br />
* [https://github.com/JonnyJD/PKGBUILDs/blob/master/_bin/aur4_import.sh aur4_import.sh] — Splits a package from a git repository with multiple packages, adding/updating {{ic|.SRCINFO}} for every commit<br />
* [https://github.com/JonnyJD/PKGBUILDs/blob/master/_bin/aur4_make_submodule.sh aur4_make_submodule.sh] — Replaces a package in a bigger git repository with an AUR 4 submodule, including {{ic|.SRCINFO}}<br />
* {{App|aurpublish|Helper script to manage and upload AUR packages using {{man|1|git-subtree}}. Uses {{man|5|githooks}} to verify the PKGBUILD integrity, generate .SRCINFO automatically, and create a commit message template.|https://github.com/eli-schwartz/aurpublish|{{Pkg|aurpublish}}}}</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/TipsAndTricks&diff=551866
User:Enckse/TipsAndTricks
2018-10-28T23:27:25Z
<p>Enckse: cleaning up deprecated information</p>
<hr />
<div>__TOC__<br />
<br />
== Containers ==<br />
<br />
machinectl/systemd-nspawn container notes<br />
{{Warning|Always make sure to enable machines.target when expecting systemd to control machines at system start/stop}}<br />
<br />
=== Service ===<br />
<br />
Required target<br />
systemctl enable machines.target<br />
<br />
=== Shared networking ===<br />
{{hc|sudo systemctl edit systemd-nspawn@.service|2=<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --machine=%I<br />
}}<br />
<br />
=== CAC Card/Smartcard ===<br />
<br />
{{Note|You must have the same version of pcsclite in the containers as you do on the host}}<br />
<br />
To troubleshoot in a clean(ish) environment in a container<br />
<br />
make sure X is shared on the host<br />
xhost +local:<br />
<br />
in the container<br />
DISPLAY=:0<br />
export DISPLAY<br />
<br />
bind the pcscd socket to the container in the nspawn file<br />
Bind=/var/run/pcscd/<br />
<br />
in the container install firefox, pcsclite, opensc (don't need ccid and you don't need to enable pcsclite as you are using the host socket). follow the cert install instructions for Common Access Cards<br />
<br />
now to test<br />
export PCSCLITE_CSOCK_NAME=/var/run/pcscd/pcscd.comm<br />
firefox<br />
<br />
== SSH ==<br />
<br />
=== Usage ===<br />
<br />
no bashrc loading<br />
ssh -t <host> bash --norc --noprofile<br />
<br />
=== Config ===<br />
<br />
==== Proxying ====<br />
<br />
{{hc|~/.ssh/config|2=<br />
Host proxy<br />
HostName proxy.example.com<br />
RequestTTY force<br />
LocalCommand ssh dest.example.com<br />
PermitLocalCommand yes<br />
}}<br />
<br />
=== Kerberos ===<br />
<br />
If you need to login to an HPC using kerberos/ssh (e.g. https://centers.hpc.mil/users/) you should be able to do this using the latest/nightly/git versions of opensc (you should not have to fallback to coolkey) for smartcard authentication<br />
<br />
You will need to edit your opensc.conf to be ONLY THIS CONTENT (or create one and set OPENSC_CONF)<br />
{{hc|/etc/opensc.conf|2=<br />
app default {<br />
card_drivers = PIV-II;<br />
framework pkcs15 {<br />
pin_cache_ignore_user_consent = true;<br />
}<br />
}<br />
}}<br />
<br />
You will need to update the kerberos configuration to point to opensc (add this, you can remove all other ".so" pkinit_identities)<br />
{{hc|krb5.conf|2=<br />
pkinit_identities = PKCS11:/usr/lib/pkcs11/opensc-pkcs11.so<br />
}}<br />
<br />
At this point the general guidance to get a token and login should work<br />
<br />
== Commands ==<br />
<br />
Useful commands<br />
<br />
Reset xorg brightness<br />
sudo tee /sys/class/backlight/intel_backlight/brightness <<< 2000<br />
<br />
Wireless ssid scan<br />
sudo iwlist wlp3s0 scanning essid<br />
<br />
Attach files using mutt<br />
mutt -s "<subject>" <to> < <email_text> -a <file1> -a <file2><br />
<br />
Drive power on hours (needs {{Pkg|smartmontools}})<br />
# change "/1" in awk with "/24" for days or "/8765.81" for years<br />
smartctl --all /dev/sd[X] | grep "Power_On_Hours " | tr -s " " | cut -d " " -f 11 | awk '{print $0/1}'<br />
<br />
cbr/cbz files: remove whitespace from names, cbr = unrar (unrar e <options>), cbz = unzip<br />
<br />
=== Static IP ===<br />
<br />
Get a static IP when you aren't using a normal manager for networks (e.g. network manager)<br />
<br />
utilize dhcpcd<br />
{{hc|/etc/dhcpcd.conf|2=<br />
interface enp0s31f6<br />
static ip_address=192.168.1.5/24<br />
static router=192.168.1.1<br />
}}<br />
<br />
start dhcpcd on interface<br />
systemctl start dhcpcd@enp0s31f6<br />
<br />
== libvirt ==<br />
<br />
Assumes using dnsmasq and ebtables for NAT'd networking on child VMs on the host. Also that we're only using dnsmasq for this purpose<br />
<br />
first make sure dnsmasq starts and binds only how we want<br />
{{hc|/etc/dnsmasq.conf|2=<br />
interface=host-interface-name<br />
# or listen-address=ip<br />
# and<br />
bind-interfaces<br />
}}<br />
<br />
start a 'virsh' session<br />
{{Note|virsh commands, assumes 'default' config name}}<br />
net-edit default<br />
<br />
add an entry after the dhcp/range path<br />
<host mac='vm-mac-address' name='vm-name' ip='static-ip' /><br />
<br />
back to 'virsh' session<br />
net-destroy default<br />
net-start default<br />
<br />
Should reboot the host just to pick everything up<br />
<br />
references<br />
http://wiki.libvirt.org/page/Libvirtd_and_dnsmasq<br />
http://www.cyberciti.biz/faq/linux-kvm-libvirt-dnsmasq-dhcp-static-ip-address-configuration-for-guest-os/<br />
<br />
== ubnt ==<br />
<br />
=== Serial ===<br />
<br />
needs {{Pkg|minicom}}<br />
sudo minicom -s<br />
<br />
Select "Serial port setup"<br />
verify that:<br />
Device: /dev/ttyUSB0<br />
Baud: 115200<br />
HW: Off<br />
<br />
Select "Save setup as dfl" and exit<br />
<br />
Back into minicom<br />
sudo minicom<br />
<br />
Using minicom<br />
<br />
Ctrl-A then Z -> Help<br />
Ctrl-A then M -> Init modem<br />
<br />
It takes time to load, it should prompt for user/pass<br />
> ? (for help)<br />
> enable (to get into 'normal' ubnt shell)<br />
# ?<br />
# help<br />
# exit<br />
> exit<br />
<br />
References: https://help.ubnt.com/hc/en-us/articles/205202630-EdgeMAX-Connect-to-serial-console-port-default-settings https://wiki.archlinux.org/index.php/working_with_the_serial_console<br />
<br />
== SSMTP ==<br />
<br />
Mapping entries in /etc/ssmtp/revaliases<br />
root:[username]@gmail.com:smtp.gmail.com:587<br />
<br />
General config and setting up ssmtp in /etc/ssmtp/ssmtp.conf<br />
root=[username]@gmail.com<br />
mailhub=smtp.gmail.com:587<br />
hostname=localhost<br />
UseSTARTTLS=YES<br />
AuthUser=[username]@gmail.com<br />
AuthPass=[password]<br />
FromLineOverride=YES<br />
UseTLS=YES<br />
rewriteDomain=gmail.com<br />
<br />
To map local users with a different 'To:' edit /etc/mail.rc<br />
alias user user<username@gmail.com><br />
<br />
Test via<br />
echo test | mail -v -s "testing ssmtp" <receiving@email.address.com><br />
<br />
References https://wiki.archlinux.org/index.php/SSMTP<br />
<br />
== git ==<br />
<br />
=== multiple repos ===<br />
<br />
Storing multiple git repositories in a single directory (not using submodules). For this purpose there is a repository (1) which should be read/write and others that are read-only (that's important later).<br />
<br />
mv .git .git-repo1<br />
# now clone the second<br />
git clone <repo2><br />
mv .git .git-repo2<br />
mv .git-repo1 .git<br />
<br />
At this point repo1 (the read/write repo) is now going to respond to 'git' commands. To run against another repo<br />
git --git-dir=.git-repo2 <command><br />
<br />
There will be some difficulties with multiple .gitignore files but if only one repo (1) has an ignore file, it can have exclusions defined for the others repositories (since the others are read-only in this case)<br />
git --git-dir=.git-repo2 config core.excludefiles ".git-repo2-exclude"<br />
<br />
Of course the .git-repo2-exclude file would need to be included in repo1's repository.<br />
<br />
References: http://stackoverflow.com/questions/436125/two-git-repositories-in-one-directory<br />
<br />
=== remotes ===<br />
<br />
use a post-receive hook<br />
<br />
to push to something like github you must make sure the host is known<br />
ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts<br />
<br />
you can push via post-receive hook<br />
git push --all git@github.com:</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse&diff=551865
User:Enckse
2018-10-28T23:24:10Z
<p>Enckse: Condensing page</p>
<hr />
<div>* [https://aur.archlinux.org/packages/?O=0&SeB=M&K=enckse&outdated=&SB=n&SO=a&PP=50&do_Search=Go AUR packages]<br />
* [[User:Enckse/Install]]<br />
* [[User:Enckse/Arm]]<br />
* [[User:Enckse/TipsAndTricks]]</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse&diff=551863
User:Enckse
2018-10-28T23:22:00Z
<p>Enckse: /* arch notes */ link deprecated</p>
<hr />
<div>__TOC__<br />
<br />
== about ==<br />
<br />
more about me can be discovered [https://voidedtech.network here]<br />
<br />
* [https://aur.archlinux.org/packages/?O=0&SeB=M&K=enckse&outdated=&SB=n&SO=a&PP=50&do_Search=Go AUR packages]<br />
* [https://wiki.archlinux.org/index.php/Special:Contributions/Enckse wiki history]<br />
* [https://bugs.archlinux.org/user/23134 bugs]<br />
* [https://bbs.archlinux.org/profile.php?id=101519 bbs]<br />
<br />
== arch notes ==<br />
<br />
* [[User:Enckse/Install]]<br />
* [[User:Enckse/Arm]]<br />
* [[User:Enckse/TipsAndTricks]]</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/Linode&diff=551860
User:Enckse/Linode
2018-10-28T23:20:07Z
<p>Enckse: this is outdated</p>
<hr />
<div></div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/Linode&diff=541286
User:Enckse/Linode
2018-09-14T22:17:59Z
<p>Enckse: /* install */ rng-tools</p>
<hr />
<div>{{Warning|Proceed with installing raw arch (using LUKS) on a linode VPS at your own risk, these steps get you there but it requires some understanding of what you are attempting to do}}<br />
<br />
__TOC__<br />
<br />
{{Warning|to boot you'll have to ssh into the linode, get dumped into grub, and run this command to load the actual grub config (then enter LUKS password)<br />
configfile (hd0,1)/grub/grub.cfg<br />
}}<br />
<br />
== bootstrapping ==<br />
<br />
# You will need 2 disk images (1 for bootstrap, 1 for actual install as unformatted/raw)<br />
# Deploy the Linode arch image (I know, I know) to the bootstrap disk image<br />
# Follow directions [https://www.linode.com/docs/tools-reference/custom-kernels-distros/run-a-distribution-supplied-kernel-with-kvm]<br />
<br />
Summarized as install kernel, grub<br />
pacman -S linux grub<br />
<br />
configure grub for lish access<br />
{{hc|vim /etc/default/grub|2=<br />
GRUB_TIMEOUT=10<br />
GRUB_CMDLINE_LINUX="console=ttyS0,19200n8"<br />
GRUB_DISABLE_LINUX_UUID=true<br />
GRUB_SERIAL_COMMAND="serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1"<br />
GRUB_TERMINAL=serial<br />
}}<br />
<br />
setup grub<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
Change the Linode Kernel to "GRUB 2", make sure the raw/unformatted image is attached as well<br />
reboot<br />
<br />
{{Note|it's possible to lose network here, interface names change during this "update"}}<br />
<br />
== install ==<br />
<br />
prep disks and format<br />
{{hc|fdisk /dev/sdX (raw/unformatted image)|2=<br />
1 1G (83) (bootable)<br />
2 100% (83)<br />
}}<br />
<br />
{{Note|the boot directory is not encrypted}}<br />
<br />
setup LUKS<br />
mkfs.ext2 /dev/sdX1<br />
cryptsetup -c aes-xts-plain64 -y --use-random luksFormat /dev/sdX2<br />
cryptsetup luksOpen /dev/sdX2 vps<br />
<br />
and lvm<br />
pvcreate /dev/mapper/vps<br />
vgcreate vg /dev/mapper/vps<br />
lvcreate --size 1G vg --name swap<br />
lvcreate -l +100%FREE vg --name root<br />
<br />
create filesystems<br />
mkfs.ext4 /dev/mapper/vg0-root<br />
mkswap /dev/mapper/vg0-swap<br />
<br />
and mount<br />
mount /dev/mapper/vg-root /mnt<br />
swapon /dev/mapper/vg-swap<br />
mkdir /mnt/boot<br />
mount /dev/sdX1 /mnt/boot<br />
<br />
perform the actual install steps<br />
pacman -S arch-install-scripts<br />
pacstrap /mnt base vim git<br />
<br />
for fstab setup:<br />
# review and remove any entries from /mnt/etc/fstab<br />
# copy anything from the host to the LUKS partition now!<br />
# also a good time to copy the Linode instructed grub changes!<br />
<br />
genfstab -pU /mnt >> /mnt/etc/fstab<br />
arch-chroot /mnt /bin/bash<br />
<br />
system setup<br />
ln -s /usr/share/zoneinfo/<zone_info> /etc/localtime<br />
hwclock --systohc --utc<br />
echo "<machine>" > /etc/hostname<br />
<br />
{{hc|vim /etc/locale.gen|2=<br />
# uncomment en_US.UTF-8 UTF-8 and/or others<br />
# then run<br />
locale-gen<br />
}}<br />
<br />
set locale LANG<br />
echo LANG=en_US.UTF-8 >> /etc/locale.conf<br />
<br />
set the root password<br />
passwd<br />
<br />
kernel setup<br />
{{hc|vim /etc/mkinitcpio.conf|2=<br />
# MODULES - add 'ext4'<br />
# HOOKS add 'encrypt' and 'lvm2' before 'filesystems'<br />
}}<br />
<br />
regen init<br />
mkinitcpio -p linux<br />
<br />
{{Note|one may want to install [[Rng-tools]] to make sure there is enough entropy on the system for any variety of secure operations}}<br />
<br />
== grub ==<br />
<br />
make sure grub is installed<br />
pacman -S grub<br />
<br />
{{hc|vim /etc/default/grub|2=<br />
# append to GRUB_CMDLINE_LINUX<br />
cryptdevice=UUID=</dev/sdX2>:vg<br />
}}<br />
<br />
make grub config<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
cleanup and reboot<br />
exit<br />
umount -R /mnt<br />
swapoff -a<br />
reboot<br />
<br />
== networking ==<br />
<br />
configured wired adapter<br />
{{hc|vim /etc/systemd/network/wired.network|2=<br />
[Match]<br />
Name=<adapter><br />
<br />
[Network]<br />
DHCP=ipv4<br />
}}<br />
<br />
enable networkd and setup dns<br />
systemctl enable systemd-networkd<br />
systemctl start systemd-networkd<br />
<br />
{{hc|vim /etc/resolv.conf|2=<br />
nameserver <local nameserver><br />
nameserver <public nameserver><br />
}}</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/Linode&diff=541284
User:Enckse/Linode
2018-09-14T21:30:24Z
<p>Enckse: /* install */ note about haveged</p>
<hr />
<div>{{Warning|Proceed with installing raw arch (using LUKS) on a linode VPS at your own risk, these steps get you there but it requires some understanding of what you are attempting to do}}<br />
<br />
__TOC__<br />
<br />
{{Warning|to boot you'll have to ssh into the linode, get dumped into grub, and run this command to load the actual grub config (then enter LUKS password)<br />
configfile (hd0,1)/grub/grub.cfg<br />
}}<br />
<br />
== bootstrapping ==<br />
<br />
# You will need 2 disk images (1 for bootstrap, 1 for actual install as unformatted/raw)<br />
# Deploy the Linode arch image (I know, I know) to the bootstrap disk image<br />
# Follow directions [https://www.linode.com/docs/tools-reference/custom-kernels-distros/run-a-distribution-supplied-kernel-with-kvm]<br />
<br />
Summarized as install kernel, grub<br />
pacman -S linux grub<br />
<br />
configure grub for lish access<br />
{{hc|vim /etc/default/grub|2=<br />
GRUB_TIMEOUT=10<br />
GRUB_CMDLINE_LINUX="console=ttyS0,19200n8"<br />
GRUB_DISABLE_LINUX_UUID=true<br />
GRUB_SERIAL_COMMAND="serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1"<br />
GRUB_TERMINAL=serial<br />
}}<br />
<br />
setup grub<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
Change the Linode Kernel to "GRUB 2", make sure the raw/unformatted image is attached as well<br />
reboot<br />
<br />
{{Note|it's possible to lose network here, interface names change during this "update"}}<br />
<br />
== install ==<br />
<br />
prep disks and format<br />
{{hc|fdisk /dev/sdX (raw/unformatted image)|2=<br />
1 1G (83) (bootable)<br />
2 100% (83)<br />
}}<br />
<br />
{{Note|the boot directory is not encrypted}}<br />
<br />
setup LUKS<br />
mkfs.ext2 /dev/sdX1<br />
cryptsetup -c aes-xts-plain64 -y --use-random luksFormat /dev/sdX2<br />
cryptsetup luksOpen /dev/sdX2 vps<br />
<br />
and lvm<br />
pvcreate /dev/mapper/vps<br />
vgcreate vg /dev/mapper/vps<br />
lvcreate --size 1G vg --name swap<br />
lvcreate -l +100%FREE vg --name root<br />
<br />
create filesystems<br />
mkfs.ext4 /dev/mapper/vg0-root<br />
mkswap /dev/mapper/vg0-swap<br />
<br />
and mount<br />
mount /dev/mapper/vg-root /mnt<br />
swapon /dev/mapper/vg-swap<br />
mkdir /mnt/boot<br />
mount /dev/sdX1 /mnt/boot<br />
<br />
perform the actual install steps<br />
pacman -S arch-install-scripts<br />
pacstrap /mnt base vim git<br />
<br />
for fstab setup:<br />
# review and remove any entries from /mnt/etc/fstab<br />
# copy anything from the host to the LUKS partition now!<br />
# also a good time to copy the Linode instructed grub changes!<br />
<br />
genfstab -pU /mnt >> /mnt/etc/fstab<br />
arch-chroot /mnt /bin/bash<br />
<br />
system setup<br />
ln -s /usr/share/zoneinfo/<zone_info> /etc/localtime<br />
hwclock --systohc --utc<br />
echo "<machine>" > /etc/hostname<br />
<br />
{{hc|vim /etc/locale.gen|2=<br />
# uncomment en_US.UTF-8 UTF-8 and/or others<br />
# then run<br />
locale-gen<br />
}}<br />
<br />
set locale LANG<br />
echo LANG=en_US.UTF-8 >> /etc/locale.conf<br />
<br />
set the root password<br />
passwd<br />
<br />
kernel setup<br />
{{hc|vim /etc/mkinitcpio.conf|2=<br />
# MODULES - add 'ext4'<br />
# HOOKS add 'encrypt' and 'lvm2' before 'filesystems'<br />
}}<br />
<br />
regen init<br />
mkinitcpio -p linux<br />
<br />
{{Note|one may want to install haveged to make sure there is enough entropy on the system for any variety of secure operations}}<br />
<br />
== grub ==<br />
<br />
make sure grub is installed<br />
pacman -S grub<br />
<br />
{{hc|vim /etc/default/grub|2=<br />
# append to GRUB_CMDLINE_LINUX<br />
cryptdevice=UUID=</dev/sdX2>:vg<br />
}}<br />
<br />
make grub config<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
cleanup and reboot<br />
exit<br />
umount -R /mnt<br />
swapoff -a<br />
reboot<br />
<br />
== networking ==<br />
<br />
configured wired adapter<br />
{{hc|vim /etc/systemd/network/wired.network|2=<br />
[Match]<br />
Name=<adapter><br />
<br />
[Network]<br />
DHCP=ipv4<br />
}}<br />
<br />
enable networkd and setup dns<br />
systemctl enable systemd-networkd<br />
systemctl start systemd-networkd<br />
<br />
{{hc|vim /etc/resolv.conf|2=<br />
nameserver <local nameserver><br />
nameserver <public nameserver><br />
}}</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse&diff=540197
User:Enckse
2018-09-06T17:00:13Z
<p>Enckse: /* about */ can be one link now</p>
<hr />
<div>__TOC__<br />
<br />
== about ==<br />
<br />
more about me can be discovered [https://voidedtech.network here]<br />
<br />
* [https://aur.archlinux.org/packages/?O=0&SeB=M&K=enckse&outdated=&SB=n&SO=a&PP=50&do_Search=Go AUR packages]<br />
* [https://wiki.archlinux.org/index.php/Special:Contributions/Enckse wiki history]<br />
* [https://bugs.archlinux.org/user/23134 bugs]<br />
* [https://bbs.archlinux.org/profile.php?id=101519 bbs]<br />
<br />
== arch notes ==<br />
<br />
* [[User:Enckse/Install]]<br />
* [[User:Enckse/Linode]]<br />
* [[User:Enckse/Arm]]<br />
* [[User:Enckse/TipsAndTricks]]</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/Install&diff=540010
User:Enckse/Install
2018-09-05T23:31:19Z
<p>Enckse: Updating some older information</p>
<hr />
<div>Personal page for installing arch on a variety of systems/configurations/etc.<br />
<br />
{{Warning|These are specific instructions for my own use, continue at your own risk}}<br />
<br />
<br />
__TOC__<br />
<br />
== Disk Setup ==<br />
<br />
=== partition ===<br />
<br />
use a scheme to create a big enough boot partition for EFI, otherwise everything else will be set for LVM (aka not boot) <br />
<br />
gdisk /dev/<disk><br />
<br />
following prompts (as needed) to convert to gpt (if not), then configure 2 partitions<br />
<br />
1 1GB EFI partition # hex ef00<br />
2 100% size partiton <br />
<br />
{{Warning|Any disk references here should match your system}}<br />
<br />
=== boot/efi ===<br />
<br />
yes, I know my boot partition isn't encrypted.<br />
<br />
mkfs.vfat -F32 /dev/<disk>1<br />
<br />
=== cryptsetup ===<br />
<br />
use cryptsetup on the 100% size partition to encrypt data there<br />
<br />
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y --use-random luksFormat /dev/<disk>2<br />
cryptsetup luksOpen /dev/<disk>2 luks<br />
<br />
=== lvm ===<br />
<br />
going to create a volume group that is just root and swap<br />
<br />
pvcreate /dev/mapper/luks<br />
vgcreate vg /dev/mapper/luks<br />
lvcreate --size 8G vg --name swap<br />
lvcreate -l +100%FREE vg --name root<br />
<br />
=== fs/mount ===<br />
<br />
using btrfs for root and obviously swap for swap, then mount all the things<br />
mkfs.btrfs /dev/mapper/vg-root<br />
mkswap /dev/mapper/vg-swap<br />
mount /dev/mapper/vg-root /mnt <br />
swapon /dev/mapper/vg-swap <br />
mkdir /mnt/boot<br />
mount /dev/<disk>1 /mnt/boot<br />
<br />
{{Note|For a radius-networked device, do the following to acquire a network connection<br />
{{hc|/etc/wpa_supplicant/wpa_supplicant-wired-''adapter''.conf|2=<br />
ctrl_interface=/var/run/wpa_supplicant<br />
ap_scan=0<br />
network={<br />
key_mgmt=IEEE8021X<br />
eap=PEAP<br />
identity="''user_name''"<br />
password="''user_password''"<br />
phase2="autheap=MSCHAPV2"<br />
}<br />
}}<br />
ip link set ''adapter'' down<br />
systemctl start wpa_supplicant-wired@''adapter''.service<br />
systemctl start dhcpcd@''adapter''.service<br />
}}<br />
<br />
== System Configuration ==<br />
<br />
=== setup/chroot ===<br />
<br />
starting packages<br />
pacstrap /mnt bash-completion bzip2 coreutils diffutils file filesystem findutils gawk gcc-libs gettext glibc grep gzip inetutils iproute2 iputils less pacman pinentry-ng sed shadow systemd-sysvcompat tar util-linux lvm2 cryptsetup device-mapper man-db man-pages vim git btrfs-progs wpa_supplicant<br />
<br />
fstab<br />
genfstab -U /mnt >> /mnt/etc/fstab<br />
<br />
chroot<br />
arch-chroot /mnt<br />
<br />
{{Note|For a radius-networked device, do the following to make networking later easier<br />
cp /etc/wpa_supplicant/wpa_supplicant-wired-''adapter''.conf /mnt/etc/wpa_supplicant/<br />
}}<br />
<br />
{{Note|For a headless server, do the following to get networking up sooner<br />
{{hc|/etc/systemd/network/wired.network|2=<br />
[Match]<br />
Name=<adapter><br />
<br />
[Network]<br />
DHCP=ipv4<br />
}}<br />
<br />
{{hc|/etc/resolv.conf|2=<br />
nameserver <local nameserver><br />
nameserver <public nameservers...><br />
}}<br />
<br />
systemctl enable systemd-networkd<br />
systemctl enable wpa_supplicant-wired@''adapter''.service<br />
}}<br />
<br />
=== system settings ===<br />
<br />
clock<br />
rm -f /etc/localtime<br />
ln -s /usr/share/zoneinfo/<zone_info> /etc/localtime<br />
hwclock --systohc --utc<br />
<br />
hostname<br />
echo "<machine>" > /etc/hostname<br />
<br />
locale<br />
{{hc|/etc/locale.gen|2=<br />
# uncomment en_US.UTF-8 UTF-8 and/or others<br />
}}<br />
locale-gen<br />
<br />
lang<br />
echo LANG=en_US.UTF-8 >> /etc/locale.conf<br />
<br />
root password<br />
passwd<br />
<br />
fstrim<br />
systemctl enable fstrim.timer<br />
<br />
=== booting ===<br />
<br />
luks/boot/mkinitcpio<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
HOOKS=(base udev autodetect modconf block fsck keymap encrypt lvm2 btrfs filesystems keyboard)<br />
}}<br />
<br />
mkinitcpio -p linux<br />
<br />
bootctl<br />
bootctl install<br />
<br />
entry<br />
{{hc|/boot/loader/entries/arch-encrypted.conf|2=<br />
title ArchLinux<br />
linux /vmlinuz-linux<br />
initrd /initramfs-linux.img<br />
options cryptdevice=UUID=XXXX:vg root=/dev/mapper/vg-root quiet rw<br />
}}<br />
<br />
{{Note|For XXXX uuid<br />
lsblk -f<br />
---<br />
NAME FSTYPE LABEL UUID MOUNTPOINT<br />
nvme0n1 <br />
├─nvme0n1p1 vfat BOOT-UUID /boot<br />
└─nvme0n1p2 crypto_LUKS XXXX-... <br />
└─luks-XXXX-... LVM2_member LVM-UUID <br />
├─vg-swap swap SWAP-UUID [SWAP]<br />
└─vg-root btrfs ROOT-UUID /<br />
}}<br />
<br />
{{Note|install the mkinitcpio-validate (epiphyte) and linux-lts packages to configure fallbacks/previous kernels}}<br />
<br />
=== cleaning up ===<br />
<br />
exit chroot, umount, reboot<br />
exit<br />
umount -R /mnt<br />
swapoff -a<br />
reboot<br />
<br />
== User Setup ==<br />
<br />
temporary dhcp lease<br />
systemctl start dhcpcd@<adapter>.service<br />
<br />
create user<br />
useradd -m -s /bin/bash enck<br />
passwd enck<br />
<br />
sudo<br />
pacman -S sudo<br />
visudo<br />
#uncomment %wheel ALL=(ALL) ALL<br />
usermod -G wheel enck<br />
<br />
{{Note|For headless systems, go to the server section}}<br />
<br />
{{Note|Follow home.git README for dev environment}}<br />
<br />
Follow guidance within the [[Common Access Card]] page for browsers/debug/troubleshoot/etc of smartcard utilization<br />
<br />
setup machinectl networking from [[User:Enckse/TipsAndTricks#Shared_networking]]<br />
<br />
== Server/Headless Setup ==<br />
<br />
additional packages<br />
pacman -S openssh wget bash-completion<br />
<br />
=== ssh ===<br />
<br />
{{hc|/etc/ssh/sshd_config|2=<br />
Port <PORT><br />
Protocol 2<br />
# may need to enable, for a moment, to copy keys<br />
PermitRootLogin no<br />
PasswordAuthentication no<br />
}}<br />
<br />
systemctl enable sshd<br />
systemctl start sshd<br />
<br />
at this point copy ssh keys<br />
<br />
=== nftables ===<br />
<br />
{{hc|/etc/nftables.conf|2=<br />
add table ip filter<br />
add chain ip filter INPUT { type filter hook input priority 0; policy drop; }<br />
add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; }<br />
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }<br />
add chain ip filter TCP<br />
add chain ip filter UDP<br />
add rule ip filter INPUT ct state related,established counter accept<br />
add rule ip filter INPUT iifname lo counter accept<br />
add rule ip filter INPUT ct state invalid counter drop<br />
add rule ip filter INPUT icmp type echo-request ct state new counter accept<br />
add rule ip filter INPUT ip protocol udp ct state new counter jump UDP<br />
add rule ip filter INPUT tcp flags & (fin|syn|rst|ack) == syn ct state new counter jump TCP<br />
add rule ip filter INPUT ip protocol udp counter reject<br />
add rule ip filter INPUT ip protocol tcp counter reject with tcp reset<br />
add rule ip filter INPUT counter reject with icmp type prot-unreachable<br />
add rule ip filter TCP tcp dport <PORT> counter accept<br />
}}<br />
systemctl enable --now nftables<br />
<br />
== Core Server ==<br />
<br />
=== bootstrap ===<br />
<br />
we would like some utilties to bootstrap ourselves<br />
pacman openssh rsync<br />
<br />
enable sshd (permit root login) to get off of having to be "on" the physical system<br />
systemctl enable --now sshd<br />
<br />
now we can ssh and do what needs to be done<br />
<br />
=== data dirs ===<br />
<br />
for each data data, create a single linux type partition<br />
fdisk /dev/<disk><br />
<br />
crypt setup each drive<br />
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y --use-random luksFormat /dev/<disk><br />
cryptsetup luksOpen /dev/<disk> diskN<br />
mkfs.btrfs /dev/mapper/diskN<br />
<br />
setup a key<br />
dd if=/dev/urandom of=/etc/storage.key bs=512 count=8<br />
cryptsetup luksAddKey /dev/<disk> /etc/storage.key<br />
<br />
edit crypt tab<br />
disk1 UUID=lsblk -f <disk> /etc/storage.key<br />
disk2 UUID=lsblk -f <disk> /etc/storage.key <br />
<br />
and fstab<br />
/dev/mapper/disk1 /mnt/disk1 btrfs rw,ssd 0 0<br />
/dev/mapper/disk2 /mnt/disk2 btrfs rw,ssd 0 0<br />
<br />
now reboot and then<br />
mkdir -p /mnt/disk1/Storage<br />
mkdir -p /mnt/disk1/Archive<br />
mkdir -p /mnt/disk2/Nightly<br />
mkdir -p /mnt/disk2/Staging<br />
ln -s /mnt/disk1/Storage /mnt/Storage <br />
ln -s /mnt/disk2/Staging /mnt/Staging <br />
ln -s /mnt/disk1/Archive /mnt/Archive <br />
ln -s /mnt/disk2/Nightly /mnt/Nightly<br />
<br />
=== general usage ===<br />
<br />
back to the story<br />
su enck<br />
cd ~<br />
mkdir .ssh<br />
chmod 700 .ssh<br />
# copy pub key<br />
chmod 600 .ssh/authorized_keys<br />
exit<br />
<br />
configure the ssh config as we'd like at this point (set root password if still in simple setup mode), get nftables rules setup<br />
pacman -S nftables<br />
# copy rules to /etc/nftables.conf<br />
systemctl enable --now nftables<br />
<br />
now complete https://wiki.archlinux.org/index.php/User:Enckse/TipsAndTricks#LUKS for luks over ssh<br />
reboot<br />
<br />
=== data ===<br />
<br />
time to copy data<br />
pacman -S screen<br />
<br />
make sure we're forwarding our agent<br />
screen<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Storage /mnt/Storage<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Staging /mnt/Staging<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Archive /mnt/Archive<br />
<br />
Starting copying any previous configs from one system to another. start git controlling etc<br />
<br />
make sure to enable cronie<br />
systemctl enable --now cronie<br />
<br />
test ssmtp (after getting configs set)<br />
echo 'test' | mail -v -s "testing" <email@address><br />
<br />
=== managing ===<br />
<br />
clone core<br />
cd /opt<br />
git clone <path/to/core/repo><br />
<br />
setup user links<br />
su enck<br />
cd ~<br />
ln -s /mnt/Storage store<br />
ln -s /mnt/Storage/Git git<br />
<br />
install core-scripts and test scripts/validate cron/etc.</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/TipsAndTricks&diff=538239
User:Enckse/TipsAndTricks
2018-08-28T14:32:54Z
<p>Enckse: /* Kerberos */ opensc.conf should ONLY be this</p>
<hr />
<div>__TOC__<br />
<br />
== X ==<br />
<br />
=== Large Cursor ===<br />
<br />
In some cases a GTK application will pull in Adwaita and that can cause a 'comically large' mouse cursor<br />
{{hc|/usr/share/icons/default/index.theme|2=<br />
#Comment out this line<br />
Inherits=Adwaita<br />
}}<br />
<br />
== Containers ==<br />
<br />
machinectl/systemd-nspawn container notes<br />
{{Warning|Always make sure to enable machines.target when expecting systemd to control machines at system start/stop}}<br />
<br />
=== Service ===<br />
<br />
Required target<br />
systemctl enable machines.target<br />
<br />
=== Shared networking ===<br />
{{hc|sudo systemctl edit systemd-nspawn@.service|2=<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --machine=%I<br />
}}<br />
<br />
=== CAC Card/Smartcard ===<br />
<br />
{{Note|You must have the same version of pcsclite in the containers as you do on the host}}<br />
<br />
To troubleshoot in a clean(ish) environment in a container<br />
<br />
make sure X is shared on the host<br />
xhost +local:<br />
<br />
in the container<br />
DISPLAY=:0<br />
export DISPLAY<br />
<br />
bind the pcscd socket to the container in the nspawn file<br />
Bind=/var/run/pcscd/<br />
<br />
in the container install firefox, pcsclite, opensc (don't need ccid and you don't need to enable pcsclite as you are using the host socket). follow the cert install instructions for Common Access Cards<br />
<br />
now to test<br />
export PCSCLITE_CSOCK_NAME=/var/run/pcscd/pcscd.comm<br />
firefox<br />
<br />
== SSH ==<br />
<br />
=== Usage ===<br />
<br />
no bashrc loading<br />
ssh -t <host> bash --norc --noprofile<br />
<br />
=== Config ===<br />
<br />
==== Matching ====<br />
<br />
{{hc|~/.ssh/config|2=<br />
<nowiki><br />
Match exec "echo '%n' | grep -q -E '^(host1|host2|host3)$'"<br />
Port 1234<br />
<br />
Match exec "echo '%n' \| grep -q -E '^(host4|host2)$'"<br />
ForwardAgent yes<br />
</nowiki><br />
}}<br />
<br />
==== Proxying ====<br />
<br />
{{hc|~/.ssh/config|2=<br />
Host proxy<br />
HostName proxy.example.com<br />
RequestTTY force<br />
LocalCommand ssh dest.example.com<br />
PermitLocalCommand yes<br />
}}<br />
<br />
=== Kerberos ===<br />
<br />
If you need to login to an HPC using kerberos/ssh (e.g. https://centers.hpc.mil/users/) you should be able to do this using the latest/nightly/git versions of opensc (you should not have to fallback to coolkey) for smartcard authentication<br />
<br />
You will need to edit your opensc.conf to be ONLY THIS CONTENT (or create one and set OPENSC_CONF)<br />
{{hc|/etc/opensc.conf|2=<br />
app default {<br />
card_drivers = PIV-II;<br />
framework pkcs15 {<br />
pin_cache_ignore_user_consent = true;<br />
}<br />
}<br />
}}<br />
<br />
You will need to update the kerberos configuration to point to opensc (add this, you can remove all other ".so" pkinit_identities)<br />
{{hc|krb5.conf|2=<br />
pkinit_identities = PKCS11:/usr/lib/pkcs11/opensc-pkcs11.so<br />
}}<br />
<br />
At this point the general guidance to get a token and login should work<br />
<br />
=== LUKS ===<br />
<br />
make sure we're up-to-date<br />
pacman -S tinyssh base-devel<br />
# install naaman<br />
naaman -S ucspi-tcp mkinitcpio-utils mkinitcpio-netconf mkinitcpio-tinyssh<br />
<br />
prep for use/boot<br />
cat /home/enck/.ssh/authorized_keys >> /etc/tinyssh/root_key<br />
<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
# HOOKS change 'encrypt' 'encryptssh' and add 'netconf' and 'tinyssh' before 'encryptssh'<br />
}}<br />
<br />
{{hc|/boot/loader/entries/arch-encrypted.conf|2=<br />
# add to options<br />
ip=:::::eth0:dhcp<br />
}}<br />
<br />
rebuild<br />
mkinitcpio -p linux<br />
<br />
== Commands ==<br />
<br />
Useful commands<br />
<br />
Reset xorg brightness<br />
sudo tee /sys/class/backlight/intel_backlight/brightness <<< 2000<br />
<br />
Wireless ssid scan<br />
sudo iwlist wlp3s0 scanning essid<br />
<br />
Attach files using mutt<br />
mutt -s "<subject>" <to> < <email_text> -a <file1> -a <file2><br />
<br />
Drive power on hours (needs {{Pkg|smartmontools}})<br />
# change "/1" in awk with "/24" for days or "/8765.81" for years<br />
smartctl --all /dev/sd[X] | grep "Power_On_Hours " | tr -s " " | cut -d " " -f 11 | awk '{print $0/1}'<br />
<br />
cbr/cbz files: remove whitespace from names, cbr = unrar (unrar e <options>), cbz = unzip<br />
<br />
=== Downgrading Packages ===<br />
<br />
start in the cache<br />
cd /var/cache/pacman/pkg<br />
ls -l | grep "<package>"<br />
<br />
find it in the [[Arch Linux Archive]] and download if you don't have it in the cache<br />
<br />
run downgrade<br />
pacman -U <package><br />
<br />
ignoring for a while (if needed)<br />
{{hc|/etc/pacman.conf|2=<br />
IgnorePkg = <package> <package2><br />
}}<br />
<br />
=== Static IP ===<br />
<br />
Get a static IP when you aren't using a normal manager for networks (e.g. network manager)<br />
<br />
utilize dhcpcd<br />
{{hc|/etc/dhcpcd.conf|2=<br />
interface enp0s31f6<br />
static ip_address=192.168.1.5/24<br />
static router=192.168.1.1<br />
}}<br />
<br />
start dhcpcd on interface<br />
systemctl start dhcpcd@enp0s31f6<br />
<br />
== libvirt ==<br />
<br />
Assumes using dnsmasq and ebtables for NAT'd networking on child VMs on the host. Also that we're only using dnsmasq for this purpose<br />
<br />
first make sure dnsmasq starts and binds only how we want<br />
{{hc|/etc/dnsmasq.conf|2=<br />
interface=host-interface-name<br />
# or listen-address=ip<br />
# and<br />
bind-interfaces<br />
}}<br />
<br />
start a 'virsh' session<br />
{{Note|virsh commands, assumes 'default' config name}}<br />
net-edit default<br />
<br />
add an entry after the dhcp/range path<br />
<host mac='vm-mac-address' name='vm-name' ip='static-ip' /><br />
<br />
back to 'virsh' session<br />
net-destroy default<br />
net-start default<br />
<br />
Should reboot the host just to pick everything up<br />
<br />
references<br />
http://wiki.libvirt.org/page/Libvirtd_and_dnsmasq<br />
http://www.cyberciti.biz/faq/linux-kvm-libvirt-dnsmasq-dhcp-static-ip-address-configuration-for-guest-os/<br />
<br />
== ubnt ==<br />
<br />
=== Serial ===<br />
<br />
needs {{Pkg|minicom}}<br />
sudo minicom -s<br />
<br />
Select "Serial port setup"<br />
verify that:<br />
Device: /dev/ttyUSB0<br />
Baud: 115200<br />
HW: Off<br />
<br />
Select "Save setup as dfl" and exit<br />
<br />
Back into minicom<br />
sudo minicom<br />
<br />
Using minicom<br />
<br />
Ctrl-A then Z -> Help<br />
Ctrl-A then M -> Init modem<br />
<br />
It takes time to load, it should prompt for user/pass<br />
> ? (for help)<br />
> enable (to get into 'normal' ubnt shell)<br />
# ?<br />
# help<br />
# exit<br />
> exit<br />
<br />
References: https://help.ubnt.com/hc/en-us/articles/205202630-EdgeMAX-Connect-to-serial-console-port-default-settings https://wiki.archlinux.org/index.php/working_with_the_serial_console<br />
<br />
== SSMTP ==<br />
<br />
Mapping entries in /etc/ssmtp/revaliases<br />
root:[username]@gmail.com:smtp.gmail.com:587<br />
<br />
General config and setting up ssmtp in /etc/ssmtp/ssmtp.conf<br />
root=[username]@gmail.com<br />
mailhub=smtp.gmail.com:587<br />
hostname=localhost<br />
UseSTARTTLS=YES<br />
AuthUser=[username]@gmail.com<br />
AuthPass=[password]<br />
FromLineOverride=YES<br />
UseTLS=YES<br />
rewriteDomain=gmail.com<br />
<br />
To map local users with a different 'To:' edit /etc/mail.rc<br />
alias user user<username@gmail.com><br />
<br />
Test via<br />
echo test | mail -v -s "testing ssmtp" <receiving@email.address.com><br />
<br />
References https://wiki.archlinux.org/index.php/SSMTP<br />
<br />
== git ==<br />
<br />
=== multiple repos ===<br />
<br />
Storing multiple git repositories in a single directory (not using submodules). For this purpose there is a repository (1) which should be read/write and others that are read-only (that's important later).<br />
<br />
mv .git .git-repo1<br />
# now clone the second<br />
git clone <repo2><br />
mv .git .git-repo2<br />
mv .git-repo1 .git<br />
<br />
At this point repo1 (the read/write repo) is now going to respond to 'git' commands. To run against another repo<br />
git --git-dir=.git-repo2 <command><br />
<br />
There will be some difficulties with multiple .gitignore files but if only one repo (1) has an ignore file, it can have exclusions defined for the others repositories (since the others are read-only in this case)<br />
git --git-dir=.git-repo2 config core.excludefiles ".git-repo2-exclude"<br />
<br />
Of course the .git-repo2-exclude file would need to be included in repo1's repository.<br />
<br />
References: http://stackoverflow.com/questions/436125/two-git-repositories-in-one-directory<br />
<br />
=== remotes ===<br />
<br />
use a post-receive hook<br />
<br />
to push to something like github you must make sure the host is known<br />
ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts<br />
<br />
you can push via post-receive hook<br />
git push --all git@github.com:</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/TipsAndTricks&diff=538237
User:Enckse/TipsAndTricks
2018-08-28T14:31:46Z
<p>Enckse: /* SSH */ notes on kerberos</p>
<hr />
<div>__TOC__<br />
<br />
== X ==<br />
<br />
=== Large Cursor ===<br />
<br />
In some cases a GTK application will pull in Adwaita and that can cause a 'comically large' mouse cursor<br />
{{hc|/usr/share/icons/default/index.theme|2=<br />
#Comment out this line<br />
Inherits=Adwaita<br />
}}<br />
<br />
== Containers ==<br />
<br />
machinectl/systemd-nspawn container notes<br />
{{Warning|Always make sure to enable machines.target when expecting systemd to control machines at system start/stop}}<br />
<br />
=== Service ===<br />
<br />
Required target<br />
systemctl enable machines.target<br />
<br />
=== Shared networking ===<br />
{{hc|sudo systemctl edit systemd-nspawn@.service|2=<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --machine=%I<br />
}}<br />
<br />
=== CAC Card/Smartcard ===<br />
<br />
{{Note|You must have the same version of pcsclite in the containers as you do on the host}}<br />
<br />
To troubleshoot in a clean(ish) environment in a container<br />
<br />
make sure X is shared on the host<br />
xhost +local:<br />
<br />
in the container<br />
DISPLAY=:0<br />
export DISPLAY<br />
<br />
bind the pcscd socket to the container in the nspawn file<br />
Bind=/var/run/pcscd/<br />
<br />
in the container install firefox, pcsclite, opensc (don't need ccid and you don't need to enable pcsclite as you are using the host socket). follow the cert install instructions for Common Access Cards<br />
<br />
now to test<br />
export PCSCLITE_CSOCK_NAME=/var/run/pcscd/pcscd.comm<br />
firefox<br />
<br />
== SSH ==<br />
<br />
=== Usage ===<br />
<br />
no bashrc loading<br />
ssh -t <host> bash --norc --noprofile<br />
<br />
=== Config ===<br />
<br />
==== Matching ====<br />
<br />
{{hc|~/.ssh/config|2=<br />
<nowiki><br />
Match exec "echo '%n' | grep -q -E '^(host1|host2|host3)$'"<br />
Port 1234<br />
<br />
Match exec "echo '%n' \| grep -q -E '^(host4|host2)$'"<br />
ForwardAgent yes<br />
</nowiki><br />
}}<br />
<br />
==== Proxying ====<br />
<br />
{{hc|~/.ssh/config|2=<br />
Host proxy<br />
HostName proxy.example.com<br />
RequestTTY force<br />
LocalCommand ssh dest.example.com<br />
PermitLocalCommand yes<br />
}}<br />
<br />
=== Kerberos ===<br />
<br />
If you need to login to an HPC using kerberos/ssh (e.g. https://centers.hpc.mil/users/) you should be able to do this using the latest/nightly/git versions of opensc (you should not have to fallback to coolkey) for smartcard authentication<br />
<br />
You will need to edit your opensc.conf (or create one and set OPENSC_CONF)<br />
{{hc|/etc/opensc.conf|2=<br />
app default {<br />
card_drivers = PIV-II;<br />
framework pkcs15 {<br />
pin_cache_ignore_user_consent = true;<br />
}<br />
}<br />
}}<br />
<br />
You will need to update the kerberos configuration to point to opensc (add this, you can remove all other ".so" pkinit_identities)<br />
{{hc|krb5.conf|2=<br />
pkinit_identities = PKCS11:/usr/lib/pkcs11/opensc-pkcs11.so<br />
}}<br />
<br />
At this point the general guidance to get a token and login should work<br />
<br />
=== LUKS ===<br />
<br />
make sure we're up-to-date<br />
pacman -S tinyssh base-devel<br />
# install naaman<br />
naaman -S ucspi-tcp mkinitcpio-utils mkinitcpio-netconf mkinitcpio-tinyssh<br />
<br />
prep for use/boot<br />
cat /home/enck/.ssh/authorized_keys >> /etc/tinyssh/root_key<br />
<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
# HOOKS change 'encrypt' 'encryptssh' and add 'netconf' and 'tinyssh' before 'encryptssh'<br />
}}<br />
<br />
{{hc|/boot/loader/entries/arch-encrypted.conf|2=<br />
# add to options<br />
ip=:::::eth0:dhcp<br />
}}<br />
<br />
rebuild<br />
mkinitcpio -p linux<br />
<br />
== Commands ==<br />
<br />
Useful commands<br />
<br />
Reset xorg brightness<br />
sudo tee /sys/class/backlight/intel_backlight/brightness <<< 2000<br />
<br />
Wireless ssid scan<br />
sudo iwlist wlp3s0 scanning essid<br />
<br />
Attach files using mutt<br />
mutt -s "<subject>" <to> < <email_text> -a <file1> -a <file2><br />
<br />
Drive power on hours (needs {{Pkg|smartmontools}})<br />
# change "/1" in awk with "/24" for days or "/8765.81" for years<br />
smartctl --all /dev/sd[X] | grep "Power_On_Hours " | tr -s " " | cut -d " " -f 11 | awk '{print $0/1}'<br />
<br />
cbr/cbz files: remove whitespace from names, cbr = unrar (unrar e <options>), cbz = unzip<br />
<br />
=== Downgrading Packages ===<br />
<br />
start in the cache<br />
cd /var/cache/pacman/pkg<br />
ls -l | grep "<package>"<br />
<br />
find it in the [[Arch Linux Archive]] and download if you don't have it in the cache<br />
<br />
run downgrade<br />
pacman -U <package><br />
<br />
ignoring for a while (if needed)<br />
{{hc|/etc/pacman.conf|2=<br />
IgnorePkg = <package> <package2><br />
}}<br />
<br />
=== Static IP ===<br />
<br />
Get a static IP when you aren't using a normal manager for networks (e.g. network manager)<br />
<br />
utilize dhcpcd<br />
{{hc|/etc/dhcpcd.conf|2=<br />
interface enp0s31f6<br />
static ip_address=192.168.1.5/24<br />
static router=192.168.1.1<br />
}}<br />
<br />
start dhcpcd on interface<br />
systemctl start dhcpcd@enp0s31f6<br />
<br />
== libvirt ==<br />
<br />
Assumes using dnsmasq and ebtables for NAT'd networking on child VMs on the host. Also that we're only using dnsmasq for this purpose<br />
<br />
first make sure dnsmasq starts and binds only how we want<br />
{{hc|/etc/dnsmasq.conf|2=<br />
interface=host-interface-name<br />
# or listen-address=ip<br />
# and<br />
bind-interfaces<br />
}}<br />
<br />
start a 'virsh' session<br />
{{Note|virsh commands, assumes 'default' config name}}<br />
net-edit default<br />
<br />
add an entry after the dhcp/range path<br />
<host mac='vm-mac-address' name='vm-name' ip='static-ip' /><br />
<br />
back to 'virsh' session<br />
net-destroy default<br />
net-start default<br />
<br />
Should reboot the host just to pick everything up<br />
<br />
references<br />
http://wiki.libvirt.org/page/Libvirtd_and_dnsmasq<br />
http://www.cyberciti.biz/faq/linux-kvm-libvirt-dnsmasq-dhcp-static-ip-address-configuration-for-guest-os/<br />
<br />
== ubnt ==<br />
<br />
=== Serial ===<br />
<br />
needs {{Pkg|minicom}}<br />
sudo minicom -s<br />
<br />
Select "Serial port setup"<br />
verify that:<br />
Device: /dev/ttyUSB0<br />
Baud: 115200<br />
HW: Off<br />
<br />
Select "Save setup as dfl" and exit<br />
<br />
Back into minicom<br />
sudo minicom<br />
<br />
Using minicom<br />
<br />
Ctrl-A then Z -> Help<br />
Ctrl-A then M -> Init modem<br />
<br />
It takes time to load, it should prompt for user/pass<br />
> ? (for help)<br />
> enable (to get into 'normal' ubnt shell)<br />
# ?<br />
# help<br />
# exit<br />
> exit<br />
<br />
References: https://help.ubnt.com/hc/en-us/articles/205202630-EdgeMAX-Connect-to-serial-console-port-default-settings https://wiki.archlinux.org/index.php/working_with_the_serial_console<br />
<br />
== SSMTP ==<br />
<br />
Mapping entries in /etc/ssmtp/revaliases<br />
root:[username]@gmail.com:smtp.gmail.com:587<br />
<br />
General config and setting up ssmtp in /etc/ssmtp/ssmtp.conf<br />
root=[username]@gmail.com<br />
mailhub=smtp.gmail.com:587<br />
hostname=localhost<br />
UseSTARTTLS=YES<br />
AuthUser=[username]@gmail.com<br />
AuthPass=[password]<br />
FromLineOverride=YES<br />
UseTLS=YES<br />
rewriteDomain=gmail.com<br />
<br />
To map local users with a different 'To:' edit /etc/mail.rc<br />
alias user user<username@gmail.com><br />
<br />
Test via<br />
echo test | mail -v -s "testing ssmtp" <receiving@email.address.com><br />
<br />
References https://wiki.archlinux.org/index.php/SSMTP<br />
<br />
== git ==<br />
<br />
=== multiple repos ===<br />
<br />
Storing multiple git repositories in a single directory (not using submodules). For this purpose there is a repository (1) which should be read/write and others that are read-only (that's important later).<br />
<br />
mv .git .git-repo1<br />
# now clone the second<br />
git clone <repo2><br />
mv .git .git-repo2<br />
mv .git-repo1 .git<br />
<br />
At this point repo1 (the read/write repo) is now going to respond to 'git' commands. To run against another repo<br />
git --git-dir=.git-repo2 <command><br />
<br />
There will be some difficulties with multiple .gitignore files but if only one repo (1) has an ignore file, it can have exclusions defined for the others repositories (since the others are read-only in this case)<br />
git --git-dir=.git-repo2 config core.excludefiles ".git-repo2-exclude"<br />
<br />
Of course the .git-repo2-exclude file would need to be included in repo1's repository.<br />
<br />
References: http://stackoverflow.com/questions/436125/two-git-repositories-in-one-directory<br />
<br />
=== remotes ===<br />
<br />
use a post-receive hook<br />
<br />
to push to something like github you must make sure the host is known<br />
ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts<br />
<br />
you can push via post-receive hook<br />
git push --all git@github.com:</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/Install&diff=534315
User:Enckse/Install
2018-08-12T23:29:59Z
<p>Enckse: /* system settings */ fstrim.timer</p>
<hr />
<div>Personal page for installing arch on a variety of systems/configurations/etc.<br />
<br />
{{Warning|These are specific instructions for my own use, continue at your own risk}}<br />
<br />
<br />
__TOC__<br />
<br />
== Disk Setup ==<br />
<br />
=== partition ===<br />
<br />
use a scheme to create a big enough boot partition for EFI, otherwise everything else will be set for LVM (aka not boot) <br />
<br />
gdisk /dev/<disk><br />
<br />
following prompts (as needed) to convert to gpt (if not), then configure 2 partitions<br />
<br />
1 1GB EFI partition # hex ef00<br />
2 100% size partiton <br />
<br />
{{Warning|Any disk references here should match your system}}<br />
<br />
=== boot/efi ===<br />
<br />
yes, I know my boot partition isn't encrypted.<br />
<br />
mkfs.vfat -F32 /dev/<disk>1<br />
<br />
=== cryptsetup ===<br />
<br />
use cryptsetup on the 100% size partition to encrypt data there<br />
<br />
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y --use-random luksFormat /dev/<disk>2<br />
cryptsetup luksOpen /dev/<disk>2 luks<br />
<br />
=== lvm ===<br />
<br />
going to create a volume group that is just root and swap<br />
<br />
pvcreate /dev/mapper/luks<br />
vgcreate vg /dev/mapper/luks<br />
lvcreate --size 8G vg --name swap<br />
lvcreate -l +100%FREE vg --name root<br />
<br />
=== fs/mount ===<br />
<br />
using btrfs for root and obviously swap for swap, then mount all the things<br />
mkfs.btrfs /dev/mapper/vg-root<br />
mkswap /dev/mapper/vg-swap<br />
mount /dev/mapper/vg-root /mnt <br />
swapon /dev/mapper/vg-swap <br />
mkdir /mnt/boot<br />
mount /dev/<disk>1 /mnt/boot<br />
<br />
{{Note|For a radius-networked device, do the following to acquire a network connection<br />
{{hc|/etc/wpa_supplicant/wpa_supplicant-wired-''adapter''.conf|2=<br />
ctrl_interface=/var/run/wpa_supplicant<br />
ap_scan=0<br />
network={<br />
key_mgmt=IEEE8021X<br />
eap=PEAP<br />
identity="''user_name''"<br />
password="''user_password''"<br />
phase2="autheap=MSCHAPV2"<br />
}<br />
}}<br />
ip link set ''adapter'' down<br />
systemctl start wpa_supplicant-wired@''adapter''.service<br />
systemctl start dhcpcd@''adapter''.service<br />
}}<br />
<br />
== System Configuration ==<br />
<br />
=== setup/chroot ===<br />
<br />
starting packages<br />
pacstrap /mnt base vim git btrfs-progs wpa_supplicant<br />
<br />
fstab<br />
genfstab -pU /mnt >> /mnt/etc/fstab<br />
<br />
chroot<br />
arch-chroot /mnt /bin/bash<br />
<br />
{{Note|For a radius-networked device, do the following to make networking later easier<br />
cp /etc/wpa_supplicant/wpa_supplicant-wired-''adapter''.conf /mnt/etc/wpa_supplicant/<br />
}}<br />
<br />
{{Note|For a headless server, do the following to get networking up sooner<br />
{{hc|/etc/systemd/network/wired.network|2=<br />
[Match]<br />
Name=<adapter><br />
<br />
[Network]<br />
DHCP=ipv4<br />
}}<br />
<br />
{{hc|/etc/resolv.conf|2=<br />
nameserver <local nameserver><br />
nameserver <public nameservers...><br />
}}<br />
<br />
systemctl enable systemd-networkd<br />
systemctl enable wpa_supplicant-wired@''adapter''.service<br />
}}<br />
<br />
=== system settings ===<br />
<br />
clock<br />
rm -f /etc/localtime<br />
ln -s /usr/share/zoneinfo/<zone_info> /etc/localtime<br />
hwclock --systohc --utc<br />
<br />
hostname<br />
echo "<machine>" > /etc/hostname<br />
<br />
locale<br />
{{hc|/etc/locale.gen|2=<br />
# uncomment en_US.UTF-8 UTF-8 and/or others<br />
}}<br />
locale-gen<br />
<br />
lang<br />
echo LANG=en_US.UTF-8 >> /etc/locale.conf<br />
<br />
root password<br />
passwd<br />
<br />
fstrim<br />
systemctl enable fstrim.timer<br />
<br />
=== booting ===<br />
<br />
luks/boot/mkinitcpio<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
HOOKS=(base udev autodetect modconf block fsck keymap encrypt lvm2 btrfs filesystems keyboard)<br />
}}<br />
<br />
mkinitcpio -p linux<br />
<br />
bootctl<br />
bootctl install<br />
<br />
entry<br />
{{hc|/boot/loader/entries/arch-encrypted.conf|2=<br />
title ArchLinux<br />
linux /vmlinuz-linux<br />
initrd /initramfs-linux.img<br />
options cryptdevice=UUID=XXXX:vg root=/dev/mapper/vg-root quiet rw<br />
}}<br />
<br />
{{Note|For XXXX uuid<br />
lsblk -f<br />
---<br />
NAME FSTYPE LABEL UUID MOUNTPOINT<br />
nvme0n1 <br />
├─nvme0n1p1 vfat BOOT-UUID /boot<br />
└─nvme0n1p2 crypto_LUKS XXXX-... <br />
└─luks-XXXX-... LVM2_member LVM-UUID <br />
├─vg-swap swap SWAP-UUID [SWAP]<br />
└─vg-root btrfs ROOT-UUID /<br />
}}<br />
<br />
{{Note|install the mkinitcpio-validate (epiphyte) and linux-lts packages to configure fallbacks/previous kernels}}<br />
<br />
=== cleaning up ===<br />
<br />
exit chroot, umount, reboot<br />
exit<br />
umount -R /mnt<br />
swapoff -a<br />
reboot<br />
<br />
== User Setup ==<br />
<br />
temporary dhcp lease<br />
systemctl start dhcpcd@<adapter>.service<br />
<br />
create user<br />
useradd -m -s /bin/bash enck<br />
passwd enck<br />
<br />
sudo<br />
pacman -S sudo<br />
visudo<br />
#uncomment %wheel ALL=(ALL) ALL<br />
usermod -G wheel enck<br />
<br />
{{Note|For headless systems, go to the server section}}<br />
<br />
{{Note|Follow home.git README for dev environment}}<br />
<br />
Follow guidance within the [[Common Access Card]] page for browsers/debug/troubleshoot/etc of smartcard utilization<br />
<br />
setup machinectl networking from [[User:Enckse/TipsAndTricks#Shared_networking]]<br />
<br />
== Server/Headless Setup ==<br />
<br />
additional packages<br />
pacman -S openssh wget bash-completion<br />
<br />
=== ssh ===<br />
<br />
{{hc|/etc/ssh/sshd_config|2=<br />
Port <PORT><br />
Protocol 2<br />
# may need to enable, for a moment, to copy keys<br />
PermitRootLogin no<br />
PasswordAuthentication no<br />
}}<br />
<br />
systemctl enable sshd<br />
systemctl start sshd<br />
<br />
at this point copy ssh keys<br />
<br />
=== iptables ===<br />
<br />
{{hc|/etc/iptables/iptables.rules|2=<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:TCP - [0:0]<br />
:UDP - [0:0]<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -m conntrack --ctstate INVALID -j DROP<br />
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP<br />
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
-A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
-A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
-A TCP -p tcp --dport <PORT> -j ACCEPT<br />
<br />
COMMIT<br />
}}<br />
systemctl enable --now iptables<br />
<br />
== Core Server ==<br />
<br />
=== bootstrap ===<br />
<br />
we would like some utilties to bootstrap ourselves<br />
pacman openssh rsync<br />
<br />
enable sshd (permit root login) to get off of having to be "on" the physical system<br />
systemctl enable --now sshd<br />
<br />
now we can ssh and do what needs to be done<br />
<br />
=== data dirs ===<br />
<br />
for each data data, create a single linux type partition<br />
fdisk /dev/<disk><br />
<br />
crypt setup each drive<br />
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y --use-random luksFormat /dev/<disk><br />
cryptsetup luksOpen /dev/<disk> diskN<br />
mkfs.btrfs /dev/mapper/diskN<br />
<br />
setup a key<br />
dd if=/dev/urandom of=/etc/storage.key bs=512 count=8<br />
cryptsetup luksAddKey /dev/<disk> /etc/storage.key<br />
<br />
edit crypt tab<br />
disk1 UUID=lsblk -f <disk> /etc/storage.key<br />
disk2 UUID=lsblk -f <disk> /etc/storage.key <br />
<br />
and fstab<br />
/dev/mapper/disk1 /mnt/disk1 btrfs rw,ssd 0 0<br />
/dev/mapper/disk2 /mnt/disk2 btrfs rw,ssd 0 0<br />
<br />
now reboot and then<br />
mkdir -p /mnt/disk1/Storage<br />
mkdir -p /mnt/disk1/Archive<br />
mkdir -p /mnt/disk2/Nightly<br />
mkdir -p /mnt/disk2/Staging<br />
ln -s /mnt/disk1/Storage /mnt/Storage <br />
ln -s /mnt/disk2/Staging /mnt/Staging <br />
ln -s /mnt/disk1/Archive /mnt/Archive <br />
ln -s /mnt/disk2/Nightly /mnt/Nightly<br />
<br />
=== general usage ===<br />
<br />
remove nano<br />
pacman -R nano<br />
<br />
back to the story<br />
su enck<br />
cd ~<br />
mkdir .ssh<br />
chmod 700 .ssh<br />
# copy pub key<br />
chmod 600 .ssh/authorized_keys<br />
exit<br />
<br />
at this point I should install naaman to help myself later and<br />
pacman -S tinyssh base-devel arch-install-scripts<br />
<br />
configure the ssh config as we'd like at this point (set root password if still in simple setup mode), get iptables rules setup<br />
pacman -S iptables<br />
# copy rules to /etc/iptables/iptables.rules<br />
systemctl enable --now iptables<br />
<br />
now complete https://wiki.archlinux.org/index.php/User:Enckse/TipsAndTricks#LUKS for luks over ssh<br />
reboot<br />
<br />
=== data ===<br />
<br />
time to copy data<br />
pacman -S screen<br />
<br />
make sure we're forwarding our agent<br />
screen<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Storage /mnt/Storage<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Staging /mnt/Staging<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Archive /mnt/Archive<br />
<br />
Starting copying any previous configs from one system to another. start git controlling etc<br />
<br />
make sure to enable cronie<br />
systemctl enable --now cronie<br />
<br />
test ssmtp (after getting configs set)<br />
echo 'test' | mail -v -s "testing" <email@address><br />
<br />
=== managing ===<br />
<br />
clone core<br />
cd /opt<br />
git clone <path/to/core/repo><br />
<br />
setup user links<br />
su enck<br />
cd ~<br />
ln -s /mnt/Storage store<br />
ln -s /mnt/Storage/Git git<br />
<br />
install core-scripts and test scripts/validate cron/etc.</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/Install&diff=534314
User:Enckse/Install
2018-08-12T23:29:03Z
<p>Enckse: /* booting */ fallbacks</p>
<hr />
<div>Personal page for installing arch on a variety of systems/configurations/etc.<br />
<br />
{{Warning|These are specific instructions for my own use, continue at your own risk}}<br />
<br />
<br />
__TOC__<br />
<br />
== Disk Setup ==<br />
<br />
=== partition ===<br />
<br />
use a scheme to create a big enough boot partition for EFI, otherwise everything else will be set for LVM (aka not boot) <br />
<br />
gdisk /dev/<disk><br />
<br />
following prompts (as needed) to convert to gpt (if not), then configure 2 partitions<br />
<br />
1 1GB EFI partition # hex ef00<br />
2 100% size partiton <br />
<br />
{{Warning|Any disk references here should match your system}}<br />
<br />
=== boot/efi ===<br />
<br />
yes, I know my boot partition isn't encrypted.<br />
<br />
mkfs.vfat -F32 /dev/<disk>1<br />
<br />
=== cryptsetup ===<br />
<br />
use cryptsetup on the 100% size partition to encrypt data there<br />
<br />
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y --use-random luksFormat /dev/<disk>2<br />
cryptsetup luksOpen /dev/<disk>2 luks<br />
<br />
=== lvm ===<br />
<br />
going to create a volume group that is just root and swap<br />
<br />
pvcreate /dev/mapper/luks<br />
vgcreate vg /dev/mapper/luks<br />
lvcreate --size 8G vg --name swap<br />
lvcreate -l +100%FREE vg --name root<br />
<br />
=== fs/mount ===<br />
<br />
using btrfs for root and obviously swap for swap, then mount all the things<br />
mkfs.btrfs /dev/mapper/vg-root<br />
mkswap /dev/mapper/vg-swap<br />
mount /dev/mapper/vg-root /mnt <br />
swapon /dev/mapper/vg-swap <br />
mkdir /mnt/boot<br />
mount /dev/<disk>1 /mnt/boot<br />
<br />
{{Note|For a radius-networked device, do the following to acquire a network connection<br />
{{hc|/etc/wpa_supplicant/wpa_supplicant-wired-''adapter''.conf|2=<br />
ctrl_interface=/var/run/wpa_supplicant<br />
ap_scan=0<br />
network={<br />
key_mgmt=IEEE8021X<br />
eap=PEAP<br />
identity="''user_name''"<br />
password="''user_password''"<br />
phase2="autheap=MSCHAPV2"<br />
}<br />
}}<br />
ip link set ''adapter'' down<br />
systemctl start wpa_supplicant-wired@''adapter''.service<br />
systemctl start dhcpcd@''adapter''.service<br />
}}<br />
<br />
== System Configuration ==<br />
<br />
=== setup/chroot ===<br />
<br />
starting packages<br />
pacstrap /mnt base vim git btrfs-progs wpa_supplicant<br />
<br />
fstab<br />
genfstab -pU /mnt >> /mnt/etc/fstab<br />
<br />
chroot<br />
arch-chroot /mnt /bin/bash<br />
<br />
{{Note|For a radius-networked device, do the following to make networking later easier<br />
cp /etc/wpa_supplicant/wpa_supplicant-wired-''adapter''.conf /mnt/etc/wpa_supplicant/<br />
}}<br />
<br />
{{Note|For a headless server, do the following to get networking up sooner<br />
{{hc|/etc/systemd/network/wired.network|2=<br />
[Match]<br />
Name=<adapter><br />
<br />
[Network]<br />
DHCP=ipv4<br />
}}<br />
<br />
{{hc|/etc/resolv.conf|2=<br />
nameserver <local nameserver><br />
nameserver <public nameservers...><br />
}}<br />
<br />
systemctl enable systemd-networkd<br />
systemctl enable wpa_supplicant-wired@''adapter''.service<br />
}}<br />
<br />
=== system settings ===<br />
<br />
clock<br />
rm -f /etc/localtime<br />
ln -s /usr/share/zoneinfo/<zone_info> /etc/localtime<br />
hwclock --systohc --utc<br />
<br />
hostname<br />
echo "<machine>" > /etc/hostname<br />
<br />
locale<br />
{{hc|/etc/locale.gen|2=<br />
# uncomment en_US.UTF-8 UTF-8 and/or others<br />
}}<br />
locale-gen<br />
<br />
lang<br />
echo LANG=en_US.UTF-8 >> /etc/locale.conf<br />
<br />
root password<br />
passwd<br />
<br />
=== booting ===<br />
<br />
luks/boot/mkinitcpio<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
HOOKS=(base udev autodetect modconf block fsck keymap encrypt lvm2 btrfs filesystems keyboard)<br />
}}<br />
<br />
mkinitcpio -p linux<br />
<br />
bootctl<br />
bootctl install<br />
<br />
entry<br />
{{hc|/boot/loader/entries/arch-encrypted.conf|2=<br />
title ArchLinux<br />
linux /vmlinuz-linux<br />
initrd /initramfs-linux.img<br />
options cryptdevice=UUID=XXXX:vg root=/dev/mapper/vg-root quiet rw<br />
}}<br />
<br />
{{Note|For XXXX uuid<br />
lsblk -f<br />
---<br />
NAME FSTYPE LABEL UUID MOUNTPOINT<br />
nvme0n1 <br />
├─nvme0n1p1 vfat BOOT-UUID /boot<br />
└─nvme0n1p2 crypto_LUKS XXXX-... <br />
└─luks-XXXX-... LVM2_member LVM-UUID <br />
├─vg-swap swap SWAP-UUID [SWAP]<br />
└─vg-root btrfs ROOT-UUID /<br />
}}<br />
<br />
{{Note|install the mkinitcpio-validate (epiphyte) and linux-lts packages to configure fallbacks/previous kernels}}<br />
<br />
=== cleaning up ===<br />
<br />
exit chroot, umount, reboot<br />
exit<br />
umount -R /mnt<br />
swapoff -a<br />
reboot<br />
<br />
== User Setup ==<br />
<br />
temporary dhcp lease<br />
systemctl start dhcpcd@<adapter>.service<br />
<br />
create user<br />
useradd -m -s /bin/bash enck<br />
passwd enck<br />
<br />
sudo<br />
pacman -S sudo<br />
visudo<br />
#uncomment %wheel ALL=(ALL) ALL<br />
usermod -G wheel enck<br />
<br />
{{Note|For headless systems, go to the server section}}<br />
<br />
{{Note|Follow home.git README for dev environment}}<br />
<br />
Follow guidance within the [[Common Access Card]] page for browsers/debug/troubleshoot/etc of smartcard utilization<br />
<br />
setup machinectl networking from [[User:Enckse/TipsAndTricks#Shared_networking]]<br />
<br />
== Server/Headless Setup ==<br />
<br />
additional packages<br />
pacman -S openssh wget bash-completion<br />
<br />
=== ssh ===<br />
<br />
{{hc|/etc/ssh/sshd_config|2=<br />
Port <PORT><br />
Protocol 2<br />
# may need to enable, for a moment, to copy keys<br />
PermitRootLogin no<br />
PasswordAuthentication no<br />
}}<br />
<br />
systemctl enable sshd<br />
systemctl start sshd<br />
<br />
at this point copy ssh keys<br />
<br />
=== iptables ===<br />
<br />
{{hc|/etc/iptables/iptables.rules|2=<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:TCP - [0:0]<br />
:UDP - [0:0]<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -m conntrack --ctstate INVALID -j DROP<br />
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP<br />
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
-A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
-A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
-A TCP -p tcp --dport <PORT> -j ACCEPT<br />
<br />
COMMIT<br />
}}<br />
systemctl enable --now iptables<br />
<br />
== Core Server ==<br />
<br />
=== bootstrap ===<br />
<br />
we would like some utilties to bootstrap ourselves<br />
pacman openssh rsync<br />
<br />
enable sshd (permit root login) to get off of having to be "on" the physical system<br />
systemctl enable --now sshd<br />
<br />
now we can ssh and do what needs to be done<br />
<br />
=== data dirs ===<br />
<br />
for each data data, create a single linux type partition<br />
fdisk /dev/<disk><br />
<br />
crypt setup each drive<br />
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y --use-random luksFormat /dev/<disk><br />
cryptsetup luksOpen /dev/<disk> diskN<br />
mkfs.btrfs /dev/mapper/diskN<br />
<br />
setup a key<br />
dd if=/dev/urandom of=/etc/storage.key bs=512 count=8<br />
cryptsetup luksAddKey /dev/<disk> /etc/storage.key<br />
<br />
edit crypt tab<br />
disk1 UUID=lsblk -f <disk> /etc/storage.key<br />
disk2 UUID=lsblk -f <disk> /etc/storage.key <br />
<br />
and fstab<br />
/dev/mapper/disk1 /mnt/disk1 btrfs rw,ssd 0 0<br />
/dev/mapper/disk2 /mnt/disk2 btrfs rw,ssd 0 0<br />
<br />
now reboot and then<br />
mkdir -p /mnt/disk1/Storage<br />
mkdir -p /mnt/disk1/Archive<br />
mkdir -p /mnt/disk2/Nightly<br />
mkdir -p /mnt/disk2/Staging<br />
ln -s /mnt/disk1/Storage /mnt/Storage <br />
ln -s /mnt/disk2/Staging /mnt/Staging <br />
ln -s /mnt/disk1/Archive /mnt/Archive <br />
ln -s /mnt/disk2/Nightly /mnt/Nightly<br />
<br />
=== general usage ===<br />
<br />
remove nano<br />
pacman -R nano<br />
<br />
back to the story<br />
su enck<br />
cd ~<br />
mkdir .ssh<br />
chmod 700 .ssh<br />
# copy pub key<br />
chmod 600 .ssh/authorized_keys<br />
exit<br />
<br />
at this point I should install naaman to help myself later and<br />
pacman -S tinyssh base-devel arch-install-scripts<br />
<br />
configure the ssh config as we'd like at this point (set root password if still in simple setup mode), get iptables rules setup<br />
pacman -S iptables<br />
# copy rules to /etc/iptables/iptables.rules<br />
systemctl enable --now iptables<br />
<br />
now complete https://wiki.archlinux.org/index.php/User:Enckse/TipsAndTricks#LUKS for luks over ssh<br />
reboot<br />
<br />
=== data ===<br />
<br />
time to copy data<br />
pacman -S screen<br />
<br />
make sure we're forwarding our agent<br />
screen<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Storage /mnt/Storage<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Staging /mnt/Staging<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Archive /mnt/Archive<br />
<br />
Starting copying any previous configs from one system to another. start git controlling etc<br />
<br />
make sure to enable cronie<br />
systemctl enable --now cronie<br />
<br />
test ssmtp (after getting configs set)<br />
echo 'test' | mail -v -s "testing" <email@address><br />
<br />
=== managing ===<br />
<br />
clone core<br />
cd /opt<br />
git clone <path/to/core/repo><br />
<br />
setup user links<br />
su enck<br />
cd ~<br />
ln -s /mnt/Storage store<br />
ln -s /mnt/Storage/Git git<br />
<br />
install core-scripts and test scripts/validate cron/etc.</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/TipsAndTricks&diff=528827
User:Enckse/TipsAndTricks
2018-07-04T20:51:53Z
<p>Enckse: /* Commands */ static ip with dhcpcd</p>
<hr />
<div>__TOC__<br />
<br />
== X ==<br />
<br />
=== Large Cursor ===<br />
<br />
In some cases a GTK application will pull in Adwaita and that can cause a 'comically large' mouse cursor<br />
{{hc|/usr/share/icons/default/index.theme|2=<br />
#Comment out this line<br />
Inherits=Adwaita<br />
}}<br />
<br />
== Containers ==<br />
<br />
machinectl/systemd-nspawn container notes<br />
{{Warning|Always make sure to enable machines.target when expecting systemd to control machines at system start/stop}}<br />
<br />
=== Service ===<br />
<br />
Required target<br />
systemctl enable machines.target<br />
<br />
=== Shared networking ===<br />
{{hc|sudo systemctl edit systemd-nspawn@.service|2=<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --machine=%I<br />
}}<br />
<br />
=== CAC Card/Smartcard ===<br />
<br />
{{Note|You must have the same version of pcsclite in the containers as you do on the host}}<br />
<br />
To troubleshoot in a clean(ish) environment in a container<br />
<br />
make sure X is shared on the host<br />
xhost +local:<br />
<br />
in the container<br />
DISPLAY=:0<br />
export DISPLAY<br />
<br />
bind the pcscd socket to the container in the nspawn file<br />
Bind=/var/run/pcscd/<br />
<br />
in the container install firefox, pcsclite, opensc (don't need ccid and you don't need to enable pcsclite as you are using the host socket). follow the cert install instructions for Common Access Cards<br />
<br />
now to test<br />
export PCSCLITE_CSOCK_NAME=/var/run/pcscd/pcscd.comm<br />
firefox<br />
<br />
== SSH ==<br />
<br />
=== Usage ===<br />
<br />
no bashrc loading<br />
ssh -t <host> bash --norc --noprofile<br />
<br />
=== Config ===<br />
<br />
==== Matching ====<br />
<br />
{{hc|~/.ssh/config|2=<br />
<nowiki><br />
Match exec "echo '%n' | grep -q -E '^(host1|host2|host3)$'"<br />
Port 1234<br />
<br />
Match exec "echo '%n' \| grep -q -E '^(host4|host2)$'"<br />
ForwardAgent yes<br />
</nowiki><br />
}}<br />
<br />
==== Proxying ====<br />
<br />
{{hc|~/.ssh/config|2=<br />
Host proxy<br />
HostName proxy.example.com<br />
RequestTTY force<br />
LocalCommand ssh dest.example.com<br />
PermitLocalCommand yes<br />
}}<br />
<br />
=== LUKS ===<br />
<br />
make sure we're up-to-date<br />
pacman -S tinyssh base-devel<br />
# install naaman<br />
naaman -S ucspi-tcp mkinitcpio-utils mkinitcpio-netconf mkinitcpio-tinyssh<br />
<br />
prep for use/boot<br />
cat /home/enck/.ssh/authorized_keys >> /etc/tinyssh/root_key<br />
<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
# HOOKS change 'encrypt' 'encryptssh' and add 'netconf' and 'tinyssh' before 'encryptssh'<br />
}}<br />
<br />
{{hc|/boot/loader/entries/arch-encrypted.conf|2=<br />
# add to options<br />
ip=:::::eth0:dhcp<br />
}}<br />
<br />
rebuild<br />
mkinitcpio -p linux<br />
<br />
== Commands ==<br />
<br />
Useful commands<br />
<br />
Reset xorg brightness<br />
sudo tee /sys/class/backlight/intel_backlight/brightness <<< 2000<br />
<br />
Wireless ssid scan<br />
sudo iwlist wlp3s0 scanning essid<br />
<br />
Attach files using mutt<br />
mutt -s "<subject>" <to> < <email_text> -a <file1> -a <file2><br />
<br />
Drive power on hours (needs {{Pkg|smartmontools}})<br />
# change "/1" in awk with "/24" for days or "/8765.81" for years<br />
smartctl --all /dev/sd[X] | grep "Power_On_Hours " | tr -s " " | cut -d " " -f 11 | awk '{print $0/1}'<br />
<br />
cbr/cbz files: remove whitespace from names, cbr = unrar (unrar e <options>), cbz = unzip<br />
<br />
=== Downgrading Packages ===<br />
<br />
start in the cache<br />
cd /var/cache/pacman/pkg<br />
ls -l | grep "<package>"<br />
<br />
find it in the [[Arch Linux Archive]] and download if you don't have it in the cache<br />
<br />
run downgrade<br />
pacman -U <package><br />
<br />
ignoring for a while (if needed)<br />
{{hc|/etc/pacman.conf|2=<br />
IgnorePkg = <package> <package2><br />
}}<br />
<br />
=== Static IP ===<br />
<br />
Get a static IP when you aren't using a normal manager for networks (e.g. network manager)<br />
<br />
utilize dhcpcd<br />
{{hc|/etc/dhcpcd.conf|2=<br />
interface enp0s31f6<br />
static ip_address=192.168.1.5/24<br />
static router=192.168.1.1<br />
}}<br />
<br />
start dhcpcd on interface<br />
systemctl start dhcpcd@enp0s31f6<br />
<br />
== libvirt ==<br />
<br />
Assumes using dnsmasq and ebtables for NAT'd networking on child VMs on the host. Also that we're only using dnsmasq for this purpose<br />
<br />
first make sure dnsmasq starts and binds only how we want<br />
{{hc|/etc/dnsmasq.conf|2=<br />
interface=host-interface-name<br />
# or listen-address=ip<br />
# and<br />
bind-interfaces<br />
}}<br />
<br />
start a 'virsh' session<br />
{{Note|virsh commands, assumes 'default' config name}}<br />
net-edit default<br />
<br />
add an entry after the dhcp/range path<br />
<host mac='vm-mac-address' name='vm-name' ip='static-ip' /><br />
<br />
back to 'virsh' session<br />
net-destroy default<br />
net-start default<br />
<br />
Should reboot the host just to pick everything up<br />
<br />
references<br />
http://wiki.libvirt.org/page/Libvirtd_and_dnsmasq<br />
http://www.cyberciti.biz/faq/linux-kvm-libvirt-dnsmasq-dhcp-static-ip-address-configuration-for-guest-os/<br />
<br />
== ubnt ==<br />
<br />
=== Serial ===<br />
<br />
needs {{Pkg|minicom}}<br />
sudo minicom -s<br />
<br />
Select "Serial port setup"<br />
verify that:<br />
Device: /dev/ttyUSB0<br />
Baud: 115200<br />
HW: Off<br />
<br />
Select "Save setup as dfl" and exit<br />
<br />
Back into minicom<br />
sudo minicom<br />
<br />
Using minicom<br />
<br />
Ctrl-A then Z -> Help<br />
Ctrl-A then M -> Init modem<br />
<br />
It takes time to load, it should prompt for user/pass<br />
> ? (for help)<br />
> enable (to get into 'normal' ubnt shell)<br />
# ?<br />
# help<br />
# exit<br />
> exit<br />
<br />
References: https://help.ubnt.com/hc/en-us/articles/205202630-EdgeMAX-Connect-to-serial-console-port-default-settings https://wiki.archlinux.org/index.php/working_with_the_serial_console<br />
<br />
== SSMTP ==<br />
<br />
Mapping entries in /etc/ssmtp/revaliases<br />
root:[username]@gmail.com:smtp.gmail.com:587<br />
<br />
General config and setting up ssmtp in /etc/ssmtp/ssmtp.conf<br />
root=[username]@gmail.com<br />
mailhub=smtp.gmail.com:587<br />
hostname=localhost<br />
UseSTARTTLS=YES<br />
AuthUser=[username]@gmail.com<br />
AuthPass=[password]<br />
FromLineOverride=YES<br />
UseTLS=YES<br />
rewriteDomain=gmail.com<br />
<br />
To map local users with a different 'To:' edit /etc/mail.rc<br />
alias user user<username@gmail.com><br />
<br />
Test via<br />
echo test | mail -v -s "testing ssmtp" <receiving@email.address.com><br />
<br />
References https://wiki.archlinux.org/index.php/SSMTP<br />
<br />
== git ==<br />
<br />
=== multiple repos ===<br />
<br />
Storing multiple git repositories in a single directory (not using submodules). For this purpose there is a repository (1) which should be read/write and others that are read-only (that's important later).<br />
<br />
mv .git .git-repo1<br />
# now clone the second<br />
git clone <repo2><br />
mv .git .git-repo2<br />
mv .git-repo1 .git<br />
<br />
At this point repo1 (the read/write repo) is now going to respond to 'git' commands. To run against another repo<br />
git --git-dir=.git-repo2 <command><br />
<br />
There will be some difficulties with multiple .gitignore files but if only one repo (1) has an ignore file, it can have exclusions defined for the others repositories (since the others are read-only in this case)<br />
git --git-dir=.git-repo2 config core.excludefiles ".git-repo2-exclude"<br />
<br />
Of course the .git-repo2-exclude file would need to be included in repo1's repository.<br />
<br />
References: http://stackoverflow.com/questions/436125/two-git-repositories-in-one-directory<br />
<br />
=== remotes ===<br />
<br />
use a post-receive hook<br />
<br />
to push to something like github you must make sure the host is known<br />
ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts<br />
<br />
you can push via post-receive hook<br />
git push --all git@github.com:</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse&diff=528182
User:Enckse
2018-06-29T21:42:17Z
<p>Enckse: /* about */ bbs</p>
<hr />
<div>__TOC__<br />
<br />
== about ==<br />
<br />
more about me can be discovered [https://voidedtech.network here]<br />
<br />
* [https://aur.archlinux.org/packages/?O=0&SeB=m&K=enckse&do_Search=Go Maintained] and [https://aur.archlinux.org/packages/?O=0&SeB=c&K=enckse&do_Search=Go Co-maintained] AUR packages<br />
* [https://wiki.archlinux.org/index.php/Special:Contributions/Enckse wiki history]<br />
* [https://bugs.archlinux.org/user/23134 bugs]<br />
* [https://bbs.archlinux.org/profile.php?id=101519 bbs]<br />
<br />
== arch notes ==<br />
<br />
* [[User:Enckse/Install]]<br />
* [[User:Enckse/Linode]]<br />
* [[User:Enckse/Arm]]<br />
* [[User:Enckse/TipsAndTricks]]</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse&diff=528045
User:Enckse
2018-06-29T06:19:13Z
<p>Enckse: /* warning */ one last comment</p>
<hr />
<div>__TOC__<br />
<br />
== about ==<br />
<br />
more about me can be discovered [https://voidedtech.network here]<br />
<br />
* [https://aur.archlinux.org/packages/?O=0&SeB=m&K=enckse&do_Search=Go Maintained] and [https://aur.archlinux.org/packages/?O=0&SeB=c&K=enckse&do_Search=Go Co-maintained] AUR packages<br />
* [https://wiki.archlinux.org/index.php/Special:Contributions/Enckse wiki history]<br />
* [https://bugs.archlinux.org/user/23134 bugs]<br />
<br />
== warning ==<br />
<br />
As an arch user for about ~2.5 years as of mid-2018 (and a user of many-a-distro before that), I'd advise anyone who has found this page to assess whether arch is really right for you (hint: it's not for me, it's probably not for you). I would not declare myself an above average packager (mainly PKGBUILD author) but I've been in this ecosystem long enough to grasp most of the concepts. I find understanding and utilizing the concepts will not help and you will get treated like a moron by many existing (but not all) TU/dev personnel of this distribution no matter what (yes yes, they are volunteers so they can behave however they'd like, clearly). Not only are you likely treated poorly, you've likely read the endless WARNINGS about the AUR. Rightfully so. It's user content, it could be garbage or insecure or something much more nefarious. What do you get from the developers/TUs in terms of packaging, though? You are expressly operating in a web-of-trust with them and assuming they are not going to do arbitrary things and that they will make logical decisions. This is a poor assumption, for example:<br />
<br />
* maybe you'd like your dm to [https://bugs.archlinux.org/task/58830 break] for a weeks? you should probably be using xinit anyway<br />
* maybe we should just pick random kernel flags from ubuntu, [https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/linux&id=cd8bb4aec3e99a54f54d11a60703cf069c84aaec right]? That won't cause any issues, [https://bugs.archlinux.org/task/57479 right]? it's just the kernel<br />
* maybe you'd rather your tools misuse features of the PKGBUILD to solve your problems and impact everyone else, [https://bugs.archlinux.org/task/59159 sound good]? "So what."<br />
<br />
This is a great place to enjoy a strange social experiment where there is some belief that there is power in being an arch developer or TU or support staff and everyone else is barely able to keep themselves from drooling everywhere they go. Hey, it's arch though, so I probably just can't computer properly and should rtfm until I can.<br />
<br />
Also nothing is newsworthy. I don't know why arch has news.<br />
<br />
== arch notes ==<br />
<br />
* [[User:Enckse/Install]]<br />
* [[User:Enckse/Linode]]<br />
* [[User:Enckse/Arm]]<br />
* [[User:Enckse/TipsAndTricks]]</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse&diff=528044
User:Enckse
2018-06-29T06:17:20Z
<p>Enckse: Writing this, arch can host it</p>
<hr />
<div>__TOC__<br />
<br />
== about ==<br />
<br />
more about me can be discovered [https://voidedtech.network here]<br />
<br />
* [https://aur.archlinux.org/packages/?O=0&SeB=m&K=enckse&do_Search=Go Maintained] and [https://aur.archlinux.org/packages/?O=0&SeB=c&K=enckse&do_Search=Go Co-maintained] AUR packages<br />
* [https://wiki.archlinux.org/index.php/Special:Contributions/Enckse wiki history]<br />
* [https://bugs.archlinux.org/user/23134 bugs]<br />
<br />
== warning ==<br />
<br />
As an arch user for about ~2.5 years as of mid-2018 (and a user of many-a-distro before that), I'd advise anyone who has found this page to assess whether arch is really right for you (hint: it's not for me, it's probably not for you). I would not declare myself an above average packager (mainly PKGBUILD author) but I've been in this ecosystem long enough to grasp most of the concepts. I find understanding and utilizing the concepts will not help and you will get treated like a moron by many existing (but not all) TU/dev personnel of this distribution no matter what (yes yes, they are volunteers so they can behave however they'd like, clearly). Not only are you likely treated poorly, you've likely read the endless WARNINGS about the AUR. Rightfully so. It's user content, it could be garbage or insecure or something much more nefarious. What do you get from the developers/TUs in terms of packaging, though? You are expressly operating in a web-of-trust with them and assuming they are not going to do arbitrary things and that they will make logical decisions. This is a poor assumption, for example:<br />
<br />
* maybe you'd like your dm to [https://bugs.archlinux.org/task/58830 break] for a weeks? you should probably be using xinit anyway<br />
* maybe we should just pick random kernel flags from ubuntu, [https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/linux&id=cd8bb4aec3e99a54f54d11a60703cf069c84aaec right]? That won't cause any issues, [https://bugs.archlinux.org/task/57479 right]? it's just the kernel<br />
* maybe you'd rather your tools misuse features of the PKGBUILD to solve your problems and impact everyone else, [https://bugs.archlinux.org/task/59159 sound good]? "So what."<br />
<br />
This is a great place to enjoy a strange social experiment where there is some belief that there is power in being an arch developer or TU or support staff and everyone else is barely able to keep themselves from drooling everywhere they go. Hey, it's arch though, so I probably just can't computer properly and should rtfm until I can.<br />
<br />
== arch notes ==<br />
<br />
* [[User:Enckse/Install]]<br />
* [[User:Enckse/Linode]]<br />
* [[User:Enckse/Arm]]<br />
* [[User:Enckse/TipsAndTricks]]</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/TipsAndTricks&diff=527596
User:Enckse/TipsAndTricks
2018-06-24T14:10:21Z
<p>Enckse: /* ubnt */ minicom pkg</p>
<hr />
<div>__TOC__<br />
<br />
== X ==<br />
<br />
=== Large Cursor ===<br />
<br />
In some cases a GTK application will pull in Adwaita and that can cause a 'comically large' mouse cursor<br />
{{hc|/usr/share/icons/default/index.theme|2=<br />
#Comment out this line<br />
Inherits=Adwaita<br />
}}<br />
<br />
== Containers ==<br />
<br />
machinectl/systemd-nspawn container notes<br />
{{Warning|Always make sure to enable machines.target when expecting systemd to control machines at system start/stop}}<br />
<br />
=== Service ===<br />
<br />
Required target<br />
systemctl enable machines.target<br />
<br />
=== Shared networking ===<br />
{{hc|sudo systemctl edit systemd-nspawn@.service|2=<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --machine=%I<br />
}}<br />
<br />
=== CAC Card/Smartcard ===<br />
<br />
{{Note|You must have the same version of pcsclite in the containers as you do on the host}}<br />
<br />
To troubleshoot in a clean(ish) environment in a container<br />
<br />
make sure X is shared on the host<br />
xhost +local:<br />
<br />
in the container<br />
DISPLAY=:0<br />
export DISPLAY<br />
<br />
bind the pcscd socket to the container in the nspawn file<br />
Bind=/var/run/pcscd/<br />
<br />
in the container install firefox, pcsclite, opensc (don't need ccid and you don't need to enable pcsclite as you are using the host socket). follow the cert install instructions for Common Access Cards<br />
<br />
now to test<br />
export PCSCLITE_CSOCK_NAME=/var/run/pcscd/pcscd.comm<br />
firefox<br />
<br />
== SSH ==<br />
<br />
=== Usage ===<br />
<br />
no bashrc loading<br />
ssh -t <host> bash --norc --noprofile<br />
<br />
=== Config ===<br />
<br />
==== Matching ====<br />
<br />
{{hc|~/.ssh/config|2=<br />
<nowiki><br />
Match exec "echo '%n' | grep -q -E '^(host1|host2|host3)$'"<br />
Port 1234<br />
<br />
Match exec "echo '%n' \| grep -q -E '^(host4|host2)$'"<br />
ForwardAgent yes<br />
</nowiki><br />
}}<br />
<br />
==== Proxying ====<br />
<br />
{{hc|~/.ssh/config|2=<br />
Host proxy<br />
HostName proxy.example.com<br />
RequestTTY force<br />
LocalCommand ssh dest.example.com<br />
PermitLocalCommand yes<br />
}}<br />
<br />
=== LUKS ===<br />
<br />
make sure we're up-to-date<br />
pacman -S tinyssh base-devel<br />
# install naaman<br />
naaman -S ucspi-tcp mkinitcpio-utils mkinitcpio-netconf mkinitcpio-tinyssh<br />
<br />
prep for use/boot<br />
cat /home/enck/.ssh/authorized_keys >> /etc/tinyssh/root_key<br />
<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
# HOOKS change 'encrypt' 'encryptssh' and add 'netconf' and 'tinyssh' before 'encryptssh'<br />
}}<br />
<br />
{{hc|/boot/loader/entries/arch-encrypted.conf|2=<br />
# add to options<br />
ip=:::::eth0:dhcp<br />
}}<br />
<br />
rebuild<br />
mkinitcpio -p linux<br />
<br />
== Commands ==<br />
<br />
Useful commands<br />
<br />
Reset xorg brightness<br />
sudo tee /sys/class/backlight/intel_backlight/brightness <<< 2000<br />
<br />
Wireless ssid scan<br />
sudo iwlist wlp3s0 scanning essid<br />
<br />
Attach files using mutt<br />
mutt -s "<subject>" <to> < <email_text> -a <file1> -a <file2><br />
<br />
Drive power on hours (needs {{Pkg|smartmontools}})<br />
# change "/1" in awk with "/24" for days or "/8765.81" for years<br />
smartctl --all /dev/sd[X] | grep "Power_On_Hours " | tr -s " " | cut -d " " -f 11 | awk '{print $0/1}'<br />
<br />
cbr/cbz files: remove whitespace from names, cbr = unrar (unrar e <options>), cbz = unzip<br />
<br />
=== Downgrading Packages ===<br />
<br />
start in the cache<br />
cd /var/cache/pacman/pkg<br />
ls -l | grep "<package>"<br />
<br />
find it in the [[Arch Linux Archive]] and download if you don't have it in the cache<br />
<br />
run downgrade<br />
pacman -U <package><br />
<br />
ignoring for a while (if needed)<br />
{{hc|/etc/pacman.conf|2=<br />
IgnorePkg = <package> <package2><br />
}}<br />
<br />
== libvirt ==<br />
<br />
Assumes using dnsmasq and ebtables for NAT'd networking on child VMs on the host. Also that we're only using dnsmasq for this purpose<br />
<br />
first make sure dnsmasq starts and binds only how we want<br />
{{hc|/etc/dnsmasq.conf|2=<br />
interface=host-interface-name<br />
# or listen-address=ip<br />
# and<br />
bind-interfaces<br />
}}<br />
<br />
start a 'virsh' session<br />
{{Note|virsh commands, assumes 'default' config name}}<br />
net-edit default<br />
<br />
add an entry after the dhcp/range path<br />
<host mac='vm-mac-address' name='vm-name' ip='static-ip' /><br />
<br />
back to 'virsh' session<br />
net-destroy default<br />
net-start default<br />
<br />
Should reboot the host just to pick everything up<br />
<br />
references<br />
http://wiki.libvirt.org/page/Libvirtd_and_dnsmasq<br />
http://www.cyberciti.biz/faq/linux-kvm-libvirt-dnsmasq-dhcp-static-ip-address-configuration-for-guest-os/<br />
<br />
== ubnt ==<br />
<br />
=== Serial ===<br />
<br />
needs {{Pkg|minicom}}<br />
sudo minicom -s<br />
<br />
Select "Serial port setup"<br />
verify that:<br />
Device: /dev/ttyUSB0<br />
Baud: 115200<br />
HW: Off<br />
<br />
Select "Save setup as dfl" and exit<br />
<br />
Back into minicom<br />
sudo minicom<br />
<br />
Using minicom<br />
<br />
Ctrl-A then Z -> Help<br />
Ctrl-A then M -> Init modem<br />
<br />
It takes time to load, it should prompt for user/pass<br />
> ? (for help)<br />
> enable (to get into 'normal' ubnt shell)<br />
# ?<br />
# help<br />
# exit<br />
> exit<br />
<br />
References: https://help.ubnt.com/hc/en-us/articles/205202630-EdgeMAX-Connect-to-serial-console-port-default-settings https://wiki.archlinux.org/index.php/working_with_the_serial_console<br />
<br />
== SSMTP ==<br />
<br />
Mapping entries in /etc/ssmtp/revaliases<br />
root:[username]@gmail.com:smtp.gmail.com:587<br />
<br />
General config and setting up ssmtp in /etc/ssmtp/ssmtp.conf<br />
root=[username]@gmail.com<br />
mailhub=smtp.gmail.com:587<br />
hostname=localhost<br />
UseSTARTTLS=YES<br />
AuthUser=[username]@gmail.com<br />
AuthPass=[password]<br />
FromLineOverride=YES<br />
UseTLS=YES<br />
rewriteDomain=gmail.com<br />
<br />
To map local users with a different 'To:' edit /etc/mail.rc<br />
alias user user<username@gmail.com><br />
<br />
Test via<br />
echo test | mail -v -s "testing ssmtp" <receiving@email.address.com><br />
<br />
References https://wiki.archlinux.org/index.php/SSMTP<br />
<br />
== git ==<br />
<br />
=== multiple repos ===<br />
<br />
Storing multiple git repositories in a single directory (not using submodules). For this purpose there is a repository (1) which should be read/write and others that are read-only (that's important later).<br />
<br />
mv .git .git-repo1<br />
# now clone the second<br />
git clone <repo2><br />
mv .git .git-repo2<br />
mv .git-repo1 .git<br />
<br />
At this point repo1 (the read/write repo) is now going to respond to 'git' commands. To run against another repo<br />
git --git-dir=.git-repo2 <command><br />
<br />
There will be some difficulties with multiple .gitignore files but if only one repo (1) has an ignore file, it can have exclusions defined for the others repositories (since the others are read-only in this case)<br />
git --git-dir=.git-repo2 config core.excludefiles ".git-repo2-exclude"<br />
<br />
Of course the .git-repo2-exclude file would need to be included in repo1's repository.<br />
<br />
References: http://stackoverflow.com/questions/436125/two-git-repositories-in-one-directory<br />
<br />
=== remotes ===<br />
<br />
use a post-receive hook<br />
<br />
to push to something like github you must make sure the host is known<br />
ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts<br />
<br />
you can push via post-receive hook<br />
git push --all git@github.com:</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/TipsAndTricks&diff=527595
User:Enckse/TipsAndTricks
2018-06-24T14:09:50Z
<p>Enckse: /* Commands */ setting some links</p>
<hr />
<div>__TOC__<br />
<br />
== X ==<br />
<br />
=== Large Cursor ===<br />
<br />
In some cases a GTK application will pull in Adwaita and that can cause a 'comically large' mouse cursor<br />
{{hc|/usr/share/icons/default/index.theme|2=<br />
#Comment out this line<br />
Inherits=Adwaita<br />
}}<br />
<br />
== Containers ==<br />
<br />
machinectl/systemd-nspawn container notes<br />
{{Warning|Always make sure to enable machines.target when expecting systemd to control machines at system start/stop}}<br />
<br />
=== Service ===<br />
<br />
Required target<br />
systemctl enable machines.target<br />
<br />
=== Shared networking ===<br />
{{hc|sudo systemctl edit systemd-nspawn@.service|2=<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --machine=%I<br />
}}<br />
<br />
=== CAC Card/Smartcard ===<br />
<br />
{{Note|You must have the same version of pcsclite in the containers as you do on the host}}<br />
<br />
To troubleshoot in a clean(ish) environment in a container<br />
<br />
make sure X is shared on the host<br />
xhost +local:<br />
<br />
in the container<br />
DISPLAY=:0<br />
export DISPLAY<br />
<br />
bind the pcscd socket to the container in the nspawn file<br />
Bind=/var/run/pcscd/<br />
<br />
in the container install firefox, pcsclite, opensc (don't need ccid and you don't need to enable pcsclite as you are using the host socket). follow the cert install instructions for Common Access Cards<br />
<br />
now to test<br />
export PCSCLITE_CSOCK_NAME=/var/run/pcscd/pcscd.comm<br />
firefox<br />
<br />
== SSH ==<br />
<br />
=== Usage ===<br />
<br />
no bashrc loading<br />
ssh -t <host> bash --norc --noprofile<br />
<br />
=== Config ===<br />
<br />
==== Matching ====<br />
<br />
{{hc|~/.ssh/config|2=<br />
<nowiki><br />
Match exec "echo '%n' | grep -q -E '^(host1|host2|host3)$'"<br />
Port 1234<br />
<br />
Match exec "echo '%n' \| grep -q -E '^(host4|host2)$'"<br />
ForwardAgent yes<br />
</nowiki><br />
}}<br />
<br />
==== Proxying ====<br />
<br />
{{hc|~/.ssh/config|2=<br />
Host proxy<br />
HostName proxy.example.com<br />
RequestTTY force<br />
LocalCommand ssh dest.example.com<br />
PermitLocalCommand yes<br />
}}<br />
<br />
=== LUKS ===<br />
<br />
make sure we're up-to-date<br />
pacman -S tinyssh base-devel<br />
# install naaman<br />
naaman -S ucspi-tcp mkinitcpio-utils mkinitcpio-netconf mkinitcpio-tinyssh<br />
<br />
prep for use/boot<br />
cat /home/enck/.ssh/authorized_keys >> /etc/tinyssh/root_key<br />
<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
# HOOKS change 'encrypt' 'encryptssh' and add 'netconf' and 'tinyssh' before 'encryptssh'<br />
}}<br />
<br />
{{hc|/boot/loader/entries/arch-encrypted.conf|2=<br />
# add to options<br />
ip=:::::eth0:dhcp<br />
}}<br />
<br />
rebuild<br />
mkinitcpio -p linux<br />
<br />
== Commands ==<br />
<br />
Useful commands<br />
<br />
Reset xorg brightness<br />
sudo tee /sys/class/backlight/intel_backlight/brightness <<< 2000<br />
<br />
Wireless ssid scan<br />
sudo iwlist wlp3s0 scanning essid<br />
<br />
Attach files using mutt<br />
mutt -s "<subject>" <to> < <email_text> -a <file1> -a <file2><br />
<br />
Drive power on hours (needs {{Pkg|smartmontools}})<br />
# change "/1" in awk with "/24" for days or "/8765.81" for years<br />
smartctl --all /dev/sd[X] | grep "Power_On_Hours " | tr -s " " | cut -d " " -f 11 | awk '{print $0/1}'<br />
<br />
cbr/cbz files: remove whitespace from names, cbr = unrar (unrar e <options>), cbz = unzip<br />
<br />
=== Downgrading Packages ===<br />
<br />
start in the cache<br />
cd /var/cache/pacman/pkg<br />
ls -l | grep "<package>"<br />
<br />
find it in the [[Arch Linux Archive]] and download if you don't have it in the cache<br />
<br />
run downgrade<br />
pacman -U <package><br />
<br />
ignoring for a while (if needed)<br />
{{hc|/etc/pacman.conf|2=<br />
IgnorePkg = <package> <package2><br />
}}<br />
<br />
== libvirt ==<br />
<br />
Assumes using dnsmasq and ebtables for NAT'd networking on child VMs on the host. Also that we're only using dnsmasq for this purpose<br />
<br />
first make sure dnsmasq starts and binds only how we want<br />
{{hc|/etc/dnsmasq.conf|2=<br />
interface=host-interface-name<br />
# or listen-address=ip<br />
# and<br />
bind-interfaces<br />
}}<br />
<br />
start a 'virsh' session<br />
{{Note|virsh commands, assumes 'default' config name}}<br />
net-edit default<br />
<br />
add an entry after the dhcp/range path<br />
<host mac='vm-mac-address' name='vm-name' ip='static-ip' /><br />
<br />
back to 'virsh' session<br />
net-destroy default<br />
net-start default<br />
<br />
Should reboot the host just to pick everything up<br />
<br />
references<br />
http://wiki.libvirt.org/page/Libvirtd_and_dnsmasq<br />
http://www.cyberciti.biz/faq/linux-kvm-libvirt-dnsmasq-dhcp-static-ip-address-configuration-for-guest-os/<br />
<br />
== ubnt ==<br />
<br />
=== Serial ===<br />
<br />
use minicom<br />
pacman -S minicom<br />
sudo minicom -s<br />
<br />
Select "Serial port setup"<br />
verify that:<br />
Device: /dev/ttyUSB0<br />
Baud: 115200<br />
HW: Off<br />
<br />
Select "Save setup as dfl" and exit<br />
<br />
Back into minicom<br />
sudo minicom<br />
<br />
Using minicom<br />
<br />
Ctrl-A then Z -> Help<br />
Ctrl-A then M -> Init modem<br />
<br />
It takes time to load, it should prompt for user/pass<br />
> ? (for help)<br />
> enable (to get into 'normal' ubnt shell)<br />
# ?<br />
# help<br />
# exit<br />
> exit<br />
<br />
References: https://help.ubnt.com/hc/en-us/articles/205202630-EdgeMAX-Connect-to-serial-console-port-default-settings https://wiki.archlinux.org/index.php/working_with_the_serial_console<br />
<br />
== SSMTP ==<br />
<br />
Mapping entries in /etc/ssmtp/revaliases<br />
root:[username]@gmail.com:smtp.gmail.com:587<br />
<br />
General config and setting up ssmtp in /etc/ssmtp/ssmtp.conf<br />
root=[username]@gmail.com<br />
mailhub=smtp.gmail.com:587<br />
hostname=localhost<br />
UseSTARTTLS=YES<br />
AuthUser=[username]@gmail.com<br />
AuthPass=[password]<br />
FromLineOverride=YES<br />
UseTLS=YES<br />
rewriteDomain=gmail.com<br />
<br />
To map local users with a different 'To:' edit /etc/mail.rc<br />
alias user user<username@gmail.com><br />
<br />
Test via<br />
echo test | mail -v -s "testing ssmtp" <receiving@email.address.com><br />
<br />
References https://wiki.archlinux.org/index.php/SSMTP<br />
<br />
== git ==<br />
<br />
=== multiple repos ===<br />
<br />
Storing multiple git repositories in a single directory (not using submodules). For this purpose there is a repository (1) which should be read/write and others that are read-only (that's important later).<br />
<br />
mv .git .git-repo1<br />
# now clone the second<br />
git clone <repo2><br />
mv .git .git-repo2<br />
mv .git-repo1 .git<br />
<br />
At this point repo1 (the read/write repo) is now going to respond to 'git' commands. To run against another repo<br />
git --git-dir=.git-repo2 <command><br />
<br />
There will be some difficulties with multiple .gitignore files but if only one repo (1) has an ignore file, it can have exclusions defined for the others repositories (since the others are read-only in this case)<br />
git --git-dir=.git-repo2 config core.excludefiles ".git-repo2-exclude"<br />
<br />
Of course the .git-repo2-exclude file would need to be included in repo1's repository.<br />
<br />
References: http://stackoverflow.com/questions/436125/two-git-repositories-in-one-directory<br />
<br />
=== remotes ===<br />
<br />
use a post-receive hook<br />
<br />
to push to something like github you must make sure the host is known<br />
ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts<br />
<br />
you can push via post-receive hook<br />
git push --all git@github.com:</div>
Enckse
https://wiki.archlinux.org/index.php?title=Google_Authenticator&diff=527594
Google Authenticator
2018-06-24T14:07:26Z
<p>Enckse: /* Command line */ oath-toolkit is a package and can have a package link/reference</p>
<hr />
<div>[[Category:Secure Shell]]<br />
[[es:Google Authenticator]]<br />
[[ja:Google Authenticator]]<br />
[[ru:Google Authenticator]]<br />
[[zh-hans:Google Authenticator]]<br />
[https://github.com/google/google-authenticator Google Authenticator] provides a two-step authentication procedure using one-time passcodes ([[Wikipedia:One-time pad|OTP]]). The OTP generator application is available for iOS, Android and Blackberry. Similar to [[S/KEY Authentication]] the authentication mechanism integrates into the Linux [[PAM]] system. This guide shows the installation and configuration of this mechanism.<br />
<br />
For the reverse operation (generating codes compatible with Google Authenticator under Linux) see [[#Code generation]] below.<br />
==Installation==<br />
<br />
Install {{Pkg|libpam-google-authenticator}} package. Development version is also available with {{AUR|google-authenticator-libpam-git}}.<br />
<br />
==Setting up the PAM==<br />
<br />
{{Warning|If you do all configuration via SSH do not close the session before you tested that everything is working, else you may lock yourself out. Furthermore consider generating the key file before activating the PAM.}}<br />
<br />
Usually one demands two-pass authentication only for remote login. The corresponding PAM configuration file is {{ic|/etc/pam.d/sshd}}. In case you want to use Google Authenticator globally you would need to change {{ic|/etc/pam.d/system-auth}}, however, in this case proceed with extreme caution to not lock yourself out.<br />
In this guide we proceed with editing {{ic|/etc/pam.d/sshd}} which is most safely (but not necessarily) done in a local session.<br />
<br />
To enter both, your unix password and your OTP, add {{ic|pam_google_authenticator.so}} above the system-remote-login lines to {{ic|/etc/pam.d/sshd}}:<br />
<br />
'''auth required pam_google_authenticator.so'''<br />
auth include system-remote-login<br />
account include system-remote-login<br />
password include system-remote-login<br />
session include system-remote-login<br />
<br />
This will ask for the OTP before prompting for your Unix password. Changing the order of the two modules will reverse this order.<br />
<br />
{{Warning|Only users that have generated a secret key file (see below) will be allowed to log in using SSH.}}<br />
<br />
To allow login with either the OTP or your Unix password use:<br />
<br />
auth '''sufficient''' pam_google_authenticator.so<br />
<br />
Enable challenge-response authentication in {{ic|/etc/ssh/'''sshd_config'''}}:<br />
ChallengeResponseAuthentication yes<br />
Finally, [[reload]] the {{ic|sshd}} service.<br />
<br />
{{Warning|OpenSSH will ignore all of this if you are authenticating with a SSH-key pair and have [[Secure Shell#Force public key authentication|disabled password logins]]. However, as of OpenSSH 6.2, you can add {{ic|AuthenticationMethods}} to allow both: two-factor and key-based authentication. See [[Secure Shell#Two-factor authentication and public keys]].}}<br />
<br />
==Generating a secret key file==<br />
{{Tip|Install {{Pkg|qrencode}} to generate a scannable QR. Scan the QR with the authenticator app to automatically configure the key.}}<br />
<br />
Every user who wants to use two-pass authentication needs to generate a secret key file in his home folder.<br />
This can very easily be done using ''google-authenticator'': <br />
<br />
$ google-authenticator<br />
Do you want authentication tokens to be time-based (y/n) y<br />
<Here you will see generated QR code><br />
Your new secret key is: ZVZG5UZU4D7MY4DH<br />
Your verification code is 269371<br />
Your emergency scratch codes are:<br />
70058954<br />
97277505<br />
99684896<br />
56514332<br />
82717798<br />
<br />
Do you want me to update your "/home/username/.google_authenticator" file (y/n) y<br />
<br />
Do you want to disallow multiple uses of the same authentication<br />
token? This restricts you to one login about every 30s, but it increases<br />
your chances to notice or even prevent man-in-the-middle attacks (y/n) y<br />
<br />
By default, tokens are good for 30 seconds and in order to compensate for<br />
possible time-skew between the client and the server, we allow an extra<br />
token before and after the current time. If you experience problems with poor<br />
time synchronization, you can increase the window from its default<br />
size of 1:30min to about 4min. Do you want to do so (y/n) n<br />
<br />
If the computer that you are logging into is not hardened against brute-force<br />
login attempts, you can enable rate-limiting for the authentication module.<br />
By default, this limits attackers to no more than 3 login attempts every 30s.<br />
Do you want to enable rate-limiting (y/n) y<br />
<br />
It is recommended to '''store the emergency scratch codes safely''' (print them out and keep them in a safe location) as they are your only way to log in (via SSH) when you lost your mobile phone (i.e. your OTP-generator). They are also stored in {{ic|~/.google_authenticator}}, so you can look them up any time as long as you are logged in.<br />
<br />
==Setting up your OTP-generator==<br />
Install generator application on your mobile phone from [http://m.google.com/authenticator Android market] (e.g. [https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp FreeOTP]) or from [https://f-droid.org/repository/browse/?fdfilter=google&fdid=com.google.android.apps.authenticator2 F-Droid].<br />
In the applications menu click the corresponding button to create a new account and either scan the QR code from the URL you were told when generating the secret key file, or enter the secret key (in the example above 'ZVZG5UZU4D7MY4DH') manually.<br />
<br />
Now you should see a new passcode token being generated every 30 seconds on your phone.<br />
<br />
==Testing==<br />
SSH to your host from another machine and/or from another terminal window:<br />
<br />
$ ssh hostname<br />
login as: <username><br />
Verification code: <generated/backup-code><br />
Password: <password><br />
$<br />
<br />
==Storage location==<br />
If you want to change the secret key files' storage path, you can use the flag {{ic|--secret}}:<br />
<br />
$ google-authenticator --secret="/'''PATH_FOLDER'''/'''USERNAME'''"<br />
<br />
Then, don't forget to change the location path for PAM, in {{ic|/etc/pam.d/sshd}}:<br />
<br />
{{hc|/etc/pam.d/sshd|2=<br />
auth required pam_google_authenticator.so user=root secret=/'''PATH_FOLDER'''/${USER}<br />
}}<br />
<br />
{{ic|user&#61;root}} is used to force PAM to search the file using root user.<br />
<br />
Also, take care with the permissions of the secret key file. Indeed, the file '''must''' be only-readable by the owner (chmod: {{ic|400}}). Here, the owner is root.<br />
<br />
$ chown root.root /'''PATH_FILE'''/'''SECRET_KEY_FILES'''<br />
chmod 400 /'''PATH_FILE'''/'''SECRET_KEY_FILES'''<br />
<br />
==Desktop logins==<br />
The Google Authenticator PAM plugin can also be used for console logins and with GDM. Just add the following to {{ic|/etc/pam.d/login}} or the {{ic|/etc/pam.d/gdm-password}} file:<br />
<br />
auth required pam_google_authenticator.so<br />
<br />
==Code generation==<br />
If you have Google Authenticator configured with other systems, then losing your device can prevent you from being able to log in to those systems. Having additional ways to generate the codes can be helpful.<br />
<br />
===Command line===<br />
The easiest way to generate codes is with {{ic|oath-tool}}. It is available in the {{Pkg|oath-toolkit}} package, and can be used as follows:<br />
<br />
oathtool --totp -b ABC123<br />
<br />
Where {{ic|ABC123}} is the secret key.<br />
<br />
On most Android systems with sufficient user access, the Google Authenticator database can be copied off the device and accessed directly, as it is an sqlite3 database. This shell script will read a Google Authenticator database and generate live codes for each key found:<br />
<br />
{{hc|google-authenticator.sh|2=<br />
#!/bin/sh<br />
<br />
# This is the path to the Google Authenticator app file. It's typically located<br />
# in /data under Android. Copy it to your PC in a safe location and specify the<br />
# path to it here.<br />
DB="/path/to/com.google.android.apps.authenticator/databases/databases"<br />
<br />
sqlite3 "$DB" 'SELECT email,secret FROM accounts;' {{!}} while read A<br />
do<br />
NAME=`echo "$A" {{!}} cut -d '{{!}}' -f 1`<br />
KEY=`echo "$A" {{!}} cut -d '{{!}}' -f 2`<br />
CODE=`oathtool --totp -b "$KEY"`<br />
echo -e "\e[1;32m$CODE\e[0m - \e[1;33m$NAME\e[0m"<br />
done<br />
}}</div>
Enckse
https://wiki.archlinux.org/index.php?title=Common_Access_Card&diff=527330
Common Access Card
2018-06-22T13:21:47Z
<p>Enckse: /* Enable pcscd */ pcscd uses socket activation</p>
<hr />
<div>[[Category:Other hardware]]<br />
{{Related articles start}}<br />
{{Related|Smartcards}}<br />
{{Related articles end}}<br />
{{Expansion|1=A short general article about [[Smartcards]] (or [[Smartcard readers]]) is lacking. This article could become the foundation for it; the CAC relevant/specific content being moved to a section. Further related {{Pkg|pcsc-tools}} exist (and contain supportability information), which can be helpful for identifying other smartcards.[https://wiki.archlinux.org/index.php?title=Lenovo_ThinkPad_T460s&diff=449830&oldid=449829]}}<br />
<br />
This page explains how to setup Arch to use a US Department of Defense [[wikipedia:Common_Access_Card|Common Access Card]] (CAC).<br />
<br />
== Installation ==<br />
<br />
Install {{Pkg|ccid}} and {{Pkg|opensc}} from [[official repositories]].<br />
<br />
=== Configuration ===<br />
<br />
{{Note|You should not have to edit your opensc configuration files by default. You should check all other setup items first (e.g. certificate imports)}}<br />
<br />
If your card reader does not have a pin pad, uncomment {{ic|enable_pinpad &#61; false}} in {{ic|/etc/opensc.conf}}.<br />
<br />
Sometimes {{Pkg|opensc}} can struggle to identify the proper driver for CAC, instead it may choose PIV or something else. You can force the CAC driver by editing {{ic|/etc/opensc.conf}} for {{ic|card_drivers &#61; cac}} and {{ic|force_card_driver &#61; cac}}<br />
<br />
== Enable pcscd ==<br />
<br />
[[Start]] and enable {{ic|pcscd.socket}}.<br />
<br />
== Configure browser ==<br />
<br />
1. Go to: http://iase.disa.mil/pki-pke/Pages/tools.aspx<br />
<br />
2. Download certs: "Trust Store" -> "PKI CA Certificate Bundles: PKCS#7" -> "For DoD PKI Only - Version 5.3" (ZIP Download)<br />
<br />
3. Unzip the DoD PKI zip<br />
<br />
4. Follow browser-specific instructions<br />
<br />
=== Firefox ===<br />
<br />
==== Load security device ====<br />
<br />
Navigate to Edit -> Preference -> Advanced -> Certificates -> Security Devices and click "Load" to load a module using {{ic|/usr/lib/opensc-pkcs11.so}} or {{ic|/usr/lib/pkcs11/opensc-pkcs11.so}}.<br />
<br />
{{Note|Firefox may report the module did not load correctly however you will have to check in the security devices to confirm whether the module properly loaded or not}}<br />
<br />
==== Import the DoD Certificates ====<br />
<br />
Install the certificates from the mentioned zip in _this_ order, by going to Edit -> Preference -> Advanced -> Certificates -> View Certificates -> Authorities -> Import (make sure to at-least check the box for "Trust this CA to identify websites"):<br />
<br />
{{Note|As of the 5.3 version of the certificate zip}}<br />
<br />
1. Certificates_PKCS7_v5.3_DoD.der.p7b<br />
<br />
2. Certificates_PKCS7_v5.3_DoD_DoD_Root_CA_2.der.p7b<br />
<br />
3. Certificates_PKCS7_v5.3_DoD_DoD_Root_CA_3.der.p7b<br />
<br />
4. Certificates_PKCS7_v5.3_DoD_DoD_Root_CA_4.der.p7b <br />
<br />
5. Certificates_PKCS7_v5.3_DoD_DoD_Root_CA_5.der.p7b<br />
<br />
6. Certificates_PKCS7_v5.3_DoD.pem.p7b<br />
<br />
=== Chromium/Google Chrome ===<br />
1. Ensure CAC is connected, [[Chromium]] is closed and enter the following in a terminal: <br />
{{ic|<nowiki>$ modutil -dbdir sql:.pki/nssdb/ -add "CAC Module" -libfile /usr/lib/opensc-pkcs11.so</nowiki>}}<br />
{{Note|You may see the message 'Failure to load dynamic library'. This can be ignored.}}<br />
<br />
2. Navigate (in a shell) to the location of the unzip DoD PKI files and install via:<br />
<br />
for n in $(ls * | grep Chrome); do certutil -d sql:$HOME/.pki/nssdb -A -t TC -n $n -i $n; done<br />
<br />
==Testing==<br />
<br />
Visit your favorite CAC secured web page and you should be asked for the ''Master Password'' for your certificate. Enter it and if you get in, you know it's working.<br />
<br />
If some sites/pages seem to have a problem working correctly (e.g. outlook web access won't authenticate the session for DoD webmail) try using a private/incognito session to test validity of the cert chain and remove some variables.<br />
<br />
== Debugging ==<br />
<br />
=== opensc-tool ===<br />
Most of this information was found in a [http://blog.fkraiem.org/2013/03/13/linux-smart-card-authentication-howto/ blog post by Firas Kraïem]<br />
<br />
Verify opensc can see your reader<br />
{{hc|$ opensc-tool --list-readers |<br />
# Detected readers (pcsc)<br />
Nr. Card Features Name<br />
0 Yes Generic USB2.0-CRW [Smart Card Reader Interface] (20070818000000000) 00 00}} <br />
List plugged in card<br />
{{hc|$ opensc-tool --reader 0 --name |Personal Identity Verification Card}} <br />
List plugged in card and drive in use<br />
{{hc|$ opensc-tool --reader 0 --name -v|<br />
Connecting to card in reader Generic USB2.0-CRW [Smart Card Reader Interface] (20070818000000000) 00 00...<br />
Using card driver Personal Identity Verification Card.<br />
Card name: Personal Identity Verification Card}}<br />
<br />
=== pcsc-tools ===<br />
The {{Pkg|pcsc-tools}} package is also availabe in '''[community]'''. The program {{ic|pcsc_scan}} may be helpful<br />
<br />
[cceleri@ender ~]$ pcsc_scan <br />
PC/SC device scanner<br />
V 1.4.21 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr><br />
Compiled with PC/SC lite version: 1.8.6<br />
Using reader plug'n play mechanism<br />
Scanning present readers...<br />
0: Dell Dell Smart Card Reader Keyboard 00 00<br />
<br />
Thu Sep 5 10:41:53 2013<br />
Reader 0: Dell Dell Smart Card Reader Keyboard 00 00<br />
Card state: Card removed, <br />
<br />
Thu Sep 5 10:41:58 2013<br />
Reader 0: Dell Dell Smart Card Reader Keyboard 00 00<br />
Card state: Card inserted, <br />
ATR: 3B DB 96 00 80 1F 03 00 31 C0 64 B0 F3 10 00 07 90 00 80<br />
<br />
ATR: 3B DB 96 00 80 1F 03 00 31 C0 64 B0 F3 10 00 07 90 00 80<br />
+ TS = 3B --> Direct Convention<br />
+ T0 = DB, Y(1): 1101, K: 11 (historical bytes)<br />
TA(1) = 96 --> Fi=512, Di=32, 16 cycles/ETU<br />
250000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 312500 bits/s<br />
TC(1) = 00 --> Extra guard time: 0<br />
TD(1) = 80 --> Y(i+1) = 1000, Protocol T = 0 <br />
-----<br />
TD(2) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following <br />
-----<br />
TA(3) = 03 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V <br />
+ Historical bytes: 00 31 C0 64 B0 F3 10 00 07 90 00<br />
Category indicator byte: 00 (compact TLV data object)<br />
Tag: 3, len: 1 (card service data byte)<br />
Card service data byte: C0<br />
- Application selection: by full DF name<br />
- Application selection: by partial DF name<br />
- EF.DIR and EF.ATR access services: by GET RECORD(s) command<br />
- Card with MF<br />
Tag: 6, len: 4 (pre-issuing data)<br />
Data: B0 F3 10 00<br />
Mandatory status indicator (3 last bytes)<br />
LCS (life card cycle): 07 (Operational state (activated))<br />
SW: 9000 (Normal processing.)<br />
+ TCK = 80 (correct checksum)<br />
<br />
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):<br />
3B DB 96 00 80 1F 03 00 31 C0 64 B0 F3 10 00 07 90 00 80<br />
DoD CAC, Oberthur ID One 128 v5.5 Dual</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse&diff=527272
User:Enckse
2018-06-22T02:46:37Z
<p>Enckse: cleaning up home</p>
<hr />
<div>__TOC__<br />
<br />
== about ==<br />
<br />
more about me can be discovered [https://voidedtech.network here]<br />
<br />
* [https://aur.archlinux.org/packages/?O=0&SeB=m&K=enckse&do_Search=Go Maintained] and [https://aur.archlinux.org/packages/?O=0&SeB=c&K=enckse&do_Search=Go Co-maintained] AUR packages<br />
* [https://wiki.archlinux.org/index.php/Special:Contributions/Enckse wiki history]<br />
* [https://bugs.archlinux.org/user/23134 bugs]<br />
<br />
== arch notes ==<br />
<br />
* [[User:Enckse/Install]]<br />
* [[User:Enckse/Linode]]<br />
* [[User:Enckse/Arm]]<br />
* [[User:Enckse/TipsAndTricks]]</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/Install&diff=527271
User:Enckse/Install
2018-06-22T02:43:11Z
<p>Enckse: /* System Configuration */ remove a word</p>
<hr />
<div>Personal page for installing arch on a variety of systems/configurations/etc.<br />
<br />
{{Warning|These are specific instructions for my own use, continue at your own risk}}<br />
<br />
<br />
__TOC__<br />
<br />
== Disk Setup ==<br />
<br />
=== partition ===<br />
<br />
use a scheme to create a big enough boot partition for EFI, otherwise everything else will be set for LVM (aka not boot) <br />
<br />
gdisk /dev/<disk><br />
<br />
following prompts (as needed) to convert to gpt (if not), then configure 2 partitions<br />
<br />
1 1GB EFI partition # hex ef00<br />
2 100% size partiton <br />
<br />
{{Warning|Any disk references here should match your system}}<br />
<br />
=== boot/efi ===<br />
<br />
yes, I know my boot partition isn't encrypted.<br />
<br />
mkfs.vfat -F32 /dev/<disk>1<br />
<br />
=== cryptsetup ===<br />
<br />
use cryptsetup on the 100% size partition to encrypt data there<br />
<br />
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y --use-random luksFormat /dev/<disk>2<br />
cryptsetup luksOpen /dev/<disk>2 luks<br />
<br />
=== lvm ===<br />
<br />
going to create a volume group that is just root and swap<br />
<br />
pvcreate /dev/mapper/luks<br />
vgcreate vg /dev/mapper/luks<br />
lvcreate --size 8G vg --name swap<br />
lvcreate -l +100%FREE vg --name root<br />
<br />
=== fs/mount ===<br />
<br />
using btrfs for root and obviously swap for swap, then mount all the things<br />
mkfs.btrfs /dev/mapper/vg-root<br />
mkswap /dev/mapper/vg-swap<br />
mount /dev/mapper/vg-root /mnt <br />
swapon /dev/mapper/vg-swap <br />
mkdir /mnt/boot<br />
mount /dev/<disk>1 /mnt/boot<br />
<br />
{{Note|For a radius-networked device, do the following to acquire a network connection<br />
{{hc|/etc/wpa_supplicant/wpa_supplicant-wired-''adapter''.conf|2=<br />
ctrl_interface=/var/run/wpa_supplicant<br />
ap_scan=0<br />
network={<br />
key_mgmt=IEEE8021X<br />
eap=PEAP<br />
identity="''user_name''"<br />
password="''user_password''"<br />
phase2="autheap=MSCHAPV2"<br />
}<br />
}}<br />
ip link set ''adapter'' down<br />
systemctl start wpa_supplicant-wired@''adapter''.service<br />
systemctl start dhcpcd@''adapter''.service<br />
}}<br />
<br />
== System Configuration ==<br />
<br />
=== setup/chroot ===<br />
<br />
starting packages<br />
pacstrap /mnt base vim git btrfs-progs wpa_supplicant<br />
<br />
fstab<br />
genfstab -pU /mnt >> /mnt/etc/fstab<br />
<br />
chroot<br />
arch-chroot /mnt /bin/bash<br />
<br />
{{Note|For a radius-networked device, do the following to make networking later easier<br />
cp /etc/wpa_supplicant/wpa_supplicant-wired-''adapter''.conf /mnt/etc/wpa_supplicant/<br />
}}<br />
<br />
{{Note|For a headless server, do the following to get networking up sooner<br />
{{hc|/etc/systemd/network/wired.network|2=<br />
[Match]<br />
Name=<adapter><br />
<br />
[Network]<br />
DHCP=ipv4<br />
}}<br />
<br />
{{hc|/etc/resolv.conf|2=<br />
nameserver <local nameserver><br />
nameserver <public nameservers...><br />
}}<br />
<br />
systemctl enable systemd-networkd<br />
systemctl enable wpa_supplicant-wired@''adapter''.service<br />
}}<br />
<br />
=== system settings ===<br />
<br />
clock<br />
rm -f /etc/localtime<br />
ln -s /usr/share/zoneinfo/<zone_info> /etc/localtime<br />
hwclock --systohc --utc<br />
<br />
hostname<br />
echo "<machine>" > /etc/hostname<br />
<br />
locale<br />
{{hc|/etc/locale.gen|2=<br />
# uncomment en_US.UTF-8 UTF-8 and/or others<br />
}}<br />
locale-gen<br />
<br />
lang<br />
echo LANG=en_US.UTF-8 >> /etc/locale.conf<br />
<br />
root password<br />
passwd<br />
<br />
=== booting ===<br />
<br />
luks/boot/mkinitcpio<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
HOOKS=(base udev autodetect modconf block fsck keymap encrypt lvm2 btrfs filesystems keyboard)<br />
}}<br />
<br />
mkinitcpio -p linux<br />
<br />
bootctl<br />
bootctl install<br />
<br />
entry<br />
{{hc|/boot/loader/entries/arch-encrypted.conf|2=<br />
title ArchLinux<br />
linux /vmlinuz-linux<br />
initrd /initramfs-linux.img<br />
options cryptdevice=UUID=XXXX:vg root=/dev/mapper/vg-root quiet rw<br />
}}<br />
<br />
{{Note|For XXXX uuid<br />
lsblk -f<br />
---<br />
NAME FSTYPE LABEL UUID MOUNTPOINT<br />
nvme0n1 <br />
├─nvme0n1p1 vfat BOOT-UUID /boot<br />
└─nvme0n1p2 crypto_LUKS XXXX-... <br />
└─luks-XXXX-... LVM2_member LVM-UUID <br />
├─vg-swap swap SWAP-UUID [SWAP]<br />
└─vg-root btrfs ROOT-UUID /<br />
}}<br />
<br />
{{Note|install the linux-rotate (epiphyte) package to configure fallbacks/previous kernels}}<br />
<br />
=== cleaning up ===<br />
<br />
exit chroot, umount, reboot<br />
exit<br />
umount -R /mnt<br />
swapoff -a<br />
reboot<br />
<br />
== User Setup ==<br />
<br />
temporary dhcp lease<br />
systemctl start dhcpcd@<adapter>.service<br />
<br />
create user<br />
useradd -m -s /bin/bash enck<br />
passwd enck<br />
<br />
sudo<br />
pacman -S sudo<br />
visudo<br />
#uncomment %wheel ALL=(ALL) ALL<br />
usermod -G wheel enck<br />
<br />
{{Note|For headless systems, go to the server section}}<br />
<br />
{{Note|Follow home.git README for dev environment}}<br />
<br />
Follow guidance within the [[Common Access Card]] page for browsers/debug/troubleshoot/etc of smartcard utilization<br />
<br />
setup machinectl networking from [[User:Enckse/TipsAndTricks#Shared_networking]]<br />
<br />
== Server/Headless Setup ==<br />
<br />
additional packages<br />
pacman -S openssh wget bash-completion<br />
<br />
=== ssh ===<br />
<br />
{{hc|/etc/ssh/sshd_config|2=<br />
Port <PORT><br />
Protocol 2<br />
# may need to enable, for a moment, to copy keys<br />
PermitRootLogin no<br />
PasswordAuthentication no<br />
}}<br />
<br />
systemctl enable sshd<br />
systemctl start sshd<br />
<br />
at this point copy ssh keys<br />
<br />
=== iptables ===<br />
<br />
{{hc|/etc/iptables/iptables.rules|2=<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:TCP - [0:0]<br />
:UDP - [0:0]<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -m conntrack --ctstate INVALID -j DROP<br />
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP<br />
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
-A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
-A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
-A TCP -p tcp --dport <PORT> -j ACCEPT<br />
<br />
COMMIT<br />
}}<br />
systemctl enable --now iptables<br />
<br />
== Core Server ==<br />
<br />
=== bootstrap ===<br />
<br />
we would like some utilties to bootstrap ourselves<br />
pacman openssh rsync<br />
<br />
enable sshd (permit root login) to get off of having to be "on" the physical system<br />
systemctl enable --now sshd<br />
<br />
now we can ssh and do what needs to be done<br />
<br />
=== data dirs ===<br />
<br />
for each data data, create a single linux type partition<br />
fdisk /dev/<disk><br />
<br />
crypt setup each drive<br />
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y --use-random luksFormat /dev/<disk><br />
cryptsetup luksOpen /dev/<disk> diskN<br />
mkfs.btrfs /dev/mapper/diskN<br />
<br />
setup a key<br />
dd if=/dev/urandom of=/etc/storage.key bs=512 count=8<br />
cryptsetup luksAddKey /dev/<disk> /etc/storage.key<br />
<br />
edit crypt tab<br />
disk1 UUID=lsblk -f <disk> /etc/storage.key<br />
disk2 UUID=lsblk -f <disk> /etc/storage.key <br />
<br />
and fstab<br />
/dev/mapper/disk1 /mnt/disk1 btrfs rw,ssd 0 0<br />
/dev/mapper/disk2 /mnt/disk2 btrfs rw,ssd 0 0<br />
<br />
now reboot and then<br />
mkdir -p /mnt/disk1/Storage<br />
mkdir -p /mnt/disk1/Archive<br />
mkdir -p /mnt/disk2/Nightly<br />
mkdir -p /mnt/disk2/Staging<br />
ln -s /mnt/disk1/Storage /mnt/Storage <br />
ln -s /mnt/disk2/Staging /mnt/Staging <br />
ln -s /mnt/disk1/Archive /mnt/Archive <br />
ln -s /mnt/disk2/Nightly /mnt/Nightly<br />
<br />
=== general usage ===<br />
<br />
remove nano<br />
pacman -R nano<br />
<br />
back to the story<br />
su enck<br />
cd ~<br />
mkdir .ssh<br />
chmod 700 .ssh<br />
# copy pub key<br />
chmod 600 .ssh/authorized_keys<br />
exit<br />
<br />
at this point I should install naaman to help myself later and<br />
pacman -S tinyssh base-devel arch-install-scripts<br />
<br />
configure the ssh config as we'd like at this point (set root password if still in simple setup mode), get iptables rules setup<br />
pacman -S iptables<br />
# copy rules to /etc/iptables/iptables.rules<br />
systemctl enable --now iptables<br />
<br />
now complete https://wiki.archlinux.org/index.php/User:Enckse/TipsAndTricks#LUKS for luks over ssh<br />
reboot<br />
<br />
=== data ===<br />
<br />
time to copy data<br />
pacman -S screen<br />
<br />
make sure we're forwarding our agent<br />
screen<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Storage /mnt/Storage<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Staging /mnt/Staging<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Archive /mnt/Archive<br />
<br />
Starting copying any previous configs from one system to another. start git controlling etc<br />
<br />
make sure to enable cronie<br />
systemctl enable --now cronie<br />
<br />
test ssmtp (after getting configs set)<br />
echo 'test' | mail -v -s "testing" <email@address><br />
<br />
=== managing ===<br />
<br />
clone core<br />
cd /opt<br />
git clone <path/to/core/repo><br />
<br />
setup user links<br />
su enck<br />
cd ~<br />
ln -s /mnt/Storage store<br />
ln -s /mnt/Storage/Git git<br />
<br />
install core-scripts and test scripts/validate cron/etc.</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/Install&diff=527270
User:Enckse/Install
2018-06-22T02:42:29Z
<p>Enckse: /* networking */ not really a section...</p>
<hr />
<div>Personal page for installing arch on a variety of systems/configurations/etc.<br />
<br />
{{Warning|These are specific instructions for my own use, continue at your own risk}}<br />
<br />
<br />
__TOC__<br />
<br />
== Disk Setup ==<br />
<br />
=== partition ===<br />
<br />
use a scheme to create a big enough boot partition for EFI, otherwise everything else will be set for LVM (aka not boot) <br />
<br />
gdisk /dev/<disk><br />
<br />
following prompts (as needed) to convert to gpt (if not), then configure 2 partitions<br />
<br />
1 1GB EFI partition # hex ef00<br />
2 100% size partiton <br />
<br />
{{Warning|Any disk references here should match your system}}<br />
<br />
=== boot/efi ===<br />
<br />
yes, I know my boot partition isn't encrypted.<br />
<br />
mkfs.vfat -F32 /dev/<disk>1<br />
<br />
=== cryptsetup ===<br />
<br />
use cryptsetup on the 100% size partition to encrypt data there<br />
<br />
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y --use-random luksFormat /dev/<disk>2<br />
cryptsetup luksOpen /dev/<disk>2 luks<br />
<br />
=== lvm ===<br />
<br />
going to create a volume group that is just root and swap<br />
<br />
pvcreate /dev/mapper/luks<br />
vgcreate vg /dev/mapper/luks<br />
lvcreate --size 8G vg --name swap<br />
lvcreate -l +100%FREE vg --name root<br />
<br />
=== fs/mount ===<br />
<br />
using btrfs for root and obviously swap for swap, then mount all the things<br />
mkfs.btrfs /dev/mapper/vg-root<br />
mkswap /dev/mapper/vg-swap<br />
mount /dev/mapper/vg-root /mnt <br />
swapon /dev/mapper/vg-swap <br />
mkdir /mnt/boot<br />
mount /dev/<disk>1 /mnt/boot<br />
<br />
{{Note|For a radius-networked device, do the following to acquire a network connection<br />
{{hc|/etc/wpa_supplicant/wpa_supplicant-wired-''adapter''.conf|2=<br />
ctrl_interface=/var/run/wpa_supplicant<br />
ap_scan=0<br />
network={<br />
key_mgmt=IEEE8021X<br />
eap=PEAP<br />
identity="''user_name''"<br />
password="''user_password''"<br />
phase2="autheap=MSCHAPV2"<br />
}<br />
}}<br />
ip link set ''adapter'' down<br />
systemctl start wpa_supplicant-wired@''adapter''.service<br />
systemctl start dhcpcd@''adapter''.service<br />
}}<br />
<br />
== System Configuration ==<br />
<br />
=== setup/chroot ===<br />
<br />
starting packages<br />
pacstrap /mnt base vim git btrfs-progs wpa_supplicant<br />
<br />
fstab<br />
genfstab -pU /mnt >> /mnt/etc/fstab<br />
<br />
chroot<br />
arch-chroot /mnt /bin/bash<br />
<br />
network<br />
{{Note|For a radius-networked device, do the following to make networking later easier<br />
cp /etc/wpa_supplicant/wpa_supplicant-wired-''adapter''.conf /mnt/etc/wpa_supplicant/<br />
}}<br />
<br />
{{Note|For a headless server, do the following to get networking up sooner<br />
{{hc|/etc/systemd/network/wired.network|2=<br />
[Match]<br />
Name=<adapter><br />
<br />
[Network]<br />
DHCP=ipv4<br />
}}<br />
<br />
{{hc|/etc/resolv.conf|2=<br />
nameserver <local nameserver><br />
nameserver <public nameservers...><br />
}}<br />
<br />
systemctl enable systemd-networkd<br />
systemctl enable wpa_supplicant-wired@''adapter''.service<br />
}}<br />
<br />
=== system settings ===<br />
<br />
clock<br />
rm -f /etc/localtime<br />
ln -s /usr/share/zoneinfo/<zone_info> /etc/localtime<br />
hwclock --systohc --utc<br />
<br />
hostname<br />
echo "<machine>" > /etc/hostname<br />
<br />
locale<br />
{{hc|/etc/locale.gen|2=<br />
# uncomment en_US.UTF-8 UTF-8 and/or others<br />
}}<br />
locale-gen<br />
<br />
lang<br />
echo LANG=en_US.UTF-8 >> /etc/locale.conf<br />
<br />
root password<br />
passwd<br />
<br />
=== booting ===<br />
<br />
luks/boot/mkinitcpio<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
HOOKS=(base udev autodetect modconf block fsck keymap encrypt lvm2 btrfs filesystems keyboard)<br />
}}<br />
<br />
mkinitcpio -p linux<br />
<br />
bootctl<br />
bootctl install<br />
<br />
entry<br />
{{hc|/boot/loader/entries/arch-encrypted.conf|2=<br />
title ArchLinux<br />
linux /vmlinuz-linux<br />
initrd /initramfs-linux.img<br />
options cryptdevice=UUID=XXXX:vg root=/dev/mapper/vg-root quiet rw<br />
}}<br />
<br />
{{Note|For XXXX uuid<br />
lsblk -f<br />
---<br />
NAME FSTYPE LABEL UUID MOUNTPOINT<br />
nvme0n1 <br />
├─nvme0n1p1 vfat BOOT-UUID /boot<br />
└─nvme0n1p2 crypto_LUKS XXXX-... <br />
└─luks-XXXX-... LVM2_member LVM-UUID <br />
├─vg-swap swap SWAP-UUID [SWAP]<br />
└─vg-root btrfs ROOT-UUID /<br />
}}<br />
<br />
{{Note|install the linux-rotate (epiphyte) package to configure fallbacks/previous kernels}}<br />
<br />
=== cleaning up ===<br />
<br />
exit chroot, umount, reboot<br />
exit<br />
umount -R /mnt<br />
swapoff -a<br />
reboot<br />
<br />
== User Setup ==<br />
<br />
temporary dhcp lease<br />
systemctl start dhcpcd@<adapter>.service<br />
<br />
create user<br />
useradd -m -s /bin/bash enck<br />
passwd enck<br />
<br />
sudo<br />
pacman -S sudo<br />
visudo<br />
#uncomment %wheel ALL=(ALL) ALL<br />
usermod -G wheel enck<br />
<br />
{{Note|For headless systems, go to the server section}}<br />
<br />
{{Note|Follow home.git README for dev environment}}<br />
<br />
Follow guidance within the [[Common Access Card]] page for browsers/debug/troubleshoot/etc of smartcard utilization<br />
<br />
setup machinectl networking from [[User:Enckse/TipsAndTricks#Shared_networking]]<br />
<br />
== Server/Headless Setup ==<br />
<br />
additional packages<br />
pacman -S openssh wget bash-completion<br />
<br />
=== ssh ===<br />
<br />
{{hc|/etc/ssh/sshd_config|2=<br />
Port <PORT><br />
Protocol 2<br />
# may need to enable, for a moment, to copy keys<br />
PermitRootLogin no<br />
PasswordAuthentication no<br />
}}<br />
<br />
systemctl enable sshd<br />
systemctl start sshd<br />
<br />
at this point copy ssh keys<br />
<br />
=== iptables ===<br />
<br />
{{hc|/etc/iptables/iptables.rules|2=<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:TCP - [0:0]<br />
:UDP - [0:0]<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -m conntrack --ctstate INVALID -j DROP<br />
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP<br />
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
-A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
-A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
-A TCP -p tcp --dport <PORT> -j ACCEPT<br />
<br />
COMMIT<br />
}}<br />
systemctl enable --now iptables<br />
<br />
== Core Server ==<br />
<br />
=== bootstrap ===<br />
<br />
we would like some utilties to bootstrap ourselves<br />
pacman openssh rsync<br />
<br />
enable sshd (permit root login) to get off of having to be "on" the physical system<br />
systemctl enable --now sshd<br />
<br />
now we can ssh and do what needs to be done<br />
<br />
=== data dirs ===<br />
<br />
for each data data, create a single linux type partition<br />
fdisk /dev/<disk><br />
<br />
crypt setup each drive<br />
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y --use-random luksFormat /dev/<disk><br />
cryptsetup luksOpen /dev/<disk> diskN<br />
mkfs.btrfs /dev/mapper/diskN<br />
<br />
setup a key<br />
dd if=/dev/urandom of=/etc/storage.key bs=512 count=8<br />
cryptsetup luksAddKey /dev/<disk> /etc/storage.key<br />
<br />
edit crypt tab<br />
disk1 UUID=lsblk -f <disk> /etc/storage.key<br />
disk2 UUID=lsblk -f <disk> /etc/storage.key <br />
<br />
and fstab<br />
/dev/mapper/disk1 /mnt/disk1 btrfs rw,ssd 0 0<br />
/dev/mapper/disk2 /mnt/disk2 btrfs rw,ssd 0 0<br />
<br />
now reboot and then<br />
mkdir -p /mnt/disk1/Storage<br />
mkdir -p /mnt/disk1/Archive<br />
mkdir -p /mnt/disk2/Nightly<br />
mkdir -p /mnt/disk2/Staging<br />
ln -s /mnt/disk1/Storage /mnt/Storage <br />
ln -s /mnt/disk2/Staging /mnt/Staging <br />
ln -s /mnt/disk1/Archive /mnt/Archive <br />
ln -s /mnt/disk2/Nightly /mnt/Nightly<br />
<br />
=== general usage ===<br />
<br />
remove nano<br />
pacman -R nano<br />
<br />
back to the story<br />
su enck<br />
cd ~<br />
mkdir .ssh<br />
chmod 700 .ssh<br />
# copy pub key<br />
chmod 600 .ssh/authorized_keys<br />
exit<br />
<br />
at this point I should install naaman to help myself later and<br />
pacman -S tinyssh base-devel arch-install-scripts<br />
<br />
configure the ssh config as we'd like at this point (set root password if still in simple setup mode), get iptables rules setup<br />
pacman -S iptables<br />
# copy rules to /etc/iptables/iptables.rules<br />
systemctl enable --now iptables<br />
<br />
now complete https://wiki.archlinux.org/index.php/User:Enckse/TipsAndTricks#LUKS for luks over ssh<br />
reboot<br />
<br />
=== data ===<br />
<br />
time to copy data<br />
pacman -S screen<br />
<br />
make sure we're forwarding our agent<br />
screen<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Storage /mnt/Storage<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Staging /mnt/Staging<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Archive /mnt/Archive<br />
<br />
Starting copying any previous configs from one system to another. start git controlling etc<br />
<br />
make sure to enable cronie<br />
systemctl enable --now cronie<br />
<br />
test ssmtp (after getting configs set)<br />
echo 'test' | mail -v -s "testing" <email@address><br />
<br />
=== managing ===<br />
<br />
clone core<br />
cd /opt<br />
git clone <path/to/core/repo><br />
<br />
setup user links<br />
su enck<br />
cd ~<br />
ln -s /mnt/Storage store<br />
ln -s /mnt/Storage/Git git<br />
<br />
install core-scripts and test scripts/validate cron/etc.</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/Install&diff=527269
User:Enckse/Install
2018-06-22T02:41:31Z
<p>Enckse: /* core server */ casing</p>
<hr />
<div>Personal page for installing arch on a variety of systems/configurations/etc.<br />
<br />
{{Warning|These are specific instructions for my own use, continue at your own risk}}<br />
<br />
<br />
__TOC__<br />
<br />
== Disk Setup ==<br />
<br />
=== partition ===<br />
<br />
use a scheme to create a big enough boot partition for EFI, otherwise everything else will be set for LVM (aka not boot) <br />
<br />
gdisk /dev/<disk><br />
<br />
following prompts (as needed) to convert to gpt (if not), then configure 2 partitions<br />
<br />
1 1GB EFI partition # hex ef00<br />
2 100% size partiton <br />
<br />
{{Warning|Any disk references here should match your system}}<br />
<br />
=== boot/efi ===<br />
<br />
yes, I know my boot partition isn't encrypted.<br />
<br />
mkfs.vfat -F32 /dev/<disk>1<br />
<br />
=== cryptsetup ===<br />
<br />
use cryptsetup on the 100% size partition to encrypt data there<br />
<br />
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y --use-random luksFormat /dev/<disk>2<br />
cryptsetup luksOpen /dev/<disk>2 luks<br />
<br />
=== lvm ===<br />
<br />
going to create a volume group that is just root and swap<br />
<br />
pvcreate /dev/mapper/luks<br />
vgcreate vg /dev/mapper/luks<br />
lvcreate --size 8G vg --name swap<br />
lvcreate -l +100%FREE vg --name root<br />
<br />
=== fs/mount ===<br />
<br />
using btrfs for root and obviously swap for swap, then mount all the things<br />
mkfs.btrfs /dev/mapper/vg-root<br />
mkswap /dev/mapper/vg-swap<br />
mount /dev/mapper/vg-root /mnt <br />
swapon /dev/mapper/vg-swap <br />
mkdir /mnt/boot<br />
mount /dev/<disk>1 /mnt/boot<br />
<br />
=== networking ===<br />
<br />
{{Note|For a radius-networked device, do the following to acquire a network connection<br />
{{hc|/etc/wpa_supplicant/wpa_supplicant-wired-''adapter''.conf|2=<br />
ctrl_interface=/var/run/wpa_supplicant<br />
ap_scan=0<br />
network={<br />
key_mgmt=IEEE8021X<br />
eap=PEAP<br />
identity="''user_name''"<br />
password="''user_password''"<br />
phase2="autheap=MSCHAPV2"<br />
}<br />
}}<br />
ip link set ''adapter'' down<br />
systemctl start wpa_supplicant-wired@''adapter''.service<br />
systemctl start dhcpcd@''adapter''.service<br />
}}<br />
<br />
== System Configuration ==<br />
<br />
=== setup/chroot ===<br />
<br />
starting packages<br />
pacstrap /mnt base vim git btrfs-progs wpa_supplicant<br />
<br />
fstab<br />
genfstab -pU /mnt >> /mnt/etc/fstab<br />
<br />
chroot<br />
arch-chroot /mnt /bin/bash<br />
<br />
network<br />
{{Note|For a radius-networked device, do the following to make networking later easier<br />
cp /etc/wpa_supplicant/wpa_supplicant-wired-''adapter''.conf /mnt/etc/wpa_supplicant/<br />
}}<br />
<br />
{{Note|For a headless server, do the following to get networking up sooner<br />
{{hc|/etc/systemd/network/wired.network|2=<br />
[Match]<br />
Name=<adapter><br />
<br />
[Network]<br />
DHCP=ipv4<br />
}}<br />
<br />
{{hc|/etc/resolv.conf|2=<br />
nameserver <local nameserver><br />
nameserver <public nameservers...><br />
}}<br />
<br />
systemctl enable systemd-networkd<br />
systemctl enable wpa_supplicant-wired@''adapter''.service<br />
}}<br />
<br />
=== system settings ===<br />
<br />
clock<br />
rm -f /etc/localtime<br />
ln -s /usr/share/zoneinfo/<zone_info> /etc/localtime<br />
hwclock --systohc --utc<br />
<br />
hostname<br />
echo "<machine>" > /etc/hostname<br />
<br />
locale<br />
{{hc|/etc/locale.gen|2=<br />
# uncomment en_US.UTF-8 UTF-8 and/or others<br />
}}<br />
locale-gen<br />
<br />
lang<br />
echo LANG=en_US.UTF-8 >> /etc/locale.conf<br />
<br />
root password<br />
passwd<br />
<br />
=== booting ===<br />
<br />
luks/boot/mkinitcpio<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
HOOKS=(base udev autodetect modconf block fsck keymap encrypt lvm2 btrfs filesystems keyboard)<br />
}}<br />
<br />
mkinitcpio -p linux<br />
<br />
bootctl<br />
bootctl install<br />
<br />
entry<br />
{{hc|/boot/loader/entries/arch-encrypted.conf|2=<br />
title ArchLinux<br />
linux /vmlinuz-linux<br />
initrd /initramfs-linux.img<br />
options cryptdevice=UUID=XXXX:vg root=/dev/mapper/vg-root quiet rw<br />
}}<br />
<br />
{{Note|For XXXX uuid<br />
lsblk -f<br />
---<br />
NAME FSTYPE LABEL UUID MOUNTPOINT<br />
nvme0n1 <br />
├─nvme0n1p1 vfat BOOT-UUID /boot<br />
└─nvme0n1p2 crypto_LUKS XXXX-... <br />
└─luks-XXXX-... LVM2_member LVM-UUID <br />
├─vg-swap swap SWAP-UUID [SWAP]<br />
└─vg-root btrfs ROOT-UUID /<br />
}}<br />
<br />
{{Note|install the linux-rotate (epiphyte) package to configure fallbacks/previous kernels}}<br />
<br />
=== cleaning up ===<br />
<br />
exit chroot, umount, reboot<br />
exit<br />
umount -R /mnt<br />
swapoff -a<br />
reboot<br />
<br />
== User Setup ==<br />
<br />
temporary dhcp lease<br />
systemctl start dhcpcd@<adapter>.service<br />
<br />
create user<br />
useradd -m -s /bin/bash enck<br />
passwd enck<br />
<br />
sudo<br />
pacman -S sudo<br />
visudo<br />
#uncomment %wheel ALL=(ALL) ALL<br />
usermod -G wheel enck<br />
<br />
{{Note|For headless systems, go to the server section}}<br />
<br />
{{Note|Follow home.git README for dev environment}}<br />
<br />
Follow guidance within the [[Common Access Card]] page for browsers/debug/troubleshoot/etc of smartcard utilization<br />
<br />
setup machinectl networking from [[User:Enckse/TipsAndTricks#Shared_networking]]<br />
<br />
== Server/Headless Setup ==<br />
<br />
additional packages<br />
pacman -S openssh wget bash-completion<br />
<br />
=== ssh ===<br />
<br />
{{hc|/etc/ssh/sshd_config|2=<br />
Port <PORT><br />
Protocol 2<br />
# may need to enable, for a moment, to copy keys<br />
PermitRootLogin no<br />
PasswordAuthentication no<br />
}}<br />
<br />
systemctl enable sshd<br />
systemctl start sshd<br />
<br />
at this point copy ssh keys<br />
<br />
=== iptables ===<br />
<br />
{{hc|/etc/iptables/iptables.rules|2=<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:TCP - [0:0]<br />
:UDP - [0:0]<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -m conntrack --ctstate INVALID -j DROP<br />
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP<br />
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
-A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
-A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
-A TCP -p tcp --dport <PORT> -j ACCEPT<br />
<br />
COMMIT<br />
}}<br />
systemctl enable --now iptables<br />
<br />
== Core Server ==<br />
<br />
=== bootstrap ===<br />
<br />
we would like some utilties to bootstrap ourselves<br />
pacman openssh rsync<br />
<br />
enable sshd (permit root login) to get off of having to be "on" the physical system<br />
systemctl enable --now sshd<br />
<br />
now we can ssh and do what needs to be done<br />
<br />
=== data dirs ===<br />
<br />
for each data data, create a single linux type partition<br />
fdisk /dev/<disk><br />
<br />
crypt setup each drive<br />
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y --use-random luksFormat /dev/<disk><br />
cryptsetup luksOpen /dev/<disk> diskN<br />
mkfs.btrfs /dev/mapper/diskN<br />
<br />
setup a key<br />
dd if=/dev/urandom of=/etc/storage.key bs=512 count=8<br />
cryptsetup luksAddKey /dev/<disk> /etc/storage.key<br />
<br />
edit crypt tab<br />
disk1 UUID=lsblk -f <disk> /etc/storage.key<br />
disk2 UUID=lsblk -f <disk> /etc/storage.key <br />
<br />
and fstab<br />
/dev/mapper/disk1 /mnt/disk1 btrfs rw,ssd 0 0<br />
/dev/mapper/disk2 /mnt/disk2 btrfs rw,ssd 0 0<br />
<br />
now reboot and then<br />
mkdir -p /mnt/disk1/Storage<br />
mkdir -p /mnt/disk1/Archive<br />
mkdir -p /mnt/disk2/Nightly<br />
mkdir -p /mnt/disk2/Staging<br />
ln -s /mnt/disk1/Storage /mnt/Storage <br />
ln -s /mnt/disk2/Staging /mnt/Staging <br />
ln -s /mnt/disk1/Archive /mnt/Archive <br />
ln -s /mnt/disk2/Nightly /mnt/Nightly<br />
<br />
=== general usage ===<br />
<br />
remove nano<br />
pacman -R nano<br />
<br />
back to the story<br />
su enck<br />
cd ~<br />
mkdir .ssh<br />
chmod 700 .ssh<br />
# copy pub key<br />
chmod 600 .ssh/authorized_keys<br />
exit<br />
<br />
at this point I should install naaman to help myself later and<br />
pacman -S tinyssh base-devel arch-install-scripts<br />
<br />
configure the ssh config as we'd like at this point (set root password if still in simple setup mode), get iptables rules setup<br />
pacman -S iptables<br />
# copy rules to /etc/iptables/iptables.rules<br />
systemctl enable --now iptables<br />
<br />
now complete https://wiki.archlinux.org/index.php/User:Enckse/TipsAndTricks#LUKS for luks over ssh<br />
reboot<br />
<br />
=== data ===<br />
<br />
time to copy data<br />
pacman -S screen<br />
<br />
make sure we're forwarding our agent<br />
screen<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Storage /mnt/Storage<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Staging /mnt/Staging<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Archive /mnt/Archive<br />
<br />
Starting copying any previous configs from one system to another. start git controlling etc<br />
<br />
make sure to enable cronie<br />
systemctl enable --now cronie<br />
<br />
test ssmtp (after getting configs set)<br />
echo 'test' | mail -v -s "testing" <email@address><br />
<br />
=== managing ===<br />
<br />
clone core<br />
cd /opt<br />
git clone <path/to/core/repo><br />
<br />
setup user links<br />
su enck<br />
cd ~<br />
ln -s /mnt/Storage store<br />
ln -s /mnt/Storage/Git git<br />
<br />
install core-scripts and test scripts/validate cron/etc.</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/Install&diff=527268
User:Enckse/Install
2018-06-22T02:40:15Z
<p>Enckse: /* User Setup */ specify when to follow home.git</p>
<hr />
<div>Personal page for installing arch on a variety of systems/configurations/etc.<br />
<br />
{{Warning|These are specific instructions for my own use, continue at your own risk}}<br />
<br />
<br />
__TOC__<br />
<br />
== Disk Setup ==<br />
<br />
=== partition ===<br />
<br />
use a scheme to create a big enough boot partition for EFI, otherwise everything else will be set for LVM (aka not boot) <br />
<br />
gdisk /dev/<disk><br />
<br />
following prompts (as needed) to convert to gpt (if not), then configure 2 partitions<br />
<br />
1 1GB EFI partition # hex ef00<br />
2 100% size partiton <br />
<br />
{{Warning|Any disk references here should match your system}}<br />
<br />
=== boot/efi ===<br />
<br />
yes, I know my boot partition isn't encrypted.<br />
<br />
mkfs.vfat -F32 /dev/<disk>1<br />
<br />
=== cryptsetup ===<br />
<br />
use cryptsetup on the 100% size partition to encrypt data there<br />
<br />
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y --use-random luksFormat /dev/<disk>2<br />
cryptsetup luksOpen /dev/<disk>2 luks<br />
<br />
=== lvm ===<br />
<br />
going to create a volume group that is just root and swap<br />
<br />
pvcreate /dev/mapper/luks<br />
vgcreate vg /dev/mapper/luks<br />
lvcreate --size 8G vg --name swap<br />
lvcreate -l +100%FREE vg --name root<br />
<br />
=== fs/mount ===<br />
<br />
using btrfs for root and obviously swap for swap, then mount all the things<br />
mkfs.btrfs /dev/mapper/vg-root<br />
mkswap /dev/mapper/vg-swap<br />
mount /dev/mapper/vg-root /mnt <br />
swapon /dev/mapper/vg-swap <br />
mkdir /mnt/boot<br />
mount /dev/<disk>1 /mnt/boot<br />
<br />
=== networking ===<br />
<br />
{{Note|For a radius-networked device, do the following to acquire a network connection<br />
{{hc|/etc/wpa_supplicant/wpa_supplicant-wired-''adapter''.conf|2=<br />
ctrl_interface=/var/run/wpa_supplicant<br />
ap_scan=0<br />
network={<br />
key_mgmt=IEEE8021X<br />
eap=PEAP<br />
identity="''user_name''"<br />
password="''user_password''"<br />
phase2="autheap=MSCHAPV2"<br />
}<br />
}}<br />
ip link set ''adapter'' down<br />
systemctl start wpa_supplicant-wired@''adapter''.service<br />
systemctl start dhcpcd@''adapter''.service<br />
}}<br />
<br />
== System Configuration ==<br />
<br />
=== setup/chroot ===<br />
<br />
starting packages<br />
pacstrap /mnt base vim git btrfs-progs wpa_supplicant<br />
<br />
fstab<br />
genfstab -pU /mnt >> /mnt/etc/fstab<br />
<br />
chroot<br />
arch-chroot /mnt /bin/bash<br />
<br />
network<br />
{{Note|For a radius-networked device, do the following to make networking later easier<br />
cp /etc/wpa_supplicant/wpa_supplicant-wired-''adapter''.conf /mnt/etc/wpa_supplicant/<br />
}}<br />
<br />
{{Note|For a headless server, do the following to get networking up sooner<br />
{{hc|/etc/systemd/network/wired.network|2=<br />
[Match]<br />
Name=<adapter><br />
<br />
[Network]<br />
DHCP=ipv4<br />
}}<br />
<br />
{{hc|/etc/resolv.conf|2=<br />
nameserver <local nameserver><br />
nameserver <public nameservers...><br />
}}<br />
<br />
systemctl enable systemd-networkd<br />
systemctl enable wpa_supplicant-wired@''adapter''.service<br />
}}<br />
<br />
=== system settings ===<br />
<br />
clock<br />
rm -f /etc/localtime<br />
ln -s /usr/share/zoneinfo/<zone_info> /etc/localtime<br />
hwclock --systohc --utc<br />
<br />
hostname<br />
echo "<machine>" > /etc/hostname<br />
<br />
locale<br />
{{hc|/etc/locale.gen|2=<br />
# uncomment en_US.UTF-8 UTF-8 and/or others<br />
}}<br />
locale-gen<br />
<br />
lang<br />
echo LANG=en_US.UTF-8 >> /etc/locale.conf<br />
<br />
root password<br />
passwd<br />
<br />
=== booting ===<br />
<br />
luks/boot/mkinitcpio<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
HOOKS=(base udev autodetect modconf block fsck keymap encrypt lvm2 btrfs filesystems keyboard)<br />
}}<br />
<br />
mkinitcpio -p linux<br />
<br />
bootctl<br />
bootctl install<br />
<br />
entry<br />
{{hc|/boot/loader/entries/arch-encrypted.conf|2=<br />
title ArchLinux<br />
linux /vmlinuz-linux<br />
initrd /initramfs-linux.img<br />
options cryptdevice=UUID=XXXX:vg root=/dev/mapper/vg-root quiet rw<br />
}}<br />
<br />
{{Note|For XXXX uuid<br />
lsblk -f<br />
---<br />
NAME FSTYPE LABEL UUID MOUNTPOINT<br />
nvme0n1 <br />
├─nvme0n1p1 vfat BOOT-UUID /boot<br />
└─nvme0n1p2 crypto_LUKS XXXX-... <br />
└─luks-XXXX-... LVM2_member LVM-UUID <br />
├─vg-swap swap SWAP-UUID [SWAP]<br />
└─vg-root btrfs ROOT-UUID /<br />
}}<br />
<br />
{{Note|install the linux-rotate (epiphyte) package to configure fallbacks/previous kernels}}<br />
<br />
=== cleaning up ===<br />
<br />
exit chroot, umount, reboot<br />
exit<br />
umount -R /mnt<br />
swapoff -a<br />
reboot<br />
<br />
== User Setup ==<br />
<br />
temporary dhcp lease<br />
systemctl start dhcpcd@<adapter>.service<br />
<br />
create user<br />
useradd -m -s /bin/bash enck<br />
passwd enck<br />
<br />
sudo<br />
pacman -S sudo<br />
visudo<br />
#uncomment %wheel ALL=(ALL) ALL<br />
usermod -G wheel enck<br />
<br />
{{Note|For headless systems, go to the server section}}<br />
<br />
{{Note|Follow home.git README for dev environment}}<br />
<br />
Follow guidance within the [[Common Access Card]] page for browsers/debug/troubleshoot/etc of smartcard utilization<br />
<br />
setup machinectl networking from [[User:Enckse/TipsAndTricks#Shared_networking]]<br />
<br />
== Server/Headless Setup ==<br />
<br />
additional packages<br />
pacman -S openssh wget bash-completion<br />
<br />
=== ssh ===<br />
<br />
{{hc|/etc/ssh/sshd_config|2=<br />
Port <PORT><br />
Protocol 2<br />
# may need to enable, for a moment, to copy keys<br />
PermitRootLogin no<br />
PasswordAuthentication no<br />
}}<br />
<br />
systemctl enable sshd<br />
systemctl start sshd<br />
<br />
at this point copy ssh keys<br />
<br />
=== iptables ===<br />
<br />
{{hc|/etc/iptables/iptables.rules|2=<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:TCP - [0:0]<br />
:UDP - [0:0]<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -m conntrack --ctstate INVALID -j DROP<br />
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP<br />
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
-A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
-A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
-A TCP -p tcp --dport <PORT> -j ACCEPT<br />
<br />
COMMIT<br />
}}<br />
systemctl enable --now iptables<br />
<br />
== core server ==<br />
<br />
=== bootstrap ===<br />
<br />
we would like some utilties to bootstrap ourselves<br />
pacman openssh rsync<br />
<br />
enable sshd (permit root login) to get off of having to be "on" the physical system<br />
systemctl enable --now sshd<br />
<br />
now we can ssh and do what needs to be done<br />
<br />
=== data dirs ===<br />
<br />
for each data data, create a single linux type partition<br />
fdisk /dev/<disk><br />
<br />
crypt setup each drive<br />
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y --use-random luksFormat /dev/<disk><br />
cryptsetup luksOpen /dev/<disk> diskN<br />
mkfs.btrfs /dev/mapper/diskN<br />
<br />
setup a key<br />
dd if=/dev/urandom of=/etc/storage.key bs=512 count=8<br />
cryptsetup luksAddKey /dev/<disk> /etc/storage.key<br />
<br />
edit crypt tab<br />
disk1 UUID=lsblk -f <disk> /etc/storage.key<br />
disk2 UUID=lsblk -f <disk> /etc/storage.key <br />
<br />
and fstab<br />
/dev/mapper/disk1 /mnt/disk1 btrfs rw,ssd 0 0<br />
/dev/mapper/disk2 /mnt/disk2 btrfs rw,ssd 0 0<br />
<br />
now reboot and then<br />
mkdir -p /mnt/disk1/Storage<br />
mkdir -p /mnt/disk1/Archive<br />
mkdir -p /mnt/disk2/Nightly<br />
mkdir -p /mnt/disk2/Staging<br />
ln -s /mnt/disk1/Storage /mnt/Storage <br />
ln -s /mnt/disk2/Staging /mnt/Staging <br />
ln -s /mnt/disk1/Archive /mnt/Archive <br />
ln -s /mnt/disk2/Nightly /mnt/Nightly<br />
<br />
=== general usage ===<br />
<br />
remove nano<br />
pacman -R nano<br />
<br />
back to the story<br />
su enck<br />
cd ~<br />
mkdir .ssh<br />
chmod 700 .ssh<br />
# copy pub key<br />
chmod 600 .ssh/authorized_keys<br />
exit<br />
<br />
at this point I should install naaman to help myself later and<br />
pacman -S tinyssh base-devel arch-install-scripts<br />
<br />
configure the ssh config as we'd like at this point (set root password if still in simple setup mode), get iptables rules setup<br />
pacman -S iptables<br />
# copy rules to /etc/iptables/iptables.rules<br />
systemctl enable --now iptables<br />
<br />
now complete https://wiki.archlinux.org/index.php/User:Enckse/TipsAndTricks#LUKS for luks over ssh<br />
reboot<br />
<br />
=== data ===<br />
<br />
time to copy data<br />
pacman -S screen<br />
<br />
make sure we're forwarding our agent<br />
screen<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Storage /mnt/Storage<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Staging /mnt/Staging<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Archive /mnt/Archive<br />
<br />
Starting copying any previous configs from one system to another. start git controlling etc<br />
<br />
make sure to enable cronie<br />
systemctl enable --now cronie<br />
<br />
test ssmtp (after getting configs set)<br />
echo 'test' | mail -v -s "testing" <email@address><br />
<br />
=== managing ===<br />
<br />
clone core<br />
cd /opt<br />
git clone <path/to/core/repo><br />
<br />
setup user links<br />
su enck<br />
cd ~<br />
ln -s /mnt/Storage store<br />
ln -s /mnt/Storage/Git git<br />
<br />
install core-scripts and test scripts/validate cron/etc.</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/TipsAndTricks&diff=527267
User:Enckse/TipsAndTricks
2018-06-22T02:39:15Z
<p>Enckse: more merging of sections</p>
<hr />
<div>__TOC__<br />
<br />
== X ==<br />
<br />
=== Large Cursor ===<br />
<br />
In some cases a GTK application will pull in Adwaita and that can cause a 'comically large' mouse cursor<br />
{{hc|/usr/share/icons/default/index.theme|2=<br />
#Comment out this line<br />
Inherits=Adwaita<br />
}}<br />
<br />
== Containers ==<br />
<br />
machinectl/systemd-nspawn container notes<br />
{{Warning|Always make sure to enable machines.target when expecting systemd to control machines at system start/stop}}<br />
<br />
=== Service ===<br />
<br />
Required target<br />
systemctl enable machines.target<br />
<br />
=== Shared networking ===<br />
{{hc|sudo systemctl edit systemd-nspawn@.service|2=<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --machine=%I<br />
}}<br />
<br />
=== CAC Card/Smartcard ===<br />
<br />
{{Note|You must have the same version of pcsclite in the containers as you do on the host}}<br />
<br />
To troubleshoot in a clean(ish) environment in a container<br />
<br />
make sure X is shared on the host<br />
xhost +local:<br />
<br />
in the container<br />
DISPLAY=:0<br />
export DISPLAY<br />
<br />
bind the pcscd socket to the container in the nspawn file<br />
Bind=/var/run/pcscd/<br />
<br />
in the container install firefox, pcsclite, opensc (don't need ccid and you don't need to enable pcsclite as you are using the host socket). follow the cert install instructions for Common Access Cards<br />
<br />
now to test<br />
export PCSCLITE_CSOCK_NAME=/var/run/pcscd/pcscd.comm<br />
firefox<br />
<br />
== SSH ==<br />
<br />
=== Usage ===<br />
<br />
no bashrc loading<br />
ssh -t <host> bash --norc --noprofile<br />
<br />
=== Config ===<br />
<br />
==== Matching ====<br />
<br />
{{hc|~/.ssh/config|2=<br />
<nowiki><br />
Match exec "echo '%n' | grep -q -E '^(host1|host2|host3)$'"<br />
Port 1234<br />
<br />
Match exec "echo '%n' \| grep -q -E '^(host4|host2)$'"<br />
ForwardAgent yes<br />
</nowiki><br />
}}<br />
<br />
==== Proxying ====<br />
<br />
{{hc|~/.ssh/config|2=<br />
Host proxy<br />
HostName proxy.example.com<br />
RequestTTY force<br />
LocalCommand ssh dest.example.com<br />
PermitLocalCommand yes<br />
}}<br />
<br />
=== LUKS ===<br />
<br />
make sure we're up-to-date<br />
pacman -S tinyssh base-devel<br />
# install naaman<br />
naaman -S ucspi-tcp mkinitcpio-utils mkinitcpio-netconf mkinitcpio-tinyssh<br />
<br />
prep for use/boot<br />
cat /home/enck/.ssh/authorized_keys >> /etc/tinyssh/root_key<br />
<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
# HOOKS change 'encrypt' 'encryptssh' and add 'netconf' and 'tinyssh' before 'encryptssh'<br />
}}<br />
<br />
{{hc|/boot/loader/entries/arch-encrypted.conf|2=<br />
# add to options<br />
ip=:::::eth0:dhcp<br />
}}<br />
<br />
rebuild<br />
mkinitcpio -p linux<br />
<br />
== Commands ==<br />
<br />
Useful commands<br />
<br />
Reset xorg brightness<br />
sudo tee /sys/class/backlight/intel_backlight/brightness <<< 2000<br />
<br />
Wireless ssid scan<br />
sudo iwlist wlp3s0 scanning essid<br />
<br />
Attach files using mutt<br />
mutt -s "<subject>" <to> < <email_text> -a <file1> -a <file2><br />
<br />
Drive power on hours<br />
# requires smartmontools, change "/1" in awk with "/24" for days or "/8765.81" for years<br />
smartctl --all /dev/sd[X] | grep "Power_On_Hours " | tr -s " " | cut -d " " -f 11 | awk '{print $0/1}'<br />
<br />
cbr/cbz files: remove whitespace from names, cbr = unrar (unrar e <options>), cbz = unzip<br />
<br />
=== Downgrading Packages ===<br />
<br />
start in the cache<br />
cd /var/cache/pacman/pkg<br />
ls -l | grep "<package>"<br />
<br />
find it in the [[Arch Linux Archive]] and download if you don't have it in the cache<br />
<br />
run downgrade<br />
pacman -U <package><br />
<br />
ignoring for a while (if needed)<br />
{{hc|/etc/pacman.conf|2=<br />
IgnorePkg = <package> <package2><br />
}}<br />
<br />
== libvirt ==<br />
<br />
Assumes using dnsmasq and ebtables for NAT'd networking on child VMs on the host. Also that we're only using dnsmasq for this purpose<br />
<br />
first make sure dnsmasq starts and binds only how we want<br />
{{hc|/etc/dnsmasq.conf|2=<br />
interface=host-interface-name<br />
# or listen-address=ip<br />
# and<br />
bind-interfaces<br />
}}<br />
<br />
start a 'virsh' session<br />
{{Note|virsh commands, assumes 'default' config name}}<br />
net-edit default<br />
<br />
add an entry after the dhcp/range path<br />
<host mac='vm-mac-address' name='vm-name' ip='static-ip' /><br />
<br />
back to 'virsh' session<br />
net-destroy default<br />
net-start default<br />
<br />
Should reboot the host just to pick everything up<br />
<br />
references<br />
http://wiki.libvirt.org/page/Libvirtd_and_dnsmasq<br />
http://www.cyberciti.biz/faq/linux-kvm-libvirt-dnsmasq-dhcp-static-ip-address-configuration-for-guest-os/<br />
<br />
== ubnt ==<br />
<br />
=== Serial ===<br />
<br />
use minicom<br />
pacman -S minicom<br />
sudo minicom -s<br />
<br />
Select "Serial port setup"<br />
verify that:<br />
Device: /dev/ttyUSB0<br />
Baud: 115200<br />
HW: Off<br />
<br />
Select "Save setup as dfl" and exit<br />
<br />
Back into minicom<br />
sudo minicom<br />
<br />
Using minicom<br />
<br />
Ctrl-A then Z -> Help<br />
Ctrl-A then M -> Init modem<br />
<br />
It takes time to load, it should prompt for user/pass<br />
> ? (for help)<br />
> enable (to get into 'normal' ubnt shell)<br />
# ?<br />
# help<br />
# exit<br />
> exit<br />
<br />
References: https://help.ubnt.com/hc/en-us/articles/205202630-EdgeMAX-Connect-to-serial-console-port-default-settings https://wiki.archlinux.org/index.php/working_with_the_serial_console<br />
<br />
== SSMTP ==<br />
<br />
Mapping entries in /etc/ssmtp/revaliases<br />
root:[username]@gmail.com:smtp.gmail.com:587<br />
<br />
General config and setting up ssmtp in /etc/ssmtp/ssmtp.conf<br />
root=[username]@gmail.com<br />
mailhub=smtp.gmail.com:587<br />
hostname=localhost<br />
UseSTARTTLS=YES<br />
AuthUser=[username]@gmail.com<br />
AuthPass=[password]<br />
FromLineOverride=YES<br />
UseTLS=YES<br />
rewriteDomain=gmail.com<br />
<br />
To map local users with a different 'To:' edit /etc/mail.rc<br />
alias user user<username@gmail.com><br />
<br />
Test via<br />
echo test | mail -v -s "testing ssmtp" <receiving@email.address.com><br />
<br />
References https://wiki.archlinux.org/index.php/SSMTP<br />
<br />
== git ==<br />
<br />
=== multiple repos ===<br />
<br />
Storing multiple git repositories in a single directory (not using submodules). For this purpose there is a repository (1) which should be read/write and others that are read-only (that's important later).<br />
<br />
mv .git .git-repo1<br />
# now clone the second<br />
git clone <repo2><br />
mv .git .git-repo2<br />
mv .git-repo1 .git<br />
<br />
At this point repo1 (the read/write repo) is now going to respond to 'git' commands. To run against another repo<br />
git --git-dir=.git-repo2 <command><br />
<br />
There will be some difficulties with multiple .gitignore files but if only one repo (1) has an ignore file, it can have exclusions defined for the others repositories (since the others are read-only in this case)<br />
git --git-dir=.git-repo2 config core.excludefiles ".git-repo2-exclude"<br />
<br />
Of course the .git-repo2-exclude file would need to be included in repo1's repository.<br />
<br />
References: http://stackoverflow.com/questions/436125/two-git-repositories-in-one-directory<br />
<br />
=== remotes ===<br />
<br />
use a post-receive hook<br />
<br />
to push to something like github you must make sure the host is known<br />
ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts<br />
<br />
you can push via post-receive hook<br />
git push --all git@github.com:</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/TipsAndTricks&diff=527266
User:Enckse/TipsAndTricks
2018-06-22T02:37:52Z
<p>Enckse: /* git */ adding subsection</p>
<hr />
<div>__TOC__<br />
<br />
== X ==<br />
<br />
=== Large Cursor ===<br />
<br />
In some cases a GTK application will pull in Adwaita and that can cause a 'comically large' mouse cursor<br />
{{hc|/usr/share/icons/default/index.theme|2=<br />
#Comment out this line<br />
Inherits=Adwaita<br />
}}<br />
<br />
== Containers ==<br />
<br />
machinectl/systemd-nspawn container notes<br />
{{Warning|Always make sure to enable machines.target when expecting systemd to control machines at system start/stop}}<br />
<br />
=== Service ===<br />
<br />
Required target<br />
systemctl enable machines.target<br />
<br />
=== Shared networking ===<br />
{{hc|sudo systemctl edit systemd-nspawn@.service|2=<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --machine=%I<br />
}}<br />
<br />
== SSH ==<br />
<br />
=== Usage ===<br />
<br />
no bashrc loading<br />
ssh -t <host> bash --norc --noprofile<br />
<br />
=== Config ===<br />
<br />
==== Matching ====<br />
<br />
{{hc|~/.ssh/config|2=<br />
<nowiki><br />
Match exec "echo '%n' | grep -q -E '^(host1|host2|host3)$'"<br />
Port 1234<br />
<br />
Match exec "echo '%n' \| grep -q -E '^(host4|host2)$'"<br />
ForwardAgent yes<br />
</nowiki><br />
}}<br />
<br />
==== Proxying ====<br />
<br />
{{hc|~/.ssh/config|2=<br />
Host proxy<br />
HostName proxy.example.com<br />
RequestTTY force<br />
LocalCommand ssh dest.example.com<br />
PermitLocalCommand yes<br />
}}<br />
<br />
=== LUKS ===<br />
<br />
make sure we're up-to-date<br />
pacman -S tinyssh base-devel<br />
# install naaman<br />
naaman -S ucspi-tcp mkinitcpio-utils mkinitcpio-netconf mkinitcpio-tinyssh<br />
<br />
prep for use/boot<br />
cat /home/enck/.ssh/authorized_keys >> /etc/tinyssh/root_key<br />
<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
# HOOKS change 'encrypt' 'encryptssh' and add 'netconf' and 'tinyssh' before 'encryptssh'<br />
}}<br />
<br />
{{hc|/boot/loader/entries/arch-encrypted.conf|2=<br />
# add to options<br />
ip=:::::eth0:dhcp<br />
}}<br />
<br />
rebuild<br />
mkinitcpio -p linux<br />
<br />
== Commands ==<br />
<br />
Useful commands<br />
<br />
Reset xorg brightness<br />
sudo tee /sys/class/backlight/intel_backlight/brightness <<< 2000<br />
<br />
Wireless ssid scan<br />
sudo iwlist wlp3s0 scanning essid<br />
<br />
Attach files using mutt<br />
mutt -s "<subject>" <to> < <email_text> -a <file1> -a <file2><br />
<br />
Drive power on hours<br />
# requires smartmontools, change "/1" in awk with "/24" for days or "/8765.81" for years<br />
smartctl --all /dev/sd[X] | grep "Power_On_Hours " | tr -s " " | cut -d " " -f 11 | awk '{print $0/1}'<br />
<br />
=== Downgrading Packages ===<br />
<br />
start in the cache<br />
cd /var/cache/pacman/pkg<br />
ls -l | grep "<package>"<br />
<br />
find it in the [[Arch Linux Archive]] and download if you don't have it in the cache<br />
<br />
run downgrade<br />
pacman -U <package><br />
<br />
ignoring for a while (if needed)<br />
{{hc|/etc/pacman.conf|2=<br />
IgnorePkg = <package> <package2><br />
}}<br />
<br />
== libvirt ==<br />
<br />
Assumes using dnsmasq and ebtables for NAT'd networking on child VMs on the host. Also that we're only using dnsmasq for this purpose<br />
<br />
first make sure dnsmasq starts and binds only how we want<br />
{{hc|/etc/dnsmasq.conf|2=<br />
interface=host-interface-name<br />
# or listen-address=ip<br />
# and<br />
bind-interfaces<br />
}}<br />
<br />
start a 'virsh' session<br />
{{Note|virsh commands, assumes 'default' config name}}<br />
net-edit default<br />
<br />
add an entry after the dhcp/range path<br />
<host mac='vm-mac-address' name='vm-name' ip='static-ip' /><br />
<br />
back to 'virsh' session<br />
net-destroy default<br />
net-start default<br />
<br />
Should reboot the host just to pick everything up<br />
<br />
references<br />
http://wiki.libvirt.org/page/Libvirtd_and_dnsmasq<br />
http://www.cyberciti.biz/faq/linux-kvm-libvirt-dnsmasq-dhcp-static-ip-address-configuration-for-guest-os/<br />
<br />
== ubnt ==<br />
<br />
=== Serial ===<br />
<br />
use minicom<br />
pacman -S minicom<br />
sudo minicom -s<br />
<br />
Select "Serial port setup"<br />
verify that:<br />
Device: /dev/ttyUSB0<br />
Baud: 115200<br />
HW: Off<br />
<br />
Select "Save setup as dfl" and exit<br />
<br />
Back into minicom<br />
sudo minicom<br />
<br />
Using minicom<br />
<br />
Ctrl-A then Z -> Help<br />
Ctrl-A then M -> Init modem<br />
<br />
It takes time to load, it should prompt for user/pass<br />
> ? (for help)<br />
> enable (to get into 'normal' ubnt shell)<br />
# ?<br />
# help<br />
# exit<br />
> exit<br />
<br />
References: https://help.ubnt.com/hc/en-us/articles/205202630-EdgeMAX-Connect-to-serial-console-port-default-settings https://wiki.archlinux.org/index.php/working_with_the_serial_console<br />
<br />
== SSMTP ==<br />
<br />
Mapping entries in /etc/ssmtp/revaliases<br />
root:[username]@gmail.com:smtp.gmail.com:587<br />
<br />
General config and setting up ssmtp in /etc/ssmtp/ssmtp.conf<br />
root=[username]@gmail.com<br />
mailhub=smtp.gmail.com:587<br />
hostname=localhost<br />
UseSTARTTLS=YES<br />
AuthUser=[username]@gmail.com<br />
AuthPass=[password]<br />
FromLineOverride=YES<br />
UseTLS=YES<br />
rewriteDomain=gmail.com<br />
<br />
To map local users with a different 'To:' edit /etc/mail.rc<br />
alias user user<username@gmail.com><br />
<br />
Test via<br />
echo test | mail -v -s "testing ssmtp" <receiving@email.address.com><br />
<br />
References https://wiki.archlinux.org/index.php/SSMTP<br />
<br />
== git ==<br />
<br />
=== multiple repos ===<br />
<br />
Storing multiple git repositories in a single directory (not using submodules). For this purpose there is a repository (1) which should be read/write and others that are read-only (that's important later).<br />
<br />
mv .git .git-repo1<br />
# now clone the second<br />
git clone <repo2><br />
mv .git .git-repo2<br />
mv .git-repo1 .git<br />
<br />
At this point repo1 (the read/write repo) is now going to respond to 'git' commands. To run against another repo<br />
git --git-dir=.git-repo2 <command><br />
<br />
There will be some difficulties with multiple .gitignore files but if only one repo (1) has an ignore file, it can have exclusions defined for the others repositories (since the others are read-only in this case)<br />
git --git-dir=.git-repo2 config core.excludefiles ".git-repo2-exclude"<br />
<br />
Of course the .git-repo2-exclude file would need to be included in repo1's repository.<br />
<br />
References: http://stackoverflow.com/questions/436125/two-git-repositories-in-one-directory<br />
<br />
=== remotes ===<br />
<br />
use a post-receive hook<br />
<br />
to push to something like github you must make sure the host is known<br />
ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts<br />
<br />
you can push via post-receive hook<br />
git push --all git@github.com:<br />
<br />
== files ==<br />
<br />
=== cbr/cbz ===<br />
<br />
remove whitespace from names, cbr = unrar (unrar e <options>), cbz = unzip<br />
<br />
== CAC Card/Smartcard ==<br />
<br />
=== Debugging/Container ===<br />
<br />
{{Note|You must have the same version of pcsclite in the containers as you do on the host}}<br />
<br />
To troubleshoot in a clean(ish) environment in a container<br />
<br />
make sure X is shared on the host<br />
xhost +local:<br />
<br />
in the container<br />
DISPLAY=:0<br />
export DISPLAY<br />
<br />
bind the pcscd socket to the container in the nspawn file<br />
Bind=/var/run/pcscd/<br />
<br />
in the container install firefox, pcsclite, opensc (don't need ccid and you don't need to enable pcsclite as you are using the host socket). follow the cert install instructions for Common Access Cards<br />
<br />
now to test<br />
export PCSCLITE_CSOCK_NAME=/var/run/pcscd/pcscd.comm<br />
firefox</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/TipsAndTricks&diff=527265
User:Enckse/TipsAndTricks
2018-06-22T02:37:23Z
<p>Enckse: /* Commands */ merging sections</p>
<hr />
<div>__TOC__<br />
<br />
== X ==<br />
<br />
=== Large Cursor ===<br />
<br />
In some cases a GTK application will pull in Adwaita and that can cause a 'comically large' mouse cursor<br />
{{hc|/usr/share/icons/default/index.theme|2=<br />
#Comment out this line<br />
Inherits=Adwaita<br />
}}<br />
<br />
== Containers ==<br />
<br />
machinectl/systemd-nspawn container notes<br />
{{Warning|Always make sure to enable machines.target when expecting systemd to control machines at system start/stop}}<br />
<br />
=== Service ===<br />
<br />
Required target<br />
systemctl enable machines.target<br />
<br />
=== Shared networking ===<br />
{{hc|sudo systemctl edit systemd-nspawn@.service|2=<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --machine=%I<br />
}}<br />
<br />
== SSH ==<br />
<br />
=== Usage ===<br />
<br />
no bashrc loading<br />
ssh -t <host> bash --norc --noprofile<br />
<br />
=== Config ===<br />
<br />
==== Matching ====<br />
<br />
{{hc|~/.ssh/config|2=<br />
<nowiki><br />
Match exec "echo '%n' | grep -q -E '^(host1|host2|host3)$'"<br />
Port 1234<br />
<br />
Match exec "echo '%n' \| grep -q -E '^(host4|host2)$'"<br />
ForwardAgent yes<br />
</nowiki><br />
}}<br />
<br />
==== Proxying ====<br />
<br />
{{hc|~/.ssh/config|2=<br />
Host proxy<br />
HostName proxy.example.com<br />
RequestTTY force<br />
LocalCommand ssh dest.example.com<br />
PermitLocalCommand yes<br />
}}<br />
<br />
=== LUKS ===<br />
<br />
make sure we're up-to-date<br />
pacman -S tinyssh base-devel<br />
# install naaman<br />
naaman -S ucspi-tcp mkinitcpio-utils mkinitcpio-netconf mkinitcpio-tinyssh<br />
<br />
prep for use/boot<br />
cat /home/enck/.ssh/authorized_keys >> /etc/tinyssh/root_key<br />
<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
# HOOKS change 'encrypt' 'encryptssh' and add 'netconf' and 'tinyssh' before 'encryptssh'<br />
}}<br />
<br />
{{hc|/boot/loader/entries/arch-encrypted.conf|2=<br />
# add to options<br />
ip=:::::eth0:dhcp<br />
}}<br />
<br />
rebuild<br />
mkinitcpio -p linux<br />
<br />
== Commands ==<br />
<br />
Useful commands<br />
<br />
Reset xorg brightness<br />
sudo tee /sys/class/backlight/intel_backlight/brightness <<< 2000<br />
<br />
Wireless ssid scan<br />
sudo iwlist wlp3s0 scanning essid<br />
<br />
Attach files using mutt<br />
mutt -s "<subject>" <to> < <email_text> -a <file1> -a <file2><br />
<br />
Drive power on hours<br />
# requires smartmontools, change "/1" in awk with "/24" for days or "/8765.81" for years<br />
smartctl --all /dev/sd[X] | grep "Power_On_Hours " | tr -s " " | cut -d " " -f 11 | awk '{print $0/1}'<br />
<br />
=== Downgrading Packages ===<br />
<br />
start in the cache<br />
cd /var/cache/pacman/pkg<br />
ls -l | grep "<package>"<br />
<br />
find it in the [[Arch Linux Archive]] and download if you don't have it in the cache<br />
<br />
run downgrade<br />
pacman -U <package><br />
<br />
ignoring for a while (if needed)<br />
{{hc|/etc/pacman.conf|2=<br />
IgnorePkg = <package> <package2><br />
}}<br />
<br />
== libvirt ==<br />
<br />
Assumes using dnsmasq and ebtables for NAT'd networking on child VMs on the host. Also that we're only using dnsmasq for this purpose<br />
<br />
first make sure dnsmasq starts and binds only how we want<br />
{{hc|/etc/dnsmasq.conf|2=<br />
interface=host-interface-name<br />
# or listen-address=ip<br />
# and<br />
bind-interfaces<br />
}}<br />
<br />
start a 'virsh' session<br />
{{Note|virsh commands, assumes 'default' config name}}<br />
net-edit default<br />
<br />
add an entry after the dhcp/range path<br />
<host mac='vm-mac-address' name='vm-name' ip='static-ip' /><br />
<br />
back to 'virsh' session<br />
net-destroy default<br />
net-start default<br />
<br />
Should reboot the host just to pick everything up<br />
<br />
references<br />
http://wiki.libvirt.org/page/Libvirtd_and_dnsmasq<br />
http://www.cyberciti.biz/faq/linux-kvm-libvirt-dnsmasq-dhcp-static-ip-address-configuration-for-guest-os/<br />
<br />
== ubnt ==<br />
<br />
=== Serial ===<br />
<br />
use minicom<br />
pacman -S minicom<br />
sudo minicom -s<br />
<br />
Select "Serial port setup"<br />
verify that:<br />
Device: /dev/ttyUSB0<br />
Baud: 115200<br />
HW: Off<br />
<br />
Select "Save setup as dfl" and exit<br />
<br />
Back into minicom<br />
sudo minicom<br />
<br />
Using minicom<br />
<br />
Ctrl-A then Z -> Help<br />
Ctrl-A then M -> Init modem<br />
<br />
It takes time to load, it should prompt for user/pass<br />
> ? (for help)<br />
> enable (to get into 'normal' ubnt shell)<br />
# ?<br />
# help<br />
# exit<br />
> exit<br />
<br />
References: https://help.ubnt.com/hc/en-us/articles/205202630-EdgeMAX-Connect-to-serial-console-port-default-settings https://wiki.archlinux.org/index.php/working_with_the_serial_console<br />
<br />
== SSMTP ==<br />
<br />
Mapping entries in /etc/ssmtp/revaliases<br />
root:[username]@gmail.com:smtp.gmail.com:587<br />
<br />
General config and setting up ssmtp in /etc/ssmtp/ssmtp.conf<br />
root=[username]@gmail.com<br />
mailhub=smtp.gmail.com:587<br />
hostname=localhost<br />
UseSTARTTLS=YES<br />
AuthUser=[username]@gmail.com<br />
AuthPass=[password]<br />
FromLineOverride=YES<br />
UseTLS=YES<br />
rewriteDomain=gmail.com<br />
<br />
To map local users with a different 'To:' edit /etc/mail.rc<br />
alias user user<username@gmail.com><br />
<br />
Test via<br />
echo test | mail -v -s "testing ssmtp" <receiving@email.address.com><br />
<br />
References https://wiki.archlinux.org/index.php/SSMTP<br />
<br />
== git ==<br />
<br />
Storing multiple git repositories in a single directory (not using submodules). For this purpose there is a repository (1) which should be read/write and others that are read-only (that's important later).<br />
<br />
mv .git .git-repo1<br />
# now clone the second<br />
git clone <repo2><br />
mv .git .git-repo2<br />
mv .git-repo1 .git<br />
<br />
At this point repo1 (the read/write repo) is now going to respond to 'git' commands. To run against another repo<br />
git --git-dir=.git-repo2 <command><br />
<br />
There will be some difficulties with multiple .gitignore files but if only one repo (1) has an ignore file, it can have exclusions defined for the others repositories (since the others are read-only in this case)<br />
git --git-dir=.git-repo2 config core.excludefiles ".git-repo2-exclude"<br />
<br />
Of course the .git-repo2-exclude file would need to be included in repo1's repository.<br />
<br />
References: http://stackoverflow.com/questions/436125/two-git-repositories-in-one-directory<br />
<br />
=== remotes ===<br />
<br />
use a post-receive hook<br />
<br />
to push to something like github you must make sure the host is known<br />
ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts<br />
<br />
you can push via post-receive hook<br />
git push --all git@github.com:<br />
<br />
== files ==<br />
<br />
=== cbr/cbz ===<br />
<br />
remove whitespace from names, cbr = unrar (unrar e <options>), cbz = unzip<br />
<br />
== CAC Card/Smartcard ==<br />
<br />
=== Debugging/Container ===<br />
<br />
{{Note|You must have the same version of pcsclite in the containers as you do on the host}}<br />
<br />
To troubleshoot in a clean(ish) environment in a container<br />
<br />
make sure X is shared on the host<br />
xhost +local:<br />
<br />
in the container<br />
DISPLAY=:0<br />
export DISPLAY<br />
<br />
bind the pcscd socket to the container in the nspawn file<br />
Bind=/var/run/pcscd/<br />
<br />
in the container install firefox, pcsclite, opensc (don't need ccid and you don't need to enable pcsclite as you are using the host socket). follow the cert install instructions for Common Access Cards<br />
<br />
now to test<br />
export PCSCLITE_CSOCK_NAME=/var/run/pcscd/pcscd.comm<br />
firefox</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/TipsAndTricks&diff=527264
User:Enckse/TipsAndTricks
2018-06-22T02:36:01Z
<p>Enckse: moving several things under commands</p>
<hr />
<div>__TOC__<br />
<br />
== X ==<br />
<br />
=== Large Cursor ===<br />
<br />
In some cases a GTK application will pull in Adwaita and that can cause a 'comically large' mouse cursor<br />
{{hc|/usr/share/icons/default/index.theme|2=<br />
#Comment out this line<br />
Inherits=Adwaita<br />
}}<br />
<br />
== Containers ==<br />
<br />
machinectl/systemd-nspawn container notes<br />
{{Warning|Always make sure to enable machines.target when expecting systemd to control machines at system start/stop}}<br />
<br />
=== Service ===<br />
<br />
Required target<br />
systemctl enable machines.target<br />
<br />
=== Shared networking ===<br />
{{hc|sudo systemctl edit systemd-nspawn@.service|2=<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --machine=%I<br />
}}<br />
<br />
== SSH ==<br />
<br />
=== Usage ===<br />
<br />
no bashrc loading<br />
ssh -t <host> bash --norc --noprofile<br />
<br />
=== Config ===<br />
<br />
==== Matching ====<br />
<br />
{{hc|~/.ssh/config|2=<br />
<nowiki><br />
Match exec "echo '%n' | grep -q -E '^(host1|host2|host3)$'"<br />
Port 1234<br />
<br />
Match exec "echo '%n' \| grep -q -E '^(host4|host2)$'"<br />
ForwardAgent yes<br />
</nowiki><br />
}}<br />
<br />
==== Proxying ====<br />
<br />
{{hc|~/.ssh/config|2=<br />
Host proxy<br />
HostName proxy.example.com<br />
RequestTTY force<br />
LocalCommand ssh dest.example.com<br />
PermitLocalCommand yes<br />
}}<br />
<br />
=== LUKS ===<br />
<br />
make sure we're up-to-date<br />
pacman -S tinyssh base-devel<br />
# install naaman<br />
naaman -S ucspi-tcp mkinitcpio-utils mkinitcpio-netconf mkinitcpio-tinyssh<br />
<br />
prep for use/boot<br />
cat /home/enck/.ssh/authorized_keys >> /etc/tinyssh/root_key<br />
<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
# HOOKS change 'encrypt' 'encryptssh' and add 'netconf' and 'tinyssh' before 'encryptssh'<br />
}}<br />
<br />
{{hc|/boot/loader/entries/arch-encrypted.conf|2=<br />
# add to options<br />
ip=:::::eth0:dhcp<br />
}}<br />
<br />
rebuild<br />
mkinitcpio -p linux<br />
<br />
== Commands ==<br />
<br />
Useful commands<br />
<br />
Reset xorg brightness<br />
sudo tee /sys/class/backlight/intel_backlight/brightness <<< 2000<br />
<br />
Wireless ssid scan<br />
sudo iwlist wlp3s0 scanning essid<br />
<br />
Attach files using mutt<br />
mutt -s "<subject>" <to> < <email_text> -a <file1> -a <file2><br />
<br />
=== Downgrading Packages ===<br />
<br />
start in the cache<br />
cd /var/cache/pacman/pkg<br />
ls -l | grep "<package>"<br />
<br />
find it in the [[Arch Linux Archive]] and download if you don't have it in the cache<br />
<br />
run downgrade<br />
pacman -U <package><br />
<br />
ignoring for a while (if needed)<br />
{{hc|/etc/pacman.conf|2=<br />
IgnorePkg = <package> <package2><br />
}}<br />
<br />
=== Drive Power on Hours ===<br />
<br />
required packages<br />
pacman -S smartmontools<br />
<br />
hours<br />
smartctl --all /dev/sd[X] | grep "Power_On_Hours " | tr -s " " | cut -d " " -f 11 | awk '{print $0/1}'<br />
<br />
{{Note|Replace "/1" in awk with "/24" for days or "/8765.81" for years}}<br />
<br />
== libvirt ==<br />
<br />
Assumes using dnsmasq and ebtables for NAT'd networking on child VMs on the host. Also that we're only using dnsmasq for this purpose<br />
<br />
first make sure dnsmasq starts and binds only how we want<br />
{{hc|/etc/dnsmasq.conf|2=<br />
interface=host-interface-name<br />
# or listen-address=ip<br />
# and<br />
bind-interfaces<br />
}}<br />
<br />
start a 'virsh' session<br />
{{Note|virsh commands, assumes 'default' config name}}<br />
net-edit default<br />
<br />
add an entry after the dhcp/range path<br />
<host mac='vm-mac-address' name='vm-name' ip='static-ip' /><br />
<br />
back to 'virsh' session<br />
net-destroy default<br />
net-start default<br />
<br />
Should reboot the host just to pick everything up<br />
<br />
references<br />
http://wiki.libvirt.org/page/Libvirtd_and_dnsmasq<br />
http://www.cyberciti.biz/faq/linux-kvm-libvirt-dnsmasq-dhcp-static-ip-address-configuration-for-guest-os/<br />
<br />
== ubnt ==<br />
<br />
=== Serial ===<br />
<br />
use minicom<br />
pacman -S minicom<br />
sudo minicom -s<br />
<br />
Select "Serial port setup"<br />
verify that:<br />
Device: /dev/ttyUSB0<br />
Baud: 115200<br />
HW: Off<br />
<br />
Select "Save setup as dfl" and exit<br />
<br />
Back into minicom<br />
sudo minicom<br />
<br />
Using minicom<br />
<br />
Ctrl-A then Z -> Help<br />
Ctrl-A then M -> Init modem<br />
<br />
It takes time to load, it should prompt for user/pass<br />
> ? (for help)<br />
> enable (to get into 'normal' ubnt shell)<br />
# ?<br />
# help<br />
# exit<br />
> exit<br />
<br />
References: https://help.ubnt.com/hc/en-us/articles/205202630-EdgeMAX-Connect-to-serial-console-port-default-settings https://wiki.archlinux.org/index.php/working_with_the_serial_console<br />
<br />
== SSMTP ==<br />
<br />
Mapping entries in /etc/ssmtp/revaliases<br />
root:[username]@gmail.com:smtp.gmail.com:587<br />
<br />
General config and setting up ssmtp in /etc/ssmtp/ssmtp.conf<br />
root=[username]@gmail.com<br />
mailhub=smtp.gmail.com:587<br />
hostname=localhost<br />
UseSTARTTLS=YES<br />
AuthUser=[username]@gmail.com<br />
AuthPass=[password]<br />
FromLineOverride=YES<br />
UseTLS=YES<br />
rewriteDomain=gmail.com<br />
<br />
To map local users with a different 'To:' edit /etc/mail.rc<br />
alias user user<username@gmail.com><br />
<br />
Test via<br />
echo test | mail -v -s "testing ssmtp" <receiving@email.address.com><br />
<br />
References https://wiki.archlinux.org/index.php/SSMTP<br />
<br />
== git ==<br />
<br />
Storing multiple git repositories in a single directory (not using submodules). For this purpose there is a repository (1) which should be read/write and others that are read-only (that's important later).<br />
<br />
mv .git .git-repo1<br />
# now clone the second<br />
git clone <repo2><br />
mv .git .git-repo2<br />
mv .git-repo1 .git<br />
<br />
At this point repo1 (the read/write repo) is now going to respond to 'git' commands. To run against another repo<br />
git --git-dir=.git-repo2 <command><br />
<br />
There will be some difficulties with multiple .gitignore files but if only one repo (1) has an ignore file, it can have exclusions defined for the others repositories (since the others are read-only in this case)<br />
git --git-dir=.git-repo2 config core.excludefiles ".git-repo2-exclude"<br />
<br />
Of course the .git-repo2-exclude file would need to be included in repo1's repository.<br />
<br />
References: http://stackoverflow.com/questions/436125/two-git-repositories-in-one-directory<br />
<br />
=== remotes ===<br />
<br />
use a post-receive hook<br />
<br />
to push to something like github you must make sure the host is known<br />
ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts<br />
<br />
you can push via post-receive hook<br />
git push --all git@github.com:<br />
<br />
== files ==<br />
<br />
=== cbr/cbz ===<br />
<br />
remove whitespace from names, cbr = unrar (unrar e <options>), cbz = unzip<br />
<br />
== CAC Card/Smartcard ==<br />
<br />
=== Debugging/Container ===<br />
<br />
{{Note|You must have the same version of pcsclite in the containers as you do on the host}}<br />
<br />
To troubleshoot in a clean(ish) environment in a container<br />
<br />
make sure X is shared on the host<br />
xhost +local:<br />
<br />
in the container<br />
DISPLAY=:0<br />
export DISPLAY<br />
<br />
bind the pcscd socket to the container in the nspawn file<br />
Bind=/var/run/pcscd/<br />
<br />
in the container install firefox, pcsclite, opensc (don't need ccid and you don't need to enable pcsclite as you are using the host socket). follow the cert install instructions for Common Access Cards<br />
<br />
now to test<br />
export PCSCLITE_CSOCK_NAME=/var/run/pcscd/pcscd.comm<br />
firefox</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/TipsAndTricks&diff=527263
User:Enckse/TipsAndTricks
2018-06-22T02:34:09Z
<p>Enckse: cleaning up</p>
<hr />
<div>__TOC__<br />
<br />
== Packages ==<br />
<br />
=== Downgrading ===<br />
<br />
start in the cache<br />
cd /var/cache/pacman/pkg<br />
ls -l | grep "<package>"<br />
<br />
find it in the [[Arch Linux Archive]] and download if you don't have it in the cache<br />
<br />
run downgrade<br />
pacman -U <package><br />
<br />
ignoring for a while (if needed)<br />
{{hc|/etc/pacman.conf|2=<br />
IgnorePkg = <package> <package2><br />
}}<br />
<br />
== Drives ==<br />
<br />
=== Power on Hours ===<br />
<br />
required packages<br />
pacman -S smartmontools<br />
<br />
hours<br />
smartctl --all /dev/sd[X] | grep "Power_On_Hours " | tr -s " " | cut -d " " -f 11 | awk '{print $0/1}'<br />
<br />
{{Note|Replace "/1" in awk with "/24" for days or "/8765.81" for years}}<br />
<br />
== X ==<br />
<br />
=== Large Cursor ===<br />
<br />
In some cases a GTK application will pull in Adwaita and that can cause a 'comically large' mouse cursor<br />
{{hc|/usr/share/icons/default/index.theme|2=<br />
#Comment out this line<br />
Inherits=Adwaita<br />
}}<br />
<br />
== Containers ==<br />
<br />
machinectl/systemd-nspawn container notes<br />
{{Warning|Always make sure to enable machines.target when expecting systemd to control machines at system start/stop}}<br />
<br />
=== Service ===<br />
<br />
Required target<br />
systemctl enable machines.target<br />
<br />
=== Shared networking ===<br />
{{hc|sudo systemctl edit systemd-nspawn@.service|2=<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --machine=%I<br />
}}<br />
<br />
== SSH ==<br />
<br />
=== Usage ===<br />
<br />
no bashrc loading<br />
ssh -t <host> bash --norc --noprofile<br />
<br />
=== Config ===<br />
<br />
==== Matching ====<br />
<br />
{{hc|~/.ssh/config|2=<br />
<nowiki><br />
Match exec "echo '%n' | grep -q -E '^(host1|host2|host3)$'"<br />
Port 1234<br />
<br />
Match exec "echo '%n' \| grep -q -E '^(host4|host2)$'"<br />
ForwardAgent yes<br />
</nowiki><br />
}}<br />
<br />
==== Proxying ====<br />
<br />
{{hc|~/.ssh/config|2=<br />
Host proxy<br />
HostName proxy.example.com<br />
RequestTTY force<br />
LocalCommand ssh dest.example.com<br />
PermitLocalCommand yes<br />
}}<br />
<br />
=== LUKS ===<br />
<br />
make sure we're up-to-date<br />
pacman -S tinyssh base-devel<br />
# install naaman<br />
naaman -S ucspi-tcp mkinitcpio-utils mkinitcpio-netconf mkinitcpio-tinyssh<br />
<br />
prep for use/boot<br />
cat /home/enck/.ssh/authorized_keys >> /etc/tinyssh/root_key<br />
<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
# HOOKS change 'encrypt' 'encryptssh' and add 'netconf' and 'tinyssh' before 'encryptssh'<br />
}}<br />
<br />
{{hc|/boot/loader/entries/arch-encrypted.conf|2=<br />
# add to options<br />
ip=:::::eth0:dhcp<br />
}}<br />
<br />
rebuild<br />
mkinitcpio -p linux<br />
<br />
== Commands ==<br />
<br />
Useful commands<br />
<br />
Reset xorg brightness<br />
sudo tee /sys/class/backlight/intel_backlight/brightness <<< 2000<br />
<br />
Wireless ssid scan<br />
sudo iwlist wlp3s0 scanning essid<br />
<br />
Attach files using mutt<br />
mutt -s "<subject>" <to> < <email_text> -a <file1> -a <file2><br />
<br />
== libvirt ==<br />
<br />
Assumes using dnsmasq and ebtables for NAT'd networking on child VMs on the host. Also that we're only using dnsmasq for this purpose<br />
<br />
first make sure dnsmasq starts and binds only how we want<br />
{{hc|/etc/dnsmasq.conf|2=<br />
interface=host-interface-name<br />
# or listen-address=ip<br />
# and<br />
bind-interfaces<br />
}}<br />
<br />
start a 'virsh' session<br />
{{Note|virsh commands, assumes 'default' config name}}<br />
net-edit default<br />
<br />
add an entry after the dhcp/range path<br />
<host mac='vm-mac-address' name='vm-name' ip='static-ip' /><br />
<br />
back to 'virsh' session<br />
net-destroy default<br />
net-start default<br />
<br />
Should reboot the host just to pick everything up<br />
<br />
references<br />
http://wiki.libvirt.org/page/Libvirtd_and_dnsmasq<br />
http://www.cyberciti.biz/faq/linux-kvm-libvirt-dnsmasq-dhcp-static-ip-address-configuration-for-guest-os/<br />
<br />
== ubnt ==<br />
<br />
=== Serial ===<br />
<br />
use minicom<br />
pacman -S minicom<br />
sudo minicom -s<br />
<br />
Select "Serial port setup"<br />
verify that:<br />
Device: /dev/ttyUSB0<br />
Baud: 115200<br />
HW: Off<br />
<br />
Select "Save setup as dfl" and exit<br />
<br />
Back into minicom<br />
sudo minicom<br />
<br />
Using minicom<br />
<br />
Ctrl-A then Z -> Help<br />
Ctrl-A then M -> Init modem<br />
<br />
It takes time to load, it should prompt for user/pass<br />
> ? (for help)<br />
> enable (to get into 'normal' ubnt shell)<br />
# ?<br />
# help<br />
# exit<br />
> exit<br />
<br />
References: https://help.ubnt.com/hc/en-us/articles/205202630-EdgeMAX-Connect-to-serial-console-port-default-settings https://wiki.archlinux.org/index.php/working_with_the_serial_console<br />
<br />
== SSMTP ==<br />
<br />
Mapping entries in /etc/ssmtp/revaliases<br />
root:[username]@gmail.com:smtp.gmail.com:587<br />
<br />
General config and setting up ssmtp in /etc/ssmtp/ssmtp.conf<br />
root=[username]@gmail.com<br />
mailhub=smtp.gmail.com:587<br />
hostname=localhost<br />
UseSTARTTLS=YES<br />
AuthUser=[username]@gmail.com<br />
AuthPass=[password]<br />
FromLineOverride=YES<br />
UseTLS=YES<br />
rewriteDomain=gmail.com<br />
<br />
To map local users with a different 'To:' edit /etc/mail.rc<br />
alias user user<username@gmail.com><br />
<br />
Test via<br />
echo test | mail -v -s "testing ssmtp" <receiving@email.address.com><br />
<br />
References https://wiki.archlinux.org/index.php/SSMTP<br />
<br />
== git ==<br />
<br />
Storing multiple git repositories in a single directory (not using submodules). For this purpose there is a repository (1) which should be read/write and others that are read-only (that's important later).<br />
<br />
mv .git .git-repo1<br />
# now clone the second<br />
git clone <repo2><br />
mv .git .git-repo2<br />
mv .git-repo1 .git<br />
<br />
At this point repo1 (the read/write repo) is now going to respond to 'git' commands. To run against another repo<br />
git --git-dir=.git-repo2 <command><br />
<br />
There will be some difficulties with multiple .gitignore files but if only one repo (1) has an ignore file, it can have exclusions defined for the others repositories (since the others are read-only in this case)<br />
git --git-dir=.git-repo2 config core.excludefiles ".git-repo2-exclude"<br />
<br />
Of course the .git-repo2-exclude file would need to be included in repo1's repository.<br />
<br />
References: http://stackoverflow.com/questions/436125/two-git-repositories-in-one-directory<br />
<br />
=== remotes ===<br />
<br />
use a post-receive hook<br />
<br />
to push to something like github you must make sure the host is known<br />
ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts<br />
<br />
you can push via post-receive hook<br />
git push --all git@github.com:<br />
<br />
== files ==<br />
<br />
=== cbr/cbz ===<br />
<br />
remove whitespace from names, cbr = unrar (unrar e <options>), cbz = unzip<br />
<br />
== CAC Card/Smartcard ==<br />
<br />
=== Debugging/Container ===<br />
<br />
{{Note|You must have the same version of pcsclite in the containers as you do on the host}}<br />
<br />
To troubleshoot in a clean(ish) environment in a container<br />
<br />
make sure X is shared on the host<br />
xhost +local:<br />
<br />
in the container<br />
DISPLAY=:0<br />
export DISPLAY<br />
<br />
bind the pcscd socket to the container in the nspawn file<br />
Bind=/var/run/pcscd/<br />
<br />
in the container install firefox, pcsclite, opensc (don't need ccid and you don't need to enable pcsclite as you are using the host socket). follow the cert install instructions for Common Access Cards<br />
<br />
now to test<br />
export PCSCLITE_CSOCK_NAME=/var/run/pcscd/pcscd.comm<br />
firefox</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/Linode&diff=527262
User:Enckse/Linode
2018-06-22T02:30:49Z
<p>Enckse: cleaning up linode instructions</p>
<hr />
<div>{{Warning|Proceed with installing raw arch (using LUKS) on a linode VPS at your own risk, these steps get you there but it requires some understanding of what you are attempting to do}}<br />
<br />
__TOC__<br />
<br />
{{Warning|to boot you'll have to ssh into the linode, get dumped into grub, and run this command to load the actual grub config (then enter LUKS password)<br />
configfile (hd0,1)/grub/grub.cfg<br />
}}<br />
<br />
== bootstrapping ==<br />
<br />
# You will need 2 disk images (1 for bootstrap, 1 for actual install as unformatted/raw)<br />
# Deploy the Linode arch image (I know, I know) to the bootstrap disk image<br />
# Follow directions [https://www.linode.com/docs/tools-reference/custom-kernels-distros/run-a-distribution-supplied-kernel-with-kvm]<br />
<br />
Summarized as install kernel, grub<br />
pacman -S linux grub<br />
<br />
configure grub for lish access<br />
{{hc|vim /etc/default/grub|2=<br />
GRUB_TIMEOUT=10<br />
GRUB_CMDLINE_LINUX="console=ttyS0,19200n8"<br />
GRUB_DISABLE_LINUX_UUID=true<br />
GRUB_SERIAL_COMMAND="serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1"<br />
GRUB_TERMINAL=serial<br />
}}<br />
<br />
setup grub<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
Change the Linode Kernel to "GRUB 2", make sure the raw/unformatted image is attached as well<br />
reboot<br />
<br />
{{Note|it's possible to lose network here, interface names change during this "update"}}<br />
<br />
== install ==<br />
<br />
prep disks and format<br />
{{hc|fdisk /dev/sdX (raw/unformatted image)|2=<br />
1 1G (83) (bootable)<br />
2 100% (83)<br />
}}<br />
<br />
{{Note|the boot directory is not encrypted}}<br />
<br />
setup LUKS<br />
mkfs.ext2 /dev/sdX1<br />
cryptsetup -c aes-xts-plain64 -y --use-random luksFormat /dev/sdX2<br />
cryptsetup luksOpen /dev/sdX2 vps<br />
<br />
and lvm<br />
pvcreate /dev/mapper/vps<br />
vgcreate vg /dev/mapper/vps<br />
lvcreate --size 1G vg --name swap<br />
lvcreate -l +100%FREE vg --name root<br />
<br />
create filesystems<br />
mkfs.ext4 /dev/mapper/vg0-root<br />
mkswap /dev/mapper/vg0-swap<br />
<br />
and mount<br />
mount /dev/mapper/vg-root /mnt<br />
swapon /dev/mapper/vg-swap<br />
mkdir /mnt/boot<br />
mount /dev/sdX1 /mnt/boot<br />
<br />
perform the actual install steps<br />
pacman -S arch-install-scripts<br />
pacstrap /mnt base vim git<br />
<br />
for fstab setup:<br />
# review and remove any entries from /mnt/etc/fstab<br />
# copy anything from the host to the LUKS partition now!<br />
# also a good time to copy the Linode instructed grub changes!<br />
<br />
genfstab -pU /mnt >> /mnt/etc/fstab<br />
arch-chroot /mnt /bin/bash<br />
<br />
system setup<br />
ln -s /usr/share/zoneinfo/<zone_info> /etc/localtime<br />
hwclock --systohc --utc<br />
echo "<machine>" > /etc/hostname<br />
<br />
{{hc|vim /etc/locale.gen|2=<br />
# uncomment en_US.UTF-8 UTF-8 and/or others<br />
# then run<br />
locale-gen<br />
}}<br />
<br />
set locale LANG<br />
echo LANG=en_US.UTF-8 >> /etc/locale.conf<br />
<br />
set the root password<br />
passwd<br />
<br />
kernel setup<br />
{{hc|vim /etc/mkinitcpio.conf|2=<br />
# MODULES - add 'ext4'<br />
# HOOKS add 'encrypt' and 'lvm2' before 'filesystems'<br />
}}<br />
<br />
regen init<br />
mkinitcpio -p linux<br />
<br />
== grub ==<br />
<br />
make sure grub is installed<br />
pacman -S grub<br />
<br />
{{hc|vim /etc/default/grub|2=<br />
# append to GRUB_CMDLINE_LINUX<br />
cryptdevice=UUID=</dev/sdX2>:vg<br />
}}<br />
<br />
make grub config<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
cleanup and reboot<br />
exit<br />
umount -R /mnt<br />
swapoff -a<br />
reboot<br />
<br />
== networking ==<br />
<br />
configured wired adapter<br />
{{hc|vim /etc/systemd/network/wired.network|2=<br />
[Match]<br />
Name=<adapter><br />
<br />
[Network]<br />
DHCP=ipv4<br />
}}<br />
<br />
enable networkd and setup dns<br />
systemctl enable systemd-networkd<br />
systemctl start systemd-networkd<br />
<br />
{{hc|vim /etc/resolv.conf|2=<br />
nameserver <local nameserver><br />
nameserver <public nameserver><br />
}}</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/Install&diff=527261
User:Enckse/Install
2018-06-22T02:28:38Z
<p>Enckse: cleaning up some various page items</p>
<hr />
<div>Personal page for installing arch on a variety of systems/configurations/etc.<br />
<br />
{{Warning|These are specific instructions for my own use, continue at your own risk}}<br />
<br />
<br />
__TOC__<br />
<br />
== Disk Setup ==<br />
<br />
=== partition ===<br />
<br />
use a scheme to create a big enough boot partition for EFI, otherwise everything else will be set for LVM (aka not boot) <br />
<br />
gdisk /dev/<disk><br />
<br />
following prompts (as needed) to convert to gpt (if not), then configure 2 partitions<br />
<br />
1 1GB EFI partition # hex ef00<br />
2 100% size partiton <br />
<br />
{{Warning|Any disk references here should match your system}}<br />
<br />
=== boot/efi ===<br />
<br />
yes, I know my boot partition isn't encrypted.<br />
<br />
mkfs.vfat -F32 /dev/<disk>1<br />
<br />
=== cryptsetup ===<br />
<br />
use cryptsetup on the 100% size partition to encrypt data there<br />
<br />
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y --use-random luksFormat /dev/<disk>2<br />
cryptsetup luksOpen /dev/<disk>2 luks<br />
<br />
=== lvm ===<br />
<br />
going to create a volume group that is just root and swap<br />
<br />
pvcreate /dev/mapper/luks<br />
vgcreate vg /dev/mapper/luks<br />
lvcreate --size 8G vg --name swap<br />
lvcreate -l +100%FREE vg --name root<br />
<br />
=== fs/mount ===<br />
<br />
using btrfs for root and obviously swap for swap, then mount all the things<br />
mkfs.btrfs /dev/mapper/vg-root<br />
mkswap /dev/mapper/vg-swap<br />
mount /dev/mapper/vg-root /mnt <br />
swapon /dev/mapper/vg-swap <br />
mkdir /mnt/boot<br />
mount /dev/<disk>1 /mnt/boot<br />
<br />
=== networking ===<br />
<br />
{{Note|For a radius-networked device, do the following to acquire a network connection<br />
{{hc|/etc/wpa_supplicant/wpa_supplicant-wired-''adapter''.conf|2=<br />
ctrl_interface=/var/run/wpa_supplicant<br />
ap_scan=0<br />
network={<br />
key_mgmt=IEEE8021X<br />
eap=PEAP<br />
identity="''user_name''"<br />
password="''user_password''"<br />
phase2="autheap=MSCHAPV2"<br />
}<br />
}}<br />
ip link set ''adapter'' down<br />
systemctl start wpa_supplicant-wired@''adapter''.service<br />
systemctl start dhcpcd@''adapter''.service<br />
}}<br />
<br />
== System Configuration ==<br />
<br />
=== setup/chroot ===<br />
<br />
starting packages<br />
pacstrap /mnt base vim git btrfs-progs wpa_supplicant<br />
<br />
fstab<br />
genfstab -pU /mnt >> /mnt/etc/fstab<br />
<br />
chroot<br />
arch-chroot /mnt /bin/bash<br />
<br />
network<br />
{{Note|For a radius-networked device, do the following to make networking later easier<br />
cp /etc/wpa_supplicant/wpa_supplicant-wired-''adapter''.conf /mnt/etc/wpa_supplicant/<br />
}}<br />
<br />
{{Note|For a headless server, do the following to get networking up sooner<br />
{{hc|/etc/systemd/network/wired.network|2=<br />
[Match]<br />
Name=<adapter><br />
<br />
[Network]<br />
DHCP=ipv4<br />
}}<br />
<br />
{{hc|/etc/resolv.conf|2=<br />
nameserver <local nameserver><br />
nameserver <public nameservers...><br />
}}<br />
<br />
systemctl enable systemd-networkd<br />
systemctl enable wpa_supplicant-wired@''adapter''.service<br />
}}<br />
<br />
=== system settings ===<br />
<br />
clock<br />
rm -f /etc/localtime<br />
ln -s /usr/share/zoneinfo/<zone_info> /etc/localtime<br />
hwclock --systohc --utc<br />
<br />
hostname<br />
echo "<machine>" > /etc/hostname<br />
<br />
locale<br />
{{hc|/etc/locale.gen|2=<br />
# uncomment en_US.UTF-8 UTF-8 and/or others<br />
}}<br />
locale-gen<br />
<br />
lang<br />
echo LANG=en_US.UTF-8 >> /etc/locale.conf<br />
<br />
root password<br />
passwd<br />
<br />
=== booting ===<br />
<br />
luks/boot/mkinitcpio<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
HOOKS=(base udev autodetect modconf block fsck keymap encrypt lvm2 btrfs filesystems keyboard)<br />
}}<br />
<br />
mkinitcpio -p linux<br />
<br />
bootctl<br />
bootctl install<br />
<br />
entry<br />
{{hc|/boot/loader/entries/arch-encrypted.conf|2=<br />
title ArchLinux<br />
linux /vmlinuz-linux<br />
initrd /initramfs-linux.img<br />
options cryptdevice=UUID=XXXX:vg root=/dev/mapper/vg-root quiet rw<br />
}}<br />
<br />
{{Note|For XXXX uuid<br />
lsblk -f<br />
---<br />
NAME FSTYPE LABEL UUID MOUNTPOINT<br />
nvme0n1 <br />
├─nvme0n1p1 vfat BOOT-UUID /boot<br />
└─nvme0n1p2 crypto_LUKS XXXX-... <br />
└─luks-XXXX-... LVM2_member LVM-UUID <br />
├─vg-swap swap SWAP-UUID [SWAP]<br />
└─vg-root btrfs ROOT-UUID /<br />
}}<br />
<br />
{{Note|install the linux-rotate (epiphyte) package to configure fallbacks/previous kernels}}<br />
<br />
=== cleaning up ===<br />
<br />
exit chroot, umount, reboot<br />
exit<br />
umount -R /mnt<br />
swapoff -a<br />
reboot<br />
<br />
== User Setup ==<br />
<br />
temporary dhcp lease<br />
systemctl start dhcpcd@<adapter>.service<br />
<br />
create user<br />
useradd -m -s /bin/bash enck<br />
passwd enck<br />
<br />
sudo<br />
pacman -S sudo<br />
visudo<br />
#uncomment %wheel ALL=(ALL) ALL<br />
usermod -G wheel enck<br />
<br />
{{Note|For headless systems, go to the server section}}<br />
<br />
{{Note|Follow home.git README}}<br />
<br />
Follow guidance within the [[Common Access Card]] page for browsers/debug/troubleshoot/etc of smartcard utilization<br />
<br />
setup machinectl networking from [[User:Enckse/TipsAndTricks#Shared_networking]]<br />
<br />
== Server/Headless Setup ==<br />
<br />
additional packages<br />
pacman -S openssh wget bash-completion<br />
<br />
=== ssh ===<br />
<br />
{{hc|/etc/ssh/sshd_config|2=<br />
Port <PORT><br />
Protocol 2<br />
# may need to enable, for a moment, to copy keys<br />
PermitRootLogin no<br />
PasswordAuthentication no<br />
}}<br />
<br />
systemctl enable sshd<br />
systemctl start sshd<br />
<br />
at this point copy ssh keys<br />
<br />
=== iptables ===<br />
<br />
{{hc|/etc/iptables/iptables.rules|2=<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:TCP - [0:0]<br />
:UDP - [0:0]<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -m conntrack --ctstate INVALID -j DROP<br />
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP<br />
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
-A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
-A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
-A TCP -p tcp --dport <PORT> -j ACCEPT<br />
<br />
COMMIT<br />
}}<br />
systemctl enable --now iptables<br />
<br />
== core server ==<br />
<br />
=== bootstrap ===<br />
<br />
we would like some utilties to bootstrap ourselves<br />
pacman openssh rsync<br />
<br />
enable sshd (permit root login) to get off of having to be "on" the physical system<br />
systemctl enable --now sshd<br />
<br />
now we can ssh and do what needs to be done<br />
<br />
=== data dirs ===<br />
<br />
for each data data, create a single linux type partition<br />
fdisk /dev/<disk><br />
<br />
crypt setup each drive<br />
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y --use-random luksFormat /dev/<disk><br />
cryptsetup luksOpen /dev/<disk> diskN<br />
mkfs.btrfs /dev/mapper/diskN<br />
<br />
setup a key<br />
dd if=/dev/urandom of=/etc/storage.key bs=512 count=8<br />
cryptsetup luksAddKey /dev/<disk> /etc/storage.key<br />
<br />
edit crypt tab<br />
disk1 UUID=lsblk -f <disk> /etc/storage.key<br />
disk2 UUID=lsblk -f <disk> /etc/storage.key <br />
<br />
and fstab<br />
/dev/mapper/disk1 /mnt/disk1 btrfs rw,ssd 0 0<br />
/dev/mapper/disk2 /mnt/disk2 btrfs rw,ssd 0 0<br />
<br />
now reboot and then<br />
mkdir -p /mnt/disk1/Storage<br />
mkdir -p /mnt/disk1/Archive<br />
mkdir -p /mnt/disk2/Nightly<br />
mkdir -p /mnt/disk2/Staging<br />
ln -s /mnt/disk1/Storage /mnt/Storage <br />
ln -s /mnt/disk2/Staging /mnt/Staging <br />
ln -s /mnt/disk1/Archive /mnt/Archive <br />
ln -s /mnt/disk2/Nightly /mnt/Nightly<br />
<br />
=== general usage ===<br />
<br />
remove nano<br />
pacman -R nano<br />
<br />
back to the story<br />
su enck<br />
cd ~<br />
mkdir .ssh<br />
chmod 700 .ssh<br />
# copy pub key<br />
chmod 600 .ssh/authorized_keys<br />
exit<br />
<br />
at this point I should install naaman to help myself later and<br />
pacman -S tinyssh base-devel arch-install-scripts<br />
<br />
configure the ssh config as we'd like at this point (set root password if still in simple setup mode), get iptables rules setup<br />
pacman -S iptables<br />
# copy rules to /etc/iptables/iptables.rules<br />
systemctl enable --now iptables<br />
<br />
now complete https://wiki.archlinux.org/index.php/User:Enckse/TipsAndTricks#LUKS for luks over ssh<br />
reboot<br />
<br />
=== data ===<br />
<br />
time to copy data<br />
pacman -S screen<br />
<br />
make sure we're forwarding our agent<br />
screen<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Storage /mnt/Storage<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Staging /mnt/Staging<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Archive /mnt/Archive<br />
<br />
Starting copying any previous configs from one system to another. start git controlling etc<br />
<br />
make sure to enable cronie<br />
systemctl enable --now cronie<br />
<br />
test ssmtp (after getting configs set)<br />
echo 'test' | mail -v -s "testing" <email@address><br />
<br />
=== managing ===<br />
<br />
clone core<br />
cd /opt<br />
git clone <path/to/core/repo><br />
<br />
setup user links<br />
su enck<br />
cd ~<br />
ln -s /mnt/Storage store<br />
ln -s /mnt/Storage/Git git<br />
<br />
install core-scripts and test scripts/validate cron/etc.</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/Install&diff=527246
User:Enckse/Install
2018-06-21T23:24:37Z
<p>Enckse: /* User Setup */ most of this lives in the home.git repo now</p>
<hr />
<div>Personal page for installing arch on a variety of systems/configurations/etc.<br />
<br />
{{Warning|These are specific instructions for my own use, continue at your own risk}}<br />
<br />
<br />
__TOC__<br />
<br />
== Disk Setup ==<br />
<br />
=== partition ===<br />
<br />
use a scheme to create a big enough boot partition for EFI, otherwise everything else will be set for LVM (aka not boot) <br />
<br />
gdisk /dev/<disk><br />
<br />
following prompts (as needed) to convert to gpt (if not), then configure 2 partitions<br />
<br />
1 1GB EFI partition # hex ef00<br />
2 100% size partiton <br />
<br />
{{Warning|Any disk references here should match your system}}<br />
<br />
=== boot/efi ===<br />
<br />
yes, I know my boot partition isn't encrypted.<br />
<br />
mkfs.vfat -F32 /dev/<disk>1<br />
<br />
=== cryptsetup ===<br />
<br />
use cryptsetup on the 100% size partition to encrypt data there<br />
<br />
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y --use-random luksFormat /dev/<disk>2<br />
cryptsetup luksOpen /dev/<disk>2 luks<br />
<br />
=== lvm ===<br />
<br />
going to create a volume group that is just root and swap<br />
<br />
pvcreate /dev/mapper/luks<br />
vgcreate vg /dev/mapper/luks<br />
lvcreate --size 8G vg --name swap<br />
lvcreate -l +100%FREE vg --name root<br />
<br />
=== fs/mount ===<br />
<br />
using btrfs for root and obviously swap for swap, then mount all the things<br />
mkfs.btrfs /dev/mapper/vg-root<br />
mkswap /dev/mapper/vg-swap<br />
mount /dev/mapper/vg-root /mnt <br />
swapon /dev/mapper/vg-swap <br />
mkdir /mnt/boot<br />
mount /dev/<disk>1 /mnt/boot<br />
<br />
=== networking ===<br />
<br />
{{Note|For a radius-networked device, do the following to acquire a network connection<br />
{{hc|/etc/wpa_supplicant/wpa_supplicant-wired-''adapter''.conf|2=<br />
ctrl_interface=/var/run/wpa_supplicant<br />
ap_scan=0<br />
network={<br />
key_mgmt=IEEE8021X<br />
eap=PEAP<br />
identity="''user_name''"<br />
password="''user_password''"<br />
phase2="autheap=MSCHAPV2"<br />
}<br />
}}<br />
ip link set ''adapter'' down<br />
systemctl start wpa_supplicant-wired@''adapter''.service<br />
systemctl start dhcpcd@''adapter''.service<br />
}}<br />
<br />
== System Configuration ==<br />
<br />
=== setup/chroot ===<br />
<br />
starting packages<br />
pacstrap /mnt base vim git btrfs-progs wpa_supplicant<br />
<br />
fstab<br />
genfstab -pU /mnt >> /mnt/etc/fstab<br />
<br />
chroot<br />
arch-chroot /mnt /bin/bash<br />
<br />
network<br />
{{Note|For a radius-networked device, do the following to make networking later easier<br />
cp /etc/wpa_supplicant/wpa_supplicant-wired-''adapter''.conf /mnt/etc/wpa_supplicant/<br />
}}<br />
<br />
{{Note|For a headless server, do the following to get networking up sooner<br />
{{hc|/etc/systemd/network/wired.network|2=<br />
[Match]<br />
Name=<adapter><br />
<br />
[Network]<br />
DHCP=ipv4<br />
}}<br />
<br />
{{hc|/etc/resolv.conf|2=<br />
nameserver <local nameserver><br />
nameserver <public nameservers...><br />
}}<br />
<br />
systemctl enable systemd-networkd<br />
systemctl enable wpa_supplicant-wired@''adapter''.service<br />
}}<br />
<br />
=== system settings ===<br />
<br />
clock<br />
rm -f /etc/localtime<br />
ln -s /usr/share/zoneinfo/<zone_info> /etc/localtime<br />
hwclock --systohc --utc<br />
<br />
hostname<br />
echo "<machine>" > /etc/hostname<br />
<br />
locale<br />
{{hc|/etc/locale.gen|2=<br />
# uncomment en_US.UTF-8 UTF-8 and/or others<br />
}}<br />
locale-gen<br />
<br />
lang<br />
echo LANG=en_US.UTF-8 >> /etc/locale.conf<br />
<br />
root password<br />
passwd<br />
<br />
=== booting ===<br />
<br />
luks/boot/mkinit<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
HOOKS=(base udev autodetect modconf block fsck keymap encrypt lvm2 btrfs filesystems keyboard)<br />
}}<br />
<br />
mkinitcpio -p linux<br />
<br />
bootctl<br />
bootctl install<br />
<br />
entry<br />
{{hc|/boot/loader/entries/arch-encrypted.conf|2=<br />
title ArchLinux<br />
linux /vmlinuz-linux<br />
initrd /initramfs-linux.img<br />
options cryptdevice=UUID=XXXX:vg root=/dev/mapper/vg-root quiet rw<br />
}}<br />
<br />
{{Note|For XXXX uuid and YYYY uuid run<br />
lsblk -f<br />
---<br />
NAME FSTYPE LABEL UUID MOUNTPOINT<br />
nvme0n1 <br />
├─nvme0n1p1 vfat BOOT-UUID /boot<br />
└─nvme0n1p2 crypto_LUKS XXXX-... <br />
└─luks-XXXX-... LVM2_member LVM-UUID <br />
├─vg-swap swap SWAP-UUID [SWAP]<br />
└─vg-root btrfs YYYY-... /<br />
}}<br />
<br />
{{Note|install the linux-rotate (epiphyte) package to configure fallbacks/previous kernels}}<br />
<br />
=== cleaning up ===<br />
<br />
exit chroot, stop mounts, reboot<br />
exit<br />
umount -R /mnt<br />
swapoff -a<br />
reboot<br />
<br />
== User Setup ==<br />
<br />
temporary dhcp lease<br />
systemctl start dhcpcd@<adapter>.service<br />
<br />
create user<br />
useradd -m -s /bin/bash <user><br />
passwd <user><br />
<br />
sudo<br />
pacman -S sudo<br />
visudo<br />
#uncomment %wheel ALL=(ALL) ALL<br />
usermod -G wheel <user><br />
<br />
{{Note|For headless systems, go to the server section}}<br />
<br />
{{Note|Follow home README}}<br />
<br />
Follow guidance within the [[Common Access Card]] page for browsers/debug/troubleshoot/etc.<br />
<br />
machinectl<br />
setup machinectl with anything from my [[User:Enckse/TipsAndTricks#Shared_networking]]<br />
<br />
== Server/Headless Setup ==<br />
<br />
additional packages<br />
pacman -S openssh wget bash-completion<br />
<br />
=== ssh ===<br />
<br />
{{hc|/etc/ssh/sshd_config|2=<br />
Port <PORT><br />
Protocol 2<br />
# may need to enable, for a moment, to copy keys<br />
PermitRootLogin no<br />
PasswordAuthentication no<br />
}}<br />
<br />
systemctl enable sshd<br />
systemctl start sshd<br />
<br />
at this point copy ssh keys<br />
<br />
=== iptables ===<br />
<br />
{{hc|/etc/iptables/iptables.rules|2=<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:TCP - [0:0]<br />
:UDP - [0:0]<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -m conntrack --ctstate INVALID -j DROP<br />
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP<br />
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
-A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
-A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
-A TCP -p tcp --dport <PORT> -j ACCEPT<br />
<br />
COMMIT<br />
}}<br />
systemctl enable iptables<br />
systemctl start iptables<br />
<br />
setup [https://github.com/enckse/clients]<br />
<br />
== core server ==<br />
<br />
=== bootstrap ===<br />
<br />
we would like some utilties to bootstrap ourselves<br />
pacman openssh rsync<br />
<br />
enable sshd (permit root login) to get off of having to be "on" the physical system<br />
systemctl enable --now sshd<br />
<br />
now we can ssh and do what needs to be done<br />
<br />
=== data dirs ===<br />
<br />
for each data data, create a single linux type partition<br />
fdisk /dev/<disk><br />
<br />
crypt setup each drive<br />
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y --use-random luksFormat /dev/<disk><br />
cryptsetup luksOpen /dev/<disk> diskN<br />
mkfs.btrfs /dev/mapper/diskN<br />
<br />
setup a key<br />
dd if=/dev/urandom of=/etc/storage.key bs=512 count=8<br />
cryptsetup luksAddKey /dev/<disk> /etc/storage.key<br />
<br />
edit crypt tab<br />
disk1 UUID=lsblk -f <disk> /etc/storage.key<br />
disk2 UUID=lsblk -f <disk> /etc/storage.key <br />
<br />
and fstab<br />
/dev/mapper/disk1 /mnt/disk1 btrfs rw,ssd 0 0<br />
/dev/mapper/disk2 /mnt/disk2 btrfs rw,ssd 0 0<br />
<br />
now reboot and then<br />
mkdir -p /mnt/disk1/Storage<br />
mkdir -p /mnt/disk1/Archive<br />
mkdir -p /mnt/disk2/Nightly<br />
mkdir -p /mnt/disk2/Staging<br />
ln -s /mnt/disk1/Storage /mnt/Storage <br />
ln -s /mnt/disk2/Staging /mnt/Staging <br />
ln -s /mnt/disk1/Archive /mnt/Archive <br />
ln -s /mnt/disk2/Nightly /mnt/Nightly<br />
<br />
=== general usage ===<br />
<br />
create and setup a user<br />
useradd -m -s /bin/bash enck<br />
passwd enck<br />
pacman -S sudo<br />
usermod -G wheel enck<br />
visudo<br />
# uncomment %wheel ALL=(ALL) ALL<br />
<br />
remove nano<br />
pacman -R nano<br />
<br />
back to the story<br />
su enck<br />
cd ~<br />
mkdir .ssh<br />
chmod 700 .ssh<br />
# copy pub key<br />
chmod 600 .ssh/authorized_keys<br />
exit<br />
<br />
at this point I should install naaman to help myself later and<br />
pacman -S tinyssh base-devel arch-install-scripts<br />
<br />
configure the ssh config as we'd like at this point (set root password if still in simple setup mode), get iptables rules setup<br />
pacman -S iptables<br />
# copy rules to /etc/iptables/iptables.rules<br />
systemctl enable --now iptables<br />
<br />
now complete https://wiki.archlinux.org/index.php/User:Enckse/TipsAndTricks#LUKS for luks over ssh<br />
reboot<br />
<br />
=== data ===<br />
<br />
time to copy data<br />
pacman -S screen<br />
<br />
make sure we're forwarding our agent<br />
screen<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Storage /mnt/Storage<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Staging /mnt/Staging<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Archive /mnt/Archive<br />
<br />
Starting copying any previous configs from one system to another. start git controlling etc<br />
<br />
make sure to enable cronie<br />
systemctl enable --now cronie<br />
<br />
test ssmtp (after getting configs set)<br />
echo 'test' | mail -v -s "testing" <email@address><br />
<br />
=== managing ===<br />
<br />
clone core<br />
cd /opt<br />
git clone <path/to/core/repo><br />
<br />
setup user links<br />
su enck<br />
cd ~<br />
ln -s /mnt/Storage store<br />
ln -s /mnt/Storage/Git git<br />
<br />
install core-scripts and test scripts/validate cron/etc.</div>
Enckse
https://wiki.archlinux.org/index.php?title=User:Enckse/Install&diff=527226
User:Enckse/Install
2018-06-21T15:05:24Z
<p>Enckse: merging sections</p>
<hr />
<div>Personal page for installing arch on a variety of systems/configurations/etc.<br />
<br />
{{Warning|These are specific instructions for my own use, continue at your own risk}}<br />
<br />
<br />
__TOC__<br />
<br />
== Disk Setup ==<br />
<br />
=== partition ===<br />
<br />
use a scheme to create a big enough boot partition for EFI, otherwise everything else will be set for LVM (aka not boot) <br />
<br />
gdisk /dev/<disk><br />
<br />
following prompts (as needed) to convert to gpt (if not), then configure 2 partitions<br />
<br />
1 1GB EFI partition # hex ef00<br />
2 100% size partiton <br />
<br />
{{Warning|Any disk references here should match your system}}<br />
<br />
=== boot/efi ===<br />
<br />
yes, I know my boot partition isn't encrypted.<br />
<br />
mkfs.vfat -F32 /dev/<disk>1<br />
<br />
=== cryptsetup ===<br />
<br />
use cryptsetup on the 100% size partition to encrypt data there<br />
<br />
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y --use-random luksFormat /dev/<disk>2<br />
cryptsetup luksOpen /dev/<disk>2 luks<br />
<br />
=== lvm ===<br />
<br />
going to create a volume group that is just root and swap<br />
<br />
pvcreate /dev/mapper/luks<br />
vgcreate vg /dev/mapper/luks<br />
lvcreate --size 8G vg --name swap<br />
lvcreate -l +100%FREE vg --name root<br />
<br />
=== fs/mount ===<br />
<br />
using btrfs for root and obviously swap for swap, then mount all the things<br />
mkfs.btrfs /dev/mapper/vg-root<br />
mkswap /dev/mapper/vg-swap<br />
mount /dev/mapper/vg-root /mnt <br />
swapon /dev/mapper/vg-swap <br />
mkdir /mnt/boot<br />
mount /dev/<disk>1 /mnt/boot<br />
<br />
=== networking ===<br />
<br />
{{Note|For a radius-networked device, do the following to acquire a network connection<br />
{{hc|/etc/wpa_supplicant/wpa_supplicant-wired-''adapter''.conf|2=<br />
ctrl_interface=/var/run/wpa_supplicant<br />
ap_scan=0<br />
network={<br />
key_mgmt=IEEE8021X<br />
eap=PEAP<br />
identity="''user_name''"<br />
password="''user_password''"<br />
phase2="autheap=MSCHAPV2"<br />
}<br />
}}<br />
ip link set ''adapter'' down<br />
systemctl start wpa_supplicant-wired@''adapter''.service<br />
systemctl start dhcpcd@''adapter''.service<br />
}}<br />
<br />
== System Configuration ==<br />
<br />
=== setup/chroot ===<br />
<br />
starting packages<br />
pacstrap /mnt base vim git btrfs-progs wpa_supplicant<br />
<br />
fstab<br />
genfstab -pU /mnt >> /mnt/etc/fstab<br />
<br />
chroot<br />
arch-chroot /mnt /bin/bash<br />
<br />
network<br />
{{Note|For a radius-networked device, do the following to make networking later easier<br />
cp /etc/wpa_supplicant/wpa_supplicant-wired-''adapter''.conf /mnt/etc/wpa_supplicant/<br />
}}<br />
<br />
{{Note|For a headless server, do the following to get networking up sooner<br />
{{hc|/etc/systemd/network/wired.network|2=<br />
[Match]<br />
Name=<adapter><br />
<br />
[Network]<br />
DHCP=ipv4<br />
}}<br />
<br />
{{hc|/etc/resolv.conf|2=<br />
nameserver <local nameserver><br />
nameserver <public nameservers...><br />
}}<br />
<br />
systemctl enable systemd-networkd<br />
systemctl enable wpa_supplicant-wired@''adapter''.service<br />
}}<br />
<br />
=== system settings ===<br />
<br />
clock<br />
rm -f /etc/localtime<br />
ln -s /usr/share/zoneinfo/<zone_info> /etc/localtime<br />
hwclock --systohc --utc<br />
<br />
hostname<br />
echo "<machine>" > /etc/hostname<br />
<br />
locale<br />
{{hc|/etc/locale.gen|2=<br />
# uncomment en_US.UTF-8 UTF-8 and/or others<br />
}}<br />
locale-gen<br />
<br />
lang<br />
echo LANG=en_US.UTF-8 >> /etc/locale.conf<br />
<br />
root password<br />
passwd<br />
<br />
=== booting ===<br />
<br />
luks/boot/mkinit<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
HOOKS=(base udev autodetect modconf block fsck keymap encrypt lvm2 btrfs filesystems keyboard)<br />
}}<br />
<br />
mkinitcpio -p linux<br />
<br />
bootctl<br />
bootctl install<br />
<br />
entry<br />
{{hc|/boot/loader/entries/arch-encrypted.conf|2=<br />
title ArchLinux<br />
linux /vmlinuz-linux<br />
initrd /initramfs-linux.img<br />
options cryptdevice=UUID=XXXX:vg root=/dev/mapper/vg-root quiet rw<br />
}}<br />
<br />
{{Note|For XXXX uuid and YYYY uuid run<br />
lsblk -f<br />
---<br />
NAME FSTYPE LABEL UUID MOUNTPOINT<br />
nvme0n1 <br />
├─nvme0n1p1 vfat BOOT-UUID /boot<br />
└─nvme0n1p2 crypto_LUKS XXXX-... <br />
└─luks-XXXX-... LVM2_member LVM-UUID <br />
├─vg-swap swap SWAP-UUID [SWAP]<br />
└─vg-root btrfs YYYY-... /<br />
}}<br />
<br />
{{Note|install the linux-rotate (epiphyte) package to configure fallbacks/previous kernels}}<br />
<br />
=== cleaning up ===<br />
<br />
exit chroot, stop mounts, reboot<br />
exit<br />
umount -R /mnt<br />
swapoff -a<br />
reboot<br />
<br />
== User Setup ==<br />
<br />
temporary dhcp lease<br />
systemctl start dhcpcd@<adapter>.service<br />
<br />
create user<br />
useradd -m -s /bin/bash <user><br />
passwd <user><br />
<br />
sudo<br />
pacman -S sudo<br />
visudo<br />
#uncomment %wheel ALL=(ALL) ALL<br />
usermod -G wheel <user><br />
<br />
{{Note|For headless systems, go to the server section}}<br />
<br />
mountpoints<br />
sudo mkdir /mnt/usb<br />
<br />
copy data locally (via usb, share, etc.)<br />
<br />
user config<br />
mount /dev/<usb> /mnt/usb<br />
mv /mnt/usb/.synced ~<br />
chown -R <user>:<user> ~/.synced<br />
# move anything for /etc over (including .git and .gitignore)<br />
umount /mnt/usb<br />
<br />
setup home<br />
cd ~<br />
git init<br />
git remote add origin https://github.com/enckse/home.git<br />
git fetch<br />
rm .bash*<br />
git pull origin master<br />
ln -s ~/.synced/gnupg .gnupg<br />
git remote remove origin<br />
git remote add origin git@github.com:enckse/home.git<br />
cd ~<br />
mkdir Downloads<br />
mkdir .tmp<br />
<br />
symlinks<br />
cd ~<br />
mkdir -p ~/.cache<br />
mkdir -p ~/.config/epiphyte<br />
ln -s $HOME/.synced/configs/epiphyte.conf $HOME/.config/epiphyte/env<br />
sudo rm /etc/vimrc<br />
sudo ln -s ~/.vimrc /etc/vimrc<br />
<br />
timesyncd<br />
timedatectl set-ntp true<br />
<br />
update/cleanup<br />
# make sure pkgseed is installed<br />
sudo pacman -Syyu<br />
sudo pacman -Sc<br />
sudo pacman-key --refresh-key<br />
mkinitcpio -p linux<br />
# make sure gpg keys for epiphyte are in place<br />
pacman -S wsw wsw-applet<br />
# make sure configs are in place<br />
# install from ~/.config/home/packages (groups first)<br />
<br />
as root<br />
<br />
screen lock<br />
ln -s /home/<user>/.bin/locking /usr/local/bin/<br />
<br />
iptables<br />
systemctl enable iptables<br />
<br />
local scripts<br />
su enck<br />
<br />
now as user<br />
systemctl --user enable sync.timer<br />
systemctl --user enable maintain.timer<br />
<br />
prep configuration<br />
cd ~<br />
mkdir -p $HOME/.cache/helper_cache<br />
touch $HOME/.cache/helper_cache/tmp<br />
cd ~/.bin<br />
./helper_cache rebuild<br />
<br />
containers<br />
sudo mkdir -p /etc/systemd/nspawn<br />
<br />
Follow guidance within the [[Common Access Card]] page for browsers/debug/troubleshoot/etc.<br />
<br />
machinectl<br />
setup machinectl with anything from my [[User:Enckse/TipsAndTricks#Shared_networking]]<br />
<br />
network<br />
systemctl enable systemd-networkd<br />
systemctl enable wsw<br />
reboot<br />
<br />
== Server/Headless Setup ==<br />
<br />
additional packages<br />
pacman -S openssh wget bash-completion<br />
<br />
=== ssh ===<br />
<br />
{{hc|/etc/ssh/sshd_config|2=<br />
Port <PORT><br />
Protocol 2<br />
# may need to enable, for a moment, to copy keys<br />
PermitRootLogin no<br />
PasswordAuthentication no<br />
}}<br />
<br />
systemctl enable sshd<br />
systemctl start sshd<br />
<br />
at this point copy ssh keys<br />
<br />
=== iptables ===<br />
<br />
{{hc|/etc/iptables/iptables.rules|2=<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:TCP - [0:0]<br />
:UDP - [0:0]<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -m conntrack --ctstate INVALID -j DROP<br />
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP<br />
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
-A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
-A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
-A TCP -p tcp --dport <PORT> -j ACCEPT<br />
<br />
COMMIT<br />
}}<br />
systemctl enable iptables<br />
systemctl start iptables<br />
<br />
setup [https://github.com/enckse/clients]<br />
<br />
== core server ==<br />
<br />
=== bootstrap ===<br />
<br />
we would like some utilties to bootstrap ourselves<br />
pacman openssh rsync<br />
<br />
enable sshd (permit root login) to get off of having to be "on" the physical system<br />
systemctl enable --now sshd<br />
<br />
now we can ssh and do what needs to be done<br />
<br />
=== data dirs ===<br />
<br />
for each data data, create a single linux type partition<br />
fdisk /dev/<disk><br />
<br />
crypt setup each drive<br />
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y --use-random luksFormat /dev/<disk><br />
cryptsetup luksOpen /dev/<disk> diskN<br />
mkfs.btrfs /dev/mapper/diskN<br />
<br />
setup a key<br />
dd if=/dev/urandom of=/etc/storage.key bs=512 count=8<br />
cryptsetup luksAddKey /dev/<disk> /etc/storage.key<br />
<br />
edit crypt tab<br />
disk1 UUID=lsblk -f <disk> /etc/storage.key<br />
disk2 UUID=lsblk -f <disk> /etc/storage.key <br />
<br />
and fstab<br />
/dev/mapper/disk1 /mnt/disk1 btrfs rw,ssd 0 0<br />
/dev/mapper/disk2 /mnt/disk2 btrfs rw,ssd 0 0<br />
<br />
now reboot and then<br />
mkdir -p /mnt/disk1/Storage<br />
mkdir -p /mnt/disk1/Archive<br />
mkdir -p /mnt/disk2/Nightly<br />
mkdir -p /mnt/disk2/Staging<br />
ln -s /mnt/disk1/Storage /mnt/Storage <br />
ln -s /mnt/disk2/Staging /mnt/Staging <br />
ln -s /mnt/disk1/Archive /mnt/Archive <br />
ln -s /mnt/disk2/Nightly /mnt/Nightly<br />
<br />
=== general usage ===<br />
<br />
create and setup a user<br />
useradd -m -s /bin/bash enck<br />
passwd enck<br />
pacman -S sudo<br />
usermod -G wheel enck<br />
visudo<br />
# uncomment %wheel ALL=(ALL) ALL<br />
<br />
remove nano<br />
pacman -R nano<br />
<br />
back to the story<br />
su enck<br />
cd ~<br />
mkdir .ssh<br />
chmod 700 .ssh<br />
# copy pub key<br />
chmod 600 .ssh/authorized_keys<br />
exit<br />
<br />
at this point I should install naaman to help myself later and<br />
pacman -S tinyssh base-devel arch-install-scripts<br />
<br />
configure the ssh config as we'd like at this point (set root password if still in simple setup mode), get iptables rules setup<br />
pacman -S iptables<br />
# copy rules to /etc/iptables/iptables.rules<br />
systemctl enable --now iptables<br />
<br />
now complete https://wiki.archlinux.org/index.php/User:Enckse/TipsAndTricks#LUKS for luks over ssh<br />
reboot<br />
<br />
=== data ===<br />
<br />
time to copy data<br />
pacman -S screen<br />
<br />
make sure we're forwarding our agent<br />
screen<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Storage /mnt/Storage<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Staging /mnt/Staging<br />
rsync -vrc -e "ssh -p <oldport>" <oldsystem>:/mnt/Archive /mnt/Archive<br />
<br />
Starting copying any previous configs from one system to another. start git controlling etc<br />
<br />
make sure to enable cronie<br />
systemctl enable --now cronie<br />
<br />
test ssmtp (after getting configs set)<br />
echo 'test' | mail -v -s "testing" <email@address><br />
<br />
=== managing ===<br />
<br />
clone core<br />
cd /opt<br />
git clone <path/to/core/repo><br />
<br />
setup user links<br />
su enck<br />
cd ~<br />
ln -s /mnt/Storage store<br />
ln -s /mnt/Storage/Git git<br />
<br />
install core-scripts and test scripts/validate cron/etc.</div>
Enckse