commit 56f79db515893a7f4fd523458823a0f1d2022065 Author: sad Date: Sun Oct 22 04:43:44 2023 +0000 blahblahkms diff --git a/Gentoo/README.md b/Gentoo/README.md new file mode 100644 index 0000000..0b7fdfd --- /dev/null +++ b/Gentoo/README.md 
@@ -0,0 +1,603 @@ +# Gentoo Linux Install +Goal is to be a super secure modern linux install for daily use +we will doing a super big brain install using [distcc](https://wikitest.gentoo.org/wiki/Distcc/en) (for faster compiling) + + +UEFI + GPT (for secure boot using grub2) +LUKS + btrfs + +needs to mute and hopefully pause any media on closing and and turned off and muted with webcam on boot + + + +## Hardware Configuration +This configuration is for my laptop: +**HOST:** 20Y70096US ThinkPad E14 Gen 3 +**CPU:** AMD Ryzen 7 5700U (16) @ 1.800GHz +https://wiki.archlinux.org/title/Lenovo_ThinkPad_E14_Gen_3_(AMD) + +https://github.com/ramaureirac/thinkpad-e14-linux + + + +## Pre Installation +### Installation Media Prep +Download the ISO from the [downlod link](https://www.gentoo.org/downloads/) +and then to verify the ISO import the correct key [signatures](https://www.gentoo.org/downloads/signatures/) +```bash +gpg --keyserver hkps://keys.gentoo.org --recv-keys 0xBB572E0E2D182910 +``` +or if you are using a Gentoo verified install +```bash +gpg --import /usr/share/openpgp-keys/gentoo-release.asc +``` +then verify the ISO +```bash +gpg --verify install-amd64-minimal-*.iso.asc +``` +next dd the ISO to the target live bootable device: +```bash +dd if=/path/to/image.iso of=/dev/sdX bs=4MB conv=fsync oflag=direct status=progress +``` +*Note: replace `/dev/sdX` with your target live boot device* + +Now go ahead and boot into the Live USB + +### Configure Network: +If you're connected via ethernet then the dhcp server should have assigned you a IP +```bash +ip -c a +``` +if you're connecting via wireless then you can setup with wpa_supplication + +you also may want to enable ssh if you want to access from another computer +```bash +rc-service sshd start +ip -c a +``` +### Partitioning +find your target drive using `lsblk` +lets use nvme1n1 as the drive we are installing on +- [ ] prep drives by random formating? 
this could be bad for the nvme make sure to set warnings on off boot types +| Partition | Filesystem | Size | Label | +|-----------|------------|------|-------------| +| /dev/nvme1n1p1 | fat32 | 512Mib | boot | +| /dev/nvme1n1p2 | LUKS | ALL | root | + +create the UEFI boot partion: +```bash +parted /dev/nvme1n1 mklabel gpt +parted /dev/nvme1n1 mkpart ESP fat32 1MiB 513MiB name boot +parted /dev/nvme1n1 set 1 esp on +parted /dev/nvme1n1 set 1 boot on +mkfs.fat -F32 /dev/nvme1n1p1 +``` +This creates a 512 MiB EFI System Partition (ESP) named `boot` at the beginning of the NVMe drive and formats it with the FAT32 filesystem. + +next create a the luks partition: +```bash +parted /dev/nvme1n1 mkpart primary 513MiB 100% +parted /dev/nvme1n1 name 2 root +``` +This creates a partition for the filesystem named `root` +now lets encrypt it: +```bash +cryptsetup luksFormat --iter-time=5000 --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 /dev/nvme1n1p2 +cryptsetup open /dev/nvme1n1p2 luks +``` +*Note: make sure to backup your luksheader to an encrypted usb drive aswell: * +```bash +cryptsetup luksOpen /dev/sda4 usb +mount /dev/mapper/usb /media/usb +cryptsetup luksHeaderBackup /dev/nvme1n1p2 --header-backup-file /media/usb/luksheader.bak +sync +umount /media/usb +``` +*note to self: add gpg encryption aswell and check if --allow-discards for trim is good on nvme1n1p1* [here](https://wiki.gentoo.org/wiki/Dm-crypt_full_disk_encryption) + +create the btrfs filesystem: +```bash +mkfs.btrfs /dev/mapper/luks +``` +this creates a btrfs filesystem on the encrypted patrition + +Mount the Btrfs filesystem and set up subvolumes: +```bash +mount /dev/mapper/luks /mnt/gentoo +btrfs subvolume create /mnt/gentoo/@ +btrfs subvolume create /mnt/gentoo/@home +btrfs subvolume create /mnt/gentoo/@snapshots +umount /mnt/gentoo +``` +*Note: setup so /var/log and /var/log/audit are on seperate partitions aswell as /tmp and /var/tmp* + +This creates three Btrfs subvolumes for the root 
filesystem, home directory, and snapshots. +```bash +mount -t btrfs -o noatime,relatime,compress=lzo,ssd,space_cache=v2,subvol=@ /dev/mapper/luksdev /mnt/gen +``` +*Note: we unmount /mnt/gentoo so we can use the btrfs subvolume `@`* + +# pre Installation +```bash +cd /mnt/gentoo/ +``` +check the date and setup ntpd +now we must wget our stage3 +```bash +wget https://bouncer.gentoo.org/fetch/root/all/releases/amd64/autobuilds/20230416T164657Z/stage3-amd64-hardened-openrc-20230416T164657Z.tar.xz +``` +*Note: Rewrite this to auto pull newest one* +```bash +sha512sum stage3-amd64-*.tar.xz +gpg --verify stage3-amd64-*.tar.xz{.DIGESTS.asc,} +``` +*The fingerprints of the OpenPGP keys used for signing release media can be found on the [release media signatures page](https://www.gentoo.org/downloads/signatures/) of the Gentoo webserver.* +we verify the signature then we can unpack it +```bash +tar xvpf stage3-amd64-*.tar.xz --xattrs-include='*.*' --numeric-owner +``` +now we must open /mnt/gentoo/etc/portage/make.conf and configure with our optimization and use variables +```bash +# These settings were set by the catalyst build script that automatically +# built this stage. +# Please consult /usr/share/portage/config/make.conf.example for a more +# detailed example. 
+COMMON_FLAGS="-march=native -O2 -pipe" + +MAKEOPTS="-j8 -l8" + +# DISTCC +#COMMON_FLAGS="-march=znver2 -O2 -pipe" +# 1 remote host with two cpus 6 cores each = 12 cores remote +# 1 local host with 8 cores = 8 cores local +# total number of cores is 20, so N = 2*20+1 and M=8 +#MAKEOPTS="-j41 -l8" +#FEATURES="distcc distcc-pump" + +CFLAGS="${COMMON_FLAGS}" +CXXFLAGS="${COMMON_FLAGS}" +FCFLAGS="${COMMON_FLAGS}" +FFLAGS="${COMMON_FLAGS}" + +# NOTE: This stage was built with the bindist Use flag enabled +CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt rdrand sha sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3" + +ACCEPT_KEYWORDS="~amd64" +ACCEPT_LICENSE="* -@EULA" + +EMERGE_DEFAULT_OPTS="--autounmask=n" + +VIDEO_CARDS="amdgpu radeonsi" +INPUT_DEVICES="libinput" + +USE="widgets screen tcl qml png jpg gtk3 spice jpeg icu gles2 haptic gtk dbus minizip -bindset x264 fontconfig truetype egl wayland x11-backend X threads gtk2 -qt4 -nvidia -gnome -kde -dvd -systemd elogind alsa amdgpu vulkan mesa radeon libinput postproc xinerama pulseaudio cups text abi_x86_32 script offensive" +# REORGANIZE ALL THIS AND SETUP PACKAGE.USE FLAGS +USE="-systemd offensive \ + cryptsetup hardened elogind\ + wayland xwayland X -kde -gnome -qt5 -gtk \ + alsa amdgpu vulkan lm-sensors\ + -nvidia -dvd \ +" + +#QEMU_SOFTMMU_TARGETS="arm x86_64 sparc" +#QEMU_USER_TARGETS="x86_64" +#RUBY_TARGETS="ruby31" + +# NOTE: This stage was built with the bindist Use flag enabled +PORTDIR="/var/db/repos/gentoo" +DISTDIR="/var/cache/distfiles" +PKGDIR="/var/cache/binpkgs" + +# This sets the language of build output to English. +# Please keep this setting intact when reporting bugs. 
+LC_MESSAGES=C + +GRUB_PLATFORMS="efi-64" +``` +*Note: check each and every one of these for very specific hardened setup* https://www.youtube.com/watch?v=NELUsKUn-1U&t=66s +*Note: setup for distcc* + +https://wiki.gentoo.org/wiki/Ryzen#Kernel (amd ryzen 7) +https://wiki.gentoo.org/wiki/AMDGPU (amdgpu radeonsi) https://wiki.gentoo.org/wiki/ATI_FAQ +https://wiki.gentoo.org/wiki/Vulkan (vulkan) +https://wiki.gentoo.org/wiki/Wayland (wayland) +https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Setting_up_the_GNOME_3_Desktop_under_OpenRC (wayland2) +https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features +check out userfetch +https://amedeos.github.io/gentoo/2021/04/25/Unlock-rootfs-with-fido2-key.html setup fido2 security +https://amedeos.github.io/backup/2021/08/18/Use-btrbk-for-backup-on-btrfs.html setup remote backups +https://amedeos.github.io/gentoo/2019/01/17/gentoo-signed-kernel-module.html setup signed kernels +https://github.com/d333rboy/portage_presets/blob/main/etc/portage/make.conf (hardened config) +https://www.youtube.com/watch?v=NQStgCyezz4&t=13s (hardened install) + +copy dns info +```bash +cp --dereference /etc/resolv.conf /mnt/gentoo/etc/ +``` + + +```bash +mount -t proc /proc /mnt/gentoo/proc +mount --rbind /sys /mnt/gentoo/sys +mount --make-rslave /mnt/gentoo/sys +mount --rbind /dev /mnt/gentoo/dev +mount --make-rslave /mnt/gentoo/dev +test -L /dev/shm && rm /dev/shm && mkdir /dev/shm +mount -t tmpfs -o nosuid,nodev,noexec shm /dev/shm +chmod 1777 /dev/shm +``` +*Note: check warnings https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Base* + +now chroot +```bash +chroot /mnt/gentoo /bin/bash +source /etc/profile +export PS1="(chroot) ${PS1}" +``` +# Installation + +https://www.youtube.com/watch?v=J7W9MItUSGw (comfy install guide) +syncronise repositories +```bash +emerge --sync + +emerge --oneshot portage +``` + +now update world and set new use +```bash +eselect profile list +eselect profile set 3 +emerge --ask 
--verbose --update --deep --newuse @world +``` +write the timezone and locals if needed +```bash +echo "America/Denver" > /etc/timezone +emerge --config sys-libs/timezone-data +nano -w /etc/locale.gen +locale-gen +eselect locale list +eselect locale set 3 +env-update && source /etc/profile && export PS1="(chroot) ${PS1}" +``` + +now to emerge kernel sources and linux firmware +```bash +emerge -av sys-kernel/linux-firmware +emerge --ask sys-kernel/gentoo-sources +eselect kernel list +eselect kernel set 1 +``` +## Kernel Compiling and Initramfs +we can do this by installing pciutils: +```bash +emerge --ask sys-apps/pciutils +``` +then run `lspci` +```bash +lspci +``` +the output should look something like this: +``` +00:00.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne Root Complex +00:00.2 IOMMU: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne IOMMU +00:01.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir PCIe Dummy Host Bridge +00:02.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir PCIe Dummy Host Bridge +00:02.1 PCI bridge: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne PCIe GPP Bridge +00:02.2 PCI bridge: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne PCIe GPP Bridge +00:02.3 PCI bridge: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne PCIe GPP Bridge +00:02.4 PCI bridge: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne PCIe GPP Bridge +00:08.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir PCIe Dummy Host Bridge +00:08.1 PCI bridge: Advanced Micro Devices, Inc. [AMD] Renoir Internal PCIe GPP Bridge to Bus +00:14.0 SMBus: Advanced Micro Devices, Inc. [AMD] FCH SMBus Controller (rev 51) +00:14.3 ISA bridge: Advanced Micro Devices, Inc. [AMD] FCH LPC Bridge (rev 51) +00:18.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir Device 24: Function 0 +00:18.1 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir Device 24: Function 1 +00:18.2 Host bridge: Advanced Micro Devices, Inc. 
[AMD] Renoir Device 24: Function 2 +00:18.3 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir Device 24: Function 3 +00:18.4 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir Device 24: Function 4 +00:18.5 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir Device 24: Function 5 +00:18.6 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir Device 24: Function 6 +00:18.7 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir Device 24: Function 7 +01:00.0 Non-Volatile memory controller: Phison Electronics Corporation PS5013 E13 NVMe Controller (rev 01) +02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 10) +03:00.0 Network controller: Intel Corporation Wi-Fi 6 AX200 (rev 1a) +04:00.0 Non-Volatile memory controller: SK hynix Gold P31/PC711 NVMe Solid State Drive +05:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Lucienne (rev c1) +05:00.1 Audio device: Advanced Micro Devices, Inc. [AMD/ATI] Renoir Radeon High Definition Audio Controller +05:00.2 Encryption controller: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 10h-1fh) Platform Security Processor +05:00.3 USB controller: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne USB 3.1 +05:00.4 USB controller: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne USB 3.1 +05:00.5 Multimedia controller: Advanced Micro Devices, Inc. [AMD] ACP/ACP3X/ACP6x Audio Coprocessor (rev 01) +05:00.6 Audio device: Advanced Micro Devices, Inc. 
[AMD] Family 17h/19h HD Audio Controller +``` +Then we should start building the kernel: +```bash +cd /usr/src/linux +make menuconfig +``` +Lets first enable OpenRC since we are using that +``` +Gentoo Linux ---> + Generic Driver Options ---> + [*] Gentoo Linux support + [*] Linux dynamic and persistent device naming (userspace devfs) support + [*] Select options required by Portage features + Support for init systems, system and service managers ---> + [*] OpenRC, runit and other script based systems and managers +``` +Next we should add NVME support: +``` +Device Drivers ---> + NVME Support ---> + <*> NVM Express block device + [*] NVMe multipath support + [*] NVMe hardware monitoring + NVM Express over Fabrics FC host driver + NVM Express over Fabrics TCP host driver + NVMe Target support + [*] NVMe Target Passthrough support + NVMe loopback device support + NVMe over Fabrics FC target driver + < > NVMe over Fabrics FC Transport Loopback Test driver (NEW) + NVMe over Fabrics TCP target support +``` +We will also need Filesystem support: +``` +File systems ---> + <*> Second extended fs support + <*> The Extended 3 (ext3) filesystem + <*> The Extended 4 (ext4) filesystem + <*> Btrfs filesystem support + DOS/FAT/NT Filesystems ---> + <*> MSDOS fs support + <*> VFAT (Windows-95) fs support + Pseudo Filesystems ---> + [*] /proc file system support + [*] Tmpfs virtual memory file system support (former shm fs) +``` +We also need to add support for our multicore system: +``` +Processor type and features ---> + [*] Symmetric multi-processing support +``` +Aswell as USB devices: +``` +Device Drivers ---> + HID support ---> + -*- HID bus support + <*> Generic HID driver + [*] Battery level reporting for HID devices + USB HID support ---> + <*> USB HID transport layer + [*] USB support ---> + <*> xHCI HCD (USB 3.0) support + <*> EHCI HCD (USB 2.0) support + <*> OHCI HCD (USB 1.1) support + <*> Unified support for USB4 and Thunderbolt ---> +``` +Now we need to add GPT 
support: +``` +-*- Enable the block layer ---> + Partition Types ---> + [*] Advanced partition selection + [*] EFI GUID Partition support +``` +aswell as UEFI: +``` +Processor type and features ---> + [*] EFI runtime service support + [*] EFI stub support + [*] EFI mixed-mode support + +Device Drivers + Firmware Drivers ---> + EFI (Extensible Firmware Interface) Support ---> + <*> EFI Variable Support via sysfs + Graphics support ---> + Frame buffer Devices ---> + <*> Support for frame buffer devices ---> + [*] EFI-based Framebuffer Support +``` +*Note: this all comes from the [gentoo guide](https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Kernel) so we should double check everything else* +we also need to add initramfs support: +``` +General setup ---> + [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support +Device Drivers ---> + Generic Driver Options ---> + [*] Maintain a devtmpfs filesystem to mount at /dev +``` + +we also need to enable crypt support: +```kenel **Enabling device mapper and crypt target** +[*] Enable loadable module support + Device Drivers ---> + [*] Multiple devices driver support (RAID and LVM) ---> + <*> Device mapper support + <*> Crypt target support +``` + +```kernel **Enabling cryptographic API functions for the cipher you used** +[*] Cryptographic API ---> + <*> SHA224 and SHA256 digest algorithm + <*> XTS support + <*> AES cipher algorithms + <*> AES cipher algorithms (x86_64) +``` + + + +now we must build the kernel: +```bash +make -j9 && make modules_install && make install +``` +https://wiki.gentoo.org/wiki/Full_Encrypted_Btrfs/Native_System_Root_Guide +setup initramfs - [dracut](https://wiki.archlinux.org/title/Dracut) [readme](https://aj.immo/2021/11/gentoo-with-efistub-encrypted-btrfs/) [readme2](https://wstrm.dev/posts/gentoo_with_dm-crypt_luks/) +```bash +emerge --ask sys-kernel/dracut +``` +*Note: https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Kernel#Optional:_Building_an_initramfs 
+https://wiki.gentoo.org/wiki/Kernel/Optimization +https://wiki.gentoo.org/wiki/Initramfs +https://forums.gentoo.org/viewtopic-t-1146237-view-previous.html +https://github.com/fraxgut/guia-instalacion-gentoo +https://gist.github.com/renich/90e0a5bed8c7c0de40d40ac9ccac6dfd* +we will now generate the initramfs: +```bash +dracut --hostonly --kver= +``` +*Note we need to double check for [dracut](https://wiki.gentoo.org/wiki/Dracut)* +we also should modify **`/etc/dracut.conf`** for the correct modules +```bash +# Equivalent to -H +hostonly="yes" + +# Equivalent to -m "module module module" +dracutmodules+=" bash kernel-modules rootfs-block udev-rules usrmount base fs-lib shutdown " + +# Equivalent to -a "module" +add_dracutmodules+=" module " # Note leading and trailing spaces + +# Equivalent to -o "module" +omit_dracutmodules+=" module " # Note leading and trailing spaces + +# Equivalent to --drivers="module module module" +drivers+=" module module module " + +# Equivalent to --add-drivers +add_drivers+=" module " + +# Equivalent to --omit-drivers="module" +omit_drivers+=" module " + +# Equivalent to --filesystems="fs fs fs" +filesystems+=" fs fs fs " + +# Equivalent to --kmoddir="/lib/modules/fixed" +drivers_dir="/lib/modules/fixed" + +# Equivalent to --fwdir=":/lib/fw/alt:/lib/fw/alt2" +fw_dir+=":/lib/fw/alt:/lib/fw/alt2" +``` +- [ ] todo + - [ ] checkout crypt-gpt + - [ ] crypt + - [ ] uefi-lib + - [ ] +## fstab + +# Roadmap +https://github.com/dogoncouch/gentoo-laptop +https://github.com/kabiconfigs/Gentoo-Laptop-Config/blob/main/portage/make.conf +https://youtu.be/tkPDNLfmQZY +https://www.youtube.com/watch?v=oI_rpiqCHpU +https://www.youtube.com/watch?v=nOcS6mwZEGI (kernel) +- [ ] full disk encryption on root disk +- [ ] musl? 
+ - [ ] https://www.youtube.com/watch?v=T-PTboW-GbQ gaming + - [ ] **Musl stages: consider the musl overlay**While the core system packages within the stage files work fine in the main gentoo repository, musl-specific fixes for additional packages can be found in the [musl overlay](https://gitweb.gentoo.org/proj/musl.git/). If you encounter problems, you may want to consider adding this overlay to your installation. Instructions how to do so can be found, e.g., on the [page of the Hardened musl project](https://wiki.gentoo.org/wiki/Project:Hardened_musl). Please file bugs! + - [ ] https://wiki.gentoo.org/wiki/Project:Musl + - [ ] +- [ ] partitioning +- [ ] encrypting btrfs https://wiki.archlinux.org/title/Btrfs add compression? +- [ ] swapfile encrypted +- [ ] uefi +- [ ] distcc - https://wiki.gentoo.org/wiki/Distcc#To_bootstrap +- [ ] initramfs!!! +- [ ] tpm secure boot? +- [ ] yubikey pam +- [ ] app armor? +- [ ] ftrim + trim https://wiki.archlinux.org/title/Solid_state_drive#TRIM https://bbs.archlinux.org/viewtopic.php?id=239160 +- [ ] make use flags!!! 
https://www.youtube.com/watch?v=BkpvZYDMX34 +- [ ] distcc setup (https://wiki.gentoo.org/wiki/Distcc) +- [ ] git setup +- [ ] zshrc +starship +- [ ] hardened firefox config +- [ ] hardened chromium config +- [ ] tor and i2p configuration +- [ ] wireguard security and vpn security and firehol +- [ ] proxychains +- [ ] weechat security +- [ ] power management +- [ ] nix configuration +- [ ] qemu with immo boot option +- [ ] ecryptfs on login https://wiki.archlinux.org/title/Data-at-rest_encryption#Block_device_vs_stacked_filesystem_encryption https://wiki.archlinux.org/title/ECryptfs https://sysphere.org/~anrxc/j/articles/ecryptfs/index.html https://wiki.gentoo.org/wiki/ECryptfs (supports tpm and gpg) +- [ ] https://wiki.gentoo.org/wiki/GLSA - security advisory +- [ ] +dispatch-conf (https://wiki.gentoo.org/wiki/Dispatch-conf) https://www.youtube.com/watch?v=en-aLJGXEqI +https://www.youtube.com/watch?v=nZLGvz9bMmc custom ebuild repository +tpm - https://wiki.gentoo.org/wiki/Trusted_Platform_Module +https://www.youtube.com/watch?v=jhfiDcrA8ZQ (post install) +https://resources.infosecinstitute.com/topic/gentoo-hardening-part-1-introduction-hardened-profile-2/ + +https://wiki.archlinux.org/title/OpenRC +https://old.calculate-linux.org/main/en/openrc_manuals +https://wiki.gentoo.org/wiki/OpenRC + + +!!! https://wiki.alpinelinux.org/wiki/Setting_up_a_laptop + +with mutar!!! 
gpu pass through https://www.youtube.com/watch?v=YUU7ahzDyOg IMMOU single gpu https://github.com/joeknock90/Single-GPU-Passthrough + +### ricing - https://www.youtube.com/watch?v=dFkGNe4oaKk +*Note: use stow for managing dotfiles* +https://arewewaylandyet.com/ +https://github.com/hyprland-community/awesome-hyprland +- [ ] wayland & [hyprland](https://github.com/hyprwm/Hyprland) also [seatd????](https://wiki.gentoo.org/wiki/Seatd) https://github.com/JaKooLit/Ja_HyprLanD-dots https://github.com/slchris/hyprland-dotfiles +- [ ] [kitty](https://github.com/kovidgoyal/kitty) gpu based terminal +- [ ] [helix](https://github.com/helix-editor/helix) vim alternative in rust +- [ ] https://github.com/sayanarijit/xplr file manager +- [ ] waybar - menu status bar +- [ ] [swww](https://github.com/Horus645/swww) for wallpaper +- [ ] [starship](https://github.com/starship/starship) shell prompt alternative to oh-my-zsh or oh-my-bash in rust for zsh or bash +- [ ] xdg base directory specific - https://github.com/b3nj5m1n/xdg-ninja https://wiki.archlinux.org/title/XDG_Base_Directory https://github.com/qarmin/czkawka +- [ ] [zoxide](https://github.com/ajeetdsouza/zoxide) smarter cd alternative in rust +- [ ] alternative coreutils in rust https://github.com/uutils/coreutils +- [ ] https://github.com/orhun/systeroid alternative syctl more powerful and in rust +- [ ] ripgrep instead of find and grep or atomic grep??? 
+- [ ] setup function keys +- [ ] https://github.com/sudofox/shell-mommy + + +srcs: +https://wiki.archlinux.org/title/Laptop#top-page +[Pratical Hardening Guide](https://github.com/trimstray/the-practical-linux-hardening-guide) +[Hardening Checklist](https://github.com/trimstray/linux-hardening-checklist) +https://wiki.gentoo.org/wiki/Power_management/Guide +https://linuxsecurity.expert/checklists/linux-security-and-system-hardening#hardware-security +setup yubikey pam: https://wiki.gentoo.org/wiki/YubiKey#plugdev +yubikey 2fa disk encryption: https://blog.mimacom.com/fde-with-yubikey/ +yubikey fulldisk encryption with gpg: https://wiki.archlinux.org/title/YubiKey#Full_disk_encryption_with_LUKS +quick shutdown +gpg keyfile on usb https://wiki.gentoo.org/wiki/Dm-crypt_full_disk_encryption +https://github.com/safing/portmaster - Block Mass Surveillance +luksNUKE: https://askubuntu.com/questions/821881/luks-and-nuke-key-installtion-on-ubuntu https://salsa.debian.org/pkg-security-team/cryptsetup-nuke-password + +https://wiki.gentoo.org/wiki/Full_Disk_Encryption_From_Scratch_Simplified +https://www.linuxcapable.com/install-clamav-on-fedora-linux/ (clamav) +https://wiki.gentoo.org/wiki/ClamAV https://wiki.archlinux.org/title/ClamAV +tpm https://wiki.gentoo.org/wiki/Trusted_Platform_Module +secureboot https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot_under_OpenRC + + +https://amedeos.github.io/gentoo/2020/12/26/install-gentoo-with-uefi-luks-btrfs-and-systemd.html + +https://www.reddit.com/r/Gentoo/comments/10e4a4l/installation_with_fulldisk_twofactor_encryption/ + +https://github.com/rememberYou/dotfiles/wiki/Installation +https://wiki.gentoo.org/wiki/Btrfs/Encrypted_Btrfs_System_Root_Guide +https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide +https://wiki.gentoo.org/wiki/Dm-crypt_full_disk_encryption +https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide + + 
+https://www.youtube.com/watch?v=I3uIl9w287g + + │15:14:21 @mss | https://git.adelielinux.org/adelie/gcompat │+garyOak + │15:14:21 @mss | https://github.com/ericonr/argp-standalone │+jiggawatt + │15:14:21 @mss | https://github.com/kaniini/libucontext │+kaizoku + │15:14:21 @mss | https://github.com/pikhq/musl-nscd │+kakama + │15:14:21 @mss | https://github.com/void-linux/musl-fts │+kayos + │15:14:21 @mss | https://github.com/void-linux/musl-obstack │+liszt_ + │15:14:21 @mss | https://skarnet.org/software/utmps/ \ No newline at end of file diff --git a/Gentoo/files/portage/package.license/kernel b/Gentoo/files/portage/package.license/kernel new file mode 100644 index 0000000..1b5b90a --- /dev/null +++ b/Gentoo/files/portage/package.license/kernel @@ -0,0 +1,2 @@ +app-arch/unrar unRAR +sys-kernel/linux-firmware @BINARY-REDISTRIBUTABLE diff --git a/Gentoo/files/portage/package.use/crypt b/Gentoo/files/portage/package.use/crypt new file mode 100644 index 0000000..49e80aa --- /dev/null +++ b/Gentoo/files/portage/package.use/crypt @@ -0,0 +1,8 @@ +# For grub +sys-boot/grub device-mapper + +# For Cryptsetup // this will need custom patching for nuke +sys-fs/cryptsetup static kernel + +# For Dracut +sys-kernel/dracut device-mapper diff --git a/Gentoo/files/portage/package.use/wine b/Gentoo/files/portage/package.use/wine new file mode 100644 index 0000000..ab4db96 --- /dev/null +++ b/Gentoo/files/portage/package.use/wine @@ -0,0 +1,2 @@ +# For proton support +virtual/wine proton diff --git a/Void/README.md b/Void/README.md new file mode 100644 index 0000000..b610f1a --- /dev/null +++ b/Void/README.md 
@@ -0,0 +1,65 @@ +``3# Void Linux Install + + + + +## Hardware Configuration +This configuration is for my Physical Server: +**HOST:** PowerEdge R710 +**CPU:** Intel Xeon L5640 (24) @ 2.262GHz (x2) +https://manualsdump.com/en/manuals/dell-idrac6/147859/193 + + +2x 1000w power supplys +gen1 motherboard + + +### Installation Media Prep +Download the ISO from the [downlod link](https://www.gentoo.org/downloads/) +and then to verify the ISO import the correct keys +```bash +gpg --keyserver hkps://keys.gentoo.org --recv-keys 0xBB572E0E2D182910 +``` +or if you are using a Gentoo verified install +```bash +gpg --import /usr/share/openpgp-keys/gentoo-release.asc +``` +then verify the ISO +```bash +gpg --verify install-amd64-minimal-*.iso.asc +``` +next dd the ISO to the target bootable drive: +```bash +dd if=/path/to/image.iso of=/dev/sdX bs=4MB conv=fsync oflag=direct status=progress +``` + + +# Roadmap +- [ ] full disk encryption on root disk +- [ ] partitions +- [ ] btrfs +- [ ] zfs https://www.stephenwagner.com/2020/06/06/freenas-truenas-zfs-optimizations-considerations-ssd-nvme/ + maybe we can have nvme/ssd caching with a 14tb parity/backup drive or 2 of them + https://arstechnica.com/information-technology/2020/05/zfs-101-understanding-zfs-storage-and-performance/ + https://superuser.com/questions/849235/beginner-backing-up-zfs-storage-pools#849300 +- [ ] selinux or app armor +- [ ] lxd on zfs with networking outside and inside of network +- [ ] firehol and iptable rules for putting it head of network + +## stack: +https://github.com/navilg/media-stack +Jellyfin, Radarr, Sonnar, Prowlerr or jackett + qbittorrent (over netherlands server for torrenting vpn) jellyfin on lan or over dns (zoa.sh or femboy.zip) +nextcloud (zoa.sh) +znc or another bouncer preferably something nice in rust (tcp.wiki or malware.social or femboy.zip) https://sr.ht/~emersion/soju/ + https://git.sr.ht/~emersion/gamja +matrix probably synapse in rust (malware.social and femboy.zip) 
https://conduit.rs/ +vault warden for protecting me and clients logins (set 2fa to required) https://github.com/dani-garcia/vaultwarden +gitea (with custom epic theme, mirror to github) https://github.com/go-gitea/gitea +(everything should be themed pretty epicly) +invoice ninja (invoice.cursed.tech) + +srcs: +[Pratical Hardening Guide](https://github.com/trimstray/the-practical-linux-hardening-guide) +[Hardening Checklist](https://github.com/trimstray/linux-hardening-checklist) +[DevSec Hardening](https://dev-sec.io/) and [DevSec Github](https://github.com/dev-sec/) + +data scrubbing: https://kb.synology.com/en-global/DSM/help/DSM/StorageManager/storage_pool_data_scrubbing?version=7 \ No newline at end of file diff --git a/Void/readme2.md b/Void/readme2.md new file mode 100644 index 0000000..e2c1b73 --- /dev/null +++ b/Void/readme2.md 
@@ -0,0 +1,78 @@ +What is it? null linux is a rebuild of [splitlinux](https://splitlinux.org) with modern features +*"Split Linux is a general operating system optimized for safely navigating hostile environments like the Internet and physical check points."* +![[Pasted image 20230714181622.png]] +Instead of logical volumes we use BTRFS +![[Pasted image 20230714182112.png]] +Instead of Xorg we will be using Wayland +as instead of DWM we will be using Hyprland + +we will also be using musl only + +first we will wipe the nvme namespaces with 0xffffffff +``` +nvme format -s1 /dev/nvme0n1 +``` +then create the UEFI boot partion: +```bash +parted /dev/nvme0n1 mklabel gpt +parted /dev/nvme0n1 mkpart ESP fat32 1MiB 513MiB name boot +parted /dev/nvme0n1 set 1 esp on +parted /dev/nvme0n1 set 1 boot on +mkfs.fat -F32 /dev/nvme0n1p1 +``` +This creates a 512 MiB EFI System Partition (ESP) named `boot` at the beginning of the NVMe drive and formats it with the FAT32 filesystem. +*Note: its best to keep boot on a seperate drive but for this alpha instructions we will be containing it on a separate partition* +next create a the luks partition: +```bash +parted /dev/nvme0n1 mkpart primary 513MiB 100% +parted /dev/nvme0n1 name 2 root +``` +This creates a partition for the filesystem named `root` +now lets encrypt it: +```bash +cryptsetup luksFormat --iter-time=5000 --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 /dev/nvme0n1p2 +cryptsetup open /dev/nvme0n1p2 luks +``` +*Note: make sure to backup your luksheader to an encrypted usb drive aswell: * + +*Note: I suggest a password with at least 16 characters, preferably more* + +```bash +cryptsetup luksOpen /dev/sda4 usb +mount /dev/mapper/usb /media/usb +cryptsetup luksHeaderBackup /dev/nvme0n1p2 --header-backup-file /media/usb/luksheader.bak +sync +umount /media/usb +``` +*note to self: add gpg encryption aswell and check if --allow-discards for trim is good on nvme0n1p1* + +create the btrfs filesystem: +```bash +mkfs.btrfs 
/dev/mapper/luks +``` +this creates a btrfs filesystem on the encrypted patrition + +Mount the Btrfs filesystem and set up subvolumes: +```bash +mkdir /mnt/null +mount /dev/mapper/luks /mnt/null +btrfs subvolume create /mnt/null/@ +btrfs subvolume create /mnt/null/@home +btrfs subvolume create /mnt/null/@snapshots +umount /mnt/null +``` +*Note: setup so /var/log and /var/log/audit are on seperate partitions aswell as /tmp and /var/tmp* + +This creates three Btrfs subvolumes for the root filesystem, home directory, and snapshots. +```bash +mount -t btrfs -o noatime,relatime,compress=lzo,ssd,space_cache=v2,subvol=@ /dev/mapper/luks /mnt/null +``` +*Note: we unmount /mnt/null so we can use the btrfs subvolume `@`* + + +```bash +cd /mnt/null +wget https://repo-default.voidlinux.org/live/current/void-x86_64-musl-ROOTFS-20230628.tar.xz +tar xvf void-<...>-ROOTFS.tar.xz -C /mnt/null +``` +https://gist.github.com/gbrlsnchs/9c9dc55cd0beb26e141ee3ea59f26e21 \ No newline at end of file
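Review bot: In Gentoo/README.md the root mount line contradicts the commands before it: `cryptsetup open /dev/nvme1n1p2 luks` creates `/dev/mapper/luks` and the subvolumes are created under `/mnt/gentoo`, but the mount reads `mount -t btrfs -o noatime,relatime,... /dev/mapper/luksdev /mnt/gen`, so it fails on a live system and the following `cd /mnt/gentoo/` plus stage3 extraction land in the live USB's ramdisk rather than on the encrypted filesystem; use `/dev/mapper/luks /mnt/gentoo` and keep only one of `noatime`/`relatime`, which conflict. Later in the same file `dracut --hostonly --kver=` is given an empty kernel version, and make.conf assigns `USE` twice, so the first list (with `abi_x86_32`, `pulseaudio`, `cups`, etc.) is silently discarded by the second; keep a single assignment or move per-package flags into package.use as the inline comment already says. Two hardening points worth a second look: `ACCEPT_KEYWORDS="~amd64"` pulls testing packages system-wide on an install described as secure daily-use, and the kernel Cryptographic API section only enables SHA224/SHA256 while `luksFormat` was run with `--hash=sha512`; confirm the SHA-512 digest option is not needed by the initramfs unlock path before relying on that config.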
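Review bot: Gentoo/files/portage/package.license/kernel puts an unrelated entry in a file named for the kernel: `app-arch/unrar unRAR` has nothing to do with `sys-kernel/linux-firmware @BINARY-REDISTRIBUTABLE`; move it to its own file under package.license and add a one-line comment per entry saying why that license is accepted, as the package.use files in this commit do. Also note that make.conf already sets `ACCEPT_LICENSE="* -@EULA"`, so either these entries are redundant or the intent is to tighten ACCEPT_LICENSE and whitelist per package here; the latter is the more defensible setup for a hardened build and should be stated.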
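Review bot: In Gentoo/files/portage/package.use/crypt the comment `this will need custom patching for nuke` refers to a patch that is not part of this commit; record where it will live (`/etc/portage/patches/sys-fs/cryptsetup/` is the conventional location) or link the source, otherwise the `static kernel` flags on `sys-fs/cryptsetup` read as unexplained. The README roadmap lists luksNUKE only as a pair of links, so a short rationale here keeps the two in sync.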
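Review bot: Gentoo/files/portage/package.use/wine (`virtual/wine proton`) is referenced nowhere in the README and sits outside the stated scope of a hardened daily-use install; either document its purpose in the roadmap (gaming appears there only as a video link) or drop it from this commit so the portage presets contain only what the install needs. If it stays, check whether wine-proton needs `abi_x86_32`, which the README's effective `USE` (the second assignment) no longer contains.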
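Review bot: Void/README.md's Installation Media Prep was copied from the Gentoo page and verifies the wrong artifact: it downloads the Gentoo ISO from gentoo.org, imports the Gentoo release key `0xBB572E0E2D182910` and runs `gpg --verify install-amd64-minimal-*.iso.asc`, none of which applies to a Void install; replace it with Void's own image download and its published checksum and signature verification so the integrity check actually covers the image being written with `dd`. The file's first line also has stray characters before `# Void Linux Install`, so the title will not render as a heading.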
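Review bot: In Void/readme2.md the wipe step does not match its description: `nvme format -s1 /dev/nvme0n1` requests a User Data Erase (secure-erase setting 1) of namespace 1, not a fill with `0xffffffff`; the value in the sentence reads like the all-namespaces NSID, which the command does not pass (`-n 0xffffffff` against the controller device would), so state which is meant and that the step irreversibly erases the target. Further down, `tar xvf void-<...>-ROOTFS.tar.xz -C /mnt/null` uses a placeholder that does not match the file fetched by the preceding wget (`void-x86_64-musl-ROOTFS-20230628.tar.xz`), and the `![[Pasted image ...]]` wikilinks are Obsidian syntax that GitHub will not render; use standard image links to files checked into the repo.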