***BTRFS***
|
|
|
|
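# --- Disk layout (GPT): sda1 = 512M EFI System Partition, sda2 = LUKS container holding btrfs ---
# Interactive gdisk session. The indented lines are the keystrokes that were typed, not commands:
#   d       delete each existing partition (repeat until none remain)
#   n       new partition: accept defaults, last sector +512M, type code ef00 (EFI System)
#   n       new partition: accept defaults, last sector -100M (leaves ~100M of slack), default type
#   w       write the table and exit
# Confirm the device with `lsblk` first — everything on /dev/sda is destroyed.
gdisk /dev/sda

# Unencrypted ESP. GRUB, the kernel and the initramfs live here in the clear, so anyone with
# physical access can modify them offline; LUKS only protects the root filesystem. Mitigate
# with Secure Boot (self-signed keys / signed UKI) if that is in your threat model.
mkfs.fat -F 32 /dev/sda1

# LUKS container for root. -y asks for the passphrase twice, -v is verbose. Recent cryptsetup
# defaults to LUKS2, which is fine here because GRUB never has to unlock it: /boot is on the
# ESP and the kernel's `encrypt` hook (see mkinitcpio HOOKS below) does the unlocking.
cryptsetup -y -v luksFormat /dev/sda2

# Once installed, back up the header off-disk (`cryptsetup luksHeaderBackup /dev/sda2
# --header-backup-file <file>`): a damaged header makes the whole filesystem unrecoverable.
cryptsetup open /dev/sda2 crypt

mkfs.btrfs /dev/mapper/crypt
mount /dev/mapper/crypt /mnt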
|
|
|
|
cd /mnt

# Flat subvolume layout: each one is mounted separately below, so a snapshot (or rollback)
# of @ (root) leaves home, logs, the snapshot store itself and the swapfile untouched.
for subvol in @ @home @snapshots @var_log @swap; do
  btrfs subvolume create "$subvol"
done

cd
umount /mnt
|
|
# Mount every subvolume under /mnt in its final position. Common options: noatime (fewer
# metadata writes), zstd compression, space_cache=v2 (free-space tree).
btrfs_opts=noatime,compress=zstd,space_cache=v2

mount -o "${btrfs_opts},subvol=@" /dev/mapper/crypt /mnt
mkdir -p /mnt/{boot,home,.snapshots,var/log,swap}
mount -o "${btrfs_opts},subvol=@home" /dev/mapper/crypt /mnt/home
mount -o "${btrfs_opts},subvol=@snapshots" /dev/mapper/crypt /mnt/.snapshots
mount -o "${btrfs_opts},subvol=@var_log" /dev/mapper/crypt /mnt/var/log
# No compression on the swap subvolume: a btrfs swapfile must be uncompressed and NOCOW.
mount -o noatime,subvol=@swap /dev/mapper/crypt /mnt/swap

mount /dev/sda1 /mnt/boot
|
|
|
|
# Swapfile inside the @swap subvolume. btrfs requires the file to be NOCOW and
# uncompressed; setting +C on the (still empty) directory makes new files inherit it,
# which is why it is done before the file exists.
chattr +C /mnt/swap
dd if=/dev/zero of=/mnt/swap/swapfile bs=1M count=24576 status=progress   # 24 GiB
chmod 0600 /mnt/swap/swapfile
mkswap -U clear /mnt/swap/swapfile
swapon /mnt/swap/swapfile
|
|
|
|
cd

# Base system. The ZFS section later uses zfs-dkms, so the module is rebuilt for whatever
# linux-hardened version is installed. NOTE(review): I believe exfat-utils has been
# replaced by exfatprogs in the Arch repos — check which one pacstrap can still resolve.
pkgs=(
  base base-devel linux-hardened linux-firmware intel-ucode
  sudo vim nano git
  btrfs-progs dosfstools e2fsprogs exfat-utils smartmontools
  networkmanager dialog man-db man-pages texinfo os-prober
)
pacstrap /mnt "${pkgs[@]}"

# fstab from the current mounts (-U: reference devices by UUID). Appends — run it once.
genfstab -U /mnt >> /mnt/etc/fstab

arch-chroot /mnt
|
|
ln -sf /usr/share/zoneinfo/UTC /etc/localtime
hwclock --systohc

# Uncomment the locale(s) you need (LANG below expects `en_US.UTF-8 UTF-8`), then generate.
nano /etc/locale.gen
locale-gen
printf 'LANG=en_US.UTF-8\n' > /etc/locale.conf

# Replace <hostname> with the machine's name.
printf '%s\n' '<hostname>' > /etc/hostname

# Root password. sshd is enabled later in these notes; OpenSSH's default PermitRootLogin is
# prohibit-password (check the shipped /etc/ssh/sshd_config), but pick a strong passphrase
# regardless — this is the console recovery path.
passwd
|
|
|
|
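pacman -S grub efibootmgr

# Initramfs. The root filesystem is unlocked by the `encrypt` hook, which must come after
# `block` and before `filesystems`. `keyboard` has to come BEFORE `encrypt`, otherwise a
# USB keyboard may not work at the passphrase prompt (the original notes had it after fsck).
# Add `btrfs` to MODULES while editing.
nano /etc/mkinitcpio.conf
#   MODULES=(btrfs)
#   HOOKS=(base udev autodetect modconf keyboard block encrypt filesystems fsck)
mkinitcpio -p linux-hardened

# /boot is the unencrypted ESP: GRUB, kernel and initramfs are outside the LUKS container
# and can be tampered with offline (evil-maid). Use Secure Boot with your own keys, or move
# /boot inside the container, if that matters for this box.
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB

# UUID of the LUKS *container* (sda2) — not the UUID of the btrfs inside it.
blkid /dev/sda2

# /etc/default/grub, GRUB_CMDLINE_LINUX:
#   root=/dev/mapper/crypt cryptdevice=UUID=<UUID>:crypt
nano /etc/default/grub
grub-mkconfig -o /boot/grub/grub.cfg

# Sanity check before rebooting: the generated config has to carry the cryptdevice= option,
# or the initramfs will never find the root device.
grep -q 'cryptdevice=UUID=' /boot/grub/grub.cfg || echo 'WARNING: cryptdevice= missing from grub.cfg' >&2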
|
|
|
|
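pacman -Syu linux-hardened-headers dhcpcd openssh git sudo ntp nfs-utils rsync docker docker-compose

# Still root inside the chroot, so plain visudo — sudo is neither needed nor configured yet
# (the original wrapped this in sudo). Uncomment `%wheel ALL=(ALL:ALL) ALL`, the
# password-prompting form, not the NOPASSWD one.
EDITOR=nano visudo

useradd -m -G wheel -s /bin/bash <username>

# SECURITY: membership in `docker` is root-equivalent on this host (any member can start a
# container with / bind-mounted). Acceptable for a single-admin box; otherwise leave this
# out and run docker through sudo, or use rootless docker.
usermod -aG docker <username>
passwd <username>

# Networking: dhcpcd is enabled here while NetworkManager was also installed by pacstrap —
# enable only one of them or they will fight over the interfaces.
systemctl enable dhcpcd.service

# sshd comes up with OpenSSH defaults (password authentication on). Once a key is deployed
# for <username>, set `PasswordAuthentication no` in /etc/ssh/sshd_config.
systemctl enable sshd
systemctl enable docker.service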
|
|
|
|
|
|
**ZFS DKMS**
|
|
|
|
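# archzfs repository trust. The key ID and the mirrorlist are fetched through a URL
# shortener (git.io) whose redirect target is outside your control. -f makes curl fail on
# HTTP errors instead of feeding an error page to pacman-key / the mirrorlist.
curl -fsSL https://archzfs.com/archzfs.gpg | pacman-key -a -

# --lsign-key trusts this key for every package in the repo. Look at the key before
# signing it and compare with the fingerprint published on https://archzfs.com, instead
# of piping whatever the shortener returns straight into --lsign-key.
archzfs_key=$(curl -fsSL https://git.io/JsfVS)
pacman-key --finger "$archzfs_key"
pacman-key --lsign-key "$archzfs_key"

# Review the mirrorlist before pacman uses it: it decides where packages are downloaded
# from (signatures still have to verify against the key above, so this is about
# availability/tracking rather than code execution).
curl -fsSL -o /etc/pacman.d/mirrorlist-archzfs https://git.io/Jsfw2
cat /etc/pacman.d/mirrorlist-archzfs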
|
|
|
|
***
|
|
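# Add the repo once: replaying these notes must not append a second [archzfs] section.
grep -q '^\[archzfs\]' /etc/pacman.conf || tee -a /etc/pacman.conf <<- 'EOF'

#[archzfs-testing]
#Include = /etc/pacman.d/mirrorlist-archzfs

[archzfs]
Include = /etc/pacman.d/mirrorlist-archzfs
EOF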
|
|
***
|
|
|
|
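pacman -Sy

# zfs-dkms builds against the running kernel's headers, so the installed kernel version
# and the headers package version must match exactly.
INST_LINVAR=linux-hardened
INST_LINVER=$(pacman -Qi "${INST_LINVAR}" | awk '/^Version/ { print $3 }')

# If the headers in the sync db still match the installed kernel, install them from there;
# otherwise fetch the matching version from the Arch archive. (`exit` after the first match
# avoids a multi-line value when the package shows up in more than one repo.)
if [ "${INST_LINVER}" = \
  "$(pacman -Si "${INST_LINVAR}-headers" | awk '/^Version/ { print $3; exit }')" ]; then
  pacman -S --noconfirm --needed "${INST_LINVAR}-headers"
else
  # pacman -U with a URL only enforces the detached .sig when RemoteFileSigLevel (or the
  # global SigLevel) is Required in pacman.conf — check that, otherwise this download is
  # trusted on TLS alone.
  pacman -U --noconfirm --needed \
    "https://archive.archlinux.org/packages/l/${INST_LINVAR}-headers/${INST_LINVAR}-headers-${INST_LINVER}-x86_64.pkg.tar.zst"
fi

pacman -Sy --needed --noconfirm zfs-dkms glibc

# Pin kernel and headers so a routine -Syu cannot move them past what zfs-dkms supports
# (the UPDATE sections below bump them deliberately). Don't append the names twice when
# these notes are replayed.
sed -i 's/#IgnorePkg/IgnorePkg/' /etc/pacman.conf
grep -q "^IgnorePkg.* ${INST_LINVAR}-headers" /etc/pacman.conf \
  || sed -i "/^IgnorePkg/ s/$/ ${INST_LINVAR} ${INST_LINVAR}-headers/" /etc/pacman.conf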
|
|
|
|
exit
shutdown now

# --- Login at the console after first boot ---
# sshd was already enabled in the chroot; --now also starts it for this session.
sudo systemctl enable --now sshd
ip addr

# From the workstation:
ssh <username>@<ip>

# zfs-dkms was built against linux-hardened — confirm the module actually loads.
modprobe zfs
zfs list
zpool list
|
|
|
|
***UPDATE ZFS***
|
|
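# Kernel package name taken from the booted image (e.g. "linux-hardened"), so the same
# line works for any kernel variant. Brittle: it keeps the text after the LAST "linux" on
# the command line, so a later parameter containing that word would break it.
INST_LINVAR=$(sed 's|.*linux|linux|' /proc/cmdline | sed 's|.img||g' | awk '{ print $1 }')

# -Syu rather than -Sy: installing selected packages after a bare database refresh is a
# partial upgrade, which Arch does not support. Kernel and headers are named explicitly
# so pacman installs them despite the IgnorePkg pin (it still asks for confirmation).
sudo pacman -Syu --needed "$INST_LINVAR" "$INST_LINVAR-headers" zfs-dkms glibc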
|
|
|
|
**SNAPPER**
|
|
|
|
sudo pacman -S snapper

# snapper's create-config wants to create /.snapshots as a fresh subvolume, but the
# @snapshots subvolume is already mounted there. Detach it, let snapper create its own,
# delete that, and re-mount the original from fstab — this keeps snapshots outside @,
# so they survive a rollback of the root subvolume.
sudo umount /.snapshots
sudo rm -r /.snapshots
sudo snapper -c root create-config /
sudo btrfs subvolume list /
sudo btrfs subvolume delete /.snapshots
sudo mkdir /.snapshots
sudo mount -a
sudo chmod 750 /.snapshots

# /etc/snapper/configs/root — let <username> manage snapshots and keep the timeline short:
#   ALLOW_USERS="<username>"
#   TIMELINE_MIN_AGE="1800"
#   TIMELINE_LIMIT_HOURLY="5"
#   TIMELINE_LIMIT_DAILY="7"
#   TIMELINE_LIMIT_WEEKLY="0"
#   TIMELINE_LIMIT_MONTHLY="0"
#   TIMELINE_LIMIT_YEARLY="0"
sudo nano /etc/snapper/configs/root

sudo systemctl enable --now snapper-timeline.timer snapper-cleanup.timer

# SSD only (the disks in this build are spinning, see the ZFS section):
#   sudo systemctl enable fstrim.timer
|
|
|
|
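# yay (AUR helper) is itself an AUR package, so it is built by hand. Read the PKGBUILD
# before makepkg runs it: it executes as your user and then installs with sudo.
# (The original passed `PKGBUILD` as a positional argument; makepkg reads ./PKGBUILD by
# default, `-p` is the option for a different file.)
git clone https://aur.archlinux.org/yay
cd yay
less PKGBUILD
makepkg -si
cd ..

# snap-pac-grub (AUR): pacman hooks that take pre/post snapshots and regenerate the GRUB
# menu through grub-btrfs. yay shows the PKGBUILD diff — read it for the same reason.
yay -S snap-pac-grub

# grub-btrfs-overlayfs boots a read-only snapshot from GRUB with a writable overlay, so
# it can be inspected or rolled back without modifying the snapshot itself.
sudo nano /etc/mkinitcpio.conf
#   HOOKS=(... grub-btrfs-overlayfs)   # append to the existing HOOKS line
sudo mkinitcpio -P

# /boot is not on btrfs, so snapshots don't cover it. Keep a copy on the root subvolume
# (which snapper does snapshot), refreshed by the pacman hook below on kernel changes.
sudo rsync -a --delete /boot /.bootbackup
sudo mkdir -p /etc/pacman.d/hooks
sudo nano /etc/pacman.d/hooks/50-bootbackup.hook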
|
|
|
|
***
|
|
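# /etc/pacman.d/hooks/50-bootbackup.hook
# Copy /boot (the unencrypted ESP, outside the btrfs snapshots) into /.bootbackup on the
# root subvolume, so a snapper rollback can also restore the matching kernel/initramfs.
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Path
# Fires whenever a kernel package is touched.
Target = usr/lib/modules/*/vmlinuz

[Action]
Depends = rsync
Description = Backing up /boot...
# NOTE(review): hooks run in file-name order. As "50-" this runs before the distribution's
# 90-mkinitcpio-install hook copies the new kernel into /boot, i.e. the backup holds the
# PREVIOUS /boot. That is what you want for rollback — confirm it matches your intent.
When = PostTransaction
Exec = /usr/bin/rsync -a --delete /boot /.bootbackup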
|
|
***
|
|
|
|
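sudo reboot

# Baseline snapshot of the fresh install. -d on `create` sets the description directly,
# so the separate `snapper modify` step (and its mistyped `--d` flag) is not needed.
sudo snapper -c root create -d 'Clean BTRFS install with Snapper'
snapper list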
|
|
|
|
# Mount the whole btrfs tree under /mnt (the same subvolumes are already mounted at /;
# btrfs allows a subvolume to be mounted more than once) so the device add / balance
# below has a mount point to work on.
sudo mount -o noatime,compress=zstd,space_cache=v2,subvol=@ /dev/mapper/crypt /mnt
sudo mkdir -p /mnt/{boot,home,.snapshots,var/log,swap}
for pair in @home:home @snapshots:.snapshots @var_log:var/log; do
  sudo mount -o "noatime,compress=zstd,space_cache=v2,subvol=${pair%%:*}" /dev/mapper/crypt "/mnt/${pair#*:}"
done
sudo mount -o noatime,subvol=@swap /dev/mapper/crypt /mnt/swap
|
|
|
|
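sudo pacman -S gdisk

# Second disk, same layout as sda: sdb1 = 512M (spare ESP), sdb2 = the rest.
# Interactive gdisk keystrokes (not commands): d, n, 1, +512M, n, -100M, w
sudo gdisk /dev/sdb

# SECURITY: the original notes added the raw /dev/sdb2 to the encrypted filesystem. btrfs
# raid1 then mirrors every block of the LUKS-protected root onto an unencrypted partition,
# so the second disk holds the whole filesystem in plaintext and the encryption on sda is
# defeated. The mirror member must itself be a LUKS device.
sudo cryptsetup -y -v luksFormat /dev/sdb2
sudo cryptsetup open /dev/sdb2 crypt2

# raid1 needs all members present at boot (or `-o degraded`). The initramfs `encrypt` hook
# unlocks a single cryptdevice=, so the second container has to be opened early as well:
# either switch to the systemd hooks (`sd-encrypt`, one rd.luks.name= per container) or
# give crypt2 a keyfile the initramfs can use. See the Arch wiki, dm-crypt/Specialties
# (multiple disks), and test a reboot before relying on the mirror.
sudo btrfs device add -f /dev/mapper/crypt2 /mnt
sudo btrfs balance start -dconvert=raid1 -mconvert=raid1 /mnt/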
|
|
|
|
**https://unix.stackexchange.com/questions/309184/btrfs-convert-raid0-to-raid1**
|
|
** TO REMOVE **
|
|
# Undo the mirror: btrfs refuses to remove a device while raid1 profiles still need it, so
# convert data, metadata and system chunks back to single first (-f is required when
# lowering metadata redundancy), then drop the member. If the removed member was an
# unencrypted partition it now holds a plaintext copy of the filesystem — wipe it.
btrfs balance start -f -dconvert=single -mconvert=single -sconvert=single "<mount>"
btrfs device remove "<drive>" "<mount>"
|
|
**
|
|
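# Snapshot after the raid1 conversion. -d on `create` sets the description directly, so
# the separate `snapper modify` step (and its mistyped `--d` flag) is not needed.
sudo snapper -c root create -d 'btrfs raid1'
snapper list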
|
|
|
|
***ZFS***
|
|
|
|
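# Identify the disks destined for the pool. Use /dev/disk/by-id names throughout: they
# are stable across reboots and slot changes, /dev/sdX names are not.
sudo btrfs filesystem show
lsblk
ls /dev/disk/by-id/

# Encrypted mirrored pool. Properties meant for every dataset are given with -O at create
# time rather than with `zfs set` afterwards, so nothing is ever written with the defaults.
# (The original set compression/atime/xattr after the fact and re-enabled
# feature@encryption, which `-O encryption=` already requires and turns on.)
#   ashift=13 (8 KiB sectors) cannot be changed later. Most spinning disks are 512e/4Kn,
#   i.e. ashift=12 — check `smartctl -i` before committing. Too large wastes space on small
#   blocks; too small costs performance.
#   keylocation=prompt: the datasets cannot be mounted unattended; see the import step below.
sudo zpool create \
  -o ashift=13 \
  -o autoexpand=on \
  -O encryption=aes-256-gcm \
  -O keylocation=prompt \
  -O keyformat=passphrase \
  -O compression=lz4 \
  -O atime=off \
  -O xattr=sa \
  -m /zfs/tardis \
  tardis mirror \
  /dev/disk/by-id/scsi-35000c50056be1543 \
  /dev/disk/by-id/scsi-35000c5008512fac3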
|
|
|
|
# Do not enable this on my spinning disks. This is for SSD/NVMe
# zpool set autotrim=on tardis

# Grow the pool with two more mirror vdevs (data is striped across the three mirrors).
# Adding a vdev is far harder to undo than to do — double-check the ids first.
sudo zpool add tardis mirror \
  /dev/disk/by-id/scsi-35000c500576d5abf \
  /dev/disk/by-id/scsi-35000c500576d7fb3

sudo zpool add tardis mirror \
  /dev/disk/by-id/scsi-35000c500576d7ff7 \
  /dev/disk/by-id/scsi-35000c500576d8a93

# Verify: pool health, then each pool property that was set.
sudo zpool status
sudo zpool status -x
for prop in ashift autoexpand autotrim; do
  sudo zpool get "$prop"
done

# Same for the dataset properties.
sudo zfs list
for prop in encryption compression xattr; do
  sudo zfs get "$prop"
done
|
|
|
|
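sudo reboot

# After the reboot: import by by-id path (-d) and load the encryption key (-l prompts for
# the passphrase), then mount. The export first is harmless if the pool isn't imported yet.
sudo zpool export tardis
sudo zpool import -l -d /dev/disk/by-id tardis
sudo zfs mount -a

# Record the pool in the cachefile so zfs-import-cache.service finds it at boot.
# (The original left a <pool> placeholder here; the pool is tardis.)
sudo zpool set cachefile=/etc/zfs/zpool.cache tardis

# Importing does not need the key, but mounting the encrypted datasets does, and with
# keylocation=prompt nothing supplies it unattended: expect zfs-mount to skip them until
# `zfs load-key tardis && zfs mount -a` (or `zpool import -l`) is run by hand after each
# boot, unless a keyfile is configured.
sudo systemctl enable --now zfs.target zfs-import-cache.service zfs-mount.service zfs-import.target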
|
|
|
|
*CLIENT NTP*
|
|
# --- CLIENT ---
sudo pacman -Syu openntpd
# /etc/ntpd.conf:   server ntp.example.org   (point this at the server configured below)
sudo nano /etc/ntpd.conf
# -n only checks the configuration and exits; the daemon itself is started by the unit.
sudo ntpd -n

# --- SERVER ---
sudo pacman -Syu openntpd
# /etc/ntpd.conf:   listen on *
# `listen on *` answers NTP on every address, including any internet-facing one. Prefer
# `listen on <lan-ip>` and/or a firewall rule so only the LAN clients can reach it.
sudo nano /etc/ntpd.conf
sudo ntpd -n

# Enable the service on the client as well, not only on the server.
sudo systemctl enable --now openntpd.service
|
|
|
|
*** UPDATE KERNEL/ZFS ***
|
|
|
|
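# Kernel package name from the booted image (e.g. "linux-hardened"). Brittle: it keeps the
# text after the LAST "linux" on the command line, so a later parameter containing that
# word would break it.
INST_LINVAR=$(sed 's|.*linux|linux|' /proc/cmdline | sed 's|.img||g' | awk '{ print $1 }')

# -Syu rather than -Sy: installing selected packages after a bare database refresh is a
# partial upgrade, which Arch does not support. Kernel and headers are named explicitly so
# pacman installs them despite the IgnorePkg pin (it still asks for confirmation).
pacman -Syu --needed "$INST_LINVAR" "$INST_LINVAR-headers" zfs-dkms glibc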
|
|
|
|
*** IF DOWNGRADE NEEDED ***
|
|
|
|
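INST_LINVAR=linux-hardened

# Build date of the zfs-dkms package currently in the repo: the kernel that was current on
# that day is the newest one zfs-dkms is known to build against.
DKMS_DATE=$(pacman -Syi zfs-dkms \
  | awk -F': ' '/^Build Date/ { print $2; exit }' \
  | LC_ALL=C xargs -I{} date -d {} -u +%Y/%m/%d)

# Find the kernel version the Arch archive carried on that date by scraping the directory
# listing. -f: a missing snapshot (HTTP 404) must fail instead of yielding an empty version.
INST_LINVER=$(curl -fsS "https://archive.archlinux.org/repos/${DKMS_DATE}/core/os/x86_64/" \
  | grep "\"${INST_LINVAR}-[0-9]" \
  | grep -v sig \
  | sed "s|.*${INST_LINVAR}-||" \
  | sed "s|-x86_64.*||")
[ -n "${INST_LINVER}" ] || echo "WARNING: no ${INST_LINVAR} package found for ${DKMS_DATE}" >&2

# Downgrade kernel and headers together. Only do this with RemoteFileSigLevel = Required
# (or an equivalent SigLevel) in pacman.conf, so pacman insists on the archive's detached
# signature for URL packages rather than trusting the download on TLS alone.
pacman -U \
  "https://archive.archlinux.org/packages/l/${INST_LINVAR}/${INST_LINVAR}-${INST_LINVER}-x86_64.pkg.tar.zst" \
  "https://archive.archlinux.org/packages/l/${INST_LINVAR}-headers/${INST_LINVAR}-headers-${INST_LINVER}-x86_64.pkg.tar.zst"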
|
|
|
|
|
|
**MAINTENANCE**
|
|
|
|
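sudo zpool scrub tardis
sudo zpool status

# btrfs scrub takes a mount point or a device; without -B it runs in the background,
# check progress with `status`.
sudo btrfs scrub start /dev/mapper/crypt
sudo btrfs scrub status /dev/mapper/crypt

# Docker housekeeping. The original mixed sudo on the outer command with none inside
# $(...) and none on the second docker-compose — use sudo consistently. Guard the
# stop/rm: `docker stop` with no arguments is an error when nothing is running.
containers=$(sudo docker ps -a -q)
# shellcheck disable=SC2086 — one container id per word is intended
[ -n "$containers" ] && sudo docker stop $containers && sudo docker rm $containers
sudo docker container prune
sudo docker image prune
# DATA LOSS: every container was just removed, so every volume is now "unused" — depending
# on the Docker version `volume prune` deletes all of them, not only anonymous ones.
# Make sure the stacks' data volumes are meant to go, or skip this line.
sudo docker volume prune
sudo docker system prune

sudo docker network create proxy
sudo docker-compose pull && sudo docker-compose up -d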
|
|
|
|
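# --- Rescue: repair the installed system from a live ISO ---
sudo cryptsetup open /dev/sda2 crypt
sudo mount -o noatime,compress=zstd,space_cache=v2,subvol=@ /dev/mapper/crypt /mnt
sudo mkdir -p /mnt/{boot,home,.snapshots,var/log,swap}
sudo mount /dev/sda1 /mnt/boot
sudo mount -o noatime,compress=zstd,space_cache=v2,subvol=@home /dev/mapper/crypt /mnt/home
sudo mount -o noatime,compress=zstd,space_cache=v2,subvol=@snapshots /dev/mapper/crypt /mnt/.snapshots
sudo mount -o noatime,compress=zstd,space_cache=v2,subvol=@var_log /dev/mapper/crypt /mnt/var/log
sudo mount -o noatime,subvol=@swap /dev/mapper/crypt /mnt/swap

# Everything from here on has to run INSIDE the installed system; otherwise pacman,
# mkinitcpio and grub-mkconfig act on the live ISO's environment. The original notes had
# no chroot step here (the install section does) and presumably relied on it implicitly.
sudo arch-chroot /mnt

pacman -Syu

# Inside the chroot /proc/cmdline belongs to the live ISO (kernel "linux"), so the
# cmdline parsing used elsewhere in these notes would pick the wrong package. Name it.
INST_LINVAR=linux-hardened
# -Syu, not -Sy: avoid a partial upgrade. Explicit targets override the IgnorePkg pin.
pacman -Syu --needed "$INST_LINVAR" "$INST_LINVAR-headers" zfs-dkms glibc

pacman -S grub efibootmgr

# MODULES=(btrfs); keyboard BEFORE encrypt so a USB keyboard works at the passphrase prompt:
#   HOOKS=(base udev autodetect modconf keyboard block encrypt filesystems fsck)
nano /etc/mkinitcpio.conf
mkinitcpio -p linux-hardened

# `lblkid` in the original is a typo for blkid. The UUID needed is the LUKS container's.
blkid /dev/sda2
# /etc/default/grub, GRUB_CMDLINE_LINUX:  root=/dev/mapper/crypt cryptdevice=UUID=<UUID>:crypt
nano /etc/default/grub
grub-mkconfig -o /boot/grub/grub.cfg

exit

# Back in the installed system after reboot: re-import the pool by id and load its key.
sudo zpool export tardis
sudo zpool import -l -d /dev/disk/by-id tardis
sudo zfs mount -a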
|
|
|
|
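# One-off copy. Trailing-slash semantics matter: `src/` copies the contents, `src` the
# directory itself. -a keeps ownership and permissions (fully only when run as root).
sudo rsync --info=progress2 -auvz <target> <destination>

# --- NFS server ---
# rw=@<ip> limits the export to one client, but no_root_squash lets root on that client
# act as root on the pool (any file, any owner), and AUTH_SYS trusts whatever UID the
# client presents. Drop no_root_squash unless the client genuinely has to write
# root-owned files, and treat that client host as part of the server's trusted base.
sudo zfs set sharenfs="rw=@<ip>,no_root_squash" tardis

# --- NFS client ---
# nosuid,nodev: the share's contents are controlled by the server (and by root there);
# don't let a setuid binary or device node on it escalate privileges on this host.
sudo mount -o nosuid,nodev <ip>:/zfs/tardis /zfspool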
|