parent
4c8f7e9bbc
commit
e24b963b7a
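--- /dev/null
+++ b/<PATH-NOT-SHOWN>
@@ -0,0 +1,376 @@
+***BTRFS***
+
+gdisk /dev/sda
+*delete partitions with d*
+n
++512M
+ef00
+n
+-100M
+
+mkfs.fat -F 32 /dev/sda1
+cryptsetup -y -v luksFormat /dev/sda2
+cryptsetup open /dev/sda2 crypt
+mkfs.btrfs /dev/mapper/crypt
+mount /dev/mapper/crypt /mnt
+
+cd /mnt
+btrfs subvolume create @
+btrfs subvolume create @home
+btrfs subvolume create @snapshots
+btrfs subvolume create @var_log
+btrfs subvolume create @swap
+
+cd
+umount /mnt
+mount -o noatime,compress=zstd,space_cache=v2,subvol=@ /dev/mapper/crypt /mnt
+mkdir -p /mnt/{boot,home,.snapshots,var/log,swap}
+mount -o noatime,compress=zstd,space_cache=v2,subvol=@home /dev/mapper/crypt /mnt/home
+mount -o noatime,compress=zstd,space_cache=v2,subvol=@snapshots /dev/mapper/crypt /mnt/.snapshots
+mount -o noatime,compress=zstd,space_cache=v2,subvol=@var_log /dev/mapper/crypt /mnt/var/log
+mount -o noatime,subvol=@swap /dev/mapper/crypt /mnt/swap
+mount /dev/sda1 /mnt/boot
+
+cd /mnt/swap
+chattr +C /mnt/swap
+dd if=/dev/zero of=./swapfile bs=1M count=24576 status=progress
+chmod 0600 ./swapfile
+mkswap -U clear ./swapfile
+swapon ./swapfile
+
+cd
+pacstrap /mnt base base-devel linux-hardened linux-firmware intel-ucode sudo vim nano git btrfs-progs dosfstools e2fsprogs exfat-utils smartmontools networkmanager dialog man-db man-pages texinfo os-prober
+
+genfstab -U /mnt >> /mnt/etc/fstab
+
+arch-chroot /mnt
+ln -sf /usr/share/zoneinfo/UTC /etc/localtime
+
+hwclock --systohc
+nano /etc/locale.gen
+locale-gen
+nano /etc/locale.conf
+LANG=en_US.UTF-8
+nano /etc/hostname
+*hostname*
+passwd
+
+pacman -S grub efibootmgr
+nano /etc/mkinitcpio.conf
+*add btrfs to modules*
+*HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)*
+mkinitcpio -p linux-hardened
+grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
+blkid /dev/sda2
+*UUID*
+nano /etc/default/grub
+*root=/dev/mapper/crypt cryptdevice=UUID=<UUID>:crypt*
+grub-mkconfig -o /boot/grub/grub.cfg
+
+pacman -Syu linux-hardened-headers dhcpcd openssh git sudo ntp nfs-utils rsync docker docker-compose
+
+sudo EDITOR=nano visudo
+#uncomment wheel
+useradd -m -G wheel -s /bin/bash <username>
+usermod -aG docker <user>
+passwd <username>
+systemctl enable dhcpcd.service
+systemctl enable sshd
+systemctl enable docker.service
+
+
+**ZFS DKMS**
+
+curl -L https://archzfs.com/archzfs.gpg | pacman-key -a -
+pacman-key --lsign-key $(curl -L https://git.io/JsfVS)
+curl -L https://git.io/Jsfw2 > /etc/pacman.d/mirrorlist-archzfs
+
+***
+tee -a /etc/pacman.conf <<- 'EOF'
+
+#[archzfs-testing]
+#Include = /etc/pacman.d/mirrorlist-archzfs
+
+[archzfs]
+Include = /etc/pacman.d/mirrorlist-archzfs
+EOF
+***
+
+pacman -Sy
+
+INST_LINVAR=linux-hardened
+INST_LINVER=$(pacman -Qi ${INST_LINVAR} | grep Version | awk '{ print $3 }')
+
+***
+if [ "${INST_LINVER}" = \
+"$(pacman -Si ${INST_LINVAR}-headers | grep Version | awk '{ print $3 }')" ]; then
+pacman -S --noconfirm --needed ${INST_LINVAR}-headers
+else
+pacman -U --noconfirm --needed \
+https://archive.archlinux.org/packages/l/${INST_LINVAR}-headers/${INST_LINVAR}-headers-${INST_LINVER}-x86_64.pkg.tar.zst
+fi
+***
+
+pacman -Sy --needed --noconfirm zfs-dkms glibc
+
+sed -i 's/#IgnorePkg/IgnorePkg/' /etc/pacman.conf
+sed -i "/^IgnorePkg/ s/$/ ${INST_LINVAR} ${INST_LINVAR}-headers/" /etc/pacman.conf
+
+exit
+shutdown now
+
+**Login at console**
+sudo systemctl enable sshd
+sudo systemctl start sshd
+ip addr
+
+ssh <username>@<ip>
+modprobe zfs
+zfs list
+zpool list
+
+***UPDATE ZFS***
+INST_LINVAR=$(sed 's|.*linux|linux|' /proc/cmdline | sed 's|.img||g' | awk '{ print $1 }')
+sudo pacman -Sy --needed $INST_LINVAR $INST_LINVAR-headers zfs-dkms glibc
+
+**SNAPPER**
+
+sudo pacman -S snapper
+sudo umount /.snapshots
+sudo rm -r /.snapshots
+sudo snapper -c root create-config /
+sudo btrfs subvolume list /
+sudo btrfs subvolume delete /.snapshots
+sudo mkdir /.snapshots
+sudo mount -a
+sudo chmod 750 /.snapshots
+
+sudo nano /etc/snapper/configs/root
+*ALLOW_USERS="<username>"*
+**TIMELINE_MIN_AGE="1800"
+TIMELINE_LIMIT_HOURLY="5"
+TIMELINE_LIMIT_DAILY="7"
+TIMELINE_LIMIT_WEEKLY="0"
+TIMELINE_LIMIT_MONTHLY="0"
+TIMELINE_LIMIT_YEARLY="0"**
+
+sudo systemctl enable --now snapper-timeline.timer
+sudo systemctl enable --now snapper-cleanup.timer
+**IF SSD**
+*sudo systemctl enable fstrim.timer*
+
+git clone https://aur.archlinux.org/yay
+cd yay
+makepkg -si PKGBUILD
+yay -S snap-pac-grub
+
+sudo nano /etc/mkinitcpio.conf
+*add grub-btrfs-overlayfs to HOOKS*
+sudo mkinitcpio -P
+sudo rsync -a --delete /boot /.bootbackup
+sudo mkdir /etc/pacman.d/hooks
+sudo nano /etc/pacman.d/hooks/50-bootbackup.hook
+
+***
+[Trigger]
+Operation = Upgrade
+Operation = Install
+Operation = Remove
+Type = Path
+Target = usr/lib/modules/*/vmlinuz
+
+[Action]
+Depends = rsync
+Description = Backing up /boot...
+When = PostTransaction
+Exec = /usr/bin/rsync -a --delete /boot /.bootbackup
+***
+
+sudo reboot
+sudo snapper -c root create
+snapper list
+sudo snapper modify --d 'Clean BTRFS install with Snapper' <snapshot number>
+
+sudo mount -o noatime,compress=zstd,space_cache=v2,subvol=@ /dev/mapper/crypt /mnt
+sudo mkdir -p /mnt/{boot,home,.snapshots,var/log,swap}
+sudo mount -o noatime,compress=zstd,space_cache=v2,subvol=@home /dev/mapper/crypt /mnt/home
+sudo mount -o noatime,compress=zstd,space_cache=v2,subvol=@snapshots /dev/mapper/crypt /mnt/.snapshots
+sudo mount -o noatime,compress=zstd,space_cache=v2,subvol=@var_log /dev/mapper/crypt /mnt/var/log
+sudo mount -o noatime,subvol=@swap /dev/mapper/crypt /mnt/swap
+
+sudo pacman -S gdisk
+sudo gdisk /dev/sdb
+d
+n
+1
++512M
+n
+-100M
+w
+
+sudo btrfs device add -f /dev/sdb2 /mnt
+sudo btrfs fi balance start -dconvert=raid1 -mconvert=raid1 /mnt/
+
+**https://unix.stackexchange.com/questions/309184/btrfs-convert-raid0-to-raid1**
+** TO REMOVE **
+btrfs balance start -f -sconvert=single -mconvert=single -dconvert=single <mount>
+btrfs device remove <drive> <mount>
+**
+sudo snapper -c root create
+snapper list
+sudo snapper modify --d 'btrfs raid1' <snapshot number>
+
+***ZFS***
+
+sudo btrfs filesystem show
+lsblk
+ls /dev/disk/by-id/
+
+sudo zpool create \
+-o ashift=13 \
+-o autoexpand=on \
+-O encryption=aes-256-gcm \
+-O keylocation=prompt \
+-O keyformat=passphrase \
+-m /zfs/tardis \
+tardis mirror \
+/dev/disk/by-id/scsi-35000c50056be1543 \
+/dev/disk/by-id/scsi-35000c5008512fac3
+
+
+sudo zpool set feature@encryption=enabled tardis
+sudo zfs set compression=lz4 tardis
+sudo zfs set atime=off tardis
+sudo zfs set xattr=sa tardis
+
+# Do not enable this on my spinning disks. This is for SSD/NVMe
+# zpool set autotrim=on tardis
+
+sudo zpool add tardis mirror \
+/dev/disk/by-id/scsi-35000c500576d5abf \
+/dev/disk/by-id/scsi-35000c500576d7fb3
+
+sudo zpool add tardis mirror \
+/dev/disk/by-id/scsi-35000c500576d7ff7 \
+/dev/disk/by-id/scsi-35000c500576d8a93
+
+sudo zpool status
+sudo zpool status -x
+sudo zpool get ashift
+sudo zpool get autoexpand
+sudo zpool get autotrim
+
+sudo zfs list
+sudo zfs get encryption
+sudo zfs get compression
+sudo zfs get xattr
+
+sudo reboot
+sudo zpool export tardis
+sudo zpool import -l -d /dev/disk/by-id tardis
+sudo zfs mount -a
+sudo zpool set cachefile=/etc/zfs/zpool.cache <pool>
+
+sudo systemctl enable zfs.target
+sudo systemctl enable zfs-import-cache.service
+sudo systemctl enable zfs-mount.service
+sudo systemctl enable zfs-import.target
+sudo systemctl start zfs.target
+sudo systemctl start zfs-import-cache.service
+sudo systemctl start zfs-mount.service
+sudo systemctl start zfs-import.target
+
+*CLIENT NTP*
+sudo pacman -Syu openntpd
+sudo nano /etc/ntpd.conf
+*server ntp.example.org*
+sudo ntpd -n
+
+*SERVER NTP*
+sudo pacman -Syu openntpd
+sudo nano /etc/ntpd.conf
+listen on *
+sudo ntpd -n
+
+sudo systemctl enable openntpd.service
+sudo systemctl start openntpd.service
+
+*** UPDATE KERNEL/ZFS ***
+
+INST_LINVAR=$(sed 's|.*linux|linux|' /proc/cmdline | sed 's|.img||g' | awk '{ print $1 }')
+
+pacman -Sy --needed $INST_LINVAR $INST_LINVAR-headers zfs-dkms glibc
+
+*** IF DOWNGRADE NEEDED ***
+
+INST_LINVAR=linux-hardened
+
+DKMS_DATE=$(pacman -Syi zfs-dkms \
+| grep 'Build Date' \
+| sed 's/.*: //' \
+| LC_ALL=C xargs -i{} date -d {} -u +%Y/%m/%d)
+
+INST_LINVER=$(curl https://archive.archlinux.org/repos/${DKMS_DATE}/core/os/x86_64/ \
+| grep \"${INST_LINVAR}-'[0-9]' \
+| grep -v sig \
+| sed "s|.*$INST_LINVAR-||" \
+| sed "s|-x86_64.*||")
+
+pacman -U \
+https://archive.archlinux.org/packages/l/${INST_LINVAR}/${INST_LINVAR}-${INST_LINVER}-x86_64.pkg.tar.zst \
+https://archive.archlinux.org/packages/l/${INST_LINVAR}-headers/${INST_LINVAR}-headers-${INST_LINVER}-x86_64.pkg.tar.zst
+
+
+**MAINTENENCE**
+
+sudo zpool scrub tardis
+sudo zpool status
+
+sudo btrfs scrub start /dev/mapper/crypt
+sudo btrfs scrub status /dev/mapper/crypt
+
+sudo docker stop $(docker ps -a -q)
+sudo docker rm $(docker ps -a -q)
+sudo docker container prune
+sudo docker image prune
+sudo docker volume prune
+sudo docker system prune
+sudo docker network create proxy
+sudo docker-compose pull && docker-compose up -d
+
+sudo cryptsetup open /dev/sda2 crypt
+sudo mount -o noatime,compress=zstd,space_cache=v2,subvol=@ /dev/mapper/crypt /mnt
+sudo mkdir -p /mnt/{boot,home,.snapshots,var/log,swap}
+sudo mount /dev/sda1 /mnt/boot
+sudo mount -o noatime,compress=zstd,space_cache=v2,subvol=@home /dev/mapper/crypt /mnt/home
+sudo mount -o noatime,compress=zstd,space_cache=v2,subvol=@snapshots /dev/mapper/crypt /mnt/.snapshots
+sudo mount -o noatime,compress=zstd,space_cache=v2,subvol=@var_log /dev/mapper/crypt /mnt/var/log
+sudo mount -o noatime,subvol=@swap /dev/mapper/crypt /mnt/swap
+
+sudo pacman -Syu
+
+INST_LINVAR=$(sed 's|.*linux|linux|' /proc/cmdline | sed 's|.img||g' | awk '{ print $1 }')
+
+sudo pacman -Sy --needed $INST_LINVAR $INST_LINVAR-headers zfs-dkms glibc
+
+sudo pacman -S grub efibootmgr
+nano /etc/mkinitcpio.conf
+*add btrfs to modules*
+*HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)*
+mkinitcpio -p linux-hardened
+lblkid /dev/sda2
+*UUID*
+nano /etc/default/grub
+*root=/dev/mapper/crypt cryptdevice=UUID=<UUID>:crypt*
+grub-mkconfig -o /boot/grub/grub.cfg
+
+sudo zpool export tardis
+sudo zpool import -l -d /dev/disk/by-id tardis
+sudo zfs mount -a
+
+sudo rsync --info=progress2 -auvz <target> <destination>
+
+server
+sudo zfs set sharenfs="rw=@<ip>,no_root_squash" tardis
+client
+sudo mount <ip>:/zfs/tardis /zfspool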
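Review bot: In the ZFS DKMS section, `pacman-key --lsign-key $(curl -L https://git.io/JsfVS)` locally signs whatever key ID the URL shortener redirects to at run time, so the trust anchor for every package pulled from the [archzfs] repo is decided by that redirect target rather than by anything recorded in these notes; the `curl` calls on the surrounding lines also run without `-f`, so an HTTP error body would be handed to `pacman-key -a -` or written into the mirrorlist instead of failing. Record the expected key fingerprint literally in the notes and check it before trusting it, e.g. `pacman-key --finger <ARCHZFS-KEY-FINGERPRINT>` followed by `pacman-key --lsign-key <ARCHZFS-KEY-FINGERPRINT>`, and use `curl -fL` for the three downloads. Two smaller points: the maintenance section repeats the GRUB steps with `lblkid /dev/sda2`, which should read `blkid /dev/sda2` as in the first section, and the NFS export `sharenfs="rw=@<ip>,no_root_squash"` lets root on the client act as root on the dataset, which deserves a one-line comment stating that this is intentional and scoped to that single host.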