dotfiles

My personal dotfiles for swaywm on Arch Linux.

Usage

Sway should be started from a TTY with runsway, which adds some helpful environment variables.

Installation

Firefox

  1. Install firefox-user-autoconfig from AUR.
  2. Go to about:profiles and under Profile:default, click on Open Directory next to Root Directory.
  3. Open a terminal at that location and run the following: ln -s ../chrome

Encryption (LUKS)

Archinstall should be able to encrypt your root and other partitions. If you want to encrypt a new partition afterwards:

# format + key the partition
cryptsetup luksFormat /dev/nvme0n1p4
cryptsetup luksOpen /dev/nvme0n1p4 nvme0n1p4_crypt

# add a filesystem of your choosing
mkfs.xfs -f /dev/mapper/nvme0n1p4_crypt

Make sure that the partition table knows it's encrypted:

sudo gdisk /dev/nvme0n1
# press t (to change partition type code), 4 (for the 4th partition), 8309 (short hex code for generic Linux LUKS), w (to write to partition table), Y (to confirm)

To have it unlocked automatically once your root partition has been decrypted:

# create a key (the directory does not exist by default); only root may read it
mkdir -p /etc/cryptsetup-keys.d
dd if=/dev/urandom of=/etc/cryptsetup-keys.d/ainstnvme0n1p4.key bs=512 count=1
chmod 400 /etc/cryptsetup-keys.d/ainstnvme0n1p4.key

# allow the partition to be unlocked by the key in addition to password
cryptsetup luksAddKey /dev/nvme0n1p4 /etc/cryptsetup-keys.d/ainstnvme0n1p4.key

# tell systemd which key to use
# crypttab fields: mapper name, device, key file, options
# no-read-workqueue,no-write-workqueue are performance optimizations for SSDs: https://wiki.archlinux.org/title/Dm-crypt/Specialties#Disable_workqueue_for_increased_solid_state_drive_(SSD)_performance
echo xfs /dev/nvme0n1p4 /etc/cryptsetup-keys.d/ainstnvme0n1p4.key luks,no-read-workqueue,no-write-workqueue >> /etc/crypttab
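
As an added example (not part of these dotfiles), a small audit script for the result of the steps above: it reads a crypttab and, for every entry that names a key file, checks that the file exists and is mode 400 or 600, the way the chmod above leaves it, and notes entries without the luks option. The crypttab and key files it builds are constructed test data; point audit_crypttab at /etc/crypttab to check the real one.

```shell
#!/bin/bash
# Sanity-check crypttab entries that rely on a key file: the file must exist
# and must not be readable by anyone but its owner (mode 400 or 600), and
# LUKS entries should carry the luks option. Added example, not part of the
# dotfiles; the sample crypttab and key files in demo() are constructed.

# check_keyfile PATH -> prints "ok" or the problem; exit status 0 only if ok
check_keyfile() {
    local key="$1" mode
    if [ ! -f "$key" ]; then
        echo "missing key file $key"
        return 1
    fi
    mode=$(stat -c '%a' "$key")
    case "$mode" in
        400|600) echo "ok" ;;
        *) echo "key file $key has mode $mode (expected 400 or 600)"; return 1 ;;
    esac
}

# audit_crypttab FILE -> one line per entry; returns the number of failures
audit_crypttab() {
    local file="$1" failures=0 name dev key opts result
    while read -r name dev key opts; do
        case "$name" in ''|\#*) continue ;; esac   # skip blanks and comments
        case "$key" in
            none|-|'') echo "$name: unlocked by passphrase prompt"; continue ;;
        esac
        result=$(check_keyfile "$key") || failures=$((failures + 1))
        echo "$name: $result"
        case ",$opts," in
            *,luks,*) ;;
            *) echo "$name: note, options do not include luks" ;;
        esac
    done < "$file"
    return "$failures"
}

# Builds a throw-away crypttab with one tight key, one world-readable key and
# one missing key, audits it, and returns the failure count (2 here).
demo() {
    local tmp rc=0
    tmp=$(mktemp -d)
    printf 'constructed-key-material' > "$tmp/good.key";  chmod 400 "$tmp/good.key"
    printf 'constructed-key-material' > "$tmp/loose.key"; chmod 644 "$tmp/loose.key"
    cat > "$tmp/crypttab" <<EOF
# constructed sample crypttab
xfs     /dev/nvme0n1p4  $tmp/good.key   luks,no-read-workqueue,no-write-workqueue
data    /dev/nvme0n1p5  $tmp/loose.key  luks
backup  /dev/sdb1       $tmp/gone.key   luks
root    /dev/nvme0n1p2  none            luks
EOF
    audit_crypttab "$tmp/crypttab" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "$? crypttab entry/entries need attention"
```

On a real system run `audit_crypttab /etc/crypttab` as root; a non-zero return value is the number of entries whose key file is missing or too permissive.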

Docker

I use the containerd image store:

sudo mkdir -p /etc/docker
echo '{
    "features": {
        "containerd-snapshotter": true
    }
}' | sudo tee /etc/docker/daemon.json

and /xfs as the image store directory. Set root = '/xfs/containerd' in /etc/containerd/config.toml and create the directory, owned by root:

sudo mkdir /xfs/containerd
sudo chmod 755 /xfs/containerd

If you want to move data from your old location, you can rsync it over:

sudo rsync -avxP /var/lib/containerd/ /xfs/containerd
rm -rf /var/lib/containerd/*

Additionally, the systemd cgroup driver should be enabled for runc on cgroup v2 systems:

[plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runc.options]
    SystemdCgroup = true

XFS is one of the better options for the image store. It performs well out of the box, but you can add the noatime,nodiratime options to its entry in /etc/fstab.

Intel graphics

You can use the newer xe driver instead of the older i915 driver. Find the hex device ID of your GPU:

lspci -nnd ::03xx
# 00:02.0 VGA compatible controller [0300]: Intel Corporation Lunar Lake [Intel Arc Graphics 130V / 140V] [8086:64a0] (rev 04)

The hex code above is 64a0. Then add the following to your kernel parameters (e.g. in /boot/loader/entries/foo.conf), replacing the hex code with yours: i915.force_probe=!64a0 xe.force_probe=64a0

Sandboxed IPFS Network

Using the Mullvad WireGuard interface (wg0-mullvad) for sandboxing via firejail:

/usr/local/bin/firejail-bridge-up.sh

#!/bin/bash

# Bridge setup
ip link add br0 type bridge
ip addr add 10.10.20.1/24 dev br0
ip link set br0 up

# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Forward rules for the bridge
iptables -A FORWARD -i br0 -o wg0-mullvad -j ACCEPT
iptables -A FORWARD -i wg0-mullvad -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# NAT through the VPN
iptables -t nat -A POSTROUTING -o wg0-mullvad -s 10.10.20.0/24 -j MASQUERADE

/usr/local/bin/firejail-bridge-down.sh

#!/bin/bash

iptables -D FORWARD -i br0 -o wg0-mullvad -j ACCEPT
iptables -D FORWARD -i wg0-mullvad -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -D POSTROUTING -o wg0-mullvad -s 10.10.20.0/24 -j MASQUERADE
ip link set br0 down
ip link del br0

/etc/systemd/system/firejail-bridge.service

[Unit]
Description=Firejail bridge for Mullvad
After=network-online.target wg-quick@wg0-mullvad.service
Wants=network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/firejail-bridge-up.sh
ExecStop=/usr/local/bin/firejail-bridge-down.sh

[Install]
WantedBy=multi-user.target

Start the services:

systemctl enable --now firejail-bridge
systemctl enable --now --user ipfs

Then you'll have to use firejail (e.g. firejail --join= COMMAND) to access the IPFS daemon and its RPC. The sfpi script in this repo does this for you.
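
The two FORWARD rules in firejail-bridge-up.sh only confine the sandbox if nothing else forwards br0 traffic: with the FORWARD policy left at its iptables default of ACCEPT, packets from the bridge that do not match the first rule (for instance while wg0-mullvad is down) are still forwarded out of the physical interface, unmasqueraded. The following added example (not from the dotfiles) audits iptables -S FORWARD output for exactly that: it flags an ACCEPT policy, any ACCEPT rule from br0 towards an interface other than wg0-mullvad, and a missing br0-to-VPN rule. The three rule listings in it are constructed samples.

```shell
#!/bin/bash
# Audit the FORWARD chain behind the firejail bridge. Two things must hold for
# the sandbox to be confined to the VPN: traffic entering from the bridge is
# accepted only towards the WireGuard interface, and the chain does not fall
# through to an ACCEPT policy (otherwise, when wg0-mullvad is down, bridged
# traffic is forwarded out of the physical interface instead). Added example,
# not part of the dotfiles; the rule sets below are constructed samples of
# `iptables -S FORWARD` output.

# audit_forward BRIDGE VPN  (rules on stdin) -> prints findings, returns their count
audit_forward() {
    local bridge="$1" vpn="$2" findings=0 seen_vpn_rule=0 line
    while IFS= read -r line; do
        case "$line" in
            "-P FORWARD ACCEPT")
                echo "policy ACCEPT: $bridge traffic may leave through any interface"
                findings=$((findings + 1)) ;;
            "-A FORWARD -i $bridge -o $vpn "*"-j ACCEPT")
                seen_vpn_rule=1 ;;                 # the intended rule
            "-A FORWARD -i $bridge "*"-j ACCEPT")
                echo "leak: $line"                 # bridge accepted towards something else
                findings=$((findings + 1)) ;;
        esac
    done
    if [ "$seen_vpn_rule" -eq 0 ]; then
        echo "missing: no ACCEPT rule from $bridge to $vpn"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# count_findings RULES -> echoes the number of findings for a rule listing
count_findings() {
    local n=0
    printf '%s\n' "$1" | audit_forward br0 wg0-mullvad >/dev/null || n=$?
    echo "$n"
}

# Constructed sample: policy left at iptables' default ACCEPT -> one finding.
RULES_LEAKY='-P FORWARD ACCEPT
-A FORWARD -i br0 -o wg0-mullvad -j ACCEPT
-A FORWARD -i wg0-mullvad -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Constructed sample: policy DROP with only the two intended rules -> no findings.
RULES_TIGHT='-P FORWARD DROP
-A FORWARD -i br0 -o wg0-mullvad -j ACCEPT
-A FORWARD -i wg0-mullvad -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Constructed sample: policy DROP, but a stray rule also forwards the bridge
# to the wired NIC (enp0s31f6 is a made-up interface name) -> one finding.
RULES_BYPASS='-P FORWARD DROP
-A FORWARD -i br0 -o wg0-mullvad -j ACCEPT
-A FORWARD -i br0 -o enp0s31f6 -j ACCEPT'

for rules in "$RULES_LEAKY" "$RULES_TIGHT" "$RULES_BYPASS"; do
    n=0
    printf '%s\n' "$rules" | audit_forward br0 wg0-mullvad || n=$?
    echo "-- $n finding(s)"
done
# On the live system: iptables -S FORWARD | audit_forward br0 wg0-mullvad
```

A clean result is a DROP policy plus the two rules from the bridge script; if the audit reports the ACCEPT policy, adding `iptables -P FORWARD DROP` to the up script (and restoring the previous policy in the down script) closes the gap.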

Credits

Other people's helpful dotfiles: