From aa89a46820f0a27df88a3717c987ac31cbb2f940 Mon Sep 17 00:00:00 2001 
From: Craig Jennings Date: Tue, 27 Jan 2026 06:17:29 -0600 Subject: chore(assets): reorganize into outbox and wireguard-config Move processed inbox files to assets/outbox/, rename assets/wireguard to assets/wireguard-config, delete unused dwm.desktop. --- assets/2026-01-17-gvfs-smb-feature-request.txt | 6 - assets/2026-01-17-zfs-sanoid-feature-request.txt | 202 --------------------- assets/2026-01-19-remove-zfs-scripts-request.md | 29 --- assets/2026-01-20-console-display-issues.txt | 112 ------------ assets/2026-01-21-grub-timeout-request.txt | 4 - assets/2026-01-21-syncthing-service-conflict.org | 72 -------- assets/2026-01-23-avahi-mdns-fixes.org | 125 ------------- assets/dwm.desktop | 11 -- .../outbox/2026-01-17-gvfs-smb-feature-request.txt | 6 + ...1-17-security-and-hardening-recommendations.txt | 119 ++++++++++++ .../2026-01-17-zfs-sanoid-feature-request.txt | 202 +++++++++++++++++++++ .../2026-01-19-remove-zfs-scripts-request.md | 29 +++ .../outbox/2026-01-20-console-display-issues.txt | 112 ++++++++++++ assets/outbox/2026-01-21-grub-timeout-request.txt | 4 + .../2026-01-21-syncthing-service-conflict.org | 72 ++++++++ assets/outbox/2026-01-23-avahi-mdns-fixes.org | 125 +++++++++++++ assets/security-and-hardening-recommendations.txt | 119 ------------ assets/wireguard-config/USCALA.conf | 15 ++ assets/wireguard-config/USCASF.conf | 16 ++ assets/wireguard-config/USDC.conf | 15 ++ assets/wireguard-config/USGAAT.conf | 15 ++ assets/wireguard-config/USNY.conf | 16 ++ assets/wireguard-config/switzerlan-zurich1.conf | 15 ++ assets/wireguard-config/switzerlan-zurich2.conf | 15 ++ assets/wireguard/USCALA.conf | 15 -- assets/wireguard/USCASF.conf | 16 -- assets/wireguard/USDC.conf | 15 -- assets/wireguard/USGAAT.conf | 15 -- assets/wireguard/USNY.conf | 16 -- assets/wireguard/switzerlan-zurich1.conf | 15 -- assets/wireguard/switzerlan-zurich2.conf | 15 -- 31 files changed, 776 insertions(+), 787 deletions(-) delete mode 100644 
assets/2026-01-17-gvfs-smb-feature-request.txt delete mode 100644 assets/2026-01-17-zfs-sanoid-feature-request.txt delete mode 100644 assets/2026-01-19-remove-zfs-scripts-request.md delete mode 100644 assets/2026-01-20-console-display-issues.txt delete mode 100644 assets/2026-01-21-grub-timeout-request.txt delete mode 100644 assets/2026-01-21-syncthing-service-conflict.org delete mode 100644 assets/2026-01-23-avahi-mdns-fixes.org delete mode 100644 assets/dwm.desktop create mode 100644 assets/outbox/2026-01-17-gvfs-smb-feature-request.txt create mode 100644 assets/outbox/2026-01-17-security-and-hardening-recommendations.txt create mode 100644 assets/outbox/2026-01-17-zfs-sanoid-feature-request.txt create mode 100644 assets/outbox/2026-01-19-remove-zfs-scripts-request.md create mode 100644 assets/outbox/2026-01-20-console-display-issues.txt create mode 100644 assets/outbox/2026-01-21-grub-timeout-request.txt create mode 100644 assets/outbox/2026-01-21-syncthing-service-conflict.org create mode 100644 assets/outbox/2026-01-23-avahi-mdns-fixes.org delete mode 100644 assets/security-and-hardening-recommendations.txt create mode 100644 assets/wireguard-config/USCALA.conf create mode 100644 assets/wireguard-config/USCASF.conf create mode 100644 assets/wireguard-config/USDC.conf create mode 100644 assets/wireguard-config/USGAAT.conf create mode 100644 assets/wireguard-config/USNY.conf create mode 100644 assets/wireguard-config/switzerlan-zurich1.conf create mode 100644 assets/wireguard-config/switzerlan-zurich2.conf delete mode 100644 assets/wireguard/USCALA.conf delete mode 100644 assets/wireguard/USCASF.conf delete mode 100644 assets/wireguard/USDC.conf delete mode 100644 assets/wireguard/USGAAT.conf delete mode 100644 assets/wireguard/USNY.conf delete mode 100644 assets/wireguard/switzerlan-zurich1.conf delete mode 100644 assets/wireguard/switzerlan-zurich2.conf 
diff --git a/assets/2026-01-17-gvfs-smb-feature-request.txt b/assets/2026-01-17-gvfs-smb-feature-request.txt deleted file mode 100644 index 79892f7..0000000 --- a/assets/2026-01-17-gvfs-smb-feature-request.txt +++ /dev/null @@ -1,6 +0,0 @@ -Install gvfs-smb for Thunar SMB network browsing - -Package: gvfs-smb -Install: sudo pacman -S gvfs-smb - -Without this package, Thunar cannot browse SMB/CIFS network shares. diff --git a/assets/2026-01-17-zfs-sanoid-feature-request.txt b/assets/2026-01-17-zfs-sanoid-feature-request.txt deleted file mode 100644 index 87207f2..0000000 --- a/assets/2026-01-17-zfs-sanoid-feature-request.txt +++ /dev/null 
@@ -1,202 +0,0 @@ -ZFS Detection and Sanoid Installation -====================================== - -When archsetup runs, it should detect if the system is on ZFS and install sanoid. - -Detection: -- Check if root filesystem is ZFS: `findmnt -n -o FSTYPE /` returns "zfs" -- Or check if zpool exists: `zpool list -H 2>/dev/null` - -If ZFS detected: -1. Install sanoid from AUR: `yay -S sanoid` -2. Create /etc/sanoid/sanoid.conf (see below) -3. Enable the timer: `systemctl enable --now sanoid.timer` -4. Create the syncoid replication script and systemd units (see below) - -Context: -- install-archzfs can't install sanoid (AUR package) -- archsetup already has AUR helper setup, so it's the right place to install it -- syncoid (for TrueNAS replication) comes with the sanoid package - -Added: 2026-01-17 - -================================================================================ -SANOID CONFIGURATION (/etc/sanoid/sanoid.conf) -================================================================================ - -# Sanoid configuration for ZFS snapshots -# Less aggressive - TrueNAS handles long-term backups - -############################# -# Templates -############################# - -[template_production] - # Local rollback capability - hourly = 6 - daily = 7 - weekly = 2 - monthly = 1 - autosnap = yes - autoprune = yes - -[template_backup] - # Less frequent for large/static data - hourly = 0 - daily = 3 - weekly = 2 - monthly = 1 - autosnap = yes - autoprune = yes - -[template_none] - autosnap = no - autoprune = yes - -############################# -# Datasets -############################# - -[zroot/ROOT/default] - use_template = production - -[zroot/home] - use_template = production - recursive = yes - -[zroot/media] - use_template = backup - -[zroot/vms] - use_template = backup - -[zroot/var/log] - use_template = production - -[zroot/var/lib/pacman] - use_template = production - -[zroot/var/cache] - use_template = none - -[zroot/var/tmp] - use_template = none - 
-[zroot/tmp] - use_template = none - -================================================================================ -SYNCOID REPLICATION SCRIPT (/usr/local/bin/zfs-replicate) -================================================================================ - -#!/bin/bash -# zfs-replicate - Replicate ZFS datasets to TrueNAS -# -# Usage: -# zfs-replicate # Replicate all configured datasets -# zfs-replicate [dataset] # Replicate specific dataset - -set -e - -# TrueNAS Configuration -# Try local network first, fall back to tailscale -TRUENAS_LOCAL="truenas.local" -TRUENAS_TAILSCALE="truenas" -TRUENAS_USER="root" -TRUENAS_POOL="vault" -BACKUP_PATH="backups" # TODO: Configure actual path - -# Datasets to replicate -DATASETS="zroot/ROOT/default zroot/home zroot/media zroot/vms" - -# Colors -GREEN='\033[0;32m' -YELLOW='\033[1;33m' -RED='\033[0;31m' -NC='\033[0m' - -info() { echo -e "${GREEN}[INFO]${NC} $1"; } -warn() { echo -e "${YELLOW}[WARN]${NC} $1"; } -error() { echo -e "${RED}[ERROR]${NC} $1"; exit 1; } - -command -v syncoid >/dev/null 2>&1 || error "syncoid not found. Install sanoid package." 
- -# Determine which host to use -determine_host() { - if ping -c 1 -W 2 "$TRUENAS_LOCAL" &>/dev/null; then - echo "$TRUENAS_LOCAL" - elif ping -c 1 -W 2 "$TRUENAS_TAILSCALE" &>/dev/null; then - echo "$TRUENAS_TAILSCALE" - else - error "Cannot reach TrueNAS at $TRUENAS_LOCAL or $TRUENAS_TAILSCALE" - fi -} - -TRUENAS_HOST=$(determine_host) -info "Using TrueNAS host: $TRUENAS_HOST" - -# Single dataset mode -if [[ -n "$1" ]]; then - dataset="$1" - dest="$TRUENAS_USER@$TRUENAS_HOST:$TRUENAS_POOL/$BACKUP_PATH/${dataset#zroot/}" - info "Replicating $dataset -> $dest" - syncoid --recursive "$dataset" "$dest" - exit 0 -fi - -# Full replication -info "Starting ZFS replication to $TRUENAS_HOST" -echo "" - -for dataset in $DATASETS; do - dest="$TRUENAS_USER@$TRUENAS_HOST:$TRUENAS_POOL/$BACKUP_PATH/${dataset#zroot/}" - info "Replicating $dataset -> $dest" - - if syncoid --recursive "$dataset" "$dest"; then - info " Success" - else - warn " Failed (will retry next run)" - fi - echo "" -done - -info "Replication complete." 
- -================================================================================ -SYSTEMD SERVICE (/etc/systemd/system/zfs-replicate.service) -================================================================================ - -[Unit] -Description=ZFS Replication to TrueNAS -After=network-online.target -Wants=network-online.target - -[Service] -Type=oneshot -ExecStart=/usr/local/bin/zfs-replicate -User=root - -[Install] -WantedBy=multi-user.target - -================================================================================ -SYSTEMD TIMER (/etc/systemd/system/zfs-replicate.timer) -================================================================================ - -[Unit] -Description=Run ZFS replication nightly - -[Timer] -OnCalendar=*-*-* 02:00:00 -RandomizedDelaySec=1800 -Persistent=true - -[Install] -WantedBy=timers.target - -================================================================================ -ENABLE REPLICATION -================================================================================ - -After SSH key auth is set up to TrueNAS: - systemctl enable --now zfs-replicate.timer diff --git a/assets/2026-01-19-remove-zfs-scripts-request.md b/assets/2026-01-19-remove-zfs-scripts-request.md deleted file mode 100644 index f67aa47..0000000 --- a/assets/2026-01-19-remove-zfs-scripts-request.md +++ /dev/null 
@@ -1,29 +0,0 @@ -# Task: Remove zfssnapshot and zfsrollback from archsetup - -## Summary -Remove the `zfssnapshot` and `zfsrollback` scripts from archsetup's dotfiles. These scripts are now provided by the archzfs ISO and installed to `/usr/local/bin/` during `install-archzfs`. - -## Files to Remove -- `dotfiles/system/.local/bin/zfssnapshot` -- `dotfiles/system/.local/bin/zfsrollback` - -## Reason for Change -These scripts need to be available immediately after a fresh install from the archzfs ISO, before archsetup runs. Key use cases: - -1. **Rescue scenarios**: Rolling back from live USB when the installed system won't boot -2. **Genesis rollback**: If archsetup fails mid-run, user can rollback to genesis and retry -3. **Script availability**: The scripts themselves must survive a genesis rollback (they're now part of genesis snapshot) - -By including them in the ISO and `install-archzfs`, they're guaranteed to be present from first boot, with fzf also installed as a dependency. - -## Changes Made in archzfs -- Added `custom/zfssnapshot` and `custom/zfsrollback` -- `build.sh` copies them to `/usr/local/bin/` on the ISO -- `install-archzfs` installs `fzf` to target system (required by zfsrollback) -- fzf was already in ISO package list - -## Note: Keep fzf in archsetup -Archsetup should continue to install `fzf` in its package list. Archsetup can run on vanilla Arch installs with ext4 or btrfs (not just ZFS from archzfs ISO), where `install-archzfs` would not have run and fzf wouldn't be present. - -## Date -2026-01-19 diff --git a/assets/2026-01-20-console-display-issues.txt b/assets/2026-01-20-console-display-issues.txt deleted file mode 100644 index f8dc710..0000000 --- a/assets/2026-01-20-console-display-issues.txt +++ /dev/null 
@@ -1,112 +0,0 @@ -Console Display Issues - Potential Causes in archsetup -====================================================== -Date: 2026-01-20 -Source: archzfs testing on ratio - console not showing after install - -SUMMARY -------- -After running install-archzfs and archsetup on ratio, the console stopped -displaying. The system boots but shows no console output. These are the -suspected culprits in archsetup. - -SUSPECTED ISSUES ----------------- - -1. Console Font Configuration (boot_ux, lines 1574-1579) - - File: archsetup - Lines: 1574-1579 - - Code: - if grep -q "^FONT=" /etc/vconsole.conf 2>/dev/null; then - sed -i 's/^FONT=.*/FONT=ter-132n/' /etc/vconsole.conf - else - echo "FONT=ter-132n" >> /etc/vconsole.conf - fi - - Problem: Sets console font to ter-132n (Terminus 32pt). If the font - is missing, corrupted, or incompatible with the framebuffer, the - console may fail to display anything. - - Fix: Verify terminus-font package is installed and font exists before - setting. Add fallback handling. - -2. mkinitcpio Hook Change (boot_ux, lines 1581-1583) - - File: archsetup - Lines: 1581-1583 - - Code: - sed -i '/^HOOKS=/ s/\budev\b/systemd/' /etc/mkinitcpio.conf - mkinitcpio -P - - Problem: Changes mkinitcpio from 'udev' to 'systemd' hook and - regenerates ALL initramfs images. This is a significant change that - affects early boot. If the systemd hook isn't properly configured - or conflicts with other hooks, boot may fail or console may not - initialize properly. - - Fix: Ensure all required systemd-related hooks are present. Consider - whether this change is necessary or could be made optional. - -3. 
GRUB Quiet Boot Settings (boot_ux, line 1624) - - File: archsetup - Line: 1624 - - Code: - sed -i "s/.*GRUB_CMDLINE_LINUX_DEFAULT=.*/GRUB_CMDLINE_LINUX_DEFAULT=\"rw loglevel=2 rd.systemd.show_status=auto rd.udev.log_level=2 nvme.noacpi=1 mem_sleep_default=deep nowatchdog quiet splash\"/g" /etc/default/grub - - Problem: Adds 'quiet splash' and sets loglevel=2, which suppresses - most boot messages. If something goes wrong during boot, you won't - see any output. The 'splash' option may also interfere with console. - - Fix: Consider removing 'splash' or making quiet boot optional. - For debugging, temporarily remove 'quiet splash' from GRUB. - -4. Kernel Message Suppression (boot_ux, lines 1571-1572) - - File: archsetup - Lines: 1571-1572 - - Code: - echo "kernel.printk = 3 3 3 3" >/etc/sysctl.d/20-quiet-printk.conf - - Problem: Suppresses kernel messages to console. Combined with other - quiet settings, this could hide important boot information. - - Fix: For debugging, remove or adjust this setting. - -5. Xorg VT Switching Disabled (xorg, lines 1102-1107) - - File: archsetup - Lines: 1102-1107 - - Code: - cat << EOF > /etc/X11/xorg.conf.d/00-no-vt-or-zap.conf - Section "ServerFlags" - Option "DontVTSwitch" "True" - Option "DontZap" "True" - EndSection - EOF - - Problem: Disables VT switching when X is running. If X starts - automatically, you cannot switch to a text console with Ctrl+Alt+F2. - This is a security feature but makes debugging harder. - - Note: This only affects post-X boot, not early console display. - -DEBUGGING STEPS ---------------- -1. Boot with 'nomodeset' kernel parameter to rule out GPU/framebuffer issues -2. Remove 'quiet splash' from GRUB temporarily -3. Check if ter-132n font exists: ls /usr/share/kbd/consolefonts/ter-* -4. Review mkinitcpio.conf HOOKS line for conflicts -5. 
Check journalctl -b for boot errors - -RECOMMENDED CHANGES -------------------- -- Make quiet boot optional or add a debug boot menu entry -- Verify font exists before setting in vconsole.conf -- Document the udev->systemd hook change and its implications -- Consider adding a recovery boot option that skips quiet settings diff --git a/assets/2026-01-21-grub-timeout-request.txt b/assets/2026-01-21-grub-timeout-request.txt deleted file mode 100644 index fa03f62..0000000 --- a/assets/2026-01-21-grub-timeout-request.txt +++ /dev/null @@ -1,4 +0,0 @@ -* TODO Increase GRUB_TIMEOUT to 2 seconds -Currently setting GRUB_TIMEOUT=0 which doesn't give users time to access GRUB menu. -Change to GRUB_TIMEOUT=2 for a reasonable delay while keeping boot fast. - diff --git a/assets/2026-01-21-syncthing-service-conflict.org b/assets/2026-01-21-syncthing-service-conflict.org deleted file mode 100644 index 7f86b39..0000000 --- a/assets/2026-01-21-syncthing-service-conflict.org +++ /dev/null 
@@ -1,72 +0,0 @@ -#+TITLE: Syncthing Service Conflict Issue -#+DATE: 2026-01-21 - -* Problem - -archsetup enables the system service: -#+begin_src bash -systemctl enable "syncthing@$username.service" -#+end_src - -However, the user service can also get enabled (either by default or manually): -#+begin_src bash -systemctl --user enable syncthing.service -#+end_src - -When BOTH services are enabled, they fight over the same lock file: -=~/.local/state/syncthing/syncthing.lock= - -This causes one or both to fail with: -: Failed to acquire lock: is another Syncthing instance already running? - -* Symptoms - -- Syncthing fails to start or keeps crashing -- Lock file errors in journalctl -- Two syncthing processes running with different parent services -- Config changes don't persist (one service overwrites the other) - -* Recommendation - -Standardize on ONE service type. Options: - -** Option A: User Service (recommended for desktops) - -Runs when user logs in. Cleaner for desktop use. - -Change archsetup from: -#+begin_src bash -systemctl enable "syncthing@$username.service" -#+end_src - -To: -#+begin_src bash -# Enable user service (requires user session) -sudo -u "$username" systemctl --user enable syncthing.service -#+end_src - -Note: User services require lingering or an active session: -#+begin_src bash -loginctl enable-linger "$username" -#+end_src - -** Option B: System Service (recommended for headless/servers) - -Runs at boot without user login. Better for servers. 
- -Keep current archsetup config, but ensure user service is disabled: -#+begin_src bash -systemctl enable "syncthing@$username.service" -# Explicitly disable user service to prevent conflicts -sudo -u "$username" systemctl --user disable syncthing.service 2>/dev/null || true -#+end_src - -* Resolution on ratio (2026-01-21) - -Disabled system service, kept user service: -#+begin_src bash -sudo systemctl stop syncthing@cjennings.service -sudo systemctl disable syncthing@cjennings.service -systemctl --user enable syncthing.service -systemctl --user start syncthing.service -#+end_src diff --git a/assets/2026-01-23-avahi-mdns-fixes.org b/assets/2026-01-23-avahi-mdns-fixes.org deleted file mode 100644 index 89b005e..0000000 --- a/assets/2026-01-23-avahi-mdns-fixes.org +++ /dev/null 
@@ -1,125 +0,0 @@ -#+TITLE: Avahi/mDNS Configuration Fixes -#+DATE: 2026-01-23 - -* Problem Summary - -On velox, mDNS hostname resolution was not working correctly from other machines on the LAN (e.g., ratio). Attempting to access =http://velox.local:8384= (Syncthing web UI) failed, while accessing via IP address worked. - -* Issues Identified - -** Issue 1: Hostname Conflict (velox-3.local) - -*Symptom:* Avahi was running as =velox-3.local= instead of =velox.local= - -*Cause:* Avahi was publishing on multiple network interfaces including virtual ones: -- =enp0s13f0u3= (physical LAN - correct) -- =docker0= (Docker bridge) -- =virbr0= (libvirt bridge) -- =vnet0= (VM virtual NIC) -- =tailscale0= (Tailscale VPN) - -Each interface was effectively registering as a separate host, causing mDNS hostname conflicts with itself. - -*Solution:* Restrict Avahi to only the physical LAN interface. - -#+begin_src conf -# /etc/avahi/avahi-daemon.conf -[server] -allow-interfaces=enp0s13f0u3 -#+end_src - -** Issue 2: IPv6-Only Resolution - -*Symptom:* =velox.local= resolved to IPv6 link-local address (=fe80::...=) only, but Syncthing was listening on IPv4 only (=0.0.0.0:8384=). - -*Cause:* Default Avahi configuration does not publish A records (IPv4) in response to AAAA queries (IPv6). - -*Solution:* Enable =publish-a-on-ipv6= to ensure IPv4 addresses are returned. - -#+begin_src conf -# /etc/avahi/avahi-daemon.conf -[publish] -publish-a-on-ipv6=yes -#+end_src - -** Issue 3: Conflicting mDNS Stacks - -*Symptom:* Avahi logged warning: "Detected another IPv4 mDNS stack running on this host" - -*Cause:* Both =avahi-daemon= and =systemd-resolved= were configured to handle mDNS: - -#+begin_src conf -# /etc/systemd/resolved.conf (before fix) -[Resolve] -MulticastDNS=yes -#+end_src - -*Solution:* Disable mDNS in systemd-resolved, let Avahi handle it exclusively. 
- -#+begin_src conf -# /etc/systemd/resolved.conf -[Resolve] -Domains=~local -MulticastDNS=no -#+end_src - -* Complete Fix Applied - -** Files Modified - -*** /etc/avahi/avahi-daemon.conf - -Changes made: -#+begin_src diff --#allow-interfaces=eth0 -+allow-interfaces=enp0s13f0u3 - --#publish-a-on-ipv6=no -+publish-a-on-ipv6=yes -#+end_src - -*** /etc/systemd/resolved.conf - -Changes made: -#+begin_src diff --MulticastDNS=yes -+MulticastDNS=no -#+end_src - -** Services Restarted - -#+begin_src bash -sudo systemctl restart systemd-resolved -sudo systemctl restart avahi-daemon -#+end_src - -* Verification - -After fixes: -- Avahi runs as =velox.local= (not =velox-3.local=) -- No mDNS stack conflict warning -- From ratio: =avahi-resolve -n velox.local= returns =192.168.86.42= -- From ratio: =curl http://velox.local:8384/= returns HTTP 200 - -* Notes for archsetup - -These configurations should be added to the Arch setup scripts: - -1. Install avahi: =pacman -S avahi nss-mdns= - -2. Configure =/etc/avahi/avahi-daemon.conf=: - - Set =allow-interfaces= to physical LAN interface (determine dynamically or prompt user) - - Set =publish-a-on-ipv6=yes= - -3. Configure =/etc/systemd/resolved.conf=: - - Set =MulticastDNS=no= to avoid conflict with Avahi - -4. Enable and start avahi-daemon: - #+begin_src bash - systemctl enable --now avahi-daemon - #+end_src - -5. Ensure =/etc/nsswitch.conf= has mdns in hosts line: - #+begin_src conf - hosts: mymachines mdns_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] files dns - #+end_src diff --git a/assets/dwm.desktop b/assets/dwm.desktop deleted file mode 100644 index 16ba7b9..0000000 --- a/assets/dwm.desktop +++ /dev/null @@ -1,11 +0,0 @@ -[Desktop Entry] -Name=DWM -Comment=It's DWM, asshole -Terminal=false -Exec=/usr/local/bin/startdwm -TryExec=/usr/local/bin/startdwm -Icon=dwm -Type=Application - -[X-Window Manager] -SessionManaged=True \ No newline at end of file 
diff --git a/assets/outbox/2026-01-17-gvfs-smb-feature-request.txt b/assets/outbox/2026-01-17-gvfs-smb-feature-request.txt new file mode 100644 index 0000000..79892f7 --- /dev/null +++ b/assets/outbox/2026-01-17-gvfs-smb-feature-request.txt @@ -0,0 +1,6 @@ +Install gvfs-smb for Thunar SMB network browsing + +Package: gvfs-smb +Install: sudo pacman -S gvfs-smb + +Without this package, Thunar cannot browse SMB/CIFS network shares. diff --git a/assets/outbox/2026-01-17-security-and-hardening-recommendations.txt b/assets/outbox/2026-01-17-security-and-hardening-recommendations.txt new file mode 100644 index 0000000..22a0c53 --- /dev/null +++ b/assets/outbox/2026-01-17-security-and-hardening-recommendations.txt 
@@ -0,0 +1,119 @@ +# Security and Hardening Recommendations for archsetup + +These recommendations come from the install-archzfs base install. +The base system is minimal - archsetup should handle hardening. + +## SSH Hardening (Priority: High) + +If SSH was enabled during install (for headless servers), it uses password auth. +archsetup should: + +1. Install and configure fail2ban + - pacman -S fail2ban + - Enable sshd jail + - Configure ban times (suggested: 10m first offense, escalating) + - Consider integration with firewalld/nftables + +2. Switch to key-based authentication + - Prompt user for SSH public key or generate keypair + - Disable password authentication in /etc/ssh/sshd_config: + PasswordAuthentication no + PermitRootLogin prohibit-password (or 'no' for desktop) + +3. Consider changing default SSH port (optional, security through obscurity) + +## Firewall (Priority: High) + +Base install has no firewall configured. Options: + +1. firewalld (recommended for most users) + - pacman -S firewalld + - systemctl enable --now firewalld + - Default zone should block incoming except SSH + +2. nftables (for advanced users) + - Already installed as iptables backend + - Needs manual configuration + +3. ufw (simpler alternative) + - pacman -S ufw + - Good for users coming from Ubuntu + +## ZFS-Specific Recommendations + +1. Sanoid/Syncoid for automated snapshots + - pacman -S sanoid + - Configure /etc/sanoid/sanoid.conf for automatic snapshot retention + - Suggested policy: hourly for 24h, daily for 7d, monthly for 12m + +2. ZFS scrub timer + - systemctl enable zfs-scrub-weekly.timer + - Or create monthly timer for large pools + +3. ZED (ZFS Event Daemon) email alerts + - Configure /etc/zfs/zed.d/zed.rc + - Set ZED_EMAIL_ADDR for pool health notifications + +4. Consider zfs-auto-snapshot as alternative to sanoid + +## User Account Setup + +Base install only has root. archsetup should: + +1. Create primary user account with sudo access +2. 
Lock root account for direct login (sudo only) +3. Configure sudo timeout and logging + +## Package Manager Hardening + +1. Enable pacman hooks for security + - Verify package signatures (already default) + +2. Consider enabling reflector timer + - Keeps mirrorlist updated with fastest/most recent mirrors + +3. Install pacman-contrib for paccache + - Configure paccache.timer to clean old package cache + +## Automatic Updates (Optional) + +For servers that need unattended security updates: +- Consider pacman-auto-update or similar +- ZFS pre-pacman snapshots (already in install-archzfs) make this safer + +## AppArmor/SELinux (Optional, Advanced) + +For high-security environments: +- AppArmor is easier: pacman -S apparmor +- Requires kernel parameter: lsm=apparmor + +## Misc Recommendations + +1. Install and enable systemd-timesyncd or chrony for NTP + +2. Configure journald retention + - /etc/systemd/journald.conf + - SystemMaxUse=500M (or appropriate for system) + +3. Disable core dumps for security (optional) + - /etc/security/limits.conf: * hard core 0 + +4. Install lynis for security auditing + - pacman -S lynis + - Run: lynis audit system + +## Desktop-Specific (if applicable) + +1. Consider firejail for sandboxing applications +2. Install a password manager (pass, keepassxc) +3. Configure automatic screen lock + +## Server-Specific (if applicable) + +1. Install and configure logwatch or logrotate +2. Consider setting up centralized logging +3. Install monitoring (prometheus node_exporter, netdata, etc.) + +--- +Generated by install-archzfs build system +These are recommendations - implement based on your security requirements. diff --git a/assets/outbox/2026-01-17-zfs-sanoid-feature-request.txt b/assets/outbox/2026-01-17-zfs-sanoid-feature-request.txt new file mode 100644 index 0000000..87207f2 --- /dev/null +++ b/assets/outbox/2026-01-17-zfs-sanoid-feature-request.txt 
@@ -0,0 +1,202 @@ +ZFS Detection and Sanoid Installation +====================================== + +When archsetup runs, it should detect if the system is on ZFS and install sanoid. + +Detection: +- Check if root filesystem is ZFS: `findmnt -n -o FSTYPE /` returns "zfs" +- Or check if zpool exists: `zpool list -H 2>/dev/null` + +If ZFS detected: +1. Install sanoid from AUR: `yay -S sanoid` +2. Create /etc/sanoid/sanoid.conf (see below) +3. Enable the timer: `systemctl enable --now sanoid.timer` +4. Create the syncoid replication script and systemd units (see below) + +Context: +- install-archzfs can't install sanoid (AUR package) +- archsetup already has AUR helper setup, so it's the right place to install it +- syncoid (for TrueNAS replication) comes with the sanoid package + +Added: 2026-01-17 + +================================================================================ +SANOID CONFIGURATION (/etc/sanoid/sanoid.conf) +================================================================================ + +# Sanoid configuration for ZFS snapshots +# Less aggressive - TrueNAS handles long-term backups + +############################# +# Templates +############################# + +[template_production] + # Local rollback capability + hourly = 6 + daily = 7 + weekly = 2 + monthly = 1 + autosnap = yes + autoprune = yes + +[template_backup] + # Less frequent for large/static data + hourly = 0 + daily = 3 + weekly = 2 + monthly = 1 + autosnap = yes + autoprune = yes + +[template_none] + autosnap = no + autoprune = yes + +############################# +# Datasets +############################# + +[zroot/ROOT/default] + use_template = production + +[zroot/home] + use_template = production + recursive = yes + +[zroot/media] + use_template = backup + +[zroot/vms] + use_template = backup + +[zroot/var/log] + use_template = production + +[zroot/var/lib/pacman] + use_template = production + +[zroot/var/cache] + use_template = none + +[zroot/var/tmp] + use_template = none + 
+[zroot/tmp] + use_template = none + +================================================================================ +SYNCOID REPLICATION SCRIPT (/usr/local/bin/zfs-replicate) +================================================================================ + +#!/bin/bash +# zfs-replicate - Replicate ZFS datasets to TrueNAS +# +# Usage: +# zfs-replicate # Replicate all configured datasets +# zfs-replicate [dataset] # Replicate specific dataset + +set -e + +# TrueNAS Configuration +# Try local network first, fall back to tailscale +TRUENAS_LOCAL="truenas.local" +TRUENAS_TAILSCALE="truenas" +TRUENAS_USER="root" +TRUENAS_POOL="vault" +BACKUP_PATH="backups" # TODO: Configure actual path + +# Datasets to replicate +DATASETS="zroot/ROOT/default zroot/home zroot/media zroot/vms" + +# Colors +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +RED='\033[0;31m' +NC='\033[0m' + +info() { echo -e "${GREEN}[INFO]${NC} $1"; } +warn() { echo -e "${YELLOW}[WARN]${NC} $1"; } +error() { echo -e "${RED}[ERROR]${NC} $1"; exit 1; } + +command -v syncoid >/dev/null 2>&1 || error "syncoid not found. Install sanoid package." 
+ +# Determine which host to use +determine_host() { + if ping -c 1 -W 2 "$TRUENAS_LOCAL" &>/dev/null; then + echo "$TRUENAS_LOCAL" + elif ping -c 1 -W 2 "$TRUENAS_TAILSCALE" &>/dev/null; then + echo "$TRUENAS_TAILSCALE" + else + error "Cannot reach TrueNAS at $TRUENAS_LOCAL or $TRUENAS_TAILSCALE" + fi +} + +TRUENAS_HOST=$(determine_host) +info "Using TrueNAS host: $TRUENAS_HOST" + +# Single dataset mode +if [[ -n "$1" ]]; then + dataset="$1" + dest="$TRUENAS_USER@$TRUENAS_HOST:$TRUENAS_POOL/$BACKUP_PATH/${dataset#zroot/}" + info "Replicating $dataset -> $dest" + syncoid --recursive "$dataset" "$dest" + exit 0 +fi + +# Full replication +info "Starting ZFS replication to $TRUENAS_HOST" +echo "" + +for dataset in $DATASETS; do + dest="$TRUENAS_USER@$TRUENAS_HOST:$TRUENAS_POOL/$BACKUP_PATH/${dataset#zroot/}" + info "Replicating $dataset -> $dest" + + if syncoid --recursive "$dataset" "$dest"; then + info " Success" + else + warn " Failed (will retry next run)" + fi + echo "" +done + +info "Replication complete." 
+ +================================================================================ +SYSTEMD SERVICE (/etc/systemd/system/zfs-replicate.service) +================================================================================ + +[Unit] +Description=ZFS Replication to TrueNAS +After=network-online.target +Wants=network-online.target + +[Service] +Type=oneshot +ExecStart=/usr/local/bin/zfs-replicate +User=root + +[Install] +WantedBy=multi-user.target + +================================================================================ +SYSTEMD TIMER (/etc/systemd/system/zfs-replicate.timer) +================================================================================ + +[Unit] +Description=Run ZFS replication nightly + +[Timer] +OnCalendar=*-*-* 02:00:00 +RandomizedDelaySec=1800 +Persistent=true + +[Install] +WantedBy=timers.target + +================================================================================ +ENABLE REPLICATION +================================================================================ + +After SSH key auth is set up to TrueNAS: + systemctl enable --now zfs-replicate.timer diff --git a/assets/outbox/2026-01-19-remove-zfs-scripts-request.md b/assets/outbox/2026-01-19-remove-zfs-scripts-request.md new file mode 100644 index 0000000..f67aa47 --- /dev/null +++ b/assets/outbox/2026-01-19-remove-zfs-scripts-request.md 
@@ -0,0 +1,29 @@
+# Task: Remove zfssnapshot and zfsrollback from archsetup
+
+## Summary
+Remove the `zfssnapshot` and `zfsrollback` scripts from archsetup's dotfiles. These scripts are now provided by the archzfs ISO and installed to `/usr/local/bin/` during `install-archzfs`.
+
+## Files to Remove
+- `dotfiles/system/.local/bin/zfssnapshot`
+- `dotfiles/system/.local/bin/zfsrollback`
+
+## Reason for Change
+These scripts need to be available immediately after a fresh install from the archzfs ISO, before archsetup runs. Key use cases:
+
+1. **Rescue scenarios**: Rolling back from live USB when the installed system won't boot
+2. **Genesis rollback**: If archsetup fails mid-run, user can rollback to genesis and retry
+3. **Script availability**: The scripts themselves must survive a genesis rollback (they're now part of genesis snapshot)
+
+By including them in the ISO and `install-archzfs`, they're guaranteed to be present from first boot, with fzf also installed as a dependency.
+
+## Changes Made in archzfs
+- Added `custom/zfssnapshot` and `custom/zfsrollback`
+- `build.sh` copies them to `/usr/local/bin/` on the ISO
+- `install-archzfs` installs `fzf` to target system (required by zfsrollback)
+- fzf was already in ISO package list
+
+## Note: Keep fzf in archsetup
+Archsetup should continue to install `fzf` in its package list. Archsetup can run on vanilla Arch installs with ext4 or btrfs (not just ZFS from archzfs ISO), where `install-archzfs` would not have run and fzf wouldn't be present.
+
+## Date
+2026-01-19
diff --git a/assets/outbox/2026-01-20-console-display-issues.txt b/assets/outbox/2026-01-20-console-display-issues.txt
new file mode 100644
index 0000000..f8dc710
--- /dev/null
+++ b/assets/outbox/2026-01-20-console-display-issues.txt
@@ -0,0 +1,112 @@
+Console Display Issues - Potential Causes in archsetup
+======================================================
+Date: 2026-01-20
+Source: archzfs testing on ratio - console not showing after install
+
+SUMMARY
+-------
+After running install-archzfs and archsetup on ratio, the console stopped
+displaying. The system boots but shows no console output. These are the
+suspected culprits in archsetup.
+
+SUSPECTED ISSUES
+----------------
+
+1. Console Font Configuration (boot_ux, lines 1574-1579)
+
+ File: archsetup
+ Lines: 1574-1579
+
+ Code:
+ if grep -q "^FONT=" /etc/vconsole.conf 2>/dev/null; then
+ sed -i 's/^FONT=.*/FONT=ter-132n/' /etc/vconsole.conf
+ else
+ echo "FONT=ter-132n" >> /etc/vconsole.conf
+ fi
+
+ Problem: Sets console font to ter-132n (Terminus 32pt). If the font
+ is missing, corrupted, or incompatible with the framebuffer, the
+ console may fail to display anything.
+
+ Fix: Verify terminus-font package is installed and font exists before
+ setting. Add fallback handling.
+
+2. mkinitcpio Hook Change (boot_ux, lines 1581-1583)
+
+ File: archsetup
+ Lines: 1581-1583
+
+ Code:
+ sed -i '/^HOOKS=/ s/\budev\b/systemd/' /etc/mkinitcpio.conf
+ mkinitcpio -P
+
+ Problem: Changes mkinitcpio from 'udev' to 'systemd' hook and
+ regenerates ALL initramfs images. This is a significant change that
+ affects early boot. If the systemd hook isn't properly configured
+ or conflicts with other hooks, boot may fail or console may not
+ initialize properly.
+
+ Fix: Ensure all required systemd-related hooks are present. Consider
+ whether this change is necessary or could be made optional.
+
+3. 
GRUB Quiet Boot Settings (boot_ux, line 1624)
+
+ File: archsetup
+ Line: 1624
+
+ Code:
+ sed -i "s/.*GRUB_CMDLINE_LINUX_DEFAULT=.*/GRUB_CMDLINE_LINUX_DEFAULT=\"rw loglevel=2 rd.systemd.show_status=auto rd.udev.log_level=2 nvme.noacpi=1 mem_sleep_default=deep nowatchdog quiet splash\"/g" /etc/default/grub
+
+ Problem: Adds 'quiet splash' and sets loglevel=2, which suppresses
+ most boot messages. If something goes wrong during boot, you won't
+ see any output. The 'splash' option may also interfere with console.
+
+ Fix: Consider removing 'splash' or making quiet boot optional.
+ For debugging, temporarily remove 'quiet splash' from GRUB.
+
+4. Kernel Message Suppression (boot_ux, lines 1571-1572)
+
+ File: archsetup
+ Lines: 1571-1572
+
+ Code:
+ echo "kernel.printk = 3 3 3 3" >/etc/sysctl.d/20-quiet-printk.conf
+
+ Problem: Suppresses kernel messages to console. Combined with other
+ quiet settings, this could hide important boot information.
+
+ Fix: For debugging, remove or adjust this setting.
+
+5. Xorg VT Switching Disabled (xorg, lines 1102-1107)
+
+ File: archsetup
+ Lines: 1102-1107
+
+ Code:
+ cat << EOF > /etc/X11/xorg.conf.d/00-no-vt-or-zap.conf
+ Section "ServerFlags"
+ Option "DontVTSwitch" "True"
+ Option "DontZap" "True"
+ EndSection
+ EOF
+
+ Problem: Disables VT switching when X is running. If X starts
+ automatically, you cannot switch to a text console with Ctrl+Alt+F2.
+ This is a security feature but makes debugging harder.
+
+ Note: This only affects post-X boot, not early console display.
+
+DEBUGGING STEPS
+---------------
+1. Boot with 'nomodeset' kernel parameter to rule out GPU/framebuffer issues
+2. Remove 'quiet splash' from GRUB temporarily
+3. Check if ter-132n font exists: ls /usr/share/kbd/consolefonts/ter-*
+4. Review mkinitcpio.conf HOOKS line for conflicts
+5. 
Check journalctl -b for boot errors
+
+RECOMMENDED CHANGES
+-------------------
+- Make quiet boot optional or add a debug boot menu entry
+- Verify font exists before setting in vconsole.conf
+- Document the udev->systemd hook change and its implications
+- Consider adding a recovery boot option that skips quiet settings
diff --git a/assets/outbox/2026-01-21-grub-timeout-request.txt b/assets/outbox/2026-01-21-grub-timeout-request.txt
new file mode 100644
index 0000000..fa03f62
--- /dev/null
+++ b/assets/outbox/2026-01-21-grub-timeout-request.txt
@@ -0,0 +1,4 @@
+* TODO Increase GRUB_TIMEOUT to 2 seconds
+Currently setting GRUB_TIMEOUT=0 which doesn't give users time to access GRUB menu.
+Change to GRUB_TIMEOUT=2 for a reasonable delay while keeping boot fast.
+
diff --git a/assets/outbox/2026-01-21-syncthing-service-conflict.org b/assets/outbox/2026-01-21-syncthing-service-conflict.org
new file mode 100644
index 0000000..7f86b39
--- /dev/null
+++ b/assets/outbox/2026-01-21-syncthing-service-conflict.org
@@ -0,0 +1,72 @@
+#+TITLE: Syncthing Service Conflict Issue
+#+DATE: 2026-01-21
+
+* Problem
+
+archsetup enables the system service:
+#+begin_src bash
+systemctl enable "syncthing@$username.service"
+#+end_src
+
+However, the user service can also get enabled (either by default or manually):
+#+begin_src bash
+systemctl --user enable syncthing.service
+#+end_src
+
+When BOTH services are enabled, they fight over the same lock file:
+=~/.local/state/syncthing/syncthing.lock=
+
+This causes one or both to fail with:
+: Failed to acquire lock: is another Syncthing instance already running?
+
+* Symptoms
+
+- Syncthing fails to start or keeps crashing
+- Lock file errors in journalctl
+- Two syncthing processes running with different parent services
+- Config changes don't persist (one service overwrites the other)
+
+* Recommendation
+
+Standardize on ONE service type. Options:
+
+** Option A: User Service (recommended for desktops)
+
+Runs when user logs in. Cleaner for desktop use.
+
+Change archsetup from:
+#+begin_src bash
+systemctl enable "syncthing@$username.service"
+#+end_src
+
+To:
+#+begin_src bash
+# Enable user service (requires user session)
+sudo -u "$username" systemctl --user enable syncthing.service
+#+end_src
+
+Note: User services require lingering or an active session:
+#+begin_src bash
+loginctl enable-linger "$username"
+#+end_src
+
+** Option B: System Service (recommended for headless/servers)
+
+Runs at boot without user login. Better for servers.
+
+Keep current archsetup config, but ensure user service is disabled:
+#+begin_src bash
+systemctl enable "syncthing@$username.service"
+# Explicitly disable user service to prevent conflicts
+sudo -u "$username" systemctl --user disable syncthing.service 2>/dev/null || true
+#+end_src
+
+* Resolution on ratio (2026-01-21)
+
+Disabled system service, kept user service:
+#+begin_src bash
+sudo systemctl stop syncthing@cjennings.service
+sudo systemctl disable syncthing@cjennings.service
+systemctl --user enable syncthing.service
+systemctl --user start syncthing.service
+#+end_src
diff --git a/assets/outbox/2026-01-23-avahi-mdns-fixes.org b/assets/outbox/2026-01-23-avahi-mdns-fixes.org
new file mode 100644
index 0000000..89b005e
--- /dev/null
+++ b/assets/outbox/2026-01-23-avahi-mdns-fixes.org
@@ -0,0 +1,125 @@
+#+TITLE: Avahi/mDNS Configuration Fixes
+#+DATE: 2026-01-23
+
+* Problem Summary
+
+On velox, mDNS hostname resolution was not working correctly from other machines on the LAN (e.g., ratio). Attempting to access =http://velox.local:8384= (Syncthing web UI) failed, while accessing via IP address worked.
+
+* Issues Identified
+
+** Issue 1: Hostname Conflict (velox-3.local)
+
+*Symptom:* Avahi was running as =velox-3.local= instead of =velox.local=
+
+*Cause:* Avahi was publishing on multiple network interfaces including virtual ones:
+- =enp0s13f0u3= (physical LAN - correct)
+- =docker0= (Docker bridge)
+- =virbr0= (libvirt bridge)
+- =vnet0= (VM virtual NIC)
+- =tailscale0= (Tailscale VPN)
+
+Each interface was effectively registering as a separate host, causing mDNS hostname conflicts with itself.
+
+*Solution:* Restrict Avahi to only the physical LAN interface.
+
+#+begin_src conf
+# /etc/avahi/avahi-daemon.conf
+[server]
+allow-interfaces=enp0s13f0u3
+#+end_src
+
+** Issue 2: IPv6-Only Resolution
+
+*Symptom:* =velox.local= resolved to IPv6 link-local address (=fe80::...=) only, but Syncthing was listening on IPv4 only (=0.0.0.0:8384=).
+
+*Cause:* Default Avahi configuration does not publish A records (IPv4) in response to AAAA queries (IPv6).
+
+*Solution:* Enable =publish-a-on-ipv6= to ensure IPv4 addresses are returned.
+
+#+begin_src conf
+# /etc/avahi/avahi-daemon.conf
+[publish]
+publish-a-on-ipv6=yes
+#+end_src
+
+** Issue 3: Conflicting mDNS Stacks
+
+*Symptom:* Avahi logged warning: "Detected another IPv4 mDNS stack running on this host"
+
+*Cause:* Both =avahi-daemon= and =systemd-resolved= were configured to handle mDNS:
+
+#+begin_src conf
+# /etc/systemd/resolved.conf (before fix)
+[Resolve]
+MulticastDNS=yes
+#+end_src
+
+*Solution:* Disable mDNS in systemd-resolved, let Avahi handle it exclusively.
+
+#+begin_src conf
+# /etc/systemd/resolved.conf
+[Resolve]
+Domains=~local
+MulticastDNS=no
+#+end_src
+
+* Complete Fix Applied
+
+** Files Modified
+
+*** /etc/avahi/avahi-daemon.conf
+
+Changes made:
+#+begin_src diff
+-#allow-interfaces=eth0
++allow-interfaces=enp0s13f0u3
+
+-#publish-a-on-ipv6=no
++publish-a-on-ipv6=yes
+#+end_src
+
+*** /etc/systemd/resolved.conf
+
+Changes made:
+#+begin_src diff
+-MulticastDNS=yes
++MulticastDNS=no
+#+end_src
+
+** Services Restarted
+
+#+begin_src bash
+sudo systemctl restart systemd-resolved
+sudo systemctl restart avahi-daemon
+#+end_src
+
+* Verification
+
+After fixes:
+- Avahi runs as =velox.local= (not =velox-3.local=)
+- No mDNS stack conflict warning
+- From ratio: =avahi-resolve -n velox.local= returns =192.168.86.42=
+- From ratio: =curl http://velox.local:8384/= returns HTTP 200
+
+* Notes for archsetup
+
+These configurations should be added to the Arch setup scripts:
+
+1. Install avahi: =pacman -S avahi nss-mdns=
+
+2. Configure =/etc/avahi/avahi-daemon.conf=:
+ - Set =allow-interfaces= to physical LAN interface (determine dynamically or prompt user)
+ - Set =publish-a-on-ipv6=yes=
+
+3. Configure =/etc/systemd/resolved.conf=:
+ - Set =MulticastDNS=no= to avoid conflict with Avahi
+
+4. Enable and start avahi-daemon:
+ #+begin_src bash
+ systemctl enable --now avahi-daemon
+ #+end_src
+
+5. Ensure =/etc/nsswitch.conf= has mdns in hosts line:
+ #+begin_src conf
+ hosts: mymachines mdns_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] files dns
+ #+end_src
diff --git a/assets/security-and-hardening-recommendations.txt b/assets/security-and-hardening-recommendations.txt
deleted file mode 100644
index 22a0c53..0000000
--- a/assets/security-and-hardening-recommendations.txt
+++ /dev/null
@@ -1,119 +0,0 @@
-# Security and Hardening Recommendations for archsetup
-
-These recommendations come from the install-archzfs base install.
-The base system is minimal - archsetup should handle hardening.
-
-## SSH Hardening (Priority: High)
-
-If SSH was enabled during install (for headless servers), it uses password auth.
-archsetup should:
-
-1. Install and configure fail2ban
- - pacman -S fail2ban
- - Enable sshd jail
- - Configure ban times (suggested: 10m first offense, escalating)
- - Consider integration with firewalld/nftables
-
-2. Switch to key-based authentication
- - Prompt user for SSH public key or generate keypair
- - Disable password authentication in /etc/ssh/sshd_config:
- PasswordAuthentication no
- PermitRootLogin prohibit-password (or 'no' for desktop)
-
-3. Consider changing default SSH port (optional, security through obscurity)
-
-## Firewall (Priority: High)
-
-Base install has no firewall configured. Options:
-
-1. firewalld (recommended for most users)
- - pacman -S firewalld
- - systemctl enable --now firewalld
- - Default zone should block incoming except SSH
-
-2. nftables (for advanced users)
- - Already installed as iptables backend
- - Needs manual configuration
-
-3. ufw (simpler alternative)
- - pacman -S ufw
- - Good for users coming from Ubuntu
-
-## ZFS-Specific Recommendations
-
-1. Sanoid/Syncoid for automated snapshots
- - pacman -S sanoid
- - Configure /etc/sanoid/sanoid.conf for automatic snapshot retention
- - Suggested policy: hourly for 24h, daily for 7d, monthly for 12m
-
-2. ZFS scrub timer
- - systemctl enable zfs-scrub-weekly.timer
- - Or create monthly timer for large pools
-
-3. ZED (ZFS Event Daemon) email alerts
- - Configure /etc/zfs/zed.d/zed.rc
- - Set ZED_EMAIL_ADDR for pool health notifications
-
-4. Consider zfs-auto-snapshot as alternative to sanoid
-
-## User Account Setup
-
-Base install only has root. archsetup should:
-
-1. Create primary user account with sudo access
-2. 
Lock root account for direct login (sudo only)
-3. Configure sudo timeout and logging
-
-## Package Manager Hardening
-
-1. Enable pacman hooks for security
- - Verify package signatures (already default)
-
-2. Consider enabling reflector timer
- - Keeps mirrorlist updated with fastest/most recent mirrors
-
-3. Install pacman-contrib for paccache
- - Configure paccache.timer to clean old package cache
-
-## Automatic Updates (Optional)
-
-For servers that need unattended security updates:
-- Consider pacman-auto-update or similar
-- ZFS pre-pacman snapshots (already in install-archzfs) make this safer
-
-## AppArmor/SELinux (Optional, Advanced)
-
-For high-security environments:
-- AppArmor is easier: pacman -S apparmor
-- Requires kernel parameter: lsm=apparmor
-
-## Misc Recommendations
-
-1. Install and enable systemd-timesyncd or chrony for NTP
-
-2. Configure journald retention
- - /etc/systemd/journald.conf
- - SystemMaxUse=500M (or appropriate for system)
-
-3. Disable core dumps for security (optional)
- - /etc/security/limits.conf: * hard core 0
-
-4. Install lynis for security auditing
- - pacman -S lynis
- - Run: lynis audit system
-
-## Desktop-Specific (if applicable)
-
-1. Consider firejail for sandboxing applications
-2. Install a password manager (pass, keepassxc)
-3. Configure automatic screen lock
-
-## Server-Specific (if applicable)
-
-1. Install and configure logwatch or logrotate
-2. Consider setting up centralized logging
-3. Install monitoring (prometheus node_exporter, netdata, etc.)
-
----
-Generated by install-archzfs build system
-These are recommendations - implement based on your security requirements.
diff --git a/assets/wireguard-config/USCALA.conf b/assets/wireguard-config/USCALA.conf
new file mode 100644
index 0000000..7d902d4
--- /dev/null
+++ b/assets/wireguard-config/USCALA.conf
@@ -0,0 +1,15 @@
+[Interface]
+# Bouncing = 8
+# NetShield = 1
+# Moderate NAT = on
+# NAT-PMP (Port Forwarding) = off
+# VPN Accelerator = on
+PrivateKey = aDhBPBlyRGAtWz2eaP6mPmEC5e6uNJj/YFleWACZdEk=
+Address = 10.2.0.2/32
+DNS = 10.2.0.1
+
+[Peer]
+# US-CA#187
+PublicKey = fXtINk5LcWvNoCxNwx9WkmHieyyw+zIcLiiRM6eyECc=
+AllowedIPs = 0.0.0.0/0
+Endpoint = 146.70.174.162:51820
\ No newline at end of file
diff --git a/assets/wireguard-config/USCASF.conf b/assets/wireguard-config/USCASF.conf
new file mode 100644
index 0000000..7948ae4
--- /dev/null
+++ b/assets/wireguard-config/USCASF.conf
@@ -0,0 +1,16 @@
+[Interface]
+# Key for velox
+# Bouncing = 26
+# NetShield = 1
+# Moderate NAT = on
+# NAT-PMP (Port Forwarding) = off
+# VPN Accelerator = on
+PrivateKey = 4Al9epK8qlWSiASFx1D8YPtqaqdUKUA6SRQhfhmL81g=
+Address = 10.2.0.2/32
+DNS = 10.2.0.1
+
+[Peer]
+# US-CA#75
+PublicKey = xRu4XSIeCCNh4wQqit2w0PwAqzAs7JVA4zQqxGOhSSY=
+AllowedIPs = 0.0.0.0/0
+Endpoint = 79.127.185.222:51820
\ No newline at end of file
diff --git a/assets/wireguard-config/USDC.conf b/assets/wireguard-config/USDC.conf
new file mode 100644
index 0000000..62ede76
--- /dev/null
+++ b/assets/wireguard-config/USDC.conf
@@ -0,0 +1,15 @@
+[Interface]
+# Bouncing = 1
+# NetShield = 1
+# Moderate NAT = on
+# NAT-PMP (Port Forwarding) = off
+# VPN Accelerator = on
+PrivateKey = ODgff/xOftY7+v64+J9vPs9C2ZK83xepaM9+OdJUong=
+Address = 10.2.0.2/32
+DNS = 10.2.0.1
+
+[Peer]
+# US-DC#29
+PublicKey = 3Lz5VpqnS7wfnOWVYFNCFHl+JuuanJ/hB2TqOKQZxVI=
+AllowedIPs = 0.0.0.0/0
+Endpoint = 185.247.68.50:51820
\ No newline at end of file
diff --git a/assets/wireguard-config/USGAAT.conf b/assets/wireguard-config/USGAAT.conf
new file mode 100644
index 0000000..b4cfc7d
--- /dev/null
+++ b/assets/wireguard-config/USGAAT.conf
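Review bot: The `PrivateKey =` line in the `[Interface]` section of USCALA.conf commits a live WireGuard client private key to the repository, and the same applies to the USCASF.conf, USDC.conf, USGAAT.conf, USNY.conf, switzerlan-zurich1.conf and switzerlan-zurich2.conf hunks; moving the files from assets/wireguard to assets/wireguard-config leaves every key in git history. Key material that has been committed and pushed should be treated as disclosed: regenerate these client keys with the VPN provider and purge or rewrite the history, rather than only relocating the files. Going forward keep only a template under version control, e.g. `PrivateKey = <private-key-placeholder — filled in at deploy time>`, and exclude the populated `assets/wireguard-config/*.conf` files via `.gitignore` or store them in a secrets store, since these are full-tunnel profiles (`AllowedIPs = 0.0.0.0/0`) whose key grants use of the account. The two switzerlan-zurich files also carry the same `PublicKey`/`Endpoint` peer with different client keys, which is probably intentional but deserves a `#` comment in the file, and every profile lacks a trailing newline.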
@@ -0,0 +1,15 @@
+[Interface]
+# Bouncing = 0
+# NetShield = 1
+# Moderate NAT = on
+# NAT-PMP (Port Forwarding) = off
+# VPN Accelerator = on
+PrivateKey = gMms305eLQY1Q/GTC1/nTffFh9ou4tIVzpQuWo0P6XU=
+Address = 10.2.0.2/32
+DNS = 10.2.0.1
+
+[Peer]
+# US-GA#319
+PublicKey = vrQlzOff8/CWCDVaesXMZLfQaOE4qrdY2BJUjWeRHyA=
+AllowedIPs = 0.0.0.0/0
+Endpoint = 149.22.94.113:51820
\ No newline at end of file
diff --git a/assets/wireguard-config/USNY.conf b/assets/wireguard-config/USNY.conf
new file mode 100644
index 0000000..ddf43a6
--- /dev/null
+++ b/assets/wireguard-config/USNY.conf
@@ -0,0 +1,16 @@
+[Interface]
+# Key for New York
+# Bouncing = 8
+# NetShield = 1
+# Moderate NAT = off
+# NAT-PMP (Port Forwarding) = off
+# VPN Accelerator = on
+PrivateKey = APAkVGvrTIXjgSCy9fUM7q4B9Fgj4M8PVbakpVEQQnE=
+Address = 10.2.0.2/32
+DNS = 10.2.0.1
+
+[Peer]
+# US-NY#524
+PublicKey = 8NeySGpnCMtwtgwVARpoCNonu9qxQxrE6hFztMcMDkA=
+AllowedIPs = 0.0.0.0/0
+Endpoint = 146.70.72.130:51820
\ No newline at end of file
diff --git a/assets/wireguard-config/switzerlan-zurich1.conf b/assets/wireguard-config/switzerlan-zurich1.conf
new file mode 100644
index 0000000..4d7908e
--- /dev/null
+++ b/assets/wireguard-config/switzerlan-zurich1.conf
@@ -0,0 +1,15 @@
+[Interface]
+# Bouncing = 18
+# NetShield = 1
+# Moderate NAT = off
+# NAT-PMP (Port Forwarding) = off
+# VPN Accelerator = on
+PrivateKey = CJSPw7zcMMBDJbQDYlwFvdVcXvvsGns592PiDHmhTks=
+Address = 10.2.0.2/32
+DNS = 10.2.0.1
+
+[Peer]
+# CH#185
+PublicKey = XPVCz7LndzqWe7y3+WSo51hvNOX8nX5CTwVTWhzg8g8=
+AllowedIPs = 0.0.0.0/0
+Endpoint = 149.88.27.234:51820
\ No newline at end of file
diff --git a/assets/wireguard-config/switzerlan-zurich2.conf b/assets/wireguard-config/switzerlan-zurich2.conf
new file mode 100644
index 0000000..c2d390f
--- /dev/null
+++ b/assets/wireguard-config/switzerlan-zurich2.conf
@@ -0,0 +1,15 @@
+[Interface]
+# Bouncing = 10
+# NetShield = 1
+# Moderate NAT = off
+# NAT-PMP (Port Forwarding) = off
+# VPN Accelerator = on
+PrivateKey = ACCwCDY+Y+RlSH2dSt+IumCBYAo5Sk4an9eXZKt8jEE=
+Address = 10.2.0.2/32
+DNS = 10.2.0.1
+
+[Peer]
+# CH#177
+PublicKey = XPVCz7LndzqWe7y3+WSo51hvNOX8nX5CTwVTWhzg8g8=
+AllowedIPs = 0.0.0.0/0
+Endpoint = 149.88.27.234:51820
\ No newline at end of file
diff --git a/assets/wireguard/USCALA.conf b/assets/wireguard/USCALA.conf
deleted file mode 100644
index 7d902d4..0000000
--- a/assets/wireguard/USCALA.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-[Interface]
-# Bouncing = 8
-# NetShield = 1
-# Moderate NAT = on
-# NAT-PMP (Port Forwarding) = off
-# VPN Accelerator = on
-PrivateKey = aDhBPBlyRGAtWz2eaP6mPmEC5e6uNJj/YFleWACZdEk=
-Address = 10.2.0.2/32
-DNS = 10.2.0.1
-
-[Peer]
-# US-CA#187
-PublicKey = fXtINk5LcWvNoCxNwx9WkmHieyyw+zIcLiiRM6eyECc=
-AllowedIPs = 0.0.0.0/0
-Endpoint = 146.70.174.162:51820
\ No newline at end of file
diff --git a/assets/wireguard/USCASF.conf b/assets/wireguard/USCASF.conf
deleted file mode 100644
index 7948ae4..0000000
--- a/assets/wireguard/USCASF.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-[Interface]
-# Key for velox
-# Bouncing = 26
-# NetShield = 1
-# Moderate NAT = on
-# NAT-PMP (Port Forwarding) = off
-# VPN Accelerator = on
-PrivateKey = 4Al9epK8qlWSiASFx1D8YPtqaqdUKUA6SRQhfhmL81g=
-Address = 10.2.0.2/32
-DNS = 10.2.0.1
-
-[Peer]
-# US-CA#75
-PublicKey = xRu4XSIeCCNh4wQqit2w0PwAqzAs7JVA4zQqxGOhSSY=
-AllowedIPs = 0.0.0.0/0
-Endpoint = 79.127.185.222:51820
\ No newline at end of file
diff --git a/assets/wireguard/USDC.conf b/assets/wireguard/USDC.conf
deleted file mode 100644
index 62ede76..0000000
--- a/assets/wireguard/USDC.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-[Interface]
-# Bouncing = 1
-# NetShield = 1
-# Moderate NAT = on
-# NAT-PMP (Port Forwarding) = off
-# VPN Accelerator = on
-PrivateKey = ODgff/xOftY7+v64+J9vPs9C2ZK83xepaM9+OdJUong=
-Address = 10.2.0.2/32
-DNS = 10.2.0.1
-
-[Peer]
-# US-DC#29
-PublicKey = 3Lz5VpqnS7wfnOWVYFNCFHl+JuuanJ/hB2TqOKQZxVI=
-AllowedIPs = 0.0.0.0/0
-Endpoint = 185.247.68.50:51820
\ No newline at end of file
diff --git a/assets/wireguard/USGAAT.conf b/assets/wireguard/USGAAT.conf
deleted file mode 100644
index b4cfc7d..0000000
--- a/assets/wireguard/USGAAT.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-[Interface]
-# Bouncing = 0
-# NetShield = 1
-# Moderate NAT = on
-# NAT-PMP (Port Forwarding) = off
-# VPN Accelerator = on
-PrivateKey = gMms305eLQY1Q/GTC1/nTffFh9ou4tIVzpQuWo0P6XU=
-Address = 10.2.0.2/32
-DNS = 10.2.0.1
-
-[Peer]
-# US-GA#319
-PublicKey = vrQlzOff8/CWCDVaesXMZLfQaOE4qrdY2BJUjWeRHyA=
-AllowedIPs = 0.0.0.0/0
-Endpoint = 149.22.94.113:51820
\ No newline at end of file
diff --git a/assets/wireguard/USNY.conf b/assets/wireguard/USNY.conf
deleted file mode 100644
index ddf43a6..0000000
--- a/assets/wireguard/USNY.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-[Interface]
-# Key for New York
-# Bouncing = 8
-# NetShield = 1
-# Moderate NAT = off
-# NAT-PMP (Port Forwarding) = off
-# VPN Accelerator = on
-PrivateKey = APAkVGvrTIXjgSCy9fUM7q4B9Fgj4M8PVbakpVEQQnE=
-Address = 10.2.0.2/32
-DNS = 10.2.0.1
-
-[Peer]
-# US-NY#524
-PublicKey = 8NeySGpnCMtwtgwVARpoCNonu9qxQxrE6hFztMcMDkA=
-AllowedIPs = 0.0.0.0/0
-Endpoint = 146.70.72.130:51820
\ No newline at end of file
diff --git a/assets/wireguard/switzerlan-zurich1.conf b/assets/wireguard/switzerlan-zurich1.conf
deleted file mode 100644
index 4d7908e..0000000
--- a/assets/wireguard/switzerlan-zurich1.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-[Interface]
-# Bouncing = 18
-# NetShield = 1
-# Moderate NAT = off
-# NAT-PMP (Port Forwarding) = off
-# VPN Accelerator = on
-PrivateKey = CJSPw7zcMMBDJbQDYlwFvdVcXvvsGns592PiDHmhTks=
-Address = 10.2.0.2/32
-DNS = 10.2.0.1
-
-[Peer]
-# CH#185
-PublicKey = XPVCz7LndzqWe7y3+WSo51hvNOX8nX5CTwVTWhzg8g8=
-AllowedIPs = 0.0.0.0/0
-Endpoint = 149.88.27.234:51820
\ No newline at end of file
diff --git a/assets/wireguard/switzerlan-zurich2.conf b/assets/wireguard/switzerlan-zurich2.conf
deleted file mode 100644
index c2d390f..0000000
--- a/assets/wireguard/switzerlan-zurich2.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-[Interface]
-# Bouncing = 10
-# NetShield = 1
-# Moderate NAT = off
-# NAT-PMP (Port Forwarding) = off
-# VPN Accelerator = on
-PrivateKey = ACCwCDY+Y+RlSH2dSt+IumCBYAo5Sk4an9eXZKt8jEE=
-Address = 10.2.0.2/32
-DNS = 10.2.0.1
-
-[Peer]
-# CH#177
-PublicKey = XPVCz7LndzqWe7y3+WSo51hvNOX8nX5CTwVTWhzg8g8=
-AllowedIPs = 0.0.0.0/0
-Endpoint = 149.88.27.234:51820
\ No newline at end of file
-- 
cgit v1.2.3