Updated the post-install sections of alpine-desktop.

Luc Bijl 2024-07-10 22:26:12 +02:00
parent da9fd3498b
commit e6bae601d3
10 changed files with 64 additions and 67 deletions

@ -1,6 +1,6 @@
# Config files
To simplify the post installation and subsequent sections, reference is made to pre-made configuration files with `<config-files-repo>`.
To simplify the subsequent sections, reference is made to pre-made configuration files with `<config-files-repo>`.
A configuration files repository may be chosen to one's preference, by cloning them with the `git` command. It is recommended to do this once a user has been created.
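Review bot: the rewritten first line still does not say what `<config-files-repo>` stands for, and the next sentence says to clone it "with the `git` command" without showing one. Suggest stating that `<config-files-repo>` is the URL of the configuration repository chosen by the reader and giving the command it refers to, e.g. `$ git clone <config-files-repo>`, so later sections that reference it have a concrete placeholder to substitute.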

@ -1,22 +1,29 @@
# Automatic decryption
Our system can utilize it's TPM2 to automatically decrypt. This can be done because the bootchain is secure and it's a bit tedious to enter an encryption password everytime the system boots up.
TPM can be used to automatically decrypt the root partition. This can be done because the bootchain is secure and it is tedious to enter an encryption password everytime the system boots up.
If `home-manager` was installed correctly then it should have also installed both `clevis` and `tpm2-tools`. This allows for the binding of the LUKS volume to TPM with clevis:
Both `clevis` and `tpm2-tools` will be used and can be installed with `nix` by
```
$ nix-env -iA nixpkgs.clevis
$ nix-env -iA nixpkgs.tpm2-tools
```
This allows for the binding of the luks encrypted root partition to TPM with clevis:
```
# clevis luks bind -d /dev/<disk2> tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,1,5,7"}'
```
After rebooting it should automatically decrypt your disk.
After rebooting it should automatically decrypt the disk.
Clevis can be envoked again if you have made any changes to secureboot or to the system and it doesn't automatically decrypt the disk.
Clevis can be evoked again if automatic decryption has been disabled due to changes to secureboot or the system.
First find the keyslot clevis is using and then regenerate the key:
First find the keyslot `clevis` is using and then regenerate the key by:
```
# cryptsetup luksDump /dev/<disk2>
# clevis luks regen -d /dev/<disk2> -s <keyslot>
```
If done correctly it should now work again.
If done correctly it should work again.
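Review bot: the new install step runs `nix-env -iA nixpkgs.clevis` as the unprivileged user (`$` prompt), but `clevis luks bind` and `clevis luks regen` run as root (`#` prompt), and root's PATH does not contain the user's nix profile; say how root is expected to find `clevis`. The bigger gap is on the boot side: nothing in the section says how the initramfs obtains the clevis TPM2 unlocker, which is what "After rebooting it should automatically decrypt the disk" depends on, so a reader has no way to tell what to install or regenerate when it does not. Two smaller points: the PCR set `0,1,5,7` ties the secret to firmware and the Secure Boot state, which is exactly the "bootchain is secure" premise, so the text should state that Secure Boot enforcement is a prerequisite and that the passphrase keyslot must be kept as fallback (`clevis luks bind` adds a slot, it does not replace one), and `clevis luks list -d /dev/<disk2>` reports the clevis-bound slot directly instead of reading it out of `luksDump`. Wording: "evoked" should be "invoked", "everytime" should be "every time".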

@ -1,6 +1,6 @@
# Firmware and drivers
Device firmware and drivers are necessary for graphics and also security. Luckily the graphics drivers have already been installed through `home-manager` which now only leaves the CPU firmware. For Intel systems install `intel-ucode` and for AMD systems install `amd-ucode`:
Device firmware and drivers are necessary for graphics and also security. Luckily the graphics drivers will be installed through `home-manager` which now only leaves the CPU firmware. For Intel systems install `intel-ucode` and for AMD systems install `amd-ucode`:
```
# apk add intel-ucode
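Review bot: the paragraph says the CPU firmware is needed "for security" but gives no way to confirm the microcode is actually applied after `apk add intel-ucode`; installing the package only places the image, it still has to be loaded early at boot. Add whether the bootloader configuration or initramfs needs regenerating on this setup and a check such as `dmesg | grep -i microcode`. The sentence names `amd-ucode` for AMD systems, but only the Intel command is shown; either show both or say "replace with `amd-ucode` on AMD".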

@ -1,12 +1,12 @@
# Initsystems
# Init system
## OpenRC
Alpine Linux uses OpenRC as init system which has a few configuration option that can be changed. Most options are already explained in the `/etc/rc.conf` file which has to be edited.
Alpine Linux uses OpenRC as init system which has a few configuration options that can be changed. Most options are already explained in the `/etc/rc.conf` file which has to be edited.
### Parallel services
The boot process can be sped up if services are launched parallel (do note that this *can* lead to small issues).
The boot process can be sped up if services are launched parallel (do note that this *can* potentially lock the boot process).
```
rc_parallel="YES"
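Review bot: "can potentially lock the boot process" in the `### Parallel services` paragraph is a stronger warning than the old "small issues" but gives no recovery step; if `rc_parallel="YES"` hangs the boot the reader needs to know to set it back to `"NO"` from a rescue shell or single-user boot. Also "launched parallel" should read "launched in parallel".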
@ -27,12 +27,11 @@ To also log the kernel add `klogd`.
# rc-update add klogd boot
```
You can view the logs in `/var/log/dmesg` and `/var/log/messages`
You can view the logs in `/var/log/dmesg` and `/var/log/messages`.
## User services using Runit
## User services using runit
If `home-manager` has been initialised and logged into the Wayfire session then it should have started a lot of services automatically. These are created and managed through `home-manager`.
The help and manual pages of runit explain how to use `sv` to manage the services.
The help and manual pages of `runit` explain how to use `sv` to manage the services.
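Review bot: the `## User services using runit` paragraph says the services "should have started" but gives the reader nothing to verify it with; add the `sv status` invocation together with the service directory `home-manager` creates, since `sv` needs that path (or `SVDIR`) to find user services.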

@ -1,8 +1,8 @@
# Network
## Using wifi
## Wi-Fi
Although `dhcp` will already work out of the box, wifi will not. Luckily there exists `wpa_supplicant`. Enable it in `/etc/NetworkManager/NetworkManager.conf`:
Although `dhcp` will already work out of the box, Wi-Fi will not. Luckily there exists `wpa_supplicant`, enable it in `/etc/NetworkManager/NetworkManager.conf`:
```
[main]
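Review bot: `wifi.backend=wpa_supplicant` in `NetworkManager.conf` only selects the backend; the rewritten sentence reads as if that enables Wi-Fi by itself, and it is also a comma splice ("Luckily there exists `wpa_supplicant`, enable it in ..."). State that the `wpa_supplicant` package must be installed (`# apk add wpa_supplicant`) or where earlier in the guide that happened, and split the sentence: "Luckily `wpa_supplicant` exists. Enable it in `/etc/NetworkManager/NetworkManager.conf`:".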
@ -17,7 +17,7 @@ wifi.scan-rand-mac-address=yes
wifi.backend=wpa_supplicant
```
Now restart the service and you should be able to connect with wifi.
Now restart the service, and you should be able to connect with Wi-Fi.
```
# rc-service networkmanager restart
@ -39,9 +39,9 @@ To make it possible for users to edit connections create the config file `/etc/N
auth-polkit=false
```
## Using a VPN
## VPN
NetworkManager can already use WireGuard but to use other VPN's it might be necessary to install their corresponding plugin. For OpenVPN that would be:
NetworkManager can already use WireGuard but to use other VPNs it might be necessary to install their corresponding plugin. For OpenVPN that would be:
```
# apk add networkmanager-openvpn
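Review bot: the context line `auth-polkit=false` at the top of this hunk turns off NetworkManager's polkit authorization entirely, so every user the D-Bus policy admits can add, edit and delete system connections without authenticating, not only the users the sentence "To make it possible for users to edit connections" has in mind. The text should state that consequence and present it as a single-user workstation trade-off, or point at the alternative of granting access through polkit rules or the group NetworkManager's D-Bus policy trusts.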

@ -1,8 +1,8 @@
# Power management
## Acpi
## ACPI
During installation Busybox's `acpid` has already been replaced by the regular `acpid` which means that it has to be configured in `/etc/acpi/handler.sh`. The default configuration works but by default will not suspend the device if an AC adapter is connected even if the lid is closed. Therefore it's recommended in `button/lid:*:close:*` to change it to:
During installation Busybox's `acpid` has already been replaced by the regular `acpid` which means that it has to be configured in `/etc/acpi/handler.sh`. The default configuration works but by default will not suspend the device if an AC adapter is connected even if the lid is closed. Therefore it is recommended in `button/lid:*:close:*` to change it to:
```
#power-supply-ac || suspend
@ -11,7 +11,7 @@ suspend
## TLP
To optimise battery on the device it's recommend to install `tlp` and activate it's service:
To optimise device battery it is recommended to install `tlp` and activate its service:
```
# apk add tlp

@ -1,4 +1,4 @@
# Zram
# Swap
Because a Linux system requires swap to function properly install `zram-init`. To keep it simple, it will utilise RAM to store compressed swap.
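Review bot: "a Linux system requires swap to function properly" on the new line 3 overstates it; Linux runs without swap, and the reason for `zram-init` here is to give the kernel somewhere to page out anonymous memory on a machine without a swap partition. Suggest: "Although Linux runs without swap, having some improves memory management; install `zram-init`, which keeps compressed swap in RAM."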
@ -20,6 +20,6 @@ num_devices=1
size0=`LC_ALL=C free -m | awk '/^mem:/{print int($2/4)}'`
```
Now the size of the swap device will be a fourth of the ram size. Reboot the computer or restart the service to check if it works.
Now the size of the swap device will be one fourth of the ram size. Reboot the computer or restart the service to check if it works.
Also be sure to read the [ArchWiki](https://wiki.archlinux.org/title/Zram) for more information.
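Review bot: the context line ``size0=`LC_ALL=C free -m | awk '/^mem:/{print int($2/4)}'` `` matches a line starting with lowercase `mem:`, but `free` (busybox and procps alike) prints `Mem:`, so the pattern never matches, `size0` ends up empty and the "one fourth of the ram size" statement in the new text does not hold. Change the pattern to `/^Mem:/` and suggest the reader check the result with `zramctl` or `cat /proc/swaps` after the restart the text already recommends. Also "ram" should be "RAM".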

@ -1,6 +1,6 @@
# User packages
The *Nix package manager* is a package manager which allows for user independent packages and a whole lot more (although it is not necessarily minimal).
The *Nix package manager* is a package manager which allows for user independent packages and a whole lot more, although it is not necessarily minimal.
## Setup
@ -12,7 +12,7 @@ To set `nix` up install its package and activate its service:
# rc-service nix-daemon start
```
Don't forget to add your user to the nix group:
Do not forget to add your user to the nix group:
```
# adduser <username> nix
@ -20,16 +20,21 @@ Don't forget to add your user to the nix group:
### Channels
For `nix` to be able to install packages it is necessary to add a few channels:
For `nix` to be able to install packages it is necessary to add a few channels/repositories in `~/.nix-channels`:
```
https://nixos.org/channels/nixos-<version> nixpkgs
https://nixos.org/channels/nixos-unstable nixpkgs-unstable
https://github.com/nix-community/nixGL/archive/main.tar.gz nixgl
```
and replace the `version` with the latest version of `nix`. Then perform
```
$ nix-channel --add https://nixos.org/channels/nixos-23.11 nixpkgs
$ nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgs-unstable
$ nix-channel --add https://github.com/nix-community/nixGL/archive/main.tar.gz nixgl && nix-channel --update
$ nix-channel --update
```
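Review bot: the `nixgl` entry in `~/.nix-channels` points at `https://github.com/nix-community/nixGL/archive/main.tar.gz`, an unpinned branch tarball, so every `nix-channel --update` pulls whatever is on `main` at that moment with no tag or hash to check it against; since the NixGL wrappers end up launching the graphical session, pin the channel to a release tag or commit tarball (`archive/<commit>.tar.gz`), or at least say that this trade-off is deliberate. Separately, "replace the `version` with the latest version of `nix`" is wrong in two ways: `<version>` in `nixos-<version>` is the NixOS/nixpkgs release (the removed lines used `23.11`), not the version of the `nix` tool, and the placeholder should be written `<version>` to match the file contents above it.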
## Usage
## Home manager
Nix can be used to manage your `$HOME` with `home-manager`. First install `home-manager` through:
@ -37,13 +42,13 @@ Nix can be used to manage your `$HOME` with `home-manager`. First install `home-
$ nix-env -iA nixpkgs.home-manager
```
Now that Nix is up and running utilize the `home.nix` that comes with the [config files](https://docs.bijl.us/alpine-desktop-setup/post-install/config-files/) to set up our home for us. But before initialising `nix` make sure that you set the correct `<username>` in `home.nix` which is located in `~/.config/home-manager`. Then after changing that simply run this command:
Now that Nix is up and running utilize the `home.nix` that comes with the [config files](https://docs.bijl.us/alpine-desktop-setup/post-install/config-files/) to set up your home. But before initialising `nix` make sure that you set the correct `<username>` in `home.nix` which is located in `~/.config/home-manager`. Then after changing that simply run this command:
```
$ home-manager switch
```
And thanks to `home-manager` we can easily set up and manage an entire graphical enviroment with all the necessary packages in one go.
Thanks to `home-manager` we can easily set up and manage an entire graphical environment with all the necessary packages in one go.
You are now also able to install packages as a user without root from `nixpkgs`:
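Review bot: the link target `.../alpine-desktop-setup/post-install/config-files/` should be verified against the nav change in this commit, which lists `config-files.md` under `alpine-desktop-setup/graphical-session/`. Also, `home-manager switch` applies everything the cloned `home.nix` declares, so the sentence before it should tell the reader to review the file, not only to set `<username>`; and "to set up your home" reads better as "to set up your home directory".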
@ -51,15 +56,15 @@ You are now also able to install packages as a user without root from `nixpkgs`:
$ nix-env -iA nixpkgs.<package>
```
But for reproducability it's better to use `home-manager` by declaring them in a `.nix` file and importing that within `home.nix`.
But for reproducibility it is better to use `home-manager` by declaring them in a `.nix` file and importing that within `home.nix`.
You can also test a package before installing it with `nix-shell -p <program>`
You can also test a package before installing it with `nix-shell -p <program>`.
### NixGL
`nixGL` is necessary to be able to run graphical programs and sessions which are installed through `nix`. It should have been installed with `home-manager`.
The `nixGL` channel is necessary to be able to run graphical programs and sessions which are installed through `nix`. It should have been installed with `home-manager`.
Some applications might need vulkan in which case the program has to be prefixed with:
Some applications might need Vulkan in which case the program has to be prefixed with:
```
$ nixVulkanIntel <program>
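Review bot: `nixVulkanIntel` is the Intel-specific wrapper; the NixGL paragraph should say so and name the counterpart for other GPUs (nixGL also ships `nixVulkanNvidia`), otherwise a reader on different hardware follows a command that cannot work. "The `nixGL` channel is necessary to be able to run graphical programs" also conflates the channel with what is installed from it; it is the nixGL wrappers that are needed, the channel is just where they come from.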

@ -2,17 +2,15 @@
It might be nice to add a user to your system.
## doas
## Doas
Before creating the user install `doas` for when root is requiered:
Before creating the user install `doas`, to use when root is required:
```
# apk add doas
```
Also configure `doas` through `/etc/doas.d/main.conf`:
Configure `doas` through `/etc/doas.d/main.conf`:
```
permit persist :wheel as root
@ -20,57 +18,51 @@ permit nopasss :_power cmd /sbin/poweroff
permit nopasss :_power cmd /sbin/reboot
```
And create a `_power` group for user's to be able to poweroff the system without root:
and create a `_power` group for users to be able to poweroff the system without root:
```
# addgroup -S _power
```
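Review bot: both context lines `permit nopasss :_power cmd /sbin/poweroff` and `permit nopasss :_power cmd /sbin/reboot` misspell the option; `doas` only knows `nopass`, and a syntax error makes it reject the whole configuration, which takes the `permit persist :wheel as root` rule down with it. Fix the spelling and add a validation step right after editing the file (`# doas -C /etc/doas.d/main.conf`, which parses the config and reports errors) before the later section locks the root account. The lowercase "and create a `_power` group" now opens a paragraph after a code block; either capitalise it or keep the old "And".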
## Adding a user
Adding a user in alpine can be done using the `setup-user` script. Here we can specify the name, fullname with `-f`, groups and more:
Adding a user in Alpine Linux can be done using the `setup-user` script. Here we can specify the name, full name with `-f`, groups and more:
```
# setup-user -g wheel,_power -f "<Full Name>" <username>
# passwd <username>
```
> It is also recommended to have an "admin" account which is the only one in the wheel group.
> It is recommended to have an "admin" account which is the sole account in the wheel group.
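Review bot: the single example `setup-user -g wheel,_power -f "<Full Name>" <username>` puts every user created this way into `wheel`, which contradicts the admonition right below it that the admin account should be the sole member of `wheel`. Show two variants: the admin account with `-g wheel,_power` and regular users with `-g _power` only, so that following the page literally does not hand every account the `permit persist :wheel as root` rule.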
And you may have to change the shell of the user in `/etc/passwd` from `/sbin/nologin` to a shell from `/etc/shells`. Alpine Linux comes with `/bin/ash` by default:
You may have to change the shell of the user in `/etc/passwd` from `/sbin/nologin` to a shell from `/etc/shells`. Alpine Linux comes with `/bin/ash` by default:
```
<username>:x:1234:1234:<Full Name>:/home/<username>:/bin/<shell>
```
Don't login yet if you want to encrypt the directory.
> Do not log in yet if you want to encrypt the user's home directory.
If you have checked that `doas` works with the user then you can lock the root account because it's insecure to keep open. This can be done with:
If you have checked that `doas` works with the user then you can lock the root account because it imposes security risks if it is kept open. This can be done with:
```
# passwd -l root
```
And editing `/etc/passwd` to change the login shell from `/bin/ash` to `/sbin/nologin`:
and editing `/etc/passwd` to change the login shell from `/bin/ash` to `/sbin/nologin`:
```
root:x:0:0:root:/root:/sbin/nologin
```
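Review bot: after `passwd -l root` and the `/sbin/nologin` shell, `doas` is the only remaining path to root, so "If you have checked that `doas` works with the user" deserves to be a concrete step rather than a condition: from a fresh login as the new user run `doas -C /etc/doas.d/main.conf` and a harmless `doas id`. With the `nopasss` typo in the config shown earlier in this file, doas refuses to run at all, and locking root at that point leaves no way to regain privileges short of rescue media.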
## Encrypting the home directory
> Not yet working, DO NOT FOLLOW.
### Encrypting the home directory (Not yet working, DO NOT FOLLOW)
If you are running a system with multiple users or if you want an extra layer of protection then it's possible to encrypt every user's home directory.
If you are running a system with multiple users or if you want an extra layer of protection then it is possible to encrypt every user's home directory.
> Do note that a second layer of encryption can lead to lower disk performance so in the case where this is important it might be preferred not to encrypt.
#### Setting up fscrypt
First install the `fscrypt` and `e2fsprogs-extra` packages:
```
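Review bot: moving "Not yet working, DO NOT FOLLOW" from the blockquote into the heading text turns the warning into part of the title and navigation entry instead of a visible callout on the page, and the section keeps its `####` subheadings while it is now itself a `###` under `## Adding a user`. Keep the blockquote warning at the top of the section (the old form) and say what fails, so a reader can judge whether it applies to them. One thing worth checking when debugging it: the `pam_fscrypt.so` lines added later in this file only unlock the directory if the login program goes through PAM, and Alpine's default busybox `login` does not.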
@ -93,11 +85,7 @@ auth optional pam_fscrypt.so
session optional pam_fscrypt.so
```
#### Encrypting a user's home
Encrypt the directory with:
Then encrypt the home directory with:
```
# fscrypt encrypt /home/<username> --user=<username>
@ -111,8 +99,6 @@ Then reboot and login with the user to check if it worked. It should also have g
$ fscrypt status /home/<username>
```
## TLDR
If you have already set up a system with a user but want to add another do this:

@ -53,10 +53,10 @@ nav:
- 'Init system': alpine-desktop-setup/post-install/init-system.md
- 'Firmware and drivers': alpine-desktop-setup/post-install/drivers.md
- 'Swap': alpine-desktop-setup/post-install/swap.md
- 'Automatic decryption': alpine-desktop-setup/post-install/automatic-decryption.md
- 'Power management': alpine-desktop-setup/post-install/power-management.md
- 'Users': alpine-desktop-setup/post-install/users.md
- 'User packages': alpine-desktop-setup/post-install/user-packages.md
- 'Automatic decryption': alpine-desktop-setup/post-install/automatic-decryption.md
- 'Graphical session':
- 'Config files': alpine-desktop-setup/graphical-session/config-files.md
- 'Session manager': alpine-desktop-setup/graphical-session/session-manager.md