Updated post-installation/config-files section.

docs/alpine-desktop-setup/index.md

@@ -1,5 +1,5 @@
 # An Alpine Linux desktop installation
 
-This guide will demonstrate how to install [Alpine Linux](https://www.alpinelinux.org/) as a desktop with encryption, secureboot and a graphical wayland session using wayfire. Alpine Linux makes a perfect base for those who want a minimal, simple and secure Linux installation. This installation will also make heavy use of [Nix](https://nixos.org/) and [Home-manager](https://github.com/nix-community/home-manager) which allows for easy deployment and user independent packages. Check out the [Alpine Linux wiki](https://wiki.alpinelinux.org/wiki/Main_Page) for additional resources and information.
+This guide will demonstrate how to install [Alpine Linux](https://www.alpinelinux.org/) with encryption, secureboot and a graphical wayland session using wayfire. Alpine Linux makes a perfect base for those who want a minimal, simple and secure Linux installation. This installation will also make use of [Nix](https://nixos.org/) and [Home-manager](https://github.com/nix-community/home-manager) which allows for easy deployment and user independent packages. Check out the [Alpine Linux wiki](https://wiki.alpinelinux.org/wiki/Main_Page) for additional resources and information.
 
-> Do note that all this documentation is focused on the `x86_64` architecture.
+> Note that all this documentation is focused on the `x86_64` architecture.

docs/alpine-desktop-setup/installation.md

@@ -14,9 +14,9 @@ Then set up the base system using `setup-disk`:
 # setup-disk -m sys /mnt
 ```
 
-This will also add grub as bootloader which is going to be replaced on this system but for now it will reside on the boot partition.
+This will also add grub as bootloader which will be replaced but for now it will reside on the boot partition.
 
-Now the other directories are going to be mounted so that it's possible to chroot into the system:
+To make it possible to chroot into the system, mount the other directories:
 
 ```
 # for i in dev proc sys run; do
@@ -25,7 +25,7 @@ Now the other directories are going to be mounted so that it's possible to chroo
 # chroot /mnt
 ```
 
-The other "setup" scripts can be used to configure key aspects of the system.
+The other setup scripts can be used to configure key aspects of the system.
 
 ```
 # setup-hostname <hostname>
@@ -36,7 +36,7 @@ The other "setup" scripts can be used to configure key aspects of the system.
 # passwd root
 ```
 
-> Root's password doesn't really matter because it's going to be locked after a user has been created.
+> The root password does not really matter because it is going to be locked after a user has been created.
 
 Set the `hwclock` to use `localtime` instead of `UTC` in `/etc/conf.d/hwclock`:
 
@@ -73,19 +73,19 @@ modules: vfat,nls_cp437,nls_iso8859_1
 enable_lvm: true
 ```
 
-The most important step is the creation of uki's using `secureboot-hook` which also automatically signs them. First the hook itself will have to be tweaked to use `booster` instead of `mkinitfs`, edit `/etc/kernel-hooks.d/50-secureboot.hook` and change the line:
+The most important step is the creation of a UKI using `secureboot-hook` which also automatically signs them. First the hook itself will have to be tweaked to use `booster` instead of `mkinitfs`, edit `/etc/kernel-hooks.d/50-secureboot.hook` and change the line:
 
 ```
 /sbin/mkinitfs -o "$tmpdir"/initramfs "$NEW_VERSION-$FLAVOR"
 ```
 
-To:
+to:
 
 ```
 /usr/bin/booster build "$tmpdir"/initramfs --kernel-version "$NEW_VERSION-$FLAVOR"
 ```
 
-And configure `/etc/kernel-hooks.d/secureboot.conf` for cmdline and secureboot. 
+and configure `/etc/kernel-hooks.d/secureboot.conf` for cmdline and secureboot. 
 
 ```
 cmdline="rw rd.luks.name=<uuid>=luks root=/dev/vg<n>/alp_root modules=ext4 quiet splash rd.lvm.vg=vg<n>"
@@ -98,13 +98,13 @@ output_dir="/boot/efi/EFI/Linux"
 output_name="alpine-linux-{flavor}.efi"
 ```
 
-Here `<uuid>` has to be replaced with the uuid of the partition which contains our volume group:
+Here `<uuid>` has to be replaced with the uuid of the partition which contains the volume group:
 
 ```
 # blkid /dev/<disk2> >> /etc/kernel-hooks.d/secureboot.conf
 ```
 
-All that's left for booting is secureboot which `sbctl` will be used for to create keys, and sign some executables with.
+Use `sbctl` to create secureboot keys and sign them.
 
 ```
 # sbctl create-keys
@@ -122,7 +122,7 @@ Now to see if everything went succesfully run:
 
 And it should give no warnings if done properly. 
 
-To make our lives easier we'll also install `gummiboot` as a bootloader.
+As discussed earlier `grub` will be replaced, install `gummiboot` as a bootloader.
 
 ```
 # apk add gummiboot
@@ -131,7 +131,7 @@ To make our lives easier we'll also install `gummiboot` as a bootloader.
 # sbctl sign -s /boot/efi/EFI/Boot/BOOTX64.EFI
 ```
 
-And also remove some junk left over by grub.
+And also remove some remnants of `grub`.
 
 ```
 # rm -rf /boot/efi/EFI/alpine
@@ -140,7 +140,7 @@ And also remove some junk left over by grub.
 # cd /boot && unlink boot
 ```
 
-You can also install `os-prober` which can find operating systems and add them to your bootloader. Besides that `gummiboot` can also be configured with the file `/boot/efi/loader/loader.conf` with which you can specify the timeout and the default OS.
+The `os-prober` package may be installed that may find operating systems and add them to the bootloader. Besides that `gummiboot` can also be configured with the file `/boot/efi/loader/loader.conf` with which the timeout and the default OS can be specified.
 
 ```
 default alpine
@@ -148,7 +148,7 @@ timeout 2
 editor no
 ```
 
-Before finishing the installation, `networkmanager` will be installed for networking.
+Before finishing the installation `networkmanager` will be installed for networking.
 
 ```
 # apk add networkmanager
@@ -156,11 +156,11 @@ Before finishing the installation, `networkmanager` will be installed for networ
 # rc-update add networkmanager default
 ```
 
-Wifi will not yet work but this is will be done later on.
+Wifi will not yet work. For wifi configuration see the [network section](post-install/network). 
 
-> If internet doesn't work after reboot create the config file as described in the [wifi section](https://docs.bijl.us/alpine-desktop-setup/post-install/network/) and restart the service.
+> If internet does not work after reboot create the config file as described in the [network section](post-install/network) and restart the service.
 
-Now exit out of the chroot and you should be able to reboot into a working Alpine system.
+Now exit the chroot and you should be able to reboot into a working Alpine system.
 
 ```
 # exit

docs/alpine-desktop-setup/post-install/config-files.md

@@ -1,21 +0,0 @@
-# Config files
-
-To make life easier there are a few pre-made few configuartion file repositories which contain all necessary files to set up a functional system. `<config-files-repo>` refers to a repository which containes these. We have created a "default config" which you can use as basis for your configuration.
-
-* [lnco/alpine-desktop-config](https://git.bijl.us/lnco/alpine-desktop-config)
-
-Some more examples are:
-
-* [Nils' config-files-alpine](https://git.bijl.us/nils/config-files-alpine) (WIP)
-
-* Luc's config (once it exists)
-
-> Do note that these config file repositories may not contain all the necessary files.
-
-Clone your repository of choice using git:
-
-```
-# apk add git
-$ git clone <config-files-repo>
-$ mv <config-files-repo>/config .config
-```

docs/alpine-desktop-setup/post-install/network.md

@@ -1,8 +1,8 @@
 # Network
 
-## Wifi
+## Using wifi
 
-Being able to connect to the internet is essential so lets set it up. Although `dhcp` will already work out of the box, wifi will not. Luckily there exist `wpa_supplicant`. First install the necessary packages:
+Although `dhcp` will already work out of the box, wifi will not. Luckily there exists `wpa_supplicant`. First install the necessary packages:
 
 ```
 # apk add networkmanager-wifi wpa_supplicant
@@ -23,20 +23,20 @@ wifi.scan-rand-mac-address=yes
 wifi.backend=wpa_supplicant
 ```
 
-Now restart the service and you should be able to connect to the Wifi.
+Now restart the service and you should be able to connect with wifi.
 
 ```
 # rc-service networkmanager restart
 ```
 
-There are different frontends to configure connections but for now lets install `networkmanager-tui`:
+There are different frontends to configure connections but for now install `networkmanager-tui`:
 
 ```
 # apk add networkmanager-tui
 # nmtui
 ```
 
-It should be pretty self-explanatory on how to use it.
+It should be self-explanatory how to use it.
 
 To make it possible for users to edit connections create the config file `/etc/NetworkManager/conf.d/no-polkit.conf` with:
 
@@ -45,21 +45,21 @@ To make it possible for users to edit connections create the config file `/etc/N
 auth-polkit=false
 ```
 
-## VPN's
+## Using a VPN
 
-NetworkManager can already use WireGuard but to use other VPN types it might be necessary to install their corresponding plugin. For OpenVPN that would be:
+NetworkManager can already use WireGuard but to use other VPN's it might be necessary to install their corresponding plugin. For OpenVPN that would be:
 
 ```
 # apk add networkmanager-openvpn
 ```
 
-## Security
+## Security considerations
 
-NetworkManager's defaults are fine for normal usage but in terms of security they are definitly lacking.
+NetworkManager defaults are fine for normal usage but in terms of security they are definitely lacking.
 
 ### MAC Randomization
 
-Create a config file `/etc/NetworkManager/conf.d/mac-rand.conf` to randomize te mac address for every time your computer connects:
+Create a config file `/etc/NetworkManager/conf.d/mac-rand.conf` to randomize the mac address every time your computer connects:
 
 ```
 [connection-mac-randomization]
@@ -69,7 +69,7 @@ wifi.cloned-mac-address=random
 
 ### IPv6 privacy
 
-Although ipv6 will be turned off in the [security section](https://docs.bijl.us/alpine-desktop-setup/post-install/security/#cmdline) you can still turn this on just in case byediting `/etc/NetworkManager/conf.d/ip6-privacy.conf`:
+Although ipv6 will be turned off in the [security section](https://docs.bijl.us/alpine-desktop-setup/post-install/security/#cmdline) you can still turn it on by editing `/etc/NetworkManager/conf.d/ipv6-privacy.conf`:
 
 ```
 [connection]

docs/alpine-desktop-setup/post-install/post-installation.md

@@ -0,0 +1,17 @@
+# Post installation
+
+The post installation section elaborates on the installation and configuration of certain applications and the extension of the operating system. To simplify this and the subsequent sections, reference is made to pre-made configuration files with `<config-files-repo>`. 
+
+A configuration files repository may be chosen to one's preference, by cloning them with the `git` command. It is recommended to do this once a user has been created.
+
+```
+$ git clone <config-files-repo>
+```
+
+Some possible configuration files repositories.
+
+* [Default lnco config-files](https://git.bijl.us/lnco/alpine-desktop-config)
+* [Nils' config-files](https://git.bijl.us/nils/config-files-alpine)
+* [Luc's config-files](https://git.bijl.us/luc/alpine-desktop)
+
+Note that a configuration files repository may not contain all the configuration files mentioned in this wiki.

docs/alpine-desktop-setup/post-install/security.md

@@ -1,23 +1,20 @@
 # Security
 
-There are a few things that have to be done to optimize the security of the system.
+There are a few things that have to be done to optimize the security of the system. Some of the sources used are listed below.
-
-Here are a few of the sources used:
 
 * [Madaidans-insecurities page](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel).
-
 * [PlagueOS](https://0xacab.org/optout/plagueos/-/wikis/Security-Considerations)
 
 ## Apparmor and LSM
 
-Apparmor is a mandatory access control (MAC) mechanism which restricts a programs capabilities. Installation is easy:
+Apparmor is a mandatory access control mechanism that may restrict the capabilities of a program, install it via:
 
 ```
 # apk add apparmor apparmor-profiles
 # rc-update add apparmor default
 ```
 
-Add apparmor and other "Linux Security Modules" to the `cmdline` in `/etc/kernel-hooks/secureboothook.conf`:
+Add apparmor and other "Linux Security Modules" to the `cmdline` in `/etc/kernel-hooks.d/secureboothook.conf`:
 
 ```
 cmdline="... apparmor=1 lsm=landlock,lockdown,yama,integrity,apparmor"
@@ -36,10 +33,11 @@ You can check the status of apparmor using `apparmor-utils`:
 # apk add apparmor-utils
 # aa-status
 ```
+## Kernel settings 
 
-## Cmdline
+### Commandline
 
-There are a lot of kernel settings which can be passed to the command line to make a system more secure. So lets add them to `/etc/kernel-hooks/secureboot.conf`:
+There are a lot of kernel settings which can be passed to the command line to make a system more secure. So lets add them to `/etc/kernel-hooks/secureboot.conf`.
 
 ```
 cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality mce=0 loglevel=0 intel_iommu=on amd_iommu=on iommu=force efi=disable_early_pci_dma spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full mds=full l1ft=flush ipv6.disable=1 rd.shell=0 rd.emergency=reboot"
@@ -47,11 +45,11 @@ cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pt
 
 After reconfiguring `kernel-hooks` try to reboot and it should boot. Although there are more options that might make the system more secure, these come with a big performance hit most of the time so these settings should do for now. 
 
-> Whilst booting up your system you may see sysctl complaining about ipv6 setting. [It's getting worked on](https://git.bijl.us/lnco/documentation/issues/30).
+> Whilst booting up your system you may see sysctl complaining about ipv6 settings. [We are trying to resolve the problem](https://git.bijl.us/lnco/documentation/issues/30).
 
-## Sysctl
+### Sysctl
 
-More kernel settings can be configured through sysctl. Edit the file `/etc/sysctl.d/main.conf`:
+More kernel settings can be configured through sysctl. Edit `/etc/sysctl.d/main.conf`:
 
 ```
 # Main security configuration.
@@ -102,21 +100,21 @@ This list is most likely still incomplete but should be good enough for now.
 
 ## Blacklisting modules
 
-WIP
+Work in progress.
 
 ## Linux-Hardened
 
-WIP
+Work in progress.
 
 ## Hardened Malloc (WIP)
 
-Musl's default memory allocator which comes with Alpine Linux is already pretty secure but not as secure as [hardened-malloc](https://github.com/GrapheneOS/hardened_malloc/):
+The default memory allocator of Musl is already reasonably secure but not as secure as [hardened-malloc](https://github.com/GrapheneOS/hardened_malloc/):
 
 ```
 # apk add hardened-malloc
 ```
 
-Then to set it system wide edit `/etc/ld-musl-x86_64.path`:
+Then to set it system-wide edit `/etc/ld-musl-x86_64.path`:
 
 ```
 /usr/lib/libhardened_malloc.so
@@ -125,7 +123,7 @@ Then to set it system wide edit `/etc/ld-musl-x86_64.path`:
 /usr/local/lib
 ```
 
-You can also use the light variant of hardened-malloc because the default one may not work well with some graphical applications:
+The light variant of hardened-malloc may also be used instead of the default when problems with graphical applications occur.
 
 ```
 /usr/lib/libhardened_malloc-light.so
@@ -133,13 +131,13 @@ You can also use the light variant of hardened-malloc because the default one ma
 
 ## Entropy
 
-Improve the security of the system by improving the entropy and thus randomness. Install `jitterentropy-library`:
+Improve the security of the system by increasing the entropy. Install `jitterentropy-library`:
 
 ```
 # apk add jitterentropy-library
 ```
 
-And create a config file in `/etc/modules-load.d/jitterentropy.conf` so that the kernel module gets loaded:
+and create a config file in `/etc/modules-load.d/jitterentropy.conf` so that the kernel module gets loaded:
 
 ```
 jitterentropy_rng
@@ -155,13 +153,13 @@ First install PAM through `util-linux-login`:
 # apk add util-linux-login
 ```
 
-Delays can be a deterent against bruteforcing login attempts. Simply add this to the line in `/etc/pam.d/login`:
+Delays can be a deterent against bruteforcing login attempts. Simply add the following to the line in `/etc/pam.d/login`:
 
 ```
 auth optional pam_faildelay.so delay=5000000
 ```
 
-Which will add a 5 second delay between login attempts.
+which will add a 5 second delay between login attempts.
 
 The system can also enforce a stronger hash algorithm for a more secure login protector. Edit the file `/etc/pam.d/base-password` and add the line:
 
@@ -169,10 +167,10 @@ The system can also enforce a stronger hash algorithm for a more secure login pr
 password required pam_unix.so nullock sha512 shadow rounds=1000000
 ``` 
 
-If an account has already been made (which you shouldn't yet have at this point but still) then change your password so that it's also secure:
+> If an account has already been created then change your password so that it is also secure:
-
+>
-```
+> ```
-# passwd <username>
+> # passwd <username>
-```
+> ```
-
+> 
-> When choosing a password make sure it's atleast like 8 characters long.
+> When creating a password make sure that it is at least 8 characters long.

docs/alpine-desktop-setup/provisioning.md

@@ -28,13 +28,13 @@ Then to create the filesystem on the efi partition.
 # mkfs.fat -F 32 -n efi /dev/<disk1>
 ```
 
-The root partition of the system is going to be encrypted using `cryptsetup` but first generate a "key" that has to be used to unlock the device. Later on in the guide `clevis` will be used for automatic decryption so this key only has to be entered a few times before that is installed. But if any changes are made to the bios or secureboot then this key will be needed again so make sure to write it down somewhere safe like Bitwarden. Generate the key and safe it temporarily to the file `/tmp/crypt_passphrase.txt` with:
+The root partition of the system is going to be encrypted using `cryptsetup`. First generate a key that will be used to encrypt the device and safe it temporarily to the file `/tmp/crypt-key.txt` with:
 
 ```
-# cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 > /tmp/crypt_passphrase.txt && cat /tmp/crypt_passphrase.txt
+# cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 > /tmp/crypt-key.txt && cat /tmp/crypt-key.txt
 ```
 
-Make sure to write it down.
+Later on in the guide `clevis` will be used for automatic decryption so this key only has to be entered a only few times. However, if any changes are made to the bios or secureboot then this key will be needed again so make sure to write it down.
 
 Then format the partition using `cryptsetup`:
 
@@ -44,13 +44,13 @@ Then format the partition using `cryptsetup`:
 # cryptsetup open --type luks /dev/<disk2> luks
 ```
 
-Now to create a new LVM volume group (choose $n \in \mathbb{N}$ accordingly):
+Now to create a new LVM volume group choose $n \in \mathbb{N}$ accordingly:
 
 ```
 # vgcreate vg<n> /dev/mapper/luks
 ```
 
-To create partitions inside the volume group:
+Then create partitions inside the volume group:
 
 ```
 # lvcreate --name alp_root -L 16G vg<n>

mkdocs.yml

@@ -5,8 +5,6 @@ theme:
   name: material
   features:
     - navigation.instant
-    - navigation.instant.progress
-    - navigation.tracking
     - navigation.tabs
     - navigation.indexes
     - toc.follow
@@ -49,6 +47,7 @@ nav:
     - 'Provisioning': alpine-desktop-setup/provisioning.md
     - 'Installation': alpine-desktop-setup/installation.md
     - 'Post installation':
+      - alpine-desktop-setup/post-install/post-installation.md
       - 'Network': alpine-desktop-setup/post-install/network.md
       - 'Security': alpine-desktop-setup/post-install/security.md
       - 'Repositories': alpine-desktop-setup/post-install/repositories.md
@@ -101,7 +100,7 @@ nav:
         - 'Provisioning': void-desktop-setup/installation/provisioning.md
         - 'Installation': void-desktop-setup/installation/installation.md
     - 'Post installation':
-        - 'Config files': void-desktop-setup/post-installation/post-install.md
+        - void-desktop-setup/post-installation/post-installation.md
         - 'Users': void-desktop-setup/post-installation/users.md
         - 'Network': void-desktop-setup/post-installation/network.md
         - 'Linux-lts': void-desktop-setup/post-installation/linux-lts.md