Initial commit

10_install.txt

@@ -0,0 +1,172 @@
+# Use `cat` to get file with lines numbered
+cat -n install.txt
+
+# Use `eval` from `sed` on lines X-Y
+eval "$(sed -n X,Yp install.txt)"
+
+# Ensure ethernet connection is up
+ip link
+
+# Partition 512M for efi (code ef00) and rest for luks
+part /dev/nvme0n1
+
+mkfs.vfat /dev/nvme0n1p1
+
+# Create LUKS container
+cryptsetup luksFormat /dev/nvme0n1p2
+
+cryptsetup luksOpen /dev/nvme0n1p2 cryptoroot
+
+# Partition 4G for swap (code 8200) and the rest for solaris (code bf00)
+gpart /dev/mapper/cryptoroot
+
+# Make swap and swap on
+mkswap /dev/mapper/cryptoroot1
+swapon /dev/mapper/cryptoroot1
+
+# Double check everything is correct
+lsblk /dev/nvme0n1
+
+# Load zfs modules and ensure it's loaded
+modprobe zfs
+lsmod | grep -i zfs
+
+# Create root zpool
+zpool create -f \
+-O acltype=posixacl \
+-O relatime=on \
+-O dnodesize=auto \
+-O xattr=sa \
+-O normalization=formD \
+-O canmount=off \
+-O devices=off \
+-m none \
+-R /mnt \
+zroot /dev/mapper/cryptoroot2
+
+# Create datasets
+zfs create -o mountpoint=none zroot/data
+zfs create -o mountpoint=none -o compression=lz4 zroot/ROOT
+zfs create -o mountpoint=/ -o canmount=noauto zroot/ROOT/default
+zfs create -o mountpoint=/opt zroot/opt
+zfs create -o mountpoint=/var zroot/var
+zfs create zroot/var/log
+zfs create -o mountpoint=/var/lib -o canmount=off zroot/var/lib
+zfs create -o mountpoint=/home zroot/home
+zfs create -o mountpoint=/root zroot/home/root
+zfs create -o setuid=off -o devices=off -o sync=disabled -o mountpoint=/tmp zroot/tmp
+
+# Prepare zpool
+zpool export zroot
+zpool import -d /dev/mapper/cryptoroot2 -R /mnt zroot -N
+
+# Mount and check
+zfs mount zroot/ROOT/default
+zfs mount -a
+df -k
+
+# Prepare device for pool
+zpool set bootfs=zroot/ROOT/default zroot
+zpool set cachefile=/etc/zfs/zpool.cache zroot
+mkdir -p /mnt/{etc/zfs,boot/efi}
+cp /etc/zfs/zpool.cache /mnt/etc/zfs/zpool.cache
+
+# Mount boot part
+mount /dev/nvme0n1p1 /mnt/boot/efi
+
+# Install with pacstrap
+pacman -Syy
+pacstrap /mnt base dkms git intel-ucode linux linux-firmware linux-headers tmux vim zsh
+
+# Create fs table and change root into mount
+genfstab -U -p /mnt/etc/fstab
+arch-chroot /mnt
+
+# Remove zroot entries from fstab
+vim /etc/fstab
+
+# Add archzfs repository
+vim /etc/pacman.conf
+-----
+[archzfs]
+SigLevel = Optional TrustAll
+Server = https://zxcvfdsa.com/archzfs/$repo/$arch
+
+# Update repostories and install zfs-linux
+pacman -Syy
+pacman -S zfs-linux
+
+# 
+vim /etc/mkinitcpio.conf
+HOOKS=(base udev autodetect modconf block keyboard encrypt load_part resume zfs filesystems)
+# Create loader to probe cryptoroot partition
+cat > /etc/initcpio/install/load_part << EOFHOOK
+#!/bin/bash
+
+build() {
+        add_binary 'partprobe'
+        add_runscript
+}
+
+help() {
+        cat << HELPEOF
+Probes mapped LUKS container for partitions.
+HELPEOF
+}
+EOFHOOK
+cat > /etc/initcpio/hooks/load_part << EOFHOOK
+run_hook() {
+        partprobe /dev/mapper/cryptoroot
+}
+EOFHOOK
+
+# Update initramfs
+mkinitcpio -p linux
+
+# Install packages
+pacman -S base-devel dhcpcd efibootmgr grub openssh reflector rsync systemd-networkd terminus-font
+
+# Use blkid /dev/nvme0n1p2 for the uuid of cryptoroot and blkid /dev/mapper/cryptoroot2 for the uuid of the swap space and update the grub file
+vim /etc/default/grub
+-----
+GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-uuid/<uuid>:cryptoroot rw resume=UUID=<swap UUID> root=ZFS=zroot/ROOT/default"
+GRUB_ENABLE_CRYPTODISK=y
+
+# Create grub config
+grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ArchLinux
+grub-mkconfig -o /boot/grub/grub.cfg
+
+# Enable important systems
+systemctl enable systemd-networkd dhcpcd reflector.timer sshd
+systemctl enable zfs-import-cache zfs-import-scan zfs-mount zfs-share zfs-zed zfs.target
+
+# Setup
+ln -sf /usr/share/zoneinfo/Canada/Vancouver /etc/localtime
+hwclock --systohc
+
+# Make passwords
+passwd
+passwd iborrelli
+
+# Make wheel sudoers
+visudo
+-----
+%wheel ALL=(ALL) ALL
+
+# Backup reflector config and create new one
+cd /etc/xdg/reflector
+mv reflector.conf.orig
+vim reflector.conf
+-----
+--country CA
+--protocol https
+--latest 5
+--sort rate
+--save /etc/pacman.d/mirrorlist
+
+# Exit chroot and clean up
+exit
+umount /mnt/boot/efi
+zfs umount -a
+zpool export zroot
+reboot

11_load_from_install_medium.txt

@@ -0,0 +1,9 @@
+# To load from install medium run the following commands
+cryptsetup luksOpen /dev/nvme0n1p2 cryptoroot
+partprobe /dev/mapper/cryptoroot
+zpool import -d /dev/mapper/cryptoroot2 -R /mnt zroot -N
+zfs mount zroot/ROOT/default
+zfs mount -a
+swapon /dev/mapper/cryptoroot1
+mount /dev/nvme0n1p1 /mnt/boot
+arch-chroot /mnt

20_post_install.txt

@@ -0,0 +1,29 @@
+git clone https://aur.archlinux.org/paru.git
+cd paru
+makepkg -si
+# If using rustup then run the following when prompted: rustup install stable
+cd ..
+sudo rm -r paru
+
+paru -Syy
+
+# GUI
+paru -S --noconfirm greetd greetd-regreet hyprland zsh-theme-powerlevel10k-git nerd-fonts kitty oh-my-zsh-git neovim wl-clipboard wofi yazi
+
+# Copy the files in greetd/ to /etc/greetd
+sudo cp ./greetd/* /etc/greetd
+
+# Zinit
+bash -c "$(curl --fail --show-error --silent --location https://raw.githubusercontent.com/zdharma-continuum/zinit/HEAD/scripts/install.sh)"
+source ~/.zshrc
+zinit self-update
+
+# ZIM
+curl -fsSL https://raw.githubusercontent.com/zimfw/install/master/install.zsh | zsh
+
+# Apps
+paru -S filezilla firefox flatpak haveged libreoffice-fresh mpv neofetch qbittorrent vlc yt-dlp 
+
+# Development
+paru -S nodejs-n
+

21_nvim.txt

@@ -0,0 +1,3 @@
+paru -S nvim
+
+

30_hosting.txt

@@ -0,0 +1,28 @@
+paru -S nginx
+
+sudo systemctl enable nginx
+
+sudo mkdir /etc/nginx/sites-enabled
+sudo mkdir /etc/nginx/sites-available
+
+# Add to /etc/nginx/nginx.conf within the `http {}` block
+    include /etc/nginx/sites-enabled/*
+
+# Create configurations in /etc/nginx/sites-available and link with
+sudo ln -s /etc/nginx/sites-availabe/example.conf /etc/nginx/sites-enabled/
+
+# Create a dataset and group srvadmin for /srv
+sudo zfs create zroot/srv
+sudo groupadd srvadmin
+sudo chown -R root:srvadmin /srv
+sudo chmod -R 770 /srv
+sudo usermod -aG srvadmin $USER
+
+# Serve a site with index.html
+sudo cp ./index.html /srv/http
+sudo chown -R http:http /srv/http
+sudo chmod -R 755 /srv/http
+sudo chmod 644 /srv/http/index.html
+sudo cp turboteam.run /etc/nginx/sites-available/turboteam.run
+sudo ln -s /etc/nginx/sites-available/turboteam.run /etc/nginx/sites-enabled/
+sudo systemctl reload nginx

31_mail.txt

@@ -0,0 +1,58 @@
+paru -S postfix dovecot certbot certbot-nginx postfix-mysql roundcubemail postfixadmin
+
+sudo certbot --nginx -d mail.turboteam.run
+# Postfix
+
+sudo vim /etc/postfix/main.cf
+----
+myhostname = mail.turboteam.run
+mydomain = turboteam.run
+
+# Secure SMTP
+
+smtp_tls_security_level = may
+smtpd_use_tls = yes
+smtpd_tls_cert_file = /etc/letsencrypt/live/mail.turboteam.runpath/fullchain.pem
+smtpd_tls_key_file = /etc/letsencrypt/live/mail.turboteam.run/privkey.pem
+----
+
+sudo vim /etc/postfix/master.cf
+----
+submission inet n       -       n       -       -       smtpd
+#  Uncommented for Dovecot auth
+  -o smtpd_tls_security_level=encrypt
+  -o smtpd_sasl_auth_enable=yes
+
+#  Added for Dovecot auth
+  -o smtpd_sasl_type=dovecot
+  -o smtpd_sasl_path=private/auth
+  -o smtpd_sasl_security_options=noanonymous
+  -o smtpd_sasl_local_domain=$myhostname
+  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
+----
+
+# Dovecot SSL
+sudo cp /usr/share/doc/dovecot/dovecot-openssl.cnf /etc/ssl/dovecot-openssl.cnf
+sudo vim /etc/ssl/dovecot-openssl.cnf
+----
+# Common Name (*.example.com is also possible)
+CN=imap.turboteam.run
+
+# E-mail contact
+emailAddress=postmaster@turboteam.run
+----
+sudo /usr/lib/dovecot/mkcert.sh
+sudo cp /etc/ssl/certs/dovecot.pem /etc/ca-certificates/trust-source/anchors/dovecot.crt
+sudo trust extract-compat
+
+sudo systemctl restart postfix
+sudo systemctl enable postfix --now
+
+# Dovecot config
+sudo mkdir /etc/dovecot
+sudo cp /usr/share/doc/dovecot/example-config/dovecot.conf /etc/dovecot/
+sudo cp -r /usr/share/doc/dovecot/example-config/conf.d/ /etc/dovecot/
+
+sudo vim /etc/dovecot/conf.d/10-mail.conf
+mail_location = maildir:/var/mail/%u/Maildir

32_letsencrypt.txt

@@ -0,0 +1,10 @@
+paru -S certbot certbot-nginx bind
+
+sudo certbot --nginx
+
+sudo vim /usr/lib/systemd/system/certbot-renew.service
+# Add to the ExecStart command the following flag
+----
+--post-hook "systemctl reload nginx.service"
+
+sudo systemctl enable certbot-renew.timer --now

40_docker.txt

@@ -0,0 +1,19 @@
+paru -S docker docker-compose
+
+sudo groupadd docker
+sudo usermod -aG docker $USER
+newgrp docker
+
+sudo zfs create zroot/var/lib/docker
+sudo chown -R root:docker /var/lib/docker
+sudo chmod -R 750 /var/lib/docker
+
+sudo mkdir /etc/docker/
+sudo vim /etc/docker/daemon.json
+----
+{
+	"group": "srvadmin",
+	"storage-driver": "zfs"
+}
+
+sudo systemctl enable docker.socket --now

42_gitea.txt

@@ -0,0 +1,5 @@
+cp -r ./gitea/ /srv/
+sudo chown -R root:srvadmin /srv/gitea/
+sudo chmod -R 770 /srv/gitea/
+cd /srv/gitea/
+docker compose up -d

gitea/compose.yaml

@@ -0,0 +1,35 @@
+volumes:
+  gitea-data:
+    driver: local
+  gitea-config:
+    driver: local
+services:
+  server:
+    image: docker.gitea.com/gitea:1.23.6-rootless
+    environment:
+      - GITEA__database__DB_TYPE=mysql
+      - GITEA__database__HOST=db:3306
+      - GITEA__database__NAME=gitea
+      - GITEA__database__USER=gitea
+      - GITEA__database__PASSWD=gitea
+      - TZ=Canada/Vancouver
+    restart: always
+    volumes:
+      - gitea-data:/var/lib/gitea
+      - gitea-config:/etc/gitea
+    ports:
+      - "3001:3000"
+      - "2222:2222"
+    depends_on:
+      - db
+
+  db:
+    image: docker.io/library/mysql:8
+    restart: always
+    environment:
+      - MYSQL_ROOT_PASSWORD=gitea
+      - MYSQL_USER=gitea
+      - MYSQL_PASSWORD=gitea
+      - MYSQL_DATABASE=gitea
+    volumes:
+      - ./mysql:/var/lib/mysql

greetd/config.toml

@@ -0,0 +1,16 @@
+[terminal]
+# The VT to run the greeter on. Can be "next", "current" or a number
+# designating the VT.
+vt = 1
+
+# The default session, also known as the greeter.
+[default_session]
+
+# `agreety` is the bundled agetty/login-lookalike. You can replace `/bin/sh`
+# with whatever you want started, such as `sway`.
+command = "Hyprland --config /etc/greetd/hyprland.conf"
+
+# The user to run the command as. The privileges this user must have depends
+# on the greeter. A graphical greeter may for example require the user to be
+# in the `video` group.
+user = "iborrelli"

greetd/hyprland.conf

@@ -0,0 +1 @@
+exec-once = regreet; hyprctl dispatch exit