1 year ago · 7e4d27ac4d
--- a/chroot.sh
+++ b/chroot.sh
@@ -5,9 +5,10 @@ error_exit() {
 
				     exit 1
			
 
				 }
			
 
				 
			
 
				-while true; do
			
 
				-    passwd && break
			
 
				-done
			
 
				+mkdir /etc/systemd/system/getty@tty1.service.d
			
 
				+echo '[Service]
			
 
				+ExecStart=
			
 
				+ExecStart=-/sbin/agetty -o "-p -f -- \\u" --noclear --autologin root %I $TERM' > /etc/systemd/system/getty@tty1.service.d/autologin.conf
			
 
				 
			
 
				 DRIVE=$(cat drive)
			
 
				 
			
@@ -21,16 +22,16 @@ locale-gen
 
				 
			
 
				 systemctl enable NetworkManager
			
 
				 
			
 
				-# mount /dev/"$DRIVE"1 /efi
			
 
				 mkdir -p /efi/EFI/Linux
			
 
				 test -d /efi/EFI || error_exit "Error: EFI partition could not be mounted correctly."
			
 
				 
			
 
				 sed -i 's/block filesystems/block encrypt filesystems/' /etc/mkinitcpio.conf
			
 
				-mkinitcpio -p linux
			
 
				+mkinitcpio -P
			
 
				 
			
 
				 root_uuid="$(grep ext4 /etc/fstab | sed 's/^UUID=//; s/\s\/.*$//')"
			
 
				+drive2_uuid="$(blkid | grep "$DRIVE"2 | tr ' ' '\n' | grep ^UUID= | sed 's/^UUID="//; s/"//')"
			
 
				 
			
 
				-echo "BOOT_IMAGE=/boot/vmlinuz-linux root=UUID=$root_uuid rw cryptdevice=/dev/sda2:cryptroot loglevel=0 quiet udev.log_level=3" > /etc/kernel/cmdline
			
 
				+echo "BOOT_IMAGE=/boot/vmlinuz-linux-hardened root=UUID=$root_uuid rw cryptdevice=$drive2_uuid:cryptroot loglevel=0 quiet udev.log_level=3" > /etc/kernel/cmdline
			
 
				 chmod +w /etc/kernel/cmdline
			
 
				 
			
 
				 sb_status="$(sbctl status)"
			
@@ -40,8 +41,8 @@ echo "$sb_status" | grep "^Vendor Keys:" | grep -q "none" || error_exit "Error:
 
				 
			
 
				 sbctl bundle -s \
			
 
				     -a /boot/amd-ucode.img \
			
 
				-    -k /boot/vmlinuz-linux \
			
 
				-    -f /boot/initramfs-linux.img \
			
 
				+    -k /boot/vmlinuz-linux-hardened \
			
 
				+    -f /boot/initramfs-linux-hardened.img \
			
 
				     -c /etc/kernel/cmdline \
			
 
				     /efi/EFI/Linux/ArchBundle.efi
			
 
				 
			
--- a/dot-config/mpv/mpv.conf
+++ b/dot-config/mpv/mpv.conf
@@ -1,2 +0,0 @@
 
				-hwdec=auto
			
 
				-fs=yes
			
--- a/local-bin/show-pulpit-in
+++ b/local-bin/show-pulpit-in
@@ -3,6 +3,6 @@
 
				 while true; do
			
 
				     mpv "$(~/.local/bin/get-pulpit-device)" --no-cache --untimed \
			
 
				         --no-demuxer-thread --video-sync=audio --vd-lavc-threads=1 \
			
 
				-        --no-resume-playback --title="pulpit_in"
			
 
				-        sleep 0.5
			
 
				+        --no-resume-playback --title="pulpit_in" --fs --hwdec=auto
			
 
				+        sleep 0.1
			
 
				 done
			
--- a/local-bin/show-rtmp-in
+++ b/local-bin/show-rtmp-in
@@ -5,6 +5,6 @@ RTMP_KEY="$(cat /etc/videopc_rtmp_key)"
 
				 while true; do
			
 
				     mpv rtmp://localhost:1935/live/"$RTMP_KEY" --no-cache --untimed \
			
 
				         --no-demuxer-thread --video-sync=audio --vd-lavc-threads=1 \
			
 
				-        --no-resume-playback --title="rtmp_in"
			
 
				-        sleep 0.5
			
 
				+        --no-resume-playback --title="rtmp_in" --fs --hwdec=auto
			
 
				+        sleep 0.1
			
 
				 done
			
--- a/stage1.sh
+++ b/stage1.sh
@@ -56,15 +56,12 @@ mount /dev/"$DRIVE"1 /mnt/efi
 
				 
			
 
				 pacman -Sy --noconfirm archlinux-keyring
			
 
				 
			
 
				-pacstrap /mnt base linux linux-firmware networkmanager sbctl amd-ucode efibootmgr cryptsetup tpm2-tss
			
 
				+pacstrap /mnt base linux-hardened linux-firmware networkmanager sbctl amd-ucode efibootmgr tpm2-tss
			
 
				 
			
 
				 genfstab -U /mnt >> /mnt/etc/fstab
			
 
				 mv drive /mnt
			
 
				 mv videopc_api_key videopc_rtmp_key /mnt/etc
			
 
				 echo "videopc" > /mnt/etc/hostname
			
 
				 
			
 
				-cp chroot.sh /mnt
			
 
				+cp chroot.sh stage2.sh /mnt
			
 
				 arch-chroot /mnt bash chroot.sh
			
 
				-rm /mnt/chroot.sh
			
 
				-
			
 
				-cp stage2.sh /mnt
			
--- a/stage2.sh
+++ b/stage2.sh
@@ -34,14 +34,16 @@ echo "$sb_status" | grep "^Secure Boot:" | grep -q "Enabled" || error_exit "Erro
 
				 
			
 
				 grep -q "^2$" /sys/class/tpm/tpm*/tpm_version_major || error_exit "Error: No tpm2 devices found."
			
 
				 
			
 
				-systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/sda2 || error_exit "Error: Failed to enroll luks2 key into tpm2"
			
 
				+drive2_uuid="$(sed 's/^.*cryptdevice=//; s/:cryptroot.*$//' /etc/kernel/cmdline)"
			
 
				+drive2_drive="$(blkid | grep "$drive2_uuid" | tr ' ' '\n' | grep '^.*:$' | sed 's/://')"
			
 
				+
			
 
				+systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 "$drive2_drive" || error_exit "Error: Failed to enroll luks2 key into tpm2"
			
 
				 
			
 
				 sed -i 's/block encrypt/block sd-encrypt/' /etc/mkinitcpio.conf
			
 
				 sed -i 's/base udev/base systemd/' /etc/mkinitcpio.conf
			
 
				 sed -i 's/keyboard keymap consolefont/keyboard sd-vconsole/' /etc/mkinitcpio.conf
			
 
				 
			
 
				-sda2_uuid="$(blkid | grep sda2 | tr ' ' '\n' | grep ^UUID= | sed 's/^UUID="//; s/"//')"
			
 
				-sed -i "s/cryptdevice=\/dev\/sda2:cryptroot/rd.luks.name=$sda2_uuid=cryptroot/" /etc/kernel/cmdline
			
 
				+sed -i "s/cryptdevice=$drive2_uuid:cryptroot/rd.luks.name=$drive2_uuid=cryptroot/" /etc/kernel/cmdline
			
 
				 
			
 
				 mkinitcpio -P || error_exit "Error: Failed to update mkinitcpio"
			
 
				 
			
@@ -149,7 +151,7 @@ systemctl enable mediamtx
 
				 
			
 
				 make_user_owner_of_HOME_and_mnt_dirs
			
 
				 
			
 
				-# setup autologin
			
 
				+# setup user autologin
			
 
				 echo -e "\e[0;30;34mSetting up Autologin ...\e[0m"
			
 
				 systemctl enable greetd
			
 
				 echo '[initial_session]
			
@@ -159,3 +161,7 @@ user = "videopc"' >> /etc/greetd/config.toml
 
				 # enable sshd daemon
			
 
				 echo -e "\e[0;30;34mEnabling sshd daemon ...\e[0m"
			
 
				 systemctl enable sshd
			
 
				+
			
 
				+# remove root autologin
			
 
				+echo -e "\e[0;30;34mRemoving root autologin ...\e[0m"
			
 
				+rm -rf /etc/systemd/system/getty@tty1.service.d