docs/desktop-os/posts/02-gentoo-openrc-install.md: update

Finalised this blog entry.
2025-08-09 13:48:10 +02:00 · 2025-08-09 13:48:10 +02:00 · 557424664f
commit 557424664f
parent ed531f8b79
1 changed files with 159 additions and 54 deletions
--- a/docs/desktop-os/posts/02-gentoo-openrc-install.md
+++ b/docs/desktop-os/posts/02-gentoo-openrc-install.md
@ -2,7 +2,7 @@
 title: A hardened Gentoo-Linux/openrc base installation
 slug: gentoo-openrc-base-install
 date: 2025-07-19
-draft: true
+draft: false
 authors:
    - nils
    - luc
@ -112,13 +112,9 @@ sh# zfs create -o mountpoint=/home -o atime=off -o setuid=off -o devices=off -o
 Write the encryption key to TPM with `zlevis`:

 ``` shell-session
-sh# zlevis encrypt rpool '{}' < /tmp/rpool.key
+sh# zlevis encrypt rpool '{"pcr_ids":"0,5,7"}' < /tmp/rpool.key
 ```

-> We are using the default configuration settings for `zlevis encrypt` but a different configuration is possible by setting `'{}'` accordingly.
-
-<break>
-
 > To check if it worked, perform `zlevis decrypt rpool`.

 Finally, export the zpool:
@ -168,10 +164,10 @@ Unpack the stage file in the root of the system:
 sh# tar -xpf stage3-*.tar.xz --numeric-owner -C /mnt
 ```

-To have a functional chroot into the system, copy resolv.conf and bind the system process directories:
+To have a functional chroot into the system, copy `resolv.conf` and bind the system process directories:

 ``` shell-session
-sh# cp /etc/resolv.conf /mnt/etc/
+sh# cp --dereference /etc/resolv.conf /mnt/etc/
 sh# for dir in dev proc sys run; do
 > mount --rbind --make-rslave /$dir /mnt/$dir
 > done
@ -280,37 +276,6 @@ Configure the kernel command-line to be able to boot correctly:
 rw root=ZFS=rpool/root/gentoo rootflags=noatime quiet splash
 ```

-The installation of the hardware firmware on the system, such as the CPU microcode, is hardware specific:
-
-=== "AMD CPU"
-
-    The microcode updates for systems with an AMD CPU are all contained in `sys-kernel/linux-firmware`, accept its license:
-
-    ``` shell title="/etc/portage/package.license/kernel"
-    sys-kernel/linux-firmware linux-fw-redistributable @BINARY-REDISTRIBUTABLE
-    ```
-
-    and emerge it:
-
-    ``` shell-session
-    sh# emerge -a sys-kernel/linux-firmware
-    ```
-
-=== "Intel CPU"
-
-    The microcode updates for systems with an Intel CPU require alongside `sys-kernel/linux-firmware` also `sys-kernel/intel-microcode`, accept its licenses:
-
-    ``` shell title="/etc/portage/package.license/kernel"
-    sys-kernel/linux-firmware linux-fw-redistributable @BINARY-REDISTRIBUTABLE
-    sys-firmware/intel-microcode intel-ucode
-    ```
-
-    and emerge them:
-
-    ``` shell-session
-    sh# emerge -a sys-kernel/linux-firmware sys-firmware/intel-microcode
-    ```
-
 Emerge `sbctl` and `sbsigntools` which will be used alongside `dracut` (1) to sign the build Unified Kernel Image (UKI):
 { .annotate }

@ -320,7 +285,7 @@ Emerge `sbctl` and `sbsigntools` which will be used alongside `dracut` (1) to si
 sh# emerge -a app-crypt/sbctl app-crypt/sbsigntools
 ```

-> Verify that secureboot mode is `on` and in `setup mode` with `sbctl status`.
+> Verify that secureboot is in `setup mode` with `sbctl status`.

 Create and enroll the secureboot keys into the system:

@ -352,23 +317,42 @@ Tell `portage` to generate a UKI when installing a kernel:
 sys-kernel/installkernel dracut ukify uki
 ```

-Emerge the configured Gentoo kernel and its necessary kernel modules for this system:
-
-``` shell-session
-sh# emerge -a sys-fs/zfs-kmod sys-kernel/gentoo-kernel
-```
-
 Set the required USE flags for `systemd-utils` such that on emerging the bootloader `systemd-boot` will be installed:

 ``` shell title="/etc/portage/package.use/systemd-utils"
 sys-apps/systemd-utils kernel-install boot ukify
 ```

-and emerge `systemd-utils`:
+The installation of the hardware firmware on the system, such as the CPU microcode, is hardware specific:

-``` shell-session
-sh# sys-apps/systemd-utils (sys-power/acpi sys-power/acpid sys-power/acpi_call)
-```
+=== "AMD CPU"
+
+    The microcode updates for systems with an AMD CPU are all contained in `sys-kernel/linux-firmware`, accept its license:
+
+    ``` shell title="/etc/portage/package.license/kernel"
+    sys-kernel/linux-firmware linux-fw-redistributable @BINARY-REDISTRIBUTABLE
+    ```
+
+    and emerge them together with the Gentoo kernel, its necessary kernel modules for this system and the bootloader:
+
+    ``` shell-session
+    sh# emerge -a sys-kernel/linux-firmware sys-fs/zfs-kmod sys-kernel/gentoo-kernel sys-apps/systemd-utils
+    ```
+
+=== "Intel CPU"
+
+    The microcode updates for systems with an Intel CPU require alongside `sys-kernel/linux-firmware` also `sys-kernel/intel-microcode`, accept its licenses:
+
+    ``` shell title="/etc/portage/package.license/kernel"
+    sys-kernel/linux-firmware linux-fw-redistributable @BINARY-REDISTRIBUTABLE
+    sys-firmware/intel-microcode intel-ucode
+    ```
+
+    and emerge them together with the Gentoo kernel, its necessary kernel modules for this system and the bootloader:
+
+    ``` shell-session
+    sh# emerge -a sys-kernel/linux-firmware sys-firmware/intel-microcode sys-fs/zfs-kmod sys-kernel/gentoo-kernel sys-apps/systemd-utils
+    ```

 Install the bootloader on the ESP:

@ -389,10 +373,16 @@ editor no

 > One may verify the signed files by running `sbctl verify`.

-Add some relevant services:
+Generate the `hostid` and reconfigure the Gentoo Kernel:
+
+``` shell-session
+sh# zgenhostid
+sh# emerge --config gentoo-kernel
+```
+
+Finally, add some services for `ZFS`:

 ``` shell-session
-sh# rc-update add acpid default
 sh# rc-update add zfs-mount sysinit
 sh# rc-update add zfs-import sysinit #(1)!
 sh# rc-update add zfs-load-key sysinit #(2)!
@ -460,12 +450,38 @@ add_dracutmodules+=" zlevis "

 ### Swap

+To add swap to the system emerge `zram-init`:
+
+``` shell-session
+sh# emerge -a sys-block/zram-init
+```
+
+Configure `zram-init` to create a swap device of size one fourth of the ram size:
+
+``` shell title="/etc/conf.d/zram-init"
+load_on_start="yes"
+unload_on_stop="yes"
+num_devices="1"
+
+type0="swap"
+size0=`LC_ALL=C free -m | awk '/^Mem:/{print int($2/4)}'`
+maxs0=1
+algo0=zstd
+labl0=zram_swap
+```
+
+and add `zram-init` to the default runlevel:
+
+``` shell-session
+sh# rc-update add zram-init default
+```
+
 ### Compiler cache

 Compiler cache can speed up recompile's, by avoiding recompilation of the same object files by fetching the result from a cache directory. The package `ccache` enables a compiler cache for `C/C++` object files, present in the Gentoo Kernel for example. Emerge it with:

 ``` shell-session
-sh# emerge -a dev-utils/ccache
+sh# emerge -a dev-util/ccache
 ```

 and edit its configuration file:
@ -498,6 +514,95 @@ sys-kernel/gentoo-kernel enable-ccache.conf

 ### Users

+To run processes securely, in an environment with fewer privileges, a user is necessary. 
+
+Before creating the user, emerge `doas`, to be able to "do as" root when it is required:
+
+which requires us to set:
+
+``` shell title="/etc/portage/package.use/doas"
+app-admin/doas persist
+```
+
+then
+
+``` shell-session
+sh# emerge -a app-admin/doas
+```
+
+and configure `doas` by editing:
+
+``` shell title="/etc/doas.d/wheel.conf"
+permit persist :wheel as root
+```
+
+Now users who are in the `wheel` group are allowed to use the doas command to gain root privileges.
+
+We can add a user, set its password and add it to the `wheel` group (if admin) with:
+
+``` shell-session
+sh# useradd -m -G wheel -s /bin/bash <username>
+sh# passwd <username>
+```
+
+The `wheel` group should ideally only be assigned to one singular admin account. The users in the group are allowed to use the doas command to gain root privileges. This is necessary for installing packages and changing system files but not for a normal user.
+
+If you have checked that doas works with the user then you can lock the root account because it imposes security risks if it is kept open. This can be done with:
+
+``` shell-session
+sh# passwd -l root
+```
+
+and by changing its login shell to:
+
+``` shell title="/etc/passwd"
+root:x:0:0:root:/root:/sbin/nologin
+```
+
 ### Networking

-## Concluding remarks
+For desktop use `NetworkManager` is preferred over `dhcpcd` as network daemon, due to its versatility, i.e. Wi-Fi and VPN compatibility, MAC randomisation, et cetera. 
+
+First set the relevant USE flags:
+
+``` shell title="/etc/portage/package.use/networkmanager"
+net-misc/networkmanager dhcpcd -wext
+```
+
+> Also make sure the `networkmanager` USE flag is enabled in your `make.conf`.
+
+Now emerge `networkmanager`:
+
+``` shell-session
+sh# emerge -a net-misc/networkmanager
+```
+
+and configure `networkmanager` to have MAC randomisation by editing:
+
+``` shell title="/etc/NetworkManager/NetworkManager.conf"
+[main]
+hostname-mode=none
+plugins=ifupdown,keyfile
+
+[ifupdown]
+managed=true
+
+[device]
+wifi.scan-rand-mac-address=yes
+
+[connection-mac-randomization]
+ethernet.cloned-mac-address=random
+wifi.cloned-mac-address=random
+```
+
+Then stop any other network service, such as `dhcpcd` running in the dynamic runlevel, and enable `NetworkManager`:
+
+``` shell-session
+sh# rc-update add NetworkManager default
+```
+
+For users to be able to modify connections on the system they will have to be added to the `plugdev` group.
+
+## Concluding remarks
+
+This is the bare minimum for a Gentoo Linux desktop system. Some additional features such as bluetooth, laptop battery management, printer compatiblity, et cetera, have been documented well in the [Gentoo Wiki](https://wiki.gentoo.org/wiki/Main_Page), and can thus be found there. The next steps are the improvement of the security of the system and the configuration of the graphical session.