My personal dotfiles for swaywm on Arch Linux.
Sway should be started from a TTY with runsway, which adds some helpful environment variables.
- Install `firefox-user-autoconfig` from AUR.
- Go to `about:profiles` and under `Profile: default`, click on Open Directory next to Root Directory.
- Open a terminal at that location and run the following:

```sh
ln -s ../chrome
```
Archinstall should be able to encrypt your root and other partitions. In case you want to encrypt a new partition:

```sh
# format + key the partition
cryptsetup luksFormat /dev/nvme0n1p4
cryptsetup luksOpen /dev/nvme0n1p4 nvme0n1p4_crypt
# add a filesystem of your choosing
mkfs.xfs -f /dev/mapper/nvme0n1p4_crypt
```

Make sure that the partition table knows it's encrypted:

```sh
sudo gdisk /dev/nvme0n1
# press t (to change partition type code), 4 (for the 4th partition), 8309 (short hex code for generic Linux LUKS), w (to write to partition table), Y (to confirm)
```

To automatically unlock it when your root partition is decrypted:

```sh
# create a key
dd if=/dev/urandom of=/etc/cryptsetup-keys.d/ainstnvme0n1p4.key bs=512 count=1
chmod 400 /etc/cryptsetup-keys.d/ainstnvme0n1p4.key
# allow the partition to be unlocked by the key in addition to the password
cryptsetup luksAddKey /dev/nvme0n1p4 /etc/cryptsetup-keys.d/ainstnvme0n1p4.key
# tell systemd which key to use (crypttab fields: mapper name, device, key file, options;
# the mapper name "xfs" means the unlocked device appears as /dev/mapper/xfs)
# no-read-workqueue,no-write-workqueue are performance optimizations for SSDs: https://wiki.archlinux.org/title/Dm-crypt/Specialties#Disable_workqueue_for_increased_solid_state_drive_(SSD)_performance
echo xfs /dev/nvme0n1p4 /etc/cryptsetup-keys.d/ainstnvme0n1p4.key luks,no-read-workqueue,no-write-workqueue >> /etc/crypttab
```

I use the containerd image store:
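Because the key file in /etc/cryptsetup-keys.d unlocks the partition without a passphrase, its permissions matter as much as the LUKS header. As an added example (not part of these dotfiles), here is a POSIX sh audit that parses /etc/crypttab style entries and reports key files that are missing or not mode 0400; the crypttab and key files it checks in the demo are constructed samples in a temporary directory, and the `audit_crypttab` / `check_keyfile` names are my own.

```shell
#!/bin/sh
# Added example, not part of the dotfiles: audit crypttab key-file permissions.
# Assumes coreutils stat(1) for the octal mode.

# check_keyfile PATH -> prints each problem, returns 0 when the file is acceptable
check_keyfile() {
    f="$1"
    [ -f "$f" ] || { echo "missing key file: $f"; return 1; }
    mode=$(stat -c '%a' "$f")
    [ "$mode" = "400" ] || { echo "bad mode $mode on $f (want 400)"; return 1; }
    return 0
}

# audit_crypttab CRYPTTAB -> checks the key file of every entry, returns the
# number of entries whose key file is unacceptable (0 means all good)
audit_crypttab() {
    bad=0
    while read -r name dev key opts; do
        case "$name" in ''|\#*) continue ;; esac   # blank line or comment
        case "$key" in ''|none|-) continue ;; esac # passphrase-unlocked, nothing to check
        check_keyfile "$key" || bad=$((bad + 1))
    done < "$1"
    return "$bad"
}

# Demo on constructed input: a throwaway directory stands in for /etc.
demo=$(mktemp -d)
printf 'k' > "$demo/good.key";  chmod 400 "$demo/good.key"
printf 'k' > "$demo/loose.key"; chmod 644 "$demo/loose.key"
cat > "$demo/crypttab" <<EOF
# name       device            keyfile            options
cryptroot    /dev/nvme0n1p2    none               luks
xfs          /dev/nvme0n1p4    $demo/good.key     luks,no-read-workqueue,no-write-workqueue
loose        /dev/nvme0n1p5    $demo/loose.key    luks
EOF
if audit_crypttab "$demo/crypttab"; then
    echo "crypttab OK"
else
    echo "crypttab has $? entries with a bad key file"
fi
rm -rf "$demo"
```

Run it as root against the real file with `audit_crypttab /etc/crypttab`; the demo flags only `loose.key`, since the root entry has no key file and `good.key` is already 0400.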
```sh
sudo mkdir -p /etc/docker
echo '{
  "features": {
    "containerd-snapshotter": true
  }
}' | sudo tee /etc/docker/daemon.json
```

and /xfs as the image store directory. Set `root = '/xfs/containerd'` in /etc/containerd/config.toml and create a directory owned by root:

```sh
sudo mkdir /xfs/containerd
sudo chmod 755 /xfs/containerd
```

If you want to move data from your old location, you can rsync it over:

```sh
sudo rsync -avxP /var/lib/containerd/ /xfs/containerd
sudo rm -rf /var/lib/containerd/*
```

Additionally, the systemd cgroup setting should be configured on cgroup v2 kernels:

```toml
[plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runc.options]
  SystemdCgroup = true
```

XFS is one of the better options for the image store. It's pretty optimal out of the box, but you can add the noatime,nodiratime options to your /etc/fstab.
You can use the newer xe driver instead of the old i915 driver. Find the hex code of your device:

```sh
lspci -nnd ::03xx
# 00:02.0 VGA compatible controller [0300]: Intel Corporation Lunar Lake [Intel Arc Graphics 130V / 140V] [8086:64a0] (rev 04)
```

The hex code above is 64a0. Then add the following to your kernel params (e.g. in /boot/loader/entries/foo.conf), replacing the hex code with yours:

```
i915.force_probe=!64a0 xe.force_probe=64a0
```
Using the Mullvad WireGuard interface (wg0-mullvad) for sandboxing via firejail:

/usr/local/bin/firejail-bridge-up.sh

```sh
#!/bin/bash
# Bridge setup: br0 is the sandbox-side network, 10.10.20.1 is its gateway
ip link add br0 type bridge
ip addr add 10.10.20.1/24 dev br0
ip link set br0 up
# Enable forwarding so the host routes between br0 and the VPN interface
echo 1 > /proc/sys/net/ipv4/ip_forward
# Forward rules for the bridge: outbound only towards the VPN, replies back in
iptables -A FORWARD -i br0 -o wg0-mullvad -j ACCEPT
iptables -A FORWARD -i wg0-mullvad -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# NAT through the VPN
iptables -t nat -A POSTROUTING -o wg0-mullvad -s 10.10.20.0/24 -j MASQUERADE
```

/usr/local/bin/firejail-bridge-down.sh

```sh
#!/bin/bash
# Remove the rules added by the up script, then tear down the bridge
iptables -D FORWARD -i br0 -o wg0-mullvad -j ACCEPT
iptables -D FORWARD -i wg0-mullvad -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -D POSTROUTING -o wg0-mullvad -s 10.10.20.0/24 -j MASQUERADE
ip link set br0 down
ip link del br0
```

/etc/systemd/system/firejail-bridge.service

```ini
[Unit]
Description=Firejail bridge for Mullvad
After=network-online.target wg-quick@wg0-mullvad.service
Wants=network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/firejail-bridge-up.sh
ExecStop=/usr/local/bin/firejail-bridge-down.sh

[Install]
WantedBy=multi-user.target
```

Start the services:

```sh
systemctl enable --now firejail-bridge
systemctl enable --now --user ipfs
```

Then you'll have to use firejail (e.g. `firejail --join= COMMAND`) to access the IPFS daemon and its RPC. The `sfpi` script in this repo does this for you.
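The bridge scripts above rely on the FORWARD rules to keep sandboxed traffic on the VPN, but the up script leaves the FORWARD chain's default policy untouched; if that policy is ACCEPT (the iptables default), packets from br0 can still be forwarded out of another interface whenever wg0-mullvad is down. As an added example (not part of these dotfiles), here is a POSIX sh audit that reads iptables-save style output and flags any rule letting 10.10.20.0/24 leave through an interface other than wg0-mullvad, as well as the missing fail-closed drop. The rule dumps it checks are constructed samples, and `audit_forward_rules` is my own name.

```shell
#!/bin/sh
# Added example, not part of the dotfiles: check an iptables-save dump for
# sandbox traffic that could bypass the Mullvad interface.

# audit_forward_rules RULESET_FILE -> prints each problem, returns their count
# (0 means every path out of br0 / 10.10.20.0/24 goes through wg0-mullvad and
# everything else from br0 is explicitly dropped)
audit_forward_rules() {
    leaks=0
    policy_accept=0
    br0_drop=0
    while read -r line; do
        case "$line" in
            ":FORWARD ACCEPT"*) policy_accept=1 ;;
            "-A FORWARD -i br0 "*"-j DROP"*|"-A FORWARD -i br0 "*"-j REJECT"*) br0_drop=1 ;;
            "-A FORWARD -i br0 "*|"-A POSTROUTING "*"-s 10.10.20.0/24 "*)
                case "$line" in
                    *"-o wg0-mullvad "*) ;;                       # stays on the VPN
                    *) echo "leak: $line"; leaks=$((leaks + 1)) ;; # any other egress
                esac ;;
        esac
    done < "$1"
    if [ "$policy_accept" = 1 ] && [ "$br0_drop" = 0 ]; then
        echo "FORWARD policy is ACCEPT and no rule drops other traffic from br0"
        leaks=$((leaks + 1))
    fi
    return "$leaks"
}

# Demo on constructed dumps standing in for `iptables-save` output.
demo=$(mktemp -d)
# What the up script leaves behind: correct rules, but nothing fails closed.
cat > "$demo/as-is.rules" <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i br0 -o wg0-mullvad -j ACCEPT
-A FORWARD -i wg0-mullvad -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.20.0/24 -o wg0-mullvad -j MASQUERADE
COMMIT
EOF
# Same rules plus a final drop for anything else leaving br0.
cat > "$demo/closed.rules" <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i br0 -o wg0-mullvad -j ACCEPT
-A FORWARD -i wg0-mullvad -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -j DROP
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.20.0/24 -o wg0-mullvad -j MASQUERADE
COMMIT
EOF
for f in as-is closed; do
    if audit_forward_rules "$demo/$f.rules"; then
        echo "$f: sandbox traffic is pinned to wg0-mullvad"
    else
        echo "$f: $? problem(s) found"
    fi
done
rm -rf "$demo"
```

On the live host, run `iptables-save | audit_forward_rules /dev/stdin` as root; the `as-is` sample reports the missing drop, the `closed` sample passes. The extra `-A FORWARD -i br0 -j DROP` after the two ACCEPT rules is what makes the setup fail closed when the VPN interface disappears.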
Other people's helpful dotfiles: