From 32b32bd61549ef44c585a5c8176981f255f3c532 Mon Sep 17 00:00:00 2001 From: Sorin Pânca Date: Mon, 22 May 2023 15:58:50 +0300 Subject: Add support for mDNS. --- configs/releng/airootfs/etc/systemd/network/20-ethernet.network | 1 + configs/releng/airootfs/etc/systemd/network/20-wlan.network | 1 + configs/releng/airootfs/etc/systemd/resolved.conf.d/archiso.conf | 4 ++++ 3 files changed, 6 insertions(+) create mode 100644 configs/releng/airootfs/etc/systemd/resolved.conf.d/archiso.conf (limited to 'configs/releng/airootfs/etc') diff --git a/configs/releng/airootfs/etc/systemd/network/20-ethernet.network b/configs/releng/airootfs/etc/systemd/network/20-ethernet.network index 9ada778..ce8de1f 100644 --- a/configs/releng/airootfs/etc/systemd/network/20-ethernet.network +++ b/configs/releng/airootfs/etc/systemd/network/20-ethernet.network @@ -7,6 +7,7 @@ Name=eth* [Network] DHCP=yes +MulticastDNS=yes IPv6PrivacyExtensions=yes # systemd-networkd does not set per-interface-type default route metrics diff --git a/configs/releng/airootfs/etc/systemd/network/20-wlan.network b/configs/releng/airootfs/etc/systemd/network/20-wlan.network index 601d5b8..e5990bf 100644 --- a/configs/releng/airootfs/etc/systemd/network/20-wlan.network +++ b/configs/releng/airootfs/etc/systemd/network/20-wlan.network @@ -3,6 +3,7 @@ Name=wl* [Network] DHCP=yes +MulticastDNS=yes IPv6PrivacyExtensions=yes # systemd-networkd does not set per-interface-type default route metrics diff --git a/configs/releng/airootfs/etc/systemd/resolved.conf.d/archiso.conf b/configs/releng/airootfs/etc/systemd/resolved.conf.d/archiso.conf new file mode 100644 index 0000000..636f3bd --- /dev/null +++ b/configs/releng/airootfs/etc/systemd/resolved.conf.d/archiso.conf @@ -0,0 +1,4 @@ +# Default systemd-resolved configuration for archiso + +[Resolve] +MulticastDNS=yes -- cgit v1.2.3-70-g09d2 From eb5720331bf72ae9ac97d77b0f7c48c3a3fb7980 Mon Sep 17 00:00:00 2001 From: nl6720 Date: Thu, 1 Jun 2023 10:06:07 +0300 Subject: configs/: move custom mkinitcpio.conf files to /etc/mkinitcpio.conf.d/ This allows to retain a pristine /etc/mkinitcpio.conf in the rootfs. --- CHANGELOG.rst | 2 + configs/baseline/airootfs/etc/mkinitcpio.conf | 67 ---------------------- .../airootfs/etc/mkinitcpio.conf.d/archiso.conf | 67 ++++++++++++++++++++++ .../airootfs/etc/mkinitcpio.d/linux.preset | 2 +- configs/releng/airootfs/etc/mkinitcpio.conf | 67 ---------------------- .../airootfs/etc/mkinitcpio.conf.d/archiso.conf | 67 ++++++++++++++++++++++ .../releng/airootfs/etc/mkinitcpio.d/linux.preset | 2 +- 7 files changed, 138 insertions(+), 136 deletions(-) delete mode 100644 configs/baseline/airootfs/etc/mkinitcpio.conf create mode 100644 configs/baseline/airootfs/etc/mkinitcpio.conf.d/archiso.conf delete mode 100644 configs/releng/airootfs/etc/mkinitcpio.conf create mode 100644 configs/releng/airootfs/etc/mkinitcpio.conf.d/archiso.conf (limited to 'configs/releng/airootfs/etc') diff --git a/CHANGELOG.rst b/CHANGELOG.rst index cab4633..18051a6 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -11,6 +11,8 @@ Added Changed ------- +- Moved custom ``mkinitcpio.conf`` files to ``/etc/mkinitcpio.conf.d/archiso.conf``. + Deprecated ---------- diff --git a/configs/baseline/airootfs/etc/mkinitcpio.conf b/configs/baseline/airootfs/etc/mkinitcpio.conf deleted file mode 100644 index 34b1a06..0000000 --- a/configs/baseline/airootfs/etc/mkinitcpio.conf +++ /dev/null @@ -1,67 +0,0 @@ -# vim:set ft=sh -# MODULES -# The following modules are loaded before any boot hooks are -# run. Advanced users may wish to specify all system modules -# in this array. For instance: -# MODULES=(piix ide_disk reiserfs) -MODULES=() - -# BINARIES -# This setting includes any additional binaries a given user may -# wish into the CPIO image. This is run last, so it may be used to -# override the actual binaries included by a given hook -# BINARIES are dependency parsed, so you may safely ignore libraries -BINARIES=() - -# FILES -# This setting is similar to BINARIES above, however, files are added -# as-is and are not parsed in any way. This is useful for config files. -FILES=() - -# HOOKS -# This is the most important setting in this file. The HOOKS control the -# modules and scripts added to the image, and what happens at boot time. -# Order is important, and it is recommended that you do not change the -# order in which HOOKS are added. Run 'mkinitcpio -H ' for -# help on a given hook. -# 'base' is _required_ unless you know precisely what you are doing. -# 'udev' is _required_ in order to automatically load modules -# 'filesystems' is _required_ unless you specify your fs modules in MODULES -# Examples: -## This setup specifies all modules in the MODULES setting above. -## No raid, lvm2, or encrypted root is needed. -# HOOKS=(base) -# -## This setup will autodetect all modules for your system and should -## work as a sane default -# HOOKS=(base udev autodetect block filesystems) -# -## This setup will generate a 'full' image which supports most systems. -## No autodetection is done. -# HOOKS=(base udev block filesystems) -# -## This setup assembles a pata mdadm array with an encrypted root FS. -## Note: See 'mkinitcpio -H mdadm' for more information on raid devices. -# HOOKS=(base udev block mdadm encrypt filesystems) -# -## This setup loads an lvm2 volume group on a usb device. -# HOOKS=(base udev block lvm2 filesystems) -# -## NOTE: If you have /usr on a separate partition, you MUST include the -# usr, fsck and shutdown hooks. -HOOKS=(base udev modconf archiso block filesystems) - -# COMPRESSION -# Use this to compress the initramfs image. By default, gzip compression -# is used. Use 'cat' to create an uncompressed image. -#COMPRESSION="gzip" -#COMPRESSION="bzip2" -#COMPRESSION="lzma" -#COMPRESSION="xz" -#COMPRESSION="lzop" -#COMPRESSION="lz4" -#COMPRESSION="zstd" - -# COMPRESSION_OPTIONS -# Additional options for the compressor -#COMPRESSION_OPTIONS=() diff --git a/configs/baseline/airootfs/etc/mkinitcpio.conf.d/archiso.conf b/configs/baseline/airootfs/etc/mkinitcpio.conf.d/archiso.conf new file mode 100644 index 0000000..34b1a06 --- /dev/null +++ b/configs/baseline/airootfs/etc/mkinitcpio.conf.d/archiso.conf @@ -0,0 +1,67 @@ +# vim:set ft=sh +# MODULES +# The following modules are loaded before any boot hooks are +# run. Advanced users may wish to specify all system modules +# in this array. For instance: +# MODULES=(piix ide_disk reiserfs) +MODULES=() + +# BINARIES +# This setting includes any additional binaries a given user may +# wish into the CPIO image. This is run last, so it may be used to +# override the actual binaries included by a given hook +# BINARIES are dependency parsed, so you may safely ignore libraries +BINARIES=() + +# FILES +# This setting is similar to BINARIES above, however, files are added +# as-is and are not parsed in any way. This is useful for config files. +FILES=() + +# HOOKS +# This is the most important setting in this file. The HOOKS control the +# modules and scripts added to the image, and what happens at boot time. +# Order is important, and it is recommended that you do not change the +# order in which HOOKS are added. Run 'mkinitcpio -H ' for +# help on a given hook. +# 'base' is _required_ unless you know precisely what you are doing. +# 'udev' is _required_ in order to automatically load modules +# 'filesystems' is _required_ unless you specify your fs modules in MODULES +# Examples: +## This setup specifies all modules in the MODULES setting above. +## No raid, lvm2, or encrypted root is needed. +# HOOKS=(base) +# +## This setup will autodetect all modules for your system and should +## work as a sane default +# HOOKS=(base udev autodetect block filesystems) +# +## This setup will generate a 'full' image which supports most systems. +## No autodetection is done. +# HOOKS=(base udev block filesystems) +# +## This setup assembles a pata mdadm array with an encrypted root FS. +## Note: See 'mkinitcpio -H mdadm' for more information on raid devices. +# HOOKS=(base udev block mdadm encrypt filesystems) +# +## This setup loads an lvm2 volume group on a usb device. +# HOOKS=(base udev block lvm2 filesystems) +# +## NOTE: If you have /usr on a separate partition, you MUST include the +# usr, fsck and shutdown hooks. +HOOKS=(base udev modconf archiso block filesystems) + +# COMPRESSION +# Use this to compress the initramfs image. By default, gzip compression +# is used. Use 'cat' to create an uncompressed image. +#COMPRESSION="gzip" +#COMPRESSION="bzip2" +#COMPRESSION="lzma" +#COMPRESSION="xz" +#COMPRESSION="lzop" +#COMPRESSION="lz4" +#COMPRESSION="zstd" + +# COMPRESSION_OPTIONS +# Additional options for the compressor +#COMPRESSION_OPTIONS=() diff --git a/configs/baseline/airootfs/etc/mkinitcpio.d/linux.preset b/configs/baseline/airootfs/etc/mkinitcpio.d/linux.preset index 9f67184..8e85205 100644 --- a/configs/baseline/airootfs/etc/mkinitcpio.d/linux.preset +++ b/configs/baseline/airootfs/etc/mkinitcpio.d/linux.preset @@ -3,6 +3,6 @@ PRESETS=('archiso') ALL_kver='/boot/vmlinuz-linux' -ALL_config='/etc/mkinitcpio.conf' +archiso_config='/etc/mkinitcpio.conf.d/archiso.conf' archiso_image="/boot/initramfs-linux.img" diff --git a/configs/releng/airootfs/etc/mkinitcpio.conf b/configs/releng/airootfs/etc/mkinitcpio.conf deleted file mode 100644 index 96a8752..0000000 --- a/configs/releng/airootfs/etc/mkinitcpio.conf +++ /dev/null @@ -1,67 +0,0 @@ -# vim:set ft=sh -# MODULES -# The following modules are loaded before any boot hooks are -# run. Advanced users may wish to specify all system modules -# in this array. For instance: -# MODULES=(piix ide_disk reiserfs) -MODULES=() - -# BINARIES -# This setting includes any additional binaries a given user may -# wish into the CPIO image. This is run last, so it may be used to -# override the actual binaries included by a given hook -# BINARIES are dependency parsed, so you may safely ignore libraries -BINARIES=() - -# FILES -# This setting is similar to BINARIES above, however, files are added -# as-is and are not parsed in any way. This is useful for config files. -FILES=() - -# HOOKS -# This is the most important setting in this file. The HOOKS control the -# modules and scripts added to the image, and what happens at boot time. -# Order is important, and it is recommended that you do not change the -# order in which HOOKS are added. Run 'mkinitcpio -H ' for -# help on a given hook. -# 'base' is _required_ unless you know precisely what you are doing. -# 'udev' is _required_ in order to automatically load modules -# 'filesystems' is _required_ unless you specify your fs modules in MODULES -# Examples: -## This setup specifies all modules in the MODULES setting above. -## No raid, lvm2, or encrypted root is needed. -# HOOKS=(base) -# -## This setup will autodetect all modules for your system and should -## work as a sane default -# HOOKS=(base udev autodetect block filesystems) -# -## This setup will generate a 'full' image which supports most systems. -## No autodetection is done. -# HOOKS=(base udev block filesystems) -# -## This setup assembles a pata mdadm array with an encrypted root FS. -## Note: See 'mkinitcpio -H mdadm' for more information on raid devices. -# HOOKS=(base udev block mdadm encrypt filesystems) -# -## This setup loads an lvm2 volume group on a usb device. -# HOOKS=(base udev block lvm2 filesystems) -# -## NOTE: If you have /usr on a separate partition, you MUST include the -# usr, fsck and shutdown hooks. -HOOKS=(base udev modconf kms memdisk archiso archiso_loop_mnt archiso_pxe_common archiso_pxe_nbd archiso_pxe_http archiso_pxe_nfs block filesystems keyboard) - -# COMPRESSION -# Use this to compress the initramfs image. By default, gzip compression -# is used. Use 'cat' to create an uncompressed image. -#COMPRESSION="gzip" -#COMPRESSION="bzip2" -#COMPRESSION="lzma" -COMPRESSION="xz" -#COMPRESSION="lzop" -#COMPRESSION="lz4" -#COMPRESSION="zstd" - -# COMPRESSION_OPTIONS -# Additional options for the compressor -#COMPRESSION_OPTIONS=() diff --git a/configs/releng/airootfs/etc/mkinitcpio.conf.d/archiso.conf b/configs/releng/airootfs/etc/mkinitcpio.conf.d/archiso.conf new file mode 100644 index 0000000..96a8752 --- /dev/null +++ b/configs/releng/airootfs/etc/mkinitcpio.conf.d/archiso.conf @@ -0,0 +1,67 @@ +# vim:set ft=sh +# MODULES +# The following modules are loaded before any boot hooks are +# run. Advanced users may wish to specify all system modules +# in this array. For instance: +# MODULES=(piix ide_disk reiserfs) +MODULES=() + +# BINARIES +# This setting includes any additional binaries a given user may +# wish into the CPIO image. This is run last, so it may be used to +# override the actual binaries included by a given hook +# BINARIES are dependency parsed, so you may safely ignore libraries +BINARIES=() + +# FILES +# This setting is similar to BINARIES above, however, files are added +# as-is and are not parsed in any way. This is useful for config files. +FILES=() + +# HOOKS +# This is the most important setting in this file. The HOOKS control the +# modules and scripts added to the image, and what happens at boot time. +# Order is important, and it is recommended that you do not change the +# order in which HOOKS are added. Run 'mkinitcpio -H ' for +# help on a given hook. +# 'base' is _required_ unless you know precisely what you are doing. +# 'udev' is _required_ in order to automatically load modules +# 'filesystems' is _required_ unless you specify your fs modules in MODULES +# Examples: +## This setup specifies all modules in the MODULES setting above. +## No raid, lvm2, or encrypted root is needed. +# HOOKS=(base) +# +## This setup will autodetect all modules for your system and should +## work as a sane default +# HOOKS=(base udev autodetect block filesystems) +# +## This setup will generate a 'full' image which supports most systems. +## No autodetection is done. +# HOOKS=(base udev block filesystems) +# +## This setup assembles a pata mdadm array with an encrypted root FS. +## Note: See 'mkinitcpio -H mdadm' for more information on raid devices. +# HOOKS=(base udev block mdadm encrypt filesystems) +# +## This setup loads an lvm2 volume group on a usb device. +# HOOKS=(base udev block lvm2 filesystems) +# +## NOTE: If you have /usr on a separate partition, you MUST include the +# usr, fsck and shutdown hooks. +HOOKS=(base udev modconf kms memdisk archiso archiso_loop_mnt archiso_pxe_common archiso_pxe_nbd archiso_pxe_http archiso_pxe_nfs block filesystems keyboard) + +# COMPRESSION +# Use this to compress the initramfs image. By default, gzip compression +# is used. Use 'cat' to create an uncompressed image. +#COMPRESSION="gzip" +#COMPRESSION="bzip2" +#COMPRESSION="lzma" +COMPRESSION="xz" +#COMPRESSION="lzop" +#COMPRESSION="lz4" +#COMPRESSION="zstd" + +# COMPRESSION_OPTIONS +# Additional options for the compressor +#COMPRESSION_OPTIONS=() diff --git a/configs/releng/airootfs/etc/mkinitcpio.d/linux.preset b/configs/releng/airootfs/etc/mkinitcpio.d/linux.preset index 9f67184..8e85205 100644 --- a/configs/releng/airootfs/etc/mkinitcpio.d/linux.preset +++ b/configs/releng/airootfs/etc/mkinitcpio.d/linux.preset @@ -3,6 +3,6 @@ PRESETS=('archiso') ALL_kver='/boot/vmlinuz-linux' -ALL_config='/etc/mkinitcpio.conf' +archiso_config='/etc/mkinitcpio.conf.d/archiso.conf' archiso_image="/boot/initramfs-linux.img" -- cgit v1.2.3-70-g09d2 From 17a71ade2ee2fb6c5774bef43e7b8121d00b4bcf Mon Sep 17 00:00:00 2001 From: nl6720 Date: Thu, 1 Jun 2023 10:11:29 +0300 Subject: configs/*/airootfs/etc/mkinitcpio.conf.d/archiso.conf: remove comments and unused options Set only the custom values for HOOKS and COMPRESSION. --- .../airootfs/etc/mkinitcpio.conf.d/archiso.conf | 66 ---------------------- .../airootfs/etc/mkinitcpio.conf.d/archiso.conf | 65 --------------------- 2 files changed, 131 deletions(-) (limited to 'configs/releng/airootfs/etc') diff --git a/configs/baseline/airootfs/etc/mkinitcpio.conf.d/archiso.conf b/configs/baseline/airootfs/etc/mkinitcpio.conf.d/archiso.conf index 34b1a06..fd9cd48 100644 --- a/configs/baseline/airootfs/etc/mkinitcpio.conf.d/archiso.conf +++ b/configs/baseline/airootfs/etc/mkinitcpio.conf.d/archiso.conf @@ -1,67 +1 @@ -# vim:set ft=sh -# MODULES -# The following modules are loaded before any boot hooks are -# run. Advanced users may wish to specify all system modules -# in this array. For instance: -# MODULES=(piix ide_disk reiserfs) -MODULES=() - -# BINARIES -# This setting includes any additional binaries a given user may -# wish into the CPIO image. This is run last, so it may be used to -# override the actual binaries included by a given hook -# BINARIES are dependency parsed, so you may safely ignore libraries -BINARIES=() - -# FILES -# This setting is similar to BINARIES above, however, files are added -# as-is and are not parsed in any way. This is useful for config files. -FILES=() - -# HOOKS -# This is the most important setting in this file. The HOOKS control the -# modules and scripts added to the image, and what happens at boot time. -# Order is important, and it is recommended that you do not change the -# order in which HOOKS are added. Run 'mkinitcpio -H ' for -# help on a given hook. -# 'base' is _required_ unless you know precisely what you are doing. -# 'udev' is _required_ in order to automatically load modules -# 'filesystems' is _required_ unless you specify your fs modules in MODULES -# Examples: -## This setup specifies all modules in the MODULES setting above. -## No raid, lvm2, or encrypted root is needed. -# HOOKS=(base) -# -## This setup will autodetect all modules for your system and should -## work as a sane default -# HOOKS=(base udev autodetect block filesystems) -# -## This setup will generate a 'full' image which supports most systems. -## No autodetection is done. -# HOOKS=(base udev block filesystems) -# -## This setup assembles a pata mdadm array with an encrypted root FS. -## Note: See 'mkinitcpio -H mdadm' for more information on raid devices. -# HOOKS=(base udev block mdadm encrypt filesystems) -# -## This setup loads an lvm2 volume group on a usb device. -# HOOKS=(base udev block lvm2 filesystems) -# -## NOTE: If you have /usr on a separate partition, you MUST include the -# usr, fsck and shutdown hooks. HOOKS=(base udev modconf archiso block filesystems) - -# COMPRESSION -# Use this to compress the initramfs image. By default, gzip compression -# is used. Use 'cat' to create an uncompressed image. -#COMPRESSION="gzip" -#COMPRESSION="bzip2" -#COMPRESSION="lzma" -#COMPRESSION="xz" -#COMPRESSION="lzop" -#COMPRESSION="lz4" -#COMPRESSION="zstd" - -# COMPRESSION_OPTIONS -# Additional options for the compressor -#COMPRESSION_OPTIONS=() diff --git a/configs/releng/airootfs/etc/mkinitcpio.conf.d/archiso.conf b/configs/releng/airootfs/etc/mkinitcpio.conf.d/archiso.conf index 96a8752..b4b3095 100644 --- a/configs/releng/airootfs/etc/mkinitcpio.conf.d/archiso.conf +++ b/configs/releng/airootfs/etc/mkinitcpio.conf.d/archiso.conf @@ -1,67 +1,2 @@ -# vim:set ft=sh -# MODULES -# The following modules are loaded before any boot hooks are -# run. Advanced users may wish to specify all system modules -# in this array. For instance: -# MODULES=(piix ide_disk reiserfs) -MODULES=() - -# BINARIES -# This setting includes any additional binaries a given user may -# wish into the CPIO image. This is run last, so it may be used to -# override the actual binaries included by a given hook -# BINARIES are dependency parsed, so you may safely ignore libraries -BINARIES=() - -# FILES -# This setting is similar to BINARIES above, however, files are added -# as-is and are not parsed in any way. This is useful for config files. -FILES=() - -# HOOKS -# This is the most important setting in this file. The HOOKS control the -# modules and scripts added to the image, and what happens at boot time. -# Order is important, and it is recommended that you do not change the -# order in which HOOKS are added. Run 'mkinitcpio -H ' for -# help on a given hook. -# 'base' is _required_ unless you know precisely what you are doing. -# 'udev' is _required_ in order to automatically load modules -# 'filesystems' is _required_ unless you specify your fs modules in MODULES -# Examples: -## This setup specifies all modules in the MODULES setting above. -## No raid, lvm2, or encrypted root is needed. -# HOOKS=(base) -# -## This setup will autodetect all modules for your system and should -## work as a sane default -# HOOKS=(base udev autodetect block filesystems) -# -## This setup will generate a 'full' image which supports most systems. -## No autodetection is done. -# HOOKS=(base udev block filesystems) -# -## This setup assembles a pata mdadm array with an encrypted root FS. -## Note: See 'mkinitcpio -H mdadm' for more information on raid devices. -# HOOKS=(base udev block mdadm encrypt filesystems) -# -## This setup loads an lvm2 volume group on a usb device. -# HOOKS=(base udev block lvm2 filesystems) -# -## NOTE: If you have /usr on a separate partition, you MUST include the -# usr, fsck and shutdown hooks. HOOKS=(base udev modconf kms memdisk archiso archiso_loop_mnt archiso_pxe_common archiso_pxe_nbd archiso_pxe_http archiso_pxe_nfs block filesystems keyboard) - -# COMPRESSION -# Use this to compress the initramfs image. By default, gzip compression -# is used. Use 'cat' to create an uncompressed image. -#COMPRESSION="gzip" -#COMPRESSION="bzip2" -#COMPRESSION="lzma" COMPRESSION="xz" -#COMPRESSION="lzop" -#COMPRESSION="lz4" -#COMPRESSION="zstd" - -# COMPRESSION_OPTIONS -# Additional options for the compressor -#COMPRESSION_OPTIONS=() -- cgit v1.2.3-70-g09d2 From 0b8704fe4bda6b9208b5bb9e4060a0aeeea2a669 Mon Sep 17 00:00:00 2001 From: nl6720 Date: Sun, 30 Jul 2023 15:52:51 +0300 Subject: configs/releng/airootfs/etc/systemd/system/etc-pacman.d-gnupg.mount: use tmpfs with noswap option Since tmpfs has a `noswap` option, use it instead of ramfs. Unlike ramfs, tmpfs has a limit to its size. This reverts commit 09b0428128700f37bd465eb54c6e45f69c17617d ("configs/releng/airootfs/etc/systemd/system/etc-pacman.d-gnupg.mount: use ramfs"). --- CHANGELOG.rst | 2 ++ configs/releng/airootfs/etc/systemd/system/etc-pacman.d-gnupg.mount | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) (limited to 'configs/releng/airootfs/etc') diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 18051a6..cdfd7f5 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -12,6 +12,8 @@ Changed ------- - Moved custom ``mkinitcpio.conf`` files to ``/etc/mkinitcpio.conf.d/archiso.conf``. +- Mount ``/etc/pacman.d/gnupg`` on tmpfs with option ``noswap`` instead of using ramfs. This ensures there is a limit to + the file system size. Deprecated ---------- diff --git a/configs/releng/airootfs/etc/systemd/system/etc-pacman.d-gnupg.mount b/configs/releng/airootfs/etc/systemd/system/etc-pacman.d-gnupg.mount index 0ba0e67..038961e 100644 --- a/configs/releng/airootfs/etc/systemd/system/etc-pacman.d-gnupg.mount +++ b/configs/releng/airootfs/etc/systemd/system/etc-pacman.d-gnupg.mount @@ -2,7 +2,7 @@ Description=Temporary /etc/pacman.d/gnupg directory [Mount] -What=ramfs +What=tmpfs Where=/etc/pacman.d/gnupg -Type=ramfs -Options=mode=0755 +Type=tmpfs +Options=mode=0755,noswap -- cgit v1.2.3-70-g09d2 From 2e6db24f23abe37e0aefbe8950ecc6c15e3bd50f Mon Sep 17 00:00:00 2001 From: nl6720 Date: Wed, 2 Aug 2023 11:10:37 +0300 Subject: Set IPv6PrivacyExtensions=yes in global systemd-netorkd configuration Since systemd 245, IPv6PrivacyExtensions can be set not just per connection, but also globally for all connection with a configuration file in /etc/systemd/network.conf.d/. --- CHANGELOG.rst | 1 + .../airootfs/etc/systemd/network.conf.d/ipv6-privacy-extensions.conf | 2 ++ configs/baseline/airootfs/etc/systemd/network/20-ethernet.network | 1 - .../airootfs/etc/systemd/network.conf.d/ipv6-privacy-extensions.conf | 2 ++ configs/releng/airootfs/etc/systemd/network/20-ethernet.network | 1 - configs/releng/airootfs/etc/systemd/network/20-wlan.network | 1 - configs/releng/airootfs/etc/systemd/network/20-wwan.network | 1 - 7 files changed, 5 insertions(+), 4 deletions(-) create mode 100644 configs/baseline/airootfs/etc/systemd/network.conf.d/ipv6-privacy-extensions.conf create mode 100644 configs/releng/airootfs/etc/systemd/network.conf.d/ipv6-privacy-extensions.conf (limited to 'configs/releng/airootfs/etc') diff --git a/CHANGELOG.rst b/CHANGELOG.rst index cdfd7f5..1323333 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -14,6 +14,7 @@ Changed - Moved custom ``mkinitcpio.conf`` files to ``/etc/mkinitcpio.conf.d/archiso.conf``. - Mount ``/etc/pacman.d/gnupg`` on tmpfs with option ``noswap`` instead of using ramfs. This ensures there is a limit to the file system size. +- Enable systemd-networkd's support for IPv6 Privacy Extensions globally instead of per-connection. Deprecated ---------- diff --git a/configs/baseline/airootfs/etc/systemd/network.conf.d/ipv6-privacy-extensions.conf b/configs/baseline/airootfs/etc/systemd/network.conf.d/ipv6-privacy-extensions.conf new file mode 100644 index 0000000..0e9ceb4 --- /dev/null +++ b/configs/baseline/airootfs/etc/systemd/network.conf.d/ipv6-privacy-extensions.conf @@ -0,0 +1,2 @@ +[Network] +IPv6PrivacyExtensions=yes diff --git a/configs/baseline/airootfs/etc/systemd/network/20-ethernet.network b/configs/baseline/airootfs/etc/systemd/network/20-ethernet.network index 64bb07e..177e0aa 100644 --- a/configs/baseline/airootfs/etc/systemd/network/20-ethernet.network +++ b/configs/baseline/airootfs/etc/systemd/network/20-ethernet.network @@ -8,4 +8,3 @@ Name=eth* [Network] DHCP=yes MulticastDNS=yes -IPv6PrivacyExtensions=yes diff --git a/configs/releng/airootfs/etc/systemd/network.conf.d/ipv6-privacy-extensions.conf b/configs/releng/airootfs/etc/systemd/network.conf.d/ipv6-privacy-extensions.conf new file mode 100644 index 0000000..0e9ceb4 --- /dev/null +++ b/configs/releng/airootfs/etc/systemd/network.conf.d/ipv6-privacy-extensions.conf @@ -0,0 +1,2 @@ +[Network] +IPv6PrivacyExtensions=yes diff --git a/configs/releng/airootfs/etc/systemd/network/20-ethernet.network b/configs/releng/airootfs/etc/systemd/network/20-ethernet.network index ce8de1f..4b0f9b3 100644 --- a/configs/releng/airootfs/etc/systemd/network/20-ethernet.network +++ b/configs/releng/airootfs/etc/systemd/network/20-ethernet.network @@ -8,7 +8,6 @@ Name=eth* [Network] DHCP=yes MulticastDNS=yes -IPv6PrivacyExtensions=yes # systemd-networkd does not set per-interface-type default route metrics # https://github.com/systemd/systemd/issues/17698 diff --git a/configs/releng/airootfs/etc/systemd/network/20-wlan.network b/configs/releng/airootfs/etc/systemd/network/20-wlan.network index e5990bf..970eb70 100644 --- a/configs/releng/airootfs/etc/systemd/network/20-wlan.network +++ b/configs/releng/airootfs/etc/systemd/network/20-wlan.network @@ -4,7 +4,6 @@ Name=wl* [Network] DHCP=yes MulticastDNS=yes -IPv6PrivacyExtensions=yes # systemd-networkd does not set per-interface-type default route metrics # https://github.com/systemd/systemd/issues/17698 diff --git a/configs/releng/airootfs/etc/systemd/network/20-wwan.network b/configs/releng/airootfs/etc/systemd/network/20-wwan.network index 9104c24..625abbe 100644 --- a/configs/releng/airootfs/etc/systemd/network/20-wwan.network +++ b/configs/releng/airootfs/etc/systemd/network/20-wwan.network @@ -3,7 +3,6 @@ Name=ww* [Network] DHCP=yes -IPv6PrivacyExtensions=yes # systemd-networkd does not set per-interface-type default route metrics # https://github.com/systemd/systemd/issues/17698 -- cgit v1.2.3-70-g09d2 From d501e235bb784885b3bd59843d701b1e546ad492 Mon Sep 17 00:00:00 2001 From: nl6720 Date: Sat, 12 Aug 2023 09:07:03 +0300 Subject: Move custom sshd_config to /etc/ssh/sshd_config.d/ openssh 9.4p1-2 changed /etc/ssh/sshd_config to add support for drop-in files in /etc/ssh/sshd_config.d/. Using drop-in files avoids needing to keep up with changes to the default /etc/ssh/sshd_config. --- CHANGELOG.rst | 1 + configs/baseline/airootfs/etc/ssh/sshd_config | 116 --------------------- .../airootfs/etc/ssh/sshd_config.d/10-archiso.conf | 116 +++++++++++++++++++++ configs/releng/airootfs/etc/ssh/sshd_config | 116 --------------------- .../airootfs/etc/ssh/sshd_config.d/10-archiso.conf | 116 +++++++++++++++++++++ 5 files changed, 233 insertions(+), 232 deletions(-) delete mode 100644 configs/baseline/airootfs/etc/ssh/sshd_config create mode 100644 configs/baseline/airootfs/etc/ssh/sshd_config.d/10-archiso.conf delete mode 100644 configs/releng/airootfs/etc/ssh/sshd_config create mode 100644 configs/releng/airootfs/etc/ssh/sshd_config.d/10-archiso.conf (limited to 'configs/releng/airootfs/etc') diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 6d9546f..c6f6296 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -17,6 +17,7 @@ Changed - Mount ``/etc/pacman.d/gnupg`` on tmpfs with option ``noswap`` instead of using ramfs. This ensures there is a limit to the file system size. - Enable systemd-networkd's support for IPv6 Privacy Extensions globally instead of per-connection. +- Moved custom ``sshd_config`` files to ``/ssh/sshd_config.d/10-archiso.conf`` Deprecated ---------- diff --git a/configs/baseline/airootfs/etc/ssh/sshd_config b/configs/baseline/airootfs/etc/ssh/sshd_config deleted file mode 100644 index dc22c11..0000000 --- a/configs/baseline/airootfs/etc/ssh/sshd_config +++ /dev/null @@ -1,116 +0,0 @@ -# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options override the -# default value. - -#Port 22 -#AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: - -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_ecdsa_key -#HostKey /etc/ssh/ssh_host_ed25519_key - -# Ciphers and keying -#RekeyLimit default none - -# Logging -#SyslogFacility AUTH -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m -PermitRootLogin yes -#StrictModes yes -#MaxAuthTries 6 -#MaxSessions 10 - -#PubkeyAuthentication yes - -# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 -# but this is overridden so installations will only check .ssh/authorized_keys -AuthorizedKeysFile .ssh/authorized_keys - -#AuthorizedPrincipalsFile none - -#AuthorizedKeysCommand none -#AuthorizedKeysCommandUser nobody - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# To disable tunneled clear text passwords, change to no here! -#PasswordAuthentication yes -#PermitEmptyPasswords no - -# Change to no to disable s/key passwords -KbdInteractiveAuthentication no - -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the KbdInteractiveAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via KbdInteractiveAuthentication may bypass -# the setting of "PermitRootLogin prohibit-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and KbdInteractiveAuthentication to 'no'. -UsePAM yes - -#AllowAgentForwarding yes -#AllowTcpForwarding yes -#GatewayPorts no -#X11Forwarding no -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PermitTTY yes -PrintMotd no -#PrintLastLog yes -#TCPKeepAlive yes -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#UseDNS no -#PidFile /run/sshd.pid -#MaxStartups 10:30:100 -#PermitTunnel no -#ChrootDirectory none -#VersionAddendum none - -# no default banner path -#Banner none - -# override default of no subsystems -Subsystem sftp /usr/lib/ssh/sftp-server - -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# PermitTTY no -# ForceCommand cvs server diff --git a/configs/baseline/airootfs/etc/ssh/sshd_config.d/10-archiso.conf b/configs/baseline/airootfs/etc/ssh/sshd_config.d/10-archiso.conf new file mode 100644 index 0000000..dc22c11 --- /dev/null +++ b/configs/baseline/airootfs/etc/ssh/sshd_config.d/10-archiso.conf @@ -0,0 +1,116 @@ +# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none + +# Logging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +PermitRootLogin yes +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +#PasswordAuthentication yes +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +KbdInteractiveAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the KbdInteractiveAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via KbdInteractiveAuthentication may bypass +# the setting of "PermitRootLogin prohibit-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and KbdInteractiveAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding no +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no +#PrintLastLog yes +#TCPKeepAlive yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# override default of no subsystems +Subsystem sftp /usr/lib/ssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server diff --git a/configs/releng/airootfs/etc/ssh/sshd_config b/configs/releng/airootfs/etc/ssh/sshd_config deleted file mode 100644 index dc22c11..0000000 --- a/configs/releng/airootfs/etc/ssh/sshd_config +++ /dev/null @@ -1,116 +0,0 @@ -# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options override the -# default value. - -#Port 22 -#AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: - -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_ecdsa_key -#HostKey /etc/ssh/ssh_host_ed25519_key - -# Ciphers and keying -#RekeyLimit default none - -# Logging -#SyslogFacility AUTH -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m -PermitRootLogin yes -#StrictModes yes -#MaxAuthTries 6 -#MaxSessions 10 - -#PubkeyAuthentication yes - -# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 -# but this is overridden so installations will only check .ssh/authorized_keys -AuthorizedKeysFile .ssh/authorized_keys - -#AuthorizedPrincipalsFile none - -#AuthorizedKeysCommand none -#AuthorizedKeysCommandUser nobody - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# To disable tunneled clear text passwords, change to no here! -#PasswordAuthentication yes -#PermitEmptyPasswords no - -# Change to no to disable s/key passwords -KbdInteractiveAuthentication no - -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the KbdInteractiveAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via KbdInteractiveAuthentication may bypass -# the setting of "PermitRootLogin prohibit-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and KbdInteractiveAuthentication to 'no'. -UsePAM yes - -#AllowAgentForwarding yes -#AllowTcpForwarding yes -#GatewayPorts no -#X11Forwarding no -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PermitTTY yes -PrintMotd no -#PrintLastLog yes -#TCPKeepAlive yes -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#UseDNS no -#PidFile /run/sshd.pid -#MaxStartups 10:30:100 -#PermitTunnel no -#ChrootDirectory none -#VersionAddendum none - -# no default banner path -#Banner none - -# override default of no subsystems -Subsystem sftp /usr/lib/ssh/sftp-server - -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# PermitTTY no -# ForceCommand cvs server diff --git a/configs/releng/airootfs/etc/ssh/sshd_config.d/10-archiso.conf b/configs/releng/airootfs/etc/ssh/sshd_config.d/10-archiso.conf new file mode 100644 index 0000000..dc22c11 --- /dev/null +++ b/configs/releng/airootfs/etc/ssh/sshd_config.d/10-archiso.conf @@ -0,0 +1,116 @@ +# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none + +# Logging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +PermitRootLogin yes +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +#PasswordAuthentication yes +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +KbdInteractiveAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the KbdInteractiveAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via KbdInteractiveAuthentication may bypass +# the setting of "PermitRootLogin prohibit-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and KbdInteractiveAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding no +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no +#PrintLastLog yes +#TCPKeepAlive yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# override default of no subsystems +Subsystem sftp /usr/lib/ssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server -- cgit v1.2.3-70-g09d2 From 174f8185813aa9b26dde20be41b5215f33d2139e Mon Sep 17 00:00:00 2001 From: nl6720 Date: Sat, 12 Aug 2023 09:13:42 +0300 Subject: /etc/ssh/sshd_config.d/10-archiso.conf: keep only the modified options The only changes we make to the default are to enable root login via a password. While `PasswordAuthentication yes` is the default, let's set it explicitly to avoid potential issues in the future. --- .../airootfs/etc/ssh/sshd_config.d/10-archiso.conf | 117 +-------------------- .../airootfs/etc/ssh/sshd_config.d/10-archiso.conf | 117 +-------------------- 2 files changed, 4 insertions(+), 230 deletions(-) (limited to 'configs/releng/airootfs/etc') diff --git a/configs/baseline/airootfs/etc/ssh/sshd_config.d/10-archiso.conf b/configs/baseline/airootfs/etc/ssh/sshd_config.d/10-archiso.conf index dc22c11..6ea7b41 100644 --- a/configs/baseline/airootfs/etc/ssh/sshd_config.d/10-archiso.conf +++ b/configs/baseline/airootfs/etc/ssh/sshd_config.d/10-archiso.conf @@ -1,116 +1,3 @@ -# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options override the -# default value. - -#Port 22 -#AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: - -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_ecdsa_key -#HostKey /etc/ssh/ssh_host_ed25519_key - -# Ciphers and keying -#RekeyLimit default none - -# Logging -#SyslogFacility AUTH -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m +# Allow root login using password authentication +PasswordAuthentication yes PermitRootLogin yes -#StrictModes yes -#MaxAuthTries 6 -#MaxSessions 10 - -#PubkeyAuthentication yes - -# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 -# but this is overridden so installations will only check .ssh/authorized_keys -AuthorizedKeysFile .ssh/authorized_keys - -#AuthorizedPrincipalsFile none - -#AuthorizedKeysCommand none -#AuthorizedKeysCommandUser nobody - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# To disable tunneled clear text passwords, change to no here! -#PasswordAuthentication yes -#PermitEmptyPasswords no - -# Change to no to disable s/key passwords -KbdInteractiveAuthentication no - -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the KbdInteractiveAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via KbdInteractiveAuthentication may bypass -# the setting of "PermitRootLogin prohibit-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and KbdInteractiveAuthentication to 'no'. -UsePAM yes - -#AllowAgentForwarding yes -#AllowTcpForwarding yes -#GatewayPorts no -#X11Forwarding no -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PermitTTY yes -PrintMotd no -#PrintLastLog yes -#TCPKeepAlive yes -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#UseDNS no -#PidFile /run/sshd.pid -#MaxStartups 10:30:100 -#PermitTunnel no -#ChrootDirectory none -#VersionAddendum none - -# no default banner path -#Banner none - -# override default of no subsystems -Subsystem sftp /usr/lib/ssh/sftp-server - -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# PermitTTY no -# ForceCommand cvs server diff --git a/configs/releng/airootfs/etc/ssh/sshd_config.d/10-archiso.conf b/configs/releng/airootfs/etc/ssh/sshd_config.d/10-archiso.conf index dc22c11..6ea7b41 100644 --- a/configs/releng/airootfs/etc/ssh/sshd_config.d/10-archiso.conf +++ b/configs/releng/airootfs/etc/ssh/sshd_config.d/10-archiso.conf @@ -1,116 +1,3 @@ -# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options override the -# default value. - -#Port 22 -#AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: - -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_ecdsa_key -#HostKey /etc/ssh/ssh_host_ed25519_key - -# Ciphers and keying -#RekeyLimit default none - -# Logging -#SyslogFacility AUTH -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m +# Allow root login using password authentication +PasswordAuthentication yes PermitRootLogin yes -#StrictModes yes -#MaxAuthTries 6 -#MaxSessions 10 - -#PubkeyAuthentication yes - -# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 -# but this is overridden so installations will only check .ssh/authorized_keys -AuthorizedKeysFile .ssh/authorized_keys - -#AuthorizedPrincipalsFile none - -#AuthorizedKeysCommand none -#AuthorizedKeysCommandUser nobody - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# To disable tunneled clear text passwords, change to no here! -#PasswordAuthentication yes -#PermitEmptyPasswords no - -# Change to no to disable s/key passwords -KbdInteractiveAuthentication no - -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the KbdInteractiveAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via KbdInteractiveAuthentication may bypass -# the setting of "PermitRootLogin prohibit-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and KbdInteractiveAuthentication to 'no'. -UsePAM yes - -#AllowAgentForwarding yes -#AllowTcpForwarding yes -#GatewayPorts no -#X11Forwarding no -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PermitTTY yes -PrintMotd no -#PrintLastLog yes -#TCPKeepAlive yes -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#UseDNS no -#PidFile /run/sshd.pid -#MaxStartups 10:30:100 -#PermitTunnel no -#ChrootDirectory none -#VersionAddendum none - -# no default banner path -#Banner none - -# override default of no subsystems -Subsystem sftp /usr/lib/ssh/sftp-server - -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# PermitTTY no -# ForceCommand cvs server -- cgit v1.2.3-70-g09d2 From 6c5ab3d3885024bc7a8feb724b721d4b481f13a9 Mon Sep 17 00:00:00 2001 From: David Runge Date: Tue, 29 Aug 2023 20:09:46 +0200 Subject: Use pcsclite for communicating with OpenPGP smartcards As opgpcard uses pcsclite and gnupg is able to use it as well, switch away from using gnupg's internal ccid driver. --- CHANGELOG.rst | 1 + .../airootfs/etc/systemd/system/sockets.target.wants/pcscd.socket | 1 + configs/releng/airootfs/root/.gnupg/scdaemon.conf | 4 ++++ configs/releng/profiledef.sh | 1 + 4 files changed, 7 insertions(+) create mode 120000 configs/releng/airootfs/etc/systemd/system/sockets.target.wants/pcscd.socket create mode 100644 configs/releng/airootfs/root/.gnupg/scdaemon.conf (limited to 'configs/releng/airootfs/etc') diff --git a/CHANGELOG.rst b/CHANGELOG.rst index d941d1a..0cf973a 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -19,6 +19,7 @@ Changed the file system size. - Enable systemd-networkd's support for IPv6 Privacy Extensions globally instead of per-connection. - Moved custom ``sshd_config`` files to ``/ssh/sshd_config.d/10-archiso.conf`` +- Use pcsclite for interfacing with smartcards, since both gnupg and opgpcard support it. Deprecated ---------- diff --git a/configs/releng/airootfs/etc/systemd/system/sockets.target.wants/pcscd.socket b/configs/releng/airootfs/etc/systemd/system/sockets.target.wants/pcscd.socket new file mode 120000 index 0000000..3897c63 --- /dev/null +++ b/configs/releng/airootfs/etc/systemd/system/sockets.target.wants/pcscd.socket @@ -0,0 +1 @@ +/usr/lib/systemd/system/pcscd.socket \ No newline at end of file diff --git a/configs/releng/airootfs/root/.gnupg/scdaemon.conf b/configs/releng/airootfs/root/.gnupg/scdaemon.conf new file mode 100644 index 0000000..e1f3d1f --- /dev/null +++ b/configs/releng/airootfs/root/.gnupg/scdaemon.conf @@ -0,0 +1,4 @@ +disable-ccid +disable-pinpad +pcsc-driver /usr/lib/libpcsclite.so +pcsc-shared diff --git a/configs/releng/profiledef.sh b/configs/releng/profiledef.sh index 4154816..5cba1b5 100644 --- a/configs/releng/profiledef.sh +++ b/configs/releng/profiledef.sh @@ -19,6 +19,7 @@ file_permissions=( ["/etc/shadow"]="0:0:400" ["/root"]="0:0:750" ["/root/.automated_script.sh"]="0:0:755" + ["/root/.gnupg"]="0:0:700" ["/usr/local/bin/choose-mirror"]="0:0:755" ["/usr/local/bin/Installation_guide"]="0:0:755" ["/usr/local/bin/livecd-sound"]="0:0:755" -- cgit v1.2.3-70-g09d2 From cb61daf8eaffb5e831e51f50aa44080fffac27e8 Mon Sep 17 00:00:00 2001 From: nl6720 Date: Sat, 9 Dec 2023 12:31:58 +0200 Subject: configs/*/airootfs/etc/systemd/network/: add RequiredForOnline=routable By default systemd-networkd-wait-online.service considers a network connection to be "online" when it has reached the "degraded" state (see networkctl(1) for the definitions). Since "degraded" does not ensure there's a routable address, let's change the connection's requirement to "routable" instead. This gives a better chance that the network really is online when network-online.target is reached. --- CHANGELOG.rst | 3 +++ configs/baseline/airootfs/etc/systemd/network/20-ethernet.network | 3 +++ configs/releng/airootfs/etc/systemd/network/20-ethernet.network | 3 +++ configs/releng/airootfs/etc/systemd/network/20-wlan.network | 3 +++ configs/releng/airootfs/etc/systemd/network/20-wwan.network | 3 +++ 5 files changed, 15 insertions(+) (limited to 'configs/releng/airootfs/etc') diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 93b044e..fcc57c2 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -14,6 +14,9 @@ Added Changed ------- +- Set ``RequiredForOnline=routable`` in systemd-networkd configuration files to improve the chances that the network + really is *online* when ``network-online.target`` is reached. + Deprecated ---------- diff --git a/configs/baseline/airootfs/etc/systemd/network/20-ethernet.network b/configs/baseline/airootfs/etc/systemd/network/20-ethernet.network index 177e0aa..0e4287b 100644 --- a/configs/baseline/airootfs/etc/systemd/network/20-ethernet.network +++ b/configs/baseline/airootfs/etc/systemd/network/20-ethernet.network @@ -5,6 +5,9 @@ Name=en* Name=eth* +[Link] +RequiredForOnline=routable + [Network] DHCP=yes MulticastDNS=yes diff --git a/configs/releng/airootfs/etc/systemd/network/20-ethernet.network b/configs/releng/airootfs/etc/systemd/network/20-ethernet.network index 4b0f9b3..d3a3271 100644 --- a/configs/releng/airootfs/etc/systemd/network/20-ethernet.network +++ b/configs/releng/airootfs/etc/systemd/network/20-ethernet.network @@ -5,6 +5,9 @@ Name=en* Name=eth* +[Link] +RequiredForOnline=routable + [Network] DHCP=yes MulticastDNS=yes diff --git a/configs/releng/airootfs/etc/systemd/network/20-wlan.network b/configs/releng/airootfs/etc/systemd/network/20-wlan.network index 970eb70..8b70a95 100644 --- a/configs/releng/airootfs/etc/systemd/network/20-wlan.network +++ b/configs/releng/airootfs/etc/systemd/network/20-wlan.network @@ -1,6 +1,9 @@ [Match] Name=wl* +[Link] +RequiredForOnline=routable + [Network] DHCP=yes MulticastDNS=yes diff --git a/configs/releng/airootfs/etc/systemd/network/20-wwan.network b/configs/releng/airootfs/etc/systemd/network/20-wwan.network index 625abbe..6e1c8dd 100644 --- a/configs/releng/airootfs/etc/systemd/network/20-wwan.network +++ b/configs/releng/airootfs/etc/systemd/network/20-wwan.network @@ -1,6 +1,9 @@ [Match] Name=ww* +[Link] +RequiredForOnline=routable + [Network] DHCP=yes -- cgit v1.2.3-70-g09d2 From 2facc4630cd3677e5c61705a25d5d5594fd0cc80 Mon Sep 17 00:00:00 2001 From: nl6720 Date: Mon, 1 Apr 2024 18:39:09 +0300 Subject: configs/releng/: use mkinitcpio's microcode hook instead of external microcode images This simplifies boot loader configuration, but custom PXE setups will be forced to update theirs. Implements https://gitlab.archlinux.org/archlinux/archiso/-/issues/226 --- CHANGELOG.rst | 2 ++ configs/releng/airootfs/etc/mkinitcpio.conf.d/archiso.conf | 2 +- configs/releng/efiboot/loader/entries/01-archiso-x86_64-linux.conf | 2 -- .../efiboot/loader/entries/02-archiso-x86_64-speech-linux.conf | 2 -- configs/releng/grub/grub.cfg | 4 ++-- configs/releng/grub/loopback.cfg | 4 ++-- configs/releng/syslinux/archiso_pxe-linux.cfg | 6 +++--- configs/releng/syslinux/archiso_sys-linux.cfg | 4 ++-- 8 files changed, 12 insertions(+), 14 deletions(-) (limited to 'configs/releng/airootfs/etc') diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 0592b94..a41a43d 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -15,6 +15,8 @@ Changed ------- - Change releng profile's bootstrap tarball compression from gzip to zstd. zstd provides higher and faster compression. +- Use mkinitcpio's ``microcode`` hook instead of external microcode images to simplify boot loader configuration. + Custom PXE setups will need to update their boot loader configuration. Deprecated ---------- diff --git a/configs/releng/airootfs/etc/mkinitcpio.conf.d/archiso.conf b/configs/releng/airootfs/etc/mkinitcpio.conf.d/archiso.conf index b4b3095..98dd514 100644 --- a/configs/releng/airootfs/etc/mkinitcpio.conf.d/archiso.conf +++ b/configs/releng/airootfs/etc/mkinitcpio.conf.d/archiso.conf @@ -1,2 +1,2 @@ -HOOKS=(base udev modconf kms memdisk archiso archiso_loop_mnt archiso_pxe_common archiso_pxe_nbd archiso_pxe_http archiso_pxe_nfs block filesystems keyboard) +HOOKS=(base udev microcode modconf kms memdisk archiso archiso_loop_mnt archiso_pxe_common archiso_pxe_nbd archiso_pxe_http archiso_pxe_nfs block filesystems keyboard) COMPRESSION="xz" diff --git a/configs/releng/efiboot/loader/entries/01-archiso-x86_64-linux.conf b/configs/releng/efiboot/loader/entries/01-archiso-x86_64-linux.conf index 2506f07..9df6b0a 100644 --- a/configs/releng/efiboot/loader/entries/01-archiso-x86_64-linux.conf +++ b/configs/releng/efiboot/loader/entries/01-archiso-x86_64-linux.conf @@ -1,7 +1,5 @@ title Arch Linux install medium (x86_64, UEFI) sort-key 01 linux /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux -initrd /%INSTALL_DIR%/boot/intel-ucode.img -initrd /%INSTALL_DIR%/boot/amd-ucode.img initrd /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img options archisobasedir=%INSTALL_DIR% archisodevice=UUID=%ARCHISO_UUID% diff --git a/configs/releng/efiboot/loader/entries/02-archiso-x86_64-speech-linux.conf b/configs/releng/efiboot/loader/entries/02-archiso-x86_64-speech-linux.conf index 6928a10..865b37f 100644 --- a/configs/releng/efiboot/loader/entries/02-archiso-x86_64-speech-linux.conf +++ b/configs/releng/efiboot/loader/entries/02-archiso-x86_64-speech-linux.conf @@ -1,7 +1,5 @@ title Arch Linux install medium (x86_64, UEFI) with speech sort-key 02 linux /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux -initrd /%INSTALL_DIR%/boot/intel-ucode.img -initrd /%INSTALL_DIR%/boot/amd-ucode.img initrd /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img options archisobasedir=%INSTALL_DIR% archisodevice=UUID=%ARCHISO_UUID% accessibility=on diff --git a/configs/releng/grub/grub.cfg b/configs/releng/grub/grub.cfg index 3486753..6b64947 100644 --- a/configs/releng/grub/grub.cfg +++ b/configs/releng/grub/grub.cfg @@ -63,13 +63,13 @@ timeout_style=menu menuentry "Arch Linux install medium (%ARCH%, ${archiso_platform})" --class arch --class gnu-linux --class gnu --class os --id 'archlinux' { set gfxpayload=keep linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux archisobasedir=%INSTALL_DIR% archisodevice=UUID=${ARCHISO_UUID} - initrd /%INSTALL_DIR%/boot/intel-ucode.img /%INSTALL_DIR%/boot/amd-ucode.img /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img + initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img } menuentry "Arch Linux install medium with speakup screen reader (%ARCH%, ${archiso_platform})" --hotkey s --class arch --class gnu-linux --class gnu --class os --id 'archlinux-accessibility' { set gfxpayload=keep linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux archisobasedir=%INSTALL_DIR% archisodevice=UUID=${ARCHISO_UUID} accessibility=on - initrd /%INSTALL_DIR%/boot/intel-ucode.img /%INSTALL_DIR%/boot/amd-ucode.img /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img + initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img } diff --git a/configs/releng/grub/loopback.cfg b/configs/releng/grub/loopback.cfg index 3ee0d33..d7d5ece 100644 --- a/configs/releng/grub/loopback.cfg +++ b/configs/releng/grub/loopback.cfg @@ -31,13 +31,13 @@ timeout_style=menu menuentry "Arch Linux install medium (%ARCH%, ${archiso_platform})" --class arch --class gnu-linux --class gnu --class os --id 'archlinux' { set gfxpayload=keep linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux archisobasedir=%INSTALL_DIR% img_dev=UUID=${archiso_img_dev_uuid} img_loop="${iso_path}" - initrd /%INSTALL_DIR%/boot/intel-ucode.img /%INSTALL_DIR%/boot/amd-ucode.img /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img + initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img } menuentry "Arch Linux install medium with speakup screen reader (%ARCH%, ${archiso_platform})" --hotkey s --class arch --class gnu-linux --class gnu --class os --id 'archlinux-accessibility' { set gfxpayload=keep linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux archisobasedir=%INSTALL_DIR% img_dev=UUID=${archiso_img_dev_uuid} img_loop="${iso_path}" accessibility=on - initrd /%INSTALL_DIR%/boot/intel-ucode.img /%INSTALL_DIR%/boot/amd-ucode.img /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img + initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img } diff --git a/configs/releng/syslinux/archiso_pxe-linux.cfg b/configs/releng/syslinux/archiso_pxe-linux.cfg index 305b8fd..2d681d8 100644 --- a/configs/releng/syslinux/archiso_pxe-linux.cfg +++ b/configs/releng/syslinux/archiso_pxe-linux.cfg @@ -5,7 +5,7 @@ It allows you to install Arch Linux or perform system maintenance. ENDTEXT MENU LABEL Arch Linux install medium (x86_64, NBD) LINUX ::/%INSTALL_DIR%/boot/x86_64/vmlinuz-linux -INITRD ::/%INSTALL_DIR%/boot/intel-ucode.img,::/%INSTALL_DIR%/boot/amd-ucode.img,::/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img +INITRD ::/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img APPEND archisobasedir=%INSTALL_DIR% archisodevice=UUID=%ARCHISO_UUID% archiso_nbd_srv=${pxeserver} cms_verify=y SYSAPPEND 3 @@ -16,7 +16,7 @@ It allows you to install Arch Linux or perform system maintenance. ENDTEXT MENU LABEL Arch Linux install medium (x86_64, NFS) LINUX ::/%INSTALL_DIR%/boot/x86_64/vmlinuz-linux -INITRD ::/%INSTALL_DIR%/boot/intel-ucode.img,::/%INSTALL_DIR%/boot/amd-ucode.img,::/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img +INITRD ::/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img APPEND archisobasedir=%INSTALL_DIR% archiso_nfs_srv=${pxeserver}:/run/archiso/bootmnt cms_verify=y SYSAPPEND 3 @@ -27,6 +27,6 @@ It allows you to install Arch Linux or perform system maintenance. ENDTEXT MENU LABEL Arch Linux install medium (x86_64, HTTP) LINUX ::/%INSTALL_DIR%/boot/x86_64/vmlinuz-linux -INITRD ::/%INSTALL_DIR%/boot/intel-ucode.img,::/%INSTALL_DIR%/boot/amd-ucode.img,::/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img +INITRD ::/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img APPEND archisobasedir=%INSTALL_DIR% archiso_http_srv=http://${pxeserver}/ cms_verify=y SYSAPPEND 3 diff --git a/configs/releng/syslinux/archiso_sys-linux.cfg b/configs/releng/syslinux/archiso_sys-linux.cfg index 950dc48..d5898d1 100644 --- a/configs/releng/syslinux/archiso_sys-linux.cfg +++ b/configs/releng/syslinux/archiso_sys-linux.cfg @@ -5,7 +5,7 @@ It allows you to install Arch Linux or perform system maintenance. ENDTEXT MENU LABEL Arch Linux install medium (x86_64, BIOS) LINUX /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux -INITRD /%INSTALL_DIR%/boot/intel-ucode.img,/%INSTALL_DIR%/boot/amd-ucode.img,/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img +INITRD /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img APPEND archisobasedir=%INSTALL_DIR% archisodevice=UUID=%ARCHISO_UUID% # Accessibility boot option @@ -16,5 +16,5 @@ It allows you to install Arch Linux or perform system maintenance with speech fe ENDTEXT MENU LABEL Arch Linux install medium (x86_64, BIOS) with ^speech LINUX /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux -INITRD /%INSTALL_DIR%/boot/intel-ucode.img,/%INSTALL_DIR%/boot/amd-ucode.img,/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img +INITRD /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img APPEND archisobasedir=%INSTALL_DIR% archisodevice=UUID=%ARCHISO_UUID% accessibility=on -- cgit v1.2.3-70-g09d2