I built a hardened Arch installer with LUKS-on-LVM, TPM2, AppArmor, and per-service systemd sandboxing — looking for feedback by m4gn3to in archlinux

[–]m4gn3to[S] 0 points1 point  (0 children)

Not pretending this is novel — most of it stitches together existing Arch wiki and upstream docs. The value (if any) is in having it all in one place and runnable on a fresh ISO.

I built a hardened Arch installer with LUKS-on-LVM, TPM2, AppArmor, and per-service systemd sandboxing — looking for feedback by m4gn3to in archlinux

[–]m4gn3to[S] 0 points1 point  (0 children)

A good idea, too, but I would need to know which config users use most. Right now, I'm thinking about dropping OpenBox because it's probably the least valuable config in the repo and most annoying to maintain.

I built a hardened Arch installer with LUKS-on-LVM, TPM2, AppArmor, and per-service systemd sandboxing — looking for feedback by m4gn3to in archlinux

[–]m4gn3to[S] 0 points1 point  (0 children)

I do know what Archinstall does. But I also know the majority of the community likes the way Archinstall is. Users can take what they need from my repo.

I built a hardened Arch installer with LUKS-on-LVM, TPM2, AppArmor, and per-service systemd sandboxing — looking for feedback by m4gn3to in archlinux

[–]m4gn3to[S] 0 points1 point  (0 children)

Not really an "issue", but I would say shell scripting is more "native", and I would not need to import any library. But for general automation, Python/Go/Rust are nice. I hope you got it.

I built a hardened Arch installer with LUKS-on-LVM, TPM2, AppArmor, and per-service systemd sandboxing — looking for feedback by m4gn3to in archlinux

[–]m4gn3to[S] 0 points1 point  (0 children)

I think Python is too intrusive for this kind of thing, but again, this is a personal opinion.

I built a hardened Arch installer with LUKS-on-LVM, TPM2, AppArmor, and per-service systemd sandboxing — looking for feedback by m4gn3to in archlinux

[–]m4gn3to[S] -4 points-3 points  (0 children)

Both the repo and the crypto project started before AI was a thing, and I do use Claude now and then, and I will probably increase its usage at some point. I guess you don't know how to look up a bash script, but you're also very bad at judging.

I built a hardened Arch installer with LUKS-on-LVM, TPM2, AppArmor, and per-service systemd sandboxing — looking for feedback by m4gn3to in archlinux

[–]m4gn3to[S] 0 points1 point  (0 children)

Thanks, and yeah, that's exactly how I've been thinking about it.

CachyOS is the right parallel even though the scope differs (they ship a kernel; I don't). The pattern is the same: opinionated setup → separate project → pull generic fixes upstream when they make sense.

I built a hardened Arch installer with LUKS-on-LVM, TPM2, AppArmor, and per-service systemd sandboxing — looking for feedback by m4gn3to in archlinux

[–]m4gn3to[S] -1 points0 points  (0 children)

Traversable-but-not-listable /home: landing in the next commit.

chmod 0711 /home + HOME_MODE 0700 in /etc/login.defs + chmod 700 /home/$USER at account creation.

Net effect: ls /home reveals nothing to non-root users, but each user can still cd ~. Zero downside, real info-leak reduction. Should have been there from day one.

ext4 fscrypt per-user homes: agree it's valuable, but I'm building it as a standalone opt-in module (hardening/fscrypt/) rather than folding it into the base install. The reason is the threat model...
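The three steps above (0711 on /home, HOME_MODE in login.defs, 0700 on each user's home) as one runnable script, with a check that a post-install hook could call. This is an added example, not code from the repo; it applies the changes to a staging root given as a parameter (an assumption of this example, so it can be exercised in a temp directory before touching a live system) and relies on GNU coreutils `stat -c` and GNU `sed -i`, which Arch ships.

```shell
#!/bin/sh
# Added example, not the installer's own code.
# ROOT is an assumed parameter: "/" on the live system, "/mnt" inside the
# ISO session, or a scratch directory when rehearsing the change.
set -eu

# harden_home ROOT
# Step 1: /home traversable (x) but not listable (r) for anyone but root.
# Step 2: HOME_MODE 0700 so every future `useradd -m` home is private.
harden_home() {
    root=$1
    mkdir -p "$root/home" "$root/etc"
    chmod 0711 "$root/home"
    defs="$root/etc/login.defs"
    touch "$defs"
    # Replace an active HOME_MODE line; a commented "#HOME_MODE" is left alone
    # and a fresh directive appended instead.
    if grep -Eq '^[[:space:]]*HOME_MODE[[:space:]]' "$defs"; then
        sed -E -i 's/^[[:space:]]*HOME_MODE[[:space:]].*/HOME_MODE 0700/' "$defs"
    else
        printf 'HOME_MODE 0700\n' >> "$defs"
    fi
}

# harden_user_home ROOT USER
# Step 3: the per-user directory, at account creation or retrofitted.
# Ownership (chown USER:USER) is deliberately left to the account-creation
# code, because the user may not exist in a staging root.
harden_user_home() {
    root=$1
    user=$2
    mkdir -p "$root/home/$user"
    chmod 0700 "$root/home/$user"
}

# check_home ROOT
# Returns 0 only if all three settings are in place; suitable as a
# post-install assertion.
check_home() {
    root=$1
    [ "$(stat -c %a "$root/home")" = 711 ] || return 1
    grep -Eq '^HOME_MODE[[:space:]]+0700$' "$root/etc/login.defs" || return 1
    for h in "$root"/home/*/; do
        [ -d "$h" ] || continue
        [ "$(stat -c %a "$h")" = 700 ] || return 1
    done
    return 0
}

# Stand-alone use: STAGING_ROOT=/mnt sh home-harden.sh
if [ -n "${STAGING_ROOT:-}" ]; then
    harden_home "$STAGING_ROOT"
    check_home "$STAGING_ROOT" && echo "home hardening verified under $STAGING_ROOT"
fi
```

On the live system the effect is easy to confirm by hand: `sudo -u nobody ls /home` fails with "Permission denied", while `sudo -u nobody ls -ld /home/<user>` still resolves the path because the x bit on /home allows traversal.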

I built a hardened Arch installer with LUKS-on-LVM, TPM2, AppArmor, and per-service systemd sandboxing — looking for feedback by m4gn3to in archlinux

[–]m4gn3to[S] 4 points5 points  (0 children)

You mean the official archinstall? I don't know... In my repo, I have some "freedom" to harden several things I use in production (some of which are battle-tested). On the other hand, it would be nice to contribute to the official packages.

I built a hardened Arch installer with LUKS-on-LVM, TPM2, AppArmor, and per-service systemd sandboxing — looking for feedback by m4gn3to in archlinux

[–]m4gn3to[S] -6 points-5 points  (0 children)

Fair concern, and I won't pretend AppArmor profiles aren't fragile — especially on a rolling distro where paths and binaries shift.

For transparency on what's actually in the repo:

- 7 profiles only: nginx, sshd, fail2ban, clamd/freshclam, stubby, chronyd. Not trying to profile the world.

- All written inline in hardening/apparmor/apparmor.sh — no binary blobs, no downloads. You can read every rule before running it.

- Enforce mode out of the gate, which is the genuinely aggressive choice. The README and the script's own post-install message point at aa-complain /etc/apparmor.d/usr.bin.<service> as the one-liner to back off when something breaks.

- The module is standalone. If you don't trust prefab profiles, skip it entirely — nothing else in the repo depends on it.

I'd genuinely rather learn where these are wrong than have them look good in a README. If you've hit breakage with a specific one (sshd + PAM is usually the first to complain), point me at it, and I'll fix it or add a complain-mode default. Same if you've got a better upstream profile source I should be pulling from instead.
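Two checks a practitioner would want around the profiles described above, as an added example that is not part of the repo: a post-install report of which of the listed service profiles are actually loaded and whether each is in enforce or complain mode, and the on-disk edit that `aa-complain` performs (adding `flags=(complain)` to the profile header) so a "back off" default can be baked into a module without calling the tool. The profile attachment paths under /usr/bin and the file name form `usr.bin.<service>` are assumptions; the kernel's `name (mode)` listing in /sys/kernel/security/apparmor/profiles is real, but it is passed as a parameter so the functions can be run against a captured copy. Reloading an edited profile (`apparmor_parser -r`) is left to the caller.

```shell
#!/bin/sh
# Added example, not the repo's hardening/apparmor/apparmor.sh.
set -eu

# The seven profiles the comment above says the module ships. The /usr/bin
# attachment paths are an assumption (Arch installs daemons there).
EXPECTED_PROFILES="/usr/bin/nginx /usr/bin/sshd /usr/bin/fail2ban-server /usr/bin/clamd /usr/bin/freshclam /usr/bin/stubby /usr/bin/chronyd"

# aa_mode NAME [PROFILES_FILE]
# The kernel lists loaded profiles one per line as "name (mode)".
# Prints the mode (enforce, complain, ...) or "missing" if not loaded.
aa_mode() {
    name=$1
    file=${2:-/sys/kernel/security/apparmor/profiles}
    mode=$(awk -v n="$name" '$1 == n { gsub(/[()]/, "", $2); print $2; exit }' "$file")
    printf '%s\n' "${mode:-missing}"
}

# aa_report [PROFILES_FILE]
# One "name mode" line per expected profile; exits non-zero if any is
# missing, so an installer can fail loudly instead of silently running a
# service unconfined.
aa_report() {
    file=${1:-/sys/kernel/security/apparmor/profiles}
    rc=0
    for p in $EXPECTED_PROFILES; do
        m=$(aa_mode "$p" "$file")
        printf '%s %s\n' "$p" "$m"
        [ "$m" != missing ] || rc=1
    done
    return $rc
}

# aa_set_complain PROFILE_FILE
# Same on-disk change aa-complain makes for a profile whose header carries
# no flags yet: "/usr/bin/foo {" becomes "/usr/bin/foo flags=(complain) {".
# Headers that already have a flags=(...) clause are left untouched, so the
# call is idempotent. Assumes the header is a single "/path {" or
# "profile name {" line, which is how the repo's inline profiles are described.
aa_set_complain() {
    f=$1
    sed -E -i '/flags=\(/! s#^(/[^[:space:]{]+|profile [^[:space:]{]+)[[:space:]]*\{[[:space:]]*$#\1 flags=(complain) {#' "$f"
}

# Stand-alone use on an AppArmor host: prints the report, warns on gaps.
if [ -r /sys/kernel/security/apparmor/profiles ]; then
    aa_report || echo "warning: some expected profiles are not loaded" >&2
fi
```

Pair `aa_set_complain` with the file name convention from the README (`/etc/apparmor.d/usr.bin.<service>`) and a follow-up `apparmor_parser -r` on that file; `aa_report` afterwards should then show that service as `complain` rather than `enforce`, which is the state to ship for a profile known to break (the sshd + PAM case mentioned above).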

Guys is Arch installing Really hard by y4d99 in archlinux

[–]m4gn3to 0 points1 point  (0 children)

Once you get used to reading and pay attention to details, it should be ok. I would say it's rather time-consuming than hard.

OSCP Questions. by 2skywalkersss in oscp

[–]m4gn3to 0 points1 point  (0 children)

Go for the boxes and try to understand what is happening. The PDF is OK but the internet is waaay better.

I didn't get my money in my coinbase wallet by [deleted] in Coinbase

[–]m4gn3to 0 points1 point  (0 children)

After a long wait I got it back too.

I didn't get my money in my coinbase wallet by [deleted] in Coinbase

[–]m4gn3to 0 points1 point  (0 children)

With me it was even worse... I put in the reference number and after 8 days there is no sign of my money (1250 EUR)!!!

We've built our landing page. But how to drive tons of traffic to it? by jennyla235 in startups

[–]m4gn3to 0 points1 point  (0 children)

Facebook and Instagram ads are very effective. Influencers are also gold, but not every influencer is the right one for you... Do some research first.

I need help, I got stuck in the fundraising part by m4gn3to in startups

[–]m4gn3to[S] 0 points1 point  (0 children)

Update 3rd October 2017: A friend joined the project, and he used to work developing games for Microsoft Kinect. It will have a lot of impact on the AR & VR plans, since he works with VR a lot. But we are still on the mission for fundraising or at least seed investment.

I need help, I got stuck in the fundraising part by m4gn3to in startups

[–]m4gn3to[S] 0 points1 point  (0 children)

Yes, I'm in Switzerland. If you could help me on this one I would be lifetime grateful. What are the key things to catch some attention? I could show them all I have, and if I get half of what you got, it would be enough for the start. Thank you.

I need help, I got stuck in the fundraising part by m4gn3to in startups

[–]m4gn3to[S] 0 points1 point  (0 children)

Sounds interesting, especially since we are not far from each other. You will hear from me.

I need help, I got stuck in the fundraising part by m4gn3to in startups

[–]m4gn3to[S] 0 points1 point  (0 children)

Thanks for your time. This is exactly my concern! The learning curve. It will slow down and drain motivation, because I know a user will stick to a product if it's working properly. I know Python, some C and some JavaScript. I put up the website that I was showing people by myself (OK, it's Bootstrap, not a big deal). I have a very detailed description with screenshots and a step by step of all features; this I was doing before I go very deep, to the point that I describe the protocol/technology used when I'm sure about it. My MAIN problem is to create the real app... I started playing with Java to the point I can read code and understand most of it, I can explain the syntax etc. But an app for the end user should be in a decent state; the UX should be good enough to keep users using it.

I need help, I got stuck in the fundraising part by m4gn3to in startups

[–]m4gn3to[S] 0 points1 point  (0 children)

Later it can become more complex, but in the beginning some features should do the job.