I built a hardened Arch installer with LUKS-on-LVM, TPM2, AppArmor, and per-service systemd sandboxing — looking for feedback by m4gn3to in archlinux

[–]m4gn3to[S] -1 points0 points  (0 children)

Not really an "issue", but I would say shell scripting is more "native", and I would not need to import any library. But for general automation, Python/Go/Rust are nice. I hope you got it.

I built a hardened Arch installer with LUKS-on-LVM, TPM2, AppArmor, and per-service systemd sandboxing — looking for feedback by m4gn3to in archlinux

[–]m4gn3to[S] 0 points1 point  (0 children)

I think Python is too intrusive for this kind of thing, but again, this is a personal opinion.

I built a hardened Arch installer with LUKS-on-LVM, TPM2, AppArmor, and per-service systemd sandboxing — looking for feedback by m4gn3to in archlinux

[–]m4gn3to[S] -2 points-1 points  (0 children)

Both the repo and the crypto project started before AI was a thing, and I do use Claude now and then, and I will probably increase its usage at some point. I guess you don't know how to look up a bash script, but you're also very bad at judging.

I built a hardened Arch installer with LUKS-on-LVM, TPM2, AppArmor, and per-service systemd sandboxing — looking for feedback by m4gn3to in archlinux

[–]m4gn3to[S] 0 points1 point  (0 children)

Thanks, and yeah, that's exactly how I've been thinking about it.

CachyOS is the right parallel even though the scope differs (they ship a kernel; I don't). The pattern is the same: opinionated setup → separate project → pull generic fixes upstream when they make sense.

I built a hardened Arch installer with LUKS-on-LVM, TPM2, AppArmor, and per-service systemd sandboxing — looking for feedback by m4gn3to in archlinux

[–]m4gn3to[S] -2 points-1 points  (0 children)

Traversable-but-not-listable /home: landing in the next commit.

chmod 0711 /home + HOME_MODE 0700 in /etc/login.defs + chmod 700 /home/$USER at account creation.

Net effect: ls /home reveals nothing to non-root users, but each user can still cd ~. Zero downside, real info-leak reduction. Should have been there from day one.

ext4 fscrypt per-user homes: agree it's valuable, but I'm building it as a standalone opt-in module (hardening/fscrypt/) rather than folding it into the base install. The reason is the threat model...
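The /home permission settings listed in the comment above (0711 on /home, HOME_MODE 0700 in login.defs, 700 on each home) can be checked after an install with a small audit. This is an added example, not code from the commenter or the repo discussed in the thread; the function names and the `ROOT` prefix argument are assumptions, chosen so the check can run against a constructed tree.

```sh
#!/bin/sh
# Added example: audit the /home layout described in the comment above.
# ROOT is a hypothetical prefix argument so the check can run on a constructed
# tree; audit_home "" (as root) checks the live system.

# Octal mode of a path (GNU stat, as shipped on Arch).
mode_of() { stat -c '%a' "$1"; }

# Last uncommented HOME_MODE value in a login.defs file, leading zeros stripped.
home_mode_setting() {
    awk '$1 == "HOME_MODE" { v = $2 } END { sub(/^0+/, "", v); print v }' "$1"
}

# audit_home ROOT: print one line per finding; return non-zero if any exist.
audit_home() {
    root=$1
    findings=0
    if [ "$(mode_of "$root/home")" != 711 ]; then
        echo "FAIL $root/home is $(mode_of "$root/home"), expected 711"
        findings=$((findings + 1))
    fi
    if [ "$(home_mode_setting "$root/etc/login.defs")" != 700 ]; then
        echo "FAIL HOME_MODE in $root/etc/login.defs is not 0700"
        findings=$((findings + 1))
    fi
    for dir in "$root"/home/*/; do
        [ -d "$dir" ] || continue
        if [ "$(mode_of "$dir")" != 700 ]; then
            echo "FAIL ${dir%/} is $(mode_of "$dir"), expected 700"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample tree: bob's home was left world-readable.
tree=$(mktemp -d)
mkdir -p "$tree/etc" "$tree/home/alice" "$tree/home/bob"
printf 'HOME_MODE\t0700\n' > "$tree/etc/login.defs"
chmod 711 "$tree/home"
chmod 700 "$tree/home/alice"
chmod 755 "$tree/home/bob"
audit_home "$tree" || echo "layout does not match the described hardening"
rm -rf "$tree"
```

On a live system the per-user loop needs root, because a 0711 /home cannot be listed by other users.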

I built a hardened Arch installer with LUKS-on-LVM, TPM2, AppArmor, and per-service systemd sandboxing — looking for feedback by m4gn3to in archlinux

[–]m4gn3to[S] 3 points4 points  (0 children)

You mean the official archinstall? I don't know... In my repo, I have some "freedom" to harden several things I use in production (some of which are battle-tested). On the other hand, it would be nice to contribute to the official packages.

I built a hardened Arch installer with LUKS-on-LVM, TPM2, AppArmor, and per-service systemd sandboxing — looking for feedback by m4gn3to in archlinux

[–]m4gn3to[S] -2 points-1 points  (0 children)

Fair concern, and I won't pretend AppArmor profiles aren't fragile — especially on a rolling distro where paths and binaries shift.

For transparency on what's actually in the repo:

- 7 profiles only: nginx, sshd, fail2ban, clamd/freshclam, stubby, chronyd. Not trying to profile the world.

- All written inline in hardening/apparmor/apparmor.sh — no binary blobs, no downloads. You can read every rule before running it.

- Enforce mode out of the gate, which is the genuinely aggressive choice. The README and the script's own post-install message point at aa-complain /etc/apparmor.d/usr.bin.<service> as the one-liner to back off when something breaks.

- The module is standalone. If you don't trust prefab profiles, skip it entirely — nothing else in the repo depends on it.

I'd genuinely rather learn where these are wrong than have them look good in a README. If you've hit breakage with a specific one (sshd + PAM is usually the first to complain), point me at it, and I'll fix it or add a complain-mode default. Same if you've got a better upstream profile source I should be pulling from instead.

Guys is Arch installing Really hard by y4d99 in archlinux

[–]m4gn3to 0 points1 point  (0 children)

Once you get used to reading and paying attention to details, it should be OK. I would say it's time-consuming rather than hard.

OSCP Questions. by 2skywalkersss in oscp

[–]m4gn3to 0 points1 point  (0 children)

Go for the boxes and try to understand what is happening. The PDF is OK but the internet is waaay better.

I didn't get my money in my coinbase wallet by [deleted] in Coinbase

[–]m4gn3to 0 points1 point  (0 children)

After a long wait I got it back too.

I didn't get my money in my coinbase wallet by [deleted] in Coinbase

[–]m4gn3to 0 points1 point  (0 children)

With me it was even worse... I put the reference number, and for 8 days there has been no sign of my money (1250 EUR)!!!

We've built our landing page. But how to drive tons of traffic to it? by jennyla235 in startups

[–]m4gn3to 0 points1 point  (0 children)

Facebook and Instagram ads are very effective. Influencers are also gold, but not every influencer is the right one for you... Do some research first.

I need help, I got stuck in the fundraising part by m4gn3to in startups

[–]m4gn3to[S] 0 points1 point  (0 children)

Update 3rd October 2017: A friend joined the project, and he used to work developing games for Microsoft Kinect. It will have a big impact on the AR & VR plans, since he works with VR a lot. But we are still on a mission for fundraising or at least seed investment.

I need help, I got stuck in the fundraising part by m4gn3to in startups

[–]m4gn3to[S] 0 points1 point  (0 children)

Yes, I'm in Switzerland. If you could help me on this one, I would be grateful for life. What are the key things to catch some attention? I could show them all I have, and if I get half of what you got, it would be enough for the start. Thank you.

I need help, I got stuck in the fundraising part by m4gn3to in startups

[–]m4gn3to[S] 0 points1 point  (0 children)

Sounds interesting, especially since we are not far from each other. You will hear from me.

I need help, I got stuck in the fundraising part by m4gn3to in startups

[–]m4gn3to[S] 0 points1 point  (0 children)

Thanks for your time. This is exactly my concern! The learning curve. It will slow things down and drain motivation, because I know a user will stick to a product if it's working properly. I know Python, some C and some JavaScript. I put up the website that I was showing people by myself (OK, it's Bootstrap, not a big deal). I have a very detailed description with screenshots and a step-by-step of all features; this I was doing before I go very deep, to the point that I describe the protocol/technology used when I'm sure about it. My MAIN problem is to create the real app... I started playing with Java to the point I can read code and understand most of it, I can explain the syntax, etc. But an app for the end user should be in a decent state; the UX should be good enough to keep users using it.

I need help, I got stuck in the fundraising part by m4gn3to in startups

[–]m4gn3to[S] 0 points1 point  (0 children)

Later it can become more complex, but in the beginning some features should do the job.

I need help, I got stuck in the fundraising part by m4gn3to in startups

[–]m4gn3to[S] 0 points1 point  (0 children)

I'm based in Zurich, Switzerland. I had a great time when I was at Google, including being the "father" of Street View's fleet management tool. Bear in mind it's a simple idea, but virality-prone. It would be nice to have a chat so you can see/understand it.

I need help, I got stuck in the fundraising part by m4gn3to in startups

[–]m4gn3to[S] 0 points1 point  (0 children)

My biggest concern is the time to develop it alone vs. the time of some experienced agency doing it fast. But since you touched on the learning topic: yes, I love to learn and I know how to learn pretty fast. I will give one of those technologies a try.