# manual install base
pacstrap: `pacstrap -K /mnt base base-devel linux-lts linux-firmware iwd vim e2fsprogs openssh git efibootmgr linux-lts-headers wpa_supplicant zsh` 
command: `find /mnt -print0 | xargs -0 sha256sum | tee base-image.sha256sum`
  - issues faced
    - `/etc/kernel/cmdline:rd.luks.name=UUID=name` -- BOOT ERROR -- UUID is of superblock not LUKS container, should be correct in ansible
    - `efibootmgr * --loader "PATH"` -- PATH INVALID ERROR -- PATH doesnt require mount name, oops, should be correct in ansible


# manual install compare-to


# ansible install compare-three

## secrets
    - bitwarden
        - [x] complex password
        - [ ] fingerprint / biometric phone login (==GOOGLE== make enough money for GrapheneOS)
        - [ ] email (==GOOGLE EDUCATION -- UNCC email== this will be pain, make enough money for ProtonMail)
    - gpg git repo
        - encrypted using GPG key, commited into private git repo
    - ansible_vault
        - double check that default password file I created wasnt accidentally commited anywhere
        - use gitBFG

## secureboot
    - OEM Micro$oft leaked (lol) keys
        - hashes:
    - personal key
        - fingerprint:

## luks / dm-crypt
    - password
    - backup encryption keyfile

## GPG key package signing