- XanMod - Custom Linux kernel optimized for speed, responsiveness, and desktop performance
- SCX - Dynamic scheduler extension framework
- AppArmor - Mandatory access control framework for process-level security
- Chkrootkit - Rootkit detection tool that scans for common signs of system compromise
- ClamAV - Antivirus engine for detecting malware and trojans
- DNSCrypt - Protocol that encrypts DNS traffic to prevent spoofing and eavesdropping
- DNSMasq - Lightweight DNS and DHCP server for local networks
- Fail2Ban - Intrusion prevention tool that bans IPs showing malicious signs
- Linux Hardening Script - Automated system security and configuration hardening script
- Lynis - Security auditing tool
- USBGuard - Framework for implementing USB device authorization policies
- UFW - Interface for managing iptables-based firewalls
- Includes a comprehensive manual
- MAC address randomization via Macchanger
- Low latency PipeWire audio processing
- ALHP, Chaotic AUR, and Flatpak repositories
- Steam Proton GE prefix
- Booster - Faster mkinitcpio replacement
- Battery life optimizations for laptops via TLP
- System Tuner - Laptop performance manager
- Some processes are launched under Mimalloc, a high-performance memory allocator replacement
- Ephemeral Overlay - Speeds up temporary/root directories and reduces disk I/O
- Real-time audio processing
- A Lynis system hardening rating of 80
- GameMode - Performance on demand utility for games
- Game Focus - A command that kills most system processes and launches Steam
- Arch Package Dictionary - Pacman/AUR/Flatpak search tool
- A suite of productivity tools: Archivist Tools, Audio Frequency Tools, Document Tools, Media Tools
- Earlyoom - Early OOM daemon
- Fix Arch Linux - Diagnostic toolset
This project is a combination of significant upgrades and micro-optimizations. I've implemented most of the known and esoteric Linux performance tweaks along with some original implementations. The philosophy behind this "meta-distribution" is to utilize current hardware features and resources generously (when needed) while increasing system hardness greatly beyond the default.
The configuration files sysctl.conf, limits.conf, and grub are pre-configured for specific workloads. Depending on the variant chosen, there are specific changes tailored for each. These presets are AMD/Intel, NVIDIA, Laptop, Performance, Server, and AI. They can be chosen in the installer and by running the optional command post-installation.
Originally, I was inspired by Luke Smith's LARBS, which is why Algiz's installer is script-based rather than an ISO. This project is packaged similarly to an ISO due to the configurations and content being stored inside various archives. If you want to see what changes I've made, you can view them here.
Algiz Linux implements kernel hardening that enhances both security and performance.
Attack Surface Reduction:
- Restricted ptrace access prevents privilege escalation attacks
- Disabled unprivileged BPF operations eliminate potential exploitation vectors
- Core dump generation disabled to prevent information leakage
- Kernel debugging restricted through pointer exposure protection
- Disabled SysRq functionality and kexec to prevent unauthorized kernel replacement
- ASLR enabled for protection against exploitation
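One way to check a running system against the list above, as an added example that is not part of the project's own scripts. The sysctl keys are the standard kernel ones; the expected values are common hardened settings assumed here, not values read from Algiz's sysctl.conf, and `audit_hardening` is a hypothetical name.

```shell
#!/bin/sh
# Added example: expected values are common hardened settings (assumed),
# not values read from Algiz's sysctl.conf.
# Format: path under /proc/sys | operator | expected | page bullet it maps to
HARDENING_CHECKS='kernel/yama/ptrace_scope|ge|1|restricted ptrace
kernel/unprivileged_bpf_disabled|ge|1|unprivileged BPF disabled
fs/suid_dumpable|eq|0|no core dumps from setuid programs
kernel/kptr_restrict|ge|1|kernel pointer exposure protection
kernel/sysrq|eq|0|SysRq disabled
kernel/kexec_load_disabled|eq|1|kexec disabled
kernel/randomize_va_space|eq|2|full ASLR'

# audit_hardening [ROOT]: ROOT defaults to /proc/sys. Prints one line per
# check and returns the number of failed or missing checks.
audit_hardening() {
    root=${1:-/proc/sys}
    failures=0
    while IFS='|' read -r key op want label; do
        if [ ! -r "$root/$key" ]; then
            echo "MISSING $key ($label)"
            failures=$((failures + 1))
            continue
        fi
        have=$(cat "$root/$key")
        ok=0
        case $op in
            eq) [ "$have" -eq "$want" ] 2>/dev/null && ok=1 ;;
            ge) [ "$have" -ge "$want" ] 2>/dev/null && ok=1 ;;
        esac
        if [ "$ok" -eq 1 ]; then
            echo "PASS $key=$have ($label)"
        else
            echo "FAIL $key=$have, want $op $want ($label)"
            failures=$((failures + 1))
        fi
    done <<EOF
$HARDENING_CHECKS
EOF
    return "$failures"
}

# Audit the running kernel when the script is executed directly.
audit_hardening || echo "$? check(s) did not meet the expected value"
```

The core-dump check covers only the setuid case exposed through sysctl; a core size limit set in limits.conf is not inspected here.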
The kernel which comes with the configuration is a custom build of XanMod, tailored for the x86-64-v3 CPU architecture. It also outperforms the standard Linux kernel. XanMod's default CFS scheduler is replaced with an SCX-based scheduler for improved performance and responsiveness.
The desktop scheduler is set to LAVD, and laptops use BPFLand, which provide high performance and low system latency. LAVD is configured for high performance with dynamic 250 µs slicing (1000 Hz+-equivalent responsiveness), and BPFLand is left default for simplicity. If you want to change the scheduler, it can be modified in rc.local under the scheduler section.
RAM usage has the highest priority over swapping. Keeping active data in memory reduces wear on the drive and increases system responsiveness. Swapping is still possible but only used when RAM is nearly filled. The VM subsystem is configured to reduce unnecessary memory compaction overhead while maintaining balanced VFS cache pressure for responsive file operations. HugePages are dynamically allocated on demand, providing up to 3968 large pages to reduce overhead and fragmentation for large memory workloads. NUMA balancing is also disabled to eliminate automatic memory migration overhead.
Zram Integration: The system configures a zram-based swap device /dev/zram0 to provide fast, compressed virtual memory. Zram allocation is dynamically set to 25% of total RAM. The device is initialized with mkswap and immediately activated with swapon.
Tmpfs Overlay: Temporary directories are mounted as tmpfs with the following size limits:
- /tmp - 5 GB
- /var/tmp - 1 GB
- /var/cache - 2 GB
- /home/$USER/.cache - 2 GB
Bind-mounted Directories: Essential directories are bind-mounted and remain on local storage:
- /var/cache/pacman
- /home/$USER/.cache/paru
- /home/$USER/.cache/nvidia
- /home/$USER/.cache/mesa_shader_cache
- /home/$USER/.cache/mesa_shader_cache_db
RAM overlay of root filesystem:
- The root filesystem (/) is overlaid in RAM using an overlay filesystem
- Changes made to files in the overlay are stored in RAM and synced back to disk on shutdown
- Excluded directories remain on disk: /home, /tmp, /var/tmp, /var/cache, /proc, /sys, /dev, /run, /mnt, /media, /boot
Specified directories can be added in /bin/ephemeral-overlay
Garbage Collection:
- Periodic cleanup: Removes files older than 10 minutes
- Safe removal: Ensures files in use are never deleted
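The two cleanup rules above, sketched as an added example rather than Algiz's own cleanup code. Detecting in-use files by scanning `/proc/<pid>/fd` is an assumption about how "in use" could be checked, and `is_open` and `gc_tmpdir` are hypothetical names.

```shell
#!/bin/sh
# Added example (not Algiz's own cleanup code): remove files older than
# MAX_AGE_MIN minutes from a tmpfs directory, skipping any file that a
# running process still has open.

MAX_AGE_MIN=10   # age threshold stated on the page

# is_open FILE: succeeds if any visible /proc/<pid>/fd entry refers to FILE.
# -ef compares device and inode, so symlinked paths still match.
# Without root, only the caller's own processes are visible.
is_open() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$fd" -ef "$1" ] && return 0
    done
    return 1
}

# gc_tmpdir DIR: deletes stale regular files that nobody has open and
# echoes each removed path. Stays on DIR's filesystem (-xdev) so that
# bind-mounted caches below it are left alone.
gc_tmpdir() {
    find "$1" -xdev -type f -mmin +"$MAX_AGE_MIN" | while IFS= read -r f; do
        if is_open "$f"; then
            continue          # still in use: leave it for a later pass
        fi
        rm -f -- "$f" && echo "$f"
    done
}
```

Paths containing newlines are not handled by the line-based loop, and a file opened between the check and the `rm` is still removed.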
Network performance leverages BBR congestion control and cake queue management to improve performance and reduce latency. The TCP stack uses expanded buffer sizes and enables fast connection establishment. IPv6 is limited through restrictive ICMP and routing settings. NetworkManager is set to use dhclient for DHCP with hostname handling disabled, along with DNS encryption via Mullvad.
Disk and SSD performance is tuned through scheduler and queue optimizations. Both NVMe and SATA SSDs use the none scheduler to eliminate scheduling overhead and maximize throughput, while HDDs use bfq for fairness under mixed workloads. Read-ahead is set to 512 KB for SSDs and 2048 KB for HDDs to improve sequential read performance. I/O queue depth is configured at 2048 for NVMe drives, 1024 for SATA SSDs, and 128 for HDDs, enabling optimal parallelism for each device type. I/O request merging is enabled to combine adjacent requests for improved efficiency.
F2FS: Root and home partitions formatted with F2FS are optimized with background garbage collection enabled and tuned idle detection intervals to maintain flash-based storage performance consistency. To preserve SSD longevity and prevent write performance degradation, the system runs TRIM operations once every 7 days, reclaiming unused blocks. These processes ensure efficient resource use across F2FS filesystems.
CPU architecture is automatically detected on installation to ensure optimal package installation. The system integrates some of ALHP's packages, which provide architecture-specific builds optimized for modern processor capabilities while keeping Artix's core system packages.
Configured for AMD hardware, tweaked for high performance and security.
Configured for NVIDIA hardware, tweaked for maximum visual fidelity, high performance and security.
Balanced between power saving, performance and security. With AC connected and the battery at 85%, performance is increased; at 10% battery it is reduced.
Maximum performance configuration with no security mitigations and expanded memory limits.
The system expands TCP/UDP buffer sizes up to 16MB for high-performance connections. TCP stack handling is tuned for scalability with up to 2 million TIME_WAIT sockets, window scaling and reuse enabled for faster turnaround. Security and stability are reinforced with SYN cookies, strict reverse path filtering, martian packet logging, disabled source routing and ICMP redirects. IPv4/IPv6 are hardened with rate limiting for ICMP and disabled router advertisements.
Specialized for AI workloads with larger HugePages allocation and no security mitigations.

