Forked from ansulev/install-arch-linux-on-btrfs-subvolume-inside-luks
Created
May 31, 2018 01:04
-
-
Save 0rbadvent/ec44527feff41ca51c8938eb975e082a to your computer and use it in GitHub Desktop.
Install Arch Linux with full encrypted btrfs subvolume inside luks
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Install Arch Linux with full encrypted btrfs subvolume inside luks | |
| # filename: install-arch-linux-on-btrfs-subvolume-inside-luks.txt | |
| # The official guide: https://wiki.archlinux.org/index.php/Installation_Guide | |
| # Download the archiso image from https://www.archlinux.org/download/ | |
| # Copy to a usb-drive | |
| dd bs=16M if=archlinux.img of=/dev/sdX status=progress && sync # on linux | |
| # Boot from the usb. | |
| # Set spanish keymap | |
| loadkeys es | |
| # This assumes a wifi only system... | |
| wifi-menu | |
| # Create a primary partition - entire disk | |
| parted -s /dev/sda mklabel msdos | |
| parted -s /dev/sda mkpart primary 2048s 100% | |
| # Create luks container and btrfs filesystem | |
| cryptsetup --cipher aes-xts-plain64 --hash sha512 --use-random \ | |
| --verify-passphrase luksFormat /dev/sda1 | |
| #cryptsetup -y -v luksFormat /dev/sda1 | |
| cryptsetup open /dev/sda1 cryptroot | |
| mkfs -t btrfs -L linuxroot /dev/mapper/cryptroot | |
| # Create btrfs subvolumes | |
| mount -t btrfs -o compress=lzo /dev/mapper/cryptroot /mnt | |
| btrfs subvolume create /mnt/@ | |
| btrfs subvolume create /mnt/@home | |
| btrfs subvolume create /mnt/@snapshots | |
| # Unmount and remount with the corect partitions | |
| umount /mnt | |
| mount -o compress=lzo,subvol=@ /dev/mapper/cryptroot /mnt | |
| mkdir -p /mnt/home | |
| mount -o compress=lzo,subvol=@home /dev/mapper/cryptroot /mnt/home | |
| mkdir -p /mnt/.snapshots | |
| mount -o compress=lzo,subvol=@snapshots /dev/mapper/cryptroot /mnt/.snapshots | |
| # Install the system, wifi and some tools | |
| pacstrap /mnt base base-devel btrfs-progs snapper zsh mlocate htop \ | |
| net-tools wireless_tools wpa_supplicant arch-wiki-lite \ | |
| intel-ucode grub vim aria2 hping elinks dialog | |
| # Generate fstab | |
| genfstab -L -p /mnt >> /mnt/etc/fstab | |
| # Edit /mnt/etc/fstab and add the following options: | |
| LABEL=linuxroot / btrfs rw,noatime,compress=lzo,space_cache,autodefrag,commit=60,subvol=@ 0 0 | |
| LABEL=linuxroot /home btrfs rw,noatime,compress=lzo,space_cache,autodefrag,commit=60,subvol=@home 0 0 | |
| LABEL=linuxroot /.snapshots btrfs rw,noatime,compress=lzo,space_cache,autodefrag,commit=60,subvol=@snapshots 0 0 | |
| # swap in zram | |
| # /dev/zram0 none swap defaults 0 0 | |
| # mount /tmp on tmpfs | |
| # tmpfs /tmp tmpfs rw,nodev,nosuid 0 0 | |
| # Enter the new system | |
| arch-chroot /mnt /bin/bash | |
| # Setup system clock | |
| ln -s /usr/share/zoneinfo/Europe/Madrid /etc/localtime | |
| hwclock --systohc --utc | |
| # Set the hostname | |
| echo arch > /etc/hostname | |
| # Generate and set default locale | |
| vim /etc/locale.gen | |
| # Uncomment en_US.UTF-8, es_ES.UTF-8, bg_BG.UTF-8 | |
| locale-gen | |
| echo LANG=en_US.utf8 >> /etc/locale.conf | |
| echo LANGUAGE=en_US >> /etc/locale.conf | |
| echo LC_ALL=C >> /etc/locale.conf | |
| # Set virtul console lang and font | |
| echo KEYMAP=es > /etc/vconsole.conf | |
| echo FONT=Lat2-Terminus16 >> /etc/vconsole.conf | |
| # Set password for root | |
| passwd | |
| # Create user | |
| useradd -m -G wheel angel | |
| passwd angel | |
| # Configure mkinitcpio | |
| vim /etc/mkinitcpio.conf | |
| # Early modules load | |
| MODULES="i915" | |
| # Embed btrfs to initramfs | |
| BINARIES="/usr/sbin/btrfs" | |
| # Add 'encrypt' to HOOKS before filesystems | |
| HOOKS="base udev autodetect modconf block encrypt filesystems keyboard fsck" | |
| # Regenerate initrd image | |
| mkinitcpio -p linux | |
| # Setup grub | |
| In /etc/default/grub add GRUB_ENABLE_CRYPTODISK=y and GRUB_DISABLE_SUBMENU=y | |
| # GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:cryptroot root=/dev/mapper/cryptroot rootflags=subvol=@" | |
| GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:cryptroot" | |
| # Extra kernel options to add to GRUB_CMDLINE_LINUX | |
| acpi_osi=Linux acpi=force acpi_enforce_resources=lax ath9k.ps_enable=1 | |
| pcie_aspm=force i915.enable_rc6=1 i915.enable_fbc=1 i915.lvds_downclock=1 | |
| i915.semaphores=1 | |
| run: | |
| grub-mkconfig -o /boot/grub/grub.cfg | |
| grub-install /dev/sda | |
| # Exit new system and go into the cd shell | |
| exit | |
| # Unmount all partitions | |
| umount -R /mnt | |
| # Reboot into the new system, don't forget to remove the cd/usb | |
| reboot | |
| # Create keyfile for paswordless login | |
| dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin | |
| cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin | |
| and add to /etc/mkinitcpio.conf | |
| FILES=/crypto_keyfile.bin | |
| run: | |
| mkinitcpio -p linux | |
| # Reboot again, you’ll only need to enter your password once. | |
| reboot | |
| # Secure keyfile and /boot | |
| chmod 000 /crypto_keyfile.bin # actually, even root doesn't need to access this | |
| chmod -R g-rwx,o-rwx /boot # just to be safe | |
| # Optional: Install Light Desktop, Replace SystemD with OpenRC | |
| # Install Zen Kernel , X, DE, some basic tools | |
| pacman -S linux-zen linux-zen-headers irqbalance cpupower x86_energy_perf_policy \ | |
| pacman -S xorg-server xf86-video-intel xf86-video-nouveau xf86-input-synaptics \ | |
| xorg-utils xorg-xbacklight xorg-xinit xterm rxvt-unicode compton \ | |
| openbox tint2 spacefm conky scite dmenu clipit volumeicon slock \ | |
| nitrogen scrot xarchiver unzip unrar zip p7zip bash-completion \ | |
| rfkill ttf-liberation ttf-droid ttf-hack terminus-font powertop \ | |
| wget whois ethtool archey3 gvim tlc tk lzop udevil | |
| # Look and feel | |
| pacman -S gtk-engine-murrine numix-themes faenza-icon-theme | |
| # Office programs | |
| pacman -S scribus homebank libreoffice-fresh fbreader epdfview | |
| # Some graphics applications | |
| pacman -S gimp inkscape dia mtpaint gpicview graphicsmagick cups-pdf simple-scan | |
| # Utilities | |
| pacman -S stardict-lite aspell-en aspell-es hunspell-en hunspell-es \ | |
| mythes-en mythes-es hyphen-en hyphen-es perl-file-mimeinfo \ | |
| keepassx cherrytree zim gprename galculator gsimplecal | |
| # System tools | |
| pacman -S bleachbit nethogs gparted dosfstools ntfs-3g grsync gsmartcontrol \ | |
| lxterminal lxappearance lxtask obconf geany scite sshfs gpart \ | |
| nmap macchanger ghex yajl pssh wpa_actiond ifplugd gvfs dnsutils\ | |
| ifplugd gvfs dnsutils grsync xdotool alsa-plugins alsa-utils lsof | |
| # Multimedia | |
| pacman -S avidemux-gtk audacity guvcview gtk-recordmydesktop pragha winff \ | |
| handbrake mpv easytag smplayer deadbeef gst-plugins-bad \ | |
| gst-plugins-ugly gst-libav openshot libquicktime \ | |
| frei0r-plugins flashplayer youtube-dl rtmpdump atomicparsley | |
| # Network | |
| pacman -S pidgin pidgin-otr purple-skypeweb linphone xchat transmission-gtk \ | |
| uget filezilla claws-mail opera wireshark-gtk openvpn pptpclient \ | |
| xl2tpd torsocks | |
| # Virtualisation | |
| pacman -S virtualbox virtualbox-host-dkms wine-staging | |
| # Nvidia Optimus | |
| pacman -S --needed bumblebee primus bbswitch-dkms libva-intel-driver \ | |
| libva-mesa-driver libva-vdpau-driver mesa-vdpau nvidia-dkms \ | |
| nvidia-utils nvidia-settings mesa-demos | |
| # Development | |
| pacman -S nginx-mainline php php-apcu php-fpm php-gd php-mcrypt php-snmp \ | |
| php-tidy composer apache nghttp2 lighttpd openvpn \ | |
| mariadb xdebug nodejs ruby npm colordiff git jdk8-openjdk | |
| # Security | |
| pacman -S rkhunter clamav gufw | |
| # Install complementary software from AUR | |
| pacman -U package-query yaourt | |
| yaourt -S ananicy-git cdw csslint dbeaver evince2-light freeplane \ | |
| freshplayerplugin genymotion gtk-theme-numix-sx icecat-bin \ | |
| inox-bin lostfiles netcfg-git nodejs-jshint pepper-flash \ | |
| playerctl profile-cleaner purple-facebook purple-hangouts-hg \ | |
| spacefm-gtk2 sublime-text-dev thermald vibrancy-colors \ | |
| virtualbox-ext-oracle arch32-light megasync \ | |
| numix-themes-archblue-git numix-themes-archblue-git | |
| #################### Get rid of SystemD and Install OpenRC #################### | |
| # Add openrc-eudev repo to pacman.conf | |
| ... | |
| [openrc-eudev] | |
| SigLevel=PackageOptional | |
| Server=http://downloads.sourceforge.net/project/archopenrc/$repo/$arch | |
| ... | |
| # Sync OpenRC repo | |
| pacman -Syl openrc-eudev | |
| # Download packages | |
| pacman -Sw sysvinit openrc eudev udev-openrc eudev-systemd libeudev \ | |
| libeudev-systemd dbus-openrc procps-ng-nosystemd \ | |
| syslog-ng-nosystemd | |
| # Remove SystemD | |
| pacman -Rdd systemd libsystemd | |
| # Install OpenRC packages | |
| pacman -S --needed sysvinit openrc eudev udev-openrc eudev-systemd libeudev \ | |
| libeudev-systemd dbus-openrc procps-ng-nosystemd upower-pm-utils | |
| # Install basic system packages | |
| pacman -S --needed acpid-openrc alsa-utils-openrc autofs-openrc consolekit \ | |
| consolekit-openrc cgmanager-openrc cronie-openrc cups-openrc \ | |
| dbus-openrc dnsmasq fuse-openrc gnome-polkit haveged-openrc \ | |
| hdparm-openrc samba-openrc syslog-ng-openrc udisks2-nosystemd \ | |
| privoxy-openrc tor-openrc samba-openrc device-mapper-openrc lvm2-openrc | |
| # Some openrc start scripts and services | |
| pacman -S avahi-openrc apache-openrc thermald-openrc ntp-openrc tlp-pmu \ | |
| cpupower-openrc | |
| # TODO: Finish Configuration, Update |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment