@JindrichPilar
Last active February 23, 2023 22:56
Arch Linux on Asus ZenBook UX303LB

Warning

This is a log of how I installed and customized Arch Linux on the Asus ZenBook UX303LB. This is only a log of what I did, not what you should do! NO WARRANTY!

Specs

  • Intel Core i5 5200U
  • NVIDIA GeForce GT 940M
  • 8GB DDR3L
  • Micron M600 256GB
  • Asus specs

How to use

Read every command before using it. If you don't understand it, don't run it. Each section contains links to important Arch wiki articles. Read them before running any commands. Commands are in the order of the Arch wiki articles, and I recommend following the Arch wiki step by step while running them.

Basic system install

Update firmware

SSD

Check current version

hdparm -I /dev/sda | grep Firmware

Find newer M600 SSD firmware

Enable SSH for installation

Install from SSH

  • Boot from ISO/disk/flash.
  • Boot into correct version (UEFI x86_amd64)
  • Change the root password (passwd) - password only for installation
  • Check internet connection (ip address) - if not connected, connect
  • Start the SSH daemon (systemctl start sshd.service)
  • Connect from another device with ssh (user: root)

Arch guide

Beginners guide, Installation guide, Btrfs with compression

Set clock

timedatectl set-ntp true

Partitioning

Disk encryption with LUKS and BTRFS, Why autodefrag on SSD

Separate boot, data, and swap partitions. (The data partition will be chopped up with btrfs subvolumes.)

Partitioning (cfdisk to see current layout)

parted /dev/sda mklabel gpt

# sda1 EFI boot partition
parted /dev/sda mkpart ESP fat32 1MiB 513MiB
parted /dev/sda set 1 boot on

# sda2 swap (Maybe not mark as linux swap because of encryption)
parted /dev/sda mkpart primary linux-swap      513MiB  8.5GiB

# sda3 data
parted /dev/sda mkpart primary btrfs            8.5GiB  100%

Create LUKS encrypted partition

# Find out how fast are ciphers on your machine (AES should have hardware acceleration therefore win)
cryptsetup benchmark 

# Make data partition LUKS formatted
cryptsetup --cipher aes-xts-plain64 --key-size 512 --use-random --verify-passphrase luksFormat /dev/sda3

# Check if everything looks good
cryptsetup luksDump /dev/sda3

# Open encrypted partition
cryptsetup open --type luks /dev/sda3 cryptdata

#Create BTRFS on cryptdata
mkfs.btrfs -L data /dev/mapper/cryptdata

# Mount BTRFS with flags
mount /dev/mapper/cryptdata /mnt -t btrfs -o defaults,noatime,nodiratime,discard,autodefrag,ssd,compress=lzo,space_cache

# Create subvolumes
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home
btrfs subvolume create /mnt/@boot

# Mount subvolumes
umount /mnt
mount -o defaults,noatime,nodiratime,discard,autodefrag,ssd,compress=lzo,space_cache,subvol=@ /dev/mapper/cryptdata /mnt
mkdir /mnt/home
mount -o defaults,noatime,nodiratime,discard,autodefrag,ssd,compress=lzo,space_cache,subvol=@home /dev/mapper/cryptdata /mnt/home
mkdir /mnt/boot
mount -o defaults,noatime,nodiratime,discard,autodefrag,ssd,compress=lzo,space_cache,subvol=@boot /dev/mapper/cryptdata /mnt/boot

TRIM support

http://blog.neutrino.es/2013/howto-properly-activate-trim-for-your-ssd-on-linux-fstrim-lvm-and-dmcrypt/

Create EFI boot partition

mkfs.vfat -F32 /dev/sda1
mkdir -p /mnt/boot/efi
mount /dev/sda1 /mnt/boot/efi

Encrypted swap

mkswap /dev/sda2
swapon /dev/sda2
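
The two commands above put swap straight onto /dev/sda2 with no dm-crypt mapping underneath, so pages swapped out of RAM are written to the SSD unencrypted. The check below is an added example, not part of the original log: it lists active swap partitions that are not dm-crypt devices by looking for the `CRYPT-` prefix that cryptsetup gives its device-mapper UUIDs. The function name and its two optional arguments are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original log): report active swap partitions
# that are not backed by a dm-crypt mapping.

# $1 = swaps table (default /proc/swaps), $2 = sysfs root (default /sys)
# Prints one "PLAINTEXT <device>" line per unencrypted swap partition.
# Returns 1 if any was found, 0 otherwise.
plaintext_swap() {
    ps_table=${1:-/proc/swaps}
    ps_sys=${2:-/sys}
    ps_rc=0
    # Skip the header row; only partition-backed swap is examined here
    # (swap files and zram need to be judged by their backing store).
    for ps_dev in $(awk 'NR > 1 && $2 == "partition" { print $1 }' "$ps_table"); do
        # /dev/mapper/<name> is a symlink to /dev/dm-N; resolve it if possible.
        ps_real=$(readlink -f "$ps_dev" 2>/dev/null || printf '%s' "$ps_dev")
        ps_name=${ps_real##*/}
        # dm-crypt mappings expose a UUID starting with "CRYPT-" in sysfs.
        ps_uuid=$(cat "$ps_sys/block/$ps_name/dm/uuid" 2>/dev/null || true)
        case "$ps_uuid" in
            CRYPT-*) ;;
            *) printf 'PLAINTEXT %s\n' "$ps_dev"; ps_rc=1 ;;
        esac
    done
    return "$ps_rc"
}

# Check the running system only when asked to: ./script --live
if [ "${1:-}" = "--live" ]; then
    plaintext_swap
fi
```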

Installation mirrors

To speed things up.

pacman -Syy reflector
reflector --sort rate --save /etc/pacman.d/mirrorlist -f 5 -n 10 -p https

Pacstrap

# btrfs-progs  required for disk encryption
# neovim for file editing
pacstrap -i /mnt base base-devel btrfs-progs neovim

fstab

genfstab -U /mnt > /mnt/etc/fstab

Chroot

arch-chroot /mnt /bin/bash

Swap settings

There is only an SSD, so we want to reduce swapping as much as possible.

https://en.wikipedia.org/wiki/Swappiness
https://rudd-o.com/linux-and-free-software/tales-from-responsivenessland-why-linux-feels-slow-and-how-to-fix-that

echo "vm.swappiness=10" > /etc/sysctl.d/99-sysctl.conf

Locale

cat >/etc/locale.gen <<END
en_US.UTF-8 UTF-8
cs_CZ.UTF-8 UTF-8
END

locale-gen
echo LANG=en_US.UTF-8 > /etc/locale.conf

TimeZone

ln -sf /usr/share/zoneinfo/Europe/Prague /etc/localtime
hwclock --systohc --utc

Makepkg

Compile C/C++ to this architecture. Remove compression to make installation faster (you are not sharing the packages). Edit to this:

CFLAGS="-march=native -mtune=native -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4"
CXXFLAGS="-march=native -mtune=native -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4"
PKGEXT='.pkg.tar' #No compression
nvim "+/^CFLAGS" /etc/makepkg.conf

Disable AUR compression or make it parallel

When using AUR, your machine will create a new Arch package (compress it) and then immediately install it (decompress it). You can disable compression (but the backup of the package will take more space) or use a parallel compressor.

nvim "+/^COMPRESSGZ" /etc/makepkg.conf
COMPRESSGZ=(pigz -c -f -n)

PKGEXT='.pkg.tar.gz'

Keyfile to avoid double typing password

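# iflag=fullblock makes dd retry short reads so the keyfile really is 4 x 512 bytes
dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock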
chmod 000 /crypto_keyfile.bin
chmod 600 /boot/initramfs-linux*
cryptsetup luksAddKey /dev/sda3 /crypto_keyfile.bin

# set FILES="/crypto_keyfile.bin"
nvim +/FILES= /etc/mkinitcpio.conf
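
Because FILES= copies /crypto_keyfile.bin into the initramfs, every initramfs image under /boot carries a copy of the LUKS key and needs the same protection as the keyfile itself. The audit below is an added example, not part of the original log; the function names are hypothetical and it assumes GNU stat.

```shell
#!/bin/sh
# Added example (not from the original log): audit the keyfile setup above.

# Succeeds if an active (uncommented) FILES= line in mkinitcpio.conf
# names the keyfile. $1 = mkinitcpio.conf, $2 = keyfile path
keyfile_embedded() {
    grep -E '^[[:space:]]*FILES=' "$1" | grep -Fq -- "$2"
}

# Print each existing path that grants any group/other permission bit.
# Returns 1 if at least one path is exposed, 0 otherwise.
exposed_paths() {
    ep_rc=0
    for ep_path in "$@"; do
        [ -e "$ep_path" ] || continue
        ep_mode=$(stat -c '%a' "$ep_path")      # GNU stat: octal mode, e.g. 600
        if [ $(( 0$ep_mode & 077 )) -ne 0 ]; then
            printf 'EXPOSED %s (mode %s)\n' "$ep_path" "$ep_mode"
            ep_rc=1
        fi
    done
    return "$ep_rc"
}

# If the keyfile is embedded, the initramfs images hold the key too, so
# they are checked along with it. $1 = conf, $2 = keyfile, rest = images
audit_keyfile_setup() {
    ak_conf=$1
    ak_key=$2
    shift 2
    if keyfile_embedded "$ak_conf" "$ak_key"; then
        exposed_paths "$ak_key" "$@"
    else
        exposed_paths "$ak_key"
    fi
}

# Check the installed system (paths from this log) only when asked to:
# ./script --live
if [ "${1:-}" = "--live" ]; then
    audit_keyfile_setup /etc/mkinitcpio.conf /crypto_keyfile.bin /boot/initramfs-linux*
fi
```

Run it again after every `mkinitcpio -p linux`, since regenerated images may not keep the mode set by the earlier chmod.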

Initramfs

## Add hooks keyboard keymap encrypt  HOOKS="... encrypt ... filesystems ..."
nvim +/^HOOKS= /etc/mkinitcpio.conf
## BINARIES="/usr/bin/btrfs"
nvim +/^BINARIES= /etc/mkinitcpio.conf
mkinitcpio -p linux

Boot loader

Intel microcode

Allow passing TRIM command for encrypted device and luks.options

Enable Zswap to trade cpu for ram. (faster than swapping and saves SSD). Check zswap is running.

# Install
pacman -S grub dosfstools efibootmgr intel-ucode
grub-mkconfig -o /boot/grub/grub.cfg

# Configure encryption
## Add crypt device to GRUB GRUB_CMDLINE_LINUX="rd.luks.options=discard zswap.enabled=1 cryptdevice=/dev/sda3:cryptdata:allow-discards"
nvim +/^GRUB_CMDLINE_LINUX= /etc/default/grub
## Enable BOOT partition encryption
echo "GRUB_ENABLE_CRYPTODISK=y" >>  /etc/default/grub

# Generate final config
grub-mkconfig -o /boot/grub/grub.cfg
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --recheck

BASE

pacman -S base vim neovim btrfs-progs 

Hostname

echo 'r2d2-laptop' > /etc/hostname
echo '127.0.0.1 localhost.localdomain localhost r2d2-laptop' > /etc/hosts

Set root password

passwd

Create non-root user

# add this line to allow all members of wheel to use sudo `%wheel      ALL=(ALL) ALL`
# No semicolon: the assignment must be part of the visudo command so that visudo sees EDITOR
EDITOR=nvim visudo

pacman -S zsh
echo "ZDOTDIR=\$HOME/.config/zsh" >> /etc/zsh/zshenv
useradd -m -s /bin/zsh -G wheel $USERNAME
passwd $USERNAME

Pacman mirrors

To speed things up. (yes again)

pacman -S reflector
reflector --sort rate --save /etc/pacman.d/mirrorlist -f 5 -n 10 -p https

Enable TRIM for encryption

docs

 vim "+/issue_discards ="  /etc/lvm/lvm.conf 

Install connection manager

Connection Manager

pacman -S connman wpa_supplicant
cat > /etc/udev/rules.d/10-network.rules <<END
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="$(cat /sys/class/net/enp*/address)", NAME="net0"
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="$(cat /sys/class/net/wlp*/address)", NAME="wifi0"
END
systemctl enable connman.service

Optional SSH server

If you wish to continue software installation and configuration via SSH, you need to install an SSH server.

pacman -S openssh
echo "AllowUsers    $USERNAME" >> /etc/ssh/sshd_config
echo "PermitRootLogin no" >> /etc/ssh/sshd_config
systemctl enable sshd.service
systemctl start sshd.service

Reboot

exit
umount -R /mnt
reboot

Disable root account

sudo passwd -l root

Pacaur

Run as non root user

git clone "https://aur.archlinux.org/cower.git"
cd cower
makepkg --syncdeps --noconfirm  --skippgpcheck
sudo -S pacman -U cower*.tar.xz --noconfirm

git clone "https://aur.archlinux.org/pacaur.git"
cd pacaur
makepkg --syncdeps --noconfirm  --skippgpcheck
sudo -S pacman -U pacaur*.tar.xz --noconfirm

Arch laptop guide

General laptop installation Asus ZenBook UX303 arch wiki

Touchpad

pacaur -S xf86-input-synaptics

Keyboard

Extra keys

Backlight

Backlight: use acpilight. It works outside of X and has an API that is backwards compatible with xbacklight.

Power

  • https://wiki.archlinux.org/index.php/Display_Power_Management_Signaling
  • https://wiki.archlinux.org/index.php/Power_management/Suspend_and_hibernate
  • https://wiki.archlinux.org/index.php/Power_management
  • https://wiki.archlinux.org/index.php/Acpid
  • https://wiki.archlinux.org/index.php/Pm-utils

TLP (replacement for Laptop mode tools)

pacaur -S tlp smartmontools ethtool x86_energy_perf_policy
systemctl enable tlp-sleep.service --now
systemctl enable tlp.service --now

Desktop

X server

libinput instead of evdev

# uses acpilight instead of xorg-xbacklight because it uses device directly and works without xorg-server (from CLI or in Wayland)
pacaur -S xorg-server xorg-xinit xorg-xrandr  acpilight  xf86-input-libinput

# Java has a problem with certain WMs like bspwm
echo "export _JAVA_AWT_WM_NONREPARENTING=1" >> .xinitrc

Audio

pacman -S pulseaudio pulseaudio-alsa pavucontrol 

DateTime

Chrony

Keyboard

# grp:win_space_toggle switches layouts with Win+Space
localectl set-x11-keymap us,cz pc104 ',' grp:win_space_toggle

Language

localectl set-locale LANG=en_US.UTF-8 LANGUAGE=en_US:en

Network

DNS

DNSCrypt

DNSCrypt

pacman -S dnscrypt-proxy

mkdir /etc/systemd/system/dnscrypt-proxy.socket.d/
cat > /etc/systemd/system/dnscrypt-proxy.socket.d/override.conf <<END
[Socket]
ListenStream=
ListenDatagram=
ListenStream=127.0.0.1:40
ListenDatagram=127.0.0.1:40
END


mkdir /etc/systemd/system/dnscrypt-proxy.service.d
cat > /etc/systemd/system/dnscrypt-proxy.service.d/override.conf <<END
[Service]
ExecStart=
ExecStart=/usr/bin/dnscrypt-proxy -R dnscrypt.eu-nl
END

Pdnsd

Pdnsd

pacman -S pdnsd

#Without it pdnsd will not start
mkdir /var/cache/pdnsd
touch /var/cache/pdnsd/pdnsd.cache

cat > /etc/pdnsd.conf <<END
global {
    perm_cache=1024;
    cache_dir="/var/cache/pdnsd";
    run_as="pdnsd";
    server_ip = 127.0.0.1;
    status_ctl = on;
    query_method=udp_tcp;
    min_ttl=15m;       # Retain cached entries at least 15 minutes.
    max_ttl=1w;        # One week.
    timeout=10;        # Global timeout option (10 seconds).
    neg_domain_pol=on;
    udpbufsize=1024;   # Upper limit on the size of UDP messages.
    interface = any;
    verbosity=3;
    debug=on;
}

server {
    label = "dnscrypt-proxy";
    ip = 127.0.0.1;
    port = 40;
    timeout = 4;
    interface = any;
    uptest = none;
    interval = 15m;
    proxy_only=on;
    caching=on;
}

source {
    owner=localhost;
    file="/etc/hosts";
}


rr {
    name=localhost;
    reverse=on;
    a=127.0.0.1;
    owner=localhost;
    soa=localhost,root.localhost,42,86400,900,86400,86400;
}
END

System DNS settings

echo "nameserver 127.0.0.1" > /etc/resolv.conf
#Prevent other software from changing nameserver
chattr +i /etc/resolv.conf

systemctl enable dnscrypt-proxy.socket --now
systemctl enable pdnsd --now

Connman

mkdir -p  /etc/connman
cat > /etc/connman/main.conf <<END
[General]
SingleConnectedTechnology=true
PreferredTechnologies=ethernet,wifi
AllowHostnameUpdates=false
BackgroundScanning=false
FallbackTimeservers=
FallbackNameservers=127.0.0.1
DefaultAutoConnectTechnologies=
END

Graphics

Hybrid graphics

Optional Multilib

For gaming on steam Multilib

#Uncomment
##[multilib]
##Include = /etc/pacman.d/mirrorlist

vim -c '/\[multilib\]' /etc/pacman.conf

Mesa

pacaur -S mesa libva-mesa-driver mesa-demos

Intel

Intel drivers

Intel graphics

pacaur -S xf86-video-intel intel-gpu-tools libva-intel-driver  libva-utils  

check

vainfo

Nvidia (Optional)

NVIDIA Optimus Optimus sucks. Gonna buy AMD for laptop next time.

Nvidia drivers

NVIDIA graphics Use nvidia-xrun bspwm to run desktop on Nvidia (other switch methods didn't work well for me)

pacaur -S nvidia-dkms bbswitch-dkms nvidia-xrun

# Disable nvidia card by default
echo 'bbswitch ' > /etc/modules-load.d/bbswitch.conf
echo 'options bbswitch load_state=0 unload_state=1' > /etc/modprobe.d/bbswitch.conf 
echo "blacklist nouveau" > /etc/modprobe.d/nouveau_blacklist.conf 

Security

Firewall

Uncomplicated firewall

pacman -S ufw

ufw default deny incoming
ufw default deny outgoing

#Localhost
ufw allow from 127.0.0.1 
ufw allow to 127.0.0.1 

ufw allow out https
ufw allow out http
ufw allow out ssh
ufw allow out smtp
ufw allow out imaps
ufw allow out ftp

#DNSCrypt 443
ufw allow out 443

#pacman
ufw allow out 80
ufw allow out 21

ufw  enable
systemctl enable ufw --now
ping archlinux.org

Install software

APPS=""
APPS="$APPS  gcc clang curl make cmake"; #Compiling
APPS="$APPS  opus opusfile libvorbis gstreamer ffmpeg libmad" #Codecs
APPS="$APPS  xclip" #Copy to clipboard
APPS="$APPS  php php-composer";
APPS="$APPS  python-pip"
APPS="$APPS  cppcheck"; #C/CPP
APPS="$APPS  libxml2"; #XML
APPS="$APPS  lm_sensors";  #lm-sensors
APPS="$APPS  tmux htop";
APPS="$APPS  git tig"; #Source control
APPS="$APPS  aspell aspell-cs"; # Spelling checker
APPS="$APPS  newsboat"; #News
APPS="$APPS  mpv"; #Video
APPS="$APPS  vifm"; #File management
APPS="$APPS  tree"; #Tree view in vifm
APPS="$APPS  pdfgrep"; #Search in PDF
APPS="$APPS  ncdu"; #Disk usage
APPS="$APPS  nethogs nmon nmap"; #Network
APPS="$APPS  rkhunter clamav"; #Evil detection
APPS="$APPS  gnupg pinentry"
APPS="$APPS  cryptsetup"
APPS="$APPS  w3m"; #Terminal web browser
APPS="$APPS  gufw"; #Firewall
APPS="$APPS  zsh"; #ZSH shell
APPS="$APPS  gparted"; #Partitioning tool
APPS="$APPS  dunst"; #Notification daemon
APPS="$APPS  aria2"; #Downloader
APPS="$APPS  expac"; #pacaur dependency
APPS="$APPS  pygmentize"; #Syntax highlighting (use with cat)
APPS="$APPS  p7zip zip unzip unrar"; #Compression
APPS="$APPS  pixz"; #Parallel xz compression
APPS="$APPS  pigz"; #Parallel gzip compression
APPS="$APPS  pbzip2"; #Parallel bzip2 compression
APPS="$APPS  neovim python-neovim" #Neovim + plugin languages
APPS="$APPS  perl-json"; #JSON libraries for perl
APPS="$APPS  wpa_supplicant pptpclient ppp" #Eduroam 
APPS="$APPS  bc" #Math
APPS="$APPS  redshift" #Color in night
APPS="$APPS  exfat-utils" #exFAT filesystem (SD cards). COPY with cfq lags system. Use noop scheduler.
APPS="$APPS  docker" #Docker
APPS="$APPS  sshuttle" #For nice tunnels
APPS="$APPS  ntfs-3g" #For Microsoft NTFS compatibility
APPS="$APPS  dosfstools" # For FAT filesystem
APPS="$APPS  jq" #JSON querying and formatting
APPS="$APPS  adobe-source-han-sans-otc-fonts  adobe-source-han-serif-otc-fonts" #Japanese, Chinese, Korean fonts
APPS="$APPS  pavucontrol" # Sound volume GUI (can change outputs when using HDMI, laptop speakers and headphones. Had trouble with alsamixer)
APPS="$APPS  ripgrep"; #Code grep
APPS="$APPS  youtube-dl"; #Youtube downloader
APPS="$APPS  rofi"; #menu for X (dmenu replacement)
APPS="$APPS  texlive-bin"; #Text format converter chktex included
APPS="$APPS  sxiv"; #Image viewer
APPS="$APPS  bspwm";
APPS="$APPS  exa"; #Alternative to ls and supercrabtree/k
APPS="$APPS  x11-ssh-askpass"; # Graphical input of password for sudo (required for :SudoWrite in Eunuch.vim)
APPS="$APPS  sshfs"; # Mount SSH/FTP to a local dir
APPS="$APPS  moreutils"; # Contains the "vipe" util

APPS="$APPS  borg borgmatic python-llfuse"; # Backup tools and library to mount backups using FUSE 
APPS="$APPS  shellcheck-git"; #Shell lint
APPS="$APPS  frei0r-plugins-git"; #Plugins for mvc
APPS="$APPS  scrub"; #Secure delete
APPS="$APPS  bleachbit-cli"; #Clean stuff
APPS="$APPS  urlview"; #Urlview for opening urls from tmux pane (ctrl + b, u)
APPS="$APPS  detox"; #Make filenames shell friendly
APPS="$APPS  dtrx"; #Do The Right Extraction
APPS="$APPS  zathura-pdf-mupdf-git foxitreader"; #PDF viewer
APPS="$APPS  cheat-git"; #Managing cheat sheets from terminal
APPS="$APPS  prezto-git"; #zsh framework
APPS="$APPS  vim-plug"; #Vim plugin manager
APPS="$APPS  deepin-screenshot"; #Screenshots
APPS="$APPS  ctop"; #Docker top
APPS="$APPS  rar"; 
APPS="$APPS  java-runtime-common java-environment-common"; # Common Java packages
APPS="$APPS  jre7-openjdk jdk7-openjdk"; # Java7
APPS="$APPS  jre8-openjdk jdk8-openjdk"; # Java8
APPS="$APPS  jre9-openjdk jdk9-openjdk"; # Java9
APPS="$APPS  jre10-openjdk jdk10-openjdk"; # Java10
APPS="$APPS  bat fd"; # Mix of tools
APPS="$APPS  polybar"; # Status bar for the window manager
# $APPS is deliberately unquoted so the shell splits it into one argument per package
pacaur -Syyu --needed --noconfirm --devel --noedit $APPS

Run init scripts

Update zsh plugins

antigen update;

Change users default shell to ZSH

sudo chsh -s /bin/zsh $(whoami)

Setup lm-sensors

sudo /usr/sbin/sensors-detect

Rofi instead of dmenu

rm /usr/bin/dmenu;
ln -s  /usr/bin/rofi /usr/bin/dmenu; #Drop in replace dmenu

For IDEs to be able to watch the file system

https://confluence.jetbrains.com/display/IDEADEV/Inotify+Watches+Limit

# No trailing \n: echo already ends the line, and a literal "\n" would end up in the file
echo "fs.inotify.max_user_watches = 524288" > /etc/sysctl.d/idea.conf
sudo sysctl -p --system

Docker

gpasswd -a $USERNAME docker

FiraCode font (for termite)

pacaur -S otf-fira-code 

Pacman

pacman.conf - enable TotalDownload, VerbosePkgLists, ILoveCandy, HookDir and CacheDir

/etc/pacman.d/hooks/reflector.hook

[Trigger]
Type = Package
Operation = Install
Operation = Upgrade
Target = pacman-mirrorlist

[Action]
Description = Updating mirrorlist...
When = PostTransaction
Depends = reflector
Exec = sudo reflector --verbose --latest 40 --number 10 --sort rate --protocol https --save /etc/pacman.d/mirrorlist