@afaikiac
Last active April 15, 2023 22:15

Arch LUKS Btrfs Systemd-boot Systemd-networkd + iwd

This guide explains how to install Arch Linux:

  • on Btrfs with a swapfile
  • inside a LUKS container
  • on a single device (an SSD in my case)
  • using systemd-boot as the boot loader
  • with systemd-networkd + iwd managing the network
  • plus some extra features

You run every command at your own risk; double-check each one!

I would like to thank my friend @wthoutanymmries. This guide wouldn't have appeared if not for his help. I'm glad I have him!

This guide is up to date as of 07.2022. It is based on what we considered best practices, as well as on many articles from the ArchWiki and other official resources.

For me, the main goal was to put together a set of links for each step of the installation, so that this guide can always be easily updated or adapted to other hardware.

Secret keys

Before a clean install, don't forget to backup your secret keys.

# GPG
gpg --export-secret-keys --armor --output privkey.asc $username

# SSH
cp -r $HOME/.ssh $path

To import the backup of your private key:

# GPG
gpg --import privkey.asc

# SSH
chmod go-w ~
chmod 700 ~/.ssh
chmod 600 ~/.ssh/*
chown -R $USER ~/.ssh

arch#GnuPG#Backup your private key

arch#OpenSSH#Checklist
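
As an added example (not part of the original gist), here is a small POSIX shell audit for the permissions the SSH restore steps above establish. It checks the same three conditions the chmod lines set, which are also the ones ssh checks before it silently ignores a private key; the directory tree in its demo is constructed in a temp dir, so nothing touches a real home directory.

```shell
#!/bin/sh
# Added example, not part of the original gist: audit the permissions that
# the "SSH" restore steps above set (home dir not group/other writable,
# ~/.ssh mode 700, every file inside mode 600). Pass the home directory.

# Octal permission digits of a path, e.g. 700 (GNU stat, BSD stat fallback);
# a leading zero is stripped so the shell does not read the digits as octal.
mode_of() {
    { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; } | sed 's/^0*\([0-9]\)/\1/'
}

# Exit 0 when everything matches the restore steps, 1 after printing each problem.
check_ssh_perms() {
    home_dir=$1
    ssh_dir=$home_dir/.ssh
    bad=0

    # 1. `chmod go-w ~`: neither the group nor the "other" digit may carry the
    #    write bit (value 2). Decimal digit arithmetic is fine because each
    #    octal digit is 0-7.
    m=$(mode_of "$home_dir")
    if [ $(( (m / 10 % 10) & 2 )) -ne 0 ] || [ $(( (m % 10) & 2 )) -ne 0 ]; then
        echo "home dir is group/other writable (mode $m): $home_dir"
        bad=1
    fi

    # 2. `chmod 700 ~/.ssh`: the last two digits must both be zero.
    if [ ! -d "$ssh_dir" ]; then
        echo "missing directory: $ssh_dir"
        return 1
    fi
    m=$(mode_of "$ssh_dir")
    if [ $(( m % 100 )) -ne 0 ]; then
        echo "ssh dir is accessible to group/other (mode $m): $ssh_dir"
        bad=1
    fi

    # 3. `chmod 600 ~/.ssh/*`: same rule for every regular file inside.
    for f in "$ssh_dir"/*; do
        [ -f "$f" ] || continue
        m=$(mode_of "$f")
        if [ $(( m % 100 )) -ne 0 ]; then
            echo "file is accessible to group/other (mode $m): $f"
            bad=1
        fi
    done

    return $bad
}

# Demo on a constructed directory tree; nothing here touches a real $HOME.
demo=$(mktemp -d)
mkdir "$demo/.ssh"
: > "$demo/.ssh/id_ed25519"
: > "$demo/.ssh/config"
chmod 755 "$demo" && chmod 700 "$demo/.ssh" && chmod 600 "$demo/.ssh"/*
check_ssh_perms "$demo" && echo "audit passed for $demo"
chmod 644 "$demo/.ssh/config"
check_ssh_perms "$demo" || echo "audit failed as expected after loosening config"
rm -rf "$demo"
```

Run it as `check_ssh_perms /home/$username` after the `cp -r` restore; ownership (`chown -R`) is not covered by the mode digits, so keep that step as well.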

USB flash installation medium

Download archiso and archiso.sig.

archiso=$HOME/Downloads/archlinux-2022.07.01-x86_64.iso
archiso_sig=$HOME/Downloads/archlinux-2022.07.01-x86_64.iso.sig

gpg --auto-key-locate clear,wkd -v --locate-external-key pierre@archlinux.de
gpg --verify $archiso_sig $archiso
$ lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
sdc      8:32   1  14.9G  0 disk
...

$ device=/dev/sdc

$ sudo wipefs --all $device

$ sudo dd bs=4M if=$archiso of=$device conv=fsync oflag=direct status=progress

arch#USB flash installation medium

Pre-installation

Connect to the internet

iwctl

[iwd] device list
# assume device name is wlan0
[iwd] station wlan0 scan
[iwd] station wlan0 get-networks
# you can skip previous steps if you know your device name and SSID
[iwd] station wlan0 connect CooLWiFi5G

It might be a good idea to set up SSH access to the live system:

# this sets the root password only for the running archiso session
passwd

ip a

ssh root@192.168...

Verify the boot mode

$ ls /sys/firmware/efi/efivars
AcpiGlobalVariable-c020489e-6db2-4ef2-9aa5-ca06fc11d36a
ActiveVgaDev-59d1c24f-50f1-401a-b101-f33e0daed443
...

Update the system clock

# set the time now, so you don't find out later that the filesystems were created "in the future"
timedatectl set-ntp true && timedatectl set-timezone Europe/Moscow

# recheck
timedatectl status

Select device

$ lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
loop0    7:0    0 689.8M  1 loop /run/archiso/airootfs
sda      8:0    0 465.8G  0 disk

# set device var for future operations
device=/dev/sda
# recheck
echo $device

# tip: clearly formatted summary of all block devices, their partition labels, filesystem labels, UUIDs and partition UUIDs
$ lsblk -o +LABEL,PARTLABEL,UUID,PARTUUID

Solid drive clearing

If you have an NVMe/SSD device, check the article arch#Solid state drive first.

In the case of a SATA drive:

Warning:

  • Triple check that the correct drive designation is used. There is no turning back once the command is confirmed. You have been warned.
  • Ensure that the drive is not mounted when this is run. If a secure erase command is issued while the device is mounted, it will not erase properly.
# make sure the drive security is not frozen
$ hdparm -I $device | grep frozen
 not frozen

# enable security by setting a user password
$ hdparm --user-master u --security-set-pass PasSWorD $device
security_password: "PasSWorD"

/dev/sda:
 Issuing SECURITY_SET_PASS command, password="PasSWorD", user=user, mode=high

# as a sanity check, issue the following command
# the command output should display "enabled"
$ hdparm -I $device
...
Security:
        Master password revision code = 65534
                supported
                **enabled**
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        Security level high
        4min for SECURITY ERASE UNIT. 8min for ENHANCED SECURITY ERASE UNIT.
...

# issue the ATA Secure Erase command
$ time hdparm --user-master u --security-erase PasSWorD $device
security_password: "PasSWorD"

/dev/sda:
 Issuing SECURITY_ERASE command, password="PasSWorD", user=user

# recheck the drive security is set to disabled
$ hdparm -I $device
...
Security:
        Master password revision code = 65534
                supported
        **not     enabled**
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        4min for SECURITY ERASE UNIT. 8min for ENHANCED SECURITY ERASE UNIT.
...

$ time xxd -a $device
0000000: 0000 0000 0000 0000 0000 0000 0000 0000  ................
...
reboot

arch#Solid state drive/Memory cell clearing

ubuntu#best way to wipe a drive

Define device sector size

Check that the device reports the correct sector size. Compare the result with the documentation for the device.

$ device=/dev/sda

$ LC_ALL=C.UTF-8 fdisk -l $device | grep 'Sector size'
Sector size (logical/physical): 512 bytes / 512 bytes

# Ok! It's correct for my Samsung SSD 860 EVO M.2

$ sectorsize=512
$ echo $sectorsize

`sectorsize` is used only when creating the boot filesystem (FAT32).

Important:

  • LUKS2 and Btrfs detect the sector size automatically if the device reports it correctly. If it doesn't, you must set the sector size manually or change it on the device.
  • It's possible to change the sector size on NVMe if needed.

arch#Advanced Format#Setting native sector size

arch#Talk:Advanced Format#Rewrite Advanced Format to a new Sector Sizes page + and related articles to this section

Wipe on an empty disk

Tip: This step doesn't seem to be necessary if you have already cleaned the drive using the previous method.

Important: this MAY BE DESTRUCTIVE TO SOLID-STATE DRIVES; check the related articles first.

# create a temporary encrypted container on the device/partition
#
# -d
#    read the passphrase from file
$ cryptsetup open --type plain -d /dev/urandom $device to_be_wiped

# recheck
$ lsblk
NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
...
vda           254:0    0    20G  0 disk
└─to_be_wiped 252:0    0    20G  0 crypt

# wipe the container with zeros
$ dd if=/dev/zero of=/dev/mapper/to_be_wiped status=progress

# finally, close the temporary container
$ cryptsetup close to_be_wiped

arch#dm-crypt/Drive preparation

Partition the disks

The EFI partition can't be encrypted (it can only be signed for Secure Boot), so it must be a separate partition.

# --clear
#         clear out all partition data (just in case) :)
$ sgdisk --clear \
    --new=1:0:+550MiB --typecode=1:ef00 --change-name=1:EFI \
    --new=2:0:0       --typecode=2:8300 --change-name=2:cryptsystem \
    $device

# recheck
$ lsblk -o +PARTLABEL
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS           PARTLABEL
...
sda      8:0    0 465.8G  0 disk
├─sda1   8:1    0   550M  0 part                       EFI
└─sda2   8:2    0 465.2G  0 part                       cryptsystem

arch#Partition type:

  • ef00 — EFI system partition
  • 8300 — Linux filesystem

Encrypt System Partition

Info: reddit#Full disk encryption on an ssd

arch#Encrypting devices with cryptsetup

# formatting LUKS partition
$ cryptsetup luksFormat /dev/disk/by-partlabel/cryptsystem

#  Unlocking/Mapping LUKS partitions with the device mapper
$ cryptsetup \
    --perf-no_read_workqueue --perf-no_write_workqueue \
    --persistent \
    open \
    /dev/disk/by-partlabel/cryptsystem \
    system

# recheck
$ cryptsetup luksDump /dev/disk/by-partlabel/cryptsystem | grep Flags
Flags:        no-read-workqueue no-write-workqueue

--persistent — stores the flags below in the LUKS header so that they become the device's default flags.

Important: do NOT use --allow-discards (see arch#Discard/TRIM support for solid state drives (SSD)); enable periodic TRIM instead.

--perf-no_read_workqueue --perf-no_write_workqueue — see arch#Disable workqueue for increased solid state drive (SSD) performance.

arch#Persistent block device naming:

# tip
$ ls -l /dev/disk/by-partlabel/
total 0
lrwxrwxrwx 1 root root 10 Jun 30 23:31 EFI -> ../../vda1
lrwxrwxrwx 1 root root 10 Jun 30 23:31 cryptsystem -> ../../vda2

Format the filesystem

# recheck
$ lsblk -o +PARTLABEL
NAME       MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS           PARTLABEL
loop0        7:0    0 689.8M  1 loop  /run/archiso/airootfs
sda          8:0    0 465.8G  0 disk
├─sda1       8:1    0   550M  0 part                        EFI
└─sda2       8:2    0 465.2G  0 part                        cryptsystem
  └─system 254:0    0 465.2G  0 crypt

# `-n` — sets the volume name (label) of the filesystem
$ mkfs.fat -F32 -S $sectorsize -n EFI /dev/disk/by-partlabel/EFI

$ mkfs.btrfs -L system /dev/mapper/system

# recheck
$ blkid
...
/dev/mapper/system: LABEL="system" UUID="e7b7e02a-b671-4725-afab-ca578a88711d" UUID_SUB="e8d65a84-2a8b-492b-9eba-c5481848fd5f" BLOCK_SIZE="4096" TYPE="btrfs"
/dev/sda2: UUID="122f84f9-d51b-4d58-b40d-10706ebfcd6e" TYPE="crypto_LUKS" PARTLABEL="cryptsystem" PARTUUID="3002a751-a48a-4dba-a026-9f4d2a3ce41d"
/dev/sda1: LABEL_FATBOOT="EFI" LABEL="EFI" UUID="4517-7348" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="EFI" PARTUUID="5db1228b-293d-482b-be58-48d6062af92c"

arch#btrfs#File system on a single device

Create btrfs subvolumes

My flat layout:

toplevel                  (volume root directory, to be mounted at /)
+-- _root                 (subvolume root directory, to be mounted at /)
+-- _srv                  (subvolume root directory, to be mounted at /srv)
+-- usr/_local            (subvolume root directory, to be mounted at /usr/local)
+-- var                   (directory)
    |-- _tmp              (subvolume root directory)
    |-- _cache            (subvolume root directory)
    |-- _crash            (subvolume root directory)
    \-- _log              (subvolume root directory)
+-- _swap                 (subvolume root directory, to be mounted at /swap)
+-- _home                 (subvolume root directory, to be mounted at /home)
+-- home                  (directory)
    +-- dl2718            (directory)
        \-- _cache        (subvolume root directory, to be mounted at /home/dl2718/.cache)

Info: The user's subvolumes are created after the user, because creating $HOME's folders manually is not a good idea. The whole process is described in: Subvolume for user.

Info: Distinct names for the subvolumes are needed to create a flat layout. I use underscores because the "at sign" in names annoys me, but you need to use the "at sign" if you want to use Snapper.

# run the bash shell because not all of the loops below work in zsh
# don't forget to `exit` twice at the end of the installation
bash
mntpoints=( \
    '/mnt/' \
    '/mnt/srv' \
    '/mnt/usr/local' \
    '/mnt/var/tmp' \
    '/mnt/var/cache' \
    '/mnt/var/crash' \
    '/mnt/var/log' \
    '/mnt/home' \
)

subvols=( \
    '_root' \
    '_srv' \
    'usr/_local' \
    'var/_tmp' \
    'var/_cache' \
    'var/_crash' \
    'var/_log' \
    '_home' \
)
# -t
#    fstype
# -L
#    mount partition with specified label
mount -t btrfs -L system /mnt

mkdir /mnt/{usr,var}

for subvol in ${subvols[@]}; do
    btrfs subvolume create /mnt/$subvol
done

btrfs subvolume create /mnt/_swap

umount -R /mnt

opensuse#SDB:BTRFS

btrfs#SysadminGuide

arch#Snapper#Preventing slowdowns

web#[systemd-devel] systemd and nested Btrfs subvolumes

web#Re: How to rollback a snapshot of a subvolume with nested subvolumes?

archinstall#Consider changing the BTRFS subvolume layout

arch#questions about btrfs cow nocow and tmpfs

reddit#What is the advantage of nodatacow/disabling CoW? And when to use it?

Mounting Btrfs subvolumes

# ssd option just in case
$ btrfsoptions=defaults,noatime,compress=zstd:1,ssd
# recheck
$ echo $btrfsoptions
defaults,noatime,compress=zstd:1,ssd

# does not work in archiso's zsh shell, run it in the bash shell started above
$ for i in ${!mntpoints[@]}; do
    echo Mount \'${subvols[$i]}\' to \'${mntpoints[$i]}\'
    mount --mkdir \
        -t btrfs \
        -o subvol=${subvols[$i]},$btrfsoptions \
        -L system \
        ${mntpoints[$i]}
done

$ mount --mkdir \
    -t btrfs \
    -o subvol=_swap,defaults,ssd \
    -L system \
    /mnt/swap

# don't forget mount boot device
$ mount --mkdir \
    -L EFI \
    /mnt/boot

# recheck
$ lsblk
NAME       MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda           8:0    0 465.8G  0 disk
├─sda1        8:1    0   550M  0 part  /mnt/boot
└─sda2        8:2    0 465.2G  0 part
  └─system  254:0    0 465.2G  0 crypt /mnt/swap
                                       /mnt/home
                                       /mnt/var/log
                                       /mnt/var/crash
                                       /mnt/var/cache
                                       /mnt/var/tmp
                                       /mnt/usr/local
                                       /mnt/srv
                                       /mnt
...

noatime — no new access time information (btrfs#NOTES ON GENERIC MOUNT OPTIONS)

compress=zstd:1 — fedora#Changes/BtrfsTransparentCompression

compress=lzo — fastest (btrfs#compression)

reddit#What are optimal btrfs mount options / best practices

btrfs#btrfs-man5

gentoo#btrfs

Installation of the main packages

pacstrap /mnt base linux linux-firmware

Configure the system

Generate an fstab file

Create an arch#fstab filesystem table file.

# -L
#    using labels to identify the filesystems
# -p
#    exclude pseudofs mounts
$ genfstab -L -p /mnt >> /mnt/etc/fstab

# recheck
$ cat /mnt/etc/fstab
...
# /dev/mapper/system UUID=50e93849-c198-4808-91c5-cb9e1dba53cc
LABEL=system         /          btrfs      rw,noatime,compress=zstd:1,ssd,space_cache=v2,subvolid=256,subvol=/_root 0 0

# /dev/sda1 UUID=BDB9-B057
LABEL=EFI            /boot      vfat       rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2

# /dev/mapper/system UUID=50e93849-c198-4808-91c5-cb9e1dba53cc
LABEL=system         /srv       btrfs      rw,noatime,compress=zstd:1,ssd,space_cache=v2,subvolid=257,subvol=/_srv 0 0

# /dev/mapper/system UUID=50e93849-c198-4808-91c5-cb9e1dba53cc
LABEL=system         /usr/local btrfs      rw,noatime,compress=zstd:1,ssd,space_cache=v2,subvolid=258,subvol=/usr/_local 0 0

# /dev/mapper/system UUID=50e93849-c198-4808-91c5-cb9e1dba53cc
LABEL=system         /var/tmp   btrfs      rw,noatime,compress=zstd:1,ssd,space_cache=v2,subvolid=261,subvol=/var/_tmp 0 0

# /dev/mapper/system UUID=50e93849-c198-4808-91c5-cb9e1dba53cc
LABEL=system         /var/cache btrfs      rw,noatime,compress=zstd:1,ssd,space_cache=v2,subvolid=262,subvol=/var/_cache 0 0

# /dev/mapper/system UUID=50e93849-c198-4808-91c5-cb9e1dba53cc
LABEL=system         /var/crash btrfs      rw,noatime,compress=zstd:1,ssd,space_cache=v2,subvolid=263,subvol=/var/_crash 0 0

# /dev/mapper/system UUID=50e93849-c198-4808-91c5-cb9e1dba53cc
LABEL=system         /var/log   btrfs      rw,noatime,compress=zstd:1,ssd,space_cache=v2,subvolid=264,subvol=/var/_log 0 0

# /dev/mapper/system UUID=50e93849-c198-4808-91c5-cb9e1dba53cc
LABEL=system         /home      btrfs      rw,noatime,compress=zstd:1,ssd,space_cache=v2,subvolid=259,subvol=/_home 0 0

# /dev/mapper/system UUID=50e93849-c198-4808-91c5-cb9e1dba53cc
LABEL=system         /swap      btrfs      rw,relatime,compress=zstd:1,ssd,space_cache=v2,subvolid=260,subvol=/_swap 0 0

Change root into the new system

arch-chroot /mnt

Enable periodic TRIM

# enabling the timer will activate the service weekly
systemctl enable fstrim.timer

# recheck after reboot
systemctl list-timers

arch#Periodic TRIM

digitalocean#How To Configure Periodic TRIM for SSD Storage on Linux Servers

Create the swap file

$ pacman -S btrfs-progs

$ swapfilepath=/swap/swapfile

# create the swap file with a size of 0 bytes
$ truncate -s 0 $swapfilepath

# set the No_COW attribute (only takes effect while the file is still empty)
$ chattr +C $swapfilepath

# preallocate space for the swap file (determine the size from the links below)
# $ fallocate -l 24G $swapfilepath # not a good approach on Btrfs
$ size_in_MiB=24576
$ dd if=/dev/zero of=$swapfilepath bs=1M count=$size_in_MiB status=progress

# tighten up permissions to -rwx------
$ chmod 0700 /swap

# tighten up permissions to -rw-------
$ chmod 0600 $swapfilepath

# recheck
$ ls -lsh $swapfilepath
24G -rw------- 1 root root 24G Jul 14 18:22 /swap/swapfile

# recheck
$ lsattr $swapfilepath
---------------C------ /swap/swapfile

# format it to swap
$ mkswap -U clear $swapfilepath

# activate the swap file
$ swapon $swapfilepath

# edit the fstab configuration to add an entry for the swap file
$ cat << EOF >> /etc/fstab

$swapfilepath none swap defaults 0 0

EOF

# recheck
$ cat /etc/fstab
...
/swap/swapfile none swap defaults 0 0

# recheck
$ cat /proc/swaps
Filename    Type  Size  Used  Priority
/swap/swapfile                          file  25165820 0  -2

btrfs#swapfile support

fedora#swap space size

arch#Swap file

arch#Swap file creation

Time zone

# set the time zone
ln -sf /usr/share/zoneinfo/Europe/Moscow /etc/localtime

# run `hwclock` to generate `/etc/adjtime`
hwclock --systohc

arch#hwclock(8) assumes the hardware clock is set to UTC. See arch#System time#Time standard for details.

Localization

# edit `/etc/locale.gen`
cat << EOF >> /etc/locale.gen

en_US.UTF-8 UTF-8
ru_RU.UTF-8 UTF-8

EOF

# generate the locales
locale-gen
cat << EOF > /etc/locale.conf
LANG=en_US.UTF-8

EOF

# recheck
cat /etc/locale.conf
# @wthoutanymmries has good taste in fonts
# it will show on load due to the sd-vconsole HOOK
pacman -S terminus-font

cat << EOF > /etc/vconsole.conf
KEYMAP=ru
FONT=ter-u14n

EOF

# recheck
cat /etc/vconsole.conf

cat << EOF
Hello
World
EOF

stackoverflow#How does "<<" operator work in linux shell?

stackoverflow#How to cat <<EOF >> a file containing code?

Network configuration

# create the hostname file
$ cat << EOF > /etc/hostname
machine

EOF

# local hostname resolution
$ cat << EOF > /etc/hosts
127.0.0.1        localhost
::1              localhost
127.0.1.1        machine

EOF

# recheck
$ getent hosts
127.0.0.1       localhost
127.0.0.1       localhost
127.0.1.1       machine
# WLAN
pacman -S iwd

mkdir /etc/iwd

cat << EOF > /etc/iwd/main.conf
[General]
EnableNetworkConfiguration=true

[Network]
NameResolvingService=systemd

[Service]
ExecStartPre=/usr/bin/sleep 2

EOF

# recheck
cat /etc/iwd/main.conf

# keep the kernel name of the wireless device (it is not renamed by udev)
cat << EOF > /usr/lib/systemd/network/80-iwd.link
[Match]
Type=wlan

[Link]
NamePolicy=keep kernel

EOF

# recheck
cat /usr/lib/systemd/network/80-iwd.link
systemctl enable iwd
systemctl enable systemd-networkd
systemctl enable systemd-resolved
# LAN
# to list the devices on the system
networkctl list

# set your lan device name
lan_device=enp2s0

cat << EOF > /etc/systemd/network/20-wired.network
[Match]
Name=$lan_device

[Network]
DHCP=yes

EOF

# recheck
cat /etc/systemd/network/20-wired.network

reddit#Network Configuration recommendation

arch#Local hostname resolution

arch#systemd-networkd

arch#systemd-networkd (Русский)

arch#iwd

arch#iwd (Русский)

Initramfs

# delete old HOOKS
sed -e '/^HOOKS/d' /etc/mkinitcpio.conf -i

# btrfs hook is not required for using Btrfs on a single device
# take this list from arch#dm-crypt/System configuration#mkinitcpio
cat << EOF >> /etc/mkinitcpio.conf

HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt filesystems fsck)

EOF

# recheck
cat /etc/mkinitcpio.conf

mkinitcpio -P
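
The delete-then-append edit above works, but it is not idempotent and it does not check the one ordering that matters for an encrypted root: sd-encrypt must sit after block and before filesystems, and it requires the systemd hook. As an added example (not from the original gist), the following POSIX shell functions replace the HOOKS line in place and validate that ordering; the ordering rules are those documented on the arch#mkinitcpio and arch#dm-crypt pages linked below, and the config content used in the demo is constructed.

```shell
#!/bin/sh
# Added example, not part of the original gist: set the mkinitcpio HOOKS line
# idempotently (replace in place rather than delete-then-append) and check the
# ordering that the sd-encrypt hook relies on: systemd hook present, sd-encrypt
# after block and before filesystems. The demo config content is constructed.

# Print the 1-based position of hook $1 within the hooks passed as the
# remaining arguments, or 0 when it is absent.
hook_index() {
    needle=$1
    shift
    i=0
    for h in "$@"; do
        i=$((i + 1))
        [ "$h" = "$needle" ] && { echo "$i"; return 0; }
    done
    echo 0
}

# Validate a space-separated hook list (surrounding parentheses are optional).
# Returns 0 when the list is usable with sd-encrypt, otherwise prints the first
# problem found and returns 1.
validate_hooks() {
    # word splitting is intended here: one positional parameter per hook
    set -- $(printf '%s' "$1" | tr -d '()')
    systemd_at=$(hook_index systemd "$@")
    block_at=$(hook_index block "$@")
    encrypt_at=$(hook_index sd-encrypt "$@")
    fs_at=$(hook_index filesystems "$@")

    [ "$encrypt_at" -gt 0 ] || { echo "sd-encrypt hook is missing"; return 1; }
    [ "$systemd_at" -gt 0 ] || { echo "sd-encrypt needs the systemd hook (udev-based HOOKS use encrypt instead)"; return 1; }
    [ "$fs_at" -gt 0 ] || { echo "filesystems hook is missing"; return 1; }
    [ "$block_at" -gt 0 ] && [ "$block_at" -lt "$encrypt_at" ] ||
        { echo "block must come before sd-encrypt"; return 1; }
    [ "$encrypt_at" -lt "$fs_at" ] || { echo "sd-encrypt must come before filesystems"; return 1; }
    if [ "$(hook_index sd-vconsole "$@")" -eq 0 ]; then
        echo "note: no sd-vconsole, so /etc/vconsole.conf will not apply at the passphrase prompt"
    fi
    return 0
}

# Replace (or append) the HOOKS= line of the mkinitcpio.conf at $1 with the
# validated hook list $2. Safe to re-run: the line stays where it was.
set_hooks() {
    conf=$1
    hooks=$(printf '%s' "$2" | tr -d '()')
    validate_hooks "$hooks" || return 1
    if grep -q '^HOOKS=' "$conf"; then
        sed "s|^HOOKS=.*|HOOKS=($hooks)|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'HOOKS=(%s)\n' "$hooks" >> "$conf"
    fi
}

# Demo on a constructed stand-in for a fresh /etc/mkinitcpio.conf.
demo=$(mktemp)
printf '%s\n' 'MODULES=()' 'BINARIES=()' \
    'HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)' > "$demo"
set_hooks "$demo" "base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt filesystems fsck"
grep '^HOOKS=' "$demo"
rm -f "$demo"
```

On the real system the call is `set_hooks /etc/mkinitcpio.conf "..."` followed by `mkinitcpio -P`, exactly as above.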

arch#Initramfs

arch#mkinitcpio#Common hooks

arch#dm-crypt/System configuration#mkinitcpio

arch#Btrfs#Multi-device file system

arch#Power management/Suspend and hibernate#Configure the initramfs

Boot loader

pacman -S gcc wget

wget -q https://raw.githubusercontent.com/osandov/osandov-linux/master/scripts/btrfs_map_physical.c

gcc -O2 -o btrfs_map_physical btrfs_map_physical.c

physical_offset=$(./btrfs_map_physical $swapfilepath | sed -n '2p' | grep -Eo '[0-9]+$')

pagesize=$(getconf PAGESIZE)

resume_offset=$(expr $physical_offset / $pagesize)

# recheck
echo $resume_offset

rm btrfs_map_physical btrfs_map_physical.c
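
The `sed -n '2p' | grep -Eo '[0-9]+$'` one-liner above silently yields a wrong resume_offset if the second line is not the extent at file offset 0 or if the physical offset is not page-aligned, and a wrong value simply means resume from hibernation fails. As an added example (not part of the original gist), this POSIX shell function does the same extraction with those two checks. SAMPLE_MAP is a constructed sample in btrfs_map_physical's column layout (the header names are as I recall them and are not parsed, only the numbers on the second line are); the offsets are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original gist: derive resume_offset from
# btrfs_map_physical output the way the one-liner above does (second line,
# last number, divided by the page size), plus the two checks worth making
# before the value goes into the boot entry: the row must be the extent at
# file offset 0, and the physical offset must be a whole number of pages.
# SAMPLE_MAP is constructed in the tool's column layout; real offsets differ.

SAMPLE_MAP='FILE OFFSET  FILE SIZE    EXTENT TYPE  LOGICAL SIZE  LOGICAL OFFSET  PHYSICAL SIZE  DEVID  PHYSICAL OFFSET
0            25769803776  regular      25769803776  2927632384      25769803776    1      4009762816'

# $1: btrfs_map_physical output, $2: page size in bytes (getconf PAGESIZE).
# Prints resume_offset and returns 0, or explains the problem and returns 1.
resume_offset_from_map() {
    map_output=$1
    pagesize=$2
    [ "$pagesize" -gt 0 ] 2>/dev/null || { echo "bad page size: $pagesize" >&2; return 1; }

    # Line 1 is the column header; line 2 is the file's first extent.
    first_extent=$(printf '%s\n' "$map_output" | sed -n '2p')
    [ -n "$first_extent" ] || { echo "no extent rows in btrfs_map_physical output" >&2; return 1; }

    set -- $first_extent                     # split the row into its columns
    file_offset=$1
    physical_offset=$(printf '%s\n' "$first_extent" | grep -Eo '[0-9]+$' || true)

    [ "$file_offset" = 0 ] ||
        { echo "first row is at file offset $file_offset, not 0: unexpected output layout" >&2; return 1; }
    [ -n "$physical_offset" ] || { echo "no physical offset in row: $first_extent" >&2; return 1; }
    [ $(( physical_offset % pagesize )) -eq 0 ] ||
        { echo "physical offset $physical_offset is not a multiple of page size $pagesize" >&2; return 1; }

    echo $(( physical_offset / pagesize ))
}

# Demo with the constructed sample and a 4 KiB page (prints 978946).
resume_offset_from_map "$SAMPLE_MAP" 4096
```

On the real system replace the sample with `"$(./btrfs_map_physical $swapfilepath)"` and the page size with `"$(getconf PAGESIZE)"`; the same sample fails the alignment check with a 16 KiB page size, which is the kind of mismatch the bare one-liner would not report.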
$ bootctl install

$ systemctl enable systemd-boot-update.service

$ pacman -S intel-ucode

$ cat << EOF > /boot/loader/entries/arch.conf
title   Arch Linux
linux   /vmlinuz-linux
initrd  /intel-ucode.img
initrd  /initramfs-linux.img
options rd.luks.name=$(blkid /dev/disk/by-partlabel/cryptsystem -s UUID -o value)=cryptsystem rd.luks.options=password-echo=no resume=LABEL=system resume_offset=$resume_offset root=LABEL=system rootflags=subvol=_root rw nowatchdog

EOF

# recheck
cat /boot/loader/entries/arch.conf
# options explained

# LUKS

# rd.luks.name=$(blkid /dev/disk/by-partlabel/cryptsystem -s UUID -o value)=cryptsystem
# rd.luks.options=password-echo=no

# HIBERNATION

# resume=LABEL=system
# resume_offset=$resume_offset

# KERNEL

# root=LABEL=system
# rootflags=subvol=_root
# quiet splash (optional, not used in the entry above)
# rw
# nowatchdog

Loader configuration: loader.conf

# console-mode
#     This option configures the resolution of the console.
#     1
#         80x50 mode, not supported by all devices
#     max
#         Pick the highest-numbered available mode
# ...
cat << EOF > /boot/loader/loader.conf
default      arch.conf
timeout      4
console-mode 1
editor       no

EOF

# recheck
cat /boot/loader/loader.conf
cat << EOF > /etc/modprobe.d/nowatchdog.conf
blacklist iTCO_wdt

EOF

# recheck new configuration after reboot
cat /proc/sys/kernel/watchdog
# OR
wdctl

arch#Microcode

arch#Boot loader

arch#systemd-boot

arch#dm-crypt/System configuration#Using sd-encrypt hook

arch#Hibernation into swap file

arch#Hibernation into swap file on Btrfs

arch#Kernel parameters#systemd-boot

arch#Btrfs#Mounting subvolume as root

arch#Improving performance#Watchdogs

Root password & User

# root password
$ passwd

# user
username=dl2718

# -m
#    create with home dir
$ useradd -m $username

$ passwd $username

$ usermod -aG wheel $username
# sudo

pacman -S sudo

cat << EOF | EDITOR='tee -a' visudo

%wheel ALL=(ALL:ALL) ALL

Defaults timestamp_timeout=0
Defaults insults

EOF

# recheck
cat /etc/sudoers

`Defaults insults` gives you some motivation :)

Necessary pkgs

pacman -S openssh vim man-db

Reboot

Warning: Attempting to unmount with umount -l in this situation will break your session, requiring a reboot (arch#chroot#Using arch-chroot).

# exit twice: once to leave the chroot, once to leave the bash shell started in archiso's zsh
exit && exit
umount -R /mnt
# OR (if the swapfile is busy)
umount -Rl /mnt

# recheck
lsblk

reboot

Domain name resolution

Important: It makes no sense to do this inside arch-chroot; do it after the reboot.

# to provide domain name resolution for software
# that reads `/etc/resolv.conf` directly
ln -rsf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

arch#systemd-resolved#DNS

Subvolume for user

# root user
su

# set the user name
username=dl2718

# ssd option just in case
btrfs_cache_options=defaults,noatime,ssd
# recheck
echo $btrfs_cache_options

mntpoints=( \
    '/home/'$username'/.cache' \
)

subvols=( \
    'home/'$username'/_cache' \
)

mount -t btrfs -L system /mnt

mkdir -p /mnt/home/$username

for subvol in ${subvols[@]}; do
    btrfs subvolume create /mnt/$subvol
done

umount -R /mnt

# recheck
btrfs subvolume list /
# -d
#    treat all arguments as directory names
# -o
#    set ownership
# -g
#    set group ownership
# -m
#    set permission mode
for mntpoint in ${mntpoints[@]}; do
  install -d -o $username -g $username -m 700 $mntpoint
done

for i in ${!mntpoints[@]}; do
    echo Mount \'${subvols[$i]}\' to \'${mntpoints[$i]}\'
    mount \
        -t btrfs \
        -o subvol=${subvols[$i]},$btrfs_cache_options \
        -L system \
        ${mntpoints[$i]}
done

pacman -S arch-install-scripts

# this command overwrites your /etc/fstab
genfstab -L -p / > /etc/fstab

# reload system files to apply new /etc/fstab
systemctl daemon-reload

References

TODO

arch#General recommendations

arch#System maintenance

arch#Improving performance

arch#Power management

arch#Security

Suspend and hibernate:

# hibernation should work
sudo systemctl hibernate

Secure Boot:

ⓒ all rights not reserved
