@anler
Last active September 28, 2020 17:48
How to setup Archlinux

Archlinux setup guide

This guide is based on the official Archlinux Installation Guide, Beginners' Guide and my personal experience.

Partition layout

SSD partition     fs      size    mountpoint
/dev/nvme0n1p1    FAT     512M    -
/dev/nvme0n1p2    LUKS    MAX     -

SSD partition    LVM partition                 Btrfs subvolume    mountpoint
nvme0n1p2        /dev/lvm/system--vg-swap      -                  SWAP
nvme0n1p2        /dev/lvm/system--vg-system    @                  /
nvme0n1p2        /dev/lvm/system--vg-system    @home              /home

Setup partitions

For a UEFI setup, use fdisk to create a 512MB EFI System partition, followed by a partition for the LUKS container.

Then format the EFI partition as FAT32:

mkfs.fat -F32 /dev/nvme0n1p1

The rest of this howto will assume that your LUKS container is /dev/nvme0n1p2, so keep that in mind.

Create the crypto container

Don't use any of the parameters of cryptsetup to control which cipher or hash to use. You probably have no idea how crypto works so just stick with the defaults. Crypto stuff is pretty hard and the guys behind cryptsetup know what they are doing. At least they know better than you. ;)

# cryptsetup luksFormat /dev/nvme0n1p2

Open the crypto container

# cryptsetup luksOpen --allow-discards /dev/nvme0n1p2 lvm

Setup LVM

  • Create the physical volume and the volume group

    # pvcreate /dev/mapper/lvm
    # vgcreate system-vg /dev/mapper/lvm
    
  • Create the volumes for swap and for the btrfs filesystem. Make the swap volume as big as you want; usually it is as big as RAM, but here I use 2G.

    # lvcreate -L 2G system-vg -n swap
    # lvcreate -l +100%FREE system-vg -n system
    

Format the partitions

# mkfs.btrfs -L arch /dev/mapper/system--vg-system
# mkswap -L swap /dev/mapper/system--vg-swap

Create BTRFS subvolumes

  • Mount btrfs volume and cd into it

    # mount /dev/mapper/system--vg-system /mnt && cd /mnt
    
  • Add subvolumes

    # btrfs subvolume create @
    # btrfs subvolume create @home
    
  • Unmount

    # cd && umount /mnt
    

Mount everything

You can enable compression with lzo or zlib on btrfs and enable auto defragmentation.

# mount /dev/mapper/system--vg-system /mnt -o subvol=@,discard,ssd,compress=lzo,autodefrag
# mkdir -p /mnt/{home,host_run}
# mount /dev/mapper/system--vg-system /mnt/home -o subvol=@home,discard,ssd,compress=lzo,autodefrag
# swapon -d /dev/mapper/system--vg-swap
# mount --bind /run /mnt/host_run

host_run is needed for later when we install grub, see this for more information.

Install rootfs with pacstrap

# pacstrap -i /mnt base base-devel bash-completion vim

Generate fstab

# genfstab -U -p /mnt >> /mnt/etc/fstab

If you have an SSD, change defaults to defaults,discard in the swap partition entry in fstab.

Chroot into the new system

# arch-chroot /mnt
# mkdir /run/lvm
# mount --bind /host_run/lvm /run/lvm

Install and configure grub

# pacman -S grub efibootmgr
# # Add `GRUB_ENABLE_CRYPTODISK=y` to /etc/default/grub
# # Set cryptdevice and resume partition: GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p2:lvm:allow-discards resume=/dev/mapper/system--vg-swap"
# grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --recheck
# umount /run/lvm

Create keyfile for the LUKS partition

Generate 4096 bit key and add it to LUKS:

# dd bs=512 count=8 if=/dev/urandom of=/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p2 /crypto_keyfile.bin

Nobody except GRUB should read this file. Not even root.

# chmod 000 /crypto_keyfile.bin

Edit /etc/mkinitcpio.conf:

  • Add crc32c (or crc32c-intel for Intel machines) to the MODULES array:

    MODULES="crc32c-intel"

  • Add btrfs to the end, and encrypt, lvm2 and resume between keyboard and filesystems, in the HOOKS array:

    HOOKS="... keyboard encrypt lvm2 resume filesystems ... fsck btrfs"

  • Add the keyfile for the LUKS partition to the initramfs so that you only have to unlock the root partition once:

    FILES="/crypto_keyfile.bin"

Install btrfs-progs to use the btrfs hook:

# pacman -S btrfs-progs

Generate initramfs:

# mkinitcpio -p linux
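
The steps above embed the LUKS keyfile in the initramfs, so a wrong HOOKS order leaves the system unbootable and an image under /boot that other users can read exposes the key to them. The script below is an added example, not part of the original guide: it checks the HOOKS order, the FILES entry and the permissions of the keyfile and the generated images. The script name and function names are hypothetical, and it assumes single-line HOOKS= and FILES= assignments.

```sh
#!/bin/sh
# Added example (not from the guide): run in the chroot after `mkinitcpio -p linux`.

# conf_value CONF NAME: print the last uncommented single-line NAME=... value,
# stripped of quotes or parentheses (string and array syntax both work).
conf_value() {
    sed -n "s/^[[:space:]]*$2=[\"'(]*\([^\"')#]*\).*/\1/p" "$1" | tail -n 1
}

# check_hooks CONF: the hooks the guide relies on must appear in this order.
check_hooks() {
    hooks=$(conf_value "$1" HOOKS)
    set -- keyboard encrypt lvm2 resume filesystems
    for h in $hooks; do
        if [ "$h" = "${1-}" ]; then shift; fi   # next expected hook found
    done
    if [ "$#" -gt 0 ]; then echo "HOOKS: '$1' is missing or out of order"; return 1; fi
}

# keyfile_in_files CONF KEYFILE: the keyfile must be listed in FILES.
keyfile_in_files() {
    case " $(conf_value "$1" FILES) " in
        *" $2 "*) return 0 ;;
    esac
    echo "FILES: $2 is not listed"; return 1
}

# private_mode PATH: succeed only if group and others have no permission bits.
private_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 2
    case "$mode" in
        0|*00) return 0 ;;
    esac
    echo "$1: mode $mode grants access to group/others"; return 1
}

# preboot_check CONF KEYFILE IMAGE...: run every check, return the failure count.
preboot_check() {
    conf="$1" key="$2" fails=0; shift 2
    check_hooks "$conf" || fails=$((fails + 1))
    keyfile_in_files "$conf" "$key" || fails=$((fails + 1))
    for f in "$key" "$@"; do   # images embed the keyfile: same permission test
        private_mode "$f" || fails=$((fails + 1))
    done
    return "$fails"
}

# e.g. sh preboot-check.sh /etc/mkinitcpio.conf /crypto_keyfile.bin /boot/initramfs-linux*.img
if [ "$#" -ge 2 ]; then preboot_check "$@"; fi
```

If an image is reported, `chmod 600 /boot/initramfs-linux*` restricts it to root.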

Generate grub.cfg:

# grub-mkconfig -o /boot/grub/grub.cfg

Setting up the base system

  • Edit /etc/locale.conf:

    LANG=en_US.UTF-8
    
  • Edit /etc/locale.gen and uncomment the needed locales:

    en_US.UTF-8 UTF-8
    
  • Generate locales

    # locale-gen
    
  • Set timezone:

    # ln -s /usr/share/zoneinfo/Europe/Madrid /etc/localtime
    

Install dependencies for wifi connection (optional)

# pacman -S dialog wpa_supplicant networkmanager

Configure pacman and add a user

Edit /etc/pacman.conf and uncomment [multilib].

Update packages and db:

# pacman -Sy

Add a user and set the password:

# useradd -m -g users -G wheel -s /bin/bash bob
# passwd bob

Run:

# visudo

and uncomment %wheel ALL=(ALL:ALL) ALL or %wheel ALL=(ALL:ALL) NOPASSWD: ALL if you don't want to enter your password again when using sudo.

Now remove the root password so that root cannot login (don't lock the account with passwd -l because then the recovery root login doesn't work anymore):

# passwd -dl root 

Finishing

Exit chroot environment.

Unmount devices:

# umount /mnt/host_run
# umount /mnt/home
# umount /mnt
# swapoff /dev/mapper/system--vg-swap
# cryptsetup luksClose /dev/mapper/lvm

Reboot:

# reboot

Finished! You now have an encrypted Archlinux up and running. If you want to build a server you're pretty much finished and can continue to set up the services you want to host. For a more desktop-like setup, continue.
