@burningTyger
Last active February 3, 2023 01:52
Install Arch
# This guide is based on https://wiki.archlinux.org/index.php/User:Altercation/Bullet_Proof_Arch_Install
# compare for more details on each step. It's a great guide and seems to get frequent updates.
# This guide has a few changes that helped me to get the bootloader running
# Start up the Live USB/CD and enable SSH:
# set a password for root to enable ssh login
# *
passwd
systemctl start sshd.service
# then login to your machine from another device with ssh
# if you're reinstalling a machine and you have a static ip
# you may want to ignore the hosts file:
ssh -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null root@LIVE_USB
# then go on with these instructions via SSH
# create an ENV variable for your drive. For example, mine was: /dev/sda
# You need to edit this line!!!
DRIVE=/dev/DRIVEID
# clean drive. This deletes everything for good. Be careful
sgdisk --zap-all $DRIVE
# partition with partition labels
sgdisk --clear \
--new=1:0:+550MiB --typecode=1:ef00 --change-name=1:EFI \
--new=2:0:+8GiB --typecode=2:8200 --change-name=2:cryptswap \
--new=3:0:0 --typecode=3:8300 --change-name=3:cryptsystem \
$DRIVE
# format the EFI partition with fat-32
mkfs.fat -F32 -n EFI /dev/disk/by-partlabel/EFI
# create the encrypted system partition
cryptsetup luksFormat --align-payload=8192 -s 256 -c aes-xts-plain64 /dev/disk/by-partlabel/cryptsystem
# open the encrypted partition with label system
# If something fails and you need to restart your system this is the line you need to open your partition again later on.
# I'll mark those commands with an asterisk should you need to reboot and start over with e.g. the boot option.
# *
cryptsetup open /dev/disk/by-partlabel/cryptsystem system
# open the swap partition with a random key
cryptsetup open --type plain --key-file /dev/urandom /dev/disk/by-partlabel/cryptswap swap
# create the swap partition
mkswap -L swap /dev/mapper/swap
swapon -L swap
# format the system partition with btrfs. Inside we will use subvolumes
mkfs.btrfs --force --label system /dev/mapper/system
# create some useful ENV vars
# *
o=defaults,x-mount.mkdir
# *
o_btrfs=$o,compress=lzo,ssd,noatime
# mount the newly created partition
mount -t btrfs LABEL=system /mnt
# and create the necessary subvolumes
btrfs subvolume create /mnt/root
btrfs subvolume create /mnt/home
btrfs subvolume create /mnt/snapshots
# then unmount to mount again with subvolumes
umount -R /mnt
# *
mount -t btrfs -o subvol=root,$o_btrfs LABEL=system /mnt
mount -t btrfs -o subvol=home,$o_btrfs LABEL=system /mnt/home
mount -t btrfs -o subvol=snapshots,$o_btrfs LABEL=system /mnt/.snapshots
# create a boot partition and mount as well
mkdir /mnt/boot
# *
mount LABEL=EFI /mnt/boot
# then install the base system
pacstrap /mnt base
# You will notice some errors related to fsck.btrfs. We will fix that in a minute
genfstab -L -p /mnt >> /mnt/etc/fstab
# fix fstab so swap partition can be found again
sed -i "s+LABEL=swap+/dev/mapper/swap+" /mnt/etc/fstab
# tell crypttab which partition to mount
echo "swap /dev/disk/by-partlabel/cryptswap /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256" >> /mnt/etc/crypttab
# boot into new system to continue with install
# *
systemd-nspawn -bD /mnt
# basic settings
echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
locale-gen
localectl set-locale LANG=en_US.UTF-8
timedatectl set-ntp 1
timedatectl set-timezone Europe/Berlin
# You need to edit this line
hostnamectl set-hostname A_HOSTNAME
echo "KEYMAP=de-latin1" > /etc/vconsole.conf
# install some more basic stuff otherwise you can't boot into new system
pacman -Syu base-devel btrfs-progs
# you need to change hooks to decrypt your drive
# I also changed MODULES so that I can have early KMS start with my Intel graphics card: MODULES="i915"
sed -i "s+HOOKS=\"base udev autodetect modconf block filesystems keyboard fsck\"+HOOKS=\"base udev autodetect modconf block keyboard keymap encrypt filesystems btrfs\"+" /etc/mkinitcpio.conf
# This line didn't quite work on my second PC. I had to use this here instead in my mkinitcpio.conf file:
# MODULES=(atkbd)
# HOOKS=(base udev autodetect modconf block keyboard keymap encrypt filesystems btrfs)
# The atkbd module was necessary because I couldn't use the keyboard from systemd 241 on. Some bug maybe?
# then rerun to get a new initramfs image
mkinitcpio -p linux
# * or if you're repairing you can pacman -Syu
# change password
passwd
# get back to the LIVE USB/CD to finish up
poweroff
# I used efibootmgr to boot. You may need GRUB or whatever here. I had to use sda3 as device
# usually this line is a point of failure if Arch doesn't boot again
# the loader path is single-quoted so the shell keeps its leading backslash
efibootmgr -d /dev/sda -p 1 -c -L "Arch Linux" -l '\vmlinuz-linux' -u "cryptdevice=/dev/sda3:cryptsystem root=/dev/mapper/cryptsystem rw rootflags=subvol=root initrd=\initramfs-linux.img"
# to list all boot options in case of trouble: efibootmgr
# to remove an entry, e.g. Boot0000 you have to efibootmgr -b 0 -B and then run above line again to make it the new first boot entry.
# this method didn't work on my DELL optiplex 7050. Apparently its UEFI doesn't support boot options so I can't decrypt.
# Instead I used refind:
pacman -S refind-efi
refind-install
# Then edit the /boot/refind_linux.conf file:
"Boot with standard options" "cryptdevice=/dev/sda3:cryptsystem root=/dev/mapper/cryptsystem rw rootflags=subvol=root initrd=/initramfs-linux.img"
# Make sure you're using your partition here. Mine was sda3
# then reboot and see if it works. Good luck
reboot
# if it doesn't work boot from your pen drive again and run the commands with the asterisk again to get into your newly installed system.
# note that your system is not the same as the one on your pendrive. You will have to reinstall everything that you need.
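
The fstab and crypttab steps above set up a swap mapping that is keyed from /dev/urandom, and crypttab(5) warns that the `swap` option destroys the contents of the named device on every boot. The following is an added example, not part of the gist: two checks, run over constructed sample files, that flag a swap mapping addressed by a kernel device name and an fstab swap line that does not point at the mapper device (the function names and temporary files are assumptions of the example).

```shell
#!/usr/bin/env bash
# Added example, not part of the gist. Function names are hypothetical.

# audit_crypttab FILE: flag "swap" mappings addressed by a kernel device name.
audit_crypttab() {
    local name dev key opts rest rc=0
    while read -r name dev key opts rest; do
        case $name in ''|'#'*) continue ;; esac            # blank line or comment
        case ",$opts," in *,swap,*) ;; *) continue ;; esac # only swap mappings
        case $dev in                                       # mkswap hits $dev each boot
            /dev/sd*|/dev/vd*|/dev/nvme*|/dev/mmcblk*)
                echo "$name: $dev can change between boots"; rc=1 ;;
        esac
    done < "$1"
    return "$rc"
}

# audit_fstab_swap FILE NAME: every swap line must use /dev/mapper/NAME.
audit_fstab_swap() {
    local spec mnt type rest rc=0
    while read -r spec mnt type rest; do
        case $spec in ''|'#'*) continue ;; esac
        [ "$type" = swap ] || continue
        if [ "$spec" != "/dev/mapper/$2" ]; then
            echo "fstab: swap is $spec, expected /dev/mapper/$2"; rc=1
        fi
    done < "$1"
    return "$rc"
}

# Constructed sample files: the gist's crypttab line, a risky variant, and an
# fstab before and after the gist's sed fix.
tmp=$(mktemp -d)
printf '%s\n' '# <name> <device> <key> <options>' \
    'swap /dev/disk/by-partlabel/cryptswap /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256' \
    > "$tmp/crypttab.gist"
printf '%s\n' 'swap /dev/sda2 /dev/urandom swap,size=256' > "$tmp/crypttab.risky"
printf '%s\n' 'LABEL=system / btrfs rw,noatime,subvol=root 0 0' \
    'LABEL=swap none swap defaults 0 0' > "$tmp/fstab.before"
sed 's+LABEL=swap+/dev/mapper/swap+' "$tmp/fstab.before" > "$tmp/fstab.after"

audit_crypttab "$tmp/crypttab.gist" && echo "crypttab.gist: ok"
audit_crypttab "$tmp/crypttab.risky" || echo "crypttab.risky: flagged"
audit_fstab_swap "$tmp/fstab.before" swap || echo "fstab.before: flagged"
audit_fstab_swap "$tmp/fstab.after" swap && echo "fstab.after: ok"
rm -r "$tmp"
```

On an installed system the same functions can be pointed at /mnt/etc/crypttab and /mnt/etc/fstab before the first reboot.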
@burningTyger
Author

Recently, probably with some kernel 5.x version, booting failed and it seems that the initrd boot option requires backslashes. I have corrected that for efibootmgr but not for refind since I don't use it anymore.

@hmt

hmt commented Mar 15, 2022

For some reason my PC sometimes "forgets" the boot option it is supposed to boot and starts the EFI shell. After trying to repair the boot image it turned out I had to just set the right boot option again. So before you manually enter all these commands just look at efibootmgr first and reset that.
