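#!/usr/bin/env bash
# Arch Linux install runbook: LUKS2-encrypted btrfs root unlocked by the
# systemd initramfs (sd-encrypt), systemd-boot, Secure Boot via sbctl, TPM2
# unlock, then a sway desktop and a few services.
#
# This is a step-by-step runbook, not a script that runs end to end:
# `arch-chroot` drops into an interactive shell, `reboot` ends the live
# session and `su` switches user — the lines after each of those are typed
# in the new session. Deliberately no `set -e`: in an interactive shell it
# would terminate the session on the first failed step.
#
# Exported variables survive arch-chroot (the environment is inherited) but
# NOT a reboot or `su`: set them again in the new session before a step that
# reads them (USER_NAME, LOCALE, TIMEZONE, HOSTNAME).

# define variables
export DRIVE=/dev/nvme0n1       # whole disk — everything on it is destroyed below
export ROOT_PASSWORD=password   # placeholders: values typed on the command line
export USER_NAME=user           # land in shell history; prefer `read -rs` into
export USER_PASSWORD=password   # these variables before continuing
export LOCALE="en_SG.UTF-8"
export TIMEZONE="Asia/Singapore"
export HOSTNAME=archlinux

# create partitions (512MiB ESP + the rest for the encrypted root)
sgdisk -Z "$DRIVE"
sgdisk -o -n=1:0:+512MiB -t=1:ef00 -c=1:EFI -n=2:0:0 -t=2:8300 -c=2:ArchOS "$DRIVE"

# encrypt root partition. --type luks2 is spelled out: systemd-cryptenroll
# (TPM2 section) needs a LUKS2 header.
cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --hash sha512 --use-random /dev/disk/by-partlabel/ArchOS
cryptsetup open /dev/disk/by-partlabel/ArchOS crypt_root

# format partitions
mkfs.fat -F32 -n EFI /dev/disk/by-partlabel/EFI
mkfs.btrfs -L ArchOS /dev/mapper/crypt_root

# create btrfs subvolumes: mount the top level once, create them, unmount
mount /dev/mapper/crypt_root /mnt
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home
btrfs subvolume create /mnt/@snapshots
umount -R /mnt

# mount partitions (same options for every subvolume)
btrfs_opts=noatime,space_cache=v2,ssd,discard=async
mount -o "$btrfs_opts,subvol=@" /dev/mapper/crypt_root /mnt
mkdir -p /mnt/{boot,home,.snapshots}
mount /dev/disk/by-partlabel/EFI /mnt/boot
mount -o "$btrfs_opts,subvol=@home" /dev/mapper/crypt_root /mnt/home
mount -o "$btrfs_opts,subvol=@snapshots" /dev/mapper/crypt_root /mnt/.snapshots

# configure pacman on the live ISO (the file is copied into the new system below)
sed -i 's/#UseSyslog/UseSyslog/' /etc/pacman.conf
# \n is a newline in a GNU sed replacement; the original's "\\\n" inserted a
# literal backslash after "Color"
sed -i 's/#Color/Color\nILoveCandy/' /etc/pacman.conf
sed -i 's/#CheckSpace/CheckSpace/' /etc/pacman.conf
sed -i 's/#VerbosePkgLists/VerbosePkgLists/' /etc/pacman.conf
sed -i 's/#ParallelDownloads.*/ParallelDownloads = 10/' /etc/pacman.conf

# update pacman mirrorlist
reflector --save /etc/pacman.d/mirrorlist --protocol https --sort rate --threads 12 --latest 5

# base install (amd-ucode is CPU-specific: swap for intel-ucode here, in the
# boot entry and in the sbctl bundles below on Intel machines)
pacstrap /mnt linux linux-headers linux-firmware base base-devel btrfs-progs amd-ucode git neovim bash-completion zsh zsh-completions

# generate fstab
genfstab -U /mnt > /mnt/etc/fstab

# copy pacman config and mirrorlist into the new system
cp /etc/pacman.conf /mnt/etc/pacman.conf
cp /etc/pacman.d/mirrorlist /mnt/etc/pacman.d/mirrorlist

# chroot into the fresh install — everything from here to `reboot` is typed
# in this shell
arch-chroot /mnt /bin/zsh

# change root password (chpasswd reads stdin, so the secret is not an argument)
printf '%s\n' "root:$ROOT_PASSWORD" | chpasswd
# change root default shell
chsh -s /bin/zsh
# create new user. `useradd -p` expects an already hashed password; the
# original passed the plaintext, which stores an unusable hash. Set it via
# chpasswd instead.
useradd -mG wheel -s /bin/zsh "$USER_NAME"
printf '%s\n' "$USER_NAME:$USER_PASSWORD" | chpasswd
# add wheel group to sudoers, then syntax-check: a broken sudoers locks sudo out
sed -i 's/^# %wheel ALL=(ALL:ALL) ALL/%wheel ALL=(ALL:ALL) ALL/' /etc/sudoers
visudo -c

# set locale, timezone
sed -i "s/^#$LOCALE/$LOCALE/" /etc/locale.gen
locale-gen
# '>' rather than '>>': rerunning the step must not duplicate the entry
printf 'LANG=%s\n' "$LOCALE" > /etc/locale.conf
export LANG=$LOCALE
export LC_ALL=$LOCALE
# fails inside the chroot (no running systemd); repeat after the first boot
timedatectl set-ntp true
ln -sf "/usr/share/zoneinfo/$TIMEZONE" /etc/localtime
hwclock --systohc

# set hostname
printf '%s\n' "$HOSTNAME" > /etc/hostname
# set hosts
cat << EOF >> /etc/hosts
# <ip-address> <hostname.domain.org> <hostname>
127.0.0.1 localhost
::1 localhost
127.0.1.1 $HOSTNAME.localdomain $HOSTNAME
EOF

# configure mkinitcpio: systemd-based initramfs, sd-encrypt unlocks the root.
# Patterns are anchored with ^ so the commented examples in the file stay untouched.
sed -i 's/^MODULES.*/MODULES=(btrfs)/' /etc/mkinitcpio.conf
sed -i 's|^BINARIES.*|BINARIES=("/usr/bin/btrfs")|' /etc/mkinitcpio.conf
sed -i 's/^HOOKS.*/HOOKS=(base systemd autodetect keyboard modconf block sd-encrypt filesystems fsck)/' /etc/mkinitcpio.conf
mkinitcpio -P

# install essential packages
pacman -S networkmanager dialog wpa_supplicant xdg-utils xdg-user-dirs
systemctl enable NetworkManager
# install pipewire
pacman -S pipewire pipewire-alsa pipewire-pulse pipewire-jack
# install reflector
pacman -S reflector
cat << EOF > /etc/xdg/reflector/reflector.conf
# Set the output path where the mirrorlist will be saved (--save).
--save /etc/pacman.d/mirrorlist
# Select the transfer protocol (--protocol).
--protocol https
# Use only the most recently synchronized mirrors (--latest).
--latest 5
# Sort the mirrors by MirrorStatus score
--sort rate
EOF
systemctl enable reflector.service
systemctl enable reflector.timer

# bootloader: systemd-boot
bootctl --path /boot install
# command substitution was missing in the original, which assigned the
# literal string "blkid"
ROOT_UUID=$(blkid -s UUID -o value /dev/disk/by-partlabel/ArchOS)
CRYPT_ROOT_UUID=$(blkid -s UUID -o value /dev/mapper/crypt_root)
cat << EOF > /boot/loader/entries/arch.conf
title Arch Linux
linux /vmlinuz-linux
initrd /amd-ucode.img
initrd /initramfs-linux.img
options rd.luks.name=$ROOT_UUID=crypt_root rd.luks.options=$ROOT_UUID=discard root=/dev/mapper/crypt_root rootflags=subvol=@ rw quiet
EOF
# `editor no`: otherwise anyone at the console can edit the kernel command
# line from the boot menu
cat << EOF > /boot/loader/loader.conf
default arch.conf
editor no
timeout 10
console max
EOF
# leave the chroot (reboot does not work inside it) and boot the installed
# system. The steps below run there as root; re-export the variables first.
exit
umount -R /mnt
reboot

# secure boot
# enable secure boot, setup mode in BIOS
pacman -S sbctl
sbctl status
sbctl create-keys
# enroll-keys without -m replaces the vendor certificates; on a machine with a
# discrete GPU (nvidia is installed below) its signed option ROM may then be
# rejected — consider `sbctl enroll-keys -m`.
sbctl enroll-keys
sbctl verify
sbctl sign -s /boot/EFI/BOOT/BOOTX64.EFI
sbctl sign -s /boot/EFI/systemd/systemd-boot.efi
sbctl sign -s /boot/vmlinuz-linux
# the -lts files exist only if linux-lts is installed (not in the pacstrap above)
sbctl sign -s /boot/vmlinuz-linux-lts
# unified kernel images. -c /proc/cmdline bakes the *current* command line into
# the bundle, so re-run `sbctl generate-bundles` after the TPM2 step changes it.
sbctl bundle -s -a /boot/amd-ucode.img -l /usr/share/systemd/bootctl/splash-arch.bmp -c /proc/cmdline -k /boot/vmlinuz-linux -f /boot/initramfs-linux.img /boot/EFI/Linux/linux.efi
sbctl bundle -s -a /boot/amd-ucode.img -l /usr/share/systemd/bootctl/splash-arch.bmp -c /proc/cmdline -k /boot/vmlinuz-linux -f /boot/initramfs-linux-fallback.img /boot/EFI/Linux/linux-fallback.efi
sbctl bundle -s -a /boot/amd-ucode.img -l /usr/share/systemd/bootctl/splash-arch.bmp -c /proc/cmdline -k /boot/vmlinuz-linux-lts -f /boot/initramfs-linux-lts.img /boot/EFI/Linux/linux-lts.efi
sbctl bundle -s -a /boot/amd-ucode.img -l /usr/share/systemd/bootctl/splash-arch.bmp -c /proc/cmdline -k /boot/vmlinuz-linux-lts -f /boot/initramfs-linux-lts-fallback.img /boot/EFI/Linux/linux-lts-fallback.efi
sbctl generate-bundles
sbctl verify
sbctl sign -s /boot/EFI/Linux/linux.efi
sbctl sign -s /boot/EFI/Linux/linux-fallback.efi
sbctl sign -s /boot/EFI/Linux/linux-lts.efi
sbctl sign -s /boot/EFI/Linux/linux-lts-fallback.efi

# TPM 2.0
# reset TPM in BIOS
# Binding to PCRs 0+7 (firmware code, Secure Boot policy) does not cover the
# kernel command line or initramfs; it relies on Secure Boot staying enforced,
# `editor no` above and the signed bundles. PCR list separator is '+'.
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/disk/by-partlabel/ArchOS
# the UUID variables were set before the reboot and are gone — derive them again
ROOT_UUID=$(blkid -s UUID -o value /dev/disk/by-partlabel/ArchOS)
CRYPT_ROOT_UUID=$(blkid -s UUID -o value /dev/mapper/crypt_root)
# double quotes so the UUIDs expand (single quotes in the original left "$ROOT_UUID"
# literal); '|' as delimiter because the replacement contains '/'
sed -i "s|^options.*|options rd.luks.name=$ROOT_UUID=crypt_root rd.luks.options=$ROOT_UUID=tpm2-device=auto,discard root=/dev/mapper/crypt_root rootflags=subvol=@ rw quiet|" /boot/loader/entries/arch.conf
# these entries are not created anywhere in this runbook; patch them only if present
for entry in arch-fallback arch-lts arch-lts-fallback; do
  [[ -f "/boot/loader/entries/$entry.conf" ]] || continue
  sed -i "s|^options.*|options rd.luks.name=$ROOT_UUID=crypt_root root=UUID=$CRYPT_ROOT_UUID rootflags=subvol=@ rd.luks.options=$ROOT_UUID=tpm2-device=auto,discard rw quiet|" "/boot/loader/entries/$entry.conf"
done
# after rebooting with the new command line, refresh the bundles built from /proc/cmdline
sbctl generate-bundles

# LVM data volume. /dev/my_vg/lv_r10 is a placeholder for an existing,
# already LUKS-formatted LV created outside this runbook.
pacman -S lvm2
cryptsetup open /dev/my_vg/lv_r10 crypt_data
mkdir -p /mnt/data
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/my_vg/lv_r10
printf '%s\n' "crypt_data /dev/my_vg/lv_r10 - tpm2-device=auto" >> /etc/crypttab
printf '%s\n' "/dev/mapper/crypt_data /mnt/data ext4 defaults 0 0" >> /etc/fstab
# mount first: chown on the empty mountpoint directory would be hidden by the mount
mount /mnt/data
chown "$USER_NAME:$USER_NAME" /mnt/data
# lvm2 hook added. udev/keymap are the non-systemd hooks and must not be mixed
# with `systemd` (sd-vconsole is the systemd counterpart of keymap); the
# initramfs must be rebuilt for the change to apply.
sed -i 's/^HOOKS.*/HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt lvm2 filesystems fsck)/' /etc/mkinitcpio.conf
mkinitcpio -P

# firewall (eno1 is machine-specific: check `ip link`). The daemon must be
# running for firewall-cmd, and --reload discards runtime-only changes, so the
# interface binding is made --permanent.
pacman -S firewalld
systemctl enable --now firewalld
firewall-cmd --permanent --zone=home --change-interface=eno1
firewall-cmd --set-default-zone=home
firewall-cmd --reload

# sway wm (paru is built in the "paru" step further down — do that first).
# The ~/.config edits here and below belong to the desktop user: run them as
# $USER_NAME, not root.
paru -S sway swaylock swayidle clipman
mkdir -p ~/.config/sway
cp /etc/sway/config ~/.config/sway
# The original ran `sed` without -i against /etc/sway/config, so nothing was
# changed; the output line is appended below instead. Output name and mode are
# machine-specific (`swaymsg -t get_outputs`).
cat << 'EOF' >> ~/.config/sway/config
# display
output HDMI-A-1 mode 3840x2160 position 0,0 scale 1.5
# enable clipboard manager
exec wl-paste -t text --watch clipman store --no-persist
# initially enable numlock
input * xkb_numlock enable
# remove title bar
default_border pixel 0
default_floating_border pixel 0
# gaps
gaps outer 0
gaps inner 10
# volume control
bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +1%
bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -1%
bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle
# brightness control
bindsym XF86MonBrightnessDown exec brightnessctl set 5%-
bindsym XF86MonBrightnessUp exec brightnessctl set 5%+
# media playback control
bindsym XF86AudioPlay exec playerctl play-pause
bindsym XF86AudioNext exec playerctl next
bindsym XF86AudioPrev exec playerctl previous
EOF

# rustup
pacman -S rustup
rustup default stable

# paru (AUR helper). makepkg refuses to run as root, hence the su. AUR packages
# are unreviewed third-party build scripts: read the PKGBUILD before building.
# The original chain was missing an && after git clone.
su "$USER_NAME"
cd ~ && \
  git clone https://aur.archlinux.org/paru-bin && \
  cd paru-bin && \
  less PKGBUILD && \
  makepkg -si && \
  cd .. && \
  rm -rf paru-bin
exit

# snapper: let it create its config, then replace the subvolume it made with
# the @snapshots mount (typo fixed: the original removed "/.snapshotsb")
pacman -S snapper
umount /.snapshots
rm -r /.snapshots
snapper -c root create-config /
btrfs subvolume delete /.snapshots
mkdir /.snapshots
mount -a
chmod 750 /.snapshots
# appended keys override the defaults already in the config; $USER_NAME must
# be set in this session
cat << EOF >> /etc/snapper/configs/root
ALLOW_USERS="$USER_NAME"
TIMELINE_MIN_AGE="1800"
TIMELINE_LIMIT_HOURLY="24"
TIMELINE_LIMIT_DAILY="14"
TIMELINE_LIMIT_WEEKLY="2"
TIMELINE_LIMIT_MONTHLY="0"
TIMELINE_LIMIT_YEARLY="0"
EOF
systemctl enable snapper-timeline.timer
systemctl enable snapper-cleanup.timer

# fonts
paru -S noto-fonts noto-fonts-cjk noto-fonts-emoji noto-fonts-extra nerd-fonts-jetbrains-mono

# alacritty ($term is a sway variable, kept literal by the single quotes)
pacman -S alacritty
mkdir -p ~/.config/alacritty
cp /usr/share/doc/alacritty/example/alacritty.yml ~/.config/alacritty
sed -i 's/^set \$term.*/set $term alacritty/' ~/.config/sway/config

# rofi
paru -S rofi-lbonn-wayland
sed -i 's/^set \$menu.*/set $menu rofi -show combi/' ~/.config/sway/config

# TODO waybar
pacman -S waybar
mkdir -p ~/.config/waybar
cp -r /etc/xdg/waybar/* ~/.config/waybar/

# mako
pacman -S mako
cat << 'EOF' >> ~/.config/sway/config
# mako, notification daemon
exec mako
EOF

# japanese input
pacman -S fcitx5 fcitx5-configtool fcitx5-qt fcitx5-mozc
fcitx5-configtool # add mozc to fcitx5
cat << 'EOF' >> /etc/environment
GTK_IM_MODULE=fcitx
QT_IM_MODULE=fcitx
XMODIFIERS=@im=fcitx
EOF
cat << 'EOF' >> ~/.config/sway/config
# fcitx5
exec --no-startup-id fcitx5 -d
EOF
# /usr/lib/mozc/mozc_tool --mode=config_dialog # mozc setting
# /usr/lib/mozc/mozc_tool --mode=dictionary_tool # mozc dictionary tool
# /usr/lib/mozc/mozc_tool --mode=word_register_dialog # mozc word register
# optionally, install sway-im
paru -S sway-im

# samba
pacman -S samba
# the URL contains ';' — unquoted, the shell split it into separate commands
curl -fsSL 'https://git.samba.org/samba.git/?p=samba.git;a=blob_plain;f=examples/smb.conf.default;hb=HEAD' -o /etc/samba/smb.conf
# Runs as root, so no sudo (and `sudo cat >> file` never elevated the redirect).
# The downloaded example already has a [global] section; the appended values
# are meant to override it — confirm with testparm.
cat << EOF >> /etc/samba/smb.conf
[global]
workgroup = MYGROUP
server string = Samba Server
server role = standalone server
log file = /usr/local/samba/var/log.%m
max log size = 50
dns proxy = no
mangled names = no
[Some name]
comment = Some description
path = /mnt/data
browsable = yes
writeable = yes
create mask = 0700
directory mask = 0700
read only = no
guest ok = no
EOF
testparm -s
pdbedit -a -u "$USER_NAME"
systemctl enable --now smb.service
systemctl enable --now nmb.service
firewall-cmd --permanent --add-service=samba --zone=home
firewall-cmd --reload

# firefox
pacman -S firefox
printf '%s\n' 'MOZ_ENABLE_WAYLAND=1' >> /etc/environment

# podman (rootless: subuid/subgid ranges for the user)
pacman -S podman podman-compose
touch /etc/subuid /etc/subgid
usermod --add-subuids 100000-165535 --add-subgids 100000-165535 "$USER_NAME"
podman system migrate
# the original's nested double quotes dropped the quotes around docker.io,
# which is not valid TOML
printf '%s\n' 'unqualified-search-registries=["docker.io"]' >> /etc/containers/registries.conf

# change DNS (bash's echo does not interpret \n; printf does)
printf '[global-dns-domain-*]\nservers=1.1.1.1,1.0.0.1\n' > /etc/NetworkManager/conf.d/dns-servers.conf

# nvidia (path typo fixed: mkinitcpio.conf). btrfs stays in MODULES from the
# earlier edit; the initramfs is rebuilt so the change applies.
pacman -S nvidia-dkms
sed -i 's/^MODULES.*/MODULES=(btrfs nvidia nvidia_modeset nvidia_uvm nvidia_drm)/' /etc/mkinitcpio.conf
mkinitcpio -P
pacman -S nvidia-settings
# Xorg only reads xorg.conf.d; sway (Wayland) ignores it. The Screen section
# must name the Device by its Identifier ("NVIDIA Card", not "Device0").
# "Monitor0" has no matching Monitor section in this file — add one or drop
# the line.
mkdir -p /etc/X11/xorg.conf.d
cat << 'EOF' > /etc/X11/xorg.conf.d/20-nvidia.conf
Section "Device"
    Identifier "NVIDIA Card"
    Driver "nvidia"
    VendorName "NVIDIA Corporation"
    BoardName "GeForce GTX 1050 Ti"
EndSection
Section "Screen"
    Identifier "Screen0"
    Device "NVIDIA Card"
    Monitor "Monitor0"
    Option "ForceFullCompositionPipeline" "on"
    Option "AllowIndirectGLXProtocol" "off"
    Option "TripleBuffer" "on"
EndSection
EOF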