@fikri-izzuddin
Last active August 13, 2023 19:21
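# define variables
# These are notes run step by step in an interactive shell (see the
# arch-chroot, reboot, su and exit steps further down); the values are
# exported so the chroot shell inherits them. Everything set here is lost
# at the reboot and has to be set again before the post-reboot sections.
export DRIVE=/dev/nvme0n1          # wiped completely by sgdisk -Z below
export USER_NAME=user
export LOCALE="en_SG.UTF-8"
export TIMEZONE="Asia/Singapore"
export HOSTNAME=archlinux
# Passwords are read from the terminal instead of being written into the
# file: a literal here is committed to the gist, lands in shell history and
# is visible in the environment of every child process. read -s suppresses
# echo, -r keeps backslashes; both work in bash and in the live ISO's zsh.
# A value already present in the environment is kept.
if [[ -z "${ROOT_PASSWORD:-}" ]]; then
  printf 'root password: ' >&2
  read -rs ROOT_PASSWORD
  echo
fi
if [[ -z "${USER_PASSWORD:-}" ]]; then
  printf 'password for %s: ' "$USER_NAME" >&2
  read -rs USER_PASSWORD
  echo
fi
export ROOT_PASSWORD USER_PASSWORD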
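# create partitions
# sgdisk -Z destroys every partition table on $DRIVE. The variable is
# quoted so an empty or unusual value cannot split into extra arguments.
sgdisk -Z "$DRIVE"
sgdisk -o -n=1:0:+512MiB -t=1:ef00 -c=1:EFI -n=2:0:0 -t=2:8300 -c=2:ArchOS "$DRIVE"
# the /dev/disk/by-partlabel links used below are created by udev after the
# table is written; wait for them instead of racing the formatting step
udevadm settle
# encrypt root partiton
# The systemd-cryptenroll TPM2 step later in these notes only works on
# LUKS2, so the format is made explicit rather than left to the
# cryptsetup default.
cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --hash sha512 --use-random /dev/disk/by-partlabel/ArchOS
cryptsetup open /dev/disk/by-partlabel/ArchOS crypt_root
# format partitions
mkfs.fat -F32 -n EFI /dev/disk/by-partlabel/EFI
mkfs.btrfs -L ArchOS /dev/mapper/crypt_root
# mount encrypted root partition
mount /dev/mapper/crypt_root /mnt
# create btrfs subvolumes
btrfs su cr /mnt/@
btrfs su cr /mnt/@home
btrfs su cr /mnt/@snapshots
umount -R /mnt
# mount partitions
# discard=async on the filesystem only reaches the SSD if the LUKS layer
# passes discards through; that is what rd.luks.options=...=discard in the
# boot entry below is for.
btrfs_opts=noatime,space_cache=v2,ssd,discard=async
mount -o "${btrfs_opts},subvol=@" /dev/mapper/crypt_root /mnt
mkdir -p /mnt/{boot,home,.snapshots}
mount /dev/disk/by-partlabel/EFI /mnt/boot
mount -o "${btrfs_opts},subvol=@home" /dev/mapper/crypt_root /mnt/home
mount -o "${btrfs_opts},subvol=@snapshots" /dev/mapper/crypt_root /mnt/.snapshots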
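# configure pacman
# ^ anchors each edit to the real setting at the start of the line.
sed -i 's/^#UseSyslog/UseSyslog/' /etc/pacman.conf
# In a GNU sed replacement \n inserts a newline and \\ a literal backslash,
# so the original 's/#Color/Color\\\nILoveCandy/' produced "Color\" followed
# by ILoveCandy on the next line; a single \n gives the intended two lines.
sed -i 's/^#Color/Color\nILoveCandy/' /etc/pacman.conf
sed -i 's/^#CheckSpace/CheckSpace/' /etc/pacman.conf
sed -i 's/^#VerbosePkgLists/VerbosePkgLists/' /etc/pacman.conf
sed -i 's/^#ParallelDownloads.*/ParallelDownloads = 10/' /etc/pacman.conf
# update pacman mirrorlist
# https only, so the mirror list itself is fetched over an authenticated
# channel; the option's full name is --threads.
reflector --save /etc/pacman.d/mirrorlist --protocol https --sort rate --threads 12 --latest 5
# base install
pacstrap /mnt linux linux-headers linux-firmware base base-devel btrfs-progs amd-ucode git neovim bash-completion zsh zsh-completions
# generate fstab
genfstab -U /mnt > /mnt/etc/fstab
# copy pacman config
cp /etc/pacman.conf /mnt/etc/pacman.conf
# copy pacman mirrorlist
cp /etc/pacman.d/mirrorlist /mnt/etc/pacman.d/mirrorlist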
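# chroot intall fresh install
# This opens an interactive zsh inside the new system; everything from here
# down to the reboot is typed into that shell. The variables exported at the
# top of the file are inherited by it.
arch-chroot /mnt /bin/zsh
# change root password
# The password travels over stdin, never argv, and printf (unlike echo)
# leaves a leading dash or backslashes in it untouched.
printf '%s:%s\n' root "$ROOT_PASSWORD" | chpasswd
# change root default shell
chsh -s /bin/zsh
# create new user
# useradd -p expects a crypt(3) hash, not a plaintext password; the original
# stored the plaintext as the "hash", which no login can match. Create the
# account without a password and set it the same way as root's.
useradd -mG wheel -s /bin/zsh "$USER_NAME"
printf '%s:%s\n' "$USER_NAME" "$USER_PASSWORD" | chpasswd
# add wheel groups to sudoers
# The original expression had no closing /. ^ and $ pin the exact line so the
# NOPASSWD variant next to it stays commented out; visudo -c exits non-zero
# if the edited file does not parse.
sed -i 's/^# %wheel ALL=(ALL:ALL) ALL$/%wheel ALL=(ALL:ALL) ALL/' /etc/sudoers
visudo -c
# set locale, timezone
# $LOCALE is used instead of repeating en_SG.UTF-8 so the two cannot drift;
# double quotes are needed for the expansion.
sed -i "s/^#${LOCALE}/${LOCALE}/" /etc/locale.gen
locale-gen
printf 'LANG=%s\n' "$LOCALE" >> /etc/locale.conf
export LANG=$LOCALE
export LC_ALL=$LOCALE
# timedatectl needs the running systemd (D-Bus), which is not available
# inside arch-chroot; if it fails here, repeat it after the first boot.
timedatectl set-ntp true
ln -sf "/usr/share/zoneinfo/${TIMEZONE}" /etc/localtime
hwclock --systohc
# set hostname
printf '%s\n' "$HOSTNAME" >> /etc/hostname
# set hosts (unquoted EOF on purpose: $HOSTNAME must expand)
cat << EOF >> /etc/hosts
# <ip-address> <hostname.domain.org> <hostname>
127.0.0.1 localhost
::1 localhost
127.0.1.1 $HOSTNAME.localdomain $HOSTNAME
EOF
# configure mkinitcpio
# ^NAME= anchors leave the commented example lines in the file alone; | is
# used as the delimiter where the replacement itself contains slashes.
sed -i 's/^MODULES=.*/MODULES=(btrfs)/' /etc/mkinitcpio.conf
sed -i 's|^BINARIES=.*|BINARIES=("/usr/bin/btrfs")|' /etc/mkinitcpio.conf
sed -i 's/^HOOKS=.*/HOOKS=(base systemd autodetect keyboard modconf block sd-encrypt filesystems fsck)/' /etc/mkinitcpio.conf
mkinitcpio -P
# install essential packages
pacman -S networkmanager dialog wpa_supplicant xdg-utils xdg-user-dirs
systemctl enable NetworkManager
# install pipewire
pacman -S pipewire pipewire-alsa pipewire-pulse pipewire-jack
# install reflector
pacman -S reflector
# quoted EOF: nothing in this file needs shell expansion
cat << 'EOF' > /etc/xdg/reflector/reflector.conf
# Set the output path where the mirrorlist will be saved (--save).
--save /etc/pacman.d/mirrorlist
# Select the transfer protocol (--protocol).
--protocol https
# Use only the most recently synchronized mirrors (--latest).
--latest 5
# Sort the mirrors by MirrorStatus score
--sort rate
EOF
systemctl enable reflector.service
systemctl enable reflector.timer
# bootloader: systemd-boot
bootctl --path /boot install
# $(...) was missing: the original assigned the literal word "blkid" and then
# tried to run "-s" as a command. ROOT_UUID identifies the LUKS container,
# CRYPT_ROOT_UUID the btrfs filesystem created inside it.
ROOT_UUID=$(blkid -s UUID -o value /dev/disk/by-partlabel/ArchOS)
CRYPT_ROOT_UUID=$(blkid -s UUID -o value /dev/mapper/crypt_root)
# rd.luks.options= takes the same UUID prefix as rd.luks.name=; the $ was
# missing in the original. > rather than >>: the entry is created here, and
# appending would duplicate it on a rerun.
cat << EOF > /boot/loader/entries/arch.conf
title Arch Linux
linux /vmlinuz-linux
initrd /amd-ucode.img
initrd /initramfs-linux.img
options rd.luks.name=${ROOT_UUID}=crypt_root rd.luks.options=${ROOT_UUID}=discard root=/dev/mapper/crypt_root rootflags=subvol=@ rw quiet
EOF
# "editor no" disables editing the kernel command line from the boot menu,
# so the options above cannot be overridden from the keyboard at boot.
cat << 'EOF' >> /boot/loader/loader.conf
default arch.conf
editor no
timeout 10
console max
EOF
reboot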
# secure boot
# enable secure boot, setup mode in BIOS
pacman -S sbctl
sbctl status
sbctl create-keys
# NOTE(review): enrolling only the custom keys leaves the Microsoft CAs out of
# db; firmware components signed by them (GPU option ROMs in particular) may
# then refuse to load. sbctl's --microsoft option keeps them enrolled — decide
# per machine before running this.
sbctl enroll-keys
sbctl verify
# Sign the loader, its fallback copy and the kernels in place (-s records each
# file so later "sbctl sign-all"/"verify" cover it). vmlinuz-linux-lts is only
# present if linux-lts was installed; the pacstrap above installs linux only.
for target in \
  /boot/EFI/BOOT/BOOTX64.EFI \
  /boot/EFI/systemd/systemd-boot.efi \
  /boot/vmlinuz-linux \
  /boot/vmlinuz-linux-lts; do
  sbctl sign -s "$target"
done
# Build one unified kernel image per kernel/initramfs pair. -c /proc/cmdline
# bakes the command line of the *currently running* boot into the image, so
# a UKI does not follow later edits to the loader entries until it is rebuilt.
while read -r kernel initramfs uki; do
  sbctl bundle -s -a /boot/amd-ucode.img -l /usr/share/systemd/bootctl/splash-arch.bmp -c /proc/cmdline -k "$kernel" -f "$initramfs" "$uki"
done << 'EOF'
/boot/vmlinuz-linux /boot/initramfs-linux.img /boot/EFI/Linux/linux.efi
/boot/vmlinuz-linux /boot/initramfs-linux-fallback.img /boot/EFI/Linux/linux-fallback.efi
/boot/vmlinuz-linux-lts /boot/initramfs-linux-lts.img /boot/EFI/Linux/linux-lts.efi
/boot/vmlinuz-linux-lts /boot/initramfs-linux-lts-fallback.img /boot/EFI/Linux/linux-lts-fallback.efi
EOF
sbctl generate-bundles
sbctl verify
# bundle -s already signed the images; this pass re-signs them after
# generate-bundles, which is what the original did as well.
for uki in \
  /boot/EFI/Linux/linux.efi \
  /boot/EFI/Linux/linux-fallback.efi \
  /boot/EFI/Linux/linux-lts.efi \
  /boot/EFI/Linux/linux-lts-fallback.efi; do
  sbctl sign -s "$uki"
done
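# TPM 2.0
# reset TPM in BIOS
# PCR 0 (firmware) + 7 (Secure Boot policy) is the usual sealing set. With no
# PIN, the root volume unlocks for anyone who can power this machine on with
# its firmware and Secure Boot state unchanged, leaving the login password as
# the only gate; systemd-cryptenroll --tpm2-with-pin=yes adds a PIN to the
# unlock if that is not acceptable.
# PCR indexes are separated by +, not , (the LVM enrol call further down has
# it right).
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/disk/by-partlabel/ArchOS
# ROOT_UUID/CRYPT_ROOT_UUID were set in the pre-reboot chroot shell and no
# longer exist here; read them again from the devices.
ROOT_UUID=$(blkid -s UUID -o value /dev/disk/by-partlabel/ArchOS)
CRYPT_ROOT_UUID=$(blkid -s UUID -o value /dev/mapper/crypt_root)
# Double quotes so the UUIDs expand (single quotes left a literal $ROOT_UUID
# in the file), | as delimiter because the replacement contains slashes, and
# the expression now has its terminating delimiter.
sed -i "s|^options.*|options rd.luks.name=${ROOT_UUID}=crypt_root rd.luks.options=${ROOT_UUID}=tpm2-device=auto,discard root=/dev/mapper/crypt_root rootflags=subvol=@ rw quiet|" /boot/loader/entries/arch.conf
# NOTE(review): these three entry files are not created anywhere above, so the
# edit is skipped when they are absent. root= names the decrypted filesystem
# by UUID (the $ on CRYPT_ROOT_UUID was missing); rd.luks.name= takes the bare
# LUKS UUID, the same form the working arch.conf uses. The UKIs built with
# -c /proc/cmdline keep the old command line until they are regenerated.
for entry in arch-fallback arch-lts arch-lts-fallback; do
  [[ -f "/boot/loader/entries/${entry}.conf" ]] || continue
  sed -i "s|^options.*|options rd.luks.name=${ROOT_UUID}=crypt_root root=UUID=${CRYPT_ROOT_UUID} rootflags=subvol=@ rd.luks.options=${ROOT_UUID}=tpm2-device=auto,discard rw quiet|" "/boot/loader/entries/${entry}.conf"
done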
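# LVM
# Assumes /dev/my_vg/lv_r10 already exists and is LUKS-formatted, and that
# the ext4 filesystem named in the fstab line was created on it — neither
# step is shown in these notes.
pacman -S lvm2
cryptsetup open /dev/my_vg/lv_r10 crypt_data
mkdir -p /mnt/data
# the original chown used the literal string USER_NAME (missing $)
chown "${USER_NAME}:${USER_NAME}" /mnt/data
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/my_vg/lv_r10
printf '%s\n' "crypt_data /dev/my_vg/lv_r10 - tpm2-device=auto" >> /etc/crypttab
printf '%s\n' "/dev/mapper/crypt_data /mnt/data ext4 defaults 0 0" >> /etc/fstab
# NOTE(review): this replaces the HOOKS line set before the reboot wholesale —
# udev and keymap are added next to systemd, and fsck is dropped; confirm that
# combination is the intended one before relying on it.
sed -i 's/^HOOKS=.*/HOOKS=(base udev systemd autodetect keyboard keymap modconf block sd-encrypt lvm2 filesystems)/' /etc/mkinitcpio.conf
# a HOOKS change has no effect until the initramfs is rebuilt
mkinitcpio -P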
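# firewall
pacman -S firewalld
# firewall-cmd talks to the firewalld daemon; nothing above starts it
systemctl enable --now firewalld.service
# The interface assignment must be --permanent: a runtime-only change is
# discarded by the --reload that follows. eno1 is this machine's interface
# name; check with "ip link" on another box.
firewall-cmd --permanent --zone=home --change-interface=eno1
firewall-cmd --set-default-zone=home
firewall-cmd --reload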
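# sway wm
# NOTE(review): paru is only built in the "paru" section further down and
# does not run as root, so this section has to run after it, as $USER_NAME;
# ~ below is the home of whoever runs it.
paru -S sway swaylock swayidle clipman
# -P is not a mkdir option; -p creates parents
mkdir -p ~/.config/sway
cp /etc/sway/config ~/.config/sway
# The original "sed 's/# output ...'" had no -i, no closing delimiter and
# targeted the system copy; sway applies the last output command it reads,
# so the output line is appended with the rest of the local settings.
cat << 'EOF' >> ~/.config/sway/config
# output (replaces the commented example from /etc/sway/config)
output HDMI-A-1 mode 3840x2160 position 0,0 scale 1.5
# enable clipboard manager
exec wl-paste -t text --watch clipman store --no-persist
# initially enable numlock
input * xkb_numlock enable
# remove title bar
default_border pixel 0
default_floating_border pixel 0
# gaps
gaps outer 0
gaps inner 10
# volume control
bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +1%
bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -1%
bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle
# brightness control
bindsym XF86MonBrightnessDown exec brightnessctl set 5%-
bindsym XF86MonBrightnessUp exec brightnessctl set 5%+
# media playback control
bindsym XF86AudioPlay exec playerctl play-pause
bindsym XF86AudioNext exec playerctl next
bindsym XF86AudioPrev exec playerctl previous
EOF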
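# rustup
pacman -S rustup
rustup default stable
# paru
# makepkg refuses to run as root, so the AUR build happens as the
# unprivileged user. su opens an interactive shell; the lines up to "exit"
# are typed into it. USER_NAME has to be set again after the reboot.
su "$USER_NAME"
# One chained command. The original had no && after git clone, so the
# following line's words (cd, paru-bin) became extra clone arguments.
# The clone is owned by this user, so no sudo is needed to remove it.
cd ~ && \
  git clone https://aur.archlinux.org/paru-bin && \
  cd paru-bin && \
  makepkg -si && \
  cd .. && \
  rm -rf -- paru-bin
exit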
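# snapper
pacman -S snapper
# The @snapshots subvolume mounted at /.snapshots is taken out of the way so
# snapper can run create-config on /, the subvolume snapper creates in its
# place is removed, and mount -a brings back the fstab entry generated
# during the install.
umount /.snapshots
# the original removed "/.snapshotsb" (typo) and left /.snapshots in place
rm -r /.snapshots
snapper -c root create-config /
btrfs subvolume delete /.snapshots
mkdir /.snapshots
mount -a
# 750: other users cannot list or read snapshots of the whole root filesystem
chmod 750 /.snapshots
# unquoted EOF on purpose: ALLOW_USERS needs $USER_NAME expanded
cat << EOF >> /etc/snapper/configs/root
ALLOW_USERS="$USER_NAME"
TIMELINE_MIN_AGE="1800"
TIMELINE_LIMIT_HOURLY="24"
TIMELINE_LIMIT_DAILY="14"
TIMELINE_LIMIT_WEEKLY="2"
TIMELINE_LIMIT_MONTHLY="0"
TIMELINE_LIMIT_YEARLY="0"
EOF
systemctl enable snapper-timeline.timer
systemctl enable snapper-cleanup.timer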
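# fonts
paru -S noto-fonts noto-fonts-cjk noto-fonts-emoji noto-fonts-extra nerd-fonts-jetbrains-mono
# alacritty
pacman -S alacritty
mkdir -p ~/.config/alacritty
cp /usr/share/doc/alacritty/example/alacritty.yml ~/.config/alacritty
# Single quotes keep $term literal for sway. \$ makes the dollar a literal in
# the pattern on any sed; the original expression had no closing /.
sed -i 's/^set \$term.*/set $term alacritty/' ~/.config/sway/config
# rofi
paru -S rofi-lbonn-wayland
sed -i 's/^set \$menu.*/set $menu rofi -show combi/' ~/.config/sway/config
# TODO waybar
pacman -S waybar
mkdir -p ~/.config/waybar
cp -r /etc/xdg/waybar/* ~/.config/waybar/
# mako
pacman -S mako
cat << 'EOF' >> ~/.config/sway/config
# mako, notification daemon
exec mako
EOF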
# japanese input
pacman -S fcitx5 fcitx5-configtool fcitx5-qt fcitx5-mozc
fcitx5-configtool # add mozc to fcitx5
# the three IM variables, one per line, appended to the system environment
printf '%s\n' \
  GTK_IM_MODULE=fcitx \
  QT_IM_MODULE=fcitx \
  XMODIFIERS=@im=fcitx >> /etc/environment
# autostart the daemon from the sway config
printf '%s\n' \
  '# fcitx5' \
  'exec --no-startup-id fcitx5 -d' >> ~/.config/sway/config
# /usr/lib/mozc/mozc_tool --mode=config_dialog # mozc setting
# /usr/lib/mozc/mozc_tool --mode=dictionary_tool # mozc dictionary tool
# /usr/lib/mozc/mozc_tool --mode=word_register_dialog # mozc word register
# optionally, install sway-im
paru -S sway-im
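# samba
pacman -S samba
# The URL contains ; which the shell treats as a command separator unless
# quoted: the original ran curl with a truncated URL and the rest as stray
# assignments. -f stops an HTTP error page from being written as smb.conf,
# -L follows redirects.
curl -fL 'https://git.samba.org/samba.git/?p=samba.git;a=blob_plain;f=examples/smb.conf.default;hb=HEAD' -o /etc/samba/smb.conf
# This runs as root already (see pacman above); the sudo on the original
# line did not apply to the >> redirection anyway. Quoted EOF: nothing here
# needs expansion (%m is samba's own substitution).
# NOTE(review): the downloaded example already contains a [global] section,
# so this appends a second one; the log path is the upstream example's, not
# the /var/log/samba location the Arch package uses. testparm below reports
# what samba actually makes of the merged file. Consider adding
# "server min protocol = SMB3" under [global] to refuse legacy dialects.
cat << 'EOF' >> /etc/samba/smb.conf
[global]
workgroup = MYGROUP
server string = Samba Server
server role = standalone server
log file = /usr/local/samba/var/log.%m
max log size = 50
dns proxy = no
mangled names = no
[Some name]
comment = Some description
path = /mnt/data
browsable = yes
writeable = yes
create mask = 0700
directory mask = 0700
read only = no
guest ok = no
EOF
testparm -s
# pdbedit prompts for the share password interactively
pdbedit -a -u "$USER_NAME"
systemctl enable --now smb.service
systemctl enable --now nmb.service
# --permanent alone only writes the config; the reload applies it
firewall-cmd --permanent --add-service=samba --zone=home
firewall-cmd --reload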
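# firefox
pacman -S firefox
printf '%s\n' MOZ_ENABLE_WAYLAND=1 >> /etc/environment
# podman
pacman -S podman podman-compose
touch /etc/subuid /etc/subgid
usermod --add-subuids 100000-165535 --add-subgids 100000-165535 "$USER_NAME"
podman system migrate
# Single quotes: the inner "docker.io" quotes must reach the file (it is a
# TOML string); in the original they terminated the outer double-quoted
# string and were dropped.
printf '%s\n' 'unqualified-search-registries=["docker.io"]' >> /etc/containers/registries.conf
# change DNS
# printf writes the two lines the same way in bash and zsh (bash's echo
# leaves \n literal unless given -e).
printf '[global-dns-domain-*]\nservers=1.1.1.1,1.0.0.1\n' > /etc/NetworkManager/conf.d/dns-servers.conf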
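# nvidia
pacman -S nvidia-dkms
# The original line was a pseudo-command ("edit /etc/mkinicpio.conf", with a
# typo in the path) followed by the target content. This appends the nvidia
# modules to whatever MODULES=(...) already holds, then rebuilds the initramfs.
sed -i 's/^MODULES=(\(.*\))/MODULES=(\1 nvidia nvidia_modeset nvidia_uvm nvidia_drm)/' /etc/mkinitcpio.conf
mkinitcpio -P
pacman -S nvidia-settings
# NOTE(review): an xorg.conf.d snippet is only read by an X server; with sway
# (Wayland) it is inert. The Screen section also refers to Device0 and
# Monitor0, which are not defined in this file (the Device identifier is
# "NVIDIA Card"). Content kept as written; quoted EOF, nothing expands.
mkdir -p /etc/X11/xorg.conf.d
cat << 'EOF' > /etc/X11/xorg.conf.d/20-nvidia.conf
Section "Device"
Identifier "NVIDIA Card"
Driver "nvidia"
VendorName "NVIDIA Corporation"
BoardName "GeForce GTX 1050 Ti"
EndSection
Section "Screen"
Identifier "Screen0"
Device "Device0"
Monitor "Monitor0"
Option "ForceFullCompositionPipeline" "on"
Option "AllowIndirectGLXProtocol" "off"
Option "TripleBuffer" "on"
EndSection
EOF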