@luis-account
Created February 8, 2025 19:48
Arch Install script with disk encryption
#!/bin/sh
# Arch Linux install script.
# (based on: https://github.com/arceryz/archlinux-installer-script/blob/master/archstrap.sh - Parcevval @2023)
# EFI only
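# Validate the target drive and ask for confirmation before any destructive
# step. Every refusal path exits non-zero so a wrapper can tell "nothing was
# installed" apart from a completed install.
if [ -z "$1" ]; then
  printf "Usage: Provide only the drive to install to (i.e /dev/sda, see lsblk)\n\n./archstrap.sh [DRIVE]\n\n" >&2
  exit 1
fi
if [ ! -b "$1" ]; then
  # The argument is passed as data, never as part of the printf format string.
  printf 'Drive %s is not a valid block device.\n' "$1" >&2
  exit 1
fi
printf '\nReady to install Arch on %s.\nContinue? (y/n): ' "$1"
# -r keeps backslashes in the answer literal.
read -r CERTAIN
if [ "$CERTAIN" != "y" ]; then
  printf "Abort."
  exit 1
fi
disk=$1
# Partition device names: the kernel inserts a "p" between disk name and
# partition number when the disk name itself ends in a digit
# (/dev/nvme0n1 -> /dev/nvme0n1p1, /dev/mmcblk0 -> /dev/mmcblk0p1), while
# /dev/sda style names get the number appended directly.
case "$disk" in
  *[0-9]) part_prefix="${disk}p" ;;
  *) part_prefix="$disk" ;;
esac
boot="${part_prefix}1"
system="${part_prefix}2"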
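# Cleanup from previous runs. Best effort: on a first run none of these exist,
# so failures are expected and deliberately ignored. The names are the fixed
# ones this script creates further down (vg0, cryptlvm); no $swap variable is
# ever assigned, so the swap volume is addressed by its path.
swapoff /dev/vg0/swap 2>/dev/null || true
umount -R /mnt 2>/dev/null || true
# A run that aborted half-way leaves the volume group active and the LUKS
# mapping open, which would make the later "cryptsetup open" fail.
vgchange -an vg0 2>/dev/null || true
cryptsetup close cryptlvm 2>/dev/null || true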
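# From here on trace every command (-x) and stop at the first failure (-e),
# so a failed step is never followed by formatting or mounting.
set -xe
# GPT layout: 512 MiB EFI system partition, the rest for the encrypted LVM
# container. Optimal alignment may shift the exact sizes slightly.
parted -s "$disk" mklabel gpt
parted -sa optimal "$disk" mkpart primary fat32 0% 512MiB
parted -sa optimal "$disk" mkpart primary ext4 512MiB 100%
parted -s "$disk" set 1 esp on
mkfs.fat -IF32 "$boot"
# Encrypt the LVM container partition.
# --batch-mode suppresses cryptsetup's own confirmation question, so the y/n
# prompt at the top of this script is the only guard against wiping the wrong
# drive. The passphrase is still asked for on the terminal; the "open" right
# after asks for it again, which catches a mistyped passphrase early.
cryptsetup luksFormat --label cryptlvm --batch-mode "$system"
cryptsetup open "$system" cryptlvm
# Set up LVM inside the encrypted container: 12G swap, 50G root, rest home.
pvcreate /dev/mapper/cryptlvm
vgcreate vg0 /dev/mapper/cryptlvm
lvcreate -L 12G vg0 -n swap
lvcreate -L 50G vg0 -n root
lvcreate -l 100%FREE vg0 -n home
# Format the logical volumes.
mkfs.ext4 /dev/vg0/root
mkfs.ext4 /dev/vg0/home
mkswap /dev/vg0/swap
# Mount the target filesystems under /mnt.
mount /dev/vg0/root /mnt
mkdir -p /mnt/boot
# NOTE: /boot is the plain FAT32 ESP, so kernel and initramfs are stored
# unencrypted; only root, home and swap live inside the LUKS container.
mount "$boot" /mnt/boot
mkdir -p /mnt/home
mount /dev/vg0/home /mnt/home
swapon /dev/vg0/swap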
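# Packages and chroot.
# The package list ends on the "firefox" line without a trailing backslash.
# A continuation there would join the genfstab line onto pacstrap, turning
# "genfstab", "-U" and "/mnt" into arguments and redirecting pacstrap's output
# into a /mnt/etc/fstab that does not exist yet.
pacstrap /mnt linux linux-firmware base base-devel \
  git efibootmgr grub lvm2 networkmanager openssh make sudo unzip zip \
  pulseaudio pavucontrol wget gcc tmux \
  alacritty neovim less ranger firefox
# Record the mounted layout (by UUID) as the new system's fstab.
genfstab -U /mnt > /mnt/etc/fstab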
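# Write the second-stage script that runs inside the new system. The heredoc
# delimiter is quoted so the outer shell expands nothing in the body.
cat <<'EOF' > /mnt/setup_chroot.sh
#!/bin/sh
set -xe
# Locale, timezone, hostname, and user setup
sed -i 's/^#en_US.UTF-8/en_US.UTF-8/' /etc/locale.gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf
locale-gen
ln -sf /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime
hwclock --systohc
systemctl enable NetworkManager
# Placeholder hostname; edit before running.
echo "DUMMY_HOSTNAME" > /etc/hostname
useradd -m -G wheel,audio,video,network,storage -s /bin/bash myuser
# Passwords are typed at the console instead of being hard-coded here: a fixed
# password would be identical on every machine installed with this script,
# readable in this file, and echoed by "set -x". passwd is retried until it
# succeeds so a typo does not abort the install under "set -e".
until passwd myuser; do :; done
sed -i 's/^# %wheel ALL=(ALL:ALL) ALL/%wheel ALL=(ALL:ALL) ALL/' /etc/sudoers
# Fail now rather than at first sudo if the edit left sudoers unparsable.
visudo -c
until passwd root; do :; done
# Configure GRUB for LVM on encrypted partitions
sed -i 's/^GRUB_CMDLINE_LINUX=".*"/GRUB_CMDLINE_LINUX="cryptdevice=LABEL=cryptlvm:cryptlvm root=\/dev\/vg0\/root"/' /etc/default/grub
sed -i 's/^#GRUB_ENABLE_CRYPTODISK=y/GRUB_ENABLE_CRYPTODISK=y/' /etc/default/grub
# Initramfs configuration for LVM and encryption
sed -i 's/^HOOKS=(.*)/HOOKS=(base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck)/' /etc/mkinitcpio.conf
mkinitcpio -P
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfg
# A bare "su myuser" inside a script only opens an interactive shell; the
# command after it would then run as root once that shell exits. Enabling the
# user unit with --global needs no running user session, which the chroot
# does not have. NOTE(review): this enables it for every user, not only
# myuser - confirm that is acceptable.
systemctl --global enable pulseaudio
EOF
# Run the setup script in chroot. Only root needs to read or execute it.
chmod 700 /mnt/setup_chroot.sh
arch-chroot /mnt /setup_chroot.sh
rm -f -- /mnt/setup_chroot.sh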
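# Finalize: release everything in reverse order of setup.
umount -R /mnt
swapoff /dev/vg0/swap
# The logical volumes sit on top of the LUKS mapping; while they are active
# the mapping is in use and "cryptsetup close" is refused, which under
# "set -e" would end the script with an error after a complete install.
vgchange -an vg0
cryptsetup close cryptlvm
set +xe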