mathben/archlinux_installation_ux370u_full_disk_encrypted.sh

## archlinux_installation_ux370u_full_disk_encrypted.sh
#!/usr/bin/env bash

# French Guide : https://github.com/FredBezies/arch-tuto-installation
# Install ARCH Linux with UEFI
# The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.

# Download the archiso image from https://www.archlinux.org/
# Copy to a usb-drive
dd if=archlinux.img of=/dev/sdX bs=16M status=progress && sync # on linux

# Load Canadien Multilingue keyboard
# ERROR not works
#loadkeys ca_multi

# Setup the wifi
wifi-menu

# Set fast mirror from Montreal/Quebec
# add the next line on top of file /etc/pacman.d/mirrorlist
# Server = http://mirror.csclub.uwaterloo.ca/archlinux/$repo/os/$arch
# Update pacman package database
pacman -Sy

# Find disk and partitionned it
# show the list of device and ignore loop0, sda
lsblk
# Find device /dev/nvme0n1

# Create partitions
cgdisk /dev/nvme0n1
# Manually create partition
1 100MB EFI partition # Hex code ef00
2 250MB Boot partition # Hex code 8300
3 100% size partiton # (to be encrypted) Hex code 8300

# Format partitions
mkfs.vfat -F32 /dev/nvme0n1p1
mkfs.ext2 /dev/nvme0n1p2
# Setup the encryption of the system with 256 bit effective size
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 3000 -y --use-random luksFormat /dev/nvme0n1p3
cryptsetup luksOpen /dev/nvme0n1p3 luks

# Create encrypted partitions
# Usually, create swap with same size of ram size or more (150% is the best)
lsmem
# Check line "Total online memory:". In this case, it's 16G

# Usually, 20G to 40G is enough for root dependant of your usage
# Suggest to create another secret partition for critical data, can be decrypted
pvcreate /dev/mapper/luks
vgcreate vg0 /dev/mapper/luks
lvcreate --size 16G vg0 --name swap
lvcreate --size 40G vg0 --name root
lvcreate --size 4G vg0 --name secret
lvcreate -l +100%FREE vg0 --name home

# Create filesystems on encrypted partitions
mkfs.ext4 /dev/mapper/vg0-root
mkfs.ext4 /dev/mapper/vg0-home
mkswap /dev/mapper/vg0-swap

# Create secret filesystems
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 3000 -y --use-random luksFormat /dev/mapper/vg0-secret
cryptsetup open /dev/mapper/vg0-secret secret
mkfs.ext4 /dev/mapper/secret
cryptsetup close secret

# Mount the new system
mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
swapon /dev/mapper/vg0-swap # Not needed but a good thing to test
# Create boot section
mkdir /mnt/boot
mount /dev/nvme0n1p2 /mnt/boot
mkdir /mnt/boot/efi
mount /dev/nvme0n1p1 /mnt/boot/efi
# Create home
mkdir /mnt/home
mount /dev/mapper/vg0-home /mnt/home

# Install the system also includes stuff needed for starting wifi when first booting into the newly installed system
# Unless vim and zsh are desired these can be removed from the command
# Install Linux LTS
pacstrap /mnt base base-devel pacman-contrib grub-efi-x86_64 zsh os-prober vim git efibootmgr dialog wpa_supplicant sudo zip unzip p7zip alsa-utils syslog-ng mtools dosfstools lsb-release ntfs-3g exfat-utils bash-completion linux-lts openssh util-linux

# 'install' fstab
genfstab -pU /mnt >> /mnt/etc/fstab
# Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)
tmpfs	/tmp	tmpfs	defaults,noatime,mode=1777	0	0
# Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)
# More information about ArchLinux and ssd : https://wiki.archlinux.org/index.php/Solid_state_drive
# Suggestion, use Periodic TRIM. Enable systemctl service later!
# More information from Debian : https://wiki.debian.org/SSDOptimization

# Enter the new system
arch-chroot /mnt /bin/bash

# Setup system clock
ln -fs /usr/share/zoneinfo/Canada/Eastern /etc/localtime
hwclock --systohc --utc

# Set the hostname
echo MYHOSTNAME > /etc/hostname

# Generate locale
#Uncomment wanted locales in /etc/locale.gen
#en_CA.UTF-8 UTF-8
#or
#ca_FR.UTF-8 UTF-8
vim /etc/locale.gen
locale-gen

echo LANG=en_CA.UTF-8 >> /etc/locale.conf
echo LC_ALL= >> /etc/locale.conf
echo LC_COLLATE=C >> /etc/locale.conf

# Set password for root
passwd

# Add real user remove -s flag if you don't whish to use zsh
# useradd -m -g users -G wheel,storage,power -s /bin/zsh MYUSERNAME
# passwd MYUSERNAME
# Configure sudo. Use visudo to edit /etc/sudoers
# Uncomment the line "%wheel ALL=(ALL) ALL"

# Configure mkinitcpio with modules needed for the initrd image
vim /etc/mkinitcpio.conf
# Add 'ext4' to MODULES
# Add 'encrypt' and 'lvm2' to HOOKS before filesystems
# Add 'resume' after 'lvm2' (also has to be after 'udev')

# Regenerate initrd image
mkinitcpio -p linux-lts

# Setup grub
mount | grep efivars &> /dev/null || mount -t efivarfs efivarfs /sys/firmware/efi/efivars
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=arch_grub --recheck
# Configure grub with luks
# In /etc/default/grub edit the line GRUB_CMDLINE_LINUX to GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p3:luks:allow-discards"
# Bug with next command, got "Device /dev/xxx not initialized in udev database even after waiting 10000000 microseconds", check https://wiki.archlinux.org/index.php/GRUB#Warning_when_installing_in_chroot
grub-mkconfig -o /boot/grub/grub.cfg
# Finalize EFI
mkdir /boot/efi/EFI/boot
cp /boot/efi/EFI/arch_grub/grubx64.efi /boot/efi/EFI/boot/bootx64.efi

# Enable fstrim for SSD
systemctl enable fstrim.timer
systemctl start fstrim.timer

# Configure TLP for energy save for laptop
# https://wiki.archlinux.org/index.php/TLP
pacman -S tlp networkmanager
systemctl enable tlp.service
systemctl enable tlp-sleep.service
# Do configuration "Force battery (BAT) configuration"

# add ntp and cronie
pacman -Syy ntp cronie
# Add media plugin
pacman -S gst-plugins-{base,good,bad,ugly} gst-libav
# xorg for laptop
pacman -S xorg-{server,xinit,apps} xf86-input-{mouse,keyboard} xdg-user-dirs xf86-input-libinput xf86-video-vesa xf86-video-intel
# Font
pacman -S ttf-{bitstream-vera,liberation,freefont,dejavu} freetype2
# Printer
pacman -S cups gimp gimp-help-fr hplip python-pyqt5
pacman -S foomatic-{db,db-ppds,db-gutenprint-ppds,db-nonfree,db-nonfree-ppds} gutenprint
# Libreoffice
pacman -S libreoffice-still-fr hunspell-fr
# Web navigator
pacman -S firefox-i18n-fr chromium
# Install Gnome
pacman -S gnome gnome-extra system-config-printer telepathy shotwell rhythmbox
# Enable GDM at startup
systemctl enable gdm.service
# Install Yay
cd /tmp
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -si
# Apply makepkg optimization : https://wiki.archlinux.org/index.php/makepkg
# Follow guide "Building optimized binaries"

# Exit new system and go into the cd shell
exit

# Unmount all partitions
umount -R /mnt
swapoff -a

# Reboot into the new system, don't forget to remove the cd/usb
reboot
	#!/usr/bin/env bash

	# French Guide : https://github.com/FredBezies/arch-tuto-installation
	# Install ARCH Linux with UEFI
	# The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.

	# Download the archiso image from https://www.archlinux.org/
	# Copy to a usb-drive
	dd if=archlinux.img of=/dev/sdX bs=16M status=progress && sync # on linux

	# Load Canadien Multilingue keyboard
	# ERROR not works
	#loadkeys ca_multi

	# Setup the wifi
	wifi-menu

	# Set fast mirror from Montreal/Quebec
	# add the next line on top of file /etc/pacman.d/mirrorlist
	# Server = http://mirror.csclub.uwaterloo.ca/archlinux/$repo/os/$arch
	# Update pacman package database
	pacman -Sy

	# Find disk and partitionned it
	# show the list of device and ignore loop0, sda
	lsblk
	# Find device /dev/nvme0n1

	# Create partitions
	cgdisk /dev/nvme0n1
	# Manually create partition
	1 100MB EFI partition # Hex code ef00
	2 250MB Boot partition # Hex code 8300
	3 100% size partiton # (to be encrypted) Hex code 8300

	# Format partitions
	mkfs.vfat -F32 /dev/nvme0n1p1
	mkfs.ext2 /dev/nvme0n1p2
	# Setup the encryption of the system with 256 bit effective size
	cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 3000 -y --use-random luksFormat /dev/nvme0n1p3
	cryptsetup luksOpen /dev/nvme0n1p3 luks

	# Create encrypted partitions
	# Usually, create swap with same size of ram size or more (150% is the best)
	lsmem
	# Check line "Total online memory:". In this case, it's 16G

	# Usually, 20G to 40G is enough for root dependant of your usage
	# Suggest to create another secret partition for critical data, can be decrypted
	pvcreate /dev/mapper/luks
	vgcreate vg0 /dev/mapper/luks
	lvcreate --size 16G vg0 --name swap
	lvcreate --size 40G vg0 --name root
	lvcreate --size 4G vg0 --name secret
	lvcreate -l +100%FREE vg0 --name home

	# Create filesystems on encrypted partitions
	mkfs.ext4 /dev/mapper/vg0-root
	mkfs.ext4 /dev/mapper/vg0-home
	mkswap /dev/mapper/vg0-swap

	# Create secret filesystems
	cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 3000 -y --use-random luksFormat /dev/mapper/vg0-secret
	cryptsetup open /dev/mapper/vg0-secret secret
	mkfs.ext4 /dev/mapper/secret
	cryptsetup close secret

	# Mount the new system
	mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
	swapon /dev/mapper/vg0-swap # Not needed but a good thing to test
	# Create boot section
	mkdir /mnt/boot
	mount /dev/nvme0n1p2 /mnt/boot
	mkdir /mnt/boot/efi
	mount /dev/nvme0n1p1 /mnt/boot/efi
	# Create home
	mkdir /mnt/home
	mount /dev/mapper/vg0-home /mnt/home

	# Install the system also includes stuff needed for starting wifi when first booting into the newly installed system
	# Unless vim and zsh are desired these can be removed from the command
	# Install Linux LTS
	pacstrap /mnt base base-devel pacman-contrib grub-efi-x86_64 zsh os-prober vim git efibootmgr dialog wpa_supplicant sudo zip unzip p7zip alsa-utils syslog-ng mtools dosfstools lsb-release ntfs-3g exfat-utils bash-completion linux-lts openssh util-linux

	# 'install' fstab
	genfstab -pU /mnt >> /mnt/etc/fstab
	# Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)
	tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
	# Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)
	# More information about ArchLinux and ssd : https://wiki.archlinux.org/index.php/Solid_state_drive
	# Suggestion, use Periodic TRIM. Enable systemctl service later!
	# More information from Debian : https://wiki.debian.org/SSDOptimization

	# Enter the new system
	arch-chroot /mnt /bin/bash

	# Setup system clock
	ln -fs /usr/share/zoneinfo/Canada/Eastern /etc/localtime
	hwclock --systohc --utc

	# Set the hostname
	echo MYHOSTNAME > /etc/hostname

	# Generate locale
	#Uncomment wanted locales in /etc/locale.gen
	#en_CA.UTF-8 UTF-8
	#or
	#ca_FR.UTF-8 UTF-8
	vim /etc/locale.gen
	locale-gen

	echo LANG=en_CA.UTF-8 >> /etc/locale.conf
	echo LC_ALL= >> /etc/locale.conf
	echo LC_COLLATE=C >> /etc/locale.conf

	# Set password for root
	passwd

	# Add real user remove -s flag if you don't whish to use zsh
	# useradd -m -g users -G wheel,storage,power -s /bin/zsh MYUSERNAME
	# passwd MYUSERNAME
	# Configure sudo. Use visudo to edit /etc/sudoers
	# Uncomment the line "%wheel ALL=(ALL) ALL"

	# Configure mkinitcpio with modules needed for the initrd image
	vim /etc/mkinitcpio.conf
	# Add 'ext4' to MODULES
	# Add 'encrypt' and 'lvm2' to HOOKS before filesystems
	# Add 'resume' after 'lvm2' (also has to be after 'udev')

	# Regenerate initrd image
	mkinitcpio -p linux-lts

	# Setup grub
	mount \| grep efivars &> /dev/null \|\| mount -t efivarfs efivarfs /sys/firmware/efi/efivars
	grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=arch_grub --recheck
	# Configure grub with luks
	# In /etc/default/grub edit the line GRUB_CMDLINE_LINUX to GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p3:luks:allow-discards"
	# Bug with next command, got "Device /dev/xxx not initialized in udev database even after waiting 10000000 microseconds", check https://wiki.archlinux.org/index.php/GRUB#Warning_when_installing_in_chroot
	grub-mkconfig -o /boot/grub/grub.cfg
	# Finalize EFI
	mkdir /boot/efi/EFI/boot
	cp /boot/efi/EFI/arch_grub/grubx64.efi /boot/efi/EFI/boot/bootx64.efi

	# Enable fstrim for SSD
	systemctl enable fstrim.timer
	systemctl start fstrim.timer

	# Configure TLP for energy save for laptop
	# https://wiki.archlinux.org/index.php/TLP
	pacman -S tlp networkmanager
	systemctl enable tlp.service
	systemctl enable tlp-sleep.service
	# Do configuration "Force battery (BAT) configuration"

	# add ntp and cronie
	pacman -Syy ntp cronie
	# Add media plugin
	pacman -S gst-plugins-{base,good,bad,ugly} gst-libav
	# xorg for laptop
	pacman -S xorg-{server,xinit,apps} xf86-input-{mouse,keyboard} xdg-user-dirs xf86-input-libinput xf86-video-vesa xf86-video-intel
	# Font
	pacman -S ttf-{bitstream-vera,liberation,freefont,dejavu} freetype2
	# Printer
	pacman -S cups gimp gimp-help-fr hplip python-pyqt5
	pacman -S foomatic-{db,db-ppds,db-gutenprint-ppds,db-nonfree,db-nonfree-ppds} gutenprint
	# Libreoffice
	pacman -S libreoffice-still-fr hunspell-fr
	# Web navigator
	pacman -S firefox-i18n-fr chromium
	# Install Gnome
	pacman -S gnome gnome-extra system-config-printer telepathy shotwell rhythmbox
	# Enable GDM at startup
	systemctl enable gdm.service
	# Install Yay
	cd /tmp
	git clone https://aur.archlinux.org/yay.git
	cd yay
	makepkg -si
	# Apply makepkg optimization : https://wiki.archlinux.org/index.php/makepkg
	# Follow guide "Building optimized binaries"

	# Exit new system and go into the cd shell
	exit

	# Unmount all partitions
	umount -R /mnt
	swapoff -a

	# Reboot into the new system, don't forget to remove the cd/usb
	reboot