
@nyxkrage
Last active February 24, 2021 19:29

Arch Install

Notes about this "guide"

These are mostly notes for myself, written so that they are also understandable for others.
It will NOT be an in-depth guide explaining my choices.
It will NOT tell you the function of every option of every command, as I assume you will look up any that you find interesting or confusing.
I WILL link to general info about the main parts being used, or to info that is harder to find.

This will guide you through the installation from after booting from the USB to booting Arch from your SSD/HDD.

Resulting installation

  1. Arch Linux with the linux-zen and linux-lts kernels.
  2. rEFInd boot manager.
  3. btrfs single-partition system with subvolumes.
  4. Full-disk encryption with LUKS.

Some setup to make life easier

Set up some environment variables that will make your life a lot easier down the line.

btrfs mounting options

btrfso=defaults,x-mount.mkdir,compress=lzo,ssd,noatime

If installing on a HDD instead of an SSD, you can omit the ssd option.

Set up a variable for the drive that should be worked on; this helps prevent accidentally wiping the wrong drive. Remember to substitute whatever drive you're using, which will often be /dev/sda or /dev/nvme0n1.

DRIVE=/dev/<DRIVE>

You can use lsblk to find your drive
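Added example (not part of the original gist): a few sanity checks on the two variables set up above, so that a typo in $DRIVE cannot send the wiping and partitioning commands at the wrong disk. The function names are mine; the option strings are the ones from this section.

```sh
#!/bin/sh
# Added example, not part of the original gist: sanity checks for $btrfso
# and $DRIVE before anything destructive is run.

# Mount options used as $btrfso; pass hdd to drop the ssd option.
btrfs_opts() {
    case "$1" in
        ssd) printf 'defaults,x-mount.mkdir,compress=lzo,ssd,noatime\n' ;;
        hdd) printf 'defaults,x-mount.mkdir,compress=lzo,noatime\n' ;;
        *)   echo "usage: btrfs_opts ssd|hdd" >&2; return 1 ;;
    esac
}

# Pure path check: a whole disk (/dev/sda, /dev/nvme0n1, /dev/mmcblk0),
# not a partition (/dev/sda1, /dev/nvme0n1p1). Only the common naming
# schemes are recognised; other /dev paths are treated as whole disks.
is_whole_disk_path() {
    case "$1" in
        /dev/[sv]d[a-z]*[0-9]|/dev/nvme*p[0-9]*|/dev/mmcblk*p[0-9]*) return 1 ;;
        /dev/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Full check against the live system. Returns 0 only when the path names
# an existing, unmounted whole block device.
validate_target() {
    dev="$1"
    # An empty $DRIVE would turn "sgdisk --zap-all $DRIVE" into a command with no target.
    [ -n "$dev" ] || { echo "DRIVE is empty" >&2; return 1; }
    is_whole_disk_path "$dev" || { echo "$dev is not a whole-disk path under /dev" >&2; return 1; }
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    # Anything mounted from the disk usually means it is the live USB or the
    # running system rather than the install target.
    if [ -r /proc/mounts ] && grep -q "^$dev" /proc/mounts; then
        echo "$dev (or a partition on it) is currently mounted" >&2
        return 1
    fi
    return 0
}

# Usage: DRIVE=/dev/sdX; btrfso="$(btrfs_opts ssd)"; then run the check.
if [ -n "${DRIVE:-}" ]; then
    validate_target "$DRIVE" || echo "refusing to use $DRIVE as the install target" >&2
fi
```

Source this file (or paste the functions) in the live environment and run validate_target "$DRIVE" once before the wiping section; every later command in this guide that takes $DRIVE is irreversible, so the check is cheap insurance.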

Setting up the Drive

Wiping the drive

Securely (recommended)

I'll be using the method from the dm-crypt Arch Wiki article: create a temporary encrypted container on the disk.

cryptsetup open --type plain $DRIVE container --key-file /dev/urandom

Optionally verify that it was created

lsblk

Now wipe the container with zeroes; using /dev/urandom here is not necessary, as the randomness comes from the cipher.

dd if=/dev/zero of=/dev/mapper/container status=progress bs=1M

Regularly (not recommended)

sgdisk --zap-all $DRIVE

Partitioning

Our partition scheme will look something like this:

  1. EFI partition. FAT32. This will contain the rEFInd boot manager. Out of necessity it will not be encrypted.
  2. SWAP partition. dm-crypt (Linux swap). This will be our swap partition. It will be encrypted with plain dm-crypt using a random keyfile. Make it larger than your RAM capacity if you want to use hibernation; otherwise I recommend a minimum of 8G. I used 32G for my laptop with 16 gigabytes of RAM, as I need more than 40 gigabytes of RAM space for some tasks. For my desktop with 128 gigabytes I don't have a swap partition.
  3. System partition. dm-crypt (btrfs). This will be the main partition, encrypted using LUKS and the passphrase of your choice. It will be structured using 3 btrfs subvolumes: root, home, and snapshots.

sgdisk --clear \
  --new=1:0:+512MiB --typecode=1:ef00 --change-name=1:EFI \
  --new=2:0:+<SWAPSIZE>GiB --typecode=2:8200 --change-name=2:cryptswap \
  --new=3:0:0 --typecode=3:8300 --change-name=3:cryptsystem \
  $DRIVE

You can change the labels, which are defined by the --change-name option, to whatever you prefer. I use EFI, cryptswap, and cryptsystem as they are clear and concise.
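Added example, not the gist's own code: the sgdisk invocation above built from $DRIVE and a SWAPSIZE variable, generalised to the no-swap case the text mentions (SWAPSIZE=0, as on the author's 128 GB desktop). Without a swap partition the system partition becomes partition 2, and because everything later in the guide refers to partitions by partlabel rather than by number, nothing else has to change. The function names and the DO_PARTITION switch are my additions.

```sh
#!/bin/sh
# Added example, not the gist's own code: build the sgdisk invocation from
# $DRIVE and $SWAPSIZE (in GiB). SWAPSIZE=0 means no swap partition; the
# partition numbers then shift so that the system partition is still the
# last one and still fills the rest of the disk.

sgdisk_args() {
    drive="$1"
    swap_gib="${2:-0}"
    case "$swap_gib" in
        ''|*[!0-9]*) echo "SWAPSIZE must be a whole number of GiB" >&2; return 1 ;;
    esac
    args="--clear --new=1:0:+512MiB --typecode=1:ef00 --change-name=1:EFI"
    n=2
    if [ "$swap_gib" -gt 0 ]; then
        args="$args --new=2:0:+${swap_gib}GiB --typecode=2:8200 --change-name=2:cryptswap"
        n=3
    fi
    # 0:0 = start at the first free sector, end at the last usable sector.
    args="$args --new=$n:0:0 --typecode=$n:8300 --change-name=$n:cryptsystem $drive"
    printf '%s\n' "$args"
}

# Prints the command it would run; only touches the disk when DO_PARTITION=1.
partition_drive() {
    args="$(sgdisk_args "$1" "$2")" || return 1
    echo "sgdisk $args"
    [ "${DO_PARTITION:-0}" = 1 ] || return 0
    # Word splitting of $args is intended: none of the arguments contain spaces.
    sgdisk $args
}

# Dry run, e.g.: partition_drive "$DRIVE" 32
```

Run partition_drive "$DRIVE" "$SWAPSIZE" once without DO_PARTITION to read the command back, then again with DO_PARTITION=1 to apply it.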

Formatting The EFI Partition

Formatting the EFI partition is pretty straightforward.

mkfs.fat -F32 -n EFI /dev/disk/by-partlabel/EFI

NOTE: Change EFI to whatever you used in the --change-name option in the Partitioning section. The partlabel is used in the next section as well, so remember to change it there too if you used something different.

Encrypting the SWAP and System partition

First we format the cryptsystem partition using LUKS, with the aes-xts-plain64 cipher and a key size of 256 bits. These are the defaults at the time of writing, but I like being explicit so that nothing breaks if new defaults are introduced.

cryptsetup luksFormat --align-payload=8192 -s 256 -c aes-xts-plain64 /dev/disk/by-partlabel/cryptsystem

The --align-payload option is used on the suggestion of the dm-crypt mailing list, for SSD optimization.

Here we set up encryption for the swap partition using a random keyfile (plain dm-crypt, so there is no LUKS header and the key is lost on every reboot).

cryptsetup open --type plain --key-file /dev/urandom /dev/disk/by-partlabel/cryptswap swap

Setting up swap

We create the swap area and enable it.

mkswap -L swap /dev/mapper/swap
swapon -L swap

Formatting the system partition

Open the LUKS container as system (the following commands address it as /dev/mapper/system) and format it with btrfs.

cryptsetup open /dev/disk/by-partlabel/cryptsystem system
mkfs.btrfs --force --label system /dev/mapper/system

Now we mount the filesystem so we can create our subvolumes on it, then unmount it so we can mount the subvolumes instead.

mount -t btrfs LABEL=system /mnt
btrfs subvolume create /mnt/root
btrfs subvolume create /mnt/home
btrfs subvolume create /mnt/snapshots
umount -R /mnt

Mounting the btrfs subvolumes

Now we mount the subvolumes using the options we defined in the very beginning.

mount -t btrfs -o subvol=root,$btrfso LABEL=system /mnt
mount -t btrfs -o subvol=home,$btrfso LABEL=system /mnt/home
mount -t btrfs -o subvol=snapshots,$btrfso LABEL=system /mnt/.snapshots

Mounting the EFI partition

mkdir /mnt/boot
mount LABEL=EFI /mnt/boot

Generating the fstab

genfstab -L -p /mnt >> /mnt/etc/fstab
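Added example, not part of the original gist: a check that the generated fstab really contains the three subvolume mounts and the EFI mount from the sections above, with each btrfs entry on the intended subvol and carrying compress=lzo. The sample fstab is constructed here in the shape of genfstab -L output; it is not output captured from the author's system, and the function names are mine.

```sh
#!/bin/sh
# Added example, not part of the original gist: verify /mnt/etc/fstab after
# genfstab. Constructed sample in the shape of "genfstab -L" output.
SAMPLE_FSTAB='# Static information about the filesystems.
# <file system> <dir> <type> <options> <dump> <pass>
LABEL=system / btrfs rw,noatime,compress=lzo,ssd,space_cache,subvol=root 0 0
LABEL=system /home btrfs rw,noatime,compress=lzo,ssd,space_cache,subvol=home 0 0
LABEL=system /.snapshots btrfs rw,noatime,compress=lzo,ssd,space_cache,subvol=snapshots 0 0
LABEL=EFI /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2'

# $1 = fstab text, $2 = mount point -> prints the options field; fails if absent.
fstab_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" \
        '$1 !~ /^#/ && $2 == mp { print $4; found = 1 } END { exit !found }'
}

# $1 = comma-separated options, $2 = one option to look for (exact match).
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# Returns 0 only if every expected mount is present and correctly configured.
check_fstab() {
    fstab="$1"
    rc=0
    for pair in "/:root" "/home:home" "/.snapshots:snapshots"; do
        mp="${pair%%:*}"
        sv="${pair#*:}"
        if ! opts="$(fstab_opts "$fstab" "$mp")"; then
            echo "missing mount for $mp" >&2; rc=1; continue
        fi
        has_opt "$opts" "subvol=$sv"   || { echo "$mp is not on subvol=$sv" >&2; rc=1; }
        has_opt "$opts" "compress=lzo" || { echo "$mp lacks compress=lzo" >&2; rc=1; }
    done
    fstab_opts "$fstab" /boot >/dev/null || { echo "missing /boot (EFI) mount" >&2; rc=1; }
    return $rc
}

# On the live system: check_fstab "$(cat /mnt/etc/fstab)"
```

If the check fails, the usual cause is a subvolume that was mounted without the $btrfso options or a missing /mnt/boot mount before genfstab ran; fix the mounts and regenerate rather than hand-editing the file.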

Installing the system

Pacstrap

We use pacstrap to install the required packages without needing to chroot into the system.

pacstrap /mnt base base-devel vim linux-zen linux-lts refind-efi btrfs-progs zsh dash ttf-hack otf-overpass dhcpcd opendoas linux-firmware man-db man-pages intel-ucode

The packages we install are:

  1. base - provides the packages necessary to boot the system
  2. base-devel - provides some essential packages for using the system
  3. intel-ucode - microcode for Intel CPUs; change this to amd-ucode if you're running an AMD-based system
  4. linux-zen - the Zen Linux kernel, which has some optimizations for daily-driver use
  5. linux-lts - long-term support kernel, which I keep as a backup in case something in the newer linux-zen kernel breaks
  6. linux-firmware - provides firmware for most devices, for example network cards
  7. refind-efi - provides the boot manager and bootloader
  8. man-db and man-pages - provide the ability to look up programs' man pages in the terminal
  9. vim - the text editor I install as a base; other options include vi, neovim, nano, emacs, or ed
  10. zsh and dash - zsh is my preferred shell and dash is used as the lightweight POSIX-compliant shell for running scripts
  11. ttf-hack and otf-overpass - my preferred fonts, Hack for monospace and Overpass for sans-serif
  12. dhcpcd - DHCP client; you can't connect to the internet without it
  13. opendoas - a lighter and simpler alternative to sudo

chroot'ing into the system

You can either do this with regular arch-chroot or with systemd-nspawn. I will not be covering the systemd method here, as it's simply too much of a hassle in my opinion.

Getting a shell using arch-chroot is as follows:

arch-chroot /mnt

Then set up a hostname variable for use inside the system.

HOSTNAME="<your desired hostname>"

Setting up all the configs

Setting locale

Edit /etc/locale.gen and uncomment the lines you need.

vim /etc/locale.gen
----------------------
...
#cy_GB ISO-8859-14
da_DK.UTF-8 UTF-8
#de_AT.UTF-8 UTF-8
...
#en_CA ISO-8859-1
en_DK.UTF-8 UTF-8
#en_GB.UTF-8 UTF-8
...
#en_SG ISO-8859-1
en_US.UTF-8 UTF-8
#en_US ISO-8859-1
#en_ZA.UTF-8 UTF-8
...

or add the ones you need by appending them:

echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen

Now we can generate the locales using:

locale-gen

And finally we set the locale we want to use.

systemd-firstboot --prompt-locale

Setting timezone

First enable NTP syncing.

timedatectl set-ntp 1

Set your timezone.

timedatectl set-timezone LOCATION/CITY

For example:

timedatectl set-timezone Europe/Copenhagen

Setting hostname and hosts

Set your hostname using:

hostnamectl set-hostname $HOSTNAME

Then add the following to your hosts file:

/etc/hosts
------------
127.0.0.1 localhost.localdomain localhost
::1       localhost.localdomain localhost
127.0.1.1	HOSTNAME.localdomain HOSTNAME

or write it with printf (it interprets the \t and \n escapes reliably, which echo does not on every shell):

printf '127.0.0.1\tlocalhost.localdomain\tlocalhost\n::1\t\tlocalhost.localdomain\tlocalhost\n127.0.1.1\t%s.localdomain\t%s\n' "$HOSTNAME" "$HOSTNAME" > /etc/hosts
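Added example, not part of the original gist: the same hosts file generated from $HOSTNAME, but only after checking that the name is something hostnamectl and the resolver will accept (letters, digits and hyphens, no leading or trailing hyphen, at most 63 characters). The function names and the optional output-path argument are mine.

```sh
#!/bin/sh
# Added example, not part of the original gist: validate $HOSTNAME and
# write /etc/hosts from it.

# Single-label hostname rules: 1-63 characters, letters/digits/hyphens only,
# and a hyphen may not be the first or last character.
valid_hostname() {
    h="$1"
    [ -n "$h" ] && [ ${#h} -le 63 ] || return 1
    case "$h" in
        -*|*-)             return 1 ;;
        *[!a-zA-Z0-9-]*)   return 1 ;;
    esac
    return 0
}

# Prints the three lines from the /etc/hosts listing above for hostname $1.
render_hosts() {
    printf '127.0.0.1\tlocalhost.localdomain\tlocalhost\n'
    printf '::1\t\tlocalhost.localdomain\tlocalhost\n'
    printf '127.0.1.1\t%s.localdomain\t%s\n' "$1" "$1"
}

# $1 = hostname, $2 = output path (defaults to /etc/hosts).
write_hosts() {
    valid_hostname "$1" || { echo "invalid hostname: '$1'" >&2; return 1; }
    render_hosts "$1" > "${2:-/etc/hosts}"
}

# Inside the chroot: write_hosts "$HOSTNAME"
```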

Setting up decryption on startup

This is done by editing /etc/crypttab. This is what it should look like:

swap	/dev/disk/by-partlabel/cryptswap	/dev/urandom	swap,offset=2048,cipher=aes-xts-plain64,size=256
system	/dev/disk/by-partlabel/cryptsystem	none		offset=2048,cipher=aes-xts-plain64,size=256

Generate new initramfs

This is needed because the sd-encrypt and btrfs hooks must be included in our initramfs. Edit /etc/mkinitcpio.conf to contain the following:

MODULES=""
BINARIES=""
FILES=""
HOOKS="systemd modconf keyboard block filesystems btrfs sd-encrypt fsck"

Then generate the initramfs for our kernels using:

mkinitcpio -p linux-zen
mkinitcpio -p linux-lts

Configure rEFInd

Install rEFInd to your EFI partition (replace /dev/sdXY with the EFI partition created in the Partitioning section, reachable as /dev/disk/by-partlabel/EFI if you kept the labels from above).

refind-install --usedefault /dev/sdXY --alldrivers

Create or edit /boot/EFI/BOOT/refind.conf:

/boot/EFI/BOOT/refind.conf
-------
timeout          20               # How long (in seconds) rEFInd waits for user input
use_graphics_for windows          # Boot Windows in graphics mode (the simpler "mac-style" behaviour)
also_scan_dirs   +,@/             # Also search for boot loaders in the specified directories

Create or edit /boot/refind_linux.conf:

"Boot with standard options"  "rd.luks.name=*FILL IN UUID FROM PARTITION*=cryptsystem root=UUID=*UUID FROM encrypted root* rw rootflags=subvol=root initrd=/intel-ucode.img initrd=/initramfs-linux-zen.img add_efi_memmap"

NOTE: replace intel-ucode.img with amd-ucode.img on AMD-based systems.

The UUIDs can be found with:

lsblk -fs

and the UUIDs you need are:

  1. The one from the partition with type crypto_LUKS (version 2), which goes into rd.luks.name=
  2. The one from the filesystem with type btrfs, which goes into root=UUID=
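Added example, not part of the original gist: picking the two UUIDs out of lsblk output by filesystem type and assembling the refind_linux.conf line from them, instead of copying them by hand. It reads lsblk -P -o NAME,FSTYPE,UUID (the key="value" pairs format of lsblk); the sample below is constructed in that shape with placeholder UUIDs, not output from the author's machine, and the function names are mine. The function fails if it does not find exactly one device of the requested type, so a second btrfs disk cannot silently end up in the boot line.

```sh
#!/bin/sh
# Added example, not part of the original gist: find the crypto_LUKS and
# btrfs UUIDs and build the refind_linux.conf entry.

# Constructed sample in the shape of: lsblk -P -o NAME,FSTYPE,UUID
SAMPLE_LSBLK='NAME="sda" FSTYPE="" UUID=""
NAME="sda1" FSTYPE="vfat" UUID="1234-ABCD"
NAME="sda2" FSTYPE="" UUID=""
NAME="sda3" FSTYPE="crypto_LUKS" UUID="11111111-2222-3333-4444-555555555555"
NAME="system" FSTYPE="btrfs" UUID="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
NAME="swap" FSTYPE="swap" UUID="ffffffff-0000-1111-2222-333333333333"'

# $1 = lsblk -P text, $2 = FSTYPE to look for -> prints the UUID.
# Fails unless exactly one device of that type with a UUID is present.
uuid_for_fstype() {
    printf '%s\n' "$1" | awk -v want="$2" '
        {
            fs = ""; id = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                v = kv[2]; gsub(/"/, "", v)
                if (kv[1] == "FSTYPE") fs = v
                if (kv[1] == "UUID")   id = v
            }
            if (fs == want && id != "") out[n++] = id
        }
        END {
            if (n != 1) exit 1
            print out[0]
        }'
}

# $1 = LUKS UUID, $2 = btrfs UUID, $3 = microcode image name.
# Mirrors the "Boot with standard options" line from the section above.
refind_linux_line() {
    printf '"Boot with standard options"  "rd.luks.name=%s=cryptsystem root=UUID=%s rw rootflags=subvol=root initrd=/%s initrd=/initramfs-linux-zen.img add_efi_memmap"\n' \
        "$1" "$2" "$3"
}

# Reads the live system. $1 = microcode image (default intel-ucode.img).
make_refind_conf() {
    pairs="$(lsblk -P -o NAME,FSTYPE,UUID)" || return 1
    luks="$(uuid_for_fstype "$pairs" crypto_LUKS)" || { echo "need exactly one crypto_LUKS device" >&2; return 1; }
    fs="$(uuid_for_fstype "$pairs" btrfs)"        || { echo "need exactly one btrfs filesystem" >&2; return 1; }
    refind_linux_line "$luks" "$fs" "${1:-intel-ucode.img}"
}

# Inside the chroot: make_refind_conf > /boot/refind_linux.conf
```

Note that the opened LUKS container has to be present in the lsblk output (it is, while you are still in the chroot) for the btrfs UUID to be visible; the LUKS UUID comes from the underlying partition and is there either way.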

Setting the root password

passwd

Shut down and boot from your SSD/HDD

shutdown now

Final Notes

Thank you for reading.

Most of this guide was written using my editor rotide

Revision 1.0

By Nyxiative
