Install Arch Linux on an SSD, add a HDD as an extra directory, encrypt everything.
# Goal: install Arch Linux on an SSD and attach an HDD as an 'extra' directory.
# Encrypt the data with LUKS on LVM (a LUKS container inside each logical volume).
# Boot via UEFI.
# Keep the layout very simple, with almost no disk partitioning.
# NOTE(review): the EFI partition and /boot created below are NOT encrypted;
# only the root and /extra logical volumes are.
#
# select the correct keyboard layout
# (the LUKS passphrase set later is typed with whatever layout is active here)
loadkeys la-latin1 # la-latin1 is just an example
# get an internet connection
# NOTE(review): wifi-menu comes from netctl; newer install images may ship iwctl instead — confirm on your ISO
wifi-menu
# enable NTP time synchronisation
timedatectl set-ntp true
# list the disks and their partitions to identify the target devices
fdisk -l
# partition the first disk (small SSD)
# WARNING: `g` followed by `w` replaces the existing partition table on /dev/sda;
# check the device name against the `fdisk -l` output before continuing.
# The lines below are keystrokes typed at the fdisk prompt, not shell commands;
# "enter" means: press Enter to accept the default.
fdisk /dev/sda
# show current partitions
p
# create EFI partition
g # to create an empty GPT partition table
n
enter
enter
+300M
t
1 # for EFI
# create boot partition (default number and start sector, 400M in size)
n
enter
enter
+400M
# create LVM partition (all defaults: it takes the remaining space)
n
enter
enter
enter
# change the type of the partition just created (Enter accepts the default partition number)
# NOTE(review): 30 is meant to select 'Linux LVM', but the number differs between
# fdisk versions — type L at the type prompt to list the types and confirm
t
enter
30
# show current partitions again
p
# write the partition table to disk and exit (nothing is changed on disk before this)
w
# partition the second disk (the large disk that will be mounted as /extra)
# WARNING: `g` followed by `w` replaces the existing partition table on /dev/sdb;
# make sure this is the intended disk.
# As above, the lines after the fdisk command are keystrokes at the fdisk prompt.
fdisk /dev/sdb
# show current partitions
p
# create LVM partition (one partition spanning the whole disk)
g # to create an empty GPT partition table
n
enter
enter
enter
# set the partition type; with a single partition fdisk does not ask for its number
# NOTE(review): 30 is meant to select 'Linux LVM' — list the types with L and confirm
t
30
# show current partitions again
p
# write the partition table to disk and exit
w
# format the EFI partition as FAT32
mkfs.fat -F32 /dev/sda1
# format the boot partition
# NOTE(review): /dev/sda2 stays unencrypted, so whatever is stored on /boot
# (presumably the kernel and initramfs) is not protected against offline
# modification — account for that in your threat model.
mkfs.ext4 /dev/sda2
# prepare the logical volumes: physical volume -> volume group -> one LV using all free space
pvcreate /dev/sda3
vgcreate volgroup1 /dev/sda3
lvcreate -l 100%FREE -n lv_root volgroup1 # I don't separate in root, home, etc.
# set up encryption on the logical volume (LUKS on LVM)
# -y asks for the passphrase twice; luksFormat destroys any data already on the volume
cryptsetup -y luksFormat /dev/volgroup1/lv_root
# unlock the container; it becomes available as /dev/mapper/root
cryptsetup open /dev/volgroup1/lv_root root
# format the root filesystem inside the unlocked container
mkfs.ext4 /dev/mapper/root
# mount the root filesystem
mount /dev/mapper/root /mnt
# create the boot partition mount directory
mkdir /mnt/boot
# mount the boot partition
mount /dev/sda2 /mnt/boot
# choose the best mirror
pacman -Sy reflector
# take the 100 most recently synchronised mirrors, sort them by download rate and save the list
# NOTE(review): no --protocol filter is given, so plain-http mirrors may be selected;
# package signatures are still checked by pacman unless SigLevel has been relaxed — confirm
reflector --verbose --latest 100 --sort rate --save /etc/pacman.d/mirrorlist
# install the main system
pacstrap /mnt base base-devel linux linux-firmware
# generate the fstab file (-U identifies filesystems by UUID)
# only what is mounted under /mnt at this point is recorded: / and /boot
genfstab -U /mnt >> /mnt/etc/fstab
# chroot into the system; the commands that follow run inside the new installation
arch-chroot /mnt
# set up the timezone
# <?>/<?> is a placeholder for Region/City and must be replaced before running
# (typed literally, the shell would read < and > as redirections)
ln -sf /usr/share/zoneinfo/<?>/<?> /etc/localtime
# set the hardware clock from the system clock
hwclock --systohc
# install vim (used as the editor in the steps below)
pacman -S vim
# set up the locale
vim /etc/locale.gen # uncomment your locale
locale-gen
# set up the hostname (your_hostname is a placeholder)
echo your_hostname > /etc/hostname
vim /etc/hosts
## write:
# 127.0.0.1 localhost
# ::1 localhost
# 127.0.1.1 your_hostname.localdomain your_hostname
# install and enable the network manager
pacman -S networkmanager
systemctl enable NetworkManager
# install the lvm2 package (provides the lvm2 initramfs hook used below)
pacman -S lvm2
# set up the initramfs modules and hooks
vim /etc/mkinitcpio.conf
## replace:
# MODULES=()
## with
# MODULES=(dm-mod)
## replace:
# HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)
## with
# HOOKS=(base udev autodetect keyboard keymap modconf block lvm2 encrypt filesystems fsck)
## Order matters: keyboard and keymap come before encrypt so the passphrase can be
## typed at boot, and lvm2 comes before encrypt because the LUKS container sits
## inside a logical volume.
## NOTE(review): no step in this walkthrough creates /etc/vconsole.conf; without a
## KEYMAP= entry there, the boot-time passphrase prompt presumably uses the default
## US layout — confirm, especially if the passphrase was set under another layout.
# regenerate the initramfs images for the linux preset
mkinitcpio -p linux
# set the password of the root user
passwd
# create a normal user and set the password
# ("user" is presumably a placeholder login name; -m creates the home directory,
# -G adds the supplementary groups, -s sets the login shell)
useradd -m -G wheel,storage,power -s /bin/bash user
passwd user
# allow the wheel group to run sudo
# (visudo validates the sudoers syntax before saving the file)
EDITOR=vim visudo
## replace
# #%wheel ALL=(ALL) ALL
## with
# %wheel ALL=(ALL) ALL
## Every member of wheel can then run any command as root after entering their
## own password, so keep membership of that group small.
# install GRUB on UEFI
pacman -S grub efibootmgr
# mount the EFI system partition at /boot/efi
# NOTE(review): this mount happens after genfstab was run, so /boot/efi gets no
# /etc/fstab entry; mount it by hand before any later grub-install, or add the entry
mkdir /boot/efi
mount /dev/sda1 /boot/efi
grub-install --target=x86_64-efi --bootloader-id=GRUB --efi-directory=/boot/efi
# configure the boot loader
vim /etc/default/grub
## replace
# #GRUB_ENABLE_CRYPTODISK=y
## with
# GRUB_ENABLE_CRYPTODISK=y
## NOTE(review): this option lets GRUB itself read encrypted disks; /boot is a plain
## ext4 partition in this layout, so it is probably not required — confirm
## Add to the GRUB_CMDLINE_LINUX_DEFAULT line:
# cryptdevice=/dev/volgroup1/lv_root:root root=/dev/mapper/root
## (cryptdevice=<device>:<name> tells the encrypt hook which volume to unlock and
## the mapper name to give it; root= then points at the unlocked mapping)
# create the GRUB config file
grub-mkconfig -o /boot/grub/grub.cfg
# create the swap file
# it lives on the encrypted root filesystem, so swapped-out memory is encrypted at rest too
fallocate -l 2G /swapfile
# restrict the file to root before it is initialised as swap
chmod 600 /swapfile
mkswap /swapfile
# append the swap entry to /etc/fstab; without -a tee would overwrite the file
echo '/swapfile none swap sw 0 0' | tee -a /etc/fstab # don't forget the '-a'
# install gnome (you might want something different)
pacman -S gdm
systemctl enable gdm
pacman -S gnome gnome-extra gnome-terminal nautilus gnome-tweaks gnome-control-center gnome-backgrounds arc-gtk-theme
# install firefox (why not?)
pacman -S firefox
# install CPU microcode updates: run only the line that matches your CPU vendor
pacman -S amd-ucode # ONLY for AMD
pacman -S intel-ucode # ONLY for INTEL
# regenerate the GRUB config after installing the microcode package
grub-mkconfig -o /boot/grub/grub.cfg # for both
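# leave the chroot and return to the installation environment
exit
# unmount everything below /mnt (the original line said /mtn, which does not exist)
# a "target is busy" error means something still uses the mount; check what it is
# rather than ignoring it
umount -R /mnt
# reboot
reboot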
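# after the first boot...
# (run these as root: they write under /etc and format a disk)
# create the key directory, accessible to root only
mkdir -m 700 /etc/luks-keys
# create the key: 256 random bytes
dd if=/dev/random of=/etc/luks-keys/extra bs=1 count=256
# dd creates the file with the default umask; restrict it to root, read-only,
# instead of relying on the directory mode alone
chmod 400 /etc/luks-keys/extra
# NOTE: the key file is stored on the encrypted root filesystem, so /extra is only
# as well protected as the root passphrase. If the key file is lost (for example
# the SSD fails), the data on /extra cannot be recovered — consider adding a backup
# passphrase to a second key slot with `cryptsetup luksAddKey`.
# set up LVM on the second disk
pvcreate /dev/sdb1
vgcreate volgroup2 /dev/sdb1
lvcreate -l 100%FREE -n lv_extra volgroup2
# set up LUKS on the second disk, using the key file instead of a passphrase
# (-s 512 sets the key size in bits, -v enables verbose output)
cryptsetup luksFormat -v -s 512 /dev/volgroup2/lv_extra /etc/luks-keys/extra
# unlock it with the key file (-d); it becomes available as /dev/mapper/extra
cryptsetup -d /etc/luks-keys/extra open --type luks /dev/volgroup2/lv_extra extra
# format the second disk
mkfs.ext4 /dev/mapper/extra
# mount the second disk in the /extra directory
mkdir /extra
mount /dev/mapper/extra /extra
# set up crypttab so that arch knows how to decrypt it
vim /etc/crypttab
## add this line at the end (fields: mapper name, encrypted device, key file)
# extra /dev/volgroup2/lv_extra /etc/luks-keys/extra
# set up fstab so that arch knows how to mount it
vim /etc/fstab
## add this line at the end
# /dev/mapper/extra /extra ext4 defaults 0 2
# reboot and enjoy
reboot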