Last active
December 12, 2021 22:38
-
-
Save pkulak/93270e06ebed35ddc51f4c64bcc3b9b6 to your computer and use it in GitHub Desktop.
My Arch Encrypted, BTRFS with Snapper Install Notes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This is mostly here for my reference. If someone on the internet finds this, I hope it's | |
| # helpful, but don't trust it! I'm pretty new at this, which is why I have to keep exhaustive | |
| # notes like this. The corollary then, is that if you're a pro at this, and notice something | |
| # dumb I'm doing, please let me know. | |
| # | |
| # The idea here is to end up with an ecrypted BTRFS filesystem running Snapper in a way that | |
| # makes rollbacks super easy. I tried to keep things simple, so the swap is a file, not a | |
| # partition (that would have to be encryped separately). The subvolume layout is totally flat, | |
| # to make rollbacks a simple matter of moving the volumes around. When this is all done, a | |
| # simple ls of either .snapshots directory will show you your live filesystem right alongside | |
| # every snapshot. | |
| curl -L tinyurl.com/arch-btrfs > notes.sh | |
| # Get internet any way you can: | |
| # https://wiki.archlinux.org/index.php/Iwd | |
| # https://wiki.archlinux.org/index.php/Systemd-resolved | |
| # | |
| # and maybe this, if you need to manage multiple interfaces: | |
| # https://wiki.archlinux.org/index.php/systemd-networkd | |
| timedatectl set-ntp true | |
| # Figure out what you're working with | |
| lsblk | |
| # Format with a single EFI boot partion, and the rest BTRFS | |
| fdisk /dev/vda | |
| # g | |
| # n <enter> <enter> +500M t 1 | |
| # n <enter> <enter> <enter> | |
| # w | |
| # Make sure your didn't screw up (too late now, though) | |
| lsblk | |
| # After this, you'll have a new view of your partion that | |
| # encrypts on the way in, and decrypts on the way out. So | |
| # make sure you never mount the raw partion again! | |
| cryptsetup -y -v luksFormat /dev/vda2 | |
| cryptsetup open /dev/vda2 cryptroot | |
| mkfs.fat -F32 /dev/vda1 | |
| mkfs.btrfs /dev/mapper/cryptroot | |
| # Notice we mount the "view", not the actual partition | |
| mount /dev/mapper/cryptroot /mnt | |
| btrfs su cr /mnt/@hometop | |
| btrfs su cr /mnt/@roottop | |
| btrfs su cr /mnt/@vlogtop | |
| btrfs su cr /mnt/@vcchtop | |
| mkdir /mnt/@hometop/live | |
| mkdir /mnt/@roottop/live | |
| btrfs su cr /mnt/@hometop/live/snapshot | |
| btrfs su cr /mnt/@roottop/live/snapshot | |
| umount /mnt | |
| # Now mount everything in. Bit brain-hurting, but it makes sense if you stare long enough. | |
| mount -o noatime,compress-force=zstd,autodefrag,subvol=@roottop/live/snapshot /dev/mapper/cryptroot /mnt | |
| mkdir -p /mnt/{boot,home,var/log,var/cache,.snapshots} | |
| mount -o noatime,compress-force=zstd,autodefrag,subvol=@hometop/live/snapshot /dev/mapper/cryptroot /mnt/home | |
| mount -o noatime,compress-force=zstd,autodefrag,subvol=@roottop /dev/mapper/cryptroot /mnt/.snapshots | |
| mkdir -p /mnt/home/.snapshots | |
| mount -o noatime,compress-force=zstd,autodefrag,subvol=@hometop /dev/mapper/cryptroot /mnt/home/.snapshots | |
| mount -o noatime,compress-force=zstd,autodefrag,subvol=@vlogtop /dev/mapper/cryptroot /mnt/var/log | |
| mount -o noatime,subvol=@vcchtop /dev/mapper/cryptroot /mnt/var/cache | |
| # make the swapfile | |
| cd /mnt/var/cache | |
| truncate -s 0 swapfile | |
| chattr +C swapfile | |
| btrfs property set swapfile compression none | |
| dd if=/dev/zero of=swapfile bs=1M count=2048 status=progress | |
| chmod 600 swapfile | |
| mkswap swapfile | |
| swapon swapfile | |
| cd / | |
| mount /dev/vda1 /mnt/boot | |
| pacstrap /mnt base base-devel linux-zen linux-zen-headers linux-firmware amd-ucode neovim iwd | |
| genfstab -U /mnt >> /mnt/etc/fstab | |
| # Get rid of the subvol ids and dupe paths. You don't need to, since it seems | |
| # like if there's a path and a subvod id, and they are in conflict, btrfs will | |
| # go with the path, but why tempt fate when we roll back and the ids change? | |
| vim /mnt/etc/fstab | |
| arch-chroot /mnt | |
| ln -s /usr/share/zoneinfo/US/Pacific /etc/localtime | |
| hwclock --systohc | |
| vim /etc/locale.gen | |
| locale-gen | |
| echo "LANG=en_US.UTF-8" >> /etc/locale.conf | |
| echo "fry" >> /etc/hostname | |
| vim /etc/hosts | |
| # 127.0.0.1 localhost | |
| # ::1 localhost | |
| # 127.0.1.1 fry.localdomain fry | |
| passwd | |
| pacman -S grub efibootmgr os-prober mtools dosfstools | |
| grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB | |
| useradd -mG wheel phil | |
| passwd phil | |
| visudo | |
| vim /etc/mkinitcpio.conf # add "keyboard" after "autodetect" and "encrypt" after "block" in "HOOKS" | |
| mkinitcpio -p linux-zen | |
| vim /etc/default/grub | |
| # GRUB_ENABLE_CRYPTODISK=y | |
| # add to GRUB_CMDLINE_LINUX_DEFAULT: "cryptdevice=/dev/vda2:cryptroot:allow-discards root=/dev/mapper/cryptroot" | |
| # (allow-discards is for SSDs) | |
| grub-mkconfig -o /boot/grub/grub.cfg | |
| exit | |
| umount -a | |
| reboot # and pray | |
| # Post Arch Install | |
| sudo su | |
| systemctl enable systemd-resolvd | |
| systemctl start systemd-resolvd | |
| ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf | |
| vim /etc/iwd/main.conf | |
| # [General] | |
| # EnableNetworkConfiguration=true | |
| # | |
| # [Network] | |
| # EnableIPv6=true | |
| # NameResolvingService=systemd | |
| systemctl enable iwd | |
| systemctl start iwd | |
| # No one ever tells you to do this, and then your clock is off by | |
| # 20 minutes in a couple weeks. | |
| timedatectl set-ntp on | |
| pacman -S snapper | |
| cd /etc/snapper/config-templates/ | |
| cp default ../configs/root | |
| cp default ../configs/home # edit both | |
| vim /etc/conf.d/snapper # spaces, not commas | |
| systemctl start snapper-timeline.timer | |
| systemctl enable snapper-timeline.timer | |
| systemctl start snapper-cleanup.timer | |
| systemctl enable snapper-cleanup.timer | |
| pacman -S snap-pac | |
| # Enable and start paccache.timer to discard unused packages weekly. | |
| exit | |
| # All my goodies | |
| pacman -S sway swayidle alacritty cage waybar xorg-server-xwayland wl-clipboard fish pipewire pipewire-pulse xdg-desktop-portal-wlr git otf-font-awesome noto-fonts noto-fonts-cjk noto-fonts-emoji noto-fonts-extra playerctl pavucontrol mesa libva-mesa-driver xf86-video-amdgpu vulkan-radeon rsync zathura zathura-pdf-mupdf imv mpv youtube-dl firefox libnotify ttf-ubuntu-font-family element-desktop qt5-wayland mako grim slurp papirus-icon-theme python-cssselect python-requests python-lxml python-pip fuse fzf sshfs gocryptfs jdk11-openjdk pacman-contrib htop wf-recorder mlocate | |
| git clone https://aur.archlinux.org/paru.git | |
| cd paru | |
| makepkg -si | |
| paru -S ulauncher redshift-wayland-git spotify ant-dracula-gtk-theme lf dragon-drag-and-drop z.lua neovim-symlinks autotiling-git | |
| # Fix Firefox Insane Scroll Speed | |
| mousewheel.default.delta_multiplier_y = 25 |
Oh man, sorry I missed you first comment months ago. Didn't even notice it for some reason. Glad this worked out for you!
I actually took this to even the next level and turned it into a fully-automated install script, if you ever have to do it again:
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I've been trying to figure out how to get snapper working with grub-btrfs for a while now. Was unable to run snapper in the installer, ran into issues with .snapshots being under root, and grub-btrfs.path issues too. Your method works flawlessly, thanks!