robertbeal/install.sh

## install.sh
#!/bin/bash
# Command for setting up a fully disk encrypted (including /boot) install with EFI partition with crypto_keyfile.bin (so the passphrase only needs to be entered once)
# Not yet automated, I still need to 'sed' some of the comment entries.

USER=foo
HOSTNAME=foo-linux

# Connect to wifi...
wifi-menu

# Create partitions
cgdisk /dev/sda
# 1 100MB EFI partition # Hex code = ef00
# 2 100% / partition    # Hex code = 8300

# Format the EFI partition
mkfs.vfat -F32 /dev/sda1

# Create the encrypted partition
cryptsetup --verify-passphrase luksFormat /dev/sda2 -c aes-xts-plain64 -s 512 -h sha512
cryptsetup luksOpen /dev/sda2 arch

# Encryption key (so passphrase isn't prompted twice)
dd if=/dev/urandom of=/crypto_keyfile.bin bs=1024 count=4
chmod 000 /crypto-key.bin
cryptsetup luksAddKey /dev/sda2 /crypto-key.bin

# Logical volumes inside the encrypted partition
pvcreate /dev/mapper/arch
vgcreate vg0 /dev/mapper/arch
lvcreate --size 8G vg0 --name swap
lvcreate -l +100%FREE vg0 --name root

# Create filesystems on encrypted partitions
mkfs.ext4 /dev/mapper/vg0-root
mkswap /dev/mapper/vg0-swap

# Mount the new system
mount /dev/mapper/vg0-root /mnt
swapon /dev/mapper/vg0-swap
mkdir -p /mnt/boot/efi
mount /dev/sda1 /mnt/boot/efi

# Install the base system
pacstrap /mnt base base-devel bash dialog efibootmgr gnome-terminal grub-efi-x86_64 sudo vim wpa_supplicant
# install graphics drivers
pacstrap /mnt xorg-server mesa xf86-video-fbdev

# Generate fstab
genfstab -pU /mnt >> /mnt/etc/fstab
# Change relatime on all non-boot partitions to noatime (to reduces wear if using an SSD)

# Enter the new system
arch-chroot /mnt /bin/bash

# Login
pacman -S lightdm lightdm-gtk-greeter
systemctl enable lightdm

# Desktop
pacman -S cinnamon nemo-fileroller nemo-preview

# NetworkManager
pacman -S networkmanager gnome-keyring
systemctl enable NetworkManager

# Sytem clock
ln -sf /usr/share/zoneinfo/Europe/London /etc/localtime
hwclock --systohc --utc

# Hostname
echo $HOSTNAME > /etc/hostname

# Locale
vim /etc/locale.gen # uncomment any locales needed, ie en_GB.UTF-8
locale-gen
echo LANG=en_GB.UTF-8 > /etc/locale.conf

# Users
useradd --create-home --user-group --group wheel $USER && passwd $USER

# Allow wheel groups in sudoers
sed -i '/%wheel ALL=(ALL) ALL/s/^#//' /etc/sudoers

# Disable root
passwd -l root

# Configure mkinitcpio with modules needed for the initrd image
vim /etc/mkinitcpio.conf
## Add 'keyboard keymap' to HOOKS before block
## Add 'encrypt' and 'lvm2' to HOOKS before filesystems
sed -i 's\^FILES=.*\FILES="/crypto_keyfile.bin"\g' /etc/mkinitcpio.conf
mkinitcpio -p linux

# Grub
vim /etc/default/grub
## GRUB_HIDDEN_TIMEOUT=5
## GRUB_HIDDEN_TIMEOUT_QUIET=true
## GRUB_ENABLE_CRYPTODISK=y
## GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda2:arch root:/dev/mapper/vg0-root"
grub-mkconfig -o /boot/grub/grub.cfg
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub

# Clean up and reboot
exit
umount -R /mnt
swapoff -a
reboot
	#!/bin/bash
	# Command for setting up a fully disk encrypted (including /boot) install with EFI partition with crypto_keyfile.bin (so the passphrase only needs to be entered once)
	# Not yet automated, I still need to 'sed' some of the comment entries.

	USER=foo
	HOSTNAME=foo-linux

	# Connect to wifi...
	wifi-menu

	# Create partitions
	cgdisk /dev/sda
	# 1 100MB EFI partition # Hex code = ef00
	# 2 100% / partition # Hex code = 8300

	# Format the EFI partition
	mkfs.vfat -F32 /dev/sda1

	# Create the encrypted partition
	cryptsetup --verify-passphrase luksFormat /dev/sda2 -c aes-xts-plain64 -s 512 -h sha512
	cryptsetup luksOpen /dev/sda2 arch

	# Encryption key (so passphrase isn't prompted twice)
	dd if=/dev/urandom of=/crypto_keyfile.bin bs=1024 count=4
	chmod 000 /crypto-key.bin
	cryptsetup luksAddKey /dev/sda2 /crypto-key.bin

	# Logical volumes inside the encrypted partition
	pvcreate /dev/mapper/arch
	vgcreate vg0 /dev/mapper/arch
	lvcreate --size 8G vg0 --name swap
	lvcreate -l +100%FREE vg0 --name root

	# Create filesystems on encrypted partitions
	mkfs.ext4 /dev/mapper/vg0-root
	mkswap /dev/mapper/vg0-swap

	# Mount the new system
	mount /dev/mapper/vg0-root /mnt
	swapon /dev/mapper/vg0-swap
	mkdir -p /mnt/boot/efi
	mount /dev/sda1 /mnt/boot/efi

	# Install the base system
	pacstrap /mnt base base-devel bash dialog efibootmgr gnome-terminal grub-efi-x86_64 sudo vim wpa_supplicant
	# install graphics drivers
	pacstrap /mnt xorg-server mesa xf86-video-fbdev

	# Generate fstab
	genfstab -pU /mnt >> /mnt/etc/fstab
	# Change relatime on all non-boot partitions to noatime (to reduces wear if using an SSD)

	# Enter the new system
	arch-chroot /mnt /bin/bash

	# Login
	pacman -S lightdm lightdm-gtk-greeter
	systemctl enable lightdm

	# Desktop
	pacman -S cinnamon nemo-fileroller nemo-preview

	# NetworkManager
	pacman -S networkmanager gnome-keyring
	systemctl enable NetworkManager

	# Sytem clock
	ln -sf /usr/share/zoneinfo/Europe/London /etc/localtime
	hwclock --systohc --utc

	# Hostname
	echo $HOSTNAME > /etc/hostname

	# Locale
	vim /etc/locale.gen # uncomment any locales needed, ie en_GB.UTF-8
	locale-gen
	echo LANG=en_GB.UTF-8 > /etc/locale.conf

	# Users
	useradd --create-home --user-group --group wheel $USER && passwd $USER

	# Allow wheel groups in sudoers
	sed -i '/%wheel ALL=(ALL) ALL/s/^#//' /etc/sudoers

	# Disable root
	passwd -l root

	# Configure mkinitcpio with modules needed for the initrd image
	vim /etc/mkinitcpio.conf
	## Add 'keyboard keymap' to HOOKS before block
	## Add 'encrypt' and 'lvm2' to HOOKS before filesystems
	sed -i 's\^FILES=.*\FILES="/crypto_keyfile.bin"\g' /etc/mkinitcpio.conf
	mkinitcpio -p linux

	# Grub
	vim /etc/default/grub
	## GRUB_HIDDEN_TIMEOUT=5
	## GRUB_HIDDEN_TIMEOUT_QUIET=true
	## GRUB_ENABLE_CRYPTODISK=y
	## GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda2:arch root:/dev/mapper/vg0-root"
	grub-mkconfig -o /boot/grub/grub.cfg
	grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub

	# Clean up and reboot
	exit
	umount -R /mnt
	swapoff -a
	reboot