Skip to content

Instantly share code, notes, and snippets.

@tjcim
Last active August 22, 2020 17:57
Show Gist options
  • Save tjcim/f275d5d85e6c5dda875032a732f164ca to your computer and use it in GitHub Desktop.
Save tjcim/f275d5d85e6c5dda875032a732f164ca to your computer and use it in GitHub Desktop.
2020 Archlinux on Intel NUC10i7 - 2 Harddrives - UEFI/GPT - LVM on LUKS
###########################################
We will use GPT and grub as the bootloader.
# First Hard drive (nvme0n1)
The ESP will reside in the first partition mounted to /efi.
The kernel and initramfs will be the second partition and will be mounted to /boot
The third partition on nvme0n1 will be encrypted with Luks with a password.
The encrypted partition on the first drive will always require a password to be manually entered on boot.
# Second Hard drive (sda)
The second harddrive will have one partition.
The partition on the second harddrive will be encrypted with Luks and be decrypted by password or a file.
Decryption with both password and file allows us to access it manually (if needed) and the system to decrypt automatically during boot.
# LVM
LVM will go on the two encrypted partitions.
LVM will have two logical partitions and swap:
* swap - 32GB - Filesystem: swap
* /root - /dev/nvme0n1p3 - Filesystem: ext4
* /home - /dev/sda1 - Filesystem: ext4
#############################################
# Download and verify iso
gpg --homedir=/etc/pacman.d/gnupg --verify ~/Downloads/archlinux-2020.08.01-x86_64.iso.sig
# Burn iso to USB - Make sure you have the right drive by running `lsblk`
sudo dd bs=4M if=/home/trevor/Downloads/archlinux-2020.08.01-x86_64.iso of=/dev/sdb status=progress oflag=sync
# Update bios
# Turn off secure boot in bios
# Boot usb image
# Check we are booting into UEFI Mode - if this shows no errors we are in UEFI Mode
ls /sys/firmware/efi/efivars
# Set root passwd (this is a temp password used for install only)
passwd
# Ensure time is correct
timedatectl set-ntp true
# Start ssh to connect using another computer
systemctl start sshd.service
# Get IP address
ip addr
# Log into computer from another machine using root user
ssh root@<ip address>
# This gist is designed to work with two harddrives
# /dev/nvme0n1 is for root
# /dev/sda will be used for home
gdisk /dev/nvme0n1
# Create partitions on primary drive:
o<enter> Y<enter> # Create a new GPT
# This system will create 3 partitions on nvme0n1:
# /efi will hold the ESP
# /boot will hold the kernel and initramfs
# LVM partition will be encrypted
n<enter> 1<enter> <enter> +300M<enter> EF00<enter> # Partition 1 = 300 MiB EFI partition # Hex code EF00
n<enter> 2<enter> <enter> +300M<enter> 8300<enter> # Partition 2 = 300 MiB Boot partition # Hex code 8300
n<enter> 3<enter> <enter> <enter> <enter> # Partition 3 = Rest of drive # Hex code 8300.
# Review partitions
p<enter>
# Write gdisk changes
w<enter>
# Create partition on second disk
gdisk /dev/sda
o<enter> Y<enter>
n<enter> 1<enter> <enter> <enter> <enter> # Partition 1 = All of the drive # Hex code 8300
# Review partitions
p<enter>
# Write gdisk changes
w<enter>
# Create filesystems for /efi and /boot
mkfs.vfat -F 32 /dev/nvme0n1p1
mkfs.ext2 /dev/nvme0n1p2
# Encrypt system partition on first harddrive with password
cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random luksFormat /dev/nvme0n1p3
# Encrypt second harddrive with password
cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random luksFormat /dev/sda1
# Create file to use as a key to open second harddrive
dd if=/dev/urandom of=/keyfile.bin bs=1024 count=20
# Add file as key to open second harddrive - later we will copy this to the root partition
cryptsetup luksAddKey /dev/sda1 /keyfile.bin
# Open first harddrive with password
cryptsetup luksOpen /dev/nvme0n1p3 cryptroot
# Open second harddrive with keyfile
cryptsetup --key-file /keyfile.bin luksOpen /dev/sda1 crypthome
# Create encrypted LVM partitions
pvcreate /dev/mapper/cryptroot
pvcreate /dev/mapper/crypthome
vgcreate Arch /dev/mapper/cryptroot
vgcreate ArchHome /dev/mapper/crypthome
# I use a larger swap for virtual machines,
# I seem to run into trouble without it. If you don't need a large
# swap set this to something reasonable for you.
lvcreate -L +32G Arch -n swap
lvcreate -l +100%FREE Arch -n root
lvcreate -l +100%FREE ArchHome -n home
# Create filesystems on your encrypted partitions. I will be using ext4
mkswap /dev/mapper/Arch-swap
mkfs.ext4 /dev/mapper/Arch-root
mkfs.ext4 /dev/mapper/ArchHome-home
# Mount the new system
mount /dev/mapper/Arch-root /mnt
swapon /dev/mapper/Arch-swap
mkdir /mnt/boot
mount /dev/nvme0n1p2 /mnt/boot
mkdir /mnt/efi
mount /dev/nvme0n1p1 /mnt/efi
mkdir /mnt/home
mount /dev/mapper/ArchHome-home /mnt/home
# Check pacman.d mirrolist and comment out any that you do not want to use
vim /etc/pacman.d/mirrorlist
# Copy keyfile to new drive and set permissions
cp /keyfile.bin /mnt/keyfile.bin
chmod 000 /mnt/keyfile.bin
# Install your base Arch system along with a couple of utilities
pacstrap /mnt base base-devel linux mkinitcpio grub-efi-x86_64 efibootmgr dialog vim lvm2
# Create and review FSTAB
genfstab -U /mnt >> /mnt/etc/fstab # The -U option pulls in all the correct UUIDs for your mounted filesystems.
sed -i 's/noatime/relatime/g' /mnt/etc/fstab # Swap noatime with relatime
# Edit crypttab
HOMEUUID=$(blkid /dev/sda1 | awk '{print $2}' | cut -d '"' -f2)
echo "crypt_hdd UUID=$HOMEUUID /keyfile.bin luks" >> /mnt/etc/crypttab
# Copy edited pacman.d to new drive
cp /etc/pacman.d/mirrorlist /mnt/etc/pacman.d/mirrorlist
# Enter the new system
arch-chroot /mnt /bin/bash
# Set locale
echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf
export LANG=en_US.UTF-8
# Set clock
unlink /etc/localtime
ln -s /usr/share/zoneinfo/US/Mountain /etc/localtime
hwclock --systohc --utc
# Assign your hostname
echo "eth1" > /etc/hostname
# Add entries to /etc/hosts
127.0.0.1 localhost
::1 localhost
127.0.1.1 eth1.localdomain eth1
# Install dhcpcd (a dhcp client)
pacman -Sy dhcpcd
# Enable dhcpcd
systemctl enable dhcpcd.service
# Set root password
passwd
# Create user
useradd -m -G wheel -s /bin/bash trevor
passwd trevor
# Configure mkinitcpio with the correct HOOKS required for your initrd image
sed -i 's/^HOOKS=.*/HOOKS="base udev autodetect modconf block keyboard encrypt lvm2 resume filesystems fsck"/' /etc/mkinitcpio.conf
mkinitcpio -p linux
# Install and configure Grub-EFI
grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=ArchLinux
ROOTUUID=$(blkid /dev/nvme0n1p3 | awk '{print $2}' | cut -d '"' -f2)
sed -i "s/^GRUB_CMDLINE_LINUX=.*/GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=$ROOTUUID:cryptroot:allow-discards root=\/dev\/mapper\/Arch-root resume=\/dev\/mapper\/Arch-swap\"/" /etc/default/grub
# Generate Your Final Grub Configuration:
grub-mkconfig -o /boot/grub/grub.cfg
# Let users in wheel group run any command
visudo # Uncomment line: '%wheel ALL=(ALL) ALL'
# Exit Your New Arch System
exit
# Unmount all partitions
umount -R /mnt
swapoff -a
# Reboot
reboot
# The rest is to enable the provisioning of archlinux using another machine with ansible:
# Login locally to the machine and install openssh
sudo pacman -S openssh python
# On this build I had to edit /etc/dhcpcd.conf so that the computer sends the hostname to the DHCP server.
sudo vim /etc/dhcpcd.conf
sudo systemctl restart dhcpcd
# Start the SSH server
sudo systemctl start sshd.service
------------------
# The rest I do from the ansible provisioning box
# Copy your ssh key to the new machine
ssh-copy-id <user>@<ip address>
# Ensure you can now do passwordless ssh
ssh <user>@<ip address> "uname -r"
-------------------
# While logged into the new machine via ssh
# Create an ssh key
mkdir ~/.ssh
ssh-keygen -t ed25519 -C "$(whoami)@$(hostname)-$(date -I)" -f ~/.ssh/id_ed25519
# Generate an ssh key to be used to download dotfiles from github
ssh-keygen -t ed25519 -C "$(whoami)@$(hostname)-$(date -I)" -f ~/.ssh/github
cat ~/.ssh/github.pub # Copy to github ssh keys
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment