tjcim/gist:f275d5d85e6c5dda875032a732f164ca

## gistfile1.txt
###########################################
We will use GPT and grub as the bootloader.

# First Hard drive (nvme0n1)
The ESP will reside in the first partition mounted to /efi.
The kernel and initramfs will be the second partition and will be mounted to /boot
The third partition on nvme0n1 will be encrypted with Luks with a password.
The encrypted partition on the first drive will always require a password to be manually entered on boot.

# Second Hard drive (sda)
The second harddrive will have one partition.
The partition on the second harddrive will be encrypted with Luks and be decrypted by password or a file.
Decryption with both password and file allows us to access it manually (if needed) and the system to decrypt automatically during boot.

# LVM
LVM will go on the two encrypted partitions.
LVM will have two logical partitions and swap:

  * swap - 32GB - Filesystem: swap
  * /root - /dev/nvme0n1p3 - Filesystem: ext4
  * /home - /dev/sda1 - Filesystem: ext4

#############################################

# Download and verify iso
gpg --homedir=/etc/pacman.d/gnupg --verify ~/Downloads/archlinux-2020.08.01-x86_64.iso.sig

# Burn iso to USB - Make sure you have the right drive by running `lsblk`
sudo dd bs=4M if=/home/trevor/Downloads/archlinux-2020.08.01-x86_64.iso of=/dev/sdb status=progress oflag=sync

# Update bios
# Turn off secure boot in bios
# Boot usb image

# Check we are booting into UEFI Mode - if this shows no errors we are in UEFI Mode
ls /sys/firmware/efi/efivars

# Set root passwd (this is a temp password used for install only)
passwd

# Ensure time is correct
timedatectl set-ntp true

# Start ssh to connect using another computer
systemctl start sshd.service

# Get IP address
ip addr

# Log into computer from another machine using root user
ssh root@<ip address>

# This gist is designed to work with two harddrives
  # /dev/nvme0n1 is for root
  # /dev/sda will be used for home
gdisk /dev/nvme0n1

# Create partitions on primary drive:
o<enter> Y<enter> # Create a new GPT

# This system will create 3 partitions on nvme0n1:
  # /efi will hold the ESP
  # /boot will hold the kernel and initramfs
  # LVM partition will be encrypted
n<enter> 1<enter> <enter> +300M<enter> EF00<enter> # Partition 1 = 300 MiB EFI partition # Hex code EF00
n<enter> 2<enter> <enter> +300M<enter> 8300<enter> # Partition 2 = 300 MiB Boot partition # Hex code 8300
n<enter> 3<enter> <enter> <enter> <enter> # Partition 3 = Rest of drive # Hex code 8300.

# Review partitions
p<enter>

# Write gdisk changes
w<enter>

# Create partition on second disk
gdisk /dev/sda
o<enter> Y<enter>

n<enter> 1<enter> <enter> <enter> <enter> # Partition 1 = All of the drive # Hex code 8300

# Review partitions
p<enter>

# Write gdisk changes
w<enter>

# Create filesystems for /efi and /boot
mkfs.vfat -F 32 /dev/nvme0n1p1
mkfs.ext2 /dev/nvme0n1p2

# Encrypt system partition on first harddrive with password
cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random luksFormat /dev/nvme0n1p3

# Encrypt second harddrive with password
cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random luksFormat /dev/sda1

# Create file to use as a key to open second harddrive
dd if=/dev/urandom of=/keyfile.bin bs=1024 count=20

# Add file as key to open second harddrive - later we will copy this to the root partition
cryptsetup luksAddKey /dev/sda1 /keyfile.bin

# Open first harddrive with password
cryptsetup luksOpen /dev/nvme0n1p3 cryptroot

# Open second harddrive with keyfile
cryptsetup --key-file /keyfile.bin luksOpen /dev/sda1 crypthome

# Create encrypted LVM partitions
pvcreate /dev/mapper/cryptroot
pvcreate /dev/mapper/crypthome
vgcreate Arch /dev/mapper/cryptroot
vgcreate ArchHome /dev/mapper/crypthome
# I use a larger swap for virtual machines,
# I seem to run into trouble without it. If you don't need a large
# swap set this to something reasonable for you.
lvcreate -L +32G Arch -n swap
lvcreate -l +100%FREE Arch -n root
lvcreate -l +100%FREE ArchHome -n home

# Create filesystems on your encrypted partitions. I will be using ext4
mkswap /dev/mapper/Arch-swap
mkfs.ext4 /dev/mapper/Arch-root
mkfs.ext4 /dev/mapper/ArchHome-home

# Mount the new system
mount /dev/mapper/Arch-root /mnt
swapon /dev/mapper/Arch-swap
mkdir /mnt/boot
mount /dev/nvme0n1p2 /mnt/boot
mkdir /mnt/efi
mount /dev/nvme0n1p1 /mnt/efi
mkdir /mnt/home
mount /dev/mapper/ArchHome-home /mnt/home

# Check pacman.d mirrolist and comment out any that you do not want to use
vim /etc/pacman.d/mirrorlist

# Copy keyfile to new drive and set permissions
cp /keyfile.bin /mnt/keyfile.bin
chmod 000 /mnt/keyfile.bin

# Install your base Arch system along with a couple of utilities
pacstrap /mnt base base-devel linux mkinitcpio grub-efi-x86_64 efibootmgr dialog vim lvm2

# Create and review FSTAB
genfstab -U /mnt >> /mnt/etc/fstab  # The -U option pulls in all the correct UUIDs for your mounted filesystems.
sed -i 's/noatime/relatime/g' /mnt/etc/fstab  # Swap noatime with relatime

# Edit crypttab
HOMEUUID=$(blkid /dev/sda1 | awk '{print $2}' | cut -d '"' -f2)
echo "crypt_hdd UUID=$HOMEUUID /keyfile.bin luks" >> /mnt/etc/crypttab

# Copy edited pacman.d to new drive
cp /etc/pacman.d/mirrorlist /mnt/etc/pacman.d/mirrorlist

# Enter the new system
arch-chroot /mnt /bin/bash

# Set locale
echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf
export LANG=en_US.UTF-8

# Set clock
unlink /etc/localtime
ln -s /usr/share/zoneinfo/US/Mountain /etc/localtime
hwclock --systohc --utc

# Assign your hostname
echo "eth1" > /etc/hostname

# Add entries to /etc/hosts
127.0.0.1	localhost
::1		localhost
127.0.1.1	eth1.localdomain	eth1

# Install dhcpcd (a dhcp client)
pacman -Sy dhcpcd

# Enable dhcpcd
systemctl enable dhcpcd.service

# Set root password
passwd

# Create user
useradd -m -G wheel -s /bin/bash trevor
passwd trevor

# Configure mkinitcpio with the correct HOOKS required for your initrd image
sed -i 's/^HOOKS=.*/HOOKS="base udev autodetect modconf block keyboard encrypt lvm2 resume filesystems fsck"/' /etc/mkinitcpio.conf
mkinitcpio -p linux

# Install and configure Grub-EFI
grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=ArchLinux
ROOTUUID=$(blkid /dev/nvme0n1p3 | awk '{print $2}' | cut -d '"' -f2)
sed -i "s/^GRUB_CMDLINE_LINUX=.*/GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=$ROOTUUID:cryptroot:allow-discards root=\/dev\/mapper\/Arch-root resume=\/dev\/mapper\/Arch-swap\"/" /etc/default/grub

# Generate Your Final Grub Configuration:
grub-mkconfig -o /boot/grub/grub.cfg

# Let users in wheel group run any command
visudo # Uncomment line: '%wheel ALL=(ALL) ALL'

# Exit Your New Arch System
exit

# Unmount all partitions
umount -R /mnt
swapoff -a

# Reboot
reboot

# The rest is to enable the provisioning of archlinux using another machine with ansible:

# Login locally to the machine and install openssh
sudo pacman -S openssh python

# On this build I had to edit /etc/dhcpcd.conf so that the computer sends the hostname to the DHCP server.
sudo vim /etc/dhcpcd.conf
sudo systemctl restart dhcpcd

# Start the SSH server
sudo systemctl start sshd.service

------------------

# The rest I do from the ansible provisioning box

# Copy your ssh key to the new machine
ssh-copy-id <user>@<ip address>

# Ensure you can now do passwordless ssh
ssh <user>@<ip address> "uname -r"

-------------------
# While logged into the new machine via ssh

# Create an ssh key
mkdir ~/.ssh
ssh-keygen -t ed25519 -C "$(whoami)@$(hostname)-$(date -I)" -f ~/.ssh/id_ed25519

# Generate an ssh key to be used to download dotfiles from github
ssh-keygen -t ed25519 -C "$(whoami)@$(hostname)-$(date -I)" -f ~/.ssh/github
cat ~/.ssh/github.pub # Copy to github ssh keys
	###########################################
	We will use GPT and grub as the bootloader.

	# First Hard drive (nvme0n1)
	The ESP will reside in the first partition mounted to /efi.
	The kernel and initramfs will be the second partition and will be mounted to /boot
	The third partition on nvme0n1 will be encrypted with Luks with a password.
	The encrypted partition on the first drive will always require a password to be manually entered on boot.

	# Second Hard drive (sda)
	The second harddrive will have one partition.
	The partition on the second harddrive will be encrypted with Luks and be decrypted by password or a file.
	Decryption with both password and file allows us to access it manually (if needed) and the system to decrypt automatically during boot.

	# LVM
	LVM will go on the two encrypted partitions.
	LVM will have two logical partitions and swap:

	* swap - 32GB - Filesystem: swap
	* /root - /dev/nvme0n1p3 - Filesystem: ext4
	* /home - /dev/sda1 - Filesystem: ext4

	#############################################

	# Download and verify iso
	gpg --homedir=/etc/pacman.d/gnupg --verify ~/Downloads/archlinux-2020.08.01-x86_64.iso.sig

	# Burn iso to USB - Make sure you have the right drive by running `lsblk`
	sudo dd bs=4M if=/home/trevor/Downloads/archlinux-2020.08.01-x86_64.iso of=/dev/sdb status=progress oflag=sync

	# Update bios
	# Turn off secure boot in bios
	# Boot usb image

	# Check we are booting into UEFI Mode - if this shows no errors we are in UEFI Mode
	ls /sys/firmware/efi/efivars

	# Set root passwd (this is a temp password used for install only)
	passwd

	# Ensure time is correct
	timedatectl set-ntp true

	# Start ssh to connect using another computer
	systemctl start sshd.service

	# Get IP address
	ip addr

	# Log into computer from another machine using root user
	ssh root@<ip address>

	# This gist is designed to work with two harddrives
	# /dev/nvme0n1 is for root
	# /dev/sda will be used for home
	gdisk /dev/nvme0n1

	# Create partitions on primary drive:
	o<enter> Y<enter> # Create a new GPT

	# This system will create 3 partitions on nvme0n1:
	# /efi will hold the ESP
	# /boot will hold the kernel and initramfs
	# LVM partition will be encrypted
	n<enter> 1<enter> <enter> +300M<enter> EF00<enter> # Partition 1 = 300 MiB EFI partition # Hex code EF00
	n<enter> 2<enter> <enter> +300M<enter> 8300<enter> # Partition 2 = 300 MiB Boot partition # Hex code 8300
	n<enter> 3<enter> <enter> <enter> <enter> # Partition 3 = Rest of drive # Hex code 8300.

	# Review partitions
	p<enter>

	# Write gdisk changes
	w<enter>

	# Create partition on second disk
	gdisk /dev/sda
	o<enter> Y<enter>

	n<enter> 1<enter> <enter> <enter> <enter> # Partition 1 = All of the drive # Hex code 8300

	# Review partitions
	p<enter>

	# Write gdisk changes
	w<enter>

	# Create filesystems for /efi and /boot
	mkfs.vfat -F 32 /dev/nvme0n1p1
	mkfs.ext2 /dev/nvme0n1p2

	# Encrypt system partition on first harddrive with password
	cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random luksFormat /dev/nvme0n1p3

	# Encrypt second harddrive with password
	cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random luksFormat /dev/sda1

	# Create file to use as a key to open second harddrive
	dd if=/dev/urandom of=/keyfile.bin bs=1024 count=20

	# Add file as key to open second harddrive - later we will copy this to the root partition
	cryptsetup luksAddKey /dev/sda1 /keyfile.bin

	# Open first harddrive with password
	cryptsetup luksOpen /dev/nvme0n1p3 cryptroot

	# Open second harddrive with keyfile
	cryptsetup --key-file /keyfile.bin luksOpen /dev/sda1 crypthome

	# Create encrypted LVM partitions
	pvcreate /dev/mapper/cryptroot
	pvcreate /dev/mapper/crypthome
	vgcreate Arch /dev/mapper/cryptroot
	vgcreate ArchHome /dev/mapper/crypthome
	# I use a larger swap for virtual machines,
	# I seem to run into trouble without it. If you don't need a large
	# swap set this to something reasonable for you.
	lvcreate -L +32G Arch -n swap
	lvcreate -l +100%FREE Arch -n root
	lvcreate -l +100%FREE ArchHome -n home

	# Create filesystems on your encrypted partitions. I will be using ext4
	mkswap /dev/mapper/Arch-swap
	mkfs.ext4 /dev/mapper/Arch-root
	mkfs.ext4 /dev/mapper/ArchHome-home

	# Mount the new system
	mount /dev/mapper/Arch-root /mnt
	swapon /dev/mapper/Arch-swap
	mkdir /mnt/boot
	mount /dev/nvme0n1p2 /mnt/boot
	mkdir /mnt/efi
	mount /dev/nvme0n1p1 /mnt/efi
	mkdir /mnt/home
	mount /dev/mapper/ArchHome-home /mnt/home

	# Check pacman.d mirrolist and comment out any that you do not want to use
	vim /etc/pacman.d/mirrorlist

	# Copy keyfile to new drive and set permissions
	cp /keyfile.bin /mnt/keyfile.bin
	chmod 000 /mnt/keyfile.bin

	# Install your base Arch system along with a couple of utilities
	pacstrap /mnt base base-devel linux mkinitcpio grub-efi-x86_64 efibootmgr dialog vim lvm2

	# Create and review FSTAB
	genfstab -U /mnt >> /mnt/etc/fstab # The -U option pulls in all the correct UUIDs for your mounted filesystems.
	sed -i 's/noatime/relatime/g' /mnt/etc/fstab # Swap noatime with relatime

	# Edit crypttab
	HOMEUUID=$(blkid /dev/sda1 \| awk '{print $2}' \| cut -d '"' -f2)
	echo "crypt_hdd UUID=$HOMEUUID /keyfile.bin luks" >> /mnt/etc/crypttab

	# Copy edited pacman.d to new drive
	cp /etc/pacman.d/mirrorlist /mnt/etc/pacman.d/mirrorlist

	# Enter the new system
	arch-chroot /mnt /bin/bash

	# Set locale
	echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
	locale-gen
	echo "LANG=en_US.UTF-8" > /etc/locale.conf
	export LANG=en_US.UTF-8

	# Set clock
	unlink /etc/localtime
	ln -s /usr/share/zoneinfo/US/Mountain /etc/localtime
	hwclock --systohc --utc

	# Assign your hostname
	echo "eth1" > /etc/hostname

	# Add entries to /etc/hosts
	127.0.0.1 localhost
	::1 localhost
	127.0.1.1 eth1.localdomain eth1

	# Install dhcpcd (a dhcp client)
	pacman -Sy dhcpcd

	# Enable dhcpcd
	systemctl enable dhcpcd.service

	# Set root password
	passwd

	# Create user
	useradd -m -G wheel -s /bin/bash trevor
	passwd trevor

	# Configure mkinitcpio with the correct HOOKS required for your initrd image
	sed -i 's/^HOOKS=.*/HOOKS="base udev autodetect modconf block keyboard encrypt lvm2 resume filesystems fsck"/' /etc/mkinitcpio.conf
	mkinitcpio -p linux

	# Install and configure Grub-EFI
	grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=ArchLinux
	ROOTUUID=$(blkid /dev/nvme0n1p3 \| awk '{print $2}' \| cut -d '"' -f2)
	sed -i "s/^GRUB_CMDLINE_LINUX=.*/GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=$ROOTUUID:cryptroot:allow-discards root=\/dev\/mapper\/Arch-root resume=\/dev\/mapper\/Arch-swap\"/" /etc/default/grub

	# Generate Your Final Grub Configuration:
	grub-mkconfig -o /boot/grub/grub.cfg

	# Let users in wheel group run any command
	visudo # Uncomment line: '%wheel ALL=(ALL) ALL'

	# Exit Your New Arch System
	exit

	# Unmount all partitions
	umount -R /mnt
	swapoff -a

	# Reboot
	reboot

	# The rest is to enable the provisioning of archlinux using another machine with ansible:

	# Login locally to the machine and install openssh
	sudo pacman -S openssh python

	# On this build I had to edit /etc/dhcpcd.conf so that the computer sends the hostname to the DHCP server.
	sudo vim /etc/dhcpcd.conf
	sudo systemctl restart dhcpcd

	# Start the SSH server
	sudo systemctl start sshd.service

	------------------

	# The rest I do from the ansible provisioning box

	# Copy your ssh key to the new machine
	ssh-copy-id <user>@<ip address>

	# Ensure you can now do passwordless ssh
	ssh <user>@<ip address> "uname -r"

	-------------------
	# While logged into the new machine via ssh

	# Create an ssh key
	mkdir ~/.ssh
	ssh-keygen -t ed25519 -C "$(whoami)@$(hostname)-$(date -I)" -f ~/.ssh/id_ed25519

	# Generate an ssh key to be used to download dotfiles from github
	ssh-keygen -t ed25519 -C "$(whoami)@$(hostname)-$(date -I)" -f ~/.ssh/github
	cat ~/.ssh/github.pub # Copy to github ssh keys