Installation Path

goals:

  • uefi installation
  • systemd-boot
  • cryptsetup & lvm
  • english system
  • german keyboard and TZ
  • bspwm desktop

preparing

get ISO and verify integrity

# curl ISO
> curl -O https://mirror.x33u.org/archlinux/iso/latest/archlinux-2022.02.01-x86_64.iso

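# compare checksum with the hash from "archlinux.org/download" (not the one served by the mirror)
# the tool has to match the published hash type: sha256sum prints 64 hex characters,
# the 40-character value shown below has the length of a sha1 digest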
> sha256sum archlinux-2022.02.01-x86_64.iso
  ....
  3f3ba996e7d8e0b15d911180682093cd8fe6b805  archlinux-2022.02.01-x86_64.iso

# or pipe hash value
> echo \
  a1d6a69ab11b17149194804e1bd848b3c90c1e9bd06eb330cff074b3e9e82fa8 \
  archlinux-2022.02.01-x86_64.iso|sha256sum -c
  ....
  archlinux-2022.02.01-x86_64.iso: OK

# get arch linux signature
> curl -O https://mirror.x33u.org/archlinux/iso/latest/archlinux-2022.02.01-x86_64.iso.sig

# locate master signing keys - maybe from Allan McRae
> gpg --locate-keys allan@archlinux.org

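# verify signature - auto-key-retrieve fetches whatever key the signature names,
# so "Good signature" alone proves little while gpg still prints the
# "not certified with a trusted signature" warning: compare the primary key
# fingerprint in the output with the signing keys published on archlinux.org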
> gpg --keyserver-options auto-key-retrieve --verify archlinux-2022.02.01-x86_64.iso.sig
  ....
  gpg: assuming signed data in 'archlinux-2022.02.01-x86_64.iso'
  gpg: Signature made Tue 01 Feb 2022 06:09:25 PM CET
  gpg:                using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
  gpg:                issuer "pierre@archlinux.de"
  gpg: Good signature from "Pierre Schmitz <pierre@archlinux.de>" [unknown]
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 4AA4 767B BC9C 4B1D 18AE  28B7 7F2D 434B 9741 E8AC


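# dump image as root to usb device
# (replace sdX with the real device - check with lsblk first, dd overwrites the target without asking)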
> dd if=archlinux-2022.02.01-x86_64.iso|pv -s 831M|dd of=/dev/sdX bs=10M

check master signing keys on archlinux.org

partition schema

disk layout
                          ┌─────────────────────────────────────┐
                          │                                     │
1. Create GPT partition   │       512MB EFI Boot Partition      │
                          │                                     │
2. Set EFI flags          ├─────────────────────────────────────┤
                          │                                     │
-  We don't need SWAP     │    Remaining Encrypted Partition    │
                          │                                     │
                          └─────────────────────────────────────┘

disk partitioning

disk preparing for /dev/sda

# create gpt table with two partitions
> echo -e "g\nn\n1\n2048\n+512M\nn\n2\n\n\nt\n1\n1\nw" \
  | fdisk /dev/sda

# create EFI boot partition
> mkfs.fat -F 32 -n EFIBOOT /dev/sda1

disk encryption

encrypt sda2 partition using cryptsetup

> cryptsetup -c \
  aes-xts-plain64 \
  -y -s 512 luksFormat \
  /dev/sda2

on an HDD I would recommend filling the whole device with /dev/zero or using shred before running luksFormat (doing it afterwards overwrites the LUKS header) - on SSDs it's rather perceived security
for more details see: "fd0's" talk on media.ccc.de


create LVM

open newly encrypted device and setup lvm and file system

# open device
> cryptsetup luksOpen /dev/sda2 lvm

# create physical volume
> pvcreate /dev/mapper/lvm

# create volume group
> vgcreate main /dev/mapper/lvm

# create 80gb logical volume for "/"
> lvcreate -L 80GB -n root main
# all other space goes to "/home"
> lvcreate -l 100%FREE -n home main

# create EXT4 filesystem for both partitions
> mkfs.ext4 -L root /dev/mapper/main-root
> mkfs.ext4 -L home /dev/mapper/main-home

mount filesystem

# mount "/"
> mount /dev/mapper/main-root /mnt

# create missing directories
> mkdir /mnt/{boot,home}

# mount "/home"
> mount /dev/mapper/main-home /mnt/home

# mount "/boot"
> mount /dev/sda1 /mnt/boot

arch chroot

do the magic

# pacstrap tools to "/mnt"
> pacstrap /mnt \
  base \
  base-devel \
  efibootmgr \
  dosfstools \
  gptfdisk \
  nano \
  linux \
  linux-firmware \
  mkinitcpio \
  zsh \
  lvm2 \
  dhcpcd

# generate fstab
> genfstab -L /mnt >> /mnt/etc/fstab

# change root to "/mnt"
> arch-chroot /mnt

language config

setup language, locale and timezone

# edit /etc/locale.conf
LANG="en_US.UTF-8"

# edit /etc/locale.gen
de_DE.UTF-8 UTF-8
de_DE ISO-8859-1
de_DE@euro ISO-8859-15
en_US.UTF-8 UTF-8

# generate locales
> locale-gen

# link timezone
> ln -sf /usr/share/zoneinfo/Europe/Berlin \
  /etc/localtime

system config

set hostname and vconsole

# set hostname
> echo "hostname" >> /etc/hostname

# keyboard mapping
> echo "KEYMAP=de-latin1" >> /etc/vconsole.conf

kernel config

edit /etc/mkinitcpio.conf

# only for INTEL
# set modules "ext4" and intel boot graphics
MODULES=(ext4 i915 intel_agp)

# only for AMD
# set modules "ext4" and amd graphics
MODULES=(ext4 amdgpu)

# set hooks and take care of the order!
HOOKS=(base udev autodetect modconf block keyboard keymap encrypt lvm2 filesystems fsck shutdown)

# create kernel image
> mkinitcpio -p linux

bootloader

systemd boot

# install bootloader
> bootctl install

# edit /boot/loader/entries/arch.conf
title    Arch Linux
linux    /vmlinuz-linux
initrd   /initramfs-linux.img
options  cryptdevice=/dev/sda2:main root=/dev/mapper/main-root rw lang=de init=/usr/lib/systemd/systemd locale=de_DE.UTF-8

# edit /boot/loader/entries/arch-fallback.conf
title    Arch Linux Fallback
linux    /vmlinuz-linux
initrd   /initramfs-linux-fallback.img
options  cryptdevice=/dev/sda2:main root=/dev/mapper/main-root rw lang=de init=/usr/lib/systemd/systemd locale=de_DE.UTF-8

# edit /boot/loader/loader.conf
timeout 1
default arch

# update boot config
> bootctl update

last steps

set root password and enable dhcpcd

# set root password
> passwd root

# enable dhcp at boot
> systemctl enable dhcpcd.service

smoke test

exit chroot and do the smoke test

# leave chroot
> exit

# unmount "/boot" and "/home"
> umount /mnt/{boot,home}

# unmount "/"
> umount /mnt

# restart system
> reboot

userland

configure the new system - beginning with user management

# add user with ZSH default shell
> useradd -m -s /bin/zsh <username>

# set password for new user
> passwd <username>

# put new user in wheel group for "sudo"
> usermod -aG wheel <username>

# enable wheel in sudoers file by using nano
> EDITOR=nano visudo
# uncomment "%wheel ALL=(ALL) ALL"

x server

install Xorg environment

# get Xorg driver
> pacman -S \
  xorg \
  xorg-server \
  xorg-xinit \
  xorg-xrandr \
  xf86-input-elographics \
  xf86-input-evdev \
  xf86-input-libinput \
  xf86-input-vmmouse \
  xf86-input-void

# INTEL gpu driver
> pacman -S xf86-video-intel

# AMD gpu driver
> pacman -S xf86-video-amdgpu

add keyboard options file to Xorg’s conf.d/ folder:

/etc/X11/xorg.conf.d/00-keyboard.conf
Section "InputClass"
    Identifier "Keyboard Defaults"
    MatchIsKeyboard "yes"
    MatchProduct "keyboard"
    Option "XkbLayout" "de"
EndSection

desktop env

# install BSPWM and some desktop software
> pacman -S \
  alsa-firmware \
  alsa-lib \
  blueman \
  bspwm \
  dmenu \
  feh \
  file-roller \
  pcmanfm \
  picom \
  polybar \
  pulseaudio \
  pulseaudio-bluetooth \
  pulsemixer \
  rofi \
  rxvt-unicode \
  sxhkd \
  x11-ssh-askpass \
  xsecurelock \
  xsettingsd \
  xss-lock \
  xorg-xset

autologin

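autologin using systemd - with this enabled, whoever gets past the LUKS passphrase at boot lands in the user session without a login prompt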

# copy unitfile
> cp /usr/lib/systemd/system/getty@.service \
  /etc/systemd/system/autologin@tty1.service

> edit /etc/systemd/system/autologin@tty1.service
  change: "ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear %I $TERM"
  to:     "ExecStart=-/sbin/agetty --noclear -a <username> %I 38400"

# disable getty@tty1
> systemctl disable getty@tty1

# enable autologin@tty1
> systemctl enable autologin@tty1

wifi tools

# install wifi req
> pacman -S \
  dialog \
  netctl \
  wpa_supplicant

dotfiles

# install git
> pacman -S --needed git

# get dotfiles
> git clone \
  https://codeberg.org/x33u/dotfiles

# set owner
> chown -R $USER: dotfiles/

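# copy dotfiles to "/home"
# note: [^git] is a character class, not the word "git" - the pattern skips every
# dotfile whose name starts with .g, .i or .t, not only the .git directory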
> cp -r  dotfiles/.[^git]* $HOME/

# remove cloned folder
> rm -rf dotfiles/

arch user repo

AUR using yay

# install dev tools
> pacman -S --needed base-devel

# clone yay repo
> git clone https://aur.archlinux.org/yay.git

# change into dir - build pkg and install it
# (run as the normal user, not root; makepkg executes the PKGBUILD, so read it before building)
> cd yay/ && makepkg -si

# remove cloned folder
> cd ../ \
  && rm -rf yay/