@cjber
Forked from kylemanna/arch-linux-install.md
Last active May 2, 2021 12:56
Minimal instructions for installing Arch Linux on a UEFI NVMe system with full system encryption using dm-crypt and LUKS

Install ARCH Linux with encrypted file-system and UEFI

The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.

Download the Arch ISO

Copy to a USB drive

dd if=archlinux.img of=/dev/sdX bs=16M && sync # on linux

Boot from USB drive

If the usb fails to boot, make sure that secure boot is disabled in the BIOS configuration.

Connect to Wifi (if required)

iwctl
[iwd] device list
[iwd] etc...

See https://wiki.archlinux.org/index.php/Iwd

Create partitions

cgdisk /dev/sdx
1 512MB EFI partition # Hex code ef00
2 100% size partition # (to be encrypted) Hex code 8300

Create EFI partition

mkfs.vfat -F32 -n EFI /dev/sdx1

Set up the encryption of the system with a 256-bit effective key size

Note: many NVMe drives can exceed 2GB/s, so choose the cipher with care: run cryptsetup benchmark and review the defaults listed at the end of cryptsetup --help. In my experience the cryptsetup defaults (AES 256, sha256, 2000ms iteration time) are usually the fastest choice that still gives good security.

cryptsetup --use-random luksFormat /dev/sdx2 # e.g. /dev/nvme0n1p2 on an NVMe drive
cryptsetup luksOpen /dev/sdx2 luks

Create encrypted partitions

This creates a single logical volume for root; modify it if /home or other directories should live on separate volumes

pvcreate /dev/mapper/luks
vgcreate vg0 /dev/mapper/luks
lvcreate -l +100%FREE vg0 --name root

Create filesystems on encrypted partitions

mkfs.ext4 -L root /dev/mapper/vg0-root

Mount the new system

mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
mkdir /mnt/boot
mount /dev/sdx1 /mnt/boot

Install the system

fish is optional (bash, zsh etc. can be used instead). go is installed as a dependency for yay, the AUR helper used later on, and git is also required for it. vim is useful for editing configs etc.

Other than these I believe the rest are required.

pacstrap /mnt base base-devel vim git sudo efibootmgr lvm2 linux linux-headers fish go
pacstrap /mnt intel-ucode # or amd-ucode for an AMD CPU

Generate fstab

genfstab -pU /mnt | tee -a /mnt/etc/fstab

Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)

tmpfs	/tmp	tmpfs	defaults,noatime,mode=1777	0	0

Also change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)

Enter the new system

arch-chroot /mnt /bin/bash

Setup system clock

ln -s /usr/share/zoneinfo/Europe/London /etc/localtime
hwclock --systohc --utc

Set the hostname

echo cjber > /etc/hostname

Generate locale

Uncomment wanted locales in /etc/locale.gen

vim /etc/locale.gen
locale-gen
echo LANG=en_US.UTF-8 > /etc/locale.conf # localectl needs a running systemd, so write locale.conf directly inside the chroot

Set password for root

passwd

Add user

groupadd cjber
useradd -m -g cjber -G wheel -s /bin/fish cjber
passwd cjber

Configure mkinitcpio with modules needed for the initrd image

mkinitcpio -p linux
vim /etc/mkinitcpio.conf
  • Add 'ext4' to MODULES
  • Add 'encrypt' and 'lvm2' to HOOKS before filesystems

Regenerate initrd image

mkinitcpio -p linux

Set up systemd-boot

bootctl --path=/boot install

Create loader.conf

echo default arch >> /boot/loader/loader.conf
echo timeout 5 >> /boot/loader/loader.conf

Create arch.conf (or XYZ.conf for default XYZ in loader.conf)

vim /boot/loader/entries/arch.conf

Add the following content to arch.conf

<UUID> is the one of the raw encrypted device (/dev/sdx2). It can be found with the blkid command

title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
# use initrd /amd-ucode.img instead of the line above on an AMD CPU
initrd /initramfs-linux.img
options cryptdevice=UUID=<UUID>:vg0 root=/dev/mapper/vg0-root rw
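A post-install check for the two steps above that most often leave an encrypted-root install unbootable: the HOOKS order set in /etc/mkinitcpio.conf and the cryptdevice UUID written into arch.conf. This is an added example, not part of the gist; it runs against constructed sample files, and the check_hooks, check_entry_uuid and report function names are my own.

```sh
#!/bin/sh
# Checks two mistakes that leave the encrypted-root install unbootable:
#  1. HOOKS in mkinitcpio.conf must list encrypt and lvm2 before filesystems.
#  2. cryptdevice=UUID=... in the loader entry must be the LUKS partition's
#     UUID (on the real system: blkid -s UUID -o value /dev/sdx2).

# Return 0 when encrypt and lvm2 both appear before filesystems in HOOKS.
check_hooks() {
  hooks=$(sed -n 's/^HOOKS=[("]\(.*\)[)"]/\1/p' "$1")  # HOOKS=(...) or HOOKS="..."
  enc=0; lvm=0; fs=0; i=0
  for h in $hooks; do
    i=$((i + 1))
    case "$h" in
      encrypt) enc=$i ;;
      lvm2) lvm=$i ;;
      filesystems) fs=$i ;;
    esac
  done
  if [ "$enc" -gt 0 ] && [ "$lvm" -gt 0 ] && [ "$fs" -gt 0 ] &&
     [ "$enc" -lt "$fs" ] && [ "$lvm" -lt "$fs" ]; then
    return 0
  fi
  return 1
}

# Return 0 when the cryptdevice UUID in entry file $1 equals $2.
check_entry_uuid() {
  got=$(sed -n 's/^options .*cryptdevice=UUID=\([^:]*\):.*/\1/p' "$1")
  if [ -n "$got" ] && [ "$got" = "$2" ]; then return 0; fi
  return 1
}

report() {  # $1 = label, rest = check command; prints PASS or FAIL
  label=$1; shift
  if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}

# Constructed sample files (not the real ones) so this runs offline; point the
# checks at /etc/mkinitcpio.conf and /boot/loader/entries/arch.conf instead.
tmp=$(mktemp -d)
printf 'HOOKS=(base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck)\n' >"$tmp/good.conf"
printf 'HOOKS=(base udev autodetect modconf block filesystems encrypt lvm2 fsck)\n' >"$tmp/bad.conf"
uuid=1111aaaa-2222-bbbb-3333-ccccddddeeee  # made-up UUID for the sample entry
printf 'title Arch Linux\nlinux /vmlinuz-linux\ninitrd /initramfs-linux.img\noptions cryptdevice=UUID=%s:vg0 root=/dev/mapper/vg0-root rw\n' "$uuid" >"$tmp/arch.conf"
report "hooks ordered (good.conf)" check_hooks "$tmp/good.conf"
report "hooks ordered (bad.conf, FAIL expected)" check_hooks "$tmp/bad.conf"
report "entry UUID matches (arch.conf)" check_entry_uuid "$tmp/arch.conf" "$uuid"
report "entry UUID mismatch (FAIL expected)" check_entry_uuid "$tmp/arch.conf" 00000000-0000-0000-0000-000000000000
rm -r "$tmp"
```

Run it inside the chroot after editing mkinitcpio.conf and arch.conf, substituting the real file paths and the UUID reported by blkid for the sample ones.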

Add windows to systemd-boot (if on different drive)

  • Mount Windows boot partition from different drive (lsblk likely shows it as 100M on an sdx1).
    • mount /dev/sdx1 /mnt
  • Copy Windows Microsoft folder to EFI.
    • cp -r /mnt/EFI/Microsoft /boot/EFI

Set up network (DO NOT FORGET THIS...)

pacman -S dhcpcd
systemctl enable dhcpcd

Exit new system

exit

Unmount all partitions

umount -R /mnt

Reboot into the new system (check BIOS for boot order)

reboot

Extras

Install everything else

git clone https://github.com/cjber/dotfiles
cd dotfiles/restore
su root
bash 01_restore_all_root.sh
export EDITOR=vim
visudo

Uncomment the line %wheel ALL=(ALL) NOPASSWD: ALL (or the %wheel ALL=(ALL) ALL line above it if sudo should still ask for the user's password)

su cjber
bash 02_restore_all.sh
dotdrop --profile=home install

sudo systemctl enable lightdm.service

Auto login

For some reason I found you need to install a greeter then uninstall it.

e.g.

sudo pacman -S lightdm-gtk-greeter

Edit /etc/lightdm/lightdm.conf and set:

[Seat:*]
autologin-user=username

groupadd -r autologin
gpasswd -a username autologin
reboot

sudo pacman -R lightdm-gtk-greeter

Create auto swap

Uncomment and set swapfc_enabled=1 in /etc/systemd/swap.conf.

systemctl start systemd-swap
systemctl enable systemd-swap

Nvidia

pacman -S nvidia nvidia-settings nvidia-container-toolkit
nvidia-xconfig

Add nvidia-drm.modeset=1 as kernel param to /boot/loader/entries/arch.conf.

Also see here NVIDIA/nvidia-docker#1447 (comment)

Can also try systemd.unified_cgroup_hierarchy=false

Fix screen tearing (and overclockable)

Edit /etc/X11/xorg.conf, change device section to:

Section "Device"
    Identifier     "Device0"
    Driver         "nvidia"
    VendorName     "NVIDIA Corporation"
    Option         "CoolBits"   "24"
    Option         "ForceFullCompositionPipeline" "true"
EndSection

Early OOM

pacman -S earlyoom
systemctl enable --now earlyoom

Reflector

systemctl enable reflector.service

Can edit /etc/xdg/reflector/reflector.conf, default is ok though.

Stop staggered spinup

Add libahci.ignore_sss=1 as kernel param in /boot/loader/entries/arch.conf.

To chroot into encrypted drive (if something breaks)

cryptsetup luksOpen /dev/sdx2 encrypted_device
vgchange -ay
mount /dev/vg0/root /mnt
mount /dev/sdx1 /mnt/boot # needed if the initramfs or bootloader has to be regenerated
arch-chroot /mnt