Forked from mattiaslundberg/arch-linux-install
Last active
September 26, 2020 09:19
Minimal instructions for installing arch linux on an UEFI system with full system encryption + Post-Install Setup
| # HOW TO INSTALL ARCH LINUX(UEFI) WITH LUKS1, LVM, grub | |
| # Arch-Linux Official Guide: https://wiki.archlinux.org/index.php/Installation_Guide | |
| # Based on: https://paste.ubuntu.com/p/nXNMPBYfk4/ | |
| # use: https://emanuelduss.ch/2016/03/arch-linux-installation-gpt-luks-lvm-i3/ | |
| # Desired layout: | |
| +---------------+----------------+----------------+----------------+ | |
| |ESP partition: |Boot partition: |Volume 1: |Volume 2: | | |
| | | | | | | |
| |/boot/efi |/boot |root |home | | |
| | | | | | | |
| | | |/dev/vg1/root |/dev/vg1/home | | |
| |/dev/sda1 |/dev/sda2 +----------------+----------------+ | |
| |unencrypted |LUKS encrypted |/dev/sda3 encrypted LVM on LUKS | | |
| +---------------+----------------+---------------------------------+ | |
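| # download the archlinux iso and its .sig file, then verify the signature (pacman-key -v needs an existing Arch install; do not write the image if verification fails): | |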
| pacman-key -v archlinux-2019.12.01-x86_64.iso.sig | |
| # create bootable flash drive (confirm with lsblk that /dev/sdb really is the flash drive - dd overwrites the target device) | |
| dd bs=4M if=archlinux-2019.12.01-x86_64.iso of=/dev/sdb status=progress oflag=sync | |
| # (optional) - securely wipe target drive | |
| # https://wiki.archlinux.org/index.php/Securely_wipe_disk | |
| ------------------------------------------------------------------------ | |
| BOOT INTO ISO - DISABLE LEGACY MODE AND ENABLE USB BOOT DRIVE IN BIOS | |
| https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fi.stack.imgur.com%2Fx4URD.png&f=1&nofb=1 | |
| ------------------------------------------------------------------------ | |
| # check efi boot | |
| ls /sys/firmware/efi/efivars | |
| # connect to wifi (or use ethernet cable) | |
| wifi-menu | |
| # check connection | |
| ping -c 3 duck.com | |
| # enable ntp | |
| timedatectl set-ntp true | |
| timedatectl status | |
| # preparing the drive - create partitions | |
| ## checking drive name - make sure you know what it is | |
| lsblk | |
| ## check what the /dev/*** is for your main drive(see the size to double check) | |
| ## might be mmc**** or nvme*** depending on your hd/ssd | |
| ## match following commands with your respective drive name | |
| gdisk /dev/sda | |
| # use "o" to create GPT table | |
| # use "n" to create a new partition | |
| # partition 1: start sector 2048, size 512M, code EF00 | |
| # partition 2: size 256M, code 8300 | |
| # partition 3: remaining size, code 8E00 | |
| # use "p" to show new partition table | |
| # use "w" to write changes | |
| # use "q" to quit | |
| # preparing the drive - format partitions | |
| # iter-time is in milliseconds - 0 means default for that setting | |
| # p1 - efi | |
| mkfs.fat -F32 /dev/sda1 | |
| # p2 - encrypted /boot (GRUB itself has to unlock this partition, which is presumably why the guide uses --type luks1) | |
| # iter-time is in milliseconds - 0 means default for that setting | |
| cryptsetup luksFormat --type luks1 -h sha512 --iter-time 2000 /dev/sda2 | |
| cryptsetup open /dev/sda2 cryptboot | |
| mkfs.ext4 /dev/mapper/cryptboot | |
| # p3 - encrypted LVM with root and home partition | |
| # iter-time is in milliseconds - 0 means default for that setting | |
| cryptsetup luksFormat --type luks1 -h sha512 --iter-time 1000 /dev/sda3 | |
| cryptsetup open /dev/sda3 cryptlvm | |
| pvcreate /dev/mapper/cryptlvm | |
| vgcreate vg1 /dev/mapper/cryptlvm | |
| lvcreate -L 35G vg1 -n root | |
| lvcreate -l 100%FREE vg1 -n home | |
| mkfs.ext4 /dev/mapper/vg1-root | |
| mkfs.ext4 /dev/mapper/vg1-home | |
| # mount the 3 partitions | |
| mount /dev/mapper/vg1-root /mnt | |
| mkdir /mnt/home | |
| mount /dev/mapper/vg1-home /mnt/home | |
| mkdir /mnt/boot | |
| mount /dev/mapper/cryptboot /mnt/boot | |
| mkdir /mnt/boot/efi | |
| mount /dev/sda1 /mnt/boot/efi | |
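| # check with lsblk, it should look like this (the sizes below are from a different disk; with the lvcreate commands above, vg1-root is 35G and vg1-home takes the remaining space): | |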
| # sda 8:0 0 931.5G 0 disk | |
| # ├─sda2 8:2 0 200M 0 part | |
| # │ └─cryptboot 254:0 0 198M 0 crypt /mnt/boot | |
| # ├─sda3 8:3 0 800G 0 part | |
| # │ └─cryptlvm 254:1 0 800G 0 crypt | |
| # │ ├─vg1-home 254:2 0 35G 0 lvm /mnt/home | |
| # │ └─vg1-root 254:3 0 784G 0 lvm /mnt | |
| # └─sda1 8:1 0 512M 0 part /mnt/boot/efi | |
| # select faster pacman mirrors | |
| # edit /etc/pacman.d/mirrorlist | |
| # uncomment by deleting the # in front of your specific country | |
| # install essential packages | |
| pacstrap /mnt base base-devel linux linux-firmware grub-efi-x86_64 efibootmgr lvm2 wpa_supplicant neovim git wget dosfstools terminus-font reflector networkmanager | |
| reflector -c "Australia" --verbose /etc/pacman.d/mirrorlist | |
| # generate fstab | |
| genfstab -U /mnt >> /mnt/etc/fstab | |
| # chroot into our newly installed system | |
| arch-chroot /mnt /bin/bash | |
| # set timezone | |
| ln -sf /usr/share/zoneinfo/{CODE}/{CODE} /etc/localtime | |
| timedatectl set-timezone Australia/Sydney | |
| timedatectl set-ntp true | |
| hwclock --systohc --utc | |
| # set hostname | |
| echo {WANTED_HOSTNAME} >/etc/hostname | |
| # set locale | |
| echo "en_AU.UTF-8 UTF-8" > /etc/locale.gen | |
| locale-gen | |
| echo LANG=en_AU.UTF-8 >> /etc/locale.conf | |
| localectl set-locale LANG=en_AU.UTF-8 | |
| # set terminal = tty font | |
| echo 'FONT=ter-v32n' | sudo tee -a /etc/vconsole.conf > /dev/null | |
| # set root password | |
| passwd | |
| # edit HOOKS in /etc/mkinitcpio.conf | |
| # make sure its in the exact order below | |
| # HOOKS=(base udev autodetect keyboard keymap modconf block encrypt lvm2 filesystems fsck) | |
| # regenerate initrd image | |
| mkinitcpio -p linux | |
| # edit grub config: /etc/default/grub | |
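| # uncomment "GRUB_ENABLE_CRYPTODISK=y" so GRUB can boot from the encrypted /boot | |
| # NOTE(review): the sed below sets resume=/dev/mapper/vg1-swap, but this guide never creates a swap volume in vg1 - create vg1-swap first or leave resume= out | |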
| sed -i "s#^GRUB_CMDLINE_LINUX=.*#GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=$(blkid /dev/sda3 -s UUID -o value):lvm resume=/dev/mapper/vg1-swap\"#g" /etc/default/grub | |
| mkdir /boot/grub | |
| grub-mkconfig -o /boot/grub/grub.cfg | |
| # install grub | |
| grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ArchLinux | |
| # create keyfiles so we do not have to enter a password twice | |
| dd bs=512 count=8 if=/dev/urandom of=/etc/key | |
| chmod 400 /etc/key | |
| cryptsetup luksAddKey /dev/sda2 /etc/key | |
| # edit /etc/crypttab | |
| blkid /dev/sda2 -s UUID -o value >> /etc/crypttab | |
| # the blkid command above only appends the bare UUID of /dev/sda2; edit /etc/crypttab so the line reads: cryptboot UUID=<uuid of /dev/sda2> /etc/key luks | |
| # so we can open LVM without entering a password: | |
| dd bs=512 count=8 if=/dev/urandom of=/crypto_keyfile.bin | |
| chmod 000 /crypto_keyfile.bin | |
| cryptsetup luksAddKey /dev/sda3 /crypto_keyfile.bin | |
| # edit /etc/mkinitcpio.conf | |
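| # replace "FILES=()" with "FILES=/crypto_keyfile.bin" (current mkinitcpio.conf uses array syntax: FILES=(/crypto_keyfile.bin)) | |
| # the keyfile is copied into the initramfs image, so the image must stay readable by root only - hence the chmod 600 below | |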
| mkinitcpio -p linux | |
| chmod 600 /boot/initramfs-linux* | |
| # enable Intel microcode CPU updates (if you use Intel processor, of course) | |
| pacman -S intel-ucode | |
| grub-mkconfig -o /boot/grub/grub.cfg | |
| # some additional security | |
| chmod 700 /boot | |
| chmod 700 /etc/iptables | |
| # create non-root user, set password | |
| useradd -m -g users -G wheel -s /bin/bash {YOUR_USER_NAME} | |
| passwd YOUR_USER_NAME | |
| # allow group wheel to have sudo permissions: | |
| # edit /etc/sudoers with visudo (it checks the syntax before saving) and uncomment the line: %wheel ALL=(ALL) ALL | |
| exit | |
| umount -R /mnt | |
| # swapoff -a | |
| reboot | |
| -------------------- POST ARCH INSTALL --------------------- | |
| # Wificard = wifi cards name in the output of $(ip a) - normally wlp**** | |
| sudo systemctl enable --now NetworkManager | |
| nmtui | |
| sudo pacman -S xdg-utils xorg-server xorg-xinit xf86-video-intel xf86-input-libinput xautolock pulseaudio pulseaudio-utils ntfs-3g(for rw access to ntfs) | |
| sudo pacman -S sshfs clang pdsh zathura ranger ncmpcpp mpd mpc emacs pulseaudio alsa-utils(amixer) pamixer(for dwm vol to work) feh maim xorg-xbacklight terminus-font dunst neofetch neomutt rofi python-pywal picom bash-completion redshift htop zart(for webcam) npm cronie | |
| # fonts | |
| y -S ttf-roboto noto-fonts noto-fonts-emoji noto-fonts-cjk adobe-source-han-sans-cn-fonts adobe-source-han-serif-cn-fonts ttf-dejavu-emojiless ttf-roboto ttf-symbola ttf-joypixels | |
| yay -S ttf-ms-fonts ttf-vista-fonts | |
| git clone https://aur.archlinux.org/yay.git && cd yay && makepkg -si | |
| yay -Syu pmount mutt-wizard ttf-symbola(for emojis) freecad(cad maker) | |
| mw add | |
| git clone https://github.com/pearsaregross/{st, dwm, dmenu, rice}.git | |
| npm install npx | |
| npx hblock | |
| sudo visudo | |
| ## User privilege specification | |
| root ALL=(ALL) ALL | |
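| # NOPASSWD:ALL lets any process running as USERNAME become root without a password prompt; the %wheel rule enabled during install keeps the prompt | |
| USERNAME ALL=(ALL) NOPASSWD:ALL | |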
| sudo nvim /etc/hosts | |
| sudo nvim /etc/resolv.conf | |
| nameserver 1.1.1.1 | |
| nameserver 1.0.0.1 | |
| # change default apps for files | |
| ## https://www.guyrutenberg.com/2018/01/20/set-default-application-using-xdg-mime/ | |
| You can use the xdg-mime utility to query the default mime-type associations and change them. | |
| xdg-mime query default video/mp4 | |
| Will return the .desktop file associated with the default app to open mp4 files. | |
| To change the default association: | |
| xdg-mime default vlc.desktop video/mp4 | |
| To check the mime-type of a given file, use | |
| file -ib filename | |
| # r and latex | |
| sp -S pandoc-citeproc r texlive-core texlive-most tk(lib for r to work) | |
| sudo R | |
| install.packages("reticulate") # to run code with python | |
| install.packages("rmarkdown") | |
| # 3d printer | |
| sp -S cura | |
| yay -S cura-plugin-octoprint-git | |
| # find the curpackage online and drag and drop onto cura machine | |
| # go into plugins and update octoprint | |
| # restart cura and connect to printer | |
| # xbanish app hides cursor when scrolling + timeout | |
| yay -S xbanish | |
| # to open it in the background or place in $HOME/.xinitrc | |
| xbanish & disown | |
| # epub editor - Sigil | |
| sp -S sigil | |
| # mount apple-related devices | |
| sp -S ifuse | |
| reboot | |
| sudo modprobe fuse # to see if fuse module is correctly installed, run: tree /etc/modules-load.d/'uname -r' | grep fuse | |
| # example: ifuse ~/ipad | |
| # pip env | |
| sp -S python-pip | |
| sudo pip install pipenv | |
| # simplified chinese input | |
| # install fonts: https://wiki.archlinux.org/index.php/Font_Configuration/Chinese_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87) | |
| sp -S ibus ibus-rime | |
| # setup: https://wiki.archlinux.org/index.php/IBus#Chinese | |
| # configure: https://wiki.archlinux.org/index.php/Rime#Selecting_Input_Method | |
| # woe-usb to flash windows iso | |
| yay -S woeusb-git | |
| # for editing wifis that require WPA2 Enterprise | |
| sp -S nm-connection-editor | |
| nm-connection-editor | |
| # flashing devices with fat32 to access on android/windows | |
| https://www.redips.net/linux/create-fat32-usb-drive/ | |
| # kdeconnect | |
| sp -S kdeconnect | |
| y -S indicator-kdeconnect-git | |
| # launch kdeconnect | |
| killall kdeconnectd | |
| /usr/lib/kdeconnectd | |
| # install app on phone | |
| # connect through interface | |
| kdeconnect-settings | |
| # rust + autocompletion for emacs | |
| # https://github.com/racer-rust/racer#installation | |
| sp -S rustup | |
| sudo rustup toolchain add nightly | |
| sudo cargo +nightly install racer | |
| # WIP: setup cups with Brother MFC-9340CDW | |
| sp -S cups cups-pdf samba | |
| y -S brother-mfc-9340cdw | |
| # go to http://localhost:631/ | |
| # should give cups html website | |
| # syncthing | |
| # localhost:8384 | |
| y -S syncthing-gtk | |
| # shreddit to clean reddit | |
| sudo pip installl -U shreddit | |
| # cache github credentials | |
| https://help.github.com/en/github/using-git/caching-your-github-password-in-git | |
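| # fix emoji fonts | |
| # the key imported below is presumably the one makepkg needs to verify the libxft-bgra sources; compare the fingerprint with the validpgpkeys entry in the package's PKGBUILD before importing | |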
| gpg --keyserver keys.gnupg.net --recv-keys 4A193C06D35E7C670FA4EF0BA2FB9E081F2D130E | |
| yay -S libxft-bgra | |