@silicondosa
Forked from mattiaslundberg/arch-linux-install
Last active July 12, 2023 14:49
Arch Linux install guide for a UEFI system with full system encryption using btrfs subvolumes inside LVM on luks (dm-crypt)
# THIS IS STILL A WORK IN PROGRESS!
# Install ARCH Linux with a whole-disk encrypted BTRFS file-system on UEFI
# The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.
# Download the archiso image from https://www.archlinux.org/download/
# Copy to a USB drive (Replace X with device number of USB)
dd bs=4M if=path/to/archlinux.iso of=/dev/sdX status=progress oflag=sync
# Boot from the USB. If the live disk fails to boot, make sure that secure boot is disabled in the UEFI/BIOS configuration.
# We'll be using the default US English keymap
# Check that your preferred network interfaces are available
ip link
# If you are connected to a wired network, it should already be ready to go since the installer enables DHCP by default
# If you want to connect to a Wi-Fi network, you can pick one using
wifi-menu
# Verify an active internet connection
ping -c 3 archlinux.org
# Update system clock
timedatectl set-ntp true
# Set the time zone: type the following command, then hit tab to list all the available zones
# and pick the one that suits you (timedatectl list-timezones prints the full list as well).
timedatectl set-timezone
# Get a list of storage devices
lsblk -f
# SATA and USB disks (including the USB live disk) are listed as /dev/sdX
# NVMe disks are listed as /dev/nvme0nX
# We are going to use the LVM on LUKS approach to build the following partition layout
# More info at https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS
# And also at https://flypenguin.de/2018/01/20/arch-full-disk-encryption-btrfs-on-efi-systems/
+-----------------------+---------------------------------------------+----------------------+
| EFI system partition  | Logical volume 1 (BTRFS system volume)      | Logical volume 2     |
|                       | /dev/secureVG/system                        | /dev/secureVG/swap   |
|                       +----------------------+----------------------+                      |
|                       | BTRFS subvol @       | BTRFS subvol @home   |                      |
|                       |                      |                      |                      |
| /boot                 | /                    | /home                | [SWAP]               |
|                       |                      |                      |                      |
|                       +----------------------+----------------------+----------------------+
|                       | Physical volume /dev/mapper/cryptlvm with volume group "secureVG"  |
| /dev/nvme0n1p1 (boot) +--------------------------------------------------------------------+
| unencrypted           | /dev/nvme0n1p2 (cryptsys): LUKS2 encrypted container "cryptlvm"   |
+-----------------------+--------------------------------------------------------------------+
# Create partitions
cgdisk /dev/nvme0n1
# 1 1000 MB EFI partition ### (to be used as boot partition labeled 'boot') Hex code ef00
# 2 100% size partition ### (to be an encrypted partition labeled 'cryptsys') Hex code 8300
# Format the EFI partition (for EFI boot) to a FAT32 filesystem
mkfs.vfat -F32 /dev/nvme0n1p1
# Create a LUKS encrypted container on the primary system partition (/dev/nvme0n1p2).
# When prompted, enter a chosen password twice
cryptsetup luksFormat /dev/nvme0n1p2
# Open the LUKS container
cryptsetup open /dev/nvme0n1p2 cryptlvm
# The decrypted container is now available as the block device /dev/mapper/cryptlvm
# For SSDs, TRIM is disabled by default due to some security concerns: https://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html
# It can be manually enabled for every LUKS activation by opening the container with --allow-discards.
# Use this INSTEAD of the plain open above (the container can only be opened once):
cryptsetup open --allow-discards /dev/nvme0n1p2 cryptlvm
# Create a physical volume on top of the LUKS container
pvcreate /dev/mapper/cryptlvm
# To view the list of physical volumes:
pvs
# Now, create a volume group called secureVG and add the decrypted LUKS container to it
vgcreate secureVG /dev/mapper/cryptlvm
# To view the list of volume groups:
vgs
# Create logical volumes for swap and the rest of the system within the secureVG volume group
# To enable the suspend to disk function, swap must be as large as RAM (32GB in our case)
lvcreate -L 32G secureVG -n swap
lvcreate -l 100%FREE secureVG -n system
# To view the list of logical volumes:
lvs
# Format the swap logical volume as swap space
mkswap /dev/secureVG/swap
# Format the system logical volume to BTRFS and mount it at /mnt
mkfs.btrfs /dev/secureVG/system
mount /dev/secureVG/system /mnt
# Create subvolumes for root and home directories in the BTRFS logical volume
# root directory subvolume
btrfs subvolume create /mnt/@
# home directory subvolume
btrfs subvolume create /mnt/@home
# unmount BTRFS primary volume
umount /mnt
# Mount the subvolumes within the system volume as root and home directories
# mount subvolume as root
mount -o subvol=@ /dev/secureVG/system /mnt
# create directories for home and boot volumes
mkdir -p /mnt/home /mnt/boot
# mount home directory
mount -o subvol=@home /dev/secureVG/system /mnt/home
# mount boot directory
mount /dev/nvme0n1p1 /mnt/boot
# Turn on Swap
swapon /dev/secureVG/swap
# The system is now prepared for installing Arch Linux
# Select mirrors by editing pacman's mirrorlist file
# Mirrors placed higher up in the file have higher priority
vim /etc/pacman.d/mirrorlist
# Install essential packages
# basic system packages
pacstrap /mnt base linux linux-firmware intel-ucode
# filesystem tools
pacstrap /mnt btrfs-progs dosfstools e2fsprogs exfat-utils ntfs-3g lvm2 efibootmgr efitools
# networking tools
pacstrap /mnt netctl networkmanager iproute2 dhcpcd wpa_supplicant
# debug tools
pacstrap /mnt less nano vim tmux htop man-db man-pages texinfo
# Generate fstab file using UUIDs and check the output file to ensure it matches our layout (could also use part labels)
# Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)
genfstab -U /mnt >> /mnt/etc/fstab
less /mnt/etc/fstab
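The two checks the comment above asks for (does the file match our layout, and is relatime replaced by noatime on everything but /boot) can be done by hand in less, but they are easy to get wrong at the end of a long install. The following shell functions are an added example, not part of this gist: they take a path to an fstab, rewrite relatime to noatime on every non-/boot entry, and verify that every device is referenced by UUID and that the @ / @home / /boot / swap entries are all present. The function names and the sample fstab (with made-up UUIDs) are constructed for the example; point them at /mnt/etc/fstab in the installer, or try them on a scratch copy first.

```shell
# Added example, not part of the gist: post-process and sanity-check the fstab that
# genfstab -U wrote. All three functions take the fstab path as their only argument,
# so they can be tried on a scratch copy before touching /mnt/etc/fstab.

# fix_fstab: change relatime to noatime in the options of every entry except /boot.
fix_fstab() {
    file="$1"
    tmp="$file.tmp"
    awk -v OFS='\t' '
        /^[[:space:]]*#/ || NF < 4 { print; next }   # comments and blank lines unchanged
        $2 == "/boot" { print; next }                # leave the EFI partition alone
        { gsub(/relatime/, "noatime", $4); print }   # field 4 is the mount options
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# check_fstab: succeed only if every non-tmpfs entry refers to its device by UUID=,
# which is what genfstab -U should have produced (device names can change, UUIDs do not).
check_fstab() {
    awk '
        /^[[:space:]]*#/ || NF < 4 { next }
        $3 == "tmpfs" { next }
        $1 !~ /^UUID=/ { bad = 1 }
        END { exit bad }
    ' "$1"
}

# check_layout: succeed only if the file describes the layout from the table above:
# btrfs subvolume @ on /, @home on /home, a vfat /boot, and a swap entry.
check_layout() {
    awk '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == "/"     && $3 == "btrfs" && $4 ~ "(^|,)subvol=/?@(,|$)"     { root = 1 }
        $2 == "/home" && $3 == "btrfs" && $4 ~ "(^|,)subvol=/?@home(,|$)" { home = 1 }
        $2 == "/boot" && $3 == "vfat"                                    { boot = 1 }
        $3 == "swap"                                                     { swap = 1 }
        END { exit !(root && home && boot && swap) }
    ' "$1"
}

# make_sample_fstab: write a constructed fstab in the shape genfstab -U emits for the
# layout above. The UUIDs are made up for the example.
make_sample_fstab() {
    cat > "$1" <<'EOF'
# /dev/mapper/secureVG-system
UUID=11111111-2222-3333-4444-555555555555 / btrfs rw,relatime,ssd,space_cache,subvolid=256,subvol=/@ 0 0
UUID=11111111-2222-3333-4444-555555555555 /home btrfs rw,relatime,ssd,space_cache,subvolid=257,subvol=/@home 0 0
# /dev/nvme0n1p1
UUID=ABCD-1234 /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2
# /dev/mapper/secureVG-swap
UUID=66666666-7777-8888-9999-000000000000 none swap defaults 0 0
EOF
}

# Stand-alone demo on a temporary file (use the real path inside the installer instead).
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    make_sample_fstab "$f"
    fix_fstab "$f"
    check_fstab "$f" && check_layout "$f" && echo "fstab OK:" && cat "$f"
    rm -f "$f"
fi
```

The layout check deliberately keys on the subvol= option rather than on device names, because after fix_fstab the root and home entries share one UUID (both live on the same btrfs volume) and only the subvolume tells them apart.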
# Chroot into the newly installed system
arch-chroot /mnt
# Set timezone and run hwclock to set BIOS clock to UTC
ln -sf /usr/share/zoneinfo/Region/City /etc/localtime
hwclock --systohc
# Setup locale
# Edit /etc/locale.gen and uncomment en_US.UTF-8 UTF-8 and other needed locales
vim /etc/locale.gen
# Generate the locales
locale-gen
# Create /etc/locale.conf and set the LANG variable as LANG=en_US.UTF-8
touch /etc/locale.conf
echo "LANG=en_US.UTF-8" >> /etc/locale.conf
# Create the /etc/hostname file and add a hostname
touch /etc/hostname
echo "myhostname" >> /etc/hostname
# Don't forget to add matching entries in /etc/hosts to look like this:
echo "127.0.0.1 localhost" >> /etc/hosts
echo "::1 localhost" >> /etc/hosts
echo "127.0.1.1 myhostname.localdomain myhostname" >> /etc/hosts
# Any network manager configuration?
# Setup systemd-boot
# Make systemd-boot regenerate after updates
# More stuff from that blog?
# Edit /etc/mkinitcpio.conf so the initramfs can unlock LUKS and activate LVM at boot
# (add the 'encrypt' and 'lvm2' hooks to HOOKS before 'filesystems', as in the mkinitcpio step further below)
# initramfs generation
mkinitcpio -p linux
# Setup new root password. Passwords are typed in twice.
passwd
# Exit the new system and go back to the live USB shell
exit
# Unmount all partitions and turn off swap
umount -R /mnt
swapoff -a
# Reboot into the new system, don't forget to remove the cd/usb
reboot
## PROFIT?

# The steps below are left over from the forked guide (ext4 root on LVM on LUKS, GRUB, /dev/sdX naming)
# and have not yet been adapted to the BTRFS/NVMe layout above.
mkfs.ext2 /dev/sdX2
# Setup the encryption of the system
cryptsetup -c aes-xts-plain64 -y --use-random luksFormat /dev/sdX3
cryptsetup luksOpen /dev/sdX3 luks
# Create encrypted partitions
# This creates one partition for root; modify it if /home or other directories should be on separate partitions
pvcreate /dev/mapper/luks
vgcreate vg0 /dev/mapper/luks
lvcreate --size 8G vg0 --name swap
lvcreate -l +100%FREE vg0 --name root
# Create filesystems on encrypted partitions
mkfs.ext4 /dev/mapper/vg0-root
mkswap /dev/mapper/vg0-swap
# Mount the new system
mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
swapon /dev/mapper/vg0-swap # Not needed but a good thing to test
mkdir /mnt/boot
mount /dev/sdX2 /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sdX1 /mnt/boot/efi
# Install the system; this also includes what is needed to start wifi when first booting into the newly installed system
# Unless vim and zsh are desired, these can be removed from the command
pacstrap /mnt base base-devel grub-efi-x86_64 zsh vim git efibootmgr dialog wpa_supplicant
# 'install' fstab
genfstab -pU /mnt >> /mnt/etc/fstab
# Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)
tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
# Enter the new system
arch-chroot /mnt /bin/bash
# Setup system clock
ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime
hwclock --systohc --utc
# Set the hostname
echo MYHOSTNAME > /etc/hostname
# Update locale
echo LANG=en_US.UTF-8 >> /etc/locale.conf
echo LANGUAGE=en_US >> /etc/locale.conf
echo LC_ALL=C >> /etc/locale.conf
# Set password for root
passwd
# Add a real user; remove the -s flag if you don't wish to use zsh
# useradd -m -g users -G wheel -s /bin/zsh MYUSERNAME
# passwd MYUSERNAME
# Configure mkinitcpio with modules needed for the initrd image
vim /etc/mkinitcpio.conf
# Add 'ext4' to MODULES
# Add 'encrypt' and 'lvm2' to HOOKS before filesystems
# Regenerate initrd image
mkinitcpio -p linux
# Setup grub
grub-install
# In /etc/default/grub, edit the line GRUB_CMDLINE_LINUX to GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdX3:luks:allow-discards" then run:
grub-mkconfig -o /boot/grub/grub.cfg
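Both the mkinitcpio step here and the "Edit /etc/mkinitcpio.conf" step in the BTRFS section above come down to the same two hand edits: get 'encrypt' and 'lvm2' into HOOKS ahead of 'filesystems', and point the kernel command line at the LUKS container. A wrong hook order or a duplicated hook is the classic reason an encrypted install drops to an emergency shell on first boot, so it is worth doing the edit in a repeatable way and checking the result. The functions below are an added example, not commands from this gist: they edit copies of /etc/mkinitcpio.conf and /etc/default/grub idempotently and verify the ordering. Function names, the sample mkinitcpio.conf and the sample grub defaults are constructed for the example; the device passed to set_grub_cmdline is whichever partition holds the LUKS container (/dev/sdX3 in this section, /dev/nvme0n1p2 in the layout above).

```shell
# Added example, not the gist's own commands: idempotent editors for the two files this
# step touches, plus checks on the result. Run them on scratch copies first; inside the
# chroot the real paths are /etc/mkinitcpio.conf and /etc/default/grub.

# ensure_hooks FILE: put "encrypt lvm2" (in that order) immediately before "filesystems"
# in HOOKS=( ... ). Any existing encrypt/lvm2 entries are dropped first, so re-running
# the function never duplicates them.
ensure_hooks() {
    file="$1"; tmp="$file.tmp"
    awk '
        /^HOOKS=\(/ {
            line = $0; sub(/^HOOKS=\(/, "", line); sub(/\).*$/, "", line)
            n = split(line, h, " "); out = ""; placed = 0
            for (i = 1; i <= n; i++) {
                if (h[i] == "encrypt" || h[i] == "lvm2") continue
                if (h[i] == "filesystems" && !placed) { out = out " encrypt lvm2"; placed = 1 }
                out = out " " h[i]
            }
            if (!placed) out = out " encrypt lvm2"    # no filesystems hook at all: append
            sub(/^ /, "", out); print "HOOKS=(" out ")"; next
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# hooks_ok FILE: succeed only if HOOKS orders encrypt before lvm2 before filesystems,
# which is what the initramfs needs to unlock LUKS and then activate LVM at boot.
hooks_ok() {
    awk '
        /^HOOKS=\(/ {
            line = $0; sub(/^HOOKS=\(/, "", line); sub(/\).*$/, "", line)
            n = split(line, h, " "); found = 1
            for (i = 1; i <= n; i++) pos[h[i]] = i
            ok = ("encrypt" in pos) && ("lvm2" in pos) && ("filesystems" in pos) &&
                 pos["encrypt"] < pos["lvm2"] && pos["lvm2"] < pos["filesystems"]
        }
        END { exit !(found && ok) }
    ' "$1"
}

# set_grub_cmdline FILE DEVICE: set GRUB_CMDLINE_LINUX to the cryptdevice parameter from
# the step above (the mapper name "luks" must match the cryptsetup luksOpen command),
# replacing an existing line or appending one. GRUB_CMDLINE_LINUX_DEFAULT is left alone.
set_grub_cmdline() {
    file="$1"; tmp="$file.tmp"
    awk -v v="cryptdevice=$2:luks:allow-discards" '
        /^GRUB_CMDLINE_LINUX=/ { print "GRUB_CMDLINE_LINUX=\"" v "\""; done = 1; next }
        { print }
        END { if (!done) print "GRUB_CMDLINE_LINUX=\"" v "\"" }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# make_sample_conf FILE: constructed stand-in for a fresh mkinitcpio.conf (the default
# HOOKS line of the real file may differ between releases).
make_sample_conf() {
    cat > "$1" <<'EOF'
MODULES=()
BINARIES=()
FILES=()
HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)
EOF
}

# Stand-alone demo on temporary copies; in the chroot, pass the real paths instead.
if [ "${1:-}" = "demo" ]; then
    c=$(mktemp); g=$(mktemp)
    make_sample_conf "$c"; ensure_hooks "$c"; hooks_ok "$c" && grep '^HOOKS=' "$c"
    printf 'GRUB_CMDLINE_LINUX=""\n' > "$g"; set_grub_cmdline "$g" /dev/sdX3; cat "$g"
    rm -f "$c" "$g"
fi
```

After running ensure_hooks and set_grub_cmdline on the real files, the mkinitcpio -p linux and grub-mkconfig commands from the steps above still have to be run, in that order, for the changes to reach the initramfs and grub.cfg.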