Skip to content

Instantly share code, notes, and snippets.

@AntonFriberg

AntonFriberg/arch-linux-install.md

Forked from kylemanna/arch-linux-install.md
Last active May 13, 2020 11:22
Show Gist options
  • Save AntonFriberg/9992718da22c2437733db0f1dadb5473 to your computer and use it in GitHub Desktop.
Save AntonFriberg/9992718da22c2437733db0f1dadb5473 to your computer and use it in GitHub Desktop.
Download ZIP
Minimal instructions for installing arch linux on an UEFI NVMe system with full system encryption using dm-crypt and luks
Raw
arch-linux-install.md

Install ARCH Linux with encrypted file-system and UEFI

The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.

Download the Arch ISO

Verify the ISO

gpg --verify archlinux-2019.11.01-x86_64.iso.sig

Copy to a USB drive

dd if=archlinux-*.iso of=/dev/sdX bs=4M status=progress oflag=sync # on linux

Boot from USB drive

If the usb fails to boot, make sure that secure boot is disabled in the BIOS configuration.

This assumes a wifi only system...

wifi-menu

Verify internet and bring up this guide using the elinks browser

Ping archlinux to verify internet access and access this guide from within your arch linux installation environment using the built in elinks browser.

ping archlinux.org
elinks

Create partitions

cgdisk /dev/nvme0n1
1 512MB EFI partition # Hex code ef00
2 100% size partiton # (to be encrypted) Hex code 8300

Create EFI partition

mkfs.vfat -F32 -n EFI /dev/nvme0n1p1

Setup the encryption of the system with 256 bit effective size

Note: Many NVMe drives can exceed 2GB/s, consider your crypto algorithm wisely, review cryptsetup benchmark, the defaults are viewable end of cryptsetup --help, defaults are commonly the fastest with good security from my experience with cryptsetup (AES 256, sha256, 2000ms)

cryptsetup --use-random luksFormat /dev/nvme0n1p2
cryptsetup luksOpen /dev/nvme0n1p2 luks

Create encrypted partitions

This creates one partions for root, modify if /home or other partitions should be on separate partitions

pvcreate /dev/mapper/luks
vgcreate vg0 /dev/mapper/luks
lvcreate --size 16G vg0 --name swap
lvcreate -l +100%FREE vg0 --name root

Create filesystems on encrypted partitions

mkfs.ext4 -L root /dev/mapper/vg0-root
mkswap /dev/mapper/vg0-swap

Mount the new system

mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
swapon /dev/mapper/vg0-swap # Not needed but a good thing to test
mkdir /mnt/boot
mount /dev/nvme0n1p1 /mnt/boot

Install the system

Also includes stuff needed for starting wifi when first booting into the newly installed system Unless vim and zsh are desired these can be removed from the command. Dialog is needed by wifi-menu

pacstrap /mnt base base-devel linux linux-firmware lvm2 zsh git sudo efibootmgr dialog intel-ucode

Generate fstab

genfstab -pU /mnt | tee -a /mnt/etc/fstab

Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)

#tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0

Also change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)

Enter the new system

arch-chroot /mnt /bin/bash

Setup system clock

ln -s /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
hwclock --systohc --utc

Set the hostname

echo MYHOSTNAME > /etc/hostname

Generate locale

Uncomment wanted locales in /etc/locale.gen

vim /etc/locale.gen
locale-gen
localectl set-locale LANG=en_US.UTF-8

To avoid problems with gnome-terminal set locale system wide Do NOT set LC_ALL=C. It overrides all the locale vars and messes up special characters Pay attention to the UTF-8. Capital letters !

echo LANG=en_US.UTF-8 >> /etc/locale.conf
echo LC_ALL= >> /etc/locale.conf

Set password for root

passwd

Add user

groupadd MYUSERNAME
useradd -m -g MYUSERNAME -G wheel,storage,power,network,uucp -s /bin/zsh MYUSERNAME
passwd MYUSERNAME

Configure mkinitcpio with modules needed for the initrd image

vim /etc/mkinitcpio.conf
  • Add 'ext4' to MODULES
  • Add 'encrypt' and 'lvm2' to HOOKS before filesystems
  • Add 'resume' after 'lvm2' (also has to be after 'udev')

Regenerate initrd image

mkinitcpio -p linux

Setup systembootd (grub will not work on nvme at this moment)

bootctl --path=/boot install

Create loader.conf

echo default arch >> /boot/loader/loader.conf
echo timeout 5 >> /boot/loader/loader.conf

Create arch.conf (or XYZ.conf for default XYZ in loader.conf)

nvim /boot/loader/entries/arch.conf

Add the following content to arch.conf

<UUID> is the the one of the raw encrypted device (/dev/nvme0n1p2). It can be found with the blkid command

title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options cryptdevice=UUID=<UUID>:vg0 root=/dev/mapper/vg0-root resume=/dev/mapper/vg0-swap rw intel_pstate=no_hwp

Exit new system

exit

Unmount all partitions

umount -R /mnt
swapoff -a

Reboot into the new system, don't forget to remove the cd/usb

reboot

Post-install instructions

Getting working networking on iwd

Enable iwd and connect to wifi

sudo systemctl enable iwd
iwctl device list
iwctl station <device> scan
iwctl station <device> get-networks
iwctl station <device> connect <SSID>

Configure and enable systemd-networkd

The systemd package is part of the default Arch installtion and contains the needed packages.

Configure wireless network in /etc/systemd/network/25-wireless.network

[Match]
Name=wlan0

[Network]
DHCP=ipv4

Configure wired network in /etc/systemd/network/20-wired.network

[Match]
Name=enp0s31f6

[Network]
DHCP=ipv4

Enable systemd-networkd and test connection

sudo systemctl enable systemd-networkd
sudo systemctl status systemd-networkd
ping 8.8.8.8

Add entry to hosts file

Normally you do not need to edit the /etc/hosts file since the myhostname NSS module of systemd provides the needed local hostname resolution. But it is still recommended to avoid problems that some old clients might experience otherwise.

Add the following to your /etc/hosts

127.0.0.1        localhost
::1              localhost
127.0.1.1        <hostname>.localdomain        <hostname>

Add workaround for clients that assume resolveconf

Some DHCP or VPN clients use the resolveconf program to set name servers and search domains (e.g. OpenVPN, Wireguard). To provide these client with the /usr/bin/resolvconf file in the form of a symlink we install the following package.

sudo pacman -S systemd-resolvconf

Configure and enable systemd-resolved

Disable DNSSEC since it is not yet widely adopted in /etc/systemd/resolved.conf.d/dnssec.conf

[Resolve]
DNSSEC=false

Set desired DNS mode. The default is to use a DNS stub file by symlinking to /run/systemd/resolve/stub-resolv.conf but this does not currently work with sshuttle and other utilities. Instead we utilize the normal resolve file.

ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

Enable systemd-resolved and test dns connection

sudo systemctl enable systemd-resolved
sudo systemctl status systemd-resolved
resolvectl query archlinux.org

Change

Install window manager, terminal and dynamic meny

sudo pacman -Syu sway alacrittt dmenu

Enabling audio

sudo pacman -Syu alsa-utils pulseaudio pulseaudio-alsa pavucontrol

If you only see dummy output listed in pavucontrol and are using intel laptop try adding the following kernel parameter

snd_hda_intel.dmic_detect=0

This can be done in the loader configuration /boot/loader/entries/arch.conf

title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options cryptdevice=UUID=<UUID>:vg0 root=/dev/mapper/vg0-root resume=/dev/mapper/vg0-swap rw intel_pstate=no_hwp snd_hda_intel.dmic_detect=0

Reboot and test audio

speaker-test -c 2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment