Installing Arch Linux with an encrypted btrfs root, with GPT and UEFI support

luks_btrfs.sh

# Install arch linux in an encrypted btrfs partition with GPT and UEFI support, gummiboot and hibernate/resume support
# sources:
# http://hole.tuziwo.info/install-arch-linux-on-uefi-gpt-computer-with-btrfs-support.html
# http://www.brunoparmentier.be/blog/how-to-install-arch-linux-on-an-encrypted-btrfs-partition.html
# https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption

# Take note of this:
# - The first thing you need is to identify which disk you're going to use. For the purpose of this guide, it will be /dev/sdX
#   Be VERY CAREFUL if you have more than one disk on your computer, and DOUBLE CAREFUL if one of them is the one with your backups
# - Since btrfs does not support swapfiles (yet), we'll create a swap partition. In this guide, it will NOT be encrypted
#   This means that, if you hibernate your notebook, even if you have your whole root encrypted, when you resume,
#   it will come back ALREADY UNLOCKED.
# - This doc expects you kinda know what you're doing already, and just needs the steps to guide you thru it.

# 1 - set the setup environment how we like it
loadkeys br-abnt2
setfont Lat2-Terminus16

# 2 - wipe your existing disk with random data
# Wiping your disk is an optional step. This is supposed to make your data harder to eventually recover via cryptoanalysis.
# If you're not worried about this, and just want to make sure that whoever steals your notebook doesn't look into your
# cat pictures, then feel free to skip to Partitioning below.
# Relevant XKCD: https://xkcd.com/538/
# wipe the SSD with randomness
cryptsetup open --type plain /dev/sdX container
dd if=/dev/zero of=/dev/mapper/container
# go grab yourself some coffee or watch an episode of Doctor Who, this WILL take a while.
cryptsetup luksClose container

# 3 - Partitioning:
gdisk /dev/sdX
# sdX1 = /boot, sdX2 = SWAP, sdX3 = encrypted root
# for the SWAP partition below, try and make it a bit bigger than your RAM, for hybernating
# o ,
# n , [enter] , [enter], +512M , EF00 ,
# n , [enter] , [enter], +8G, 8200,
# n , [enter] , [enter], [enter] , [enter] ,
# w

# 4 - Formatting the partitions:
# the first one is our ESP partition, so for now we just need to format it
mkfs.vfat -F32 -n "EFI" /dev/sdX1
# the second one will be our swap partition:
mkswap -L swap /dev/sdX2
# the third one one will be our encrypted root
# first, we need to prepare the encrypted (outer) volume
cryptsetup --cipher aes-xts-plain64 --hash sha512 --use-random --verify-passphrase luksFormat /dev/sdX3
# I really hope I don't have to lecture you on NOT LOSING this password, lest all of your data will be forever inaccessible, right?
# then, we actually open it as a block device, and format the inner volume
cryptsetup luksOpen /dev/sdX3 root
mkfs.btrfs -L "Arch Linux" /dev/mapper/root

# 5 - Mount the partition
mkdir -p /mnt/btrfs-root
mount -o defaults,relatime,space_cache /dev/mapper/root /mnt/btrfs-root
mkdir -p /mnt/btrfs-root/__active
mkdir -p /mnt/btrfs-root/__snapshot

# 6 - Create btrfs subvolumes
cd /mnt/btrfs-root
btrfs subvolume create __active/rootvol
btrfs subvolume create __active/home
btrfs subvolume create __active/var
btrfs subvolume create __active/opt

# 7 - Create mountpoints and mount the btrfs subvolumes on the correct hierarchy
mkdir -p /mnt/btrfs-active
mount -o defaults,nodev,relatime,space_cache,subvol=__active/rootvol /dev/mapper/root /mnt/btrfs-active
# create the mountpoints and mount separately /home, /opt, /var and /var/lib
mkdir -p /mnt/btrfs-active/{home,opt,var,var/lib,boot}
mount -o defaults,nosuid,nodev,relatime,subvol=__active/home /dev/mapper/root /mnt/btrfs-active/home
mount -o defaults,nosuid,nodev,relatime,subvol=__active/opt /dev/mapper/root /mnt/btrfs-active/opt
mount -o defaults,nosuid,nodev,noexec,relatime,subvol=__active/var /dev/mapper/root /mnt/btrfs-active/var
# /var/lib is special, since it's very useful for snapshots of it to be part of the active root volume.
# To manage that, we bind-mount the directory from the "rootvol" subvolume back inside the var subvolume
mkdir -p /mnt/btrfs-active/var/lib
mount --bind /mnt/btrfs-root/__active/rootvol/var/lib /mnt/btrfs-active/var/lib
# you need to make sure that this directory exists, there's a step below for that

# 8 - Mount the EFI partition
# we're using /boot here, not /boot/efi as some suggest, since our / is encrypted.
# apparently, grub2 can manage this, but I haven't been able to replicate it.
mount -o defaults,nosuid,nodev,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro /dev/sdX1 /mnt/btrfs-active/boot

# 9 - now that the filesystem layout is of our liking, we install arch
# (this is the time where you change the mirrorlist, if that's your thing)
# for simplicity, I'm just installing what's really needed at this point.
pacstrap /mnt/btrfs-active base base-devel btrfs-progs

# 10 - generate the fstab and then manually edit it
# genfstab doesn't really understand the bind-mount
genfstab -U -p /mnt/btrfs-active >> /mnt/btrfs-active/etc/fstab
vi /mnt/btrfs-active/etc/fstab
# it should look kinda like this:
"""
# /dev/sdX1 LABEL=EFI
UUID=1234-ABCD        /boot   vfat rw,nosuid,nodev,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro,discard 0 2

# /dev/sdX2 LABEL=Arch\x20Linux
UUID=44444444-4444-4444-4444-4444444444444	/               btrfs   rw,nodev,relatime,ssd,discard,space_cache,subvol=__active/rootvol 0 0
UUID=44444444-4444-4444-4444-4444444444444	/home           btrfs   rw,nodev,nosuid,relatime,ssd,discard,space_cache,subvol=__active/home 0 0
UUID=44444444-4444-4444-4444-4444444444444	/opt            btrfs   rw,nodev,nosuid,relatime,ssd,discard,space_cache,subvol=__active/opt 0 0
UUID=44444444-4444-4444-4444-4444444444444	/var            btrfs   rw,nodev,nosuid,noexec,relatime,ssd,discard,space_cache,subvol=__active/var 0 0
UUID=44444444-4444-4444-4444-4444444444444	/run/btrfs-root btrfs   rw,nodev,nosuid,noexec,relatime,ssd,discard,space_cache 0 0
/run/btrfs-root/__active/rootvol/var/lib   	/var/lib        none    bind 0 0

tmpfs                                   	/tmp            tmpfs   rw,nodev,nosuid 0 0
tmpfs                                   	/dev/shm        tmpfs   rw,nodev,nosuid,noexec 0 0
"""

# 11 - chroot into the newly installed system:
arch-chroot /mnt/btrfs-active bash

# 12 - Set up your minimum environment as you wish (as per the Beginner's Guide)
#   12a - timezone
ln -sf /usr/share/zoneinfo/America/Costa_Rica /etc/localtime
hwclock --systohc

#   12b - locale
# Uncomment en_US.UTF-8 UTF-8 in /etc/locale.gen, then
locale-gen

vi /etc/locale.conf
"""
LANG=en_US.UTF-8
"""

#   12c - hostname
vi /etc/hostname
"""
<myhostname>
"""

vi /etc/hosts
"""
127.0.0.1	localhost.localdomain	localhost
::1		localhost.localdomain	localhost
127.0.1.1	<myhostname>.localdomain	<myhostname>
"""

#   12d - root password
passwd

#   12e - networks
pacman -S connman wpa_supplicant

#   12f - console
# follow the Beginner's Guide up until 'Install and configure a bootloader'. You know the drill.

# 13 - now, create the /run directory where btrfs-root will eventually be mounted
# this is the step that (7) above was refering.
mkdir -p /run/btrfs-root

# 14 - fix the mkinitcpio.conf to contain what we actually need.
vi /etc/mkinitcpio.conf
# on the MODULES section, add "vfat aes_x86_64 crc32c-intel" (and whatever else you know your hardware needs. Mine needs i915 too)
# on the BINARIES section, add "/usr/bin/btrfsck", since it's useful to have in case your filesystem has troubles
# on the HOOKS section:
#  - add "resume" after "udev" (IF and ONLY IF you want to enable resume support)
#  - add "encrypt" before "filesystems"
#  - remove "fsck" and
#  - add "btrfs" at the end

# 15 - re-generate your initrd images:
mkinitcpio -p linux

# 16 - use bootctl as a bootloader
bootctl --path=/boot install

# 17 - set the bootloader global options
vi /boot/loader/loader.conf
# it should contain:
"""
default arch
timeout 4
editor 0
"""

# 18 - set the bootloader entries
# "arch.conf" is related to "arch" above.. if you your default in /boot/loader/loader.conf is called "bob", this should be "entries/bob.conf"
vi /boot/loader/entries/arch.conf
# now, for this one, a little bit of explaining is needed
# first, get your hands of the output of blkid, specifically the UUIDs of each block device.
# (the easy way to do this is lsblk -f > /boot/loader/entries/arch.conf, and then edit the file and leave it out as comments)
# for this example, I'm going to mark them like this:
# /dev/sdX1 LABEL="EFI"  				UUID=11111111-1111-1111-1111-111111111111
# /dev/sdX2 LABEL="SWAP" 				UUID=22222222-2222-2222-2222-222222222222
# /dev/sdX3 LABEL="encrypted root"		UUID=33333333-3333-3333-3333-333333333333
# /dev/mapper/root LABEL="Arch Linux" 	UUID=44444444-4444-4444-4444-444444444444
# now, keep these in mind:
#  - 444444... should be the UUID that is present on your fstab, identifying the volume you're mounting. this is your inner encrypted volume
#  - 33333... is the OUTER UUID of your encrypted volume, the actual primary partition on your disk
#  - your DECRYPTED (inner) volume will show as /dev/mapper/luks-3333... . This way, you know which inner volume is inside which outer volume
#  - 2222.... is the swap partition, where you'll be resuming from
"""
title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img

options cryptdevice=UUID=33333333-3333-3333-3333-333333333333:luks-33333333-3333-3333-3333-333333333333 root=UUID=44444444-4444-4444-4444-444444444444 rootflags=subvol=__active/rootvol  quiet resume=UUID=22222222-2222-2222-2222-222222222222 ro
"""

# 19 - Proceed with the configuration as from the beginner's guide, if you still need anything

# 20 - reboot into your new install
reboot

# 21 - after rebooting and entering your password, finish setting up arch the way you want it.

# 22 - ????

# 23 - Profit

luks_lvm_btrfs.sh

# Install arch linux in an encrypted btrfs partition with GPT and UEFI support, bootctl and hibernate/resume support
# sources:
# http://hole.tuziwo.info/install-arch-linux-on-uefi-gpt-computer-with-btrfs-support.html
# http://www.brunoparmentier.be/blog/how-to-install-arch-linux-on-an-encrypted-btrfs-partition.html
# https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption
# https://fogelholk.io/installing-arch-with-lvm-on-luks-and-btrfs/

# Take note of this:
# - The first thing you need is to identify which disk you're going to use. For the purpose of this guide, it will be /dev/sdX
#   Be VERY CAREFUL if you have more than one disk on your computer and DOUBLE CAREFUL if one of them is the one with your backups
# - Since btrfs does not support swapfiles (yet), we'll create a swap partition.
# - This doc expects you kinda know what you're doing already and you just need the steps to guide you thru it.

# 1 - Check the disks to find out which is the one we want to install to
lsblk

# 2 - Wipe your existing disk with random data
# Wiping your disk is an optional step. This is supposed to make your data harder to eventually recover via cryptoanalysis.
# If you're not worried about this, and just want to make sure that whoever steals your notebook doesn't look into your
# cat pictures, then feel free to skip to Partitioning below.
# Relevant XKCD: https://xkcd.com/538/
# wipe the SSD with randomness
cryptsetup open --type plain /dev/sdX container
dd if=/dev/zero of=/dev/mapper/container
# go grab yourself some coffee or watch an episode of Doctor Who, this WILL take a while.
cryptsetup luksClose container

# 3 - Partitioning:
gdisk /dev/sdX
# sdX1 = /boot, sdX2 = encrypted root with LVM mounted on top
# > Command (? for help): o (Create a new empty GUID partition table (GPT))
# > Proceed? (Y/N): Y
#
# > Command (? for help): n (Add a new partition)
# Partition number (1-128, default 1): 1
# First sector: 2048 (default)
# Last sector: +512M
# Hex code or GUID: EF00
#
# > Command (? for help): n (Add a new partition)
# Partition number (2-128, default 2): 2
# First sector: 1050624 (default)
# Last sector: (press Enter to use remaining disk)
# Hex code or GUID: 8E00
#
# And it looks like this:
# > Command (? for help): p (Print):
# Number  Start (sector)    End (sector)  Size       Code  Name
#    1            2048         1050623   512.0 MiB   EF00  EFI System
#    2         1050624       XXXXXXXXX   XXX.X GiB   8E00  Linux LVM
#
# Then save and quit:
# > Command (? for help): w (Write)
# > Do you want to proceed? (Y/N): Y


# 4 - Set up the encrypted container
cryptsetup --cipher aes-xts-plain64 --hash sha512 --use-random --verify-passphrase luksFormat /dev/sdX2
cryptsetup luksOpen /dev/sdX2 lvm

# 5 - Create the LVM physical volume:
pvcreate /dev/mapper/lvm

# 6 - Create the LVM volume group:
vgcreate lvmvg /dev/mapper/lvm

# 7 - Create the LVM logical volumes:
lvcreate -L 8G lvmvg -n swapvol
lvcreate -l 100%Free lvmvg -n rootvol

# The result should look something like this (lsblk)
# sdX                                             8:16   1  57.7G  0 disk
# ├─sdX1                                          8:17   1   512M  0 part
# └─sdX2                                          8:18   1  57.2G  0 part
#   └─lvm                                       254:1    0  57.2G  0 crypt
#     ├─lvmvg-swapvol                           254:2    0     8G  0 lvm
#     └─lvmvg-rootvol                           254:3    0  49.2G  0 lvm


# 8 - Formatting the partitions:
# The first one is our ESP partition, so for now we just need to format it
mkfs.vfat -F32 -n "EFI" /dev/sdX1
# The second one will be our swap logical volume:
mkswap -L swap /dev/mapper/lvmvg-swapvol
swapon /dev/mapper/lvmvg-swapvol
# The third one one will be root logical volume:
mkfs.btrfs -L "Arch Linux" /dev/mapper/lvmvg-rootvol

# 9 - Mount the partition
mkdir -p /mnt/btrfs-root
mount -o defaults,relatime,space_cache,ssd,compress=lzo /dev/mapper/lvmvg-rootvol /mnt/btrfs-root
mkdir -p /mnt/btrfs-root/__active
mkdir -p /mnt/btrfs-root/__snapshot

# 10 - Create btrfs subvolumes
cd /mnt/btrfs-root
btrfs subvolume create __active/rootvol
btrfs subvolume create __active/home
btrfs subvolume create __active/var
btrfs subvolume create __active/opt

# 11 - Create mountpoints and mount the btrfs subvolumes on the correct hierarchy
mkdir -p /mnt/btrfs-active
mount -o compress=lzo,defaults,nodev,relatime,space_cache,ssd,subvol=__active/rootvol /dev/mapper/lvmvg-rootvol /mnt/btrfs-active
# create the mountpoints and mount separately /home, /opt, /var and /var/lib
mkdir -p /mnt/btrfs-active/{home,opt,var,var/lib,boot}
mount -o defaults,nodev,nosuid,relatime,ssd,subvol=__active/home /dev/mapper/lvmvg-rootvol /mnt/btrfs-active/home
mount -o defaults,nodev,nosuid,relatime,ssd,subvol=__active/opt /dev/mapper/lvmvg-rootvol /mnt/btrfs-active/opt
mount -o defaults,nodev,noexec,nosuid,relatime,ssd,subvol=__active/var /dev/mapper/lvmvg-rootvol /mnt/btrfs-active/var
# /var/lib is special, since it's very useful for snapshots of it to be part of the active root volume.
# To manage that, we bind-mount the directory from the "rootvol" subvolume back inside the var subvolume
mkdir -p /mnt/btrfs-active/var/lib
mount --bind /mnt/btrfs-root/__active/rootvol/var/lib /mnt/btrfs-active/var/lib
# you need to make sure that this directory exists, there's a step below for that

# 12 - Mount the EFI partition
# we're using /boot here, not /boot/efi as some suggest, since our / is encrypted.
# apparently, grub2 can manage this, but I haven't been able to replicate it.
mount -o defaults,nosuid,nodev,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro /dev/sdX1 /mnt/btrfs-active/boot

# 13 - Now that the filesystem layout is of our liking, we install arch
# (this is the time where you change the mirrorlist, if that's your thing)
# for simplicity, I'm just installing what's really needed at this point.
pacstrap /mnt/btrfs-active base base-devel btrfs-progs neovim sudo wpa_supplicant
# Note: you should also add 'intel-ucode' for Intel processors.

# 14 - generate the fstab and then manually edit it
# genfstab doesn't really understand the bind-mount
genfstab -U -p /mnt/btrfs-active >> /mnt/btrfs-active/etc/fstab
vi /mnt/btrfs-active/etc/fstab
# it should look kinda like this:
"""
# LABEL=EFI
UUID=YYYY-YYYY					/boot		vfat	rw,nosuid,nodev,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro	0 2

# /dev/mapper/lvmvg-rootvol LABEL=Arch\134x20Linux
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx	/		btrfs	rw,nodev,relatime,compress=lzo,ssd,space_cache,subvolid=257,subvol=__active/rootvol	0 0

# /dev/mapper/lvmvg-rootvol LABEL=Arch\134x20Linux
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx	/home		btrfs	rw,nosuid,nodev,relatime,compress=lzo,ssd,autodefrag,space_cache,subvolid=258,subvol=__active/home	0 0

# /dev/mapper/lvmvg-rootvol LABEL=Arch\134x20Linux
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx	/opt		btrfs	rw,nosuid,nodev,relatime,compress=lzo,ssd,space_cache,subvolid=260,subvol=__active/opt	0 0

# /dev/mapper/lvmvg-rootvol LABEL=Arch\134x20Linux
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx	/var		btrfs	rw,nosuid,nodev,noexec,relatime,compress=lzo,ssd,space_cache,subvolid=259,subvol=__active/var	0 0

# /dev/mapper/lvmvg-rootvol LABEL=Arch\134x20Linux (Manually added)
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx	/run/btrfs-root	btrfs	rw,nosuid,nodev,noexec,relatime,compress=lzo,ssd,space_cache	0 0

# Bound /var/lib (Manually edited)
/run/btrfs-root/__active/rootvol/var/lib	/var/lib	none	bind 0 0

# /dev/mapper/lvmvg-swapvol LABEL=swap
UUID=zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz	none		swap	defaults,pri=-2	0 0

# Temporary (Manually added)
tmpfs						/tmp		tmpfs	rw,nodev,nosuid 0 0
tmpfs						/dev/shm	tmpfs	rw,nodev,nosuid,noexec 0 0
"""

# 15 - chroot into the newly installed system:
arch-chroot /mnt/btrfs-active bash

# 16 - Set up your minimum environment as you wish (as per the Beginner's Guide)
#   16a - timezone
ln -sf /usr/share/zoneinfo/America/Costa_Rica /etc/localtime
hwclock --systohc

#   16b - locale
sed -i 's/#\(en_US.UTF-8 UTF-8\)/\1/' /etc/locale.gen
locale-gen
echo 'LANG=en_US.UTF-8' > /etc/locale.conf

#   16c - hostname
echo '<myhostname>' > /etc/hostname
sed -i 's/\(::1.*\)/\1\n127.0.0.1	<myhostname>.localdomain	<myhostname>/' /etc/hosts

#   16d - root password
passwd

#   16e - console
# follow the Beginner's Guide up until 'Install and configure a bootloader'. You know the drill.

# 17 - now, create the /run directory where btrfs-root will eventually be mounted
# this is the step that (7) above was refering.
mkdir -p /run/btrfs-root

# 18 - fix the mkinitcpio.conf to contain what we actually need.
nvim /etc/mkinitcpio.conf
# on the MODULES section, add "vfat aes_x86_64 crc32c-intel" (and whatever else you know your hardware needs. Mine needs i915 too)
# on the BINARIES section, add "/usr/bin/btrfsck", since it's useful to have in case your filesystem has troubles
# on the HOOKS section:
#  - If installing to USB move "block" to right after udev for appropriate module loading in early userspace
#  - add "keyboard" before "autodetect"
#  - add "encrypt lvm2 btrfs resume" before "filesystems"
#  - remove "fsck"
#  - add "shutdown" to the end (https://bbs.archlinux.org/viewtopic.php?pid=1204644)

# 19 - re-generate your initrd images:
mkinitcpio -p linux

# 20 - use bootctl as a bootloader
bootctl --path=/boot install

# 21 - set the bootloader global options
nvim /boot/loader/loader.conf
# it should contain:
"""
default arch
timeout 4
editor 0
"""

# 22 - set the bootloader entries
# "arch.conf" is related to "arch" above.. if your default in /boot/loader/loader.conf is called "bob", this should be "entries/bob.conf"

# Now, for this one, a little bit of explaining is needed because the values need to be set based on the disks' UUIDs.

#   22a - Obtain UUID information of the disks (IMPORTANT: run this from the host you're installing the new system from, not inside the new Arch)
exit # from the newly installed Arch
lsblk -f | grep 'sdX' -A 5 | sed 's/^/# /' > /mnt/btrfs-active/boot/loader/entries/arch.conf

#   22b - Edit the file that has been generated
arch-chroot /mnt/btrfs-active bash # go back to the new installation
nvim /boot/loader/entries/arch.conf

"""
# sdX
# ├─sdX1                                        vfat        EFI        1111-1111                              /mnt/btrfs-active/boot
# └─sdX2                                        crypto_LUKS            22222222-2222-2222-2222-222222222222
#   └─lvm                                       LVM2_member            333333-3333-3333-3333-3333-3333-333333
#     ├─lvmvg-swapvol                           swap        swap       44444444-4444-4444-4444-444444444444   [SWAP]
#     └─lvmvg-rootvol                           btrfs       Arch Linux 55555555-5555-5555-5555-555555555555   /mnt/btrfs-root

# Manually added based on the above UUIDs
title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img

options cryptdevice=UUID=22222222-2222-2222-2222-222222222222:luks-22222222-2222-2222-2222-222222222222 root=UUID=55555555-5555-5555-5555-555555555555 rootflags=subvol=__active/rootvol quiet resume=UUID=44444444-4444-4444-4444-444444444444 ro
"""
# Now, keep these in mind:
#  - 22222222-... is the OUTER UUID of your encrypted volume, the actual primary partition on your disk.
#  - 55555555-... should be the UUID that is present on your fstab, identifying the volume you're mounting. This is your inner encrypted volume.
#  - 333333-... your DECRYPTED (inner) LVM volume. This way, you know which inner volume is inside which outer volume.
#  - 44444444-... is the swap volume, where you'll be resuming from.

#   22c - Add an entry for loading the Intel microcode before the initial ramdisk.
"""
title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
"""

# 23 - Store journald journals in RAM - to prevent shutdown error (and minimize disk writes)
mkdir -p /etc/systemd/journald.conf.d
nvim /etc/systemd/journald.conf.d/write-in-ram.conf
"""
[Journal]
Storage=volatile
RuntimeMaxUse=30M
"""

# 24 - Proceed with the configuration as from the beginner's guide (if you still need anything)
#   24a - Add the first non-root user:
useradd -m -G wheel -s /bin/bash <username>
passwd <username>

#   24b - configure systemd-networkd

# Let it manage your wired network
nvim /etc/systemd/network/20-wired.network
"""
[Match]
Name=en*

[Network]
DHCP=yes
RouteMetric=10
IPv6PrivacyExtensions=true
## to use static IP uncomment these instead of DHCP
#DNS=192.168.1.254
#Address=192.168.1.87/24
#Gateway=192.168.1.254
"""

# Let it manage your wireless network
nvim /etc/systemd/network/25-wireless.network
"""
[Match]
Name=wl*

[Network]
DHCP=yes
RouteMetric=20
IPv6PrivacyExtensions=true
## to use static IP uncomment these instead of DHCP
#DNS=192.168.1.254
#Address=192.168.1.87/24
#Gateway=192.168.1.254
"""

# wpa_supplicant - the device name is determined with `ip a`
nvim /etc/wpa_supplicant/wpa_supplicant-<device>.conf
"""
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
update_config=1
eapol_version=1
ap_scan=1
fast_reauth=1
"""

# Setup systemd-resolved
rm /etc/resolv.conf
ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
systemctl enable systemd-resolved

# Setup systemd-networkd
systemctl enable systemd-networkd

# Set hook for having dhcpcd start wpa_supplicant
ln -s /usr/share/dhcpcd/hooks/10-wpa_supplicant /usr/lib/dhcpcd/dhcpcd-hooks/

# These actions need to be done after rebooting in the new install (it is
# suggested to copy this information into the new installation for having it at
# hand after reboot).
#
# Add wireless network profile
# set +o history
# sudo wpa_passphrase <ESSID> '<passphrase>' >> /etc/wpa_supplicant/wpa_supplicant-<device>.conf
# set -o history
# /etc/wpa_supplicatn/wpa_supplicant-<defice>.conf can be manually edited for removing plain text passprhase
#
# Enable and start dhcpd:
# sudo systemctl enable dhcpcd
# sudo systemctl start dhcpcd

# 25 - reboot into your new install
reboot

# 26 - keyboard (English with altgr-intl)
# Once logged in as the user:
localectl --no-convert set-x11-keymap us pc104 altgr-intl

###############################################################################

# In case something goes wrong, this mounts everything again:
cryptsetup luksOpen /dev/sdX2 lvm

# First check the lvm volumes are active: lsblk
# sdX
# ├─sdX1                                          8:33   1   512M  0 part
# └─sdX2                                          8:34   1  XX.XG  0 part
#   └─lvm                                       254:1    0  XX.XG  0 crypt
#     ├─lvmvg-swapvol                           254:2    0     XG  0 lvm
#     └─lvmvg-rootvol                           254:3    0  XX.XG  0 lvm

# If they aren't, then run:
vgscan
vgchange -ay

# Once you're sure they are active
swapon /dev/mapper/lvmvg-swapvol
mount -o defaults,relatime,space_cache,ssd,compress=lzo /dev/mapper/lvmvg-rootvol /mnt/btrfs-root
mount -o defaults,nodev,relatime,space_cache,ssd,subvol=__active/rootvol /dev/mapper/lvmvg-rootvol /mnt/btrfs-active
mount -o defaults,nodev,nosuid,relatime,ssd,subvol=__active/home /dev/mapper/lvmvg-rootvol /mnt/btrfs-active/home
mount -o defaults,nodev,nosuid,relatime,ssd,subvol=__active/opt /dev/mapper/lvmvg-rootvol /mnt/btrfs-active/opt
mount -o defaults,nodev,noexec,nosuid,relatime,ssd,subvol=__active/var /dev/mapper/lvmvg-rootvol /mnt/btrfs-active/var
mount --bind /mnt/btrfs-root/__active/rootvol/var/lib /mnt/btrfs-active/var/lib
mount -o defaults,nosuid,nodev,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro /dev/sdX1 /mnt/btrfs-active/boot

# Then umount
umount /mnt/btrfs-active/boot
umount /mnt/btrfs-active/var/lib
umount /mnt/btrfs-active/var
umount /mnt/btrfs-active/opt
umount /mnt/btrfs-active/home
umount /mnt/btrfs-active
umount /mnt/btrfs-root
swapoff /dev/mapper/lvmvg-swapvol
lvchange -a n lvmvg
cryptsetup luksClose lvm