@tatumroaquin
Last active December 15, 2021 13:19
UEFI Encrypted Arch Linux (10/2021)

Bootable USB

  1. lsblk - list block devices
  2. sudo umount /dev/sdx - ensure the USB is not mounted
  3. sudo dd bs=4M if=path/to/input.iso of=/dev/sdx oflag=sync status=progress

Check UEFI Support

  • ls /sys/firmware/efi/efivars
  • if the directory exists then UEFI is supported

Establish Connectivity

The iwd (iNet wireless daemon) is included in the ISO by default and provides the iwctl utility.

  1. iwctl - run the interactive prompt
  2. device list - list all wireless NICs
  3. station wlan0 scan
  4. station wlan0 get-networks
  5. station wlan0 connect <ssid>
  6. ping archlinux.org

alternatively:

  • iwctl --passphrase passphrase station <device> connect <ssid>

Partition Drives

  • cfdisk /dev/nvme0n1
  • create a boot partition of at least 300MB (512MB recommended)
  • ensure that the boot partition type is an EFI System
  • create a root partition consisting of the rest of the space
  • ensure that the root partition type is a Linux Filesystem

NOTE: the main advantage of separate root and home partitions is that personal data can be retrieved even when the system is reinstalled or corrupted. The disadvantage is that only a limited amount of software can be installed on the root partition. I do not use this type of partitioning because I like a flexible system where size is not a constraint.

Encrypt Root Partition

  1. cryptsetup -y -v luksFormat /dev/nvme0n1p2
  2. cryptsetup open /dev/nvme0n1p2 root

Make File Systems

The mkfs front-end is provided by the packages util-linux and util-linux-libs (from the Linux kernel archive), which are included on the ISO. To format DOS file systems such as FAT32 after this guide, install the package dosfstools, which provides mkfs.vfat.

  1. mkfs.vfat -F 32 /dev/nvme0n1p1 - UEFI needs FAT32
  2. mkfs.ext4 /dev/mapper/root - root partition ext4 is standard

Mount File Systems

  1. mount /dev/mapper/root /mnt
  2. mkdir /mnt/boot
  3. mount /dev/nvme0n1p1 /mnt/boot
  4. lsblk

Make Swap File

  1. dd if=/dev/zero of=/mnt/swapfile bs=1M count=2048 status=progress
  2. chmod 600 /mnt/swapfile
  3. mkswap /mnt/swapfile
  4. swapon /mnt/swapfile

Install Linux Base Packages

  1. pacstrap /mnt base base-devel linux linux-firmware zsh sudo neovim
  2. genfstab -U /mnt >> /mnt/etc/fstab - the -U flag utilises UUIDs
  3. arch-chroot /mnt

Setup Timezone and Locales

  1. ln -sf /usr/share/zoneinfo/Australia/NSW /etc/localtime
  2. hwclock --systohc
  3. timedatectl set-ntp true
  4. nvim /etc/locale.gen
# Uncomment the following lines (LANG in locale.conf must be one of the generated locales)
en_AU.UTF-8 UTF-8
en_US.UTF-8 UTF-8
zh_CN.UTF-8 UTF-8
  5. locale-gen
  6. echo LANG=en_AU.UTF-8 > /etc/locale.conf

Set Hostname

  1. hostnamectl hostname <name> or echo '<name>' > /etc/hostname
  2. nvim /etc/hosts
# Insert/Modify the following lines
127.0.0.1 localhost
::1       localhost
127.0.1.1 hostname.localdomain hostname

Setup Initramfs

  1. nvim /etc/mkinitcpio.conf
# move keyboard between autodetect and modconf (so the keyboard works at the passphrase prompt), add encrypt between block and filesystems
HOOKS=(base udev autodetect keyboard modconf block encrypt filesystems fsck)
  2. mkinitcpio -P

Install Bootloader

  1. pacman -S grub efibootmgr intel-ucode (or amd-ucode for AMD processors)
  2. blkid -s UUID -o value /dev/nvme0n1p2 - get the UUID of the LUKS partition
  3. nvim /etc/default/grub
# replace xxxx with the UUID of nvme0n1p2 so GRUB passes the encrypted device to the initramfs
GRUB_TIMEOUT=0
GRUB_CMDLINE_LINUX="cryptdevice=UUID=xxxx:root"
  4. grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
  5. grub-mkconfig -o /boot/grub/grub.cfg - generate the GRUB configuration
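A pre-flight check for the two hand-edited files above (the HOOKS line and the cryptdevice parameter), added here as an example and not part of the original gist. It assumes the guide's LUKS partition /dev/nvme0n1p2 and mapping name root; run it inside the chroot before mkinitcpio -P and grub-mkconfig, since a misordered hook or a leftover xxxx placeholder leaves the encrypted root unbootable.

```shell
#!/bin/bash
# Added example (not from the original gist): validate the mkinitcpio HOOKS
# order and build the GRUB cryptdevice line from a real blkid UUID, so that
# mistakes are caught before the initramfs and grub.cfg are generated.

# hook_index HOOKS_LINE NAME: print the 1-based position of NAME in the
# HOOKS=(...) array, or 0 when it is absent.
hook_index() {
    local line i=0 h
    line=$(printf '%s\n' "$1" | tr -d '()')   # drop the parentheses
    line=${line#HOOKS=}
    for h in $line; do
        i=$((i + 1))
        [ "$h" = "$2" ] && { echo "$i"; return 0; }
    done
    echo 0
}

# check_hooks HOOKS_LINE: succeed only when encrypt sits between block and
# filesystems and keyboard precedes encrypt (needed to type the passphrase).
check_hooks() {
    local kb enc blk fs
    kb=$(hook_index "$1" keyboard); enc=$(hook_index "$1" encrypt)
    blk=$(hook_index "$1" block);   fs=$(hook_index "$1" filesystems)
    [ "$enc" -gt 0 ] || { echo "HOOKS: encrypt hook missing" >&2; return 1; }
    [ "$blk" -gt 0 ] && [ "$blk" -lt "$enc" ] || { echo "HOOKS: encrypt must follow block" >&2; return 1; }
    [ "$fs" -gt 0 ] && [ "$enc" -lt "$fs" ] || { echo "HOOKS: encrypt must precede filesystems" >&2; return 1; }
    [ "$kb" -gt 0 ] && [ "$kb" -lt "$enc" ] || { echo "HOOKS: keyboard must precede encrypt" >&2; return 1; }
}

# cryptdevice_line UUID: print the GRUB_CMDLINE_LINUX line for the guide's
# "root" mapping, refusing anything that is not a blkid-style UUID so the
# xxxx placeholder from the guide cannot reach /etc/default/grub.
cryptdevice_line() {
    if ! printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo "not a UUID: '$1' (use blkid -s UUID -o value /dev/nvme0n1p2)" >&2
        return 1
    fi
    printf 'GRUB_CMDLINE_LINUX="cryptdevice=UUID=%s:root"\n' "$1"
}

# Run against the live files when present (skipped when run outside the chroot).
if [ -r /etc/mkinitcpio.conf ]; then
    check_hooks "$(grep '^HOOKS=' /etc/mkinitcpio.conf)" && echo "HOOKS order OK"
fi
if [ -b /dev/nvme0n1p2 ]; then
    cryptdevice_line "$(blkid -s UUID -o value /dev/nvme0n1p2)"
fi
```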

Install Network Manager

  1. pacman -S networkmanager
  2. systemctl enable --now NetworkManager
  3. exit && reboot

Connect to Wi-Fi AP

  1. nmcli d wifi list
  2. nmcli d wifi connect ESSID password MY_PASSWORD

Setup Audio Drivers

sudo pacman -S pipewire pipewire-pulse

Setup Bluetooth

  1. sudo pacman -S bluez bluez-utils
  2. sudo systemctl enable bluetooth.service

Install A Firewall

  1. sudo pacman -S nftables
  2. sudo nvim /etc/nftables.conf
## Comment rules if they are not needed
#tcp dport ssh accept comment "allow sshd"
  3. sudo systemctl enable nftables --now

Enable Time Synchronization

sudo systemctl enable systemd-timesyncd.service --now

Laptop Power Management

  1. sudo pacman -S tlp tlp-rdw
  2. sudo systemctl enable tlp --now
  3. sudo systemctl enable NetworkManager-dispatcher --now
  4. sudo tlp-stat
  • follow the instructions provided by tlp-stat

Maintain SSD Health

sudo systemctl enable --now fstrim.timer

Reflector Mirrorlist Updates (Optional)

  1. sudo pacman -S reflector
  2. sudo nvim /etc/xdg/reflector/reflector.conf
  3. sudo systemctl enable reflector.timer --now

Reduce Swappiness (if RAM > 4GB)

echo 'vm.swappiness=10' | sudo tee /etc/sysctl.d/99-swappiness.conf - (sudo echo ... > file does not work because the redirection is performed by the unprivileged shell)

Setup Sudo Groups

  1. passwd root
  2. EDITOR=nvim VISUAL=nvim visudo or nvim /etc/sudoers - uncomment the %sudo group rule
## Uncomment to allow members of group sudo to execute any command
## NOPASSWD lets any process running as a sudo-group member become root without authenticating;
## the password-prompting form is %sudo ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL) NOPASSWD: ALL
  3. sudo passwd -l root - (optional lock out root for security)

NOTE: Arch does not ship a sudo group (only wheel), so run groupadd sudo before adding users to it, or use the %wheel rule instead.

Create Regular User

  1. useradd -m -G wheel,sudo,video <username>
  2. passwd <username>
  3. su - <username>

Install Dotfiles

  1. sudo pacman -S git
  2. git config --global user.email <email>
  3. git config --global user.name <username>
  4. git config --global init.defaultBranch <branchname>
  5. git clone --bare <git-repo-url> $HOME/.local/share/.dotrepo
  6. alias dot="git --git-dir=$HOME/.local/share/.dotrepo --work-tree=$HOME"
  7. dot checkout
  8. dot config --local status.showUntrackedFiles no