tjcim · August 22, 2020 17:57
diff --git a/gistfile1.txt b/gistfile1.txt
 ###########################################
 We will use GPT and grub as the bootloader.

 # First Hard drive (nvme0n1)
 The ESP will reside in the first partition mounted to /efi.
 The kernel and initramfs will be the second partition and will be mounted to /boot
 The third partition on nvme0n1 will be encrypted with Luks with a password.
 The encrypted partition on the first drive will always require a password to be manually entered on boot.

 # Second Hard drive (sda)
 The second harddrive will have one partition.
 The partition on the second harddrive will be encrypted with Luks and be decrypted by password or a file.
 Decryption with both password and file allows us to access it manually (if needed) and the system to decrypt automatically during boot.

 # LVM
 LVM will go on the two encrypted partitions.
 LVM will have two logical partitions and swap:

  * swap - 32GB - Filesystem: swap
  * /root - /dev/nvme0n1p3 - Filesystem: ext4
  * /home - /dev/sda1 - Filesystem: ext4

 #############################################

 # Download and verify iso
 gpg --homedir=/etc/pacman.d/gnupg --verify ~/Downloads/archlinux-2020.08.01-x86_64.iso.sig

 # Burn iso to USB - Make sure you have the right drive by running `lsblk`
 sudo dd bs=4M if=/home/trevor/Downloads/archlinux-2020.08.01-x86_64.iso of=/dev/sdb status=progress oflag=sync

 # Update bios
 # Turn off secure boot in bios
 # Boot usb image

 # Check we are booting into UEFI Mode - if this shows no errors we are in UEFI Mode
 ls /sys/firmware/efi/efivars

 # Set root passwd (this is a temp password used for install only)
 passwd

 # Ensure time is correct
 timedatectl set-ntp true

 # Start ssh to connect using another computer
 systemctl start sshd.service

 # Get IP address
 ip addr

 # Log into computer from another machine using root user
 ssh root@<ip address>

 # This gist is designed to work with two harddrives
  # /dev/nvme0n1 is for root
  # /dev/sda will be used for home
 gdisk /dev/nvme0n1

 # Create partitions on primary drive:
 o<enter> Y<enter> # Create a new GPT

 # This system will create 3 partitions on nvme0n1:
  # /efi will hold the ESP
  # /boot will hold the kernel and initramfs
  # LVM partition will be encrypted
 n<enter> 1<enter> <enter> +300M<enter> EF00<enter> # Partition 1 = 300 MiB EFI partition # Hex code EF00
 n<enter> 2<enter> <enter> +300M<enter> 8300<enter> # Partition 2 = 300 MiB Boot partition # Hex code 8300
 n<enter> 3<enter> <enter> <enter> <enter> # Partition 3 = Rest of drive # Hex code 8300.  

 # Review partitions
 p<enter>

 # Write gdisk changes
 w<enter>

 # Create partition on second disk
 gdisk /dev/sda
 o<enter> Y<enter>

 n<enter> 1<enter> <enter> <enter> <enter> # Partition 1 = All of the drive # Hex code 8300

 # Review partitions
 p<enter>

 # Write gdisk changes
 w<enter>

 # Create filesystems for /efi and /boot
 mkfs.vfat -F 32 /dev/nvme0n1p1
 mkfs.ext2 /dev/nvme0n1p2

 # Encrypt system partition on first harddrive with password
 cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random luksFormat /dev/nvme0n1p3

 # Encrypt second harddrive with password
 cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random luksFormat /dev/sda1

 # Create file to use as a key to open second harddrive
 dd if=/dev/urandom of=/keyfile.bin bs=1024 count=20

 # Add file as key to open second harddrive - later we will copy this to the root partition
 cryptsetup luksAddKey /dev/sda1 /keyfile.bin

 # Open first harddrive with password
 cryptsetup luksOpen /dev/nvme0n1p3 cryptroot

 # Open second harddrive with keyfile
 cryptsetup --key-file /keyfile.bin luksOpen /dev/sda1 crypthome

 # Create encrypted LVM partitions
 pvcreate /dev/mapper/cryptroot
 pvcreate /dev/mapper/crypthome
 vgcreate Arch /dev/mapper/cryptroot
 vgcreate ArchHome /dev/mapper/crypthome
 # I use a larger swap for virtual machines,
 # I seem to run into trouble without it. If you don't need a large
 # swap set this to something reasonable for you.
 lvcreate -L +32G Arch -n swap
 lvcreate -l +100%FREE Arch -n root
 lvcreate -l +100%FREE ArchHome -n home

 # Create filesystems on your encrypted partitions. I will be using ext4
 mkswap /dev/mapper/Arch-swap
 mkfs.ext4 /dev/mapper/Arch-root
 mkfs.ext4 /dev/mapper/ArchHome-home

 # Mount the new system 
 mount /dev/mapper/Arch-root /mnt
 swapon /dev/mapper/Arch-swap
 mkdir /mnt/boot
 mount /dev/nvme0n1p2 /mnt/boot
 mkdir /mnt/efi
 mount /dev/nvme0n1p1 /mnt/efi
 mkdir /mnt/home
 mount /dev/mapper/ArchHome-home /mnt/home

 # Check pacman.d mirrolist and comment out any that you do not want to use
 vim /etc/pacman.d/mirrorlist

 # Copy keyfile to new drive and set permissions
 cp /keyfile.bin /mnt/keyfile.bin
 chmod 000 /mnt/keyfile.bin

 # Install your base Arch system along with a couple of utilities
 pacstrap /mnt base base-devel linux mkinitcpio grub-efi-x86_64 efibootmgr dialog vim lvm2

 # Create and review FSTAB
 genfstab -U /mnt >> /mnt/etc/fstab  # The -U option pulls in all the correct UUIDs for your mounted filesystems.
 sed -i 's/noatime/relatime/g' /mnt/etc/fstab  # Swap noatime with relatime

 # Edit crypttab
 HOMEUUID=$(blkid /dev/sda1 | awk '{print $2}' | cut -d '"' -f2)
 echo "crypt_hdd UUID=$HOMEUUID /keyfile.bin luks" >> /mnt/etc/crypttab

 # Copy edited pacman.d to new drive
 cp /etc/pacman.d/mirrorlist /mnt/etc/pacman.d/mirrorlist

 # Enter the new system
 arch-chroot /mnt /bin/bash

 # Set locale
 echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
 locale-gen
 echo "LANG=en_US.UTF-8" > /etc/locale.conf
 export LANG=en_US.UTF-8

 # Set clock
 unlink /etc/localtime
 ln -s /usr/share/zoneinfo/US/Mountain /etc/localtime
 hwclock --systohc --utc

 # Assign your hostname
 echo "eth1" > /etc/hostname

 # Add entries to /etc/hosts
 127.0.0.1	localhost
 ::1		localhost
 127.0.1.1	eth1.localdomain	eth1

 # Install dhcpcd (a dhcp client)
 pacman -Sy dhcpcd

 # Enable dhcpcd
 systemctl enable dhcpcd.service

 # Set root password
 passwd

 # Create user
 useradd -m -G wheel -s /bin/bash trevor
 passwd trevor

 # Configure mkinitcpio with the correct HOOKS required for your initrd image
 sed -i 's/^HOOKS=.*/HOOKS="base udev autodetect modconf block keyboard encrypt lvm2 resume filesystems fsck"/' /etc/mkinitcpio.conf
 mkinitcpio -p linux

 # Install and configure Grub-EFI
 grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=ArchLinux
 ROOTUUID=$(blkid /dev/nvme0n1p3 | awk '{print $2}' | cut -d '"' -f2)
 sed -i "s/^GRUB_CMDLINE_LINUX=.*/GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=$ROOTUUID:cryptroot:allow-discards root=\/dev\/mapper\/Arch-root resume=\/dev\/mapper\/Arch-swap\"/" /etc/default/grub

 # Generate Your Final Grub Configuration:
 grub-mkconfig -o /boot/grub/grub.cfg

 # Let users in wheel group run any command
 visudo # Uncomment line: '%wheel ALL=(ALL) ALL'

 # Exit Your New Arch System
 exit

 # Unmount all partitions
 umount -R /mnt
 swapoff -a

 # Reboot
 reboot

 # The rest is to enable the provisioning of archlinux using another machine with ansible:

 # Login locally to the machine and install openssh
 sudo pacman -S openssh python

 # On this build I had to edit /etc/dhcpcd.conf so that the computer sends the hostname to the DHCP server.
 sudo vim /etc/dhcpcd.conf
 sudo systemctl restart dhcpcd

 # Start the SSH server
 sudo systemctl start sshd.service

 ------------------

 # The rest I do from the ansible provisioning box

 # Copy your ssh key to the new machine
 ssh-copy-id <user>@<ip address>

 # Ensure you can now do passwordless ssh
 ssh <user>@<ip address> "uname -r"

 -------------------
 # While logged into the new machine via ssh

 # Create an ssh key
 mkdir ~/.ssh
 ssh-keygen -t ed25519 -C "$(whoami)@$(hostname)-$(date -I)" -f ~/.ssh/id_ed25519

 # Generate an ssh key to be used to download dotfiles from github
 ssh-keygen -t ed25519 -C "$(whoami)@$(hostname)-$(date -I)" -f ~/.ssh/github
 cat ~/.ssh/github.pub # Copy to github ssh keys
	###########################################
	We will use GPT and grub as the bootloader.

	# First Hard drive (nvme0n1)
	The ESP will reside in the first partition mounted to /efi.
	The kernel and initramfs will be the second partition and will be mounted to /boot
	The third partition on nvme0n1 will be encrypted with Luks with a password.
	The encrypted partition on the first drive will always require a password to be manually entered on boot.

	# Second Hard drive (sda)
	The second harddrive will have one partition.
	The partition on the second harddrive will be encrypted with Luks and be decrypted by password or a file.
	Decryption with both password and file allows us to access it manually (if needed) and the system to decrypt automatically during boot.

	# LVM
	LVM will go on the two encrypted partitions.
	LVM will have two logical partitions and swap:

	* swap - 32GB - Filesystem: swap
	* /root - /dev/nvme0n1p3 - Filesystem: ext4
	* /home - /dev/sda1 - Filesystem: ext4

	#############################################

	# Download and verify iso
	gpg --homedir=/etc/pacman.d/gnupg --verify ~/Downloads/archlinux-2020.08.01-x86_64.iso.sig

	# Burn iso to USB - Make sure you have the right drive by running `lsblk`
	sudo dd bs=4M if=/home/trevor/Downloads/archlinux-2020.08.01-x86_64.iso of=/dev/sdb status=progress oflag=sync

	# Update bios
	# Turn off secure boot in bios
	# Boot usb image

	# Check we are booting into UEFI Mode - if this shows no errors we are in UEFI Mode
	ls /sys/firmware/efi/efivars

	# Set root passwd (this is a temp password used for install only)
	passwd

	# Ensure time is correct
	timedatectl set-ntp true

	# Start ssh to connect using another computer
	systemctl start sshd.service

	# Get IP address
	ip addr

	# Log into computer from another machine using root user
	ssh root@<ip address>

	# This gist is designed to work with two harddrives
	# /dev/nvme0n1 is for root
	# /dev/sda will be used for home
	gdisk /dev/nvme0n1

	# Create partitions on primary drive:
	o<enter> Y<enter> # Create a new GPT

	# This system will create 3 partitions on nvme0n1:
	# /efi will hold the ESP
	# /boot will hold the kernel and initramfs
	# LVM partition will be encrypted
	n<enter> 1<enter> <enter> +300M<enter> EF00<enter> # Partition 1 = 300 MiB EFI partition # Hex code EF00
	n<enter> 2<enter> <enter> +300M<enter> 8300<enter> # Partition 2 = 300 MiB Boot partition # Hex code 8300
	n<enter> 3<enter> <enter> <enter> <enter> # Partition 3 = Rest of drive # Hex code 8300.

	# Review partitions
	p<enter>

	# Write gdisk changes
	w<enter>

	# Create partition on second disk
	gdisk /dev/sda
	o<enter> Y<enter>

	n<enter> 1<enter> <enter> <enter> <enter> # Partition 1 = All of the drive # Hex code 8300

	# Review partitions
	p<enter>

	# Write gdisk changes
	w<enter>

	# Create filesystems for /efi and /boot
	mkfs.vfat -F 32 /dev/nvme0n1p1
	mkfs.ext2 /dev/nvme0n1p2

	# Encrypt system partition on first harddrive with password
	cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random luksFormat /dev/nvme0n1p3

	# Encrypt second harddrive with password
	cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random luksFormat /dev/sda1

	# Create file to use as a key to open second harddrive
	dd if=/dev/urandom of=/keyfile.bin bs=1024 count=20

	# Add file as key to open second harddrive - later we will copy this to the root partition
	cryptsetup luksAddKey /dev/sda1 /keyfile.bin

	# Open first harddrive with password
	cryptsetup luksOpen /dev/nvme0n1p3 cryptroot

	# Open second harddrive with keyfile
	cryptsetup --key-file /keyfile.bin luksOpen /dev/sda1 crypthome

	# Create encrypted LVM partitions
	pvcreate /dev/mapper/cryptroot
	pvcreate /dev/mapper/crypthome
	vgcreate Arch /dev/mapper/cryptroot
	vgcreate ArchHome /dev/mapper/crypthome
	# I use a larger swap for virtual machines,
	# I seem to run into trouble without it. If you don't need a large
	# swap set this to something reasonable for you.
	lvcreate -L +32G Arch -n swap
	lvcreate -l +100%FREE Arch -n root
	lvcreate -l +100%FREE ArchHome -n home

	# Create filesystems on your encrypted partitions. I will be using ext4
	mkswap /dev/mapper/Arch-swap
	mkfs.ext4 /dev/mapper/Arch-root
	mkfs.ext4 /dev/mapper/ArchHome-home

	# Mount the new system
	mount /dev/mapper/Arch-root /mnt
	swapon /dev/mapper/Arch-swap
	mkdir /mnt/boot
	mount /dev/nvme0n1p2 /mnt/boot
	mkdir /mnt/efi
	mount /dev/nvme0n1p1 /mnt/efi
	mkdir /mnt/home
	mount /dev/mapper/ArchHome-home /mnt/home

	# Check pacman.d mirrolist and comment out any that you do not want to use
	vim /etc/pacman.d/mirrorlist

	# Copy keyfile to new drive and set permissions
	cp /keyfile.bin /mnt/keyfile.bin
	chmod 000 /mnt/keyfile.bin

	# Install your base Arch system along with a couple of utilities
	pacstrap /mnt base base-devel linux mkinitcpio grub-efi-x86_64 efibootmgr dialog vim lvm2

	# Create and review FSTAB
	genfstab -U /mnt >> /mnt/etc/fstab # The -U option pulls in all the correct UUIDs for your mounted filesystems.
	sed -i 's/noatime/relatime/g' /mnt/etc/fstab # Swap noatime with relatime

	# Edit crypttab
	HOMEUUID=$(blkid /dev/sda1 \| awk '{print $2}' \| cut -d '"' -f2)
	echo "crypt_hdd UUID=$HOMEUUID /keyfile.bin luks" >> /mnt/etc/crypttab

	# Copy edited pacman.d to new drive
	cp /etc/pacman.d/mirrorlist /mnt/etc/pacman.d/mirrorlist

	# Enter the new system
	arch-chroot /mnt /bin/bash

	# Set locale
	echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
	locale-gen
	echo "LANG=en_US.UTF-8" > /etc/locale.conf
	export LANG=en_US.UTF-8

	# Set clock
	unlink /etc/localtime
	ln -s /usr/share/zoneinfo/US/Mountain /etc/localtime
	hwclock --systohc --utc

	# Assign your hostname
	echo "eth1" > /etc/hostname

	# Add entries to /etc/hosts
	127.0.0.1 localhost
	::1 localhost
	127.0.1.1 eth1.localdomain eth1

	# Install dhcpcd (a dhcp client)
	pacman -Sy dhcpcd

	# Enable dhcpcd
	systemctl enable dhcpcd.service

	# Set root password
	passwd

	# Create user
	useradd -m -G wheel -s /bin/bash trevor
	passwd trevor

	# Configure mkinitcpio with the correct HOOKS required for your initrd image
	sed -i 's/^HOOKS=.*/HOOKS="base udev autodetect modconf block keyboard encrypt lvm2 resume filesystems fsck"/' /etc/mkinitcpio.conf
	mkinitcpio -p linux

	# Install and configure Grub-EFI
	grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=ArchLinux
	ROOTUUID=$(blkid /dev/nvme0n1p3 \| awk '{print $2}' \| cut -d '"' -f2)
	sed -i "s/^GRUB_CMDLINE_LINUX=.*/GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=$ROOTUUID:cryptroot:allow-discards root=\/dev\/mapper\/Arch-root resume=\/dev\/mapper\/Arch-swap\"/" /etc/default/grub

	# Generate Your Final Grub Configuration:
	grub-mkconfig -o /boot/grub/grub.cfg

	# Let users in wheel group run any command
	visudo # Uncomment line: '%wheel ALL=(ALL) ALL'

	# Exit Your New Arch System
	exit

	# Unmount all partitions
	umount -R /mnt
	swapoff -a

	# Reboot
	reboot

	# The rest is to enable the provisioning of archlinux using another machine with ansible:

	# Login locally to the machine and install openssh
	sudo pacman -S openssh python

	# On this build I had to edit /etc/dhcpcd.conf so that the computer sends the hostname to the DHCP server.
	sudo vim /etc/dhcpcd.conf
	sudo systemctl restart dhcpcd

	# Start the SSH server
	sudo systemctl start sshd.service

	------------------

	# The rest I do from the ansible provisioning box

	# Copy your ssh key to the new machine
	ssh-copy-id <user>@<ip address>

	# Ensure you can now do passwordless ssh
	ssh <user>@<ip address> "uname -r"

	-------------------
	# While logged into the new machine via ssh

	# Create an ssh key
	mkdir ~/.ssh
	ssh-keygen -t ed25519 -C "$(whoami)@$(hostname)-$(date -I)" -f ~/.ssh/id_ed25519

	# Generate an ssh key to be used to download dotfiles from github
	ssh-keygen -t ed25519 -C "$(whoami)@$(hostname)-$(date -I)" -f ~/.ssh/github
	cat ~/.ssh/github.pub # Copy to github ssh keys