Meta
This article is based on this guide
Enable SSH for remote access
# Start the SSH daemon in the live environment so the install can be driven from another machine.
systemctl start sshd.service
# Set a password for the current user of the live session (the login below uses root).
# sshd is reachable from the local network while the installer runs, so do not pick a throw-away password.
passwd
# Show the addresses assigned to this machine.
ip a
# Run this one from the other machine; replace the address with the one reported by `ip a`.
ssh root@10.100.100.149
Installation
Check if UEFI is enabled
# The listing succeeds only when the live system was booted in UEFI mode.
ls /sys/firmware/efi/efivars
Update time
# Turn on NTP synchronisation so the clock is right before packages are downloaded and verified.
timedatectl set-ntp true
# Confirm that the clock is reported as synchronised.
timedatectl status
Export the target disk and partition paths as variables
# Target device and its two partitions. They are exported because later steps,
# including the ones run inside the chroot, refer to ${disk_luks} again.
# NOTE(review): /dev/vda looks like a virtio disk — confirm the right device with
# `lsblk` first, because the wipe that follows destroys everything on $disk.
export disk="/dev/vda"
export disk_boot=/dev/vda1
export disk_luks=/dev/vda2
Wipe the disk that is going to be used. This irreversibly destroys all data on it.
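# Map the whole disk through a temporary plain dm-crypt layer keyed from /dev/urandom,
# then fill that mapping with zeros: what lands on the disk is ciphertext.
# ${disk:?} aborts the command instead of running it with an empty device argument.
cryptsetup open --type plain -d /dev/urandom "${disk:?disk is not set}" target
# dd is expected to stop with "No space left on device" once the mapping is full.
dd if=/dev/zero of=/dev/mapper/target bs=1M status=progress oflag=direct
# Drop the temporary mapping; its random key is discarded with it.
cryptsetup close target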
Partition 1 - EFI partition (ESP) - size 512MiB, code ef00
Partition 2 - encrypted partition (LUKS) - remaining storage, code 8309
# Print the known partition type codes (ef00 and 8309 are the two used here).
sgdisk --list-types
# -n 0:0:+512MiB creates the next free partition number, 512 MiB from the default start;
# -t and -c with partition number 0 set the type code and the name of that same partition.
sgdisk -n 0:0:+512MiB -t 0:ef00 -c 0:esp $disk
# An end value of 0 lets the second partition take the rest of the disk.
sgdisk -n 0:0:0 -t 0:8309 -c 0:luks $disk
# Ask the kernel to re-read the partition table.
partprobe $disk
# Print the resulting table to check it.
sgdisk -p $disk
Format disk
# Create the LUKS header on the second partition; -y asks for the passphrase twice, -v is verbose.
# NOTE(review): --type luks1 is presumably chosen because GRUB unlocks this volume itself
# (GRUB_ENABLE_CRYPTODISK=y further down) and its LUKS2 support is limited — confirm
# against the GRUB version in use.
cryptsetup --type luks1 -v -y luksFormat ${disk_luks}
# Unlock the new container as /dev/mapper/cryptdev.
cryptsetup open ${disk_luks} cryptdev
# FAT32 filesystem labelled ESP on the EFI partition.
mkfs.vfat -F32 -n ESP ${disk_boot}
# Btrfs inside the unlocked LUKS container.
mkfs.btrfs -L archlinux /dev/mapper/cryptdev
# Mount the top level of the filesystem only long enough to create the subvolumes.
mount /dev/mapper/cryptdev /mnt
# One subvolume per tree that is mounted separately further down.
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home
btrfs subvolume create /mnt/@snapshots
btrfs subvolume create /mnt/@cache
btrfs subvolume create /mnt/@libvirt
btrfs subvolume create /mnt/@log
btrfs subvolume create /mnt/@tmp
umount /mnt
# Mount options shared by every subvolume.
export sv_opts="rw,noatime,compress-force=zstd:1,space_cache=v2"
# Root subvolume first, then the mount points inside it.
mount -o ${sv_opts},subvol=@ /dev/mapper/cryptdev /mnt
# Brace expansion creates all six directories in one call (needs bash or zsh).
mkdir -p /mnt/{home,.snapshots,var/cache,var/lib/libvirt,var/log,var/tmp}
mount -o ${sv_opts},subvol=@home /dev/mapper/cryptdev /mnt/home
mount -o ${sv_opts},subvol=@snapshots /dev/mapper/cryptdev /mnt/.snapshots
mount -o ${sv_opts},subvol=@cache /dev/mapper/cryptdev /mnt/var/cache
mount -o ${sv_opts},subvol=@libvirt /dev/mapper/cryptdev /mnt/var/lib/libvirt
mount -o ${sv_opts},subvol=@log /dev/mapper/cryptdev /mnt/var/log
mount -o ${sv_opts},subvol=@tmp /dev/mapper/cryptdev /mnt/var/tmp
# The ESP is mounted at /efi and nothing is mounted at /boot, so /boot stays
# on the encrypted Btrfs root.
mkdir /mnt/efi
mount ${disk_boot} /mnt/efi
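# Refresh the package databases.
pacman -Syy
# Take the 10 most recently synchronised HTTPS mirrors in Germany and order them by
# download rate (--latest selects by freshness, --sort rate does the ordering).
reflector --verbose --protocol https --latest 10 --sort rate --country Germany --save /etc/pacman.d/mirrorlist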
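# Pick the microcode package that matches the CPU vendor. Only one assignment may
# stay active: with both lines enabled the second silently overrides the first.
# export microcode="intel-ucode"  # Intel CPUs
export microcode="amd-ucode"      # AMD CPUs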
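# Install the base system into /mnt (neovim was listed twice; once is enough).
pacstrap /mnt base base-devel ${microcode} btrfs-progs linux linux-firmware bash-completion cryptsetup htop man-db mlocate neovim networkmanager openssh pacman-contrib pkgfile reflector sudo terminus-font tmux
# Record the current mounts in fstab by UUID. The redirection appends, so run this only once.
genfstab -U -p /mnt >> /mnt/etc/fstab
# Continue inside the new system.
arch-chroot /mnt /usr/bin/bash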
Continue installation inside chroot
# Time zone, then write the system time to the hardware clock.
ln -sf /usr/share/zoneinfo/Europe/Warsaw /etc/localtime
hwclock --systohc
# Host name, reused in /etc/hosts below.
export hostname="lightspeed-nb"
echo "$hostname" > /etc/hostname
# The heredoc delimiter is unquoted, so $hostname is expanded while the file is written.
cat > /etc/hosts <<EOF
127.0.0.1 localhost
::1 localhost
127.0.1.1 $hostname.localdomain $hostname
EOF
# Uncomment the chosen locale in /etc/locale.gen, make it the default, and generate it.
export locale="en_US.UTF-8"
sed -i "s/^#\(${locale}\)/\1/" /etc/locale.gen
echo "LANG=${locale}" > /etc/locale.conf
locale-gen
# Console font and keymap; the first echo truncates the file, the second appends to it.
echo "FONT=ter-v24n" > /etc/vconsole.conf
echo "KEYMAP=colemak" >> /etc/vconsole.conf
# Default editor for all users.
echo "EDITOR=nvim" > /etc/environment && echo "VISUAL=nvim" >> /etc/environment
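# Root password for the installed system.
passwd
# Regular account; membership in wheel is what grants sudo below.
useradd -m -G wheel -s /bin/bash mono
passwd mono
# Enable sudo for the wheel group by uncommenting its rule.
sed -i "s/# %wheel ALL=(ALL:ALL) ALL/%wheel ALL=(ALL:ALL) ALL/" /etc/sudoers
# sed changes nothing when the line is spelled differently, so confirm the rule is
# active, and let visudo check the syntax: a broken sudoers file disables sudo entirely.
grep -q '^%wheel ALL=(ALL:ALL) ALL' /etc/sudoers || echo "wheel rule is not enabled in /etc/sudoers" >&2
visudo -c
# Start networking and SSH on every boot.
systemctl enable NetworkManager
# sshd accepts connections as soon as the machine is on a network; review
# /etc/ssh/sshd_config (PermitRootLogin, PasswordAuthentication) before the first boot.
systemctl enable sshd.service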
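# Random keyfile that is later embedded in the initramfs (FILES=... in mkinitcpio.conf)
# so that the root volume can be unlocked from there without typing the passphrase.
# Creating it under umask 077 means it is never readable by other users, not even
# in the moment between dd and chmod.
(umask 077 && dd bs=512 count=4 iflag=fullblock if=/dev/random of=/crypto_keyfile.bin)
chmod 600 /crypto_keyfile.bin
# Enrol the keyfile in an additional LUKS key slot (asks for an existing passphrase).
# disk_luks must have been exported before entering the chroot; ${...:?} stops the
# command with a message if it is empty.
cryptsetup luksAddKey "${disk_luks:?disk_luks is not set}" /crypto_keyfile.bin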
# Boot loader and the tool that manages UEFI boot entries.
pacman -S grub efibootmgr
# Print the UUID of the LUKS partition; it goes into the kernel command line below.
blkid -s UUID -o value ${disk_luks}
# Edit the GRUB defaults and set the three values that follow.
nvim /etc/default/grub
# Replace UUID_OF_ENCRYPTED_PARTITION with the value printed by blkid.
# "cryptdev" is the name the unlocked volume gets under /dev/mapper.
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=UUID_OF_ENCRYPTED_PARTITION:cryptdev"
GRUB_PRELOAD_MODULES="part_gpt part_msdos luks"
# Lets GRUB unlock the LUKS volume itself.
# NOTE(review): presumably required here because /boot is not a separate partition,
# so the kernel and initramfs sit on the encrypted root — confirm.
GRUB_ENABLE_CRYPTODISK=y
Next, edit the initramfs configuration, /etc/mkinitcpio.conf:
FILES
Add the keyfile ...
# The keyfile is copied into every initramfs image that is generated, so those
# images hold a key to the disk: keep them on the encrypted volume and readable
# by root only.
FILES=(/crypto_keyfile.bin)
MODULES
Add btrfs support to mount the root filesystem ...
# NOTE(review): nvme and nvme_core presumably matter only when the root disk is an
# NVMe drive — confirm for your hardware.
MODULES=(btrfs nvme nvme_core)
HOOKS
Set hooks ...
# Hook order is significant; encrypt has to stay ahead of filesystems.
HOOKS=(base udev keyboard autodetect keymap consolefont modconf block encrypt filesystems fsck)
Order of the hooks matters:
base sets up all initial directories and installs base utilities and libraries.
udev starts the udev daemon and processes uevents from the kernel; creating device nodes.
keyboard should be placed before autodetect to include all keyboard drivers in initramfs. Systems that boot with different hardware configurations (example: laptops used both with USB external and built-in keyboards) require this at boot to unlock the encrypted device.
keymap and consolefont load the specified keymap and font from /etc/vconsole.conf.
modconf includes modprobe configuration files.
block adds all block device modules.
encrypt is required to detect and unlock an encrypted root partition. This must be placed before filesystems.
Recreate the initramfs image ...
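# Rebuild the images for every preset so they pick up the FILES, MODULES and HOOKS changes.
mkinitcpio -P
# The images now contain /crypto_keyfile.bin, so make sure only root can read them.
# (mkinitcpio may already create them with this mode; the chmod is then a no-op.)
chmod 600 /boot/initramfs-linux*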
Install GRUB to the ESP and generate its configuration
# Install GRUB for UEFI. With --boot-directory=/efi its own files (modules and
# grub.cfg) live on the ESP, which is not encrypted.
# NOTE(review): anything on the ESP can be modified by someone with physical access;
# disk encryption alone does not protect the boot loader.
grub-install --target=x86_64-efi --efi-directory=/efi --boot-directory=/efi --bootloader-id=GRUB
# List the firmware boot entries to confirm that GRUB was registered.
efibootmgr
# Write the configuration to the boot directory chosen above.
grub-mkconfig -o /efi/grub/grub.cfg
Verify that grub.cfg has entries for insmod cryptodisk and insmod luks by running ...
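# Both module names should show up in the output.
grep 'cryptodisk\|luks' /efi/grub/grub.cfg
# Arch package names are lowercase, and the iwctl tool is shipped in the iwd package;
# --needed skips whatever pacstrap already installed.
pacman -S --needed networkmanager iwd
# Leave the chroot; the remaining commands run in the live environment.
exit
umount -R /mnt
reboot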
Misc
SSD Users
Enable fstrim.timer for SSD drives
# NOTE(review): dm-crypt does not pass TRIM through unless discards are enabled for
# the mapping (with the encrypt hook: cryptdevice=UUID=...:cryptdev:allow-discards),
# so with the kernel command line used above the timer will not trim the encrypted
# root. Enabling discards reveals which blocks of the volume are unused — weigh
# that before turning it on.
systemctl enable fstrim.timer
Pacman
Make pacman aesthetically pleasing
Modify /etc/pacman.conf ...
# Both lines belong in the [options] section.
Color
ILoveCandy
DE
LightDM installation
# --needed skips packages that are already installed and up to date.
pacman -S lightdm lightdm-gtk-greeter --needed
# Start the display manager on every boot.
systemctl enable lightdm
After installation
Check for failed services
# Units that failed to start.
systemctl --failed
# Messages of priority "err" (3) and more severe from the current boot, with explanatory text.
journalctl -p 3 -xb