Szymon Niedźwiedź


This article is based on this guide

Enable SSH for remote access

systemctl start sshd.service
ip a
ssh root@


Check if UEFI is enabled

ls /sys/firmware/efi/efivars

Update time

timedatectl set-ntp true
timedatectl status

export disk variables

export disk="/dev/vda"
export disk_boot=/dev/vda1
export disk_luks=/dev/vda2

Wipe disk that is going to be used

cryptsetup open --type plain -d /dev/urandom $disk target
dd if=/dev/zero of=/dev/mapper/target bs=1M status=progress oflag=direct
cryptsetup close target

Partition 1 - EFI partition (ESP) - size 512MiB, code ef00

Partition 2 - encrypted partition (LUKS) - remaining storage, code 8309

sgdisk --list-types
sgdisk -n 0:0:+512MiB -t 0:ef00 -c 0:esp $disk
sgdisk -n 0:0:0 -t 0:8309 -c 0:luks $disk
partprobe $disk
sgdisk -p $disk

Format disk

cryptsetup --type luks1 -v -y luksFormat ${disk_luks}
cryptsetup open ${disk_luks} cryptdev
mkfs.vfat -F32 -n ESP ${disk_boot}
mkfs.btrfs -L archlinux /dev/mapper/cryptdev
mount /dev/mapper/cryptdev /mnt
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home
btrfs subvolume create /mnt/@snapshots
btrfs subvolume create /mnt/@cache
btrfs subvolume create /mnt/@libvirt
btrfs subvolume create /mnt/@log
btrfs subvolume create /mnt/@tmp
umount /mnt
export sv_opts="rw,noatime,compress-force=zstd:1,space_cache=v2"
mount -o ${sv_opts},subvol=@ /dev/mapper/cryptdev /mnt
mkdir -p /mnt/{home,.snapshots,var/cache,var/lib/libvirt,var/log,var/tmp}
mount -o ${sv_opts},subvol=@home /dev/mapper/cryptdev /mnt/home
mount -o ${sv_opts},subvol=@snapshots /dev/mapper/cryptdev /mnt/.snapshots
mount -o ${sv_opts},subvol=@cache /dev/mapper/cryptdev /mnt/var/cache
mount -o ${sv_opts},subvol=@libvirt /dev/mapper/cryptdev /mnt/var/lib/libvirt
mount -o ${sv_opts},subvol=@log /dev/mapper/cryptdev /mnt/var/log
mount -o ${sv_opts},subvol=@tmp /dev/mapper/cryptdev /mnt/var/tmp
mkdir /mnt/efi
mount ${disk_boot} /mnt/efi
pacman -Syy

# sort by freshest
reflector --verbose --protocol https --latest 10 --sort rate --country Germany --country Germany --save /etc/pacman.d/mirrorlist

export microcode="intel-ucode"
export microcode="amd-ucode"

pacstrap /mnt base base-devel ${microcode} btrfs-progs linux linux-firmware bash-completion cryptsetup htop man-db mlocate neovim networkmanager openssh pacman-contrib pkgfile reflector sudo terminus-font tmux neovim

genfstab -U -p /mnt >> /mnt/etc/fstab
arch-chroot /mnt /usr/bin/bash

Continue installation inside chroot

ln -sf /usr/share/zoneinfo/Europe/Warsaw /etc/localtime
hwclock --systohc

export hostname="lightspeed-nb"

echo "$hostname" > /etc/hostname
cat > /etc/hosts <<EOF   localhost
::1         localhost   $hostname.localdomain $hostname

export locale="en_US.UTF-8"
sed -i "s/^#\(${locale}\)/\1/" /etc/locale.gen
echo "LANG=${locale}" > /etc/locale.conf

echo "FONT=ter-v24n" > /etc/vconsole.conf
echo "KEYMAP=colemak" >> /etc/vconsole.conf
echo "EDITOR=nvim" > /etc/environment && echo "VISUAL=nvim" >> /etc/environment


useradd -m -G wheel -s /bin/bash mono
passwd mono

sed -i "s/# %wheel ALL=(ALL:ALL) ALL/%wheel ALL=(ALL:ALL) ALL/" /etc/sudoers

systemctl enable NetworkManager
systemctl enable sshd.service

dd bs=512 count=4 iflag=fullblock if=/dev/random of=/crypto_keyfile.bin
chmod 600 /crypto_keyfile.bin
cryptsetup luksAddKey ${disk_luks} /crypto_keyfile.bin

pacman -S grub efibootmgr

blkid -s UUID -o value ${disk_luks}

nvim /etc/default/grub
GRUB_PRELOAD_MODULES="part_gpt part_msdos luks"

File that will open


Add the keyfile ...



Add btrfs support to mount the root filesystem ...

MODULES=(btrfs nvme nvme_core)


Set hooks ...

HOOKS=(base udev keyboard autodetect keymap consolefont modconf block encrypt filesystems fsck)

Order of the hooks matters:

    base sets up all initial directories and installs base utilities and libraries.
    udev starts the udev daemon and processes uevents from the kernel; creating device nodes.
    keyboard should be placed before autodetect to include all keyboard drivers in initramfs. Systems that boot with different hardware configurations (example: laptops used both with USB external and built-in keyboards) require this at boot to unlock the encrypted device.
    keymap and consolefont loads the specified keymap and font from /etc/vconsole.conf
    modconf includes modprobe configuration files.
    block adds all block device modules.
    encrypt is required to detect and unlock an encrypted root partition. This must be placed before filesystems.

Recreate the initramfs image ...

mkinitcpio -P



grub-install --target=x86_64-efi --efi-directory=/efi --boot-directory=/efi --bootloader-id=GRUB
grub-mkconfig -o /efi/grub/grub.cfg

Verify that grub.cfg has entries for insmod cryptodisk and insmod luks by running ...
grep 'cryptodisk\|luks' /efi/grub/grub.cfg
pacman -S NetworkManager iwctl

umount -R /mnt


SSD Users

Enable fstrim.timer for SSD drives

systemctl enable fstrim.timer


Make pacman aesthetically pleasing

Modify /etc/pacman.conf ...


LightDM installation

pacman -S lightdm lightdm-gtk-greeter --needed
systemctl enable lightdm

After installation

Check for failed services

systemctl --failed
journalctl -p 3 -xb