arch-linux.md

Arch Linux

Arch Linux - Full disk encryption install

Disable beep

rmmod pcspkr

Remap CAPS-LOCK to CTRL

echo "keymaps 0-127" > kbd-map
echo "keycode 58 = Control" >> kbd-map
loadkeys kbd-map

Network

Ensure your network interface is listed and enabled, for example with ip-link(8):

ip link

Connect to wi-fi

iwctl device list
iwctl station <wlan0> scan
iwctl station <wlan0> get-networks
iwctl station <wlan0> connect <SSID>

Connect to ethernet

dhcpcd

Check network

ping 1.1.1.1 -c 4

SSH Remote Installation [ optional ]

Enable ssh service from the live iso installation media and start screen session

passwd
ip addr
systemctl start sshd
screen -S share-screen

SSH to remote host and shared screen session

ssh [email protected]
screen -x share-screen

Configure Mirrorlist

curl -L 'https://archlinux.org/mirrorlist/?country=all&protocol=https&ip_version=4' >> /etc/pacman.d/mirrorlist
vim /etc/pacman.d/mirrorlist

Refresh pacman db and install reflector

pacman -Syyy
pacman -S reflector
reflector --protocol https --age 24 --latest 32 --sort rate --sort score --sort country --save /etc/pacman.d/mirrorlist
reflector --protocol https --age 24 --latest 32 --sort rate --sort score --sort country --country 'BG,RO,PL,SI,HU,CZ,FR,NL,DE,UA,CH,IT,DK,LT,LV,GB' --save /etc/pacman.d/mirrorlist

Install terminus-font

pacman -Sy terminus-font
setfont ter-v16b

Verify the UEFI/BOOT mode

List the efivars directory:

efivar --list
ls /sys/firmware/efi/efivars

Clock

Update the system clock

timedatectl set-ntp true
timedatectl status

Format NVME/SSD

nvme id-ns -H /dev/nvme0n1
nvme format --lbaf=1 /dev/nvme0n1
nvme id-ns -H /dev/nvme0n1 | grep "Relative Performance"

Disk Partitioning

fdisk -l

The following partitions are required

Mount point | Mounted at   | Partition      | Partition type   | Encryption | Size
/efi        | /mnt/efi     | /dev/nvme0n1p1 | EFI System       | -          | 4GB
/           | /mnt         | /dev/nvme0n1p2 | Linux LVM (root) | luks2      | 256GB

Start fdisk

fdisk /dev/nvme0n1
  1. Create new partition table
  • g - create new GPT partition table
  2. Create EFI partition
  • n - Add new partition
  • 1 - Partition number
  • Enter - For first sector
  • +4G - For last sector
  • t - Change partition type
  • 1 - Partition type - (1) EFI System
  3. Create LVM partition
  • n - Add new partition
  • 2 - Partition number
  • Enter - For first sector
  • +256G | Enter - For last sector
  • t - Change partition type
  • 2 - Number of partition
  • 44 - Partition type - (44) Linux LVM
  4. Save changes
  • p - print partition table
  • w - write table to disk and exit

Setup LVM & Encryption

cryptsetup -y -v luksFormat --sector-size 4096 /dev/nvme0n1p2
cryptsetup open --type luks /dev/nvme0n1p2 lvm

pvcreate --dataalignment 1m /dev/mapper/lvm
vgcreate vg /dev/mapper/lvm

lvcreate -L 32GB vg -n lv-swap
lvcreate -L 128GB vg -n lv-root
lvcreate -l 100%FREE -n lv-home vg

# load device mapper kernel module
lsmod | grep dm_mod
modprobe dm_mod

vgscan
vgchange -ay

Make FS

mkswap /dev/vg/lv-swap
swapon /dev/vg/lv-swap

mkfs.ext4 -b 4096 /dev/vg/lv-root
mount /dev/vg/lv-root /mnt

mkfs.ext4 -b 4096 /dev/vg/lv-home
mount --mkdir /dev/vg/lv-home /mnt/home

mkfs.vfat -F32 -S 4096 /dev/nvme0n1p1
mount --mkdir -o uid=0,gid=0,fmask=0077,dmask=0077 /dev/nvme0n1p1 /mnt/efi

Install Arch Linux

pacstrap -i /mnt base base-devel vi vim
genfstab -U /mnt >> /mnt/etc/fstab

Enter arch-chroot


Install base system

arch-chroot /mnt

pacman-key --init
pacman-key --populate archlinux

pacman -S linux linux-headers linux-firmware mkinitcpio efibootmgr lvm2 terminus-font

echo KEYMAP=us > /etc/vconsole.conf
echo FONT=ter-v16b >> /etc/vconsole.conf

Configure mkinitcpio

vim /etc/mkinitcpio.conf
  • Add to BINARIES -> setfont
  • Add to HOOKS -> systemd, keyboard, sd-vconsole, sd-encrypt, lvm2

File /etc/mkinitcpio.conf should look like this:

# /etc/mkinitcpio.conf
BINARIES=(setfont)
HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt lvm2 filesystems fsck)

Warning

Do not regenerate the initramfs yet, as the /efi/EFI/Linux directory needs to be created by the boot loader installer first!

Set kernel command line

mkinitcpio supports reading kernel parameters from command line files in the /etc/cmdline.d directory

mkdir /etc/cmdline.d
touch /etc/cmdline.d/root.conf
echo "rd.luks.name=$(blkid --match-tag UUID --output value /dev/nvme0n1p2)=lvm root=/dev/vg/lv-root rw rootfstype=ext4 rd.shell=0 rd.emergency=reboot" > /etc/cmdline.d/root.conf

In order to unlock the encrypted root partition at boot, the following kernel parameters need to be set:

# /etc/cmdline.d/root.conf
# ------------------------
rd.luks.name=<DEVICE-UUID>=lvm root=/dev/vg/lv-root rw rootfstype=ext4 rd.shell=0 rd.emergency=reboot
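A typo or a stale UUID in root.conf is the most common reason a build like this never finds its LUKS volume and drops to the rd.emergency action. The following is an added example, not part of the original guide: it pulls the UUID and mapper name out of the rd.luks.name parameter and compares the UUID with what blkid reports for the partition. The device path, file path and sample UUID are the guide's values or constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the guide): cross-check the UUID written into
# /etc/cmdline.d/root.conf against the one blkid reports for the LUKS partition.
# A mismatch means systemd in the initramfs never finds the volume at boot.

# Print the UUID from an "rd.luks.name=<UUID>=<name>" parameter in a kernel
# command line string, or nothing if the parameter is absent.
cmdline_luks_uuid() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | sed -n 's/^rd\.luks\.name=\([0-9a-fA-F-]\{36\}\)=.*/\1/p'
}

# Print the mapper name from the same parameter ("lvm" in this guide).
cmdline_luks_name() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | sed -n 's/^rd\.luks\.name=[0-9a-fA-F-]\{36\}=\(.*\)$/\1/p'
}

# Return 0 when the command line names exactly the given device UUID.
# Arguments: <cmdline-string> <uuid-from-blkid>
cmdline_matches_device() {
    [ -n "$(cmdline_luks_uuid "$1")" ] && [ "$(cmdline_luks_uuid "$1")" = "$2" ]
}

# Live check for the installed system: reads the real file and the real device.
# Arguments: [device] [cmdline file]; defaults are the guide's paths.
check_root_conf() {
    dev="${1:-/dev/nvme0n1p2}"
    conf="${2:-/etc/cmdline.d/root.conf}"
    cmdline_matches_device "$(cat "$conf")" \
        "$(blkid --match-tag UUID --output value "$dev")"
}

# Constructed sample values for an offline demonstration (not a real device).
SAMPLE_UUID="3b7c2f1e-9d4a-4c8b-a1f0-5e6d7c8b9a01"
SAMPLE_CMDLINE="rd.luks.name=${SAMPLE_UUID}=lvm root=/dev/vg/lv-root rw rootfstype=ext4 rd.shell=0 rd.emergency=reboot"
```

On the installed system, run `check_root_conf && echo ok` after any change to the partition layout or a re-run of luksFormat; the function exits non-zero when the file and the device disagree.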

Configure systemd-ukify

pacman -S systemd-ukify sbsigntools efitools
touch /etc/kernel/uki.conf
vim /etc/kernel/uki.conf

Enter the following configuration

# /etc/kernel/uki.conf
# --------------------
[UKI]
OSRelease=@/etc/os-release
PCRBanks=sha256

[PCRSignature:initrd]
Phases=enter-initrd
PCRPublicKey=/etc/kernel/pcr-initrd.pub.pem
PCRPrivateKey=/etc/kernel/pcr-initrd.key.pem

Generate the key for the PCR policy

ukify genkey --config=/etc/kernel/uki.conf

Modify /etc/mkinitcpio.d/linux.preset, with the appropriate mount point of the EFI system partition

vim /etc/mkinitcpio.d/linux.preset

Enter the following configuration

# /etc/mkinitcpio.d/linux.preset
# ------------------------------
ALL_kver="/boot/vmlinuz-linux"
PRESETS=('default' 'fallback')

default_uki="/efi/EFI/Linux/arch-linux.efi"
default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp"

fallback_uki="/efi/EFI/Linux/arch-linux-fallback.efi"
fallback_options="-S autodetect"

Create UKIs directory

mkdir -p /efi/EFI/Linux

Warning

Now generate initial ramdisk environment for booting the Linux kernel

mkinitcpio -p linux
rm /boot/initramfs-linux.img /boot/initramfs-linux-fallback.img /boot/loader/entries/*.conf

Configure the boot loader

Install systemd-boot with:

bootctl install

Configure password

passwd

Configure locale

ln -sf /usr/share/zoneinfo/Europe/Sofia /etc/localtime

hwclock --systohc
hwclock --systohc --utc

vim /etc/locale.gen

# uncomment the locales to generate
bg_BG.UTF-8 UTF-8
en_GB.UTF-8 UTF-8
en_US.UTF-8 UTF-8

locale-gen
echo LANG=en_US.UTF-8 > /etc/locale.conf
echo LC_TIME=en_GB.UTF-8 >> /etc/locale.conf

Configure network

Configure network with iwd or networkmanager

pacman -S iwd
echo arch > /etc/hostname
vim /etc/hosts

# /etc/hosts
::1 localhost
127.0.0.1 localhost
127.0.1.1 arch.local arch

vim /etc/resolv.conf

# /etc/resolv.conf
nameserver 1.1.1.1
nameserver 1.0.0.1
nameserver 8.8.8.8
nameserver 8.8.8.4

mkdir /etc/iwd
vim /etc/iwd/main.conf

# /etc/iwd/main.conf
# -----------------
[General]
EnableNetworkConfiguration=true

[Network]
NameResolvingService=systemd

Enable Network Services

systemctl enable iwd
systemctl enable systemd-networkd
systemctl enable systemd-resolved

Exit arch-chroot

exit

Reboot into UEFI

umount -R /mnt
systemctl reboot --firmware-setup
  • Enable Secure Boot, turn on Setup Mode and Clear All Keys.
  • Save changes and login with root after.

Secure Boot

pacman -S sbctl
sbctl status
sbctl create-keys

# if it fails remove --firmware-builtin or --tpm-eventlog flag
sbctl enroll-keys --microsoft --firmware-builtin --tpm-eventlog

sbctl status
sbctl verify

Sign all the files from sbctl verify

sbctl sign --save /efi/EFI/BOOT/BOOTX64.EFI
sbctl sign --save /efi/EFI/systemd/systemd-bootx64.efi
sbctl sign --save /efi/EFI/Linux/arch-linux.efi
sbctl sign --save /efi/EFI/Linux/arch-linux-fallback.efi

The --save flag is used to add a pacman hook to automatically sign all new files whenever the Linux kernel, systemd or the boot loader is updated.
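Signing the four paths by hand works once, but after the first kernel or systemd-boot update it is easy to miss a file that sbctl verify still reports as unsigned, and Secure Boot then refuses that binary. The script below is an added example, not part of the guide or of sbctl itself: it reads sbctl verify output, lists the unsigned binaries, and on a live system signs them with --save so the pacman hook covers them afterwards. It assumes sbctl verify prints one line per file ending in "is signed" or "is not signed"; the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the guide): make the "sign all the files from
# sbctl verify" step repeatable and checkable.
# Assumption: each sbctl verify line ends in "is signed" or "is not signed".

# Print the paths that sbctl verify (output passed as $1) reports as unsigned.
unsigned_files() {
    printf '%s\n' "$1" \
        | sed -n 's/^.*[[:space:]]\(\/[^[:space:]]*\) is not signed$/\1/p'
}

# Print the paths reported as signed.
signed_files() {
    printf '%s\n' "$1" \
        | sed -n 's/^.*[[:space:]]\(\/[^[:space:]]*\) is signed$/\1/p'
}

# Number of unsigned binaries; 0 means every listed file will pass Secure Boot.
unsigned_count() {
    unsigned_files "$1" | grep -c . || true
}

# Live helper for the installed system: sign whatever is still unsigned
# (with --save, so the pacman hook re-signs it on updates) and re-verify.
sign_unsigned() {
    out=$(sbctl verify)
    unsigned_files "$out" | while read -r f; do
        sbctl sign --save "$f"
    done
    sbctl verify
}

# Constructed sbctl verify output for the offline demonstration; the paths are
# the ones this guide produces.
SAMPLE_VERIFY="Verifying file database and EFI images in /efi...
✓ /efi/EFI/BOOT/BOOTX64.EFI is signed
✓ /efi/EFI/systemd/systemd-bootx64.efi is signed
✗ /efi/EFI/Linux/arch-linux.efi is not signed
✗ /efi/EFI/Linux/arch-linux-fallback.efi is not signed"
```

Run `sign_unsigned` as root after `sbctl enroll-keys`, and `[ "$(unsigned_count "$(sbctl verify)")" = 0 ]` is a cheap post-update assertion to keep in a cron job or a pacman hook of your own.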

Reboot, and verify that Secure Boot is enabled with bootctl command.

reboot
bootctl

Tip

Secure Boot: enabled (user)

Enroll LUKS key in TPM

Warning

Make sure Secure Boot is active and in user mode when binding to PCR 7, otherwise, unauthorized boot devices could unlock the encrypted volume. The state of PCR 7 can change if firmware certificates change, which can risk locking the user out. This can be implicitly done by fwupd or explicitly by rotating Secure Boot keys.

systemd-cryptenroll --tpm2-device=list
systemd-cryptenroll /dev/nvme0n1p2 --recovery-key > recovery-key
cryptsetup luksDump /dev/nvme0n1p2
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --tpm2-public-key /etc/kernel/pcr-initrd.pub.pem --tpm2-with-pin=yes /dev/nvme0n1p2
systemctl reboot

Caution

Including PCR0 in the PCRs can cause the entry to become invalid after every firmware update. This happens because PCR0 reflects measurements of the firmware, and any update to the firmware will change these measurements, invalidating the TPM2 entry. If you prefer to avoid this issue, you might exclude PCR0 and use only PCR7 or other suitable PCRs.
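The Warning and Caution above are easy to get wrong by hand: enrolling while Secure Boot is still in setup mode binds the key to a state that unsigned boot media can reproduce, and including PCR 0 silently invalidates the slot after the next firmware update. The script below is an added example, not part of the guide or of systemd: it parses the "Secure Boot:" line of bootctl, checks the PCR list, and only then runs the same systemd-cryptenroll command as above. The bootctl excerpts are constructed; the device and key paths are the guide's.

```shell
#!/bin/sh
# Added example (not from the guide): gate the TPM2 enrollment on the Secure
# Boot state the Warning requires, and flag PCR 0 as the Caution describes.

# Print the value of the "Secure Boot:" line from bootctl output given as $1,
# e.g. "enabled (user)" or "disabled (setup)"; nothing if the line is absent.
secure_boot_state() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Secure Boot:[[:space:]]*//p' | head -n 1
}

# Return 0 only when Secure Boot is enabled and in user mode.
secure_boot_user_mode() {
    [ "$(secure_boot_state "$1")" = "enabled (user)" ]
}

# Return 0 when a "+"-separated PCR list (e.g. "0+7") contains PCR $2.
pcrs_contain() {
    printf '%s\n' "$1" | tr '+' '\n' | grep -qx "$2"
}

# Decide whether enrollment may proceed: prints the reason, returns 0 (go)
# or 1 (refuse). Arguments: <bootctl output> <pcr list>
enroll_decision() {
    state_text="$1"; pcrs="$2"
    if ! secure_boot_user_mode "$state_text"; then
        echo "refuse: Secure Boot is '$(secure_boot_state "$state_text")', need 'enabled (user)'"
        return 1
    fi
    if ! pcrs_contain "$pcrs" 7; then
        echo "refuse: PCR list '$pcrs' does not bind to PCR 7"
        return 1
    fi
    if pcrs_contain "$pcrs" 0; then
        echo "go: PCR 0 is included, re-enroll after every firmware update"
    else
        echo "go"
    fi
    return 0
}

# Live wrapper for the installed system; runs the real enrollment only on "go".
# Arguments: [device] [pcr list]; defaults are the values used in this guide.
enroll_tpm2() {
    dev="${1:-/dev/nvme0n1p2}"; pcrs="${2:-0+7}"
    enroll_decision "$(bootctl status 2>/dev/null)" "$pcrs" || return 1
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$pcrs" \
        --tpm2-public-key /etc/kernel/pcr-initrd.pub.pem --tpm2-with-pin=yes "$dev"
}

# Constructed bootctl excerpts for the offline demonstration.
SB_USER="System:
      Firmware: UEFI 2.70 (vendor firmware, constructed)
 Firmware Arch: x64
   Secure Boot: enabled (user)
  TPM2 Support: yes"
SB_SETUP="System:
   Secure Boot: disabled (setup)
  TPM2 Support: yes"
```

`enroll_tpm2` with no arguments reproduces the guide's command (PCRs 0+7, PIN enabled) but refuses to run until bootctl reports `enabled (user)`; pass `/dev/nvme0n1p2 7` to bind to PCR 7 only, as the Caution suggests.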

TPM key removal

Warning

If the secure boot state changes in the future, the TPM may no longer unlock the encrypted drive. Remove the TPM2 keyslot and its associated unlocking mechanism (pin is removed too) from a LUKS-encrypted device.

systemd-cryptenroll --wipe-slot=tpm2 --tpm2-pcrs=0+7 /dev/nvme0n1p2

This is equivalent to manual removal:

cryptsetup luksDump /dev/nvme0n1p2
# look for systemd-tpm2 keyslot
# example -> 1: systemd-tpm2 -> Keyslot: 2
cryptsetup luksKillSlot /dev/nvme0n1p2 2
cryptsetup token remove --token-id 1 /dev/nvme0n1p2

After removal you can enroll the TPM again
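The manual removal above relies on reading the token id and keyslot number off luksDump by eye; killing the wrong slot (the passphrase or the recovery slot) leaves a volume that nothing can open. The following is an added example, not part of the guide or of cryptsetup: it parses the Tokens and Keyslots sections of `cryptsetup luksDump` output, reports which keyslot each systemd-tpm2 token protects, and refuses a removal that would leave no non-TPM keyslot behind. The luksDump excerpt is constructed with the header fields trimmed.

```shell
#!/bin/sh
# Added example (not from the guide): locate the systemd-tpm2 token and its
# keyslot in luksDump output so the manual removal targets the right slot.

# Print "<token-id> <keyslot>" for every systemd-tpm2 token in the dump text $1.
tpm2_tokens() {
    printf '%s\n' "$1" | awk '
        /^Tokens:/       { in_tokens = 1; next }
        /^[A-Z][a-z]+:/  { in_tokens = 0 }            # next top-level section
        in_tokens && /^  [0-9]+: systemd-tpm2$/ { sub(":", "", $1); tok = $1; next }
        in_tokens && tok != "" && $1 == "Keyslot:"  { print tok, $2; tok = "" }
    '
}

# Print the keyslot numbers that are NOT protected by a TPM2 token, i.e. the
# passphrase and recovery-key slots that must survive the removal.
non_tpm2_keyslots() {
    dump="$1"
    all=$(printf '%s\n' "$dump" | awk '
        /^Keyslots:/     { in_slots = 1; next }
        /^[A-Z][a-z]+:/  { in_slots = 0 }
        in_slots && /^  [0-9]+: luks2$/ { sub(":", "", $1); print $1 }')
    tpm=$(tpm2_tokens "$dump" | awk '{ print $2 }')
    for s in $all; do
        echo "$tpm" | grep -qx "$s" || echo "$s"
    done
}

# Live helper: remove every TPM2 token and its keyslot from a device, but only
# when at least one other keyslot remains. Argument: [device].
remove_tpm2_binding() {
    dev="${1:-/dev/nvme0n1p2}"
    dump=$(cryptsetup luksDump "$dev")
    [ -n "$(non_tpm2_keyslots "$dump")" ] \
        || { echo "refusing: no non-TPM2 keyslot would remain on $dev"; return 1; }
    tpm2_tokens "$dump" | while read -r tok slot; do
        cryptsetup luksKillSlot "$dev" "$slot"
        cryptsetup token remove --token-id "$tok" "$dev"
    done
}

# Constructed luksDump excerpt (header fields trimmed) for the offline demo:
# slot 0 passphrase, slot 1 recovery key, slot 2 bound to the TPM2 token.
SAMPLE_DUMP="LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
  2: luks2
        Key:        512 bits
Tokens:
  0: systemd-recovery
        Keyslot:    1
  1: systemd-tpm2
        tpm2-hash-pcrs:   0+7
        tpm2-pcr-bank:    sha256
        tpm2-pin:         true
        Keyslot:    2
Digests:
  0: pbkdf2
        Hash:       sha256"

# Constructed dump of a volume with no TPM2 enrollment at all.
NO_TPM_DUMP="Keyslots:
  0: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2"
```

`tpm2_tokens "$(cryptsetup luksDump /dev/nvme0n1p2)"` prints the pair to feed into luksKillSlot and `token remove`; `remove_tpm2_binding` does both steps and matches what `systemd-cryptenroll --wipe-slot=tpm2` achieves.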


Arch Linux Post Install

Installation should be ready now. Everything below is optional.


pacman -Syu

Microcode

  • For AMD processors, install the amd-ucode package.
  • For Intel processors, install the intel-ucode package.
  • Add microcode hook in /etc/mkinitcpio.conf
  • Delete ALL_microcode=(/boot/*-ucode.img) from /etc/mkinitcpio.d/linux.preset
  • Arch wiki -> https://wiki.archlinux.org/index.php/Microcode
pacman -S amd-ucode   # or intel-ucode, depending on the CPU

Install GPU drivers

GPU Drivers and video acceleration

AMD GPU

pacman -S mesa
pacman -S vulkan-radeon
pacman -S vulkan-mesa-layers
pacman -S adwaita-cursors
pacman -S libva-utils
pacman -S vulkan-tools
vulkaninfo | rg -i "vulkan api"

Intel GPU

NOTE: TODO

PipeWire

pacman -S pipewire
pacman -S pipewire-alsa
pacman -S pipewire-audio
pacman -S pipewire-jack
pacman -S pipewire-pulse
pacman -S wireplumber

Improve SSD perf and lifespan

sudo systemctl enable --now fstrim.timer
  • Zswap is enabled by default in linux-lts and linux-zen kernels
  • To enable Zswap in vanilla linux kernel add zswap.enabled=1 to kernel parameters

Caution

Do not use zswap with zram

sed -i '1s/$/ zswap.enabled=1/' /etc/cmdline.d/root.conf
mkinitcpio -p linux

To verify check dmesg after reboot

dmesg | grep -i zswap

Should show

zswap: loaded using pool zstd/zsmalloc

Silent Boot

To prevent any messages during boot add the following kernel parameters

amdgpu.seamless=1 quiet loglevel=3 systemd.show_status=auto rd.udev.log_level=3

sed -i '1s/$/ amdgpu.seamless=1 quiet loglevel=3 systemd.show_status=auto rd.udev.log_level=3/' /etc/cmdline.d/root.conf
mkinitcpio -p linux

setfont does not play well with silent boot and sd-vconsole, so comment out the font setting in /etc/vconsole.conf as well, to avoid the screen flash and blinking cursor.

Improve battery life with TLP

  • Do not use powertop with TLP
  • Do not use power-profiles-daemon with TLP
pacman -S tlp
systemctl start tlp.service
systemctl enable tlp.service

Basic Firewall

pacman -S ufw
ufw enable
ufw status verbose
systemctl enable ufw

DNS with DNSSEC validation

pacman -S unbound expat

Check for errors

systemctl --failed
journalctl -p 3 -xb

Add user

useradd -m -g users -G wheel <user>
passwd <user>
EDITOR=vim visudo
# uncomment the %wheel line
pacman -S sudo

Additions


Cron crontab

Cronie

pacman -S cronie
systemctl start cronie.service
systemctl enable cronie.service
crontab -e
crontab -l

Cron list

# do not use powertop if TLP is enabled
# @reboot sleep 60 && powertop --auto-tune
@reboot sleep 10 && brightnessctl --device platform::micmute set 0

Dev Tools

pacman -S fish fisher
pacman -S git git-delta
pacman -S curl wget rsync
pacman -S procs htop bottom
pacman -S bat man tldr
pacman -S tree eza lsd zoxide
pacman -S duf dust
pacman -S fx tokei
pacman -S fd fzf skim ripgrep the_silver_searcher
pacman -S helix neovim neovide
pacman -S starship
pacman -S alacritty kitty
pacman -S fastfetch
pacman -S llvm gcc clang cmake python rust nodejs npm typescript zig

Fonts

pacman -S terminus-font gnu-free-fonts cantarell-fonts powerline-fonts \
  otf-font-awesome noto-fonts-emoji adobe-source-code-pro-fonts

pacman -S ttf-ibm-plex ttf-jetbrains-mono ttf-ubuntu-font-family

# ttf-font-nerd; the last three are alacritty fallbacks
pacman -S ttf-ubuntu-mono-nerd ttf-ibmplex-mono-nerd \
  ttf-jetbrains-mono-nerd ttf-nerd-fonts-symbols-mono ttf-nerd-fonts-symbols-common

# from the AUR
paru -S ttf-intel-one-mono

Paru AUR Helper

Switch to non root user

git clone https://aur.archlinux.org/paru-bin.git && cd paru-bin && makepkg -si && paru --gendb

Sway Window Manager

pacman -S sway swaybg swayimg swayidle swaylock swaync waybar nwg-bar

Hyprland Window Manager

pacman -S hyprland hypridle hyprlock hyprcursor hyprutils hyprpaper hyprwayland-scanner
pacman -S fuzzel cosmic-files waybar nwg-bar nwg-look swaync wl-clipboard
pacman -S xdg-desktop-portal-gtk xdg-desktop-portal-hyprland
paru -S hyprsysteminfo hyprlauncher   # AUR

Login / Display Manager

Ly

pacman -S ly
systemctl enable ly.service
systemctl disable [email protected]

Lemurs

pacman -S lemurs
systemctl disable display-manager.service
systemctl enable lemurs.service

Info pacman

  • pacman -Ss <keyword> - search package
  • pacman -R <package-name> - remove pkg
  • pacman -Rs <package-name> - remove pkg with dependencies
  • pacman -Q - list all install packages
  • pacman -Qi <package-name> - info and reason for installation
  • pacman -Qm <package-name> - look for foreign dependencies
  • pacman -Qdt - list all packages no longer required as dependencies
  • pacman -Qet - list all packages explicitly installed and not required as dependencies
  • pacman -R $(pacman -Qdtq) - remove all of these unnecessary packages
  • pactree <package-name> - view the dependency tree of a package

Configure pacman options

/etc/pacman.conf
  • Color - enable color output
  • CacheDir - can be set to /tmp in order to use tmpfs which is in RAM
  • ParallelDownloads - adjust appropriate

Info paccache & checkupdates

A pacman cache cleaning utility

paru -S paccache-hook
pacman -S pacman-contrib
  • pacman -Sc - Remove cached packages not used
  • pacman -Scc - Empty the entire pacman cache
  • paccache -d - Perform a dry-run and show the number of candidate packages for deletion
  • paccache -r - Remove all but the 3 most recent package versions from the pacman cache
  • paccache -rk 3 - Set the number of package versions to keep

# to enable paccache.service
systemctl enable paccache.timer

Misc

Auto update pacman mirror list

Make bootable usb with dd

λ dd if=<file> of=<device> bs=16M status=progress; sync
λ dd if=arch-linux.iso of=/dev/sda1 bs=16M status=progress; sync

Update uefi-bios

λ geteltorito.pl -o <image>.img <image>.iso
λ geteltorito.pl -o uefi_bios.img r10ur26w.iso
λ sudo dd if=uefi_bios.img of=/dev/sda bs=512K

Links