ItsDrike/dotfiles
1
0
Fork 0
mirror of https://github.com/ItsDrike/dotfiles.git synced 2024-11-10 02:39:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add full arch installation guide

Browse source
This commit is contained in:
ItsDrike 2023-08-01 01:42:21 +02:00
parent b83e5b55a1
commit 47429dddee
1 changed files with 370 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

370
guides/installation.md Normal file
View file

@ -0,0 +1,370 @@
# Installation
This is a full Arch Linux installation guide, from live cd to a working OS.
This installation includes steps for full disk encryption, and sets up the
system with some basic tools and my zsh configuration.
## Partition, format and mount the disks
This will depend on your setup, following are the commands I used for my
specific setup as a reference, however you'll very like want a different
disk structure, and you probably won't even have the drives in the same
configuration as I do.
Create partitions for the drives
```bash
fdisk /dev/nvme0n1
# Create new GPT table and make 5 partitions
# first for boot (1G), second for swap (16G),
# third for root 1 (100G), fourth for root 2 (100G), fifth for data (rest ~714G)
fdisk /dev/nvme1n1
# Create new GPT table with single partition
fdisk /dev/sda
# Create new GPT table with single partition
```
Format partitions that shouldn't be encrypted
```bash
mkfs.fat -F 32 /dev/nvme0n1p1
fatlabel /dev/nvme0n1p1 BOOT
mkswap -L SWAP /dev/nvme0n1p2
```
Format drives using LUKS for encryption and open them to mapper devices
```bash
cryptsetup luksFormat --label ARCH_ROOT1 /dev/nvme0n1p3
cryptsetup luksFormat --label ARCH_ROOT2 /dev/nvme0n1p4
cryptsetup luksFormat --label DATA /dev/nvme0n1p5
cryptsetup luksFormat --label DATA2 /dev/sda1
cryptsetup luksFormat --label BACKUPS /dev/nvme1n1p1
cryptsetup luksOpen /dev/disk/by-label/ARCH_ROOT1 cryptroot
cryptsetup luksOpen /dev/disk/by-label/ARCH_ROOT2 cryptroot2
cryptsetup luksOpen /dev/disk/by-label/DATA cryptdata
cryptsetup luksOpen /dev/disk/by-label/DATA2 cryptdata2
cryptsetup luksOpen /dev/disk/by-label/BACKUPS cryptbackups
```
Create EXT4 filesystem on the encrypted drives
```bash
mkfs.ext4 -L ARCH_HYPRLAND /dev/mapper/cryptroot
mkfs.ext4 -L ARCH_KDE /dev/mapper/cryptroot2
mkfs.ext4 -L CRYPTDATA /dev/mapper/cryptdata
mkfs.ext4 -L CRYPTDATA2 /dev/mapper/cryptdata2
mkfs.ext4 -L CRYPTBACKUPS /dev/mapper/cryptbackups
```
Mount the drives
```bash
mount /dev/mapper/cryptroot /mnt
mount /dev/disk/by-label/BOOT /mnt/efi --mkdir
mkdir /mnt/efi/arch-hyprland /mnt/efi/arch-kde
mount --bind /mnt/efi/arch-kde /mnt/boot --mkdir
mount /dev/mapper/cryptdata /mnt/mnt/data --mkdir
mount /dev/mapper/cryptdata2 /mnt/mnt/data2 --mkdir
mount /dev/mapper/cryptbackups /mnt/mnt/backups --mkdir
mount /dev/mapper/cryptroot2 /mnt/mnt/arch-kde --mkdir
swapon /dev/disk/by-label/SWAP
```
## Base installation
```bash
reflector --save /etc/pacman.d/mirrorlist --latest 10 --protocol https --sort rate
pacstrap -K /mnt base linux linux-firmware linux-headers amd-ucode # or intel-ucode
genfstab -U /mnt >> /mnt/etc/fstab
arch-chroot /mnt
```
Configure essentials
```bash
pacman -S networkmanager neovim sudo reflector pacman-contrib man-db man-pages \
rsync btop bind tldr git base-devel
ln -sf /usr/share/zoneinfo/CET /etc/localtime
hwclock --systohc
sed -i 's/^#en_US.UTF-8/en_US.UTF-8/g' /etc/locale.gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf
locale-gen
echo "pc" > /etc/hostname
passwd
```
## Basic configuration
Clone my dotfiles and run the install script
```bash
git clone --recursive https://github.com/ItsDrike/dotfiles ~/dots
cd ~/dots
./install_root.sh
```
Exit and reenter chroot, this time into zsh shell
```bash
exit
arch-chroot /mnt zsh
```
Create non-privileged user
```bash
useradd itsdrike
usermod -aG wheel itsdrike
install -o itsdrike -g itsdrike -d /home/itsdrike
passwd itsdrike
chsh -s /usr/bin/zsh itsdrike
su -l itsdrike # press q or esc in the default zsh options
```
Setup user account
```bash
git clone --recursive https://github.com/dotfiles ~/dots
cd ~/dots
./install_user.sh
```
Exit (logout) the user and relogin, this time into configured zsh shell
```bash
exit
su -l itsdrike
```
Install astronvim
```bash
sudo pacman -S luarocks rustup cargo cmake meson npm
rustup default stable
mkdir -p ~/.config/wakatime
git clone https://github.com/AstroNvim/AstroNvim ~/.config/nvim
git clone https://github.com/ItsDrike/AstroNvimUser ~/.config/nvim/lua/user
```
## Auto-mounting encrypted partitions
We've create a bunch of LUKS encrypted partitions to store our date into,
however it would be very inconvenient to have to mount them ourselves on each
boot. Instead, we'll probably want to set up a way to mount them automatically.
### Key files
LUKS encryption has support for multiple keys to the same parition. We'll
utilize this support and add 2nd key slot to all of the partitions that we wish
to auto-mount.
For this 2nd key slot, we will use a key file, as opposed to the regular
user-entered text, so that we can store this key in the file system directly. We
will later be using this stored key to auto-mount. The key file will contain
random data that will be used as the key.
Note that it is very important to have these key files themselves stored on an
encrypted partition, in this case, we're storing them in /etc/secrets, and our
root is encrypted. If you don't have encrypted root partition, it is unsafe to
keep those files in there!
Note that you don't actually need the key files, and if you wish, you can also
be prompted to enter a password on each boot instead (for every partition). You
should prefer this approach if your root partition isn't encrypted, although
know that this can get pretty annoying with more than one encrypted device. If
you wish to do this, you can skip this section.
In this example, we'll be creating a different key for every encrypted
partition, but you could also share the same key file for all of them if you
wish. This is however more secure.
```bash
mkdir -p /etc/secrets
dd if=/dev/random bs=4096 count=1 of=/etc/secrets/keyFile-data.bin
dd if=/dev/random bs=4096 count=1 of=/etc/secrets/keyFile-data2.bin
dd if=/dev/random bs=4096 count=1 of=/etc/secrets/keyFile-backups.bin
dd if=/dev/random bs=4096 count=1 of=/etc/secrets/keyFile-arch-hyprland.bin
dd if=/dev/random bs=4096 count=1 of=/etc/secrets/keyFile-arch-kde.bin
chmod -R 004 /etc/secrets
chmod 007 /etc/secrets
```
The bs argument signifies a block size (in bits), so this will create 4096-bit keys.
Now we can add these keys into our LUKS encrypted partitions:
```bash
cryptsetup luksAddKey /dev/disk/by-label/DATA --new-keyfile /etc/secrets/keyFile-data.bin
cryptsetup luksAddKey /dev/disk/by-label/DATA2 --new-keyfile /etc/secrets/keyFile-data2.bin
cryptsetup luksAddKey /dev/disk/by-label/BACKUPS --new-keyfile /etc/secrets/keyFile-backups.bin
cryptsetup luksAddKey /dev/disk/by-label/ARCH_ROOT1 --new-keyfile /etc/secrets/keyFile-arch-hyprland.bin
cryptsetup luksAddKey /dev/disk/by-label/ARCH_ROOT2 --new-keyfile /etc/secrets/keyFile-arch-kde.bin
```
### /etc/crypttab
Now that we have the key files ready, we can utilize /etc/crypttab, which
is a file that systemd reads during boot (similarly to /etc/fstab), and contains
instructions for auto-mounting devices.
This is the `/etc/crypttab` file that I use:
<!-- markdownlint-disable MD010 MD013 -->
```txt
# Configuration for encrypted block devices.
# See crypttab(5) for details.
# NOTE: Do not list your root (/) partition here, it must be set up
# beforehand by the initramfs (/etc/mkinitcpio.conf).
# <name> <device> <password> <options>
cryptdata LABEL=DATA /etc/secrets/keyFile-data.bin discard
cryptdata2 LABEL=DATA2 /etc/secrets/keyFile-data2.bin discard
cryptbackups LABEL=BACKUPS /etc/secrets/keyFile-backups.bin discard
cryptarch2 LABEL=ARCH_ROOT2 /etc/secrets/keyFile-arch-kde.bin discard
```
<!-- markdownlint-enable MD010 MD013 -->
If you want to be prompted for the password during boot instead of it being read
from a file, you can use `none` instead of the file path.
The `discard` option is specified to enable TRIM on SSDs, which should improve
their lifespan. It is not necessary if you're using an HDD.
### /etc/fstab
While the crypttab file opens the encrypted block devices and creates the mapper
interfaces for them, to mount those to a concrete directory, we still use
/etc/fstab. Below is the /etc/fstab that I use on my system:
<!-- markdownlint-disable MD010 MD013 -->
```txt
# Static information about the filesystems.
# See fstab(5) for details.
# <file system> <dir> <type> <options> <dump> <pass>
# region: LUKS encrypted devices (opened from /etc/crypttab, or mounted from initramfs)
/dev/mapper/cryptroot / ext4 rw,relatime,nofail,discard 0 1
/dev/mapper/cryptdata /mnt/data ext4 rw,relatime,nofail,discard 0 2
/dev/mapper/cryptdata2 /mnt/data2 ext4 rw,relatime,nofail,discard 0 2
/dev/mapper/cryptarch2 /mnt/arch-kde ext4 rw,relatime,nofail,discard 0 2
# endregion
# region: Physical devices
LABEL=BOOT /efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2
LABEL=SWAP none swap defaults 0 0
# endregion
# region: Bind mounts
# Write kernel images to /efi/arch-hyprland, not directly to the efi system partition (esp), to avoid conflicts when dual booting
/efi/arch-hyprland /boot none rw,bind 0 0
# Bind mounts for arch-kde
/efi /mnt/arch-kde/efi none rw,bind 0 0
/efi/arch-kde /mnt/arch-kde/boot none rw,bind 0 0
/mnt/data /mnt/arch-kde/mnt/data none rw,bind 0 0
/mnt/data2 /mnt/arch-kde/mnt/data2 none rw,bind 0 0
/mnt/backups /mnt/arch-kde/mnt/backups none rw,bind 0 0
/ /mnt/arch-kde/mnt/arch-hyprland none rw,bind 0 0
```
<!-- markdownlint-enable MD010 MD013 -->
## Bootloader
This guide uses systemd-boot (if you want to use GRUB, just follow the arch wiki).
### Ask for LUKS password from initramfs
Ask for encryption password of the root partition in early userspace (only
relevant if you're using LUKS encryption), you'll also need to set cryptdevice
kernel parameter, specifying the device that should be unlocked here, and the
device mapping name. (shown later)
```bash
# Find the line with HOOKS=(...)
# Add `keyboard keymap` after `autodetect` (if these hooks are already there,
# just keep them, but make sure they're after `autodetect`).
# Lastly add `encrypt` before `filesystems`.
sudo nvim /etc/mkinitcpio.conf
```
This will configure `mkinitcpio` to build support for the keyboard input, and
support for decrypting LUKS devices from within the initial ramdisk
environment.
If you wish, you can also follow the instructions below to auto-enable numlock:
```bash
yay -S mkinitcpio-numlock
# Go to HOOKS and add `numlock` after `keyboard` in:
sudo nvim /etc/mkinitcpio.conf
```
Now regenerate the initial ramdisk environment image:
```bash
sudo mkinitcpio -P
```
### Configure systemd-boot
Install systemd-boot to the EFI system partition (ESP)
```bash
sudo bootctl --esp-path=/efi install
```
Add boot menu entries
(Note that we're using LABEL= for cryptdevice, for which `udev` must be before
the `encrypt` hook in mkinitcpio `HOOKS`. This should however be the case by default.
If you wish, you can also use UUID= or just /dev/XYZ here)
Create a new file - `/efi/loader/entries/arch-hyprland.conf`, with:
```bash
title Arch Linux (Hyprland)
sort-key 0
linux /arch-hyprland/vmlinuz-linux
initrd /arch-hyprland/amd-ucode.img
initrd /arch-hyprland/initramfs-linux.img
options cryptdevice=LABEL=ARCH_ROOT1:cryptroot:allow-discards
options root=/dev/mapper/cryptroot
options rw loglevel=3
```
And finally configure loader - `/efi/loader/loader.conf` (overwrite the contents):
```bash
default arch-hyprland.conf
timeout 4
console-mode auto
editor yes
auto-firmware yes
beep no
```
## Post-setup
Enable Network Time Protocol (time synchronization)
```bash
sudo timedatectl set-ntp true
timedatectl status
```
Connect to a wifi network
```bash
nmtui
```