From 770e9f46c1cf74f29f276a17281fef3cce70c87b Mon Sep 17 00:00:00 2001 From: ItsDrike Date: Sat, 30 Dec 2023 21:13:10 +0100 Subject: [PATCH] Update installation guide --- guides/installation.md | 120 ++++++++++++++++++++++++++++------------- 1 file changed, 84 insertions(+), 36 deletions(-) diff --git a/guides/installation.md b/guides/installation.md index 4216660..3c4517e 100644 --- a/guides/installation.md +++ b/guides/installation.md @@ -15,9 +15,12 @@ Create partitions for the drives ```bash fdisk /dev/nvme0n1 -# Create new GPT table and make 5 partitions +# Create new GPT table and make 3 partitions # first for boot (1G), second for swap (16G), -# third for root (256G), fifth for data (rest ~680G) +# third for btrfs (root + /home + data) (rest of the space) + +fdisk /dev/nvme0n2 +# Create a single partition for btrfs data ``` Format partitions that shouldn't be encrypted @@ -31,39 +34,69 @@ mkswap -L SWAP /dev/nvme0n1p2 Format drives using LUKS for encryption and open them to mapper devices ```bash -cryptsetup luksFormat --type luks2 --label LINUXROOT /dev/nvme0n1p3 -cryptsetup luksFormat --type luks2 --label DATA /dev/nvme0n1p4 +cryptsetup luksFormat --type luks2 --label ARCH_LUKS /dev/nvme0n1p3 +cryptsetup luksFormat --type luks2 --label DATA /dev/nvme0n2p1 -cryptsetup luksOpen /dev/disk/by-label/LINUXROOT cryptroot +cryptsetup luksOpen /dev/disk/by-label/ARCH_LUKS cryptroot cryptsetup luksOpen /dev/disk/by-label/DATA cryptdata ``` Create BTRFS filesystem on the encrypted drives ```bash -mkfs.btrfs -f -L CRYPTROOT /dev/mapper/cryptroot +mkfs.btrfs -f -L ARCH /dev/mapper/cryptroot mkfs.btrfs -f -L DATA /dev/mapper/cryptdata ``` -Mount the drives +Mount btrfs and create subvolumes ```bash -mount /dev/mapper/cryptroot /mnt -mount /dev/disk/by-label/BOOT /mnt/efi --mkdir -mkdir /mnt/efi/arch-1 -mount --bind /mnt/efi/arch-1 /mnt/boot --mkdir -mount /dev/mapper/cryptdata /mnt/mnt/data --mkdir -swapon /dev/disk/by-label/SWAP +# Cryptroot +# - We set `noatime` to disable updating of the file access time +# every time a file is read. This is done for performance improvements, +# especially on SSDs, and we don't really need to know this information +# anyway. +# - We set `compress=zstd:1` to enable level 1 zstd compression (lowest), +# which still provides quite fast read/write speeds, while saving some space. +mount -o noatime,compress=zstd:1 /dev/mapper/cryptroot /mnt +btrfs subvolume create /mnt/@ # / (root) +btrfs subvolume create /mnt/@home # /home +btrfs subvolume create /mnt/@log # /var/log +btrfs subvolume create /mnt/@cache # /var/cache +btrfs subvolume create /mnt/@tmp # /tmp +btrfs subvolume create /mnt/@data # /data +btrfs subvolume create /mnt/@snapshots +umount /mnt + +# cryptdata +# - We use same options for mounting the root btrfs drive as +# we did for cryptroot here, however we will use a bigger compression +# rate for the individual subvolumes when mounting them. +mount -o noatime,compress=zstd:1 /dev/mapper/cryptdata /mnt +btrfs subvolume create /mnt/@data # /data2 +btrfs subvolume create /mnt/@backups # /backups +btrfs subvolume create /mnt/@snapshots +umount /mnt ``` -Create BTRFS subvolumes +Mount the subvolumes and drives ```bash -btrfs subvolume create /mnt/home -btrfs subvolume create /mnt/var -btrfs subvolume create /mnt/var/log -btrfs subvolume create /mnt/var/cache -btrfs subvolume create /mnt/var/tmp +# cryptroot btrfs subvolumes +mount -o defaults,noatime,compress=zstd:1,subvol=@ /dev/mapper/cryptroot /mnt +mount -o defaults,noatime,compress=zstd:1,subvol=@home /dev/mapper/cryptroot /mnt/home --mkdir +mount -o defaults,noatime,compress=zstd:2,subvol=@log /dev/mapper/cryptroot /mnt/var/log --mkdir +mount -o defaults,noatime,compress=zstd:3,subvol=@cache /dev/mapper/cryptroot /mnt/var/cache --mkdir +mount -o defaults,noatime,compress=no,subvol=@tmp /dev/mapper/cryptroot /mnt/tmp --mkdir +mount -o defaults,noatime,compress=zstd:5,subvol=@data /dev/mapper/cryptroot /mnt/data --mkdir +# cryptdata btrfs subvolumes +mount -o defaults,noatime,compress=zstd:5,subvol=@data /dev/mapper/cryptdata /mnt/data2 --mkdir +mount -o defaults,noatime,compress=zstd:10,subvol=@backups /dev/mapper/cryptdata /mnt/backups --mkdir +# physical partitions +mount /dev/disk/by-label/EFI /mnt/efi --mkdir +mkdir /mnt/efi/arch-1 +mount --bind /mnt/efi/arch-1 /mnt/boot --mkdir +swapon /dev/disk/by-label/SWAP ``` ## Base installation @@ -72,13 +105,16 @@ btrfs subvolume create /mnt/var/tmp reflector --save /etc/pacman.d/mirrorlist --latest 10 --protocol https --sort rate pacstrap -K /mnt base linux linux-firmware linux-headers amd-ucode # or intel-ucode genfstab -U /mnt >> /mnt/etc/fstab +# Note: We'll need to edit fstab later on, to use UUIDs, and to set proper compression levels +# as the generated options will just use zstd:1 everywhere, the final fstab is shown late. +# during bootloader config arch-chroot /mnt ``` Configure essentials ```bash -pacman -S git btrfs-progs +pacman -S git btrfs-progs neovim ln -sf /usr/share/zoneinfo/CET /etc/localtime hwclock --systohc sed -i 's/^#en_US.UTF-8/en_US.UTF-8/g' /etc/locale.gen @@ -227,25 +263,34 @@ interfaces for them, to mount those to a concrete directory, we still use # -# region: LUKS encrypted devices (opened from /etc/crypttab, or mounted from initramfs) +# region: Physical partitions -/dev/mapper/cryptroot / btrfs rw,realtime,ssd,space_cache=v2,subvolid=5,subvol=/,discard 0 1 -/dev/mapper/cryptdata /mnt/data btrfs rw,realtime,ssd,space_cache=v2,subvolid=5,subvol=/,discard 0 2 +# /dev/nvme0n1p2 LABEL=SWAP UUID=d262a2e5-a1a3-42b1-ac83-18639f5e8f3d +/dev/disk/by-label/SWAP none swap defaults 0 0 -# Or, an example with ext4 filesystem -#/dev/mapper/cryptdata /mnt/data ext4 rw,relatime,nofail,discard 0 2 +# /dev/nvme0n1p1 LABEL=EFI UUID=44E8-EB26 +/dev/disk/by-label/EFI /efi vfat rw,relatime,fmask=0137,dmask=0027,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2 # endregion -# region: Physical devices +# region: BTRFS subvolumes on /dev/disk/by-label/ARCH (decrypted from ARCH_LUKS) -LABEL=BOOT /efi vfat rw,relatime,fmask=0137,dmask=0027,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2 -LABEL=SWAP none swap defaults 0 0 +# /dev/mapper/cryptroot LABEL=ARCH UUID=bffc7a62-0c7e-4aa9-b10e-fd68bac477e0 +/dev/mapper/cryptroot / btrfs rw,noatime,compress=zstd:1,ssd,space_cache=v2,subvol=/@ 0 1 +/dev/mapper/cryptroot /home btrfs rw,noatime,compress=zstd:1,ssd,space_cache=v2,subvol=/@home 0 1 +/dev/mapper/cryptroot /var/log btrfs rw,noatime,compress=zstd:2,ssd,space_cache=v2,subvol=/@log 0 1 +/dev/mapper/cryptroot /var/cache btrfs rw,noatime,compress=zstd:3,ssd,space_cache=v2,subvol=/@cache 0 1 +/dev/mapper/cryptroot /tmp btrfs rw,noatime,compress=no,ssd,space_cache=v2,subvol=/@tmp 0 1 +/dev/mapper/cryptroot /data btrfs rw,noatime,compress=zstd:5,ssd,space_cache=v2,subvol=/@data 0 2 + +# /dev/mapper/cryptdata LABEL=DATA UUID=... +/dev/mapper/cryptdata /data2 btrfs rw,noatime,compress=zstd:5,ssd,space_cache=v2,subvol=/@data 0 2 +/dev/mapper/cryptdata /backups btrfs rw,noatime,compress=zstd:10,ssd,space_cache=v2,subvol=/@backups 0 2 # endregion # region: Bind mounts -# Write kernel images to /efi/arch-1, not directly to the efi system partition (esp), to avoid conflicts when dual booting -/efi/arch-1 /boot none rw,bind 0 0 +# Write kernel images to /efi/arch-1, not directly to efi system partition (esp), to avoid conflicts when dual booting +/mnt/efi/arch-1 /boot none rw,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro,bind 0 0 # endregion ``` @@ -268,7 +313,7 @@ device mapping name. (shown later) # Add `keyboard keymap` after `autodetect` (if these hooks are already there, # just keep them, but make sure they're after `autodetect`). # Lastly add `encrypt` before `filesystems`. -sudo nvim /etc/mkinitcpio.conf +nvim /etc/mkinitcpio.conf ``` This will configure `mkinitcpio` to build support for the keyboard input, and @@ -280,13 +325,13 @@ If you wish, you can also follow the instructions below to auto-enable numlock: ```bash sudo -u itsdrike yay -S mkinitcpio-numlock # Go to HOOKS and add `numlock` after `keyboard` in: -sudo nvim /etc/mkinitcpio.conf +nvim /etc/mkinitcpio.conf ``` Now regenerate the initial ramdisk environment image: ```bash -sudo mkinitcpio -P +mkinitcpio -P ``` ### Configure systemd-boot @@ -294,7 +339,10 @@ sudo mkinitcpio -P Install systemd-boot to the EFI system partition (ESP) ```bash -sudo bootctl --esp-path=/efi install +bootctl --esp-path=/efi install +# This might report a warning about permissions for the /efi mount point, +# these were addressed in the fstab file above (changed fmask and dmask), +# if you copied those to your fstab, the permissions will be fixed after reboot ``` Add boot menu entries @@ -310,8 +358,8 @@ sort-key 0 linux /arch-1/vmlinuz-linux initrd /arch-1/amd-ucode.img initrd /arch-1/initramfs-linux.img -options cryptdevice=LABEL=LINUXROOT:cryptroot:allow-discards -options root=/dev/mapper/cryptroot +options cryptdevice=LABEL=ARCH_LUKS:cryptroot:allow-discards +options root=/dev/mapper/cryptroot rootflags=subvol=/@ options rw loglevel=3 ```