---
date: 2020-07-01
title: Archlinux Bulletproof Installation
---

Through my 5 years with different Archlinux installations, I made up my mind to document the one that fulfills my needs.

The main goal is a minimal Arch install (like any other), including systemd and rEFInd, without using any crappy ncurses interface, and of course powered by btrfs (zfs another day).

The installation process is heavily inspired by:

- [Bullet proof arch install](https://wiki.archlinux.org/index.php/User:Altercation/Bullet_Proof_Arch_Install)

## partitions

```
$ sgdisk --clear \
    --new=1:0:+550MiB --typecode=1:ef00 --change-name=1:EFI \
    --new=2:0:+8GiB --typecode=2:8200 --change-name=2:cryptswap \
    --new=3:0:0 --typecode=3:8300 --change-name=3:cryptsystem \
    /dev/nvme0n1
$ sgdisk --clear \
    --new=1:0:1025GiB --typecode=1:8300 --change-name=1:wsd \
    /dev/sda
```

## encryption

```
# note: XTS splits the key in two, so -s 256 means AES-128 (-s 512 gives AES-256)
$ cryptsetup luksFormat --align-payload=8192 -s 256 -c aes-xts-plain64 /dev/disk/by-partlabel/cryptsystem
$ cryptsetup open /dev/disk/by-partlabel/cryptsystem system
# swap gets a throwaway random key, so its contents do not survive a reboot
$ cryptsetup open --type plain --key-file /dev/urandom /dev/disk/by-partlabel/cryptswap swap
$ mkswap -L swap /dev/mapper/swap
$ swapon -L swap
```

## file format

```
$ mkfs.fat -F32 -n EFI /dev/disk/by-partlabel/EFI
# -L sets the label (mkfs.ext4 -n would only do a dry run)
$ mkfs.ext4 -L wsd /dev/disk/by-partlabel/wsd
$ mkfs.btrfs --force --label system /dev/mapper/system
$ o=defaults,x-mount.mkdir
$ o_btrfs=$o,compress=lzo,ssd,noatime
$ mount -t btrfs LABEL=system /mnt
$ btrfs subvolume create /mnt/root
$ btrfs subvolume create /mnt/home
$ btrfs subvolume create /mnt/snapshots
$ umount -R /mnt
$ mount -t btrfs -o subvol=root,$o_btrfs LABEL=system /mnt
$ mount -t btrfs -o subvol=home,$o_btrfs LABEL=system /mnt/home
$ mount -t btrfs -o subvol=snapshots,$o_btrfs LABEL=system /mnt/.snapshots
$ mkdir /mnt/wsd
$ mount LABEL=wsd /mnt/wsd
$ mkdir /mnt/boot
$ mount LABEL=EFI /mnt/boot
```

## base install

```
# the editor package is named neovim (nvim is the binary)
$ pacstrap /mnt base neovim
$ genfstab -L -p /mnt >> /mnt/etc/fstab
```

Open up /mnt/etc/fstab and replace the old swap line:

```
LABEL=swap none swap defaults 0 0
```

with the new one, which points at the mapping that crypttab creates:

```
/dev/mapper/swap none swap sw 0 0
```

Open up /mnt/etc/crypttab, append at the end:

```
swap /dev/disk/by-partlabel/cryptswap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=256
```

## base systemd

The only way to have a non-biased opinion about systemd is to mix it yourself in your base install.

```
$ systemd-nspawn -bD /mnt
$ localectl set-locale LANG=en_US.UTF-8
$ timedatectl set-ntp 1
$ timedatectl set-timezone Europe/Paris
$ hostnamectl set-hostname WS-workstationname
```

## base packages

After spending more than one day on some Archlinux shenanigans: you need the linux-firmware package for a properly booting install (since 2019?).

```
$ pacman -Syu base-devel linux linux-firmware refind-efi btrfs-progs gptfdisk zsh wget curl git zip unzip ntfs-3g
```

## initramfs

```
$ mv /etc/mkinitcpio.conf /etc/mkinitcpio.conf.orig
```

Open up /etc/mkinitcpio.conf:

```
MODULES=""
BINARIES=""
FILES=""
HOOKS="base systemd sd-vconsole modconf keyboard block filesystems btrfs sd-encrypt fsck"
```

```
$ mkinitcpio -p linux
```

## refind

```
$ refind-install
```

We have now reached the trickiest part of installing rEFInd. Hit Ctrl+Alt+F2, run this last code block, and then switch back to TTY1 (nspawn doesn't allow deep disk modification / access).

```
$ arch-chroot /mnt
$ refind-install
```

Open up /boot/EFI/refind/refind.conf, or somewhere like that in the EFI dir:

```
timeout 5
use_graphics_for windows
also_scan_dirs +,@/
```

Look up the UUIDs needed for the boot options:

```
$ btrfs filesystem show system
$ lsblk -fs
```

Open up /boot/EFI/refind/refind.conf, or somewhere like that in the EFI dir. Add the following value if you are using an Intel CPU: `initrd=/intel-ucode.img`.

```
"Boot with standard options" "rd.luks.name=*FILL IN UUID FROM PARTITION*=cryptsystem root=UUID=*UUID FROM encrypted root subvolume* rootflags=subvol=root initrd=/initramfs-linux.img"
```

## reboot

```
$ passwd
$ poweroff
$ reboot # fingers crossed!!
```
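
As an added example (not part of the original post), here is a small lint for the random-key swap setup from the base install section. It checks that every `swap` mapping in crypttab names its device persistently, because the `swap` option re-runs mkswap on that device at every boot, and that fstab references `/dev/mapper/<mapping name>`. The function name `check_swap_config` and the sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: lint random-key swap entries.
# check_swap_config CRYPTTAB FSTAB -> prints findings, returns 0 when clean.
check_swap_config() {
    local crypttab fstab problems name dev key opts stale
    crypttab=$1; fstab=$2; problems=0
    # crypttab fields: <mapping name> <device> <key file> <options>
    while read -r name dev key opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        case ",$opts," in *,swap,*) ;; *) continue ;; esac  # swap mappings only
        # The swap option formats the device on every boot, so it must be
        # named by a persistent identifier, never /dev/sdXN or /dev/nvme0n1pN.
        case $dev in
            /dev/disk/by-partlabel/*|/dev/disk/by-partuuid/*|/dev/disk/by-id/*) ;;
            PARTLABEL=*|PARTUUID=*) ;;
            *) echo "crypttab: '$name' uses non-persistent device name $dev"
               problems=$((problems + 1)) ;;
        esac
        # The mapping name decides which node fstab has to reference.
        if ! awk -v want="/dev/mapper/$name" \
            '$1 !~ /^#/ && $3 == "swap" && $1 == want { ok = 1 } END { exit !ok }' \
            "$fstab"; then
            echo "fstab: no swap entry for /dev/mapper/$name"
            problems=$((problems + 1))
        fi
    done < "$crypttab"
    # Swap lines that bypass device-mapper are stale or unencrypted.
    stale=$(awk '$1 !~ /^#/ && $3 == "swap" && $1 !~ /^\/dev\/mapper\// { print $1 }' "$fstab")
    for dev in $stale; do
        echo "fstab: swap entry $dev does not go through /dev/mapper"
        problems=$((problems + 1))
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample files: the crypttab line from this page, the swap line
# genfstab writes, and the swap line after the manual edit.
demo=$(mktemp -d)
printf '%s\n' 'swap /dev/disk/by-partlabel/cryptswap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=256' > "$demo/crypttab"
printf '%s\n' 'LABEL=swap none swap defaults 0 0' > "$demo/fstab.before"
printf '%s\n' '/dev/mapper/swap none swap sw 0 0' > "$demo/fstab.after"
check_swap_config "$demo/crypttab" "$demo/fstab.before" || echo "before edit: fix fstab"
check_swap_config "$demo/crypttab" "$demo/fstab.after" && echo "after edit: consistent"
```

Run it against /mnt/etc/crypttab and /mnt/etc/fstab before the final reboot.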