arch linux
Arch Installation
(I) Create a bootable USB
First partition the USB drive with fdisk. Using an MBR partitioning scheme doesn't matter, you can still boot the USB in UEFI mode.
Try to get this partitioning scheme (this is how a working bootable Arch USB created with Rufus looked in fdisk):
Note that the type is W95 FAT32 (LBA). Also toggle the bootable flag to enabled in fdisk with a (the toggle-bootable command).
# mkfs.fat -F32 /dev/sda1
# mount /dev/disk/by-id/usb-SanDisk_Ultra_4C531001470309118144-0:0-part1 /mnt
# bsdtar -x -f ~/Downloads/archlinux-2024.10.01-x86_64.iso -C /mnt
# sync
# umount /mnt
# syslinux --directory boot/syslinux --install /dev/disk/by-id/usb-SanDisk_Ultra_4C531001470309118144-0:0-part1
# dd bs=440 count=1 conv=notrunc if=/usr/lib/syslinux/bios/mbr.bin of=/dev/disk/by-id/usb-SanDisk_Ultra_4C531001470309118144-0:0
(II) Prepare for booting into the usb
If you plan to connect to the internet via wifi, create wpa_supplicant.conf on your bootable USB; this will prove handy after you've booted into the USB. Copy some files over to make the installation process a lot smoother.
# mount /dev/sda1 /mnt/vector
# cp /etc/wpa_supplicant/wpa_supplicant.conf /mnt/vector
# cp -r ~/.ssh /mnt
Remember the permissions for ssh (700 for the .ssh directory, 600 for the private key file, and 644 for authorized_keys).
To create the defkeymap.map file follow instructions in loadkeys.
(III) Boot into Live USB
Get internet access:
ip link # reveals your wifi device (mine is wlp3s0)
wpa_supplicant -B -i wlp3s0 -c wpa_supplicant.conf
ip addr # to check if you've internet. might need to wait for dhcpcd
Set console keybindings
Install nvim. To keep your sanity, create a simple ~/.tmux.conf and then launch tmux. With the tmux conf below you can enter "visual mode" with <C-b>[. You can then select with v and copy the selection with y.
bind h select-pane -L
bind j select-pane -D
bind k select-pane -U
bind l select-pane -R
set -g mode-keys vi
bind-key -T copy-mode-vi 'v' send -X begin-selection
bind-key -T copy-mode-vi 'C-v' send -X rectangle-toggle
bind-key -T copy-mode-vi 'y' send -X copy-selection
(IV) Partition drives
In these instructions I'm installing Arch onto the drive /dev/sdb. After partitioning sdb:
vector@resonyze ~ $ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 931.5G 0 disk
└─sda1 8:1 0 931.5G 0 part
sdb 8:16 0 465.8G 0 disk
├─sdb1 8:17 0 1G 0 part
├─sdb2 8:18 0 4G 0 part
└─sdb3 8:19 0 460.8G 0 part
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 1G 0 part /boot
├─nvme0n1p2 259:2 0 8G 0 part [SWAP]
└─nvme0n1p3 259:3 0 467.9G 0 part /
Number Start (sector) End (sector) Size Code Name
1 2048 2099199 1024.0 MiB EF00 EFI system partition
2 2099200 10487807 4.0 GiB 8200 Linux swap
3 10487808 976769023 460.8 GiB 8300 Linux filesystem
(V) Cryptsetup: Encryption
Optional (read more at archwiki):
Check the result of lsblk. Note the name root under sdb3, which we used in the earlier cryptsetup open command. This partition is now available at /dev/mapper/root, but it has to be formatted with a filesystem first.
vector@resonyze ~ $ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 931.5G 0 disk
└─sda1 8:1 0 931.5G 0 part
sdb 8:16 0 465.8G 0 disk
├─sdb1 8:17 0 1G 0 part
├─sdb2 8:18 0 4G 0 part
└─sdb3 8:19 0 460.8G 0 part
└─root 253:0 0 460.7G 0 crypt
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 1G 0 part /boot
├─nvme0n1p2 259:2 0 8G 0 part [SWAP]
└─nvme0n1p3 259:3 0 467.9G 0 part /
You can find this device at /dev/mapper/root.
(VI) Format partitions
(VII) Mount partitions, pacstrap and genfstab
mount /dev/mapper/root /mnt
## https://gist.github.com/orhun/02102b3af3acfdaf9a5a2164bea7c3d6?permalink_comment_id=4755423#gistcomment-4755423
mount -o fmask=0137,dmask=0027 /dev/sdb1 /mnt/boot
rm -rf /mnt/lost+found
pacstrap -K /mnt base linux-zen linux-zen-headers linux-firmware amd-ucode neovim \
wpa_supplicant dhcpcd man-db texinfo efibootmgr zsh zsh-syntax-highlighting tmux fzf \
rsync git mosh aria2 unzip tree
Use the genfstab command (part of arch-install-scripts) to generate fstab.
(VIII) Chroot into the install and set root password
(IX) Setting up initramfs for decrypting encrypted root
We need to prepare the kernel for decrypting the root partition. This is done by editing HOOKS in /etc/mkinitcpio.conf and setting kernel arguments in /etc/kernel/cmdline.
The systemd hook tells mkinitcpio that we need a systemd-based initramfs as opposed to a busybox-based initramfs. The sd-encrypt hook is for decrypting the root partition.
...
HOOKS=(base systemd autodetect microcode modconf kms keyboard keymap consolefont block sd-encrypt filesystems fsck)
...
In the kernel command line below, rd.luks.name is set to the UUID of the encrypted root partition; after decryption it will appear as /dev/mapper/root, which gets mounted as the root partition.
rd.luks.name=e789d34e-224b-49f6-be22-87f08131e3ad=root root=/dev/mapper/root rw ps1=1
Don't call mkinitcpio yet because we don't want an initramfs file but a UKI.
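Before moving on to the UKI it is worth checking that the three pieces above agree with each other. The script below is an added example, not part of the original notes: it parses the rd.luks.name argument and the HOOKS line the way the initramfs will, and optionally compares the UUID against the LUKS header of the root partition (/dev/sdb3 is assumed from this setup).

```shell
#!/bin/sh
# Added example, not part of the original notes: check that the pieces the
# initramfs needs agree with each other before the UKI is built. A UUID in
# rd.luks.name that does not match the LUKS header, or a HOOKS line without
# systemd before sd-encrypt, means the root device is never opened and the
# boot ends in the emergency shell. Paths are the Arch ones used above; the
# device argument (/dev/sdb3 here) is an assumption for this machine.

# Print the UUID from "rd.luks.name=<uuid>=<name>" in a kernel command line.
cmdline_luks_uuid() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^rd\.luks\.name=\([^=]*\)=.*/\1/p' | head -n 1
}

# Print the mapped name ("root" in these notes) from rd.luks.name.
cmdline_luks_name() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^rd\.luks\.name=[^=]*=\(.*\)/\1/p' | head -n 1
}

# Return 0 if a "HOOKS=(...)" line lists systemd before sd-encrypt and does
# not mix in the busybox-style udev/encrypt hooks, which a systemd initramfs
# cannot use.
hooks_ok() {
    hooks=$(printf '%s\n' "$1" | sed -n 's/^HOOKS=(\(.*\))$/\1/p')
    [ -n "$hooks" ] || return 1
    sysd=$(printf '%s\n' "$hooks" | tr ' ' '\n' | grep -n -x systemd | cut -d: -f1)
    enc=$(printf '%s\n' "$hooks" | tr ' ' '\n' | grep -n -x sd-encrypt | cut -d: -f1)
    [ -n "$sysd" ] && [ -n "$enc" ] && [ "$sysd" -lt "$enc" ] || return 1
    ! printf '%s\n' "$hooks" | tr ' ' '\n' | grep -q -x -e udev -e encrypt
}

# Live check against the installed files; run as root inside the chroot.
check_install() {
    dev=$1
    cmdline=$(cat /etc/kernel/cmdline)
    want=$(cmdline_luks_uuid "$cmdline")
    have=$(cryptsetup luksUUID "$dev")
    [ "$want" = "$have" ] || { echo "UUID mismatch: cmdline=$want disk=$have"; return 1; }
    hooks_ok "$(grep '^HOOKS=' /etc/mkinitcpio.conf)" || { echo "HOOKS line is wrong"; return 1; }
    echo "ok: $dev will be opened as /dev/mapper/$(cmdline_luks_name "$cmdline")"
}

# Only the live check touches the disk, and only when a device is given.
case "${1:-}" in /dev/*) check_install "$1" ;; esac
```

Run it as `sh check-initramfs.sh /dev/sdb3` from inside the chroot; without an argument it only defines the functions.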
(X) Creating UKI
We now need to create the single image file that UEFI will directly call to boot the system. That's right, there's no intermediary bootloader like GRUB or systemd-boot in this setup.
To create the UKI we edit the preset file for our kernel found in /etc/mkinitcpio.d, uncomment the lines that create the UKI and comment out the lines that create a separate initramfs.img file.
# mkinitcpio preset file for the 'linux-zen' package
#ALL_config="/etc/mkinitcpio.conf"
ALL_kver="/boot/vmlinuz-linux-zen"
PRESETS=('default' 'fallback')
#default_config="/etc/mkinitcpio.conf"
#default_image="/boot/initramfs-linux-zen.img"
default_uki="/boot/EFI/Linux/arch-linux-zen.efi"
default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp"
#fallback_config="/etc/mkinitcpio.conf"
#fallback_image="/boot/initramfs-linux-zen-fallback.img"
fallback_uki="/boot/EFI/Linux/arch-linux-zen-fallback.efi"
fallback_options="-S autodetect"
Finally build the UKI:
(XI) Create a UEFI boot entry, set timezone, locale, hostname
efibootmgr --create --disk /dev/sdb --part 1 --label "archlinux" --loader '\EFI\Linux\arch-linux-zen.efi' --unicode
While you're at it, you may want to remove some UEFI boot entries. Check out efibootmgr.
# ln -sf /usr/share/zoneinfo/Asia/Kolkata /etc/localtime
# timedatectl set-timezone Asia/Kolkata
# hwclock --systohc
Edit /etc/locale.gen and uncomment en_US.UTF-8 UTF-8
Reboot
(XII) Finishing up
Add your main user.
useradd -m -G wheel -s /usr/bin/zsh vector
passwd vector
# Now uncomment the setting to allow wheel group to use sudo
EDITOR=nvim visudo
su vector
cd ~
fzf --zsh > ~/.fzf.zsh
cp /mnt/vector/.zshrc ~/
cp /mnt/vector/.zsh_history ~/
chown vector:vector ~/.zshrc ~/.zsh_history
(XIII) Installing X: Getting suckless desktop
sudo pacman -S xorg-server xf86-video-amdgpu xmodmap dunst picom imagemagick feh xdotool \
ttf-sarasa-gothic ttf-iosevka-nerd noto-fonts-emoji sx dmenu chromium bitwarden-cli jq \
xclip notify-send maim tesseract tesseract-data-eng htop ranger mpv sxiv slock
Copy configs over:
cp /home/sshfs/vector/.config/dunst/dunstrc ./
cp /home/sshfs/vector/.config/sx/sxrc ~/.config/sx
cp /home/sshfs/vector/.Xmodmap ~/
cp /home/sshfs/vector/.config/picom/picom.conf ~/.config/picom
cp /home/sshfs/vector/admin/ttf-iosevka-term-ss12/ttf-iosevka-term-ss12-29.2.0-1-any.pkg.tar.zst ./
Install st, dwm, tabbed:
git clone git@github.com:vectorspacexyz/st.git
git clone git@github.com:vectorspacexyz/dwm.git
git clone git@github.com:vectorspacexyz/tabbed.git
git clone git@github.com:vectorspacexyz/slstatus.git
To install, do the usual:
(XIV) Setting up audio: pipewire
(XV) Setting up secure-boot
It's great that we have an encrypted root partition. But our boot partition, which contains the EFI stub kernel, is unencrypted. We don't want to be launching a possibly modified kernel. Therefore we need to configure the secure-boot functionality in UEFI so that it only allows launching binaries that are signed with our keys. For this we have to enrol our own public keys into the motherboard.
After setting up secure-boot in your motherboard UEFI, you need to boot back into your system and check that it's in setup mode.
This is how it appears before entering setup mode:
vector@ArchLinuxVS ~ $ sudo sbctl status
[sudo] password for vector:
Installed: ✗ sbctl is not installed
Setup Mode: ✓ Disabled
Secure Boot: ✗ Disabled
Vendor Keys: microsoft
Resetting the secure boot keys will make it enter setup mode. After secure boot was enabled and keys were deleted, this is how it appears:
vector@ArchLinuxVS ~ $ sudo sbctl status
[sudo] password for vector:
Installed: ✗ sbctl is not installed
Setup Mode: ✗ Enabled
Secure Boot: ✗ Disabled
Vendor Keys: none
Create keys:
Enrol keys:
[root@ArchLinuxVS vector]# sbctl enroll-keys -m
Enrolling keys to EFI variables...
With vendor keys from microsoft...✓
Enrolled keys to the EFI variables!
Status after enrolling keys:
[root@ArchLinuxVS vector]# sbctl status
Installed: ✓ sbctl is installed
Owner GUID: 8g3zd782-fn29-8365-rv78-261fgh673159
Setup Mode: ✓ Disabled
Secure Boot: ✗ Disabled
Vendor Keys: microsoft
Run sbctl verify to find out the files that have to be signed:
[root@ArchLinuxVS vector]# sbctl verify
Verifying file database and EFI images in /boot...
✗ /boot/EFI/Linux/arch-linux-zen-fallback.efi is not signed
✗ /boot/EFI/Linux/arch-linux-zen.efi is not signed
✗ /boot/vmlinuz-linux-zen is not signed
Sign them:
sbctl sign -s /boot/EFI/Linux/arch-linux-zen-fallback.efi
sbctl sign -s /boot/EFI/Linux/arch-linux-zen.efi
sbctl sign -s /boot/vmlinuz-linux-zen
Verify they're signed:
[root@ArchLinuxVS vector]# sbctl verify
Verifying file database and EFI images in /boot...
✓ /boot/vmlinuz-linux-zen is signed
✓ /boot/EFI/Linux/arch-linux-zen-fallback.efi is signed
✓ /boot/EFI/Linux/arch-linux-zen.efi is signed
Reboot and check sbctl status:
vector@ArchLinuxVS ~ $ sudo sbctl status
[sudo] password for vector:
Installed: ✓ sbctl is installed
Owner GUID: 8g3zd782-fn29-8365-rv78-261fgh673159
Setup Mode: ✓ Disabled
Secure Boot: ✓ Enabled
Vendor Keys: microsoft
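The sbctl output above is also easy to check automatically after every reboot or kernel update. The script below is an added example, not part of the original notes or of sbctl itself: it parses `sbctl status` and `sbctl verify` output in the format shown above and fails unless Secure Boot is enforcing and nothing under /boot is unsigned.

```shell
#!/bin/sh
# Added example, not part of the original notes: a post-reboot check that
# parses the "sbctl status" and "sbctl verify" output shown above and fails
# unless Secure Boot is enabled, Setup Mode is off and every image under
# /boot is signed. An unsigned UKI left behind by a kernel update would
# otherwise only show up as a refused boot. The parsers read stdin so they
# can be run on captured output; sbctl itself is assumed to be installed.

# Return 0 only if the status text shows Secure Boot enabled and Setup Mode
# disabled, i.e. the firmware is actually enforcing our keys.
sb_status_ok() {
    status=$(cat)
    printf '%s\n' "$status" | grep -q '^Secure Boot:.*Enabled$' || return 1
    printf '%s\n' "$status" | grep -q '^Setup Mode:.*Disabled$' || return 1
    ! printf '%s\n' "$status" | grep -q 'sbctl is not installed'
}

# Print the paths that "sbctl verify" reports as not signed, one per line.
unsigned_files() {
    sed -n 's/^✗ \(.*\) is not signed$/\1/p'
}

# Number of unsigned files in a verify report (0 when everything is signed).
unsigned_count() {
    n=$(unsigned_files | grep -c .) || true
    echo "${n:-0}"
}

# Run both checks against the live system (needs root, like sbctl itself).
check_secure_boot() {
    sbctl status | sb_status_ok || { echo "secure boot is not enforcing"; return 1; }
    bad=$(sbctl verify | unsigned_files)
    [ -z "$bad" ] || { printf 'unsigned:\n%s\n' "$bad"; return 1; }
    echo "secure boot enabled and every image in /boot is signed"
}

# Only run the live check on request, so the functions can be sourced.
case "${1:-}" in --check) check_secure_boot ;; esac
```

Run `sudo sh sb-check.sh --check`; a non-zero exit means either the firmware is not enforcing or a file in /boot still needs `sbctl sign -s`.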
Setting up screenlock
FDE protects our data when powered off and secure boot gives us some degree of confidence that the files in our unencrypted boot partition have not been tampered with. Given that we've configured these two, it would be ironic if our device got hacked owing to the lack of a simple screenlock.
Section "ServerFlags"
Option "DontVTSwitch" "True"
Option "DontZap" "True"
EndSection
Always execute slock if you're leaving your computer powered on.
TODOs:
- make console loadkeys automatic
(XIII) Setting my archlinux desktop
- suckless software
- dunst
- xmodmap
- ranger
- ffmpegthumbnailer
- mkdocs-material
- picom
- wpa_supplicant
- sxiv
- mpv
- xpdf
- qxmledit
- xbindkeys.
Tips
makepkg and PKGBUILD
Set default apps
Skip annoying gpg checks
Steps to add a custom repository in archlinux
Create the repository root in /home owned by the current user
Create a signed repository database
- Note that the name I specified in pacman.conf was custom-testing.
- The database file pacman expects in the root directory is custom-testing.db.
- When adding the database through repo-add -s, I specify the same custom-testing.db but in compressed form, custom-testing.db.tar.gz.
Edit /etc/pacman.conf to add a new entry for our repository
# sudo vim /etc/pacman.conf