en:server:operating_systems:arch_linux

Differences

This shows you the differences between two versions of the page.

en:server:operating_systems:arch_linux [2022/01/06 05:34] – [Bootloader] changed creating files with echo including UUID; deleted info alert dan
en:server:operating_systems:arch_linux [2024/03/07 20:29] – [Create an initial ramdisk] updated upstream changes - microcode hook by default dan
Line 1: Line 1:
-<alert type="warning" icon="fa fa-wrench">Work-in-Progress</alert> 
- 
 ====== Arch Linux ====== ====== Arch Linux ======
  
Line 14: Line 12:
   * NetworkManager   * NetworkManager
   * zram   * zram
 +  * doas/sudo
  
 **Desktop** **Desktop**
Line 19: Line 18:
   * Xorg   * Xorg
   * KDE / Plasma   * KDE / Plasma
-  * SDDM+  * SDDM/xinit
  
 ===== Download the ISO ===== ===== Download the ISO =====
  
 [[https://www.archlinux.org/download/]] [[https://www.archlinux.org/download/]]
 +
 +==== Verify the ISO image ====
 +
 +Check the two files in the same folder with the following command(s):
 +
 +  * for Arch users
 +    * ''pacman-key -v archlinux-<version>-x86_64.iso.sig''
 +  * other GnuPGP systems
 +    * ''gpg %%--%%keyserver pgp.mit.edu %%--%%keyserver-options auto-key-retrieve %%--%%verify archlinux-<version>-x86_64.iso.sig''
 +  * and check the sha256sum with the following command
 +    * ''sha256sum archlinux-<version>-x86_64.iso''
 +
 +<alert type="info" icon="fa fa-info-circle">Another method to verify the authenticity of the signature is to ensure that the public key's fingerprint is identical to the key fingerprint of the [[https://www.archlinux.org/people/developers/|Arch Linux developer]] who signed the ISO-file. See [[https://en.wikipedia.org/wiki/Public-key_cryptography|Wikipedia:Public-key_cryptography]] for more information on the public-key process to authenticate keys.</alert>
  
 ===== Inital setup ===== ===== Inital setup =====
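Review bot: The gpg bullet in the new "Verify the ISO image" section fetches the signing key with ''auto-key-retrieve'', so a good-signature result only shows that the .sig matches whatever key it names, not that the key belongs to an Arch Linux developer. The fingerprint comparison that the info alert presents as "another method" should be a required step after the gpg command, not an alternative. The ''sha256sum'' bullet should also say what the printed hash is compared against (the checksum published on the download page linked above), and "GnuPGP" should read "GnuPG".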
Line 77: Line 89:
 | /dev/sdb1 (home) (optional)  | xG     | Linux Filesystem (ext4,...)  | | /dev/sdb1 (home) (optional)  | xG     | Linux Filesystem (ext4,...)  |
  
-<alert type="info" icon="fa fa-info-circle">Optional the home partition /dev/sdb1 if you want to use another disk</alert>+<alert type="info" icon="fa fa-info-circle">As an option, the home partition - ''/dev/sdb1'', if you want to use another hard drive</alert>
  
 ===== LVM on LUKS ===== ===== LVM on LUKS =====
Line 142: Line 154:
  
 <code> <code>
-pacstrap /mnt base base-devel linux-hardened linux-hardened-docs linux-hardened-headers linux-firmware nano networkmanager lvm2+pacstrap /mnt base base-devel linux-hardened linux-hardened-docs linux-hardened-headers linux-firmware nano networkmanager lvm2 opendoas openssh
 </code> </code>
 +
 +<alert type="info" icon="fa fa-info-circle">If you encounter some issues, e.g. if you are using an older ISO, first run ''%%pacman -Sy archlinux-keyring && pacman-key --init && pacman-key --populate archlinux%%''.</alert>
  
 ===== Configure the system ===== ===== Configure the system =====
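Review bot: ''openssh'' is added to the pacstrap line without appearing in the component list at the top of the page, where this revision only adds doas/sudo. List it there with a sentence on why the base install needs an SSH server, or leave it out of pacstrap. In the new info alert, "some issues" is too vague to act on; name the symptom the keyring refresh is meant to fix.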
Line 176: Line 190:
 LC_TELEPHONE=en_US.UTF-8 LC_TELEPHONE=en_US.UTF-8
 LC_TIME=en_US.UTF-8 LC_TIME=en_US.UTF-8
-LC_ALL=en_US.UTF-8h" >> /etc/locale.conf+LC_ALL=en_US.UTF-8" >> /etc/locale.conf
 </code> </code>
  
Line 220: Line 234:
  
 <code> <code>
-HOOKS=(base udev autodetect keyboard keymap modconf block encrypt lvm2 filesystems fsck)+HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block filesystems fsck encrypt lvm2)
 </code> </code>
  
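Review bot: In the new HOOKS line, ''encrypt'' and ''lvm2'' have moved behind ''filesystems fsck'', while the removed line had them directly after ''block''. The revision summary only mentions the microcode hook, so the reordering looks unintended; for LVM on LUKS keep ''block encrypt lvm2 filesystems fsck'' and insert only the new hooks (''microcode'', ''kms'', ''consolefont'').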
Line 244: Line 258:
 linux /vmlinuz-linux-hardened linux /vmlinuz-linux-hardened
 initrd  /initramfs-linux-hardened-fallback.img initrd  /initramfs-linux-hardened-fallback.img
-options cryptdevice=UUID=$(blkid -s UUID -o value /dev/sda2)=root root=/dev/vg0/root rw" >> /boot/loader/entries/arch-fallback.conf+options cryptdevice=UUID=$(blkid -s UUID -o value /dev/sda2):root root=/dev/vg0/root rw" >> /boot/loader/entries/arch-fallback.conf
 </code> </code>
 +
 +==== Microcode ====
 +
 +Depends on your CPU - __//AMD//__ or __//Intel//__ - choose one of the following commands:
 +
 +<code>
 +pacman -S intel-ucode
 +</code>
 +<code>
 +pacman -S amd-ucode
 +</code>
 +
 +and add ''initrd /**intel**-ucode.img'' or ''initrd /**amd**-ucode.img'' above ''initrd /initramfs-linux-hardened.img'', ''initrd /initramfs-linux-hardened-**fallback**.img'' in ''/boot/loader/entries/arch.conf'' and ''/boot/loader/entries/arch-**fallback**.conf''
 +
 +==== doas ====
 +
 +Allow members of group ''wheel'' to run commands:
 +
 +<code>
 +echo "permit persist :wheel" >> /etc/doas.conf
 +chown -c root:root /etc/doas.conf
 +chmod -c 0400 /etc/doas.conf
 +</code>
 +
 +<alert type="danger" icon="fa fa-warning">The ''persist'' feature is disabled by default [....] This feature is new and potentially dangerous, in the original doas, a kernel API is used to set and clear timeouts. This API is openbsd specific and no similar API is available on other operating systems.
 + </alert>
 +
 +=== Sudo user? ===
 +
 +<code>
 +pacman -Rsn opendoas
 +pacman -S sudo
 +</code>
 +
 +Enable ''wheel'' for your sudo user.
 +
 +<code>
 +visudo
 +</code>
 +<code>
 +%wheel ALL=(ALL:ALL) ALL
 +</code>
 +
 +or
 +
 +<code>
 +echo "alias sudo='doas'
 +alias sudoedit='doas rnano'" >> ~/.bashrc
 +ln -s $(which doas) /usr/bin/sudo
 +</code>
 +
 +==== Add user ====
 +
 +Change ''USER'' to your name.
 +
 +<code>
 +useradd -m -G wheel -s /bin/bash USER
 +passwd USER
 +</code>
 +
 +==== zram ====
 +
 +
 +=== Module ===
 +
 +<code>
 +echo "zram" >> /etc/modules-load.d/zram.conf
 +</code>
 +
 +=== Modprobe ===
 +
 +<code>
 +echo "options zram num_devices=1" >> /etc/modprobe.d/zram.conf
 +</code>
 +
 +=== Udev ===
 +
 +<code>
 +echo 'KERNEL=="zram0", ATTR{disksize}="4GB" RUN="/usr/bin/mkswap /dev/zram0", TAG+="systemd"' >> /etc/udev/rules.d/99-zram.rules
 +</code>
 +
 +=== Fstab ===
 +
 +<code>
 +echo "# swap
 +/dev/zram0 none swap defaults 0 0
 +" >> /etc/fstab
 +</code>
 +
 +==== Enable services ====
 +
 +<code>
 +systemctl enable --now NetworkManager.service
 +systemctl enable --now sshd.service
 +</code>
 +
 +==== (Optional) Add key for home partition ====
 +
 +If you have decided to use an additional partition or drive, you can also use a key instead of entering the passphrase over and over again. This way it only stays for root to enter the passphrase.
 +
 +<code>
 +mkdir /etc/luks-keys/
 +dd bs=512 count=4 if=/dev/urandom of=/etc/luks-keys/home.bin
 +chmod -cR 0400 /etc/luks-keys/
 +cryptsetup luksAddKey /dev/sdb1 /etc/luks-keys/home.bin
 +echo "home           /dev/sdb1                                    /etc/luks-keys/home.bin" >> /etc/crypttab
 +</code>
 +
 +==== Reboot ====
 +
 +<code>
 +exit
 +</code>
 +<code>
 +umount -R /mnt
 +reboot
 +</code>
 +
 +=== (Optional) Connect to wifi if needed  ===
 +
 +<code>
 +nmcli d wifi list
 +nmcli dev wifi connect SSID password 'password'
 +</code>
 +
 +
 +<alert type="info">Congratulation 🍻 The server part is done! Continue with [[en:desktop:environments:kde|KDE]] if you want to install a desktop environment. Also create a [[en:backup:server|backup]].</alert>
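Review bot: The new doas section writes ''permit persist :wheel'' and then quotes, in the danger alert directly below it, that ''persist'' is disabled by default and potentially dangerous outside OpenBSD; document ''permit :wheel'' as the default and describe ''persist'' as an opt-in. In "Enable services", ''systemctl enable --now'' is run before the later ''exit'' and ''umount -R /mnt'', that is, inside the chroot, where ''--now'' cannot start anything, and sshd is enabled without a word on its configuration; plain ''systemctl enable'' plus a note on key-based login would fit better. The crypttab line names ''/dev/sdb1'' although the boot entry in this same hunk takes the UUID from ''blkid''; a ''UUID='' entry would survive device renumbering. The "Sudo user?" section removes opendoas and then, after "or", offers aliases and a ''/usr/bin/sudo'' symlink that only work with doas installed, so the two alternatives need to be separated clearly. With the ''microcode'' hook added to HOOKS in this revision, the extra ''initrd /intel-ucode.img'' or ''initrd /amd-ucode.img'' line in the new Microcode section is redundant, because the hook already packs the microcode into the initramfs.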
  • en/server/operating_systems/arch_linux.txt
  • Last modified: 2024/03/07 20:30
  • by dan