Differences

This shows you the differences between two versions of the page.

--- en:server:operating_systems:arch_linux [2022/01/06 05:34] – [Bootloader] changed creating files with echo including UUID; deleted info alert dan
+++ en:server:operating_systems:arch_linux [2024/03/07 20:30] (current) – [Microcode] updated upstream changes - microcode hook in mkinitcpio.conf by default dan
@@ Line 1: / Line 1: @@
-<alert type="warning" icon="fa fa-wrench">Work-in-Progress</alert>
 ====== Arch Linux ======
@@ Line 14: / Line 12: @@
   * NetworkManager
   * zram
+  * doas/sudo
 **Desktop**
@@ Line 19: / Line 18: @@
   * Xorg
   * KDE / Plasma
-  * SDDM
+  * SDDM/xinit
 ===== Download the ISO =====
 [[https://www.archlinux.org/download/]]
+==== Verify the ISO image ====
+Check the two files in the same folder with the following command(s):
+  * for Arch users
+    * ''pacman-key -v archlinux-<version>-x86_64.iso.sig''
+  * other GnuPGP systems
+    * ''gpg %%--%%keyserver pgp.mit.edu %%--%%keyserver-options auto-key-retrieve %%--%%verify archlinux-<version>-x86_64.iso.sig''
+  * and check the sha256sum with the following command
+    * ''sha256sum archlinux-<version>-x86_64.iso''
+<alert type="info" icon="fa fa-info-circle">Another method to verify the authenticity of the signature is to ensure that the public key's fingerprint is identical to the key fingerprint of the [[https://www.archlinux.org/people/developers/|Arch Linux developer]] who signed the ISO-file. See [[https://en.wikipedia.org/wiki/Public-key_cryptography|Wikipedia:Public-key_cryptography]] for more information on the public-key process to authenticate keys.</alert>
 ===== Inital setup =====
@@ Line 77: / Line 89: @@
 | /dev/sdb1 (home) (optional)  | xG     | Linux Filesystem (ext4,...)  |
-<alert type="info" icon="fa fa-info-circle">Optional the home partition /dev/sdb1 if you want to use another disk</alert>
+<alert type="info" icon="fa fa-info-circle">As an option, the home partition - ''/dev/sdb1'', if you want to use another hard drive</alert>
 ===== LVM on LUKS =====
@@ Line 142: / Line 154: @@
 <code>
-pacstrap /mnt base base-devel linux-hardened linux-hardened-docs linux-hardened-headers linux-firmware nano networkmanager lvm2
+pacstrap /mnt base base-devel linux-hardened linux-hardened-docs linux-hardened-headers linux-firmware nano networkmanager lvm2 opendoas openssh
 </code>
+<alert type="info" icon="fa fa-info-circle">If you encounter some issues, e.g. if you are using an older ISO, first run ''%%pacman -Sy archlinux-keyring && pacman-key --init && pacman-key --populate archlinux%%''.</alert>
 ===== Configure the system =====
@@ Line 176: / Line 190: @@
 LC_TELEPHONE=en_US.UTF-8
 LC_TIME=en_US.UTF-8
-LC_ALL=en_US.UTF-8h" >> /etc/locale.conf
+LC_ALL=en_US.UTF-8" >> /etc/locale.conf
 </code>
@@ Line 220: / Line 234: @@
 <code>
-HOOKS=(base udev autodetect keyboard keymap modconf block encrypt lvm2 filesystems fsck)
+HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block filesystems fsck encrypt lvm2)
 </code>
@@ Line 244: / Line 258: @@
 linux /vmlinuz-linux-hardened
 initrd  /initramfs-linux-hardened-fallback.img
-options cryptdevice=UUID=$(blkid -s UUID -o value /dev/sda2)=root root=/dev/vg0/root rw" >> /boot/loader/entries/arch-fallback.conf
+options cryptdevice=UUID=$(blkid -s UUID -o value /dev/sda2):root root=/dev/vg0/root rw" >> /boot/loader/entries/arch-fallback.conf
 </code>
+==== Microcode ====
+Depends on your CPU - __//AMD//__ or __//Intel//__ - choose one of the following commands:
+<code>
+pacman -S intel-ucode
+</code>
+<code>
+pacman -S amd-ucode
+</code>
+==== doas ====
+Allow members of group ''wheel'' to run commands:
+<code>
+echo "permit persist :wheel" >> /etc/doas.conf
+chown -c root:root /etc/doas.conf
+chmod -c 0400 /etc/doas.conf
+</code>
+<alert type="danger" icon="fa fa-warning">The ''persist'' feature is disabled by default [....] This feature is new and potentially dangerous, in the original doas, a kernel API is used to set and clear timeouts. This API is openbsd specific and no similar API is available on other operating systems.
+ </alert>
+=== Sudo user? ===
+<code>
+pacman -Rsn opendoas
+pacman -S sudo
+</code>
+Enable ''wheel'' for your sudo user.
+<code>
+visudo
+</code>
+<code>
+%wheel ALL=(ALL:ALL) ALL
+</code>
+or
+<code>
+echo "alias sudo='doas'
+alias sudoedit='doas rnano'" >> ~/.bashrc
+ln -s $(which doas) /usr/bin/sudo
+</code>
+==== Add user ====
+Change ''USER'' to your name.
+<code>
+useradd -m -G wheel -s /bin/bash USER
+passwd USER
+</code>
+==== zram ====
+=== Module ===
+<code>
+echo "zram" >> /etc/modules-load.d/zram.conf
+</code>
+=== Modprobe ===
+<code>
+echo "options zram num_devices=1" >> /etc/modprobe.d/zram.conf
+</code>
+=== Udev ===
+<code>
+echo 'KERNEL=="zram0", ATTR{disksize}="4GB" RUN="/usr/bin/mkswap /dev/zram0", TAG+="systemd"' >> /etc/udev/rules.d/99-zram.rules
+</code>
+=== Fstab ===
+<code>
+echo "# swap
+/dev/zram0 none swap defaults 0 0
+" >> /etc/fstab
+</code>
+==== Enable services ====
+<code>
+systemctl enable --now NetworkManager.service
+systemctl enable --now sshd.service
+</code>
+==== (Optional) Add key for home partition ====
+If you have decided to use an additional partition or drive, you can also use a key instead of entering the passphrase over and over again. This way it only stays for root to enter the passphrase.
+<code>
+mkdir /etc/luks-keys/
+dd bs=512 count=4 if=/dev/urandom of=/etc/luks-keys/home.bin
+chmod -cR 0400 /etc/luks-keys/
+cryptsetup luksAddKey /dev/sdb1 /etc/luks-keys/home.bin
+echo "home           /dev/sdb1                                    /etc/luks-keys/home.bin" >> /etc/crypttab
+</code>
+==== Reboot ====
+<code>
+exit
+</code>
+<code>
+umount -R /mnt
+reboot
+</code>
+=== (Optional) Connect to wifi if needed  ===
+<code>
+nmcli d wifi list
+nmcli dev wifi connect SSID password 'password'
+</code>
+<alert type="info">Congratulation 🍻 The server part is done! Continue with [[en:desktop:environments:kde|KDE]] if you want to install a desktop environment. Also create a [[en:backup:server|backup]].</alert>