en:server:operating_systems:arch_linux

Arch Linux

The guide is for both - server and desktop.

It includes:

Server & Desktop

  • UEFI
  • systemd-boot
  • LVM on LUKS
  • NetworkManager
  • zram
  • doas
  • nftables

Desktop

  • Xorg
  • KDE / Plasma
  • SDDM

Download the ISO

https://www.archlinux.org/download/

Inital setup

If using a US keyboard: 

ls /usr/share/kbd/keymaps/**/*.map.gz
loadkeys us

Check if system is under UEFI: 

ls /sys/firmware/efi/efivars

Connect to wifi if needed 

iwctl
device list
station DEVICE_NAME scan
station DEVICE_NAME get-networks
station DEVICE_NAME connect SSID

Enable NTP and set timezone 

timedatectl set-ntp true
timedatectl set-timezone Pacific/Auckland

Test Connection 

ping techsaviours.org -c 1

Format disk/s and create partitions

Format your disks and create GPT table. 

cfdisk /dev/sd*

Typical partitions look like this:

Partitions Space Type
/dev/sda1 (boot) 512M EFI System
/dev/sda2 (root) xG Linux Filesystem (ext4,…)
/dev/sdb1 (home) (optional) xG Linux Filesystem (ext4,…)

LVM on LUKS

Create LUKS

root 

cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 /dev/sda2
cryptsetup open /dev/sda2 root

home (Optional) Second disk (/dev/sdb1) 

cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 /dev/sdb1
cryptsetup open /dev/sdb1 home

Create LVM

Preparing the physical volumes, volume groups and logical volumes

root 

pvcreate /dev/mapper/root
vgcreate vg0 /dev/mapper/root
lvcreate -l 100%FREE vg0 -n root

home (optional) 

pvcreate /dev/mapper/home
vgcreate vg1 /dev/mapper/home
lvcreate -l 100%FREE vg1 -n home

Format filesystems and mount

root 

mkfs.ext4 /dev/vg0/root
mount /dev/vg0/root /mnt

boot 

mkfs.fat -F32 /dev/sda1
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot

home (optional) 

mkfs.ext4 /dev/vg1/home
mkdir /mnt/home
mount /dev/vg1/home /mnt/home

Install the base packages

pacstrap /mnt base base-devel linux-hardened linux-hardened-docs linux-hardened-headers linux-firmware nano networkmanager lvm2 opendoas openssh iptables-nft

Configure the system

genfstab -U /mnt > /mnt/etc/fstab
arch-chroot /mnt

Timezone

ln -sf /usr/share/zoneinfo/Pacific/Auckland /etc/localtime
hwclock --systohc

Uncomment your location. For example: en_US.UTF-8 UTF-8 

nano /etc/locale.gen
echo "LANG=en_US.UTF-8
LC_ADDRESS=en_US.UTF-8
LC_IDENTIFICATION=en_US.UTF-8
LC_MEASUREMENT=en_US.UTF-8
LC_MONETARY=en_US.UTF-8
LC_NAME=en_US.UTF-8
LC_NUMERIC=en_US.UTF-8
LC_PAPER=en_US.UTF-8
LC_TELEPHONE=en_US.UTF-8
LC_TIME=en_US.UTF-8
LC_ALL=en_US.UTF-8" >> /etc/locale.conf
locale-gen

Keyboard layout

ls /usr/share/kbd/keymaps/**/*.map.gz
nano /etc/vconsole.conf
KEYMAP=YOUR_KEYBOARD

Hostname

echo "arch" > /etc/hostname

Host file

echo "127.0.0.1 localhost
::1 localhost
127.0.1.1 arch.localdomain arch" >> /etc/hosts

root password

passwd

Create an initial ramdisk

nano /etc/mkinitcpio.conf
HOOKS=(base udev autodetect keyboard keymap modconf block encrypt lvm2 filesystems fsck)
mkinitcpio -P

Bootloader

bootctl install
echo "title Arch Linux
linux /vmlinuz-linux-hardened
initrd /initramfs-linux-hardened.img
options cryptdevice=UUID=$(blkid -s UUID -o value /dev/sda2):root root=/dev/vg0/root rw" >> /boot/loader/entries/arch.conf
echo "title Arch Linux (fallback initramfs)
linux /vmlinuz-linux-hardened
initrd  /initramfs-linux-hardened-fallback.img
options cryptdevice=UUID=$(blkid -s UUID -o value /dev/sda2)=root root=/dev/vg0/root rw" >> /boot/loader/entries/arch-fallback.conf

Microcode

Depends on your CPU - AMD or Intel - choose one of the following commands: 

pacman -S intel-ucode
pacman -S amd-ucode

and add initrd /intel-ucode.img or initrd /amd-ucode.img above initrd /initramfs-linux-hardened.img, initrd /initramfs-linux-hardened-fallback.img in /boot/loader/entries/arch.conf and /boot/loader/entries/arch-fallback.conf

doas

Allow members of group wheel to run commands: 

echo "permit persist :wheel" >> /etc/doas.conf
chown -c root:root /etc/doas.conf
chmod -c 0400 /etc/doas.conf

Sudo user?

pacman -Rsn opendoas
pacman -S sudo

or 

echo "alias sudo='doas'
alias sudoedit='doas rnano'" >> ~/.bashrc

Add user

Change USER to your name. 

useradd -m -G wheel -s /bin/bash USER
passwd USER

zram

Module

echo "zram" >> /etc/modules-load.d/zram.conf

Modprobe

echo "options zram num_devices=1" >> /etc/modprobe.d/zram.conf

Udev

echo 'KERNEL=="zram0", ATTR{disksize}="4GB" RUN="/usr/bin/mkswap /dev/zram0", TAG+="systemd"' >> /etc/udev/rules.d/99-zram.rules

Fstab

echo "# swap
/dev/zram0 none swap defaults 0 0
" >> /etc/fstab

Enable services

systemctl enable --now NetworkManager.service
systemctl enable --now sshd.service

(Optional) Add key for home partition

If you have decided to use an additional partition or drive, you can also use a key instead of entering the passphrase over and over again. This way it only stays for root to enter the passphrase. 

mkdir /etc/luks-keys/
dd bs=512 count=4 if=/dev/urandom of=/etc/luks-keys/home.bin
chmod -cR 0400 /etc/luks-keys/
cryptsetup luksAddKey /dev/sdb1 /etc/luks-keys/home.bin
echo "home           /dev/sdb1                                    /etc/luks-keys/home.bin" >> /etc/crypttab

Reboot

exit
umount -R /mnt
reboot
  • en/server/operating_systems/arch_linux.txt
  • Last modified: 2022/02/26 06:49
  • by dan