added intoduction to arch guide. TODO: add section on risk profile.
This commit is contained in:
parent
7365c708e3
commit
2fd81b4692
112
arch.adoc
112
arch.adoc
|
@ -1,8 +1,53 @@
|
||||||
installing btrfs, systemd-boot, and LUKS with a hibernateable swap partition.
|
= Installing btrfs, systemd-boot, and LUKS with suspend to disk on encrypted swap partition.
|
||||||
|
|
||||||
|
Ive been using archlinux for several years now.
|
||||||
|
Of course, my first installs were... blunderous, as i wanted to do full disk encryption from the get-go, and I didnt know what I was doing.
|
||||||
|
After those first one or two installs, I generally settled on LVM on LUKS with a GRUB bootloader and my swap on an LVM volume,
|
||||||
|
mostly because it makes it much easier to setup hibernation/suspend to disk vs, say, a swap file.
|
||||||
|
(with a swap file, you have to deal with file offsets, and I have never gotten a satisfactory awnser as to whether its possible for the filesystem to just *move* a file to a different disk sector in the process of, say, defragging with a very full hard drive.)
|
||||||
|
|
||||||
|
Anyway, with my newest laptop,
|
||||||
|
(I tend through them more than normal, as I buy them used off windows users once they become slow, but they are plenty fast for X11 less use or even light X11 use)
|
||||||
|
I decided to try out btrfs, in large part due to its snapshot system and ability to transfer those snapshots over a network.
|
||||||
|
(Im hoping to make a lightweight filesystem backup using this, on top of the data-level backups I currently use.)
|
||||||
|
|
||||||
|
However, suspend-to-disk is also quite important to me, and the archwiki is really only clear on how to do that with unencrypted partitions, LVM on LUKS, and on swapfiles.
|
||||||
|
The archwiki has some info on how to do it for the encrypt hook with a custom mkinitcpio hook, or with sd-encrytp hooks by just specifying multiple devices, but I didnt want to be writing a ton of custom config for the encrypt hook, and the section on sd-encrypt left some important quesions unawnsered.
|
||||||
|
|
||||||
|
////
|
||||||
|
I awnsered some of these questions:
|
||||||
|
|
||||||
|
//TODO: prettify this list.
|
||||||
|
- Does it matter if you use the kernel command line aurguments or /etc/crypttab.initramfs for suspend-to-disk support? no, but only use one or the other, not both.
|
||||||
|
|
||||||
|
- Does using /etc/crypttab.initramfs work when resuming from hibernate? yes.
|
||||||
|
|
||||||
|
- sd-encrypt caches your pw so that if multiple volumes can be unlocked with the same password, does that work with cryptab? yes.
|
||||||
|
|
||||||
|
- Is it safe to use the filesystem label when using /etc/cryptab.initramfs? yes. The filesystem label is persistent between boots and is stored in the FS header, along with the FS UUID you normaly use. It is exactly as persistent as the FS UUID.
|
||||||
|
////
|
||||||
|
|
||||||
|
== A note on security and risk profiles
|
||||||
|
|
||||||
|
TODO
|
||||||
|
|
||||||
|
== Things you should do first
|
||||||
|
|
||||||
|
Because some things are quite dependent on your system and network, as well as the type of system you end up with,
|
||||||
|
I will not be detailing some of the early setup steps, such as creating and booting from the arch ISO, or the final steps,
|
||||||
|
such as setting up a graphical environment.
|
||||||
|
Also, some of the middle steps require some modification depending on what sort of final setup you want, and your hardware.
|
||||||
|
I will call out those modifications in the relevant steps.
|
||||||
|
|
||||||
|
All this said, I would discorage you from blindly following this guide if its your first time installing arch (or a similarly diy distro like gentoo).
|
||||||
|
You should clearly understand what most of these commands do before typing them in.
|
||||||
|
|
||||||
|
Anyway, start by booting up the arch ISO...
|
||||||
|
|
||||||
== Installing via ssh
|
== Installing via ssh
|
||||||
|
|
||||||
It can sometimes be nice to install using the same computer you are reading this documentation on.
|
Sometimes, you dont want to be switching from the computer you are installing linux on and the computer wtih the documentatoin and google on it,
|
||||||
|
and Ive found the best way to avoid that is to set up a simple ssh session from the arch ISO to the computer with the documentation on it.
|
||||||
|
|
||||||
[IMPORTANT]
|
[IMPORTANT]
|
||||||
====
|
====
|
||||||
|
@ -11,26 +56,35 @@ We are only doing this because we are (hopefully) on a personal network, and the
|
||||||
====
|
====
|
||||||
|
|
||||||
On the installee, make a password for the root account
|
On the installee, make a password for the root account
|
||||||
|
....
|
||||||
# passwd
|
# passwd
|
||||||
|
....
|
||||||
|
|
||||||
Enable SSH using
|
Enable SSH using
|
||||||
|
|
||||||
|
....
|
||||||
# systemctl start sshd.service
|
# systemctl start sshd.service
|
||||||
|
....
|
||||||
|
|
||||||
Find the ip adress with
|
Find the ip adress with
|
||||||
|
|
||||||
|
....
|
||||||
# ip addr show
|
# ip addr show
|
||||||
|
....
|
||||||
|
|
||||||
you are looking for a line like
|
you are looking for a line like
|
||||||
|
|
||||||
|
....
|
||||||
inet 192.168.1.162/24 brd 192.168.1.255 scope global dynamic enp0s25
|
inet 192.168.1.162/24 brd 192.168.1.255 scope global dynamic enp0s25
|
||||||
|
....
|
||||||
|
|
||||||
in this case, my LAN IP is 192.168.1.162
|
in this case, my LAN IP is 192.168.1.162
|
||||||
|
|
||||||
now, on the pc you are going to be SSHing from,
|
now, on the pc you are going to be SSHing from,
|
||||||
|
|
||||||
|
....
|
||||||
# ssh root@[ip we just found on installee]
|
# ssh root@[ip we just found on installee]
|
||||||
|
....
|
||||||
|
|
||||||
and type in the password you set on the installee
|
and type in the password you set on the installee
|
||||||
|
|
||||||
|
@ -40,11 +94,15 @@ now lets continue with the installation.
|
||||||
|
|
||||||
verify you are connected to the internet
|
verify you are connected to the internet
|
||||||
|
|
||||||
|
....
|
||||||
# ping 1.1.1.1
|
# ping 1.1.1.1
|
||||||
|
....
|
||||||
|
|
||||||
turn on ntp
|
turn on ntp
|
||||||
|
|
||||||
|
....
|
||||||
# timedatectl set-ntp true
|
# timedatectl set-ntp true
|
||||||
|
....
|
||||||
|
|
||||||
== Partitioning
|
== Partitioning
|
||||||
|
|
||||||
|
@ -60,37 +118,49 @@ a btrfs partition containing the rest of the space.
|
||||||
|
|
||||||
Encrypt the btrfs parition with
|
Encrypt the btrfs parition with
|
||||||
|
|
||||||
|
....
|
||||||
# cryptsetup luksFormat /dev/sda3
|
# cryptsetup luksFormat /dev/sda3
|
||||||
|
|
||||||
# cryptsetup config --label="btrfs" /dev/sda3
|
# cryptsetup config --label="btrfs" /dev/sda3
|
||||||
|
....
|
||||||
|
|
||||||
and enter the encryption passkey. I reccomend making it a full sentence for security.
|
and enter the encryption passkey. I reccomend making it a full sentence for security.
|
||||||
|
|
||||||
Encrypt the swap partition. Use the same password as last time.
|
Encrypt the swap partition. Use the same password as last time.
|
||||||
|
|
||||||
|
....
|
||||||
# cryptsetup luksFormat /dev/sda2
|
# cryptsetup luksFormat /dev/sda2
|
||||||
|
|
||||||
# cryptsetup config --label="swap" /dev/sda2
|
# cryptsetup config --label="swap" /dev/sda2
|
||||||
|
....
|
||||||
|
|
||||||
now open the newly encrypted partitions
|
now open the newly encrypted partitions
|
||||||
|
|
||||||
|
....
|
||||||
# cryptsetup open /dev/sda2 swap
|
# cryptsetup open /dev/sda2 swap
|
||||||
|
|
||||||
# cryptsetup open /dev/sda3 btrfs
|
# cryptsetup open /dev/sda3 btrfs
|
||||||
|
....
|
||||||
|
|
||||||
== Filesystem creation
|
== Filesystem creation
|
||||||
|
|
||||||
format the EFI poartion with FAT32 and give it the label EFI (label can be something else.)
|
format the EFI poartion with FAT32 and give it the label EFI (label can be something else.)
|
||||||
|
|
||||||
|
....
|
||||||
# mkfs.vfat -F32 -n EFI /dev/sda1
|
# mkfs.vfat -F32 -n EFI /dev/sda1
|
||||||
|
....
|
||||||
|
|
||||||
format the swap partiton as swap
|
format the swap partiton as swap
|
||||||
|
|
||||||
|
....
|
||||||
# mkswap /dev/mapper/swap
|
# mkswap /dev/mapper/swap
|
||||||
|
....
|
||||||
|
|
||||||
format the root partition with btrfs and give the label root (label can be something else.)
|
format the root partition with btrfs and give the label root (label can be something else.)
|
||||||
|
|
||||||
|
....
|
||||||
# mkfs.btrfs -L btrfs /dev/mapper/btrfs
|
# mkfs.btrfs -L btrfs /dev/mapper/btrfs
|
||||||
|
....
|
||||||
|
|
||||||
== Creating and mounting subvolumes
|
== Creating and mounting subvolumes
|
||||||
|
|
||||||
|
@ -122,13 +192,17 @@ mount subvols and EFI partition
|
||||||
|
|
||||||
== installing base system, generating *stab
|
== installing base system, generating *stab
|
||||||
|
|
||||||
install arch (ajust this to suit your needs), change intel-ucode if using an AMD processor.
|
install arch (ajust this to suit your needs), change intel-ucode to amd-ucode if using an AMD processor.
|
||||||
|
|
||||||
|
....
|
||||||
# pacstrap /mnt linux linux-firmware base base-devel btrfs-progs zsh neovim git stow tmux connman wpa_supplicant openvpn fzf htop rsync tig tree xdg-user-dirs units python tree openssh w3m curl intel-ucode
|
# pacstrap /mnt linux linux-firmware base base-devel btrfs-progs zsh neovim git stow tmux connman wpa_supplicant openvpn fzf htop rsync tig tree xdg-user-dirs units python tree openssh w3m curl intel-ucode
|
||||||
|
....
|
||||||
|
|
||||||
generate an fstab
|
generate an fstab
|
||||||
|
|
||||||
|
....
|
||||||
# genfstab -U /mnt > /mnt/etc/fstab
|
# genfstab -U /mnt > /mnt/etc/fstab
|
||||||
|
....
|
||||||
|
|
||||||
make /mnt/etc/crypttab.initramfs containing:
|
make /mnt/etc/crypttab.initramfs containing:
|
||||||
|
|
||||||
|
@ -144,29 +218,41 @@ btrfs LABEL=btrfs
|
||||||
|
|
||||||
chroot into the new system
|
chroot into the new system
|
||||||
|
|
||||||
|
....
|
||||||
# arch-chroot /mnt/
|
# arch-chroot /mnt/
|
||||||
|
....
|
||||||
|
|
||||||
set time zone.
|
set time zone.
|
||||||
|
|
||||||
|
....
|
||||||
# ln -sf /usr/share/zoneinfo/Region/City /etc/localtime
|
# ln -sf /usr/share/zoneinfo/Region/City /etc/localtime
|
||||||
|
....
|
||||||
|
|
||||||
run hwclock
|
run hwclock
|
||||||
|
|
||||||
|
....
|
||||||
# hwclock --systohc
|
# hwclock --systohc
|
||||||
|
....
|
||||||
|
|
||||||
uncomment needed locales in /etc/locale.gen (you always need to at least uncomment en_US.UTF-8 UTF-8.)
|
uncomment needed locales in /etc/locale.gen (you always need to at least uncomment en_US.UTF-8 UTF-8.)
|
||||||
|
|
||||||
gen locales
|
gen locales
|
||||||
|
|
||||||
|
....
|
||||||
# locale-gen
|
# locale-gen
|
||||||
|
....
|
||||||
|
|
||||||
set LANG variable
|
set LANG variable
|
||||||
|
|
||||||
|
....
|
||||||
# echo 'LANG=en_US.UTF-8' > /etc/locale.conf
|
# echo 'LANG=en_US.UTF-8' > /etc/locale.conf
|
||||||
|
....
|
||||||
|
|
||||||
create the hostname file
|
create the hostname file
|
||||||
|
|
||||||
|
....
|
||||||
# echo '[myhostname]' > /etc/hostname
|
# echo '[myhostname]' > /etc/hostname
|
||||||
|
....
|
||||||
|
|
||||||
and add maching entries to /etc/hosts, like so (if static ip, use that. if dynamic, use 127)
|
and add maching entries to /etc/hosts, like so (if static ip, use that. if dynamic, use 127)
|
||||||
|
|
||||||
|
@ -186,11 +272,15 @@ HOOKS=(base systemd udev autodetect modconf block sd-encrypt btrfs resume filesy
|
||||||
|
|
||||||
and regen the initramfs
|
and regen the initramfs
|
||||||
|
|
||||||
|
....
|
||||||
# mkinitcpio -p linux
|
# mkinitcpio -p linux
|
||||||
|
....
|
||||||
|
|
||||||
install systemd-boot
|
install systemd-boot
|
||||||
|
|
||||||
|
....
|
||||||
# bootctl install
|
# bootctl install
|
||||||
|
....
|
||||||
|
|
||||||
create /boot/loader/entries/arch.conf containing:
|
create /boot/loader/entries/arch.conf containing:
|
||||||
|
|
||||||
|
@ -215,13 +305,17 @@ editor no
|
||||||
|
|
||||||
set root password
|
set root password
|
||||||
|
|
||||||
|
....
|
||||||
# passwd
|
# passwd
|
||||||
|
....
|
||||||
|
|
||||||
exit and shutdown the system
|
exit and shutdown the system
|
||||||
|
|
||||||
|
....
|
||||||
# exit
|
# exit
|
||||||
|
|
||||||
# shutdown now
|
# shutdown now
|
||||||
|
....
|
||||||
|
|
||||||
remove the install media, and boot back up. make sure everythign boots. from now on, configure the system as normal.
|
remove the install media, and boot back up. make sure everythign boots. from now on, configure the system as normal.
|
||||||
|
|
||||||
|
@ -229,20 +323,28 @@ remove the install media, and boot back up. make sure everythign boots. from now
|
||||||
|
|
||||||
add a non-root user
|
add a non-root user
|
||||||
|
|
||||||
|
....
|
||||||
# useradd -m -G wheel -s /bin/sh your_username
|
# useradd -m -G wheel -s /bin/sh your_username
|
||||||
# passwd your_username
|
# passwd your_username
|
||||||
|
....
|
||||||
|
|
||||||
symlink neovim to vi
|
symlink neovim to vi (assuming you installed neovim but not vi. modify as your installed packages call for.)
|
||||||
|
|
||||||
|
....
|
||||||
# ln -s /usr/bin/nvim /usr/bin/vi
|
# ln -s /usr/bin/nvim /usr/bin/vi
|
||||||
|
....
|
||||||
|
|
||||||
configure sudo
|
configure sudo
|
||||||
|
|
||||||
|
....
|
||||||
# visudo
|
# visudo
|
||||||
|
....
|
||||||
|
|
||||||
uncomment the line that reads
|
uncomment the line that reads
|
||||||
|
|
||||||
|
....
|
||||||
%wheel ALL=(ALL) ALL
|
%wheel ALL=(ALL) ALL
|
||||||
|
....
|
||||||
|
|
||||||
enable multilib: uncomment the following lines in /ec/pacman.conf
|
enable multilib: uncomment the following lines in /ec/pacman.conf
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue