@ungeskriptet
Last active November 27, 2024 15:20
My personal Arch Linux installation guide for a UEFI install with UKI and optionally Secure Boot (archinstall.md)

David's personal Arch Linux installation guide

Note

This guide is meant for my personal use. If you're installing Arch Linux for the first time, please follow the official installation guide instead.

1. Flashing the ISO

  1. Download the latest ISO file from https://ftp.halifax.rwth-aachen.de/archlinux/iso/latest/archlinux-x86_64.iso
    • $ curl https://ftp.halifax.rwth-aachen.de/archlinux/iso/latest/archlinux-x86_64.iso -O
  2. Flash the ISO
    • $ cat archlinux-x86_64.iso | sudo tee /dev/sdX > /dev/null
  3. Verify the flashed image on the USB drive (optional)
  • Automatic all-in-one command:
    • $ BLK=/dev/sdX URL=https://ftp.halifax.rwth-aachen.de/archlinux/iso/latest ISO=archlinux-x86_64.iso; curl $URL/$ISO -o $ISO && cat $ISO | sudo tee $BLK > /dev/null && (curl $URL/sha256sums.txt | grep $(sudo head -c $(wc -c < $ISO) $BLK | sha256sum) || echo "Checksum failed")
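
Step 3 on its own, as an added example that is not part of the original gist: it hashes only the ISO-sized prefix of the drive and compares it with the entry in the mirror's sha256sums.txt. The function names are illustrative, and the sha256sums.txt layout (`<hash>  <file name>` per line) is assumed.

```shell
#!/bin/sh
# Added example (not from the original gist): compare what was actually
# written to the USB drive with the SHA-256 published by the mirror.

# expected_sum SUMS_FILE ISO_NAME -> prints the hash listed for ISO_NAME.
# Assumed layout: "<64 hex digits>  <file name>" (name may carry a "*").
expected_sum() {
    awk -v name="$2" '$2 == name || $2 == "*" name { print $1; exit }' "$1"
}

# device_sum DEVICE NBYTES -> SHA-256 of the first NBYTES of DEVICE.
# The drive is larger than the ISO, so hashing the whole device would
# never match; only the ISO-sized prefix is compared.
device_sum() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# verify_flashed ISO DEVICE SUMS_FILE
# Returns 0 on a match, 1 on a mismatch, 2 if SUMS_FILE has no entry.
verify_flashed() {
    iso=$1 dev=$2 sums=$3
    want=$(expected_sum "$sums" "$(basename "$iso")")
    [ -n "$want" ] || { echo "no checksum entry for $iso" >&2; return 2; }
    size=$(( $(wc -c < "$iso") ))
    got=$(device_sum "$dev" "$size")
    if [ "$got" = "$want" ]; then
        echo "OK: $dev matches $iso"
    else
        echo "MISMATCH: expected $want, got $got" >&2
        return 1
    fi
}

# Usage on a real drive (as root, so the block device is readable):
#   curl -O https://ftp.halifax.rwth-aachen.de/archlinux/iso/latest/sha256sums.txt
#   verify_flashed archlinux-x86_64.iso /dev/sdX sha256sums.txt
```

A match shows the write was faithful to what the mirror serves; it does not authenticate the image, which takes the PGP signature check described in the official installation guide.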

2. Booting from the USB

  1. Disable secure boot in the UEFI setup menu on the computer or delete the Platform Key (PK) to put the computer in setup mode
    • On ASRock mainboards, the key to enter UEFI setup is "F2" or "Del", and "F11" opens the boot menu
    • On the CHUWI Hi10 X tablet, the key to enter UEFI setup is "Esc". An external keyboard has to be connected via USB-C
  2. Boot the computer from the USB drive via the boot menu or by changing the boot order
  3. Wait for the Arch Linux live ISO to boot up
  4. Log in as root (no password is required)
  5. Set the correct keyboard layout:
    # loadkeys de
    
  6. Connect to Wi-Fi:
    # iwctl --passphrase <passwd> station <wlan0> connect <SSID>
    

3. Partitioning the disk

Warning

The following commands are destructive. Make sure to back up all important data beforehand.

  1. Identify the correct disk:
    # lsblk
    
  2. Partition the disk:
    # sfdisk /dev/sdX << EOF
    label: gpt
    ,1G,U
    ;
    write
    EOF
    
    This command will create a 1 GiB EFI system partition and will use the rest of the disk as the rootfs
  3. Format the partitions:
    # mkfs.vfat /dev/sdX1
    # mkfs.ext4 /dev/sdX2
    
  4. Mount the filesystems:
    # mount /dev/sdX2 /mnt
    # mkdir -p /mnt/boot/efi
    # mount /dev/sdX1 /mnt/boot/efi
    # mkdir -p /mnt/boot/efi/EFI/BOOT
    

4. Install and configure the rootfs

  1. Install and create the rootfs:
    # pacstrap -K /mnt base linux linux-firmware sudo neovim git binutils curl less which networkmanager {amd,intel}-ucode tmux zsh zsh-autosuggestions zsh-syntax-highlighting sbctl make fakeroot debugedit gcc openssh python python-pip erofs-utils android-tools bc bison flex aarch64-linux-gnu-binutils aarch64-linux-gnu-gcc dosfstools inetutils pkgconf dtc binwalk fuse picocom python-argcomplete patch base-devel ripgrep zsh-completions usbutils rsync lsof
    
  2. Generate an fstab file:
    # genfstab -U /mnt >> /mnt/etc/fstab
    
  3. Chroot into the new rootfs:
    # arch-chroot /mnt
    
  4. Set time info:
    # ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
    # hwclock --systohc
    
  5. Configure the locales:
    # sed -i 's/#en_US.UTF-8/en_US.UTF-8/' /etc/locale.gen
    # locale-gen
    # echo "LANG=en_US.UTF-8" > /etc/locale.conf
    
  6. Configure the keyboard layout:
    # echo "KEYMAP=de" > /etc/vconsole.conf
    
  7. Set the hostname:
    # echo "david-pc" > /etc/hostname
    
  8. Configure users:
    # passwd root
    # useradd -mG wheel david
    # passwd david
    
  9. Set permissions for doas:
    # echo "permit nopass :wheel" > /etc/doas.conf
    # chown -c root:root /etc/doas.conf
    # chmod -c 0400 /etc/doas.conf
    # ln -s $(which doas) /usr/bin/sudo
    
  10. Configure sshd server:
    # echo -e "PasswordAuthentication no\nAuthenticationMethods publickey" > /etc/ssh/sshd_config.d/20-auth.conf
    
  11. Enable systemd services:
    # systemctl enable NetworkManager.service sshd.service
    
  12. Enable colored output for pacman:
    # sed -i 's/#Color/Color/' /etc/pacman.conf
    
  13. Allow unrestricted access to dmesg:
    # echo "kernel.dmesg_restrict=0" > /etc/sysctl.d/00-dmesg.conf 
    
  14. Disable automatic core dumps:
    # echo "kernel.core_pattern=|/bin/false" > /etc/sysctl.d/50-coredump.conf
    
  15. Change faillock settings:
    # echo -e "unlock_time = 60\ndeny = 100" >> /etc/security/faillock.conf
    

5. Set up Unified Kernel Image (UKI)

  1. Configure kernel parameters:
    # mkdir -p /etc/cmdline.d
    # echo "root=UUID=$(blkid -s UUID -o value /dev/sdX2) rw sysrq_always_enabled=1 audit=0 quiet loglevel=3" > /etc/cmdline.d/cmdline.conf
    
  2. Put the following content in /etc/mkinitcpio.d/linux.preset:
    # mkinitcpio preset file for the 'linux' package
    
    ALL_kver="/boot/vmlinuz-linux"
    
    PRESETS=('default')
    
    default_image="/boot/initramfs-linux.img"
    default_uki="/boot/efi/EFI/BOOT/BOOTX64.EFI"
    default_options="--splash=/usr/share/systemd/bootctl/splash-arch.bmp"
    
  3. Generate the EFI image:
    # mkinitcpio -p linux
    

6. Implement secure boot with custom keys

  1. Generate secure boot keys:
    # sbctl create-keys
    
  2. Generate the UKI again to sign the file:
    # mkinitcpio -p linux
    
  3. Enroll the keys:
    • If the computer is in setup mode (when no PK is enrolled), run this command:
      # sbctl enroll-keys -m
      
    • Otherwise, copy the keys to the ESP partition temporarily and enroll them manually in the UEFI setup menu:
      # cp -r /usr/share/secureboot/keys /boot/efi
      # systemctl reboot --firmware-setup
      
      • In the UEFI setup, enroll the PK, KEK and db keys
  4. Reboot the computer and check secure boot status:
    $ bootctl
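
An added check for steps 3 and 4 (not part of the original gist or of sbctl): it reads the SetupMode and SecureBoot variables from efivarfs to tell which enrollment branch applies, and lists any PEM private keys still on the ESP after the temporary copy. Function names are illustrative, and the keys are assumed to be PEM-encoded.

```shell
#!/bin/sh
# Added example (not from the original gist). The efivarfs directory and
# the ESP path are parameters so the functions can be tried on test data.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID

# efi_flag DIR NAME -> prints the variable's one-byte value (0 or 1).
# efivarfs files start with a 4-byte attribute field; the data follows.
efi_flag() {
    f="$1/$2-$EFI_GLOBAL"
    [ -r "$f" ] || return 1
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$v" ] && echo "$v"
}

# firmware_state [DIR] prints one of:
#   setup     - no PK enrolled, "sbctl enroll-keys" can write the keys
#   enforcing - Secure Boot is active
#   disabled  - a PK is enrolled but Secure Boot is switched off
#   unknown   - variables unreadable (e.g. not booted via UEFI)
firmware_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    setup=$(efi_flag "$dir" SetupMode) || { echo unknown; return; }
    sb=$(efi_flag "$dir" SecureBoot) || { echo unknown; return; }
    if [ "$setup" = 1 ]; then echo setup
    elif [ "$sb" = 1 ]; then echo enforcing
    else echo disabled
    fi
}

# leftover_private_keys [ESP] -> lists files on the ESP that contain a PEM
# private key. Returns 0 if any are found, 1 if the ESP is clean.
# The ESP is unencrypted FAT, so signing keys left there can be read by
# anyone with access to the disk.
leftover_private_keys() {
    grep -rlE -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "${1:-/boot/efi}" 2>/dev/null
}
```

Run `firmware_state` before step 3 to pick the branch and again after the reboot in step 4; run `leftover_private_keys` once the manual enrollment is done.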
    

7. Install a desktop environment

  • KDE Plasma:
    1. Configure keyboard layout for SDDM:
      $ sudo localectl set-x11-keymap de
      
    2. Install packages for KDE Plasma:
      $ sudo pacman -S pipewire pipewire-audio pipewire-pulse pipewire-alsa pipewire-jack sddm bluedevil breeze-gtk drkonqi gwenview kde-gtk-config kdeplasma-addons kgamma kinfocenter kscreen ksshaskpass kwallet-pam kate ocean-sound-theme plasma-browser-integration plasma-desktop plasma-disks plasma-nm plasma-pa plasma-systemmonitor plasma-vault plasma-workspace-wallpapers powerdevil print-manager sddm-kcm xdg-desktop-portal-kde flatpak-kcm ark dolphin konsole unrar p7zip firefox noto-fonts noto-fonts-extra noto-fonts-cjk noto-fonts-emoji kwalletmanager spectacle qt6-multimedia-ffmpeg kaccounts-providers kaccounts-integration signal-desktop krdp okular power-profiles-daemon system-config-printer bluez-utils keditbookmarks kclock libreoffice-fresh libreoffice-fresh-de libreoffice-fresh-pl ttf-liberation vlc
      
    3. Enable necessary services:
      $ sudo systemctl enable sddm.service bluetooth.service
      
    4. Reboot and log in to the Plasma Desktop:
      $ sudo reboot
      
  • GNOME:
    1. Install packages for GNOME (with games):
      $ sudo pacman -S evince gdm gnome-backgrounds gnome-calculator gnome-calendar gnome-characters gnome-clocks gnome-color-manager gnome-console gnome-contacts gnome-control-center gnome-disk-utility gnome-font-viewer gnome-keyring gnome-logs gnome-menus gnome-remote-desktop gnome-session gnome-settings-daemon gnome-shell gnome-shell-extensions gnome-software gnome-system-monitor gnome-text-editor gnome-user-docs gnome-user-share gnome-weather grilo-plugins gvfs gvfs-afc gvfs-dnssd gvfs-goa gvfs-google gvfs-gphoto2 gvfs-mtp gvfs-nfs gvfs-onedrive gvfs-smb gvfs-smb gvfs-wsdd loupe malcontent nautilus rygel simple-scan snapshot sushi tecla totem xdg-desktop-portal-gnome xdg-user-dirs-gtk cheese file-roller gnome-2048 gnome-mahjongg gnome-mines gnome-sound-recorder gnome-sudoku gnome-taquin gnome-tetravex quadrapassel seahorse gnome-shell-extension-appindicator gnome-shell-extension-arc-menu gnome-shell-extension-dash-to-panel gnome-shell-extension-desktop-icons-ng unrar p7zip pipewire pipewire-audio pipewire-pulse pipewire-alsa pipewire-jack firefox noto-fonts noto-fonts-extra noto-fonts-cjk noto-fonts-emoji bluez bluez-utils libreoffice-fresh libreoffice-fresh-de libreoffice-fresh-pl ttf-liberation vlc
      
    2. Enable necessary services:
      $ sudo systemctl enable gdm.service bluetooth.service
      

8. Set up ZSH

  1. Download the .zshrc file and set up the default ZSH directory:

    $ mkdir -p ~/.config/zsh /etc/zsh
    $ curl -L https://david-w.eu/zshrc -o ~/.config/zsh/.zshrc
    $ echo 'export ZDOTDIR="$HOME"/.config/zsh' | sudo tee /etc/zsh/zshenv
    
  2. Change shell to ZSH:

    $ chsh -s /usr/bin/zsh
    
  3. Reboot or re-login to switch to ZSH

9. Set up paru

  1. Clone the paru-bin package from git:
    $ git clone https://aur.archlinux.org/paru-bin.git
    
  2. Build and install paru:
    $ cd paru-bin
    $ makepkg -si
    

10. Install udev rules:

$ echo 'ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="0955", ATTR{idProduct}=="7321", RUN+="/usr/bin/fusee-nano /usr/share/fusee-nano/payload.bin"' | sudo tee /etc/udev/rules.d/40-rcm.rules
$ printf '%s\n' 'SUBSYSTEM=="usb", ATTR{idVendor}=="04e8", MODE="0666", GROUP="plugdev"' 'SUBSYSTEM=="usb", ATTR{idVendor}=="18d1", MODE="0666", GROUP="plugdev"' 'SUBSYSTEM=="usb", ATTR{idVendor}=="057e", MODE="0666", GROUP="plugdev"' | sudo tee /etc/udev/rules.d/50-usb.rules

11. Set up KDE Wallet:

$ mkdir -p ~/.config/environment.d && echo -e "SSH_ASKPASS=/usr/bin/ksshaskpass\nSSH_ASKPASS_REQUIRE=prefer" > ~/.config/environment.d/ssh_askpass.conf