@drGrove
Last active July 9, 2024 15:44
Framework Arch Linux Setup

Pre-Live USB

  1. F2 on boot, disable Secure Boot
  2. Plug in Live USB
  3. Load from Live USB

Machine Setup

Get install environment working

Keyboard layout

localectl list-keymaps | grep us
loadkeys us

See IP Setup:

ip -c a

Connect to Wifi

iwctl
station wlan0 scan
station wlan0 get-networks
station wlan0 connect <ssid>
quit # if you're in the iw cli
ping www.google.com

Configure System Time (IMPORTANT)

timedatectl list-timezones | grep Los_Angeles
ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
timedatectl set-ntp true
date
hwclock --systohc

Check Mirror List

pacman -S pacman-contrib
vim /etc/pacman.d/mirrorlist
reflector --country US --age 6 --protocol https --sort rate --save /tmp/mirrorlist
rankmirrors -n 10 /tmp/mirrorlist | sudo tee /etc/pacman.d/mirrorlist

Sync packages

pacman -Sy

Partition Disk

See disks

lsblk

Partition disk

gdisk /dev/nvme0n1

Make boot EFI

n
1
ENTER for default
+350M
ef00

Make main linux partition

n
2
ENTER for default
-25G # or 100%FREE, leaving space just in case at the end
8309 # Linux LUKS

Print Partition Table

p

Write the partition table and exit

w
Y

Format Partitions

Format the boot partition

mkfs.vfat /dev/nvme0n1p1

Set up BTRFS on an encrypted LUKS partition

 cryptsetup luksFormat /dev/nvme0n1p2
 YES
 passphrase
 cryptsetup luksOpen /dev/nvme0n1p2 cryptroot
 passphrase
 lsblk
 ls /dev/mapper
 mkfs.btrfs /dev/mapper/cryptroot
 mount /dev/mapper/cryptroot /mnt
 ls /mnt

Set up BTRFS sub-volumes:

 btrfs subvolume create /mnt/@
 btrfs subvolume create /mnt/@home
 btrfs subvolume create /mnt/@var
 btrfs subvolume create /mnt/@swap
 umount /mnt

Mount the filesystems

mount -o noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@ /dev/mapper/cryptroot /mnt
mkdir -p /mnt/{boot,home,var,swap}
mount -o noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@home /dev/mapper/cryptroot /mnt/home
mount -o noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@var /dev/mapper/cryptroot /mnt/var
mount -o noatime,ssd,space_cache=v2,subvol=@swap /dev/mapper/cryptroot /mnt/swap
mount /dev/nvme0n1p1 /mnt/boot
lsblk

Install Arch

Pacstrap

pacstrap /mnt base linux linux-firmware git vim amd-ucode btrfs-progs

fstab

genfstab -U /mnt >> /mnt/etc/fstab
vim /mnt/etc/fstab
:q

Chroot

arch-chroot /mnt

Localization

ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
vim /etc/locale.gen

Uncomment desired locale(s), e.g. en_US.UTF-8 UTF-8 and en_US ISO-8859-1

:x
locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf
echo "KEYMAP=us" > /etc/vconsole.conf

Setup Host

echo "<my-host>" > /etc/hostname
vim /etc/hosts

/etc/hosts

127.0.0.1   localhost
::1   localhost
127.0.1.1   myhost.localdomain  myhost

Root Password

passwd

Setup Boot

pacman -Syu grub efibootmgr networkmanager wpa_supplicant mtools dosfstools base-devel linux-headers sbsigntools efitools

Setup User

useradd -m myuser
passwd myuser
password
usermod -aG wheel myuser
id myuser
EDITOR=vim visudo

Uncomment the line underneath "uncomment to allow members of group wheel to execute any command".

Change User and make shim

su - myuser
mkdir aur
cd aur
git clone https://aur.archlinux.org/shim-signed.git
cd shim-signed
makepkg -si
exit

Setup GRUB w/ secure boot

mkdir -p ~/secureboot/keys
cd ~/secureboot/keys
openssl req -new -x509 -newkey rsa:2048 -keyout db.key -out db.crt -nodes -days 3650 -subj "/CN=Secure Boot DB"
openssl x509 -in db.crt -out db.cer -outform DER
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfg
sbsign --key ~/secureboot/keys/db.key --cert ~/secureboot/keys/db.crt --output /boot/EFI/GRUB/grubx64.efi /boot/EFI/GRUB/grubx64.efi
sudo sbsign --key ~/secureboot/keys/db.key --cert ~/secureboot/keys/db.crt --output /boot/vmlinuz-linux.signed /boot/vmlinuz-linux
cp ~/secureboot/keys/db.cer /boot/EFI/
  1. Exit the chroot
  2. Unmount /mnt
  3. Reboot
  4. Boot into the BIOS (F2)
  5. Remove the USB stick
  6. Re-enable Secure Boot
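
The -nodes flag above leaves db.key unencrypted, so whoever can read that file can sign binaries with it. As an added example (not part of the original gist), this script checks the key's permissions and passphrase status and that no private key was copied to the ESP; the function names are hypothetical and the paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original gist: audit the Secure Boot signing key.

# key_is_encrypted FILE: true if the PEM header shows a passphrase-protected key.
# (openssl req with -nodes, as used above, writes an unencrypted key.)
key_is_encrypted() {
    grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# key_mode_ok FILE: true if group and others have no permission bits at all.
key_mode_ok() {
    case $(ls -ld -- "$1") in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_sb_keys KEYDIR ESPDIR: print findings; return non-zero if there are any.
audit_sb_keys() {
    ak_findings=0
    for ak_key in "$1"/*.key; do
        [ -f "$ak_key" ] || continue
        if ! key_mode_ok "$ak_key"; then
            echo "PERMS: $ak_key is accessible to group or others"
            ak_findings=$((ak_findings + 1))
        fi
        if ! key_is_encrypted "$ak_key"; then
            echo "PLAINTEXT: $ak_key has no passphrase"
            ak_findings=$((ak_findings + 1))
        fi
    done
    # The ESP is unencrypted FAT: only the public db.cer belongs there.
    ak_leaks=$(find "$2" -type f -name '*.key' 2>/dev/null || :)
    if [ -n "$ak_leaks" ]; then
        echo "ESP: private key material on the unencrypted ESP:"
        echo "$ak_leaks"
        ak_findings=$((ak_findings + 1))
    fi
    [ "$ak_findings" -eq 0 ]
}

# Usage: sh audit.sh ~/secureboot/keys /boot
if [ "$#" -eq 2 ]; then
    audit_sb_keys "$1" "$2"
fi
```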

First Boot

Configure network

sudo nmtui

Set Up Encrypted Swap

cd /swap
sudo su
truncate -s 0 ./swapfile
chattr +C ./swapfile
btrfs property set ./swapfile compression none
dd if=/dev/zero of=swapfile bs=1M count=40916 status=progress # bs times count should be the size of your RAM plus a bit
chmod 600 swapfile
mkswap swapfile
swapon /swap/swapfile
vim /etc/fstab

Add this line to fstab

/swap/swapfile none swap defaults 0 0

Check it

cat /proc/swaps

Fix watchdog error

sudo vim /etc/systemd/system.conf

Un-comment and replace RebootWatchdogSec line

RebootWatchdogSec=0

Install packages

Power management (choose default):

aur sync tlpui

Fingerprint reader:

sudo pacman -Sy fprintd
fprintd-enroll

Set up hibernation

sudo vim /etc/mkinitcpio.conf

Make HOOKS look like this (add resume after filesystems)

HOOKS=(base udev autodetect modconf block encrypt filesystems resume keyboard fsck)

Now run

sudo mkinitcpio -p linux

Divide the physical offset by the page size.

sudo blkid | grep cryptroot
sudo vim /etc/default/grub

Get the offset

sudo btrfs inspect-internal map-swapfile -r /swap/swapfile

Make GRUB_CMDLINE_LINUX_DEFAULT look like this (the quotes around Windows 2020 are escaped so the shell that reads /etc/default/grub keeps them inside the value)

"loglevel=3 quiet acpi_osi=\"Windows 2020\" mem_sleep_default=deep cryptdevice=UUID=PASTED-UUID:cryptroot:allow-discards root=/dev/mapper/cryptroot resume=UUID=UUID-OF-DEV-MAPPER-CRYPTROOT resume_offset=CALCULATED-VALUE"

Remake GRUB Config

sudo grub-mkconfig -o /boot/grub/grub.cfg

Reboot once before trying to hibernate. Hibernate with

sudo systemctl hibernate
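
The kernel line above takes two different UUIDs: cryptdevice= wants the LUKS partition, resume= wants the filesystem inside /dev/mapper/cryptroot, and grepping blkid for cryptroot typically shows only the second. As an added example (not part of the original gist), this script picks both out of blkid output and assembles the parameters; the sample blkid lines, UUIDs, offsets and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original gist. The blkid lines and UUIDs below
# are constructed sample data.
SAMPLE_BLKID='/dev/nvme0n1p1: UUID="1A2B-3C4D" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="00000000-0000-4000-8000-000000000001"
/dev/nvme0n1p2: UUID="11111111-2222-4333-8444-555555555555" TYPE="crypto_LUKS" PARTUUID="00000000-0000-4000-8000-000000000002"
/dev/mapper/cryptroot: UUID="aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee" UUID_SUB="99999999-0000-4000-8000-000000000003" BLOCK_SIZE="4096" TYPE="btrfs"'

# uuid_of DEVICE: read blkid output on stdin, print DEVICE's UUID= value.
# Anchoring on ^UUID=" skips the UUID_SUB= and PARTUUID= fields.
uuid_of() {
    awk -v dev="$1:" '$1 == dev {
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^UUID="/) { gsub(/^UUID="|"$/, "", $i); print $i; exit }
        }
    }'
}

# resume_offset PHYSICAL_BYTES PAGE_BYTES: physical offset divided by page size.
# Fails when the offset is not page-aligned, which means the input is wrong.
resume_offset() {
    [ "$2" -gt 0 ] && [ $(( $1 % $2 )) -eq 0 ] || return 1
    echo $(( $1 / $2 ))
}

# hibernate_cmdline LUKS_DEV MAPPER_DEV OFFSET: blkid output on stdin.
# cryptdevice= takes the UUID of the LUKS partition; resume= takes the UUID of
# the filesystem inside the opened mapping. They must differ.
hibernate_cmdline() {
    hc_blkid=$(cat)
    hc_luks=$(printf '%s\n' "$hc_blkid" | uuid_of "$1")
    hc_fs=$(printf '%s\n' "$hc_blkid" | uuid_of "$2")
    [ -n "$hc_luks" ] && [ -n "$hc_fs" ] && [ "$hc_luks" != "$hc_fs" ] || return 1
    printf 'cryptdevice=UUID=%s:cryptroot:allow-discards ' "$hc_luks"
    printf 'root=/dev/mapper/cryptroot resume=UUID=%s resume_offset=%s\n' "$hc_fs" "$3"
}

# Demo on the constructed data: physical offset 4294967296, 4096-byte pages.
printf '%s\n' "$SAMPLE_BLKID" |
    hibernate_cmdline /dev/nvme0n1p2 /dev/mapper/cryptroot "$(resume_offset 4294967296 4096)"
```

On a real system, feed it `sudo blkid` instead of the sample and paste the printed parameters into GRUB_CMDLINE_LINUX_DEFAULT.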