@meme-lord
Last active April 12, 2022 15:26
encrypted arch framework laptop setup

Some info is taken from these guides, although parts of them are not quite right, so I'm saving this for the next time I need to install:

https://gist.github.com/huntrar/e42aee630bee3295b2c671d098c81268
https://gist.github.com/mattiaslundberg/8620837

  • disable secureboot in bios ( f12 boot menu on Framework )
  • boot from usb

connect bootable usb to internet

iwctl

device list

station wlan0 scan

station wlan0 get-networks

station wlan0 connect YOURNETWORK

exit

partition ssd

gdisk /dev/nvme0n1
  • boot - 100mb

n 1 enter +100m 8300

  • efi - 350mb

n 2 enter +350m ef00

  • root - the rest

n enter enter enter enter (some people say leave SSD space unallocated but this is a myth)

p w y

setup encrypted drive

GRUB only barely supports LUKS2 at the moment, so we're still using LUKS1. Maybe next time support will have improved.

cryptsetup luksFormat --type luks1 --use-random -S 1 -s 512 -h sha512 -i 5000 /dev/nvme0n1p3
cryptsetup open /dev/nvme0n1p3 cryptlvm
pvcreate /dev/mapper/cryptlvm
vgcreate vg /dev/mapper/cryptlvm
lvcreate -L 24G vg -n swap	# 1.5X RAM roughly for hibernation
lvcreate -l 100%FREE vg -n root

mkfs.ext2 /dev/nvme0n1p1	# boot partition
mkfs.fat -F32 /dev/nvme0n1p2	# efi partition
mkfs.ext4 /dev/vg/root		# main root partition
mkswap /dev/vg/swap		# swap

mount /dev/vg/root /mnt
swapon /dev/vg/swap

mkdir /mnt/efi
mount /dev/nvme0n1p2 /mnt/efi

mkdir /mnt/boot
mount /dev/nvme0n1p1 /mnt/boot

install base system

nano /etc/pacman.conf # allow 10 parallel downloads ;)
pacstrap /mnt base linux linux-firmware mkinitcpio lvm2 nano dhcpcd wpa_supplicant git intel-ucode iwd grub # grub provides /etc/default/grub, grub-mkconfig and grub-install used later
genfstab -pU /mnt >> /mnt/etc/fstab
sed -i 's/relatime/noatime/' /mnt/etc/fstab # change relatime to noatime

arch-chroot /mnt

ln -s /usr/share/zoneinfo/Europe/Dublin /etc/localtime
hwclock --systohc --utc

echo MYHOSTNAME > /etc/hostname

nano /etc/locale.conf

LANG=en_IE.UTF-8

LANGUAGE=en_IE

LC_ALL=C

Uncomment en_IE.UTF-8 UTF-8 in /etc/locale.gen and generate locale

locale-gen "en_IE.UTF-8"
nano /etc/hosts

127.0.0.1 localhost

::1 localhost

passwd # set a password so we can login after booting!

setup grub

nano /etc/mkinitcpio.conf

HOOKS=(base udev autodetect keyboard modconf block encrypt lvm2 filesystems fsck resume)

COMPRESSION="zstd"

COMPRESSION_OPTIONS=(-T0 -19)

The compression options are there so the initramfs fits into the small /boot partition. The order of the hooks is important.
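
Added example (not part of the original notes): a bash check that a mkinitcpio.conf contains the hooks this layout relies on and that udev, encrypt, lvm2 and resume appear in that order. The function names and the two sample files are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of the original gist: check the HOOKS line of a
# mkinitcpio.conf for root and swap on LVM inside a LUKS container.

# Print the hooks from the last uncommented HOOKS=(...) line, one per line.
hooks_from_conf() {
    sed -n 's/^[[:space:]]*HOOKS=(\([^)]*\)).*/\1/p' "$1" | tail -n 1 |
        tr -s '[:space:]' '\n' | sed '/^$/d'
}

# Print the 1-based position of hook $2 in file $1 (nothing if absent).
hook_pos() {
    hooks_from_conf "$1" | grep -nxF -- "$2" | head -n 1 | cut -d: -f1
}

# Report every problem on stderr; return 1 if any was found.
check_hooks() {
    local conf=$1 rc=0 h pair a b
    # Hooks this guide's layout relies on (resume only matters for hibernation).
    for h in udev keyboard block encrypt lvm2 filesystems resume; do
        if [ -z "$(hook_pos "$conf" "$h")" ]; then
            echo "FAIL: hook '$h' is missing" >&2; rc=1
        fi
    done
    # early:late order. encrypt needs udev's device nodes; lvm2 can only find
    # the volume group after encrypt has opened the LUKS container; resume
    # reads the hibernation image from a logical volume.
    for pair in udev:encrypt encrypt:lvm2 lvm2:resume; do
        a=$(hook_pos "$conf" "${pair%%:*}"); b=$(hook_pos "$conf" "${pair##*:}")
        if [ -n "$a" ] && [ -n "$b" ] && [ "$a" -gt "$b" ]; then
            echo "FAIL: '${pair%%:*}' must come before '${pair##*:}'" >&2; rc=1
        fi
    done
    return "$rc"
}

# Constructed samples: the HOOKS line from this guide and a misordered variant.
demo_dir=$(mktemp -d)
echo 'HOOKS=(base udev autodetect keyboard modconf block encrypt lvm2 filesystems fsck resume)' > "$demo_dir/good.conf"
echo 'HOOKS=(base udev autodetect keyboard modconf block lvm2 encrypt filesystems fsck resume)' > "$demo_dir/bad.conf"
for f in good bad; do
    if check_hooks "$demo_dir/$f.conf"; then echo "$f.conf: OK"; else echo "$f.conf: fix HOOKS"; fi
done
```

Running check_hooks /etc/mkinitcpio.conf inside the chroot before mkinitcpio -p linux catches a misordered or incomplete HOOKS line before the first reboot.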

mkinitcpio -p linux
nano /etc/default/grub

GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p3:luks resume=/dev/vg/swap mem_sleep_default=deep nmi_watchdog=0"

GRUB_ENABLE_CRYPTODISK=y

resume=/dev/vg/swap enables hibernation resume

mem_sleep_default=deep is power efficient sleep mode

nmi_watchdog=0 disables the nmi_watchdog

grub-mkconfig -o /boot/grub/grub.cfg

pacman -S efibootmgr
grub-install --target=x86_64-efi --efi-directory=/efi

exit	# leave the chroot before unmounting
umount /mnt/efi /mnt/boot /mnt
swapoff /dev/vg/swap
reboot

after booting in

systemctl enable iwd dhcpcd
systemctl start iwd dhcpcd

disable shutdown watchdog

nano /etc/systemd/system.conf
RebootWatchdogSec=0

create user account and install things

useradd -m -s /bin/bash USERNAME 
passwd USERNAME

nano /etc/pacman.conf # allow 10 parallel downloads and enable color
pacman -S i3-wm sudo alacritty xorg-server xorg-xinit dmenu ttf-dejavu i3status dunst base-devel noto-fonts-emoji wget unzip man 

add USERNAME to sudoers

EDITOR=nano visudo	# edits /etc/sudoers and checks the syntax before saving
USERNAME ALL=(ALL:ALL) ALL

make i3 start when we login

su USERNAME
echo 'exec i3' > ~/.xinitrc

install yay

git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -si

installing other stuff

pacman -S vivaldi vivaldi-ffmpeg-codecs libnotify i3lock scrot imagemagick pulseaudio htop powertop tree zathura bash-completion openssh

disable bluetooth

systemctl enable [email protected]
echo 'SUBSYSTEM=="rfkill", ATTR{type}=="bluetooth", ATTR{state}="0"' > /etc/udev/rules.d/50-bluetooth.rules

increase vm writeback timeout

echo 'vm.dirty_writeback_centisecs=1500' | sudo tee /etc/sysctl.d/99-vm-writeback.conf	# tee runs under sudo; a plain > redirect would not

update resolv.conf DNS servers

avoids ISP DNS blocks

nano /etc/resolv.conf

nameserver 1.1.1.1

nameserver 8.8.8.8

blacklisting unneeded modules

Disabling the watchdog with this method gets rid of the annoying "watchdog did not stop" error message.

List modules found by autodetection:

mkinitcpio -M
nano /etc/modprobe.d/blacklist.conf

blacklist iTCO_wdt # disable watchdog

blacklist wmi

nano /etc/mkinitcpio.conf

FILES=(/etc/modprobe.d/blacklist.conf)

mkinitcpio -p linux

touchpad issue on wake from sleep

disabling PS2 Mouse emulation in the BIOS fixes it
