- Download ISO and GPG files
- Verify the ISO file:
$ pacman-key -v archlinux-<version>-dual.iso.sig
- Create a bootable usb with:
# dd if=archlinux*.iso of=/dev/sdX && sync
- Set boot mode to UEFI, disable Legacy mode entirely.
- Temporarily disable Secure Boot.
- Make sure a strong UEFI administrator password is set.
- Delete preloaded OEM keys for Secure Boot, allow custom ones.
- Set SATA operation to AHCI mode.
- Plug in network cable or connect to wifi with `wifi-menu`, and ensure you have internet access.
- Enable NTP:
# timedatectl set-ntp true
- Set larger font if needed:
# pacman -Sy terminus-font
# setfont ter-132n
Note the disk name with:
# fdisk -l
Run `cfdisk` for that disk and select label type `gpt`.
Create partitions:
- 100M - EFI system
- 100% - Linux filesystem
Create file system on the EFI partition:
# mkfs.vfat -n EFI -F32 /dev/sdX1
Encrypt the Linux partition:
# cryptsetup luksFormat --type luks1 /dev/sdX2
# cryptsetup luksOpen /dev/sdX2 luks
Create file system on the encrypted Linux partition:
# mkfs.btrfs -L btrfs /dev/mapper/luks
Create and mount subvolumes:
# mount /dev/mapper/luks /mnt
# btrfs subvolume create /mnt/root
# btrfs subvolume create /mnt/home
# btrfs subvolume create /mnt/pkgs
# btrfs subvolume create /mnt/logs
# btrfs subvolume create /mnt/tmp
# btrfs subvolume create /mnt/snapshots
# umount /mnt
# mount -o noatime,nodiratime,discard,compress=lzo,subvol=root /dev/mapper/luks /mnt
# mkdir -p /mnt/mnt/btrfs-root
# mkdir -p /mnt/boot/efi
# mkdir -p /mnt/home
# mkdir -p /mnt/var/cache/pacman
# mkdir -p /mnt/var/log
# mkdir -p /mnt/var/tmp
# mkdir -p /mnt/.snapshots
# mount /dev/sdX1 /mnt/boot/efi
# mount -o noatime,nodiratime,discard,compress=lzo,subvol=/ /dev/mapper/luks /mnt/mnt/btrfs-root
# mount -o noatime,nodiratime,discard,compress=lzo,subvol=home /dev/mapper/luks /mnt/home
# mount -o noatime,nodiratime,discard,compress=lzo,subvol=pkgs /dev/mapper/luks /mnt/var/cache/pacman
# mount -o noatime,nodiratime,discard,compress=lzo,subvol=logs /dev/mapper/luks /mnt/var/log
# mount -o noatime,nodiratime,discard,compress=lzo,subvol=tmp /dev/mapper/luks /mnt/var/tmp
# mount -o noatime,nodiratime,discard,compress=lzo,subvol=snapshots /dev/mapper/luks /mnt/.snapshots
Install packages:
# pacstrap /mnt base base-devel grub efibootmgr intel-ucode zsh git openssh wget terminus-font networkmanager
- `grub`, `efibootmgr`: boot manager
- `intel-ucode`: include Intel microcode patches during boot
- `zsh`, `git`, `openssh`, `wget`: just enough to create a user and clone dotfiles
- `terminus-font`: to make console font readable on HiDPI screens
- `networkmanager`: because wired connection may not work after installation
Generate fstab entries:
# genfstab -U /mnt >> /mnt/etc/fstab
Enter the new system:
# arch-chroot /mnt
Persist using larger console font after reboot:
# echo "FONT=ter-132n" > /etc/vconsole.conf
Set up time zone:
# ln -sf /usr/share/zoneinfo/Region/City /etc/localtime
Configure hardware clock:
# hwclock --systohc --utc
Configure system locale:
# echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
# echo "en_DK.UTF-8 UTF-8" >> /etc/locale.gen
# locale-gen
Configure hostname:
# echo HOSTNAME > /etc/hostname
# vi /etc/hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost.localdomain localhost
127.0.1.1 HOSTNAME.localdomain HOSTNAME
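Configure passwordless unlock of root partition (the keyfile is embedded in the initramfs, so GRUB asks for the passphrase once and the kernel does not ask again):
# dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
# chmod 000 /crypto_keyfile.bin
# chmod 600 /boot/initramfs-linux*
# cryptsetup luksAddKey /dev/sdX2 /crypto_keyfile.bin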
Generate initial ramdisk environment:
# vi /etc/mkinitcpio.conf
- Add `consolefont` to HOOKS after `base`
- Add `encrypt` to HOOKS before `filesystems`
- Remove `fsck` from HOOKS
- Add `/crypto_keyfile.bin` to FILES
# mkinitcpio -p linux
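An added check for the keyfile and initramfs steps above (example code, not part of the original guide): it confirms that `encrypt` precedes `filesystems` in HOOKS, that the keyfile is listed in FILES, and that neither the keyfile nor the initramfs images are accessible to group or others. The function names are hypothetical; run it after `mkinitcpio -p linux`.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the keyfile setup.
# Source this file inside the new system, then run (paths as used in the guide):
#   audit /etc/mkinitcpio.conf /crypto_keyfile.bin /boot/initramfs-linux*

# conf_value VAR FILE: print the last value assigned to VAR in FILE.
# Accepts both VAR=(...) and VAR="..." forms; commented-out lines are ignored.
conf_value() {
    sed -n 's/^'"$1"'=[("]*\([^)"]*\).*/\1/p' "$2" | tail -n 1
}

# before A B WORD...: succeed only if A occurs earlier than B in the word list.
before() {
    a=$1; b=$2; shift 2; seen=0
    for w in "$@"; do
        if [ "$w" = "$a" ]; then seen=1; fi
        if [ "$w" = "$b" ]; then return $((1 - seen)); fi
    done
    return 1
}

# private FILE: succeed if FILE has no permission bits for group or others.
private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# audit CONF KEYFILE INITRAMFS...: print each problem found, return 1 if any.
audit() {
    conf=$1; key=$2; shift 2; rc=0
    hooks=$(conf_value HOOKS "$conf")
    files=$(conf_value FILES "$conf")
    # Word splitting of $hooks is intended: one hook name per word.
    if ! before encrypt filesystems $hooks; then
        echo "FAIL: encrypt must precede filesystems in HOOKS"; rc=1
    fi
    case " $files " in
        *" $key "*) ;;
        *) echo "FAIL: $key is not listed in FILES"; rc=1 ;;
    esac
    # The initramfs embeds the keyfile, so both must be unreadable to non-root.
    for f in "$key" "$@"; do
        if ! private "$f"; then
            echo "FAIL: $f is accessible to group or others"; rc=1
        fi
    done
    return $rc
}
```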
Configure bootloader:
# vi /etc/default/grub
- Set: GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdX2:luks:allow-discards"
- Set: GRUB_GFXMODE=1280x1024x32,1024x768x32,auto
- Uncomment: GRUB_ENABLE_CRYPTODISK=y
- Comment out: GRUB_GFXPAYLOAD_LINUX (terminus font is great at native resolution)
# grub-mkconfig -o /boot/grub/grub.cfg
# grub-install
Generate machine id:
# dbus-uuidgen --ensure
Set zsh as default shell for root:
# chsh -s /bin/zsh
Create a user:
# useradd -m -g users -G wheel -s /bin/zsh USERNAME
# passwd USERNAME
# EDITOR=vi visudo
- Uncomment sudo access for `wheel` group
Exit new system and reboot:
# exit
# umount -R /mnt
# reboot
Log in as the new user
Start NetworkManager service:
$ sudo systemctl start NetworkManager
Clone dotfiles:
$ git clone https://github.com/maximbaz/dotfiles.git ~/.dotfiles
Set up dotfiles:
$ ~/.dotfiles/setup
Bootstrap pacman packages:
$ sudo pacman -Sy --needed maximbaz
Configure fwupdmgr:
$ sudo cp -r /usr/lib/fwupdate/EFI /boot/efi
Sign bootloader for Secure Boot:
$ sudo cryptboot-efikeys create
$ sudo cryptboot-efikeys enroll
$ sudo cryptboot-efikeys sign /boot/efi/EFI/arch/grubx64.efi
$ sudo cryptboot-efikeys sign /boot/efi/EFI/arch/fwupx64.efi
Disable root password:
# passwd -dl root
Reboot and enable Secure Boot in UEFI.