Arch Linux Install Guide For Developers
This is a condensed version of a blog I wrote a few months back, and I hope people find it useful. Here's the original as a reference if anyone wishes to check it out. (https://www.lunasec.io/docs/blog/arch-linux-installation-guide/)
Why is Arch the best operating system for developers?
Here are a few of the reasons why we decided to use Arch as our development environment:
- We have direct visibility and control down to the kernel
- We know what's on our system and only use what we deem necessary
- We can configure our environments to meet security standards quickly and seamlessly
- We have access to the latest packages for development
We found Arch to be the sweet spot between security, accessibility, and productivity, and access to the newest packages for development is what we sought.
Preparing For the Install
Grab the version of Arch you would like to install. Create a bootable USB of the Arch Image you downloaded.
(Etcher is available for Linux, or Rufus for Windows, to make your USB boot image. For further guidance, please refer to the Arch Wiki.)
Verify secure boot is disabled in the BIOS before continuing to the next steps.
What We're Installing
- A UEFI boot partition using systemd-boot
- An Arch Linux partition with BTRFS, encrypted with LUKS (luks2)
Beginning the Install
Plug in your Arch USB image from the previous step and boot into it from your BIOS. From here, you'll be using the terminal.
We recommend installing via SSH to streamline copying over commands.
To do this, connect to your Wi-Fi network using the iwctl tool.
Open up the iwctl tool:
iwctl
Search for your wireless adapter:
device list
Scan your local networks with your wireless adapter (wlan0):
station wlan0 get-networks
Connect to your network:
station wlan0 connect YOUR_NETWORK
If your network name contains a space, wrap it in quotes: "YOUR NETWORK"
Once connected, exit iwctl:
exit
Verify your connection works:
ping google.com
Enabling SSH
Now that your machine is connected to the internet, start the SSH service and connect to it from your other computer.
Start SSH:
systemctl start sshd.service
Set a password for root:
passwd
Find the machine's IP Address:
ip addr show
From your other computer, connect via SSH (you'll be prompted for the root password you just set):
ssh root@<IP-OF-THE-FIRST-PC>
Installation Overview
Now that you're connected via SSH, you're ready to do the following:
- Create a Systemd boot partition
- Create a Linux Filesystem partition for Arch
- Encrypt your Filesystem Partition with LUKS
- Create BTRFS Sub Volumes on your Linux Filesystem partition
- Install Arch with recommended Packages
Create the Boot and Filesystem partitions
Identify the drive on which to install Arch:
lsblk
For this guide we'll be referencing our drive with the nvme0n1 naming convention; remember to replace it with your drive's name when referencing it.
The following commands will create two partitions, one for boot and one for the filesystem:
gdisk /dev/nvme0n1
This will begin the gdisk program / prompt. Begin by creating the EFI partition (choose size 550M and hex code EF00):
Command (? for help): o
Command (? for help): n
Enter
Enter
+550M
EF00
The Boot Partition should now be created.
Let's create the File system partition.
Command (? for help): n
Enter
Enter
Enter
Enter
Write the new partitions to disk:
Command (? for help): w
Now let's verify that our two partitions exist:
lsblk
You should be able to see the two partitions available as /dev/nvme0n1p1 and /dev/nvme0n1p2.
Encryption
With your partitions set, create the encrypted container for your root file system.
Below is the command to encrypt the partition using LUKS:
cryptsetup --cipher aes-xts-plain64 --hash sha256 --use-random --verify-passphrase luksFormat --type luks2 /dev/nvme0n1p2
Open the encrypted partition with:
cryptsetup open /dev/nvme0n1p2 luks
("luks" is just a placeholder; you can use the name of your choice, but remember to continue the guide with your naming convention.)
File System Creation
Format the EFI partition with FAT32 and give it the label EFI:
mkfs.vfat -F32 -n EFI /dev/nvme0n1p1
Format the root partition with BTRFS and give it the label ROOT:
mkfs.btrfs -L ROOT /dev/mapper/luks
If you didn't open the LUKS container under the name "luks", you must adjust the command accordingly.
Create and Mount Sub Volumes
Create sub volumes for root, swap, home, the package cache, and snapshots:
mount /dev/mapper/luks /mnt
btrfs sub create /mnt/@
btrfs sub create /mnt/@swap
btrfs sub create /mnt/@home
btrfs sub create /mnt/@pkg
btrfs sub create /mnt/@snapshots
umount /mnt
Mount the sub volumes, plus the top level of the BTRFS file system (subvolid=5) at /mnt/btrfs:
mount -o noatime,nodiratime,compress=zstd,space_cache=v2,ssd,subvol=@ /dev/mapper/luks /mnt
mkdir -p /mnt/{boot,home,var/cache/pacman/pkg,.snapshots,btrfs}
mount -o noatime,nodiratime,compress=zstd,space_cache=v2,ssd,subvol=@home /dev/mapper/luks /mnt/home
mount -o noatime,nodiratime,compress=zstd,space_cache=v2,ssd,subvol=@pkg /dev/mapper/luks /mnt/var/cache/pacman/pkg
mount -o noatime,nodiratime,compress=zstd,space_cache=v2,ssd,subvol=@snapshots /dev/mapper/luks /mnt/.snapshots
mount -o noatime,nodiratime,compress=zstd,space_cache=v2,ssd,subvolid=5 /dev/mapper/luks /mnt/btrfs
Mount the EFI partition:
mount /dev/nvme0n1p1 /mnt/boot
Optional - The following is for those wanting to use a swapfile.
Create swap file (taken from Btrfs - Swap file and Swap file):
cd /mnt/btrfs/@swap
truncate -s 0 ./swapfile
chattr +C ./swapfile
btrfs property set ./swapfile compression none
dd if=/dev/zero of=./swapfile bs=1M count=<FILE-SIZE-IN-MiB> status=progress
chmod 600 ./swapfile
mkswap ./swapfile
swapon ./swapfile
cd -
Base System and /etc/fstab
With your subvolumes created and mounted, you are now ready to install Arch Linux.
For our machine we will be using intel-ucode, as the X1 has an Intel CPU.
If your machine has an AMD CPU, replace intel-ucode with amd-ucode.
Feel free to add any other packages you want to install at this time in the command below.
pacstrap /mnt linux linux-firmware base btrfs-progs intel-ucode nano networkmanager git
Generate /etc/fstab:
genfstab -U /mnt >> /mnt/etc/fstab
System Configuration
This is where you'll be managing system configurations. In our case we're configuring this as an American user, but for those of you reading outside the US, set the language and keyboard bindings to your locale.
Chroot into the new system:
arch-chroot /mnt/
Set the hostname:
echo <YOUR-HOSTNAME> > /etc/hostname
Set locale:
echo LANG=en_US.UTF-8 > /etc/locale.conf
Uncomment the following row in /etc/locale.gen:
en_US.UTF-8 UTF-8
Generate locale:
locale-gen
Define hosts in /etc/hosts:
# <ip-address> <hostname.domain.org> <hostname>
127.0.0.1 <YOUR-HOSTNAME>.localdomain <YOUR-HOSTNAME>
::1 localhost.localdomain localhost
Set the root user's password:
(We recommend setting a secure password for your newly created root user.)
passwd
Initramfs
Configure the creation of initramfs by editing /etc/mkinitcpio.conf. Edit the line HOOKS=... to:
HOOKS=(base keyboard udev autodetect modconf block keymap encrypt btrfs filesystems resume)
resume in the above hooks is for those of you setting up a swap partition. If you don't intend to use swap, you can simply remove it.
Recreate initramfs:
mkinitcpio -p linux
Boot Manager
Install systemd-boot:
bootctl --path=/boot install
Create file /boot/loader/entries/arch.conf and fill it with:
title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options cryptdevice=UUID=<UUID-OF-ROOT-PARTITION>:luks:allow-discards root=/dev/mapper/luks rootflags=subvol=@ rd.luks.options=discard rw
Optional - If you are using swap, add the following to the options line.
You will also need to follow this guide to calculate your offset
resume=/dev/mapper/luks resume_offset=<YOUR-OFFSET>
Get the UUID of your root partition:
blkid -s UUID -o value /dev/nvme0n1p2
Replace <UUID-OF-ROOT-PARTITION> in /boot/loader/entries/arch.conf with the value it prints.
Edit /boot/loader/loader.conf and fill it with:
default arch.conf
timeout 4
console-mode max
editor no
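A pre-reboot check for the two systemd-boot files above, as an added example that is not part of the original guide: it flags a UUID placeholder left in place, a root= that does not match the mapper name in cryptdevice=, and a loader.conf without editor no. The function name check_boot_entry and the sample files are constructed for illustration; on the installed system you would pass /boot/loader/entries/arch.conf and /boot/loader/loader.conf.

```sh
#!/bin/sh
# Added example (not from the original guide): check_boot_entry is a
# hypothetical helper. Prints one line per problem; returns 0 if none.
check_boot_entry() {
    entry=$1; loader=$2; problems=0

    # Split the "options" line into one parameter per line.
    params=$(sed -n 's/^options[[:space:]]*//p' "$entry" | tr -s ' \t' '\n')
    cryptdev=$(printf '%s\n' "$params" | sed -n 's/^cryptdevice=//p')
    root=$(printf '%s\n' "$params" | sed -n 's/^root=//p')

    # cryptdevice=UUID=<uuid>:<mapper-name>[:options]
    uuid=$(printf '%s\n' "$cryptdev" | sed -n 's/^UUID=\([^:]*\):.*/\1/p')
    mapper=$(printf '%s\n' "$cryptdev" | cut -d: -f2)

    # The UUID must be a real value, not the guide's <...> placeholder.
    if ! printf '%s\n' "$uuid" | grep -Eq \
        '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
        echo "cryptdevice UUID missing or still a placeholder: '$uuid'"
        problems=$((problems + 1))
    fi

    # root= must name the same mapper device that cryptdevice= opens.
    if [ -z "$mapper" ] || [ "$root" != "/dev/mapper/$mapper" ]; then
        echo "root='$root' does not match mapper name '$mapper'"
        problems=$((problems + 1))
    fi

    # loader.conf should keep the boot-time command line editor disabled.
    if ! grep -Eq '^editor[[:space:]]+no[[:space:]]*$' "$loader"; then
        echo "loader.conf does not set 'editor no'"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Constructed sample files (not from a real system): placeholder left in.
demo_dir=$(mktemp -d)
printf '%s\n' 'title Arch Linux' 'linux /vmlinuz-linux' \
    'options cryptdevice=UUID=<UUID-OF-ROOT-PARTITION>:luks:allow-discards root=/dev/mapper/luks rootflags=subvol=@ rw' \
    > "$demo_dir/arch.conf"
printf '%s\n' 'default arch.conf' 'timeout 4' 'editor no' \
    > "$demo_dir/loader.conf"
check_boot_entry "$demo_dir/arch.conf" "$demo_dir/loader.conf" \
    || echo "fix the entry before rebooting"
```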
Lastly, exit chroot, unmount your partition, and reboot:
exit
umount -R /mnt
reboot
Installation Complete
Congratulations, you now have Arch running on your laptop!
You now have an encrypted partition of Arch Linux running on your laptop with a root user and networking.
What's left to do?
- Sign in as root on your laptop
- Set up a user with sudo privileges
- Set up a Window Manager / Desktop Environment
- Install YAY and AUR
- Generate SSH Keys
- Generate GPG Keys
- Find ways to interject into conversations that BTW you now use Arch