The rather unusual, opinionated and commented ArchLinux installation

Table of contents
  1. Pre-installation
    1. First basic steps
    2. Partition the disks
    3. Secure erase
    4. LUKS container
    5. Preparing the logical volumes
  2. Installation
    1. Select the mirrors
    2. Install the base packages
    3. Fstab
    4. Chroot
    5. Time zone
    6. Localization
    7. Network configuration
    8. Initramfs
    9. Root password
    10. Boot loader + Microcode
  3. Reboot
  4. Post-installation
    1. Before we begin
    2. System administration
      1. Users, groups and privilege escalation
    3. Package management
      1. Repositories
      2. Arch User Repository
    4. Graphical user interface
      1. Display server and display drivers
      2. Desktop environments
    5. Networking
    6. General

First of all, this tutorial does not replace the ArchWiki Installation guide: it is not standalone, so keep following the guide alongside it.

Pre-installation

First basic steps

For those first steps, I think you are enough of a big boy to do them alone.

So you can download the ArchLinux iso, verify its signature, boot the live environment, set the keyboard layout, verify the boot mode, connect to the internet and update the system clock. If you're not confident with those steps, check the ArchWiki.

Partition the disks

Identify the block devices associated with the disks with lsblk or fdisk -l.

Now we will use dm-crypt to encrypt an entire system with LVM on LUKS on only one disk.

UEFI is enabled, so I will use a GPT partition table and an EFI system partition (ESP).

So we will have two partitions: one ESP and one partition that will host the LUKS container.

# fdisk /dev/sda
g # create GUID Partition Table (GPT)
n # create a new partition (EFI system partition)
1 # partition number
2048 # 1st sector
+550M # last sector
t # change partition type
1 # EFI system
n # create a new partition (LVM for later LUKS encrypted container)
2 # partition number
<ENTER> # default 1st sector
<ENTER> # default last sector
t # change partition type
2 # select partition 2
31 # partition type: Linux LVM
p # print the partition table
w # write table to disk and exit

Secure erase

Don't forget to check the drive preparation.

LUKS container

A lot of people use the default values of cryptsetup, but for a more secure setup I used camellia as the cipher rather than the NIST validated (understand NSA compliant) AES algorithm, the much stronger and newer password-based key derivation function argon2 rather than the default pbkdf2, and the SHA-2 sha512 instead of the default sha256, because SHA-3 keccak or the finalist blake2 are not available here.

cryptsetup benchmark won't show you those, and sometimes even /proc/crypto will not show camellia, for example, even if it is available.

Create the LUKS encrypted container:

# cryptsetup luksFormat --type luks2 --cipher camellia-xts-plain64 --key-size 512 --iter-time 2000 --pbkdf argon2id --hash sha512 /dev/sda2

Open the LUKS container:

# cryptsetup open /dev/sda2 cryptlvm

The decrypted container is now available at /dev/mapper/cryptlvm.
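
To confirm that the header really carries these choices rather than the cryptsetup defaults, the output of cryptsetup luksDump /dev/sda2 can be checked. The following is an added example, not part of the original tutorial: check_luks_dump and sample_dump are hypothetical helper names, and the sample header text is constructed.

```shell
# Compare `cryptsetup luksDump` text read on stdin with the luksFormat options
# used above. Prints one line per mismatch; returns 0 only when all match.
check_luks_dump() {
    awk -v cipher="camellia-xts-plain64" -v bits=512 \
        -v pbkdf="argon2id" -v hash="sha512" '
    /^Version:/       { version = $2 }
    /^Data segments:/ { sec = "seg" }
    /^Keyslots:/      { sec = "slot" }
    /^Tokens:/        { sec = "tok" }
    /^Digests:/       { sec = "dig" }
    sec == "seg"  && $1 == "cipher:" { got_cipher = $2 }
    sec == "slot" && $1 == "Key:"    { got_bits = $2 }
    # each keyslot has its own PBKDF line; one weaker slot is enough to fail
    sec == "slot" && $1 == "PBKDF:"  { slots++; if ($2 != pbkdf) weak++ }
    sec == "dig"  && $1 == "Hash:"   { got_hash = $2 }
    END {
        if (version != 2)         { print "FAIL: not a LUKS2 header"; rc = 1 }
        if (got_cipher != cipher) { print "FAIL: data cipher is " got_cipher; rc = 1 }
        if (got_bits != bits)     { print "FAIL: key size is " got_bits " bits"; rc = 1 }
        if (!slots || weak)       { print "FAIL: a keyslot does not use " pbkdf; rc = 1 }
        if (got_hash != hash)     { print "FAIL: digest hash is " got_hash; rc = 1 }
        if (!rc) print "OK: header matches the luksFormat options"
        exit rc
    }'
}

# Constructed sample in the LUKS2 luksDump layout (assumption: salts, offsets
# and digest values left out because the check does not read them).
sample_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
Data segments:
  0: crypt
        cipher: camellia-xts-plain64
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha512
EOF
}

# On the installed disk: cryptsetup luksDump /dev/sda2 | check_luks_dump
sample_dump | check_luks_dump
```

The PBKDF check runs per keyslot because a passphrase added later with different options gets its own slot and its own key derivation settings.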

Preparing the logical volumes

Create a physical volume on top of the opened LUKS container:

# pvcreate /dev/mapper/cryptlvm

Create a volume group, adding the previously created physical volume to it:

# vgcreate myvg /dev/mapper/cryptlvm

Create all your logical volumes on the volume group:

# lvcreate -L 8G myvg -n swap
# lvcreate -l 100%FREE myvg -n root

Format your filesystems on each logical volume:

# mkfs.fat -F32 /dev/sda1
# mkfs.ext4 /dev/myvg/root # or /dev/mapper/myvg-root
# mkswap /dev/myvg/swap # or /dev/mapper/myvg-swap

Mount your filesystems:

# mount /dev/myvg/root /mnt
# swapon /dev/myvg/swap
# mkdir /mnt/boot/ && mkdir /mnt/efi
# mount /dev/sda1 /mnt/efi # mount ESP to /efi outside /boot

Check the partition table: lsblk -f /dev/sda.

Installation

Select the mirrors

Again, I'll let you select the mirrors yourself here.

Install the base packages

Install the base + some useful packages:

# pacstrap /mnt base base-devel openssh sudo wget curl neovim lvm2

Fstab

Generate an fstab file by UUID:

# genfstab -U /mnt >> /mnt/etc/fstab

Check that /mnt/etc/fstab is correct and add the line /efi/EFI/arch /boot none defaults,bind 0 0 so that /efi/EFI/arch is bind-mounted on /boot at boot time, since we mounted the ESP outside of /boot.

So you should have something similar to:

# Static information about the filesystems.
# See fstab(5) for details.

# <file system> <dir> <type> <options> <dump> <pass>

# /dev/mapper/myvg-root
UUID=b1566d2d-96db-4efb-8098-06cbdc2ba17d / ext4 rw,relatime 0 1

# /dev/sda1
UUID=3203-97C0 /efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 2

# /dev/mapper/myvg-swap
UUID=e0729c70-df94-44c9-849a-1f1cfedc5db8 none swap defaults,pri=-2 0 0

/efi/EFI/arch /boot none defaults,bind 0 0

Chroot

Change root into the new system:

# arch-chroot /mnt

Time zone

Set the time zone:

# ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime

Run hwclock to generate /etc/adjtime:

# hwclock --systohc

Localization

Uncomment locales in /etc/locale.gen, and generate them with:

# locale-gen

As I'm French, for me locales were:

en_US.UTF-8 UTF-8
fr_FR.UTF-8 UTF-8

Set variables in /etc/locale.conf, for example:

LC_ADDRESS=fr_FR.UTF-8
LC_COLLATE=fr_FR.UTF-8
LC_CTYPE=fr_FR.UTF-8
LC_IDENTIFICATION=fr_FR.UTF-8
LC_MONETARY=fr_FR.UTF-8
LC_MESSAGES=en_US.UTF-8
LC_MEASUREMENT=fr_FR.UTF-8
LC_NAME=fr_FR.UTF-8
LC_NUMERIC=fr_FR.UTF-8
LC_PAPER=fr_FR.UTF-8
LC_TELEPHONE=fr_FR.UTF-8
LC_TIME=fr_FR.UTF-8
LANG=en_US.UTF-8
LANGUAGE=en_US:en

That's because I want all sorts of formats to be displayed the way we do in France, while keeping the system and displayed messages in English.

Set the keyboard layout in /etc/vconsole.conf, for example (for AZERTY default keyboard):

KEYMAP=fr

Network configuration

Create the hostname file (/etc/hostname):

archway

Add matching entries to /etc/hosts:

127.0.0.1 localhost
::1 localhost

Initramfs

Configure the mkinitcpio HOOKS in /etc/mkinitcpio.conf to work with encrypt:

HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 resume filesystems fsck)

Recreate the initramfs image:

# mkinitcpio -p linux

Mount ESP:

# mkdir -p /efi/EFI/arch
# cp -a /boot/vmlinuz-linux /efi/EFI/arch/
# cp -a /boot/initramfs-linux.img /efi/EFI/arch/
# cp -a /boot/initramfs-linux-fallback.img /efi/EFI/arch/
# mount --bind /efi/EFI/arch /boot

Warning: see Mount the partition; /efi is a standard mount point, so there is no need for a bind mount, which is only required for alternative mount points. You can therefore skip those last steps and remove the additional line in /etc/fstab.

Root password

Easy!

Change root password:

# passwd

Boot loader + Microcode

I know what you're about to say:

WTF man! Why don't you use GRUB?

Because rEFInd works better for EFI partitions as the name states.

# pacman -S refind-efi intel-ucode
# refind-install

Warning: this won't work for VirtualBox, check the ArchWiki.

Then we need to edit /boot/refind_linux.conf:

"Boot with default options"  "cryptdevice=UUID=fcaa743b-9ad8-4699-9329-fbb9bec4de80:cryptlvm root=/dev/myvg/root rw add_efi_memmap initrd=/EFI/arch/intel-ucode.img initrd=/EFI/arch/initramfs-%v.img resume=/dev/myvg/swap"
"Boot with fallback initramfs" "cryptdevice=UUID=fcaa743b-9ad8-4699-9329-fbb9bec4de80:cryptlvm root=/dev/myvg/root rw add_efi_memmap initrd=/EFI/arch/intel-ucode.img initrd=/EFI/arch/initramfs-%v-fallback.img resume=/dev/myvg/swap"
"Boot to terminal" "cryptdevice=UUID=fcaa743b-9ad8-4699-9329-fbb9bec4de80:cryptlvm root=/dev/myvg/root rw add_efi_memmap systemd.unit=multi-user.target resume=/dev/myvg/swap"

Warning: replace /EFI/arch with /boot if you didn't use bind mount.

We also need to edit /efi/EFI/refind/refind.conf so that %v works in refind_linux.conf:

...
extra_kernel_version_strings linux-zen,linux-lts,linux
...

So this way we have to configure the boot entries only once for multiple kernels.
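
The cryptdevice= option in refind_linux.conf has to name the UUID of the encrypted partition itself (/dev/sda2 here), not the UUID of a filesystem inside it; a mismatch leaves the initramfs unable to find the container at boot. The following is an added example, not part of the original tutorial: check_refind_conf, good_conf and bad_conf are hypothetical helper names, and the sample entries are constructed from the UUIDs shown on this page.

```shell
# Check refind_linux.conf text read on stdin: every boot entry must carry
# cryptdevice=UUID=<LUKS partition UUID>:<mapping name>.
# $1 = UUID of the encrypted partition (/dev/sda2 on this page).
check_refind_conf() {
    awk -v want="$1" '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        entries++; uuid = ""; name = ""
        n = split($0, tok, /[ \t"]+/)       # kernel options are space separated
        for (i = 1; i <= n; i++)
            if (tok[i] ~ /^cryptdevice=UUID=/) {
                sub(/^cryptdevice=UUID=/, "", tok[i])
                split(tok[i], part, ":")
                uuid = part[1]; name = part[2]
            }
        if (uuid == "")        { print "FAIL line " NR ": no cryptdevice=UUID="; rc = 1 }
        else if (uuid != want) { print "FAIL line " NR ": UUID " uuid " is not the LUKS partition"; rc = 1 }
        else if (name == "")   { print "FAIL line " NR ": mapping name missing"; rc = 1 }
    }
    END {
        if (!entries) { print "FAIL: no boot entries"; rc = 1 }
        exit rc
    }'
}

# Constructed samples: the first entry uses the cryptdevice UUID from the
# refind_linux.conf listing, the second one wrongly uses the root filesystem
# UUID from the fstab listing.
LUKS_UUID=fcaa743b-9ad8-4699-9329-fbb9bec4de80
good_conf() {
    printf '%s\n' "\"Boot with default options\" \"cryptdevice=UUID=$LUKS_UUID:cryptlvm root=/dev/myvg/root rw resume=/dev/myvg/swap\""
}
bad_conf() {
    printf '%s\n' '"Boot with default options" "cryptdevice=UUID=b1566d2d-96db-4efb-8098-06cbdc2ba17d:cryptlvm root=/dev/myvg/root rw"'
}

# On the installed system:
#   check_refind_conf "$(blkid -s UUID -o value /dev/sda2)" < /boot/refind_linux.conf
good_conf | check_refind_conf "$LUKS_UUID"
bad_conf  | check_refind_conf "$LUKS_UUID" || true
```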

Reboot

You know how to reboot, right?

Ok ok, but it's better to unmount all the partitions first: umount -R /mnt.

Post-installation

Before we begin

It could be nice to set up a DHCP client to avoid manual IP configuration.

Enable DHCP client:

# systemctl start dhcpcd
# systemctl enable dhcpcd

Now that we have Internet access, let's update the system before installing anything:

# pacman -Syu

We'll use this terminal a lot, so let's get a fancier zsh shell:

# pacman -S zsh zsh-autosuggestions zsh-completions zsh-history-substring-search zsh-syntax-highlighting zsh-theme-powerlevel9k

System administration

Users, groups and privilege escalation

We already installed sudo with pacstrap.

Add a new user and assign sudo privileges:

# useradd -m -G wheel -s /bin/zsh noraj
# passwd noraj
# visudo

And uncomment %wheel ALL=(ALL) ALL.

Exit root session and log back as user.

Create the default XDG directories:

$ sudo pacman -S xdg-user-dirs
$ xdg-user-dirs-update

Package management

Repositories

Send stats about packages:

$ sudo pacman -S pkgstats

Arch User Repository

Install a pacman wrapper for AUR support, for example pikaur, pakku, yay:

$ sudo pacman -S git
$ cd /tmp
$ git clone https://aur.archlinux.org/yay.git
$ cd yay
$ makepkg -si

Please, don't install yaourt, check the pacman wrapper ArchWiki page.

Graphical user interface

Display server and display drivers

Install the display server, some utils and associated drivers:

$ sudo pacman -S xorg-server xorg-xrandr
$ sudo pacman -S xf86-video-intel xf86-video-nouveau mesa mesa-demos

Desktop environments

As we want a true graphical library backed desktop environment (understand a Qt DE as GTK is only the GIMP library), we have only two choices: KDE or LXQT, but LXQT is very light (nice for a VM but too light for a nice desktop experience).

Install the KDE desktop environment:

$ sudo pacman -S plasma-meta
$ sudo systemctl enable sddm

Configure KDE:

  • System Settings > Desktop Behavior > Desktop Effects > Disable Translucency, which behaves badly with dark themes.
  • System Settings > Startup and Shutdown > Background Services > Disable Bluetooth, we don't need it.
  • System Settings > Search > File Search > Deselect "Enable File Search"
  • System Settings > Regional Settings > Set Language and Formats

Networking

If not already installed, install the NetworkManager network manager and applets:

$ sudo pacman -S networkmanager kdeplasma-addons plasma-nm
$ sudo systemctl enable NetworkManager
$ sudo systemctl start NetworkManager
$ sudo systemctl disable netctl

Strengths of NetworkManager: official package for the KDE applet, integrated Wi-Fi manager, nice integration with KDE.

Drawback of NetworkManager: it does not currently support the use of dhcpcd for IPv6. So let's change DHCP client and use dhclient instead.

$ sudo pacman -S dhclient # not running as systemd service unlike dhcpcd
$ sudo systemctl disable dhcpcd
$ sudo systemctl stop dhcpcd
$ sudoedit /etc/NetworkManager/conf.d/dhcp-client.conf
[main]
dhcp=dhclient
$ sudo systemctl restart NetworkManager

Encrypt Wi-Fi passwords by using KDE Wallet.

Disallow /etc/resolv.conf overwrite:

$ sudoedit /etc/NetworkManager/conf.d/dns.conf
[main]
dns=none

General

Install a VTE (Virtual Terminal Emulator):

$ sudo pacman -S qterminal

Install web browsers and plugins. Firefox is far more powerful but uses GTK, whereas Falkon uses Qt but is far from being complete and fast. Anyway, having several browsers is always useful.

$ sudo pacman -S firefox falkon
$ sudo pacman -S arch-firefox-search firefox-dark-reader firefox-extension-https-everywhere firefox-extension-privacybadger firefox-stylus firefox-ublock-origin firefox-umatrix

Install media software (a lot of codecs are already installed as dependencies of media players):

$ sudo pacman -S vlc smplayer mediainfo mediainfo-gui handbrake youtube-dl audacious clementine nomacs elisa

Install general software:

$ sudo pacman -S keepassxc kmail code kate okular qbittorrent quassel-monolithic speedcrunch dolphin xsel p7zip unrar virtualbox aria2 bleachbit kvantum-qt5 openssh expect ksysguard htop nfoview

Install some fonts!

$ sudo pacman -S ttf-liberation noto-fonts ttf-roboto ttf-anonymous-pro ttf-hack ttf-inconsolata noto-fonts-emoji powerline-fonts adobe-source-code-pro-fonts ttf-fira-mono

Install oh-my-zsh:

$ yay -S oh-my-zsh-git

Aliases for color:

alias diff='diff --color=auto'
alias grep='grep --color=auto'
alias ls='ls --color=auto'
export LESS=-R
man() {
    LESS_TERMCAP_md=$'\e[01;31m' \
    LESS_TERMCAP_me=$'\e[0m' \
    LESS_TERMCAP_se=$'\e[0m' \
    LESS_TERMCAP_so=$'\e[01;44;33m' \
    LESS_TERMCAP_ue=$'\e[0m' \
    LESS_TERMCAP_us=$'\e[01;32m' \
    command man "$@"
}

Color wrappers:

$ sudo pacman -S grc

KDE theme:

$ sudo pacman -S materia-kde kvantum-theme-materia papirus-icon-theme

Install a terminal multiplexer:

$ sudo pacman -S tmux