EnnoxHD / archlinux-install-guide

ArchLinux Installation Guide
MIT License

ArchLinux installation

This guide is based on various information from the official ArchLinux Wiki.

Preparation

General

Loading the keyboard layout

loadkeys de-latin1-nodeadkeys

This is only used for more comfortable input on the keyboard. The default is the English QWERTY layout.

Checking whether booted in UEFI mode

ls /sys/firmware/efi/efivars

If there are entries, you can continue. Otherwise it was booted in BIOS mode.

Establishing an internet connection

iwctl device list
iwctl station <device> scan
iwctl station <device> get-networks
iwctl --passphrase=<'password'> station <device> connect <SSID>

Checking the internet connection

ping 1.1.1.1
ping google.com

Getting network time

timedatectl set-ntp true
timedatectl status
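The checks of this preparation section as one script, an added example that is not part of the guide. It assumes the efivars path and the `timedatectl show` output format of a current Arch live ISO; the directory argument of firmware_mode and the stdin of ntp_ok exist only so the functions can be exercised on test input, and `preflight` runs only when the script is invoked with `run`.

```sh
#!/bin/sh
# Pre-flight checks for the preparation steps (added example, not part of the guide).
# Directory and input parameters exist so the checks can be run against test data.

# Prints "uefi" when the efivars directory has entries, "bios" otherwise.
firmware_mode() {
    dir="${1:-/sys/firmware/efi/efivars}"
    if [ -d "$dir" ] && [ -n "$(ls -A "$dir" 2>/dev/null)" ]; then
        echo uefi
    else
        echo bios
    fi
}

# Reads `timedatectl show` output on stdin; succeeds only when NTP is enabled and synchronised.
ntp_ok() {
    awk -F= '
        $1 == "NTP" && $2 == "yes"             { ntp = 1 }
        $1 == "NTPSynchronized" && $2 == "yes" { synced = 1 }
        END { exit !(ntp && synced) }'
}

# Pings an address and a name so a DNS problem can be told apart from a missing link.
net_check() {
    ping -c 1 -W 3 1.1.1.1 >/dev/null 2>&1 || { echo "no IP connectivity"; return 1; }
    ping -c 1 -W 3 google.com >/dev/null 2>&1 || { echo "IP works, DNS resolution fails"; return 2; }
    echo "network ok"
}

preflight() {
    echo "firmware: $(firmware_mode)"
    net_check || true
    if timedatectl show | ntp_ok; then echo "ntp: synchronised"; else echo "ntp: not synchronised yet"; fi
}

# Run the whole check with: sh preflight.sh run
if [ "${1:-}" = run ]; then preflight; fi
```

A "bios" result means the remaining steps (EFI partition, grub-install with --target=x86_64-efi) do not apply as written; an unsynchronised clock is worth waiting out, since pacman's signature checks depend on a sane system time.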

Wiping the hard drive

Overwrite the existing data on the drive with random data.

lsblk
blockdev --getbsz /dev/<drive> # value for bs parameter in dd command
dd if=/dev/urandom of=/dev/<drive> bs=4096 status=progress

Installation

Partitioning

sgdisk --zap-all /dev/<hard_drive>
sgdisk --new=1:0:+512M /dev/<hard_drive> # EFI partition
sgdisk --typecode=1:ef00 /dev/<hard_drive>
sgdisk --new=2:0:0 /dev/<hard_drive> # root partition
sgdisk --typecode=2:8300 /dev/<hard_drive>

File systems

For the root partition:

cryptsetup -y -v --type luks1 --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 2000 --use-urandom luksFormat /dev/<root_partition>
YES
<passphrase_for_root_partition>
<passphrase_for_root_partition>
cryptsetup open /dev/<root_partition> cryptroot
mkfs.ext4 /dev/mapper/cryptroot
mount /dev/mapper/cryptroot /mnt

For the efi partition:

mkfs.fat -F32 /dev/<efi_partition>
mkdir /mnt/efi
mount /dev/<efi_partition> /mnt/efi
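The partitioning, encryption and file-system steps above combined into one script; this is an added example, not the guide's own code. It assumes the layout of this guide (GPT, a 512M EFI partition as partition 1, the encrypted root as partition 2, luks1 so that GRUB can unlock it) and adds two things the bare command list lacks: the partition naming rule for nvme/mmcblk devices (`/dev/nvme0n1p1`, not `/dev/nvme0n11`) and a DRY_RUN mode that prints the plan instead of touching the disk. The `--new` and `--typecode` options are combined into one sgdisk call per partition, which sgdisk accepts; the function names and the DRY_RUN variable are this example's own.

```sh
#!/bin/sh
# The partitioning, LUKS and file-system steps as one script (added example, not from the guide).
# Assumptions: an already wiped drive, GPT with a 512M EFI partition and an encrypted root, the
# settings from the guide, and an interactive cryptsetup prompt for the passphrase.
# DRY_RUN=1 prints each command instead of running it, so the plan can be reviewed first.
set -u

# Partition device for a whole-disk name: devices whose name ends in a digit
# (nvme0n1, mmcblk0, loop0) get a "p" before the partition number, sda does not.
part_dev() {
    disk="$1"; num="$2"
    case "$disk" in
        *[0-9]) echo "${disk}p${num}" ;;
        *)      echo "${disk}${num}" ;;
    esac
}

# Executes a command, or prints it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

prepare_disk() {
    disk="$1"
    efi=$(part_dev "$disk" 1)
    root=$(part_dev "$disk" 2)

    run sgdisk --zap-all "$disk"
    run sgdisk --new=1:0:+512M --typecode=1:ef00 "$disk"   # EFI system partition
    run sgdisk --new=2:0:0 --typecode=2:8300 "$disk"        # root partition

    # luks1 is the LUKS version GRUB can unlock; cryptsetup asks for YES and the passphrase.
    run cryptsetup -y -v --type luks1 --cipher aes-xts-plain64 --key-size 512 \
        --hash sha512 --iter-time 2000 --use-urandom luksFormat "$root"
    run cryptsetup open "$root" cryptroot
    run mkfs.ext4 /dev/mapper/cryptroot
    run mount /dev/mapper/cryptroot /mnt

    run mkfs.fat -F32 "$efi"
    run mkdir -p /mnt/efi
    run mount "$efi" /mnt/efi
}

# Usage: DRY_RUN=1 sh prepare_disk.sh /dev/nvme0n1   (drop DRY_RUN=1 to execute)
if [ $# -gt 0 ]; then prepare_disk "$1"; fi
```

Review the dry-run output against `lsblk` before running it for real; every command in the plan is destructive for the named disk.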

Installation of the base system

Transfer the base system

Install basic packages:

pacstrap /mnt base linux linux-firmware mkinitcpio dkms linux-headers nano

File system table

Generate the filesystem table:

genfstab -U /mnt >> /mnt/etc/fstab
cat /mnt/etc/fstab

Change root

Change to the new system as root:

arch-chroot /mnt

Configuration of the base system

Time and Localization

ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
hwclock --systohc
nano /etc/locale.gen

Uncomment: en_US.UTF-8 UTF-8 and de_DE.UTF-8 UTF-8

locale-gen
nano /etc/locale.conf

Content: LANG=de_DE.UTF-8

nano /etc/vconsole.conf

Content: KEYMAP=de-latin1-nodeadkeys

Network

nano /etc/hostname

Content: the hostname of the computer, referred to as <hostname>

nano /etc/hosts

Content:

127.0.0.1 localhost
::1 localhost
127.0.1.1 <hostname>.localdomain <hostname>

Installation of network services

pacman -S iwd systemd-resolvconf
exit # out of chroot
mkdir /mnt/var/lib/iwd
cp /var/lib/iwd/<SSID>.<type> /mnt/var/lib/iwd/
arch-chroot /mnt # enter chroot again
nano /var/lib/iwd/<SSID>.<type>
mkdir /etc/iwd
nano /etc/iwd/main.conf
[General]
EnableNetworkConfiguration=true
[Network]
NameResolvingService=systemd
systemctl enable iwd.service
systemctl enable systemd-networkd.service
systemctl enable systemd-resolved.service

Initramfs

nano /etc/mkinitcpio.conf

Change content:

HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole sd-encrypt block filesystems fsck)
COMPRESSION="zstd"
nano /etc/mkinitcpio.d/linux.preset

Comment ALL_microcode out (deprecated):

#ALL_microcode=(/boot/*-ucode.img)

Build:

mkinitcpio -p linux

Bootloader GRUB 2

pacman -S grub efibootmgr
exit # out of chroot
lsblk -f # get UUID
arch-chroot /mnt # enter chroot again

Remember the UUID of the encrypted partition, referred to as <UUID>

nano /etc/default/grub

Change content:

GRUB_TIMEOUT=1
GRUB_CMDLINE_LINUX="rd.luks.name=<UUID>=cryptroot root=/dev/mapper/cryptroot rd.luks.options=<UUID>=cipher=aes-xts-plain64:sha512,size=512"
GRUB_ENABLE_CRYPTODISK=y
GRUB_DISABLE_OS_PROBER=true
GRUB_LANG=en

Hook for updating the GRUB configuration after a kernel upgrade:

nano /etc/pacman.d/hooks/linuxupgrade.hook

Content:

[Trigger]
Operation=Upgrade
Type=Package
Target=linux
[Action]
Description=Updating GRUB configuration after kernel upgrade...
When=PostTransaction
Depends=grub
Exec=/bin/sh -c "grub-mkconfig -o /boot/grub/grub.cfg"

Hook for updating the GRUB installation and configuration after an upgrade:

nano /etc/pacman.d/hooks/grubupgrade.hook

Content:

[Trigger]
Operation=Upgrade
Type=Package
Target=grub
[Action]
Description=Updating GRUB installation and configuration after upgrade...
When=PostTransaction
Depends=grub
Exec=/bin/sh -c "grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB && grub-mkconfig -o /boot/grub/grub.cfg"

Keyfile

Needed so that the passphrase is entered only once at boot: GRUB unlocks the root partition, and the initramfs then uses the embedded keyfile instead of prompting again.

dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock
chmod 600 /crypto_keyfile.bin
chmod 600 /boot/initramfs-linux*
cryptsetup luksAddKey /dev/<luksPart> /crypto_keyfile.bin
nano /etc/mkinitcpio.conf

Change content:

FILES=(/crypto_keyfile.bin)
mkinitcpio -p linux
nano /etc/default/grub

Change content:

GRUB_CMDLINE_LINUX="... rd.luks.key=<UUID>=/crypto_keyfile.bin"
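A consistency check for the keyfile setup, added here and not part of the guide. Because the keyfile is copied into the initramfs, the chmod steps above are what keeps the key private; this script verifies those file modes, that the keyfile is listed in FILES= and that rd.luks.key= is on the kernel command line. The root-directory argument and the function names are this example's own; the file paths are the guide's.

```sh
#!/bin/sh
# Audit of the keyfile setup (added check, not part of the guide). The keyfile ends up inside the
# initramfs, so the key is only as protected as /crypto_keyfile.bin and the initramfs images.
# The optional root argument points the checks at another tree, e.g. /mnt or a test directory.
set -u

# Succeeds when the file exists and has no group/other permission bits.
private_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(stat -c %a "$f")
    case "$mode" in
        *00) return 0 ;;
    esac
    echo "too permissive: $f (mode $mode)"
    return 1
}

# Runs every check and reports each finding; returns 1 if any check failed.
keyfile_audit() {
    root="${1%/}"
    rc=0
    private_file "$root/crypto_keyfile.bin" || rc=1
    found=0
    for img in "$root"/boot/initramfs-linux*.img; do
        [ -e "$img" ] || continue
        found=1
        private_file "$img" || rc=1
    done
    [ "$found" -eq 1 ] || { echo "no initramfs images under $root/boot"; rc=1; }
    grep -Eq '^FILES=\(.*/crypto_keyfile\.bin' "$root/etc/mkinitcpio.conf" 2>/dev/null \
        || { echo "keyfile not listed in FILES= of mkinitcpio.conf"; rc=1; }
    grep -Eq '^GRUB_CMDLINE_LINUX=.*rd\.luks\.key=' "$root/etc/default/grub" 2>/dev/null \
        || { echo "rd.luks.key= missing from GRUB_CMDLINE_LINUX"; rc=1; }
    [ "$rc" -eq 0 ] && echo "keyfile setup looks consistent"
    return "$rc"
}

# Usage: sh keyfile_audit.sh /      (inside the chroot)
#        sh keyfile_audit.sh /mnt   (from the live system)
if [ $# -gt 0 ]; then keyfile_audit "$1"; fi
```

`cryptsetup luksDump /dev/<luksPart>` complements this: after the luksAddKey step two key slots should show as ENABLED, the passphrase and the keyfile.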

GRUB Installation

grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfg

CPU microcode

pacman -S intel-ucode
grub-mkconfig -o /boot/grub/grub.cfg

Password for root

passwd

Enter the password for the root user

First restart

Tests the bootloader and all main components installed so far.

exit # out of chroot
umount -R /mnt
reboot

System configuration

GRUB framebuffer resolution

nano /etc/default/grub

Change content:

GRUB_GFXMODE=1920x1080x32,auto
GRUB_GFXPAYLOAD_LINUX=text

A list of available graphics modes can be shown in the native GRUB command line with videoinfo.

grub-mkconfig -o /boot/grub/grub.cfg

Configure RAID arrays

See RAID.

Get the network time

nano /etc/systemd/timesyncd.conf

Change content:

[Time]
NTP=0.de.pool.ntp.org 1.de.pool.ntp.org 2.de.pool.ntp.org 3.de.pool.ntp.org
FallbackNTP=0.arch.pool.ntp.org 1.arch.pool.ntp.org 2.arch.pool.ntp.org 3.arch.pool.ntp.org
timedatectl set-ntp true
timedatectl status
timedatectl timesync-status
timedatectl show-timesync --all

Update the archlinux-keyring

nano /etc/pacman.d/gnupg/gpg.conf

Change content:

keyserver hkps://keyserver.ubuntu.com
pacman -Syyu archlinux-keyring
pacman-key --init
pacman-key --populate

Swap file

fallocate -l 4G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
swaplabel /swapfile >> /etc/fstab
nano /etc/fstab

Change content:

# UUID=<swapfile-uuid>
/swapfile   none    swap    defaults    0 0

Enable TRIM for SSDs

systemctl enable fstrim.timer

WLAN frequencies and signal strength regulations

pacman -Syu wireless-regdb
nano /etc/conf.d/wireless-regdom

Uncomment your region:

WIRELESS_REGDOM="DE"
reboot

Adding users and giving them sudo rights

useradd -m <username>
passwd <username>
ls /home
pacman -Syu sudo
EDITOR=nano visudo

Change content:

Defaults env_reset
Defaults editor=/usr/bin/nano, !env_editor
Defaults lecture=never
<username> ALL=(ALL:ALL) ALL
nano /home/<username>/.bashrc

Change content:

export EDITOR=nano
export VISUAL="$EDITOR"
reboot

Log on with the new user account

Parallel pacman downloads

sudo nano /etc/pacman.conf

Uncomment:

ParallelDownloads = 5

Hook for changing the preferred mirrors after a pacman-mirrorlist upgrade

sudo nano /etc/pacman.d/hooks/mirrorupgrade.hook

Content:

[Trigger]
Operation=Upgrade
Type=Package
Target=pacman-mirrorlist
[Action]
Description=Updating pacman mirrorlist, using preferred mirrors and removing pacnew...
When=PostTransaction
Depends=curl
Depends=sed
Depends=grep
Exec=/bin/sh -c "curl -o /etc/pacman.d/mirrorlist 'https://archlinux.org/mirrorlist/?country=DE&protocol=https&ip_version=6'; sed -i '1s;^;Server = https://mirror.netcologne.de/archlinux/\$repo/os/\$arch\nServer = https://mirrors.n-ix.net/archlinux/\$repo/os/\$arch\nServer = https://ftp.halifax.rwth-aachen.de/archlinux/\$repo/os/\$arch\n\n;' /etc/pacman.d/mirrorlist; grep ^[^#].* /etc/pacman.d/mirrorlist; rm -f /etc/pacman.d/mirrorlist.pacnew"

Reinstall:

sudo pacman -S pacman-mirrorlist
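The Exec one-liner of mirrorupgrade.hook rewritten as a script that fails closed; this is an added example, not the guide's hook. The one-liner writes curl's output straight over /etc/pacman.d/mirrorlist, so a failed or truncated download leaves pacman with an empty or partial list. Here the download goes to a temporary file, must contain at least one Server entry, and only then replaces the mirrorlist together with the guide's three preferred mirrors. The URL and mirrors are the guide's; the function names and the `run` argument are this example's own.

```sh
#!/bin/sh
# The Exec line of mirrorupgrade.hook as a script that fails closed (added example, not the
# guide's own hook). Download to a temporary file, require at least one Server entry, then
# replace the live list atomically with the preferred mirrors in front. Run as root.
set -u

PREFERRED='Server = https://mirror.netcologne.de/archlinux/$repo/os/$arch
Server = https://mirrors.n-ix.net/archlinux/$repo/os/$arch
Server = https://ftp.halifax.rwth-aachen.de/archlinux/$repo/os/$arch'
MIRROR_URL='https://archlinux.org/mirrorlist/?country=DE&protocol=https&ip_version=6'

# Number of mirror entries, commented out or not, in a list file.
count_servers() { grep -c -E '^#?Server = https://' "$1" 2>/dev/null || true; }

# Active (uncommented) lines of a list, the same check the hook does with grep.
active_mirrors() { grep -E '^[^#]' "$1"; }

# Writes the merged list to stdout: preferred mirrors first, then the downloaded candidates.
# Fails without output when the download has no Server entries at all.
compose_mirrorlist() {
    downloaded="$1"
    n=$(count_servers "$downloaded")
    if [ "${n:-0}" -eq 0 ]; then
        echo "downloaded list contains no Server entries" >&2
        return 1
    fi
    printf '%s\n\n' "$PREFERRED"
    cat "$downloaded"
}

update_mirrorlist() {
    target="${1:-/etc/pacman.d/mirrorlist}"
    tmp=$(mktemp) || return 1
    new=$(mktemp) || { rm -f "$tmp"; return 1; }
    trap 'rm -f "$tmp" "$new"' EXIT
    # -f makes curl fail on HTTP errors instead of saving the error page as a mirrorlist.
    curl -fsS -o "$tmp" "$MIRROR_URL" || { echo "download failed, keeping $target" >&2; return 1; }
    compose_mirrorlist "$tmp" > "$new" || return 1
    mv "$new" "$target"            # atomic replacement of the live list
    rm -f "$target.pacnew"
    active_mirrors "$target"
}

if [ "${1:-}" = run ]; then update_mirrorlist; fi
```

Saved for instance as /usr/local/bin/update-mirrorlist (an assumed path), the hook's Exec line shrinks to `Exec=/usr/local/bin/update-mirrorlist run`; the Depends= lines stay as they are.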

Git and gitconfig

sudo pacman -Syu git gnupg pass
git clone https://github.com/EnnoxHD/dotfiles.git
cd ./dotfiles/linux
chmod +x copy.sh
./copy.sh
cd ~
rm -rf ./dotfiles
nano ~/.bashrc

Add content:

alias git='LANG=en_US.UTF-8 git'
source ~/.bashrc

AUR (Arch User Repository)

sudo pacman -Syu base-devel
curl -O https://github.com/polygamma.gpg
gpg --import polygamma.gpg
rm polygamma.gpg
git clone https://aur.archlinux.org/aurman.git
cd aurman
makepkg --cleanbuild --install --syncdeps --needed --noconfirm --clean
cd ..
rm -rf aurman
mkdir -p ~/.config/aurman/
nano ~/.config/aurman/aurman_config

Content:

[miscellaneous]
devel
keyserver=hkps://keyserver.ubuntu.com
noedit
pgp_fetch
solution_way
use_ask

Reinstall:

aurman -Syu aurman

Transfer GPG keys from another device

Get your existing GPG public/private keypair identified by <key-id>:

gpg --list-keys
gpg --output public.gpg --export <key-id>
gpg --list-secret-keys
gpg --output private.key --export-secret-key <key-id>

Safely transfer and import them to the new device.

gpg --import public.gpg
gpg --import private.key

Trust your own key:

gpg --list-keys
gpg --list-secret-keys
gpg --edit-key <key-id>

Then trust > 5 > y > quit.

Git-Credential-Manager

aurman -Syu git-credential-manager-core git-credential-manager-core-extras
pass init <key-id>
nano ~/.bashrc

Add content:

export GPG_TTY=$(tty)

Work with a repository to add the credentials (e.g. personal access token) to the ~/.password-store of pass.

Optimize makepkg

aurman -Syu ccache mold
sudo nano /etc/makepkg.conf

Change the lines according to the following:

-CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions \
+CFLAGS="-march=native -O2 -pipe -fno-plt -fexceptions \
         -Wp,-D_FORTIFY_SOURCE=3 -Wformat -Werror=format-security \
         -fstack-clash-protection -fcf-protection \
         -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer"
 ...
-LDFLAGS="-Wl,-O1 -Wl,--sort-common -Wl,--as-needed -Wl,-z,relro -Wl,-z,now \
+LDFLAGS="-Wl,-O1 -Wl,--sort-common -Wl,--as-needed -Wl,-z,relro -Wl,-z,now,-fuse-ld=mold \
          -Wl,-z,pack-relative-relocs"
 ...
-#MAKEFLAGS="-j2"
+MAKEFLAGS="-j$(nproc)"
 ...
-BUILDENV=(!distcc color !ccache check !sign)
+BUILDENV=(!distcc color ccache check !sign)
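Review bot: in the LDFLAGS line, `-Wl,-z,now,-fuse-ld=mold` hands `-fuse-ld=mold` to the linker itself, but it is a compiler-driver option (gcc or clang select the linker with it), so ld rejects it as an unknown option and mold is never used; it belongs outside the `-Wl,` group, e.g. `-Wl,-z,now -fuse-ld=mold`. The text should also say that `-march=native` in the CFLAGS line ties every package built with this configuration to the build host's CPU, so such packages must not be shared with other machines.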
sudo nano /etc/makepkg.conf.d/rust.conf

Change the lines according to the following:

-RUSTFLAGS="-Cforce-frame-pointers=yes"
+RUSTFLAGS="-Copt-level=3 -Ctarget-cpu=native -Clink-arg=-fuse-ld=mold -Cforce-frame-pointers=yes"
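Review bot: `-Ctarget-cpu=native` has the same consequence as `-march=native` in the CFLAGS hunk above: Rust packages built with it only run reliably on this CPU, which the text should state. `-Clink-arg=-fuse-ld=mold` is the right form on the Rust side, since rustc passes link arguments through the C compiler driver; it requires the mold package installed at the top of this section.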
nano ~/.bashrc

Add the following:

export PATH="/usr/lib/ccache/bin:$PATH"
source ~/.bashrc

USB information

aurman -Syu usbutils

Battery and Temperatures

aurman -Syu acpi

ACPI support

aurman -Syu acpid
sudo systemctl enable acpid.service
sudo systemctl start acpid.service

Basic graphics driver

aurman -Syu xf86-video-fbdev xf86-video-vesa

Xorg server (with mesa and vulkan)

aurman -Syu mesa vulkan-icd-loader
aurman -Syu xorg-server xorg-apps

Set the keyboard layout:

sudo localectl --no-convert set-x11-keymap de

Graphics driver (and vulkan tools)

for Intel:

Values for enable_guc:

enable_guc value  GuC Submission  HuC Firmware Loading  Default for platforms                    Supported on platforms
0                 no              no                    Tiger Lake, Rocket Lake, and Pre-Gen12   All
1                 yes             no                    -                                        Alder Lake-P (Mobile) and newer
2                 no              yes                   Alder Lake-S (Desktop)                   Gen9 and newer
3                 yes             yes                   Alder Lake-P (Mobile) and newer          Alder Lake-P (Mobile) and newer
# for newer cards (Gen 10 and newer):
aurman -Syu intel-media-driver
# enable GuC and HuC
sudo nano /etc/modprobe.d/i915.conf
# content of the file: options i915 enable_guc=3
sudo mkinitcpio -p linux
# reboot and check dmesg output for GuC and HuC

# for older cards (Gen 2 to Gen 9):
aurman -Syu xf86-video-intel

# for vulkan support on Intel:
aurman -Syu vulkan-intel

# for intel_gpu_top:
aurman -Syu intel-gpu-tools

for NVIDIA:

see General Codenames

# for newer cards (Maxwell and newer):
aurman -Syu nvidia nvidia-utils opencl-nvidia

# for older cards (Kepler, requires DKMS):
aurman -Syu nvidia-470xx-dkms nvidia-470xx-utils opencl-nvidia-470xx

Vulkan tools:

aurman -Syu vulkan-tools

Hardware video acceleration (VA-API and VDPAU)

for NVIDIA:

aurman -Syu libva-vdpau-driver
sudo nano /etc/environment

Add:

VDPAU_DRIVER=nvidia

Verification:

reboot
# VA-API
aurman -Syu libva-utils
vainfo
# VDPAU
aurman -Syu vdpauinfo
vdpauinfo

Audio server and multimedia session manager

aurman -Syu pipewire libpipewire pipewire-session-manager wireplumber libwireplumber
aurman -Syu pipewire-audio pipewire-jack pipewire-pulse pipewire-alsa

Fonts

aurman -Syu noto-fonts noto-fonts-cjk noto-fonts-emoji noto-fonts-extra ttf-jetbrains-mono

Desktop environment

aurman -Syu gnome gnome-extra
sudo systemctl enable gdm.service
aurman -Syu networkmanager
sudo systemctl disable --now wpa_supplicant.service
sudo systemctl mask wpa_supplicant.service
sudo nano /etc/NetworkManager/conf.d/wifi_backend.conf

Change content:

[device]
wifi.backend=iwd
sudo systemctl enable NetworkManager.service
reboot

Gnome settings

aurman -Syu dconf-editor
gsettings set org.gnome.desktop.peripherals.touchpad tap-to-click true
gsettings set org.gnome.desktop.peripherals.touchpad natural-scroll false

Gnome custom keybindings

gsettings set org.gnome.settings-daemon.plugins.media-keys custom-keybindings "['/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0/', '/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom1/']"
gsettings set org.gnome.settings-daemon.plugins.media-keys.custom-keybinding:/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0/ name 'Files'
gsettings set org.gnome.settings-daemon.plugins.media-keys.custom-keybinding:/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0/ command 'nautilus'
gsettings set org.gnome.settings-daemon.plugins.media-keys.custom-keybinding:/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0/ binding '<Super>e'
gsettings set org.gnome.settings-daemon.plugins.media-keys.custom-keybinding:/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom1/ name 'Terminal'
gsettings set org.gnome.settings-daemon.plugins.media-keys.custom-keybinding:/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom1/ command 'gnome-terminal'
gsettings set org.gnome.settings-daemon.plugins.media-keys.custom-keybinding:/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom1/ binding '<Super>r'

Fractional Scaling (HiDPI)

aurman -S mutter-x11-scaling gnome-keybindings-x11-scaling gnome-control-center-x11-scaling
# manual intervention may be required, reinstall mutter dependants
aurman -S gdm gnome-shell gnome-shell-extensions gnome-browser-connector
gsettings set org.gnome.mutter experimental-features "['x11-randr-fractional-scaling']"

If an error occurs after the package installation, simply restart. Enable fractional scaling in the control center and set the desired scaling factor.

Screen layout

for NVIDIA (optional):

# for newer cards:
aurman -Syu nvidia-settings
# for older cards:
aurman -Syu nvidia-470xx-settings

In general adjust monitor settings, then do:

sudo cp ~/.config/monitors.xml /var/lib/gdm/.config/
sudo chown gdm:gdm /var/lib/gdm/.config/monitors.xml

Pinentry program for GPG-agent

Configure which Pinentry program is used by GPG:

Reload the agent after configuration:

gpg-connect-agent reloadagent /bye

Internet browser

aurman -Syu firefox firefox-i18n-de

Firewall

aurman -Syu ufw
sudo systemctl start ufw.service
sudo systemctl enable ufw.service
sudo ufw default deny
sudo ufw enable
sudo ufw status

# GUI frontend
aurman -Syu gufw

Firewall: SSH settings

sudo ufw limit ssh
sudo ufw reload

Firewall: VPN settings

Filter rules

To allow IP forwarding in every case:

sudo nano /etc/default/ufw

Change content: from "DROP" to "ACCEPT"

DEFAULT_FORWARD_POLICY="ACCEPT"

To allow IP forwarding only for a specific <adapter>, e.g. wg0:

sudo nano /etc/ufw/before.rules

Add these lines after # End required lines:

# allow all on <adapter>
-A ufw-before-forward -i <adapter> -j ACCEPT
-A ufw-before-forward -o <adapter> -j ACCEPT

Setup IP forwarding

sudo nano /etc/ufw/sysctl.conf

Uncomment the following lines:

net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1

Bluetooth

sudo systemctl enable bluetooth.service

Printer driver and PDF

See CUPS.

Scanner

aurman -Syu sane simple-scan

Disk utilities

pacman -Syu gptfdisk dosfstools ntfs-3g veracrypt

Mount additional (encrypted) partitions

Get the PARTUUIDs of normal drive partitions via sudo blkid. Check out lsblk for a more general overview of block devices. For RAID support, see RAID: Mount additional (encrypted) RAID volumes.

Mapping encrypted partitions

Prepare a file holding the passphrase of each drive, e.g. with sudo nano /etc/<diskname>.password.

sudo nano /etc/crypttab
# <diskname>
crypt<diskname>    /dev/disk/by-partuuid/<partuuid>    /etc/<diskname>.password    tcrypt,tcrypt-veracrypt,noauto

Continue with the mounting in /etc/fstab for the /etc/crypttab-mapped partitions.

Normal mounting

Get the user id uid and the group id gid of the current user with the id command. In general on a single-user machine this should be uid=1000 and gid=1000.

id
sudo nano /etc/fstab
# <diskname>
/dev/mapper/crypt<diskname>    /mnt/<diskname>    ntfs-3g    noauto,x-systemd.automount,uid=1000,gid=1000,dmask=0022,fmask=0033,windows_names    0 0

Links to drives

nano ~/.profile

Content:

for dir in /mnt/*/; do ln -sfn "$dir" ~/"$(basename "$dir")"; done

Password container

aurman -Syu keepassxc

Enhancing Bash

Bash completion

aurman -Syu bash-completion
nano ~/.inputrc

Content:

$include /etc/inputrc
set completion-ignore-case on

Powerline

aurman -Syu powerline powerline-fonts
nano ~/.bashrc

Change content:

powerline-daemon -q
POWERLINE_BASH_CONTINUATION=1
POWERLINE_BASH_SELECT=1
. /usr/share/powerline/bindings/bash/powerline.sh

Configuration:

mkdir -p ~/.config/powerline/themes/shell/
cp /usr/lib/python3.10/site-packages/powerline/config_files/themes/shell/default.json ~/.config/powerline/themes/shell/
nano ~/.config/powerline/themes/shell/default.json

Changes based on:

Changes:

            {
                "function": "powerline.segments.shell.mode"
            },
+           {
+               "function": "powerline.segments.common.time.date",
+               "args": {
+                   "format": "%H:%M:%S",
+                   "istime": true
+               },
+               "priority": 5,
+               "draw_hard_divider": false,
+               "after": " "
+           },
            {
                "function": "powerline.segments.common.net.hostname",
                "priority": 10
            },
            {
                "function": "powerline.segments.common.env.user",
-               "priority": 30
+               "priority": 30,
+               "before": " "
            },
            {
                "function": "powerline.segments.common.env.virtualenv",

Restart the shell

Design

aurman -Syu gnome-tweaks

Additional software

Advanced topics

VM