ArchLinux Installation Guide on Encrypted SSD [2017]

This tutorial will guide you through installing ArchLinux on a GPT-partitioned SSD, booting with GRUB2 on a BIOS PC (see the Wiki for EFI), with LVM set up inside a LUKS-encrypted partition. It is not meant to replace the official ArchLinux installation guide or Wiki; it is just a collection of notes gathered from the official sources. As a reminder, the Installation Guide can now also be found on the USB flash drive under /root/install.txt.

Once you have installed your system, please make sure to consult my emergency instructions for accessing your encrypted data from a LiveCD USB flash drive, and for performing seamless upgrades using LVM snapshots.

Pre-Installation Steps

Securely wipe SSD

Fill the new drive with random data using a working Linux system:

    # dd if=/dev/urandom of=/dev/sda iflag=nocache oflag=direct bs=4096

This operation takes a long time (e.g. 8 hours for a 500GB SSD).

Prepare USB Flash drive

Based upon 2017.01.01 ISO image or later from http://www.archlinux.org/download.

    # dd if=/dev/zero of=/dev/sdx  bs=1k count=1
    # dd if=archlinux-xxxxx.iso of=/dev/sdx

Replace sdx with the device name of your thumb drive.

Boot from USB Flash drive

Go into the BIOS menu and make sure to disable UEFI or enable legacy BIOS as the default, then boot and select x86_64 (or i686 if you want to stay on the i686 architecture, max. 3GB of RAM). If you see UEFI in the boot menu, your system is probably set up for UEFI boot only.

Change keyboard layout

    # loadkeys fr

Get IP address

The Archlinux boot CD starts the network and gets an IP address via DHCP. You can check that you have obtained an IP address with:

    # ip addr

If your IP address was not set up automatically, you can use:

    # dhcpcd

A manual IP configuration or wifi are also possible. Please refer to the official wiki for proper instructions.

Configure drive, block devices and encrypted filesystems

Identify the devices

The first step is to identify the devices where the new system will be installed. The following command will show all the available devices:

    # lsblk

Manually partition the SSD

    # gdisk /dev/sda

Remove old partitions then create the following partitions:

  • Enter n,1,[Enter],2M,EF02. This is the first partition (2MB), type EF02 (BIOS boot partition), used by GRUB2 for BIOS-GPT booting (/dev/sda1).
  • Enter n,2,[Enter],256M,8300. Second partition (256MB), type 8300 (Linux), holds the unencrypted /boot as well as backup copies of /boot between system upgrades (/dev/sda2).
  • Enter n,3,[Enter],3G,8200. Third partition (3GB), type 8200 (swap), is our optional swap partition, encrypted with a random key and not part of LVM (/dev/sda3).
  • Enter n,4,[Enter],[Enter],8E00. Fourth partition occupies the remaining space, type 8E00 (LVM). It will hold the encrypted LVM for /, /home and snapshots (/dev/sda4).
  • Enter p to verify the above configuration.
  • Enter w,Y to write the partition table.

If you don't want the hassle of a separate, self-encrypted swap partition, you can always set up an LVM volume for it.

Prepare encrypted LUKS space

We need to align the payload for the SSD and enable TRIM.

    # cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --align-payload=8192 luksFormat /dev/sda4
    # cryptsetup luksOpen --allow-discards /dev/sda4 enc-lvm

While we will be enabling TRIM at different stages, we won't use the discard mount option for the partitions but rather run weekly fstrim jobs. --iter-time 5000 means the key derivation is tuned to take about 5 s, so checking a passphrase takes up to 5 s.

Setup LVM space

20GB for root is usually enough, but if you start installing large packages such as TeX it can become too small over time, so 40GB gives some room. We don't set up swap inside LVM but keep it outside with its own random key per reboot. For the home directory we don't use all the remaining space but keep some spare space for snapshots.

    # lvm pvcreate --dataalignment 4M /dev/mapper/enc-lvm
    # lvm vgcreate vgroup /dev/mapper/enc-lvm
    # lvm lvcreate -L 40GB -n root vgroup
    # lvm lvcreate -l 95%free -n home vgroup

Run vgdisplay to check the space left for snapshots. If it is not what you want, remove the home volume and recreate it with a different percentage:

    # lvremove /dev/mapper/vgroup-home
    # lvm lvcreate -l 97%free -n home vgroup

Format /boot, /root and /home

    # mkfs.ext2 /dev/sda2
    # mkfs.xfs /dev/mapper/vgroup-root
    # mkfs.xfs /dev/mapper/vgroup-home

ext4 was the filesystem of choice in the previous installation guide. Since I’m using XFS now on my NAS I thought it would make sense to use XFS here too especially with the latest developments including metadata checksums that are enabled by default.

Get 5% space back from /home partition (if using EXT4)

If you selected ext4 instead of XFS for /home, you can gain 5% of space back: ext4 reserves it by default as a safeguard for the root partition when the disk gets full.

On a non-root partition this reserved space can be easily and safely reclaimed with the following command:

    # tune2fs -m 0 /dev/mapper/vgroup-home

Mount the partitions

    # mount /dev/mapper/vgroup-root /mnt
    # mkdir /mnt/boot
    # mount /dev/sda2 /mnt/boot
    # mkdir /mnt/home
    # mount /dev/mapper/vgroup-home /mnt/home

Install the base system

Select installation mirror

ftp.archlinux.org is throttled to 50KB/s.

Before installing, you may want to edit /etc/pacman.d/mirrorlist such that your preferred mirror is first. This copy of the mirrorlist will be installed on your new system by pacstrap as well, so it’s worth getting it right.

Perform system installation

    # pacstrap /mnt base base-devel

Install a bootloader

The following installs GRUB2. If you want EFI, please refer to the official Wiki.

    # pacstrap /mnt grub-bios

Generate fstab for the new disk scheme

Generate a fstab file with the following command. UUIDs will be used because they have certain advantages (see official wiki). If you would prefer to use labels instead, replace the -U option with -L. Note: If you encounter errors running genfstab or later in the install process, do not run genfstab again; just edit the fstab file.

    # genfstab -U -p /mnt >> /mnt/etc/fstab

Setup mount Flags

When using an SSD it's important to disable some of the timestamp updates (atime) that can shorten the SSD's lifetime. Edit the /mnt/etc/fstab generated above to reflect the following changes:

    UUID=XXX-YYY-ZZZ   /       xfs  rw,noatime,attr2,inode64,noquota 0 1
    UUID=TTT-UUU-VVV   /boot   ext2 rw,noatime 0 2
    UUID=PPP-QQQ-RRR   /home   xfs  rw,noatime,attr2,inode64,noquota 0 2

Enable TRIM support on LVM

We have to enable the option issue_discards in the LVM configuration. Edit /mnt/etc/lvm/lvm.conf

  # [...]
  devices {
  # [...]
  issue_discards = 1
  # [...]
  }
  # [...]

http://blog.neutrino.es/2013/howto-properly-activate-trim-for-your-ssd-on-linux-fstrim-lvm-and-dmcrypt/

Configure the newly installed system

Chroot into the installed system

    # arch-chroot /mnt /bin/bash

Set root password

Set a root password with:

    # passwd

Set hostname

Add your hostname in /etc/hostname.

    myhostname

Set it to your liking. This is the name of your computer.

Also add your hostname to /etc/hosts as an alias, matching the one specified in /etc/hostname, so that it looks like this:

    127.0.0.1   localhost.localdomain   localhost myhostname
    ::1         localhost.localdomain   localhost myhostname

Note: ::1 is the IPv6 equivalent of 127.0.0.1

Configure console fonts and keymap

Set the keymap and font name in /etc/vconsole.conf.

    KEYMAP=fr
    FONT=
    FONT_MAP=

  • KEYMAP: the available keymaps are in /usr/share/kbd/keymaps. Please note that this setting only applies to your TTYs, not to graphical window managers or X.
  • FONT: available alternate console fonts reside in /usr/share/kbd/consolefonts/. The default (blank) is safe.
  • FONT_MAP: defines the console map to load with the setfont program at boot. Possible maps are found in /usr/share/kbd/consoletrans, if needed. The default (blank) is safe.

Setup time

Select a time zone:

    # tzselect

Available time zones and subzones can also be found under the /usr/share/zoneinfo/ directory.

Setup a timezone

Edit the file /etc/timezone and write your Zone/Subzone. Example:

    Europe/Paris

Additionally, create a symbolic link /etc/localtime to the matching file under /usr/share/zoneinfo/ with this command:

    # ln -s /usr/share/zoneinfo/Europe/Paris /etc/localtime

Adjust time skew

It is recommended to adjust the time skew, and set the time standard to UTC:

 # hwclock --systohc --utc

Locale

Enable locales

Edit /etc/locale.gen and uncomment:

    en_US.UTF-8 UTF-8
    fr_FR.UTF-8 UTF-8
    fr_FR ISO-8859-15
    fr_FR@euro ISO-8859-15

Generate locales

    # locale-gen

Setting up system-wide locale

Add your language to /etc/locale.conf.

    LANG=fr_FR.UTF-8
    LC_COLLATE="fr_FR.UTF-8"

Export current language for initramfs creation

Since we will be adding the keymap hook to mkinitcpio.conf, the LANG environment variable needs to be set:

    # export LANG=fr_FR.UTF-8

Configure the network

If not using DHCP or network manager, please see wiki for rc.conf configuration.

Prepare initramfs and bootloader

Prepare the initramfs build

Add the keymap hook so a non-US keyboard works at boot, the keyboard hook for USB keyboard support at boot, and the encrypt and lvm2 hooks for accessing our encrypted space.

Edit /etc/mkinitcpio.conf to add required hooks for encryption, keyboard and LVM.

    HOOKS="base udev autodetect modconf block keyboard keymap encrypt lvm2 filesystems fsck"

Also add the required video driver for early display setup. For example for integrated Intel graphic card:

    MODULES="i915"
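As an added check, not part of the original guide, the following POSIX shell script parses a mkinitcpio.conf HOOKS line and verifies the ordering an encrypted LVM root depends on (block, keyboard and keymap before encrypt; encrypt before lvm2; lvm2 before filesystems). The mkinitcpio.conf text it reads is constructed sample input.

```shell
#!/bin/sh
# Added example (not from the original guide): verify HOOKS ordering for a
# LUKS + LVM root before running mkinitcpio. The conf text is constructed.

# hooks_from_conf "<mkinitcpio.conf text>" -> hook names, one per line.
# Accepts both HOOKS="..." and HOOKS=(...) syntax.
hooks_from_conf() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*HOOKS=[("]*\([^)"]*\)[)"]*.*/\1/p' \
      | tr ' ' '\n' | sed '/^$/d'
}

# hook_index "<hooks, one per line>" name -> 1-based position, 0 if absent
hook_index() {
    printf '%s\n' "$1" | awk -v h="$2" '$0 == h { print NR; f = 1; exit } END { if (!f) print 0 }'
}

# must_precede "<hooks>" a b -> 0 if hook a is present and listed before hook b
must_precede() {
    ia=$(hook_index "$1" "$2"); ib=$(hook_index "$1" "$3")
    [ "$ia" -gt 0 ] && [ "$ib" -gt 0 ] && [ "$ia" -lt "$ib" ]
}

# check_hooks "<mkinitcpio.conf text>" -> 0 if every ordering constraint holds
check_hooks() {
    hooks=$(hooks_from_conf "$1")
    rc=0
    # encrypt needs block devices and the keyboard/keymap ready to read the
    # passphrase; lvm2 needs the opened container; filesystems needs the LVs.
    for pair in "block encrypt" "keyboard encrypt" "keymap encrypt" \
                "encrypt lvm2" "lvm2 filesystems"; do
        set -- $pair
        if must_precede "$hooks" "$1" "$2"; then
            echo "ok: $1 before $2"
        else
            echo "BAD: '$1' must be present and listed before '$2'"; rc=1
        fi
    done
    return $rc
}

# Constructed sample configurations (not read from a real system)
CONF_GOOD='MODULES="i915"
HOOKS="base udev autodetect modconf block keyboard keymap encrypt lvm2 filesystems fsck"'
CONF_BAD='HOOKS="base udev autodetect modconf block filesystems keyboard lvm2 encrypt fsck"'

check_hooks "$CONF_GOOD" || :
check_hooks "$CONF_BAD" || :
```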

Create an initial ramdisk environment

    # mkinitcpio -p linux

Configure the bootloader

Install GRUB2 to the SSD:

    # grub-install --recheck /dev/sda

Add SSD TRIM and encryption support

We need to allow discards in grub even if we only use the fstrim utility instead of the discard mount option. Edit /etc/default/grub and change with:

    GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda4:vgroup:allow-discards"

If you have multiple SATA drives in your system, you might need to use the UUID instead of the device name. Get the UUID of /dev/sda4 with:

    # blkid /dev/sda4

Then replace cryptdevice=/dev/sda4 with cryptdevice=/dev/disk/by-uuid/wwww-xxxx-yyyy-zzzz, using the UUID printed above.

Generate the GRUB2 configuration:

    # grub-mkconfig -o /boot/grub/grub.cfg

Some warnings will pop up, but that's fine. The next time you regenerate the grub configuration they should be gone.

Time to reboot into your freshly installed system

Unmount the partitions

If you are still in the chroot environment then type exit or Ctrl+D in order to exit chroot. Since the partitions are mounted under /mnt, we use the following command to unmount them.

    # exit
    # umount /mnt/boot
    # umount /mnt/home
    # umount /mnt

Reboot

Execute the following command and remove the installation media.

    # reboot

Post Installation Steps

Start network

Use the name of your interface (eth0 here; with predictable interface names it looks like enp0s25, see ip link):

    # dhcpcd eth0

Setup swap space

One can place a swap partition on an SSD. Note that most modern desktops with an excess of 2 Gigs of memory rarely use swap at all. The notable exception is systems which make use of the hibernate feature.

Enable encrypted swap with random key but without suspend-to-disk support

It is very dangerous to use a crypttab swap entry with /dev/sdx3 or even /dev/disk/by-id/ata-SERIAL-partX. A small change in your device names or partitioning layout and /etc/crypttab will see your valuable data formatted on the next boot. It is more reliable to identify the correct partition by giving it a UUID or LABEL. By default that does not work because dm-crypt and mkswap would simply overwrite any content on that partition; however, it is possible to specify an offset. This allows you to create a very small, empty, bogus filesystem (with no other purpose than providing a UUID or LABEL) which survives the swap encryption.

Create a filesystem with label of your choice:

    # mkfs.ext2 -L cryptswap /dev/sda3 1M

The unusual parameter after the device name limits the filesystem size to 1 MiB.

    # blkid /dev/sda3

    /dev/sda3: LABEL="cryptswap" UUID="b72c384e-bd3c-49aa-b7a7-a28ea81a2605" TYPE="ext2"

With this, /dev/sda3 now can easily be identified either by UUID or LABEL, regardless of how its device name or even partition number might change in the future. All that’s left is the /etc/crypttab and /etc/fstab entries:

/etc/crypttab

    # <name>       <device>         <password>              <options>
    cryptswap      LABEL=cryptswap  /dev/urandom            swap,offset=2048,cipher=aes-xts-plain64,size=512,hash=sha512

Note the offset: it’s 2048 sectors of 512 bytes, thus 1 MiB. This way the filesystem LABEL/UUID remains intact, and data alignment works out as well.

Why /dev/urandom and not /dev/random? The latter blocks until it has gathered enough entropy to continue; urandom doesn't. So if you use random instead of urandom you might have to wait during boot until enough entropy is collected. (It does help to type on your keyboard and move the mouse.) Use /dev/random if you're really paranoid.

/etc/fstab

    # <filesystem>         <dir>  <type>  <options>  <dump>  <pass>
    /dev/mapper/cryptswap  none   swap    defaults   0       0
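Added example, not from the original guide: a POSIX shell check for the crypttab entry above that catches the failure mode just described, a swap line that points at a kernel device name, lacks the swap option, or lacks the offset= that keeps the label-carrying filesystem intact. The crypttab lines and the 1 MiB filesystem size are constructed/assumed inputs.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check /etc/crypttab swap
# entries of the kind shown above before rebooting. Sample lines are constructed.

# Size of the dummy filesystem created with "mkfs.ext2 -L cryptswap /dev/sda3 1M"
# (assumption: 1 MiB, i.e. 2048 sectors of 512 bytes).
FS_SIZE_MIB=1

mib_to_sectors() {
    # 1 MiB = 1048576 bytes = 2048 sectors of 512 bytes
    echo $(( $1 * 1048576 / 512 ))
}

# check_cryptswap_line "<crypttab line>" -> prints a verdict, returns 0 if the
# entry is safe and 1 if it would destroy the label or hit the wrong device.
check_cryptswap_line() {
    line=$1
    set -- $line
    name=$1; device=$2; options=$4
    rc=0

    # 1) the device must be found by LABEL= or UUID=, never by a kernel name
    case "$device" in
        LABEL=*|UUID=*) ;;
        *) echo "$name: device '$device' is a device path; a layout change could format the wrong partition"; rc=1 ;;
    esac

    # 2) with a random key the 'swap' option (re-mkswap on every boot) is required
    case ",$options," in
        *,swap,*) ;;
        *) echo "$name: missing 'swap' option"; rc=1 ;;
    esac

    # 3) the offset must skip the whole dummy filesystem, otherwise its
    #    LABEL/UUID is overwritten on the first boot
    offset=$(printf '%s\n' "$options" | tr ',' '\n' | sed -n 's/^offset=//p')
    need=$(mib_to_sectors "$FS_SIZE_MIB")
    if [ -z "$offset" ]; then
        echo "$name: no offset= option; the label filesystem will be destroyed on first boot"; rc=1
    elif [ "$offset" -lt "$need" ]; then
        echo "$name: offset=$offset sectors is smaller than the ${FS_SIZE_MIB} MiB label filesystem ($need sectors)"; rc=1
    fi
    [ $rc -eq 0 ] && echo "$name: ok (offset $offset sectors = $(( offset * 512 / 1048576 )) MiB)"
    return $rc
}

# Constructed sample entries (not real system data)
GOOD='cryptswap   LABEL=cryptswap  /dev/urandom  swap,offset=2048,cipher=aes-xts-plain64,size=512,hash=sha512'
BAD_DEV='cryptswap   /dev/sda3        /dev/urandom  swap,offset=2048,cipher=aes-xts-plain64,size=512'
BAD_OFF='cryptswap   LABEL=cryptswap  /dev/urandom  swap,cipher=aes-xts-plain64,size=512'

for entry in "$GOOD" "$BAD_DEV" "$BAD_OFF"; do
    check_cryptswap_line "$entry" || :   # non-zero status just flags a bad entry
done
```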

Change swap space behavior

The following is a recommended tweak for SSDs using a swap partition: it reduces the "swappiness" of the system, thus avoiding writes to swap.

/etc/sysctl.d/99-sysctl.conf

    vm.swappiness=1
    vm.vfs_cache_pressure=50

Reboot, then check the value with:

    # cat /proc/sys/vm/swappiness

Enable periodic TRIM operation

Since we haven't enabled discards on the mountpoints, we need to perform TRIM operations on a regular basis.

The util-linux package (part of base and base-devel) provides fstrim.service and fstrim.timer systemd unit files. Enabling the timer will activate the service weekly, which will then trim all mounted filesystems on devices that support the discard operation. The timer relies on the timestamp of /var/lib/systemd/timers/stamp-fstrim.timer (which it will create upon first invocation) to know whether a week has elapsed since it last ran.

    # systemctl enable fstrim.timer

Therefore there is no need to worry about too frequent invocations; it works in an anacron-like fashion. You can query the unit's activity and status with the standard journalctl and systemctl status commands:

    # journalctl -u fstrim
    # systemctl status fstrim

Change I/O scheduler for SSD

Both noop and deadline are recommended for SSD operation. We will stick to deadline for SSDs and CFQ for hard drives.

To do this, create and edit a file in /etc/udev/rules.d named something like ‘60-schedulers.rules’. In the file include the following:

    # set deadline scheduler for non-rotating disks
    ACTION=="add|change", KERNEL=="sd[a-z]", TEST!="queue/rotational", ATTR{queue/scheduler}="deadline"
    ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="deadline"

    # set cfq scheduler for rotating disks
    ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="1", ATTR{queue/scheduler}="cfq"

Of course, set deadline/cfq to the desired schedulers. Changes should occur upon next boot. To check success of the new rule:

    # cat /sys/block/sdX/queue/scheduler   #where X is the device in question

Note: Keep in mind cfq is the default scheduler, so the second rule with the standard kernel is not actually necessary. Also, in the example sixty is chosen because that is the number udev uses for its own persistent naming rules. Thus, it would seem that block devices are at this point able to be modified and this is a safe position for this particular rule. But the rule can be named anything so long as it ends in ‘.rules’. (Credit: falconindy and w0ng for posting on his blog)

Resolving NCQ errors

Some SSDs and SATA chipsets do not work properly with Linux Native Command Queueing (NCQ). The tell-tale dmesg errors look like this:

    [ 9.115544] ata9: exception Emask 0x0 SAct 0xf SErr 0x0 action 0x10 frozen
    [ 9.115550] ata9.00: failed command: READ FPDMA QUEUED
    [ 9.115556] ata9.00: cmd 6004:00:d4:82:8500:00:1f:00:00/40 tag 0 ncq 2048 in
    [ 9.115557] res 4000:18:d3:82:8500:00:1f:00:00/40 Emask 0x4 (timeout)

To disable NCQ on boot, add

    libata.force=noncq

to the kernel command line in the bootloader configuration. To disable NCQ only for disk 0 on port 1, use:

    libata.force=1.00:noncq

Add default user

    # useradd -m -G wheel -s /bin/bash archie

Setup password for new user:

    # passwd archie

Sudo

    # pacman -S sudo

Configure for a given user:

    # visudo

and add:

    archie   ALL=(ALL) ALL

Add additional repositories

Most people will want to use [core], [extra] and [community].

Multilib

If you installed Arch Linux x86_64, it’s recommended that you enable the [multilib] repository, as well (to be able to run both 32 bit and 64 bit applications):

    [multilib]
    Include = /etc/pacman.d/mirrorlist

archlinuxfr

Required for installing yaourt, virtualbox and many other packages.

Add the following to /etc/pacman.conf as root (this is for a 64-bit installation). Note that SigLevel = Optional TrustAll disables package signature verification for this repository, so you are trusting the mirror and the plain-HTTP transport:

    [archlinuxfr]
    SigLevel = Optional TrustAll
    Server = http://repo.archlinux.fr/x86_64

Refresh software list with:

    # pacman -Syy

Package management with Yaourt rather than pacman

Add nice colors when browsing packages:

    # pacman -S yaourt colordiff

Search both the binary repos and the AUR:

    # yaourt mc

Complete update and upgrade, even for packages coming from AUR

    # yaourt -Syu --aur

Setup automatic microcode loading

For AMD processors the microcode updates are available in linux-firmware, which is installed as part of the base system. No further action is needed.

For Intel processors, install the intel-ucode package, and continue reading:

    # pacman -S intel-ucode

grub-mkconfig will automatically detect the microcode update and configure grub appropriately. After installing the intel-ucode package, users are directed to regenerate the grub config to activate loading the microcode update by running:

    # grub-mkconfig -o /boot/grub/grub.cfg

Install Xorg

Core Xorg install

    # pacman -S xorg-server xorg-xinit xorg-server-utils

pacman will ask you to choose providers, for example:

    4 providers for libgl: 1) mesa-libgl 2) nvidia-304xx-libgl 3) nvidia-340xx-libgl 4) nvidia-libgl
    2 providers for xf86-input-driver: 1) xf86-input-evdev 2) xf86-input-libinput

The 3D utilities glxgears and glxinfo are included in the mesa package:

    # pacman -S mesa

Identify video driver

Then you need to install a suitable driver for your graphics card. You need to know its brand and model, then consult the main Archlinux wiki to see which driver best fits your needs. The output of the command:

    # lspci | grep VGA

should help you to identify your card.

For a complete list of open-source video drivers, search the package database:

    # pacman -Ss xf86-video | less

The following is for an Intel based graphic card.

    # pacman -S xf86-video-intel lib32-mesa-libgl

Keyboard & mouse

Keyboard layout in Xorg can be set in multiple ways. Here is an explanation of the options used:

  • XkbModel selects the keyboard model. This only affects some extra keys your keyboard might have. The safe fallbacks are pc104 or pc105. But laptops, for instance, usually have some extra keys, and sometimes you can make them work simply by setting the proper model.
  • XkbLayout selects the keyboard layout. Multiple layouts may be specified in a comma-separated list, e.g. if you want to switch between layouts quickly.
  • XkbVariant selects a specific layout variant. For instance, the default sk variant is qwertz, but you can manually specify qwerty, etc.
  • XkbOptions contains some extra options, used for specifying layout switching, notification LED, compose mode etc.

The layout name is usually a 2-letter country code. To see a full list of keyboard models, layouts, variants and options, along with a short description, open /usr/share/X11/xkb/rules/base.lst. Alternatively, you may use one of the following commands to see a list without a description:

    # localectl list-x11-keymap-models
    # localectl list-x11-keymap-layouts
    # localectl list-x11-keymap-variants [layout]
    # localectl list-x11-keymap-options

One way to create a system-wide configuration that persists across reboots is the file /etc/X11/xorg.conf.d/00-keyboard.conf.

For convenience, the tool localectl may be used instead of manually editing X configuration files. It will save the configuration in /etc/X11/xorg.conf.d/00-keyboard.conf, this file should not be manually edited, because localectl will overwrite the changes on next start. The usage is as follows:

    # localectl [--no-convert] set-x11-keymap layout [model [variant [options]]]

To set a model, variant or options, all preceding fields need to be specified. Unless the --no-convert option is passed, the specified keymap is also converted to the closest matching console keymap and applied to the console configuration in vconsole.conf. See man localectl for more information.

To create, for example a configuration for a French keyboard that will be stored in /etc/X11/xorg.conf.d/00-keyboard.conf:

    # localectl --no-convert set-x11-keymap fr pc104

Laptop users will also need the synaptics package to allow X to configure the touchpad:

    # pacman -S xf86-input-synaptics

The primary method of configuration for the touchpad is through an Xorg server configuration file. After installation of xf86-input-synaptics, a default configuration file is located at /usr/share/X11/xorg.conf.d/50-synaptics.conf. Users can copy this file to /etc/X11/xorg.conf.d/ and edit it to configure the various driver options available. Refer to the synaptics(4) manual page for a complete list of available options. Machine-specific options can be discovered using synclient.

The following lists options that many users may wish to configure. This example configuration file enables vertical, horizontal and circular scrolling as well as touchpad tap to click: /etc/X11/xorg.conf.d/50-synaptics.conf

    Section "InputClass"
        Identifier "touchpad"
        Driver "synaptics"
        MatchIsTouchpad "on"
        Option "TapButton1" "1"
        Option "TapButton2" "2"
        Option "TapButton3" "3"
        Option "VertEdgeScroll" "on"
        Option "VertTwoFingerScroll" "on"
        Option "HorizEdgeScroll" "on"
        Option "HorizTwoFingerScroll" "on"
        Option "CircularScrolling" "on"
        Option "CircScrollTrigger" "2"
        Option "EmulateTwoFingerMinZ" "40"
        Option "EmulateTwoFingerMinW" "8"
        Option "CoastingSpeed" "0"
        Option "FingerLow" "35"
        Option "FingerHigh" "40"
        ...
    EndSection

Test X

Install the default environment:

    # pacman -S xorg-twm xorg-xclock xterm

Start X

    # startx

Install fonts

At this point, you may wish to save time by installing visually pleasing, true type fonts, before installing a desktop environment/window manager. Dejavu and bitstream-vera are good, general-purpose font sets. You may also want to have the Microsoft font sets, which are especially popular on websites.

Install with:

    # pacman -S ttf-dejavu ttf-bitstream-vera
    # yaourt ttf-ms-fonts

Allocine is missing one font that needs to be added manually!

Install Gnome

Base system

    # pacman -S gnome gnome-extra

Remove tracker to enable old-fashioned search in nautilus/nemo.

GDM

GDM is part of gnome-extra.

To make GDM the default graphical login method for the system, use the packaged systemd service file, gdm.service. Simply run the following command once to bring up GDM on boot:

    # systemctl enable gdm

Starting GNOME manually

If you prefer to start GNOME manually from the console, add the following line to your ~/.xinitrc file:

~/.xinitrc

    exec gnome-session

You can get an .xinitrc template from /etc/skel/.xinitrc.

Enable Gnome NetworkManager

    # systemctl enable NetworkManager

GNOME tweak tool

This graphical tool customizes fonts, themes, titlebar buttons and other settings. It should already have been installed with the gnome and gnome-extra meta packages.

    # pacman -S gnome-tweak-tool

Force the Xorg backend instead of GDM's default Wayland backend

The Wayland backend is used by default and the Xorg backend is used only if the Wayland backend cannot be started. As the Wayland backend has been reported to cause problems for some users, using the Xorg backend may be necessary. Using Wayland I experienced issues with Guake not being available all the time, and I also couldn't revert the mouse scroll behavior back to its original state.

To use the Xorg backend by default, edit the /etc/gdm/custom.conf file and uncomment the following line:

    #WaylandEnable=false

Configure sound

I used to configure alsa but lately I didn’t have to configure anything to get sound working when using Gnome desktop.

Nasty bug on Intel HD Audio desktop

I had a nasty bug for more than 6 months that prevented me from playing audio reliably through the optical output of my motherboard: the volume control would switch to another source every second.

The solution was found here: https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1277846

    # pacman -S alsa-tools
    # hdajackretask

Click on "Advanced override", then on "Override" for "Pin ID: 0x1b (Green Headphone, Front side)". Under "Jack detection", select "Not present". I tried the "Apply now" button but it didn't work; go for "Install boot override" and reboot.

"Install boot override" installs /etc/modprobe.d/hda-jack-retask.conf:

    # This file was added by the program 'hda-jack-retask'.
    # If you want to revert the changes made by this program, you can simply erase this file and reboot your computer.
    options snd-hda-intel patch=hda-jack-retask.fw,hda-jack-retask.fw,hda-jack-retask.fw,hda-jack-retask.fw

Guake

    # pacman -S guake

To get guake to autostart on login, use gnome-tweak-tool.

ZSH

    # pacman -S zsh

Change the default shell for the current user:

    # chsh -s $(which zsh)

Prezto

I used to add grml-zsh-config and oh-my-zsh. Now I have switched to prezto. Instead of using the version found in the AUR, I directly clone the repo to my home directory.

    # git clone --recursive https://github.com/sorin-ionescu/prezto.git "${ZDOTDIR:-$HOME}/.zprezto"

To personalize Zsh and Prezto, edit your local ~/.zshrc and ~/.zpreztorc files.

Create a new Zsh configuration by copying the Zsh configuration files provided:

    setopt EXTENDED_GLOB
    for rcfile in "${ZDOTDIR:-$HOME}"/.zprezto/runcoms/^README.md(.N); do
      ln -s "$rcfile" "${ZDOTDIR:-$HOME}/.${rcfile:t}"
    done

Updating

Pull the latest changes and update submodules.

    git pull && git submodule update --init --recursive

Paste my .zshrc and .zpreztorc examples!!

Cursors: https://github.com/sorin-ionescu/prezto/issues/424

SSH keychain for .zshrc, but also the following in .delayed_apps for the keys without a password:

    eval $(keychain --eval --nogui --quiet id_ed25519-nopass id_rsa_key-nopass) &

Issues with CUPS: https://bbs.archlinux.org/viewtopic.php?id=192525 https://bugs.archlinux.org/task/43708

Issue with package keys: pacman-key --refresh-keys

Enable autologin

You can have GDM log directly into your session without prompting for a password (safe since the whole disk is encrypted: the LUKS passphrase typed at boot is then the only gate, so a screen lock still matters while the machine is running).

Edit /etc/gdm/custom.conf:

    # GDM configuration storage
    [daemon]
    AutomaticLogin=alpha
    AutomaticLoginEnable=True

Check if SSD TRIM is working

https://sites.google.com/site/lightrush/random-1/checkiftrimonext4isenabledandworking

http://worldsmostsecret.blogspot.fr/2012/04/how-to-activate-trim-on-luks-encrypted.html

    # sudo dmsetup table /dev/mapper/vgroup

Look for allow_discards at the end of the crypt target line. There is no need to add --showkeys: it prints the volume master key on the terminal and this check does not require it.
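Added example, not part of the original notes: a shell check that reads dmsetup table output and lvm.conf text and reports whether discards can pass the crypt layer (allow_discards) and LVM (issue_discards in the devices section), without needing --showkeys. The dmsetup and lvm.conf text below is constructed sample data; on a real system you would pipe in "dmsetup table" and /etc/lvm/lvm.conf.

```shell
#!/bin/sh
# Added example (not from the original notes): check that TRIM can travel down
# the LUKS + LVM stack described in this guide. All inputs are constructed.

# Constructed "dmsetup table" output (no --showkeys: dmsetup masks the key
# field of crypt targets with zeros, so no secret appears on these lines).
DM_TABLE='vgroup: 0 976510976 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:4 8192 1 allow_discards
vgroup-root: 0 83886080 linear 253:0 2048
vgroup-home: 0 880000000 linear 253:0 83888128'

DM_TABLE_NO_DISCARD='vgroup: 0 976510976 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:4 8192
vgroup-root: 0 83886080 linear 253:0 2048'

# Constructed /etc/lvm/lvm.conf fragments
LVM_CONF_OK='# comment line
devices {
    dir = "/dev"
    issue_discards = 1
}'
LVM_CONF_OFF='devices {
    issue_discards = 0
}
# issue_discards = 1 in a comment does not count'

# crypt_allows_discards "<dmsetup table text>" -> 0 if every crypt target
# carries allow_discards, 1 otherwise. Crypt target layout:
# <name>: <start> <len> crypt <cipher> <key> <iv_off> <dev> <off> [<#opts> <opt>...]
# so the type is field 4 and optional parameters start at field 11.
crypt_allows_discards() {
    printf '%s\n' "$1" | awk '
        $4 == "crypt" {
            seen = 1; ok = 0
            for (i = 11; i <= NF; i++) if ($i == "allow_discards") ok = 1
            if (ok) printf "%s allow_discards set\n", $1
            else { printf "%s crypt target without allow_discards\n", $1; bad = 1 }
        }
        END { if (bad || !seen) exit 1; exit 0 }'
}

# lvm_issues_discards "<lvm.conf text>" -> 0 if "issue_discards = 1" appears
# inside the devices { } section (comments ignored), 1 otherwise.
lvm_issues_discards() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*devices[[:space:]]*[{]/ { in_dev = 1; next }
        in_dev && /^[[:space:]]*[}]/ { in_dev = 0 }
        in_dev { l = $0; gsub(/[[:space:]]/, "", l); if (l == "issue_discards=1") found = 1 }
        END { exit found ? 0 : 1 }'
}

# trim_chain_ok "<dmsetup table>" "<lvm.conf>" -> 0 only when both layers pass
trim_chain_ok() {
    rc=0
    crypt_allows_discards "$1" || rc=1
    if lvm_issues_discards "$2"; then
        echo "lvm.conf: issue_discards = 1 in devices { }"
    else
        echo "lvm.conf: issue_discards is not enabled in devices { }"; rc=1
    fi
    return $rc
}

trim_chain_ok "$DM_TABLE" "$LVM_CONF_OK" || :
trim_chain_ok "$DM_TABLE_NO_DISCARD" "$LVM_CONF_OFF" || :
```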

Enable predictable network interface names

For motherboards that have integrated NICs, it is important to have fixed device name. Many configuration problems are caused by interface name changing.

Udev is responsible for which device gets which name. Systemd v197 introduced Predictable Network Interface Names, which automatically assigns static names to network devices. Interfaces are now prefixed with en (ethernet), wl (WLAN), or ww (WWAN) followed by an automatically generated identifier, creating an entry such as enp0s25.

This behavior may be disabled by adding a symlink:

    # sudo ln -s /dev/null /etc/udev/rules.d/80-net-name-slot.rules

NTP

    # pacman -S ntp
    # systemctl enable ntpd

CUPS

    # pacman -S cups cups-filters cups-pdf system-config-printer-gnome
    # pacman -S foomatic-db foomatic-db-engine foomatic-db-nonfree foomatic-filters

PDF setup: to use cups-pdf, restart cups and visit the cups web interface at http://localhost:631/

You can now add a “Virtual Printer (PDF Printer)” and use the Postscript/Generic postscript color printer driver.

Note that cups-pdf has a configuration file in /etc/cups. The default location for pdf output is /var/spool/cups-pdf/$username.

Disable pc speaker sound

Create /etc/modprobe.d/blacklist.conf with:

    blacklist pcspkr


Backup keys

Save the active device-mapper tables. The --showkeys output contains the volume master key, so protect that file as carefully as the LUKS passphrase:

    # dmsetup table --showkeys
    # dmsetup info -c

Find where the encrypted payload starts, i.e. how many sectors the LUKS header and key slots occupy:

    # cryptsetup luksDump /dev/sda3 | grep "Payload offset"

Note the value (here Payload offset: 4040), then copy exactly that many sectors:

    # dd if=/dev/sda3 of=./backup.img bs=512 count=4040

How do I back up a LUKS header?

While you could just copy the appropriate number of bytes from the start of the LUKS partition, the best way is to use the "luksHeaderBackup" command of cryptsetup. This also protects against errors when non-standard parameters have been used at LUKS partition creation. Example:

    cryptsetup luksHeaderBackup --header-backup-file h /dev/mapper/c1
    cryptsetup luksHeaderBackup --header-backup-file h /dev/sda3

To restore, use the inverse command, i.e.

    cryptsetup luksHeaderRestore --header-backup-file h /dev/mapper/c1

LVM metadata backup:

    vgcfgbackup -f x201-lvm vgroup
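Added example, not part of the original notes: a POSIX shell script that derives the raw header size from "cryptsetup luksDump" output, as the "Payload offset: 4040" note above does, and verifies that a backup image really starts with a LUKS header and is large enough to hold the whole header area. The luksDump text and the backup file are constructed sample data; luksHeaderBackup remains the preferred way to take the backup itself.

```shell
#!/bin/sh
# Added example (not from the original notes): compute the LUKS header size
# from luksDump output and validate a raw header backup. Inputs are constructed.

# Constructed excerpt of "cryptsetup luksDump /dev/sda3" (LUKS1 layout)
LUKS_DUMP='LUKS header information for /dev/sda3

Version:       	1
Cipher name:   	aes
Cipher mode:   	xts-plain64
Hash spec:     	sha512
Payload offset:	4040
MK bits:       	512'

# payload_offset_sectors "<luksDump text>" -> payload offset in 512-byte
# sectors, i.e. how many sectors the header and key slots occupy
payload_offset_sectors() {
    printf '%s\n' "$1" | awk -F: '$1 == "Payload offset" { gsub(/[[:space:]]/, "", $2); print $2; exit }'
}

# raw_backup_command dev img "<luksDump text>" -> the dd command that copies
# exactly the header area (luksHeaderBackup does this more robustly)
raw_backup_command() {
    printf 'dd if=%s of=%s bs=512 count=%s\n' "$1" "$2" "$(payload_offset_sectors "$3")"
}

# is_luks_header file -> 0 if the file starts with the LUKS magic
# ("LUKS" 0xba 0xbe) followed by a big-endian version of 1 or 2
is_luks_header() {
    magic=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        4c554b53babe0001|4c554b53babe0002) return 0 ;;
        *) return 1 ;;
    esac
}

# backup_is_complete file sectors -> 0 if the image is a LUKS header and holds
# at least the whole header area, so a restore would not truncate key slots
backup_is_complete() {
    size=$(wc -c < "$1" | tr -d ' ')
    is_luks_header "$1" && [ "$size" -ge $(( $2 * 512 )) ]
}

# Constructed backup image: LUKS1 magic + version 1, zero-padded to 4040 sectors
TMP=$(mktemp)
{ printf 'LUKS\272\276\000\001'; head -c $(( 4040 * 512 - 8 )) /dev/zero; } > "$TMP"

raw_backup_command /dev/sda3 ./backup.img "$LUKS_DUMP"
if backup_is_complete "$TMP" "$(payload_offset_sectors "$LUKS_DUMP")"; then
    echo "backup image looks like a complete LUKS header"
fi
```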

Restore keys

If you have a live mapping still, you are not lost completely yet. Do not reboot! First run "dmsetup table --showkeys" and "dmsetup info -c" and store the full mapping to some file.

If you see a dm-crypt mapping there mapped to the proper drive, you can still recreate the LUKS header with some magic.

(If you have saved that dmsetup mapping, I'll describe how to save your data - still depends on how much of the fs was overwritten.)

If you want help with that, paste here "dmsetup table" (without using --showkeys, we do not want to see your master key :-). For recovery you will need to know that key, so be sure you have the full table with key stored as written above.

(Table is created according to LUKS header which is lost, so after reboot you are lost completely. BTW Passphrase will not help here at all.) http://www.spinics.net/lists/dm-crypt/msg02914.html https://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions#6._Backup_and_Data_Recovery

UUID: http://www.datadisk.co.uk/html_docs/redhat/rh_lvm.htm https://www.centos.org/docs/5/html/Cluster_Logical_Volume_Manager/mdatarecover.html

To restore the raw header backup taken above:

    # dd if=./backup.img of=/dev/sda3 bs=512 count=4040


Manual LUKS volume

Create a 10MB file-backed LUKS container on a loop device:

    # dd if=/dev/zero of=/bigsecret bs=1M count=10
    # losetup /dev/loop0 /bigsecret
    # cryptsetup luksFormat /dev/loop0
    # cryptsetup luksOpen /dev/loop0 secret

Alternative luksFormat with explicit parameters (note that the aes-xts-plain64 / 512-bit settings used for the system partition above are the stronger choice):

    # cryptsetup luksFormat -c cast5-cbc-plain -s 128 -h sha256 /dev/$DEVICE

Format:

    # mkfs.ext2 /dev/mapper/secret

Mount:

    # mkdir /mnt/secret
    # mount -t ext2 /dev/mapper/secret /mnt/secret

Unmount:

    # umount /mnt/secret
    # cryptsetup luksClose secret
    # losetup -d /dev/loop0   # free the loop device

Remount:

    # losetup /dev/loop0 /bigsecret
    # cryptsetup luksOpen /dev/loop0 secret
    # mount -t ext2 /dev/mapper/secret /mnt/secret


Remove guake title

    # gconf-editor

and disable the key /apps/guake/general/use_vte_titles.

Fix Nautilus sort

http://www.subdude-site.com/WebPages_Local/RefInfo/Computer/Linux/LinuxGuidesByBlaze/Nautilus_Guide/NautilusGuideBlaze.htm#grp_NautilusSort

Create or edit ~/.gnomerc and add:

    #export LC_COLLATE=C

(that was the original post), replaced by:

    #export LC_COLLATE="fr_FR.UTF-8"

IMPORTANT NOTE: You must make the .gnomerc file executable before restarting your computer. You can use a command like:

    chmod 755 .gnomerc

or

    chmod 700 .gnomerc

https://bbs.archlinux.org/viewtopic.php?pid=1081952

In the end I got it working with /etc/locale.conf:

    LANG=fr_FR.UTF-8
    #LC_COLLATE="C"
    LC_COLLATE="fr_FR.UTF-8"

and adding/modifying the following in ~/.zshrc.local:

    export LC_ALL="fr_FR.UTF-8"
    #export LC_COLLATE="C"
    export LC_COLLATE="fr_FR.UTF-8"

CUPS

    # systemctl enable cups.service

CUPS PDF

PDF virtual printer

CUPS-PDF is a nice package that allows one to setup a virtual printer that will generate a PDF from anything sent to it. Obviously this package is not necessary, but it can be quite useful.

Find generated PDF documents in a sub-directory located at /var/spool/cups-pdf. Normally, the subdirectory is named after the user who performed the job. A little tweak helps you to find your printed PDF documents more easily. Edit /etc/cups/cups-pdf.conf by changing the line

    #Out /var/spool/cups-pdf/${USER}

to

    Out /home/${USER}

This package can be installed by the following command:

    pacman -S cups-pdf

After installing the package, set it up as if it were for any other printer by using the web interface. For the Device, select CUPS-PDF (Virtual PDF Printer); Make/Manufacturer, choose Generic; Model/Driver, select Generic postscript color printer or Generic Cups-PDF Printer.

Quality sucks!

Cron

Not enabled by default

    # systemctl enable cronie.service

Journal

Since version 38, systemd has its own logging system, the journal. Therefore, running a syslog daemon is no longer required. To read the log, use:

    # journalctl

By default (when Storage= is set to auto in /etc/systemd/journald.conf), the journal writes to /var/log/journal/. If the directory /var/log/journal/ does not exist (e.g. if you or some program deletes it), systemd will not create it automatically, but instead write its logs to /run/systemd/journal. This means that logs will be lost on reboot.

On a default installation it appears to use /var/log/journal.

Disable IPV6

Adding ipv6.disable=1 to the kernel line disables the whole IPv6 stack, which is likely what you want if you are experiencing issues. See Kernel parameters for more information.

Cryptostick & Gnome

  • Disabled gnome-keyring in gnome-session-properties

  • disable gpg-agent in ~/.gnupg.conf

  • create /etc/profile.d/gpg-agent.sh

    #!/bin/sh

    envfile="${HOME}/.gnupg/gpg-agent.env"
    # reuse the running agent if its env file is still valid, otherwise start a new one
    if test -f "$envfile" && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
        eval "$(cat "$envfile")"
    else
        # eval "$(gpg-agent --daemon --write-env-file "$envfile")"    # variant without SSH agent support
        eval "$(gpg-agent --daemon --enable-ssh-support --write-env-file "$envfile")"
    fi
    export GPG_AGENT_INFO    # the env file does not contain the export statement

    chmod +x /etc/profile.d/gpg-agent.sh

  • create /etc/udev/rules.d/40-cryptostick.rules

    # do not edit this file, it will be overwritten on update
    SUBSYSTEM!="usb", GOTO="cryptostick_rules_end"
    ACTION!="add", GOTO="cryptostick_rules_end"

    ATTR{idVendor}=="20a0", ATTR{idProduct}=="4107", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"

    LABEL="cryptostick_rules_end"

issues with i915

removed

    echo 0 > /sys/module/i915/parameters/i915_enable_rc6
    echo 0 > /sys/module/i915/parameters/i915_enable_fbc
    echo 0 > /sys/module/i915/parameters/powersave

from /usr/bin/powersave

Added i915 in /etc/mkinitcpio.conf and created /etc/modprobe.d/i915.conf:

    options i915 i915_enable_rc6=1
    options i915 i915_enable_fbc=1
    options i915 lvds_downclock=1

Removed from grub default.

Apparently, if i915 is in mkinitcpio.conf, its options can no longer be set afterwards, only via i915.conf (to be investigated).

in case of duplicate vgroup, rename

    vgs -v
    vgrename UUID new-vgroup-name

macchanger on boot: /etc/systemd/system/macspoof@.service

    [Unit]
    Description=macchanger on %I
    Before=NetworkManager.service
    After=sys-subsystem-net-devices-%I.device

    [Service]
    ExecStart=/usr/bin/macchanger -r %I
    Type=oneshot

    [Install]
    WantedBy=multi-user.target

Then enable for each network interface (the template is systemctl enable macspoof@ with the interface name appended):

    sudo systemctl enable macspoof@enp0s25
    sudo systemctl enable macspoof@wlp3s0

dns cache + dns encrypt

    pacman -S dnsmasq dnscrypt-proxy

/etc/dnsmasq.conf:

    no-resolv
    server=127.0.0.1#40
    listen-address=127.0.0.1
    proxy-dnssec
    domain-needed
    bogus-priv
    dns-forward-max=150
    cache-size=1000
    no-negcache

Restart dnsmasq.service to apply the changes.

Enable on boot:

    systemctl enable dnsmasq.service

/etc/NetworkManager/NetworkManager.conf:

    [main]
    plugins=keyfile
    dhcp=dhclient
    dns=default
    #dns=dnsmasq

    ## Set static hostname
    #[keyfile]
    #hostname=foobar

    ## HTTP-based connectivity check
    #[connectivity]
    #uri=http://nmcheck.gnome.org/check_network_status.txt
    #interval=100

Then run:

    # systemctl edit dnscrypt-proxy.socket

and override the listening addresses (the empty assignments clear the defaults, so the socket is bound to loopback port 40 only):

    [Socket]
    ListenStream=
    ListenDatagram=
    ListenStream=127.0.0.1:40
    ListenDatagram=127.0.0.1:40

Then restart dnscrypt-proxy.socket and stop dnscrypt-proxy.service if already running to let it be started by the .socket unit.

Enable on boot:

    systemctl enable dnscrypt-proxy.socket 

Create and lock down /etc/resolv.conf:

    echo "nameserver 127.0.0.1" > /etc/resolv.conf
    chattr +i /etc/resolv.conf

Scripts to enable dnscrypt & auto

~/dns-auto.sh:

    #!/bin/sh
    sudo systemctl stop NetworkManager.service
    sleep 1
    sudo nmcli networking off
    sleep 1
    sudo chattr -i /etc/resolv.conf
    sudo rm /etc/resolv.conf
    sudo systemctl start NetworkManager.service
    sleep 1
    sudo nmcli networking on
    sleep 1

Then change mode: chmod +x dns-auto.sh

~/dns-dnscrypt.sh:

    #!/bin/sh
    sudo systemctl stop NetworkManager.service
    sleep 1
    sudo nmcli networking off
    sleep 1
    sudo chattr -i /etc/resolv.conf
    sudo sh -c "echo nameserver 127.0.0.1 > /etc/resolv.conf"
    sudo chattr +i /etc/resolv.conf
    sudo systemctl start NetworkManager.service
    sleep 1
    sudo nmcli networking on

Then change mode: chmod +x dns-dnscrypt.sh

To make sure resolv.conf is the right one on boot (and also locked down), create /etc/systemd/system/dnscrypt-reset.service:

    [Unit]
    Description=Reset /etc/resolv.conf and lock it
    After=NetworkManager.service

    [Service]
    ExecStart=/home/alpha/dns-dnscrypt.sh
    Type=oneshot

    [Install]
    WantedBy=multi-user.target

Enable on boot:

    systemctl enable dnscrypt-reset.service 

Change default server (resolver name, e.g. soltysiak or dnscrypt.eu-dk):

    systemctl edit dnscrypt-proxy.service --full
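The following check is an added example, not part of the original notes: given a dnsmasq.conf and a resolv.conf (passed as arguments, so copies of the files can be tested), it confirms the chain set up above, i.e. dnsmasq bound to loopback with no-resolv set and every server= pointing at dnscrypt-proxy on 127.0.0.1#40, and resolv.conf naming only 127.0.0.1, so that no query bypasses the encrypted hop.

```shell
#!/bin/sh
# Verify the dnsmasq -> dnscrypt-proxy resolver chain from the notes above.

check_dnsmasq_conf() {
    conf="$1"; rc=0
    # dnsmasq must not pick upstreams from /etc/resolv.conf ...
    grep -qx 'no-resolv' "$conf" || { echo "$conf: missing no-resolv"; rc=1; }
    # ... and must only answer on loopback
    grep -qx 'listen-address=127.0.0.1' "$conf" \
        || { echo "$conf: listen-address is not 127.0.0.1"; rc=1; }
    # every server= line has to be the local dnscrypt-proxy socket on port 40
    for s in $(sed -n 's/^server=//p' "$conf"); do
        case "$s" in
            "127.0.0.1#40") ;;
            *) echo "$conf: upstream $s bypasses dnscrypt-proxy"; rc=1 ;;
        esac
    done
    return $rc
}

check_resolv_conf() {
    conf="$1"; rc=0; seen=0
    # only blanks, comments and a single 'nameserver 127.0.0.1' are acceptable
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) ;;
            'nameserver 127.0.0.1') seen=1 ;;
            nameserver*) echo "$conf: extra resolver '$line' leaks queries"; rc=1 ;;
            *) echo "$conf: unexpected line '$line'"; rc=1 ;;
        esac
    done < "$conf"
    [ "$seen" = 1 ] || { echo "$conf: does not point at 127.0.0.1"; rc=1; }
    return $rc
}

check_dns_chain() {
    check_dnsmasq_conf "$1" && check_resolv_conf "$2"
}

# usage: sh check-dns-chain.sh /etc/dnsmasq.conf /etc/resolv.conf
if [ $# -eq 2 ]; then
    check_dns_chain "$1" "$2" && echo "DNS chain OK"
fi
```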

TRIM test: https://unix.stackexchange.com/questions/85865/trim-with-lvm-and-dm-crypt/85880#85880

This is just a script I would like to share if some lazy person comes here. It was made out of the accepted answer from frostschutz. http://unix.stackexchange.com/a/85880/6661
