This tutorial will guide you through installing ArchLinux on a GPT-partitioned SSD using GRUB2 on a BIOS-enabled PC (see the Wiki for EFI), combining LUKS (encryption) and LVM. It is not aimed to replace the official ArchLinux installation guide or Wiki. It is just a collection of notes gathered from the official sources. As a reminder, the Installation Guide can now also be found on the USB flash drive under /root/install.txt.
Once you have installed your system please make sure to consult my emergency instructions for accessing your encrypted data with a LiveCD USB Flash drive and also perform seamless upgrades using LVM snapshots.
Pre-Installation Steps
Securely wipe SSD
Fill the new drive with random data using a working Linux system:
# dd if=/dev/urandom of=/dev/sda iflag=nocache oflag=direct bs=4096
This operation takes a long time (eg. 8 hours for a 500GB SSD).
Prepare USB Flash drive
Based upon 2017.01.01 ISO image or later from http://www.archlinux.org/download.
# dd if=/dev/zero of=/dev/sdx bs=1k count=1
# dd if=archlinux-xxxxx.iso of=/dev/sdx
Replace sdx by your thumbdrive reference.
Boot from USB Flash drive
Go into the BIOS menu and make sure to disable UEFI or enable legacy BIOS as default, then boot and select x86_64 (or i686 if you want to stay with the i686 architecture, max. 3GB RAM). If you see UEFI in the boot menu, it is likely that your system is set up for UEFI boot only.
Change keyboard layout
# loadkeys fr
Get IP address
The Archlinux boot CD starts the network and gets an IP address via DHCP. You can check that you have obtained an IP address with:
# ip addr
In case your IP address was not automatically set up, you can use:
# dhcpcd
It is also possible to use manual IP or wifi. Please refer to the official wiki for proper instructions.
Configure drive, block devices and encrypted filesystems
Identify the devices
The first step is to identify the devices where the new system will be installed. The following command will show all the available devices:
# lsblk
Manually partition the SSD
# gdisk /dev/sda
Remove old partitions then create the following partitions:
- Enter n,1,[Enter],2M, EF02. This is the first partition (2MB) with type EF02 (BIOS partition) and used by GRUB2/BIOS-GPT. (/dev/sda1).
- Enter n,2,[Enter],256M,8300. Second partition (256MB) with type 8300 (Linux) holds unencrypted /boot as well as backup copies of /boot between system upgrades. (/dev/sda2)
- Enter n,3,[Enter],3G,8200. Third partition (3GB) with type 8200 (swap) is our optional swap partition that will be encrypted with random key but not part of lvm. (/dev/sda3)
- Enter n,4,[Enter],[Enter]. Fourth partition occupies the remaining space with a type 8E00 (LVM). It will store the encrypted LVM for /, /home and snapshots (/dev/sda4)
- Enter p to verify the above configuration
- Enter w,Y
If you don’t want the hassle of a separate, self-encrypted swap, you can always set up an LVM volume for it instead.
Prepare encrypted LUKS space
We need to align, enable TRIM and use the right payload for SSD.
# cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --align-payload=8192 luksFormat /dev/sda4
# cryptsetup luksOpen --allow-discards /dev/sda4 enc-lvm
While we will be enabling TRIM at different stages we won’t activate the discard option for mounting the different partitions but rather use weekly fstrim checks. The iter-time at 5000 means it will take up to 5s to check the password hash.
Setup LVM space
20GB for root is usually enough but if you start installing large packages such as TeX or others it can become too small over time. Therefore 40GB gives some room. We don’t setup swap inside LVM but keep it outside with its own random key per reboot. For the home directory we don’t use all remaining space but save some spare space for snapshots.
# lvm pvcreate --dataalignment 4M /dev/mapper/enc-lvm
# lvm vgcreate vgroup /dev/mapper/enc-lvm
# lvm lvcreate -L 40GB -n root vgroup
# lvm lvcreate -l 95%free -n home vgroup
Run vgdisplay to see the remaining space left for snapshots. If it is not what you want, remove the home volume and recreate it with a different percentage:
# lvremove /dev/mapper/vgroup-home
# lvm lvcreate -l 97%free -n home vgroup
Format /boot, /root and /home
# mkfs.ext2 /dev/sda2
# mkfs.xfs /dev/mapper/vgroup-root
# mkfs.xfs /dev/mapper/vgroup-home
ext4 was the filesystem of choice in the previous installation guide. Since I’m using XFS now on my NAS I thought it would make sense to use XFS here too especially with the latest developments including metadata checksums that are enabled by default.
Get 5% space back from /home partition (if using EXT4)
If you selected ext4 instead of XFS for /home you can gain 5% of space back since this is typically used on root partition as a safeguard when the disk gets full.
On a non-root partition this reserved space can be easily and safely reclaimed with the following command.
# tune2fs -m 0 /dev/mapper/vgroup-home
Mount the partitions
# mount /dev/mapper/vgroup-root /mnt
# mkdir /mnt/boot
# mount /dev/sda2 /mnt/boot
# mkdir /mnt/home
# mount /dev/mapper/vgroup-home /mnt/home
Install the base system
Select installation mirror
ftp.archlinux.org is throttled to 50KB/s.
Before installing, you may want to edit /etc/pacman.d/mirrorlist such that your preferred mirror is first. This copy of the mirrorlist will be installed on your new system by pacstrap as well, so it’s worth getting it right.
Perform system installation
# pacstrap /mnt base base-devel
Install a bootloader
The following will install GRUB2. If you want EFI please refer to the official Wiki.
# pacstrap /mnt grub-bios
Generate fstab for the new disk scheme
Generate a fstab file with the following command. UUIDs will be used because they have certain advantages (see official wiki). If you would prefer to use labels instead, replace the -U option with -L. Note: If you encounter errors running genfstab or later in the install process, do not run genfstab again; just edit the fstab file.
# genfstab -U -p /mnt >> /mnt/etc/fstab
Setup mount Flags
When using an SSD it’s important to disable the access-time updates (atime) that shorten the SSD’s lifetime. Edit the /mnt/etc/fstab generated above to reflect the following changes:
UUID=XXX-YYY-ZZZ / xfs rw,noatime,attr2,inode64,noquota 0 1
UUID=TTT-UUU-VVV /boot ext2 rw,noatime 0 2
UUID=PPP-QQQ-RRR /home xfs rw,noatime,attr2,inode64,noquota 0 2
Enable TRIM support on LVM
We have to enable the option issue_discards in the LVM configuration. Edit /mnt/etc/lvm/lvm.conf
# [...]
devices {
# [...]
issue_discards = 1
# [...]
}
# [...]
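The two SSD settings above (noatime in /mnt/etc/fstab and issue_discards in /mnt/etc/lvm/lvm.conf) are easy to get wrong by hand, so here is an added check script that is not part of the original notes. It parses both files and reports entries that still lack the setting; the fstab and lvm.conf contents at the bottom are constructed samples, and the file paths are arguments so the same functions can be pointed at the real files in the chroot.

```shell
#!/bin/sh
# Added example (not from the original notes): audit noatime in fstab and
# issue_discards in lvm.conf. Paths are arguments; samples below are constructed.

# fstab_missing_noatime FILE
# Prints the mount point of every xfs/ext* entry whose options lack noatime.
# Swap entries, comments and blank lines are ignored.
fstab_missing_noatime() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
    while read -r fs dir type options dump pass; do
        case "$type" in
            xfs|ext2|ext3|ext4) ;;
            *) continue ;;
        esac
        case ",$options," in
            *,noatime,*) ;;
            *) printf '%s\n' "$dir" ;;
        esac
    done
}

# fstab_noatime_ok FILE -> 0 when every real filesystem entry has noatime
fstab_noatime_ok() {
    [ -z "$(fstab_missing_noatime "$1")" ]
}

# lvm_issue_discards FILE -> prints the effective issue_discards value found
# inside the devices { } block (0 when unset); commented lines are skipped.
lvm_issue_discards() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*devices[ \t]*[{]/ { indev = 1 }
        indev && /^[ \t]*issue_discards[ \t]*=/ {
            sub(/.*=[ \t]*/, ""); sub(/[ \t#].*/, ""); val = $0
        }
        indev && /^[ \t]*[}]/ { indev = 0 }
        END { print (val == "" ? 0 : val) }
    ' "$1"
}

# --- demo on constructed samples (not a real system) ---
fstab=$(mktemp); lvmconf=$(mktemp)
cat > "$fstab" <<'EOF'
# <file system> <dir> <type> <options> <dump> <pass>
UUID=XXX-YYY-ZZZ /     xfs  rw,noatime,attr2,inode64,noquota 0 1
UUID=TTT-UUU-VVV /boot ext2 rw,relatime                      0 2
UUID=PPP-QQQ-RRR /home xfs  rw,noatime,attr2,inode64,noquota 0 2
/dev/mapper/cryptswap none swap defaults 0 0
EOF
cat > "$lvmconf" <<'EOF'
devices {
    # issue_discards = 0
    issue_discards = 1
}
EOF
echo "fstab entries missing noatime: $(fstab_missing_noatime "$fstab" | tr '\n' ' ')"
echo "lvm.conf issue_discards: $(lvm_issue_discards "$lvmconf")"
rm -f "$fstab" "$lvmconf"
```

Run it as `sh ssd-audit.sh` on the live system; against a real chroot call `fstab_missing_noatime /mnt/etc/fstab` and `lvm_issue_discards /mnt/etc/lvm/lvm.conf`. The sample flags /boot, which still carries the default relatime, and reports issue_discards as 1 because the commented-out line is ignored.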
Configure the newly installed system
Chroot into the installed system
# arch-chroot /mnt /bin/bash
Set root password
Set a root password with:
# passwd
Set hostname
Add your hostname in /etc/hostname.
myhostname
Set it to your liking. This is the name of your computer.
Add also your hostname in /etc/hosts, coinciding with the one specified in /etc/hostname as an alias, so that it looks like this:
127.0.0.1 localhost.localdomain localhost myhostname
::1 localhost.localdomain localhost myhostname
Note: ::1 is the IPv6 equivalent of 127.0.0.1
Configure console fonts and keymap
Set keymap and font name in /etc/vconsole.conf.
KEYMAP=fr
FONT=
FONT_MAP=
- KEYMAP: the available keymaps are in /usr/share/kbd/keymaps. Please note that this setting is only valid for your TTYs, not any graphical window managers or X.
- FONT: available alternate console fonts reside in /usr/share/kbd/consolefonts/. The default (blank) is safe.
- FONT_MAP: defines the console map to load with the setfont program at boot. Possible maps are found in /usr/share/kbd/consoletrans, if needed. The default (blank) is safe.
Setup time
Select a time zone:
# tzselect
Available time zones and subzones can also be found in the /usr/share/zoneinfo/
Setup a timezone
Edit the file /etc/timezone and write your Zone/Subzone. Example:
Europe/Paris
Additionally, create a symbolic link /etc/localtime pointing to the same zone under /usr/share/zoneinfo/
# ln -s /usr/share/zoneinfo/Europe/Paris /etc/localtime
Adjust time skew
It is recommended to adjust the time skew, and set the time standard to UTC:
# hwclock --systohc --utc
Locale
Enable locales
Edit /etc/locale.gen and uncomment:
en_US.UTF-8 UTF-8
fr_FR.UTF-8 UTF-8
fr_FR ISO-8859-15
fr_FR@euro ISO-8859-15
Generate locales
# locale-gen
Setting up system-wide locale
Add your language to /etc/locale.conf.
LANG=fr_FR.UTF-8
LC_COLLATE="fr_FR.UTF-8"
Export current language for initramfs creation
We will be adding the keymap hook to mkinitcpio.conf, therefore the LANG environment variable needs to be set.
# export LANG=fr_FR.UTF-8
Configure the network
If not using DHCP or network manager, please see wiki for rc.conf configuration.
Prepare initramfs and bootloader
Prepare the initramfs build
Add keymap to the initramfs for a non-US keyboard on boot, keyboard for USB keyboard support on boot, and encrypt and lvm2 for accessing our encrypted space.
Edit /etc/mkinitcpio.conf to add required hooks for encryption, keyboard and LVM.
HOOKS="base udev autodetect modconf block keyboard keymap encrypt lvm2 filesystems fsck"
Also add the required video driver for early display setup. For example for integrated Intel graphic card:
MODULES="i915"
Create an initial ramdisk environment
# mkinitcpio -p linux
Configure the bootloader
Install GRUB2 to the SSD
# grub-install --recheck /dev/sda
Add SSD TRIM and encryption support
We need to allow discards in grub even if we only use the fstrim utility instead of the discard mount option. Edit /etc/default/grub and change with:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda4:vgroup:allow-discards"
If you happen to have multiple SATA drives in your system, you might need to use the UUID instead of the device path. Get the UUID of /dev/sda4 by using
# blkid /dev/sda4
And then replace cryptdevice=/dev/sda4 by cryptdevice=/dev/disk/by-uuid/wwww-xxxx-yyyy-zzzz
Generate GRUB2 configuration
# grub-mkconfig -o /boot/grub/grub.cfg
Some warnings will pop up but that’s ok. Next time you regenerate the grub configuration, the warnings should be gone.
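Before rebooting, two things from the initramfs and bootloader steps above are worth checking mechanically: that the HOOKS line keeps keyboard/keymap before encrypt and encrypt before lvm2, and that the cryptdevice= argument has been rewritten to the /dev/disk/by-uuid form. The following is an added example, not part of the original notes; the HOOKS strings and the blkid line it uses are constructed samples, and the UUID is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original notes): sanity checks for the
# mkinitcpio HOOKS order and the GRUB cryptdevice= rewrite. All inputs are
# arguments; the sample values at the bottom are constructed.

# hooks_from_conf FILE -> the value of the HOOKS= line (quoted or array form)
hooks_from_conf() {
    sed -n 's/^HOOKS=[("]\(.*\)[")][[:space:]]*$/\1/p' "$1" | head -n 1
}

# hooks_order_ok "HOOKS value"
# 0 when keyboard, keymap, encrypt, lvm2 and filesystems are all present in
# that order: keyboard/keymap before encrypt so the passphrase can be typed,
# encrypt before lvm2 so the volume group inside the LUKS container can be
# activated, and filesystems after both.
hooks_order_ok() {
    prev=0
    for h in keyboard keymap encrypt lvm2 filesystems; do
        pos=$(printf '%s\n' "$1" | tr ' ' '\n' | grep -n -x "$h" | head -n 1 | cut -d: -f1)
        if [ -z "$pos" ]; then
            printf 'missing hook: %s\n' "$h" >&2; return 1
        fi
        if [ "$pos" -le "$prev" ]; then
            printf 'hook %s must come later in HOOKS\n' "$h" >&2; return 1
        fi
        prev=$pos
    done
}

# cryptdevice_by_uuid "blkid line" "GRUB_CMDLINE_LINUX value"
# Rewrites cryptdevice=/dev/sdXN:... to /dev/disk/by-uuid/<UUID>:..., which
# stays valid when extra SATA drives change the enumeration order.
cryptdevice_by_uuid() {
    dev=${1%%:*}                       # "/dev/sda4" before the first colon
    uuid=$(printf '%s\n' "$1" | sed -n 's/.*[[:space:]]UUID="\([^"]*\)".*/\1/p')
    if [ -z "$uuid" ]; then
        printf 'no UUID in blkid output\n' >&2; return 1
    fi
    printf '%s\n' "$2" | sed "s|cryptdevice=$dev:|cryptdevice=/dev/disk/by-uuid/$uuid:|"
}

# --- demo on constructed input ---
hooks="base udev autodetect modconf block keyboard keymap encrypt lvm2 filesystems fsck"
hooks_order_ok "$hooks" && echo "HOOKS order: ok"
hooks_order_ok "base udev block lvm2 encrypt filesystems" || echo "HOOKS order: rejected (bad sample)"
# constructed blkid line with a placeholder UUID
blkid_line='/dev/sda4: UUID="0a1b2c3d-1111-2222-3333-444455556666" TYPE="crypto_LUKS"'
cryptdevice_by_uuid "$blkid_line" "cryptdevice=/dev/sda4:vgroup:allow-discards"
```

On the installed system the same functions can be fed real data: `hooks_order_ok "$(hooks_from_conf /etc/mkinitcpio.conf)"` and `cryptdevice_by_uuid "$(blkid /dev/sda4)" "$current_cmdline"`; the printed value is what to put in GRUB_CMDLINE_LINUX before running grub-mkconfig again.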
Time to reboot into your freshly installed system
Unmount the partitions
If you are still in the chroot environment then type exit or Ctrl+D in order to exit chroot. Since the partitions are mounted under /mnt, we use the following command to unmount them.
# exit
# umount /mnt/boot
# umount /mnt/home
# umount /mnt
Reboot
Execute the following command and remove the installation media.
# reboot
Post Installation Steps
Start network
# dhcpcd eth0
Setup swap space
One can place a swap partition on an SSD. Note that most modern desktops with an excess of 2 Gigs of memory rarely use swap at all. The notable exception is systems which make use of the hibernate feature.
Enable encrypted swap with random key but without suspend-to-disk support
It is very dangerous to use crypttab swap with /dev/sdx3 or even /dev/disk/by-id/ata-SERIAL-partX. A small change in your device names or partitioning layout and /etc/crypttab will see your valuable data formatted on the next boot. It is more reliable to identify the correct partition by giving it a UUID or LABEL. By default that does not work because dm-crypt and mkswap would simply overwrite any content on that partition; however, it is possible to specify an offset. This allows you to create a very small, empty, bogus filesystem (with no other purpose than providing a UUID or LABEL), which survives the swap encryptions.
Create a filesystem with label of your choice:
# mkfs.ext2 -L cryptswap /dev/sda3 1M
The unusual parameter after the device name limits the filesystem size to 1 MiB.
# blkid /dev/sda3
/dev/sda3: LABEL="cryptswap" UUID="b72c384e-bd3c-49aa-b7a7-a28ea81a2605" TYPE="ext2"
With this, /dev/sda3 now can easily be identified either by UUID or LABEL, regardless of how its device name or even partition number might change in the future. All that’s left is the /etc/crypttab and /etc/fstab entries:
/etc/crypttab
# <name> <device> <password> <options>
cryptswap LABEL=cryptswap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=512,hash=sha512
Note the offset: it’s 2048 sectors of 512 bytes, thus 1 MiB. This way the filesystem LABEL/UUID remains intact, and data alignment works out as well.
Why /dev/urandom and not /dev/random? The latter blocks until it has gathered enough entropy to continue; urandom doesn’t. So if you use random instead of urandom you might have to wait during boot until enough entropy is collected. (It does help to type on your keyboard and move the mouse.) Use /dev/random if you’re really paranoid.
/etc/fstab
# <filesystem> <dir> <type> <options> <dump> <pass>
/dev/mapper/cryptswap none swap defaults 0 0
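The warning above about random-key swap entries keyed on a bare device path is easy to check for. Here is an added audit script, not part of the original notes, that classifies each crypttab entry: a random-key swap must be identified by LABEL= or UUID= and carry an offset= so the tiny identifying filesystem survives, anything else is flagged. The crypttab it runs on is constructed for the demo (the UUID is the one from the blkid output above).

```shell
#!/bin/sh
# Added example (not from the original notes): audit crypttab entries for
# the device-naming pitfall. A random-key swap is re-created on every boot,
# so a plain /dev/sdX3 or by-id ...-partX device column formats whatever
# ends up under that name. The sample crypttab below is constructed.

# classify_crypttab_entry NAME DEVICE PASSWORD OPTIONS
# Prints "OK <name>" or "RISK <name>: <reason>"; returns 1 on RISK.
# Only random-key swap entries are judged; everything else passes.
classify_crypttab_entry() {
    name=$1; device=$2; password=$3; options=$4
    case "$password" in
        /dev/urandom|/dev/random) ;;
        *) printf 'OK %s (keyed entry, not judged)\n' "$name"; return 0 ;;
    esac
    case ",$options," in
        *,swap,*) ;;
        *) printf 'OK %s (random key but not swap, not judged)\n' "$name"; return 0 ;;
    esac
    case "$device" in
        LABEL=*|UUID=*)
            case ",$options," in
                *,offset=*)
                    printf 'OK %s\n' "$name"; return 0 ;;
                *)
                    printf 'RISK %s: LABEL/UUID without offset= (mkswap erases the identifying filesystem)\n' "$name"; return 1 ;;
            esac ;;
        *)
            printf 'RISK %s: device path %s can change between boots\n' "$name" "$device"; return 1 ;;
    esac
}

# audit_crypttab FILE -> one result line per entry (comments/blank lines skipped)
audit_crypttab() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
    while read -r name device password options; do
        classify_crypttab_entry "$name" "$device" "$password" "$options" || true
    done
}

# audit_crypttab_passes FILE -> 0 only when no entry was flagged RISK
audit_crypttab_passes() {
    ! audit_crypttab "$1" | grep -q '^RISK'
}

# --- demo on a constructed crypttab ---
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <name>   <device>          <password>    <options>
cryptswap  LABEL=cryptswap   /dev/urandom  swap,offset=2048,cipher=aes-xts-plain64,size=512,hash=sha512
oldswap    /dev/sda3         /dev/urandom  swap,cipher=aes-xts-plain64,size=512
nooffset   UUID=b72c384e-bd3c-49aa-b7a7-a28ea81a2605  /dev/urandom  swap,cipher=aes-xts-plain64,size=512
EOF
audit_crypttab "$sample"
audit_crypttab_passes "$sample" || echo "crypttab needs attention"
rm -f "$sample"
```

Against the real file run `audit_crypttab /etc/crypttab`; only the cryptswap line in the shape given above comes back OK, the other two sample lines are flagged.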
Change swap space behavior
The following is a recommended tweak for SSDs using a swap partition; it reduces the “swappiness” of the system and thus avoids writes to swap.
/etc/sysctl.d/99-sysctl.conf
vm.swappiness=1
vm.vfs_cache_pressure=50
Reboot
Check
# cat /proc/sys/vm/swappiness
Enable periodic TRIM operation
Since we haven’t enabled discards on mountpoints we need to perform trim operations on a regular basis.
The util-linux package (part of base and base-devel) provides fstrim.service and fstrim.timer systemd unit files. Enabling the timer will activate the service weekly, which will then trim all mounted filesystems on devices that support the discard operation. The timer relies on the timestamp of /var/lib/systemd/timers/stamp-fstrim.timer (which it will create upon first invocation) to know whether a week has elapsed since it last ran.
# systemctl enable fstrim.timer
Therefore there is no need to worry about too frequent invocations, in an anacron-like fashion. It is also possible to query the units activity and status using standard journalctl and systemctl status commands:
# journalctl -u fstrim
# systemctl status fstrim
Change I/O scheduler for SSD
Both noop and deadline are recommended for SSD operation. We will stick to deadline for SSDs and CFQ for hard drives.
To do this, create and edit a file in /etc/udev/rules.d named something like ‘60-schedulers.rules’. In the file include the following:
# set deadline scheduler for non-rotating disks
ACTION=="add|change", KERNEL=="sd[a-z]", TEST!="queue/rotational", ATTR{queue/scheduler}="deadline"
ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="deadline"
# set cfq scheduler for rotating disks
ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="1", ATTR{queue/scheduler}="cfq"
Of course, set deadline/cfq to the desired schedulers. Changes should occur upon next boot. To check success of the new rule:
# cat /sys/block/sdX/queue/scheduler #where X is the device in question
Note: Keep in mind cfq is the default scheduler, so the second rule with the standard kernel is not actually necessary. Also, in the example sixty is chosen because that is the number udev uses for its own persistent naming rules. Thus, it would seem that block devices are at this point able to be modified and this is a safe position for this particular rule. But the rule can be named anything so long as it ends in ‘.rules’. (Credit: falconindy and w0ng for posting on his blog)
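The check above (reading /sys/block/sdX/queue/scheduler) can be automated across all disks by comparing each device's rotational flag with the scheduler the kernel marks in brackets. The following is an added example, not part of the original notes; it takes the sysfs root as an argument so it runs against the constructed directory tree at the bottom as well as the real /sys.

```shell
#!/bin/sh
# Added example (not from the original notes): verify that the udev scheduler
# rule took effect. The sysfs root is an argument; the tree built below is a
# constructed stand-in for /sys, not a real machine.

# active_scheduler "noop [deadline] cfq" -> deadline
# The kernel marks the active scheduler with brackets in queue/scheduler.
active_scheduler() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([^]]*\)\].*/\1/p'
}

# expected_scheduler ROTATIONAL -> the scheduler the rule above assigns
expected_scheduler() {
    case "$1" in
        0) echo deadline ;;   # non-rotating (SSD)
        1) echo cfq ;;        # rotating disk
        *) echo unknown ;;
    esac
}

# check_schedulers SYSROOT
# One line per sd* device: "<dev> rotational=<r> active=<s> expected=<e> OK|MISMATCH".
# Returns 1 if any device is not on the expected scheduler.
check_schedulers() {
    bad=0
    for q in "$1"/block/sd*/queue; do
        [ -d "$q" ] || continue
        dev=$(basename "$(dirname "$q")")
        rot=$(cat "$q/rotational")
        active=$(active_scheduler "$(cat "$q/scheduler")")
        want=$(expected_scheduler "$rot")
        if [ "$active" = "$want" ]; then verdict=OK; else verdict=MISMATCH; bad=1; fi
        printf '%s rotational=%s active=%s expected=%s %s\n' "$dev" "$rot" "$active" "$want" "$verdict"
    done
    return $bad
}

# --- constructed sysfs tree: sda SSD on deadline, sdb HDD on cfq, sdc SSD left on noop ---
root=$(mktemp -d)
for d in sda sdb sdc; do mkdir -p "$root/block/$d/queue"; done
echo 0 > "$root/block/sda/queue/rotational"; echo 'noop [deadline] cfq' > "$root/block/sda/queue/scheduler"
echo 1 > "$root/block/sdb/queue/rotational"; echo 'noop deadline [cfq]' > "$root/block/sdb/queue/scheduler"
echo 0 > "$root/block/sdc/queue/rotational"; echo '[noop] deadline cfq' > "$root/block/sdc/queue/scheduler"
check_schedulers "$root" || echo "at least one device is not on the expected scheduler"
rm -rf "$root"
```

On the real system call `check_schedulers /sys` after the reboot that applies the rule; a MISMATCH line means the rule did not match that device (check the KERNEL== pattern and the rule file name).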
Resolving NCQ errors
Some SSDs and SATA chipsets do not work properly with Linux Native Command Queueing (NCQ). The tell-tale dmesg errors look like this:
[ 9.115544] ata9: exception Emask 0x0 SAct 0xf SErr 0x0 action 0x10 frozen
[ 9.115550] ata9.00: failed command: READ FPDMA QUEUED
[ 9.115556] ata9.00: cmd 60/04:00:d4:82:85/00:00:1f:00:00/40 tag 0 ncq 2048 in
[ 9.115557] res 40/00:18:d3:82:85/00:00:1f:00:00/40 Emask 0x4 (timeout)
To disable NCQ on boot, add libata.force=noncq
to the kernel command line in the bootloader configuration. To disable NCQ only for disk 0 on port 1 use:
libata.force=1.00:noncq
Add default user
# useradd -m -G wheel -s /bin/bash archie
Setup password for new user:
# passwd archie
Sudo
# pacman -S sudo
Configure for a given user:
# visudo
and add:
archie ALL=(ALL) ALL
Add additional repositories
Most people will want to use [core], [extra] and [community].
Multilib
If you installed Arch Linux x86_64, it’s recommended that you enable the [multilib] repository, as well (to be able to run both 32 bit and 64 bit applications):
[multilib]
Include = /etc/pacman.d/mirrorlist
archlinuxfr
Required for installing yaourt, virtualbox and many other packages.
Add as root the following into /etc/pacman.conf (this is for a 64-bit installation) :
[archlinuxfr]
SigLevel = Optional TrustAll
Server = http://repo.archlinux.fr/x86_64
Refresh software list with:
# pacman -Syy
Package management with Yaourt rather than pacman
Add nice colors when browsing packages
# pacman -S yaourt colordiff
Search both the binary repositories and the AUR:
# yaourt mc
Complete update and upgrade, even for packages coming from AUR
# yaourt -Syu --aur
Setup automatic microcode loading
For AMD processors the microcode updates are available in linux-firmware, which is installed as part of the base system. No further action is needed.
For Intel processors, install the intel-ucode package, and continue reading:
# pacman -S intel-ucode
grub-mkconfig will automatically detect the microcode update and configure grub appropriately. After installing the intel-ucode package, users are directed to regenerate the grub config to activate loading the microcode update by running:
# grub-mkconfig -o /boot/grub/grub.cfg
Install Xorg
Core Xorg install
# pacman -S xorg-server xorg-xinit xorg-server-utils
pacman will ask you to pick providers, for example:
4 providers for libgl: 1) mesa-libgl 2) nvidia-304xx-libgl 3) nvidia-340xx-libgl 4) nvidia-libgl
2 providers for xf86-input-driver: 1) xf86-input-evdev 2) xf86-input-libinput
The 3D utilities glxgears and glxinfo are included in the mesa package:
# pacman -S mesa
Identify video driver
Then you need to install a suitable driver for your graphics card. You need to know its brand and model, then consult the main Archlinux wiki to see which driver best fits your needs. The output of the command:
# lspci | grep VGA
should help you to identify your card.
For a complete list of open-source video drivers, search the package database:
# pacman -Ss xf86-video | less
The following is for an Intel based graphic card.
# pacman -S xf86-video-intel lib32-mesa-libgl
Keyboard & mouse
Keyboard layout in Xorg can be set in multiple ways. Here is an explanation of the options used:
- XkbModel selects the keyboard model. This has an influence only for some extra keys your keyboard might have. The safe fallbacks are pc104 or pc105. But for instance laptops usually have some extra keys, and sometimes you can make them work by simply setting a proper model.
- XkbLayout selects the keyboard layout. Multiple layouts may be specified in a comma-separated list, e.g. if you want to quickly switch between layouts.
- XkbVariant selects a specific layout variant. For instance, the default sk variant is qwertz, but you can manually specify qwerty, etc.
- XkbOptions contains some extra options. Used for specifying layout switching, notification LED, compose mode etc.
The layout name is usually a 2-letter country code. To see a full list of keyboard models, layouts, variants and options, along with a short description, open /usr/share/X11/xkb/rules/base.lst. Alternatively, you may use one of the following commands to see a list without a description:
# localectl list-x11-keymap-models
# localectl list-x11-keymap-layouts
# localectl list-x11-keymap-variants [layout]
# localectl list-x11-keymap-options
One way to create a system-wide configuration that is persistent across reboots is the file /etc/X11/xorg.conf.d/00-keyboard.conf.
For convenience, the tool localectl may be used instead of manually editing X configuration files. It will save the configuration in /etc/X11/xorg.conf.d/00-keyboard.conf; this file should not be edited by hand, because localectl will overwrite the changes on the next start. The usage is as follows:
# localectl [--no-convert] set-x11-keymap layout [model [variant [options]]]
To set a model, variant or options, all preceding fields need to be specified. Unless the --no-convert option is passed, the specified keymap is also converted to the closest matching console keymap and applied to the console configuration in vconsole.conf. See man localectl for more information.
To create, for example a configuration for a French keyboard that will be stored in /etc/X11/xorg.conf.d/00-keyboard.conf:
# localectl --no-convert set-x11-keymap fr pc104
Laptop users will also need the synaptics package to allow X to configure the touchpad:
# pacman -S xf86-input-synaptics
The primary method of configuration for the touchpad is through an Xorg server configuration file. After installation of xf86-input-synaptics, a default configuration file is located at /usr/share/X11/xorg.conf.d/50-synaptics.conf. Users can copy this file to /etc/X11/xorg.conf.d/ and edit it to configure the various driver options available. Refer to the synaptics(4) manual page for a complete list of available options. Machine-specific options can be discovered using synclient.
The following lists options that many users may wish to configure. This example configuration file enables vertical, horizontal and circular scrolling as well as touchpad tap to click: /etc/X11/xorg.conf.d/50-synaptics.conf
Section "InputClass"
Identifier "touchpad"
Driver "synaptics"
MatchIsTouchpad "on"
Option "TapButton1" "1"
Option "TapButton2" "2"
Option "TapButton3" "3"
Option "VertEdgeScroll" "on"
Option "VertTwoFingerScroll" "on"
Option "HorizEdgeScroll" "on"
Option "HorizTwoFingerScroll" "on"
Option "CircularScrolling" "on"
Option "CircScrollTrigger" "2"
Option "EmulateTwoFingerMinZ" "40"
Option "EmulateTwoFingerMinW" "8"
Option "CoastingSpeed" "0"
Option "FingerLow" "35"
Option "FingerHigh" "40"
...
EndSection
Test X
Install the default environment:
# pacman -S xorg-twm xorg-xclock xterm
Start X
# startx
Install fonts
At this point, you may wish to save time by installing visually pleasing, true type fonts, before installing a desktop environment/window manager. Dejavu and bitstream-vera are good, general-purpose font sets. You may also want to have the Microsoft font sets, which are especially popular on websites.
Install with:
# pacman -S ttf-dejavu ttf-bitstream-vera
# yaourt ttf-ms-fonts
Allocine is missing one font that needs to be added manually!
Install Gnome
Base system
# pacman -S gnome gnome-extra
Remove tracker to enable the old-fashioned search in nautilus/nemo.
GDM
GDM is part of gnome-extra.
To make GDM the default graphical login method for the system, use the packaged systemd service file, gdm.service. Simply run the following command once to bring up GDM on boot:
# systemctl enable gdm
Starting GNOME manually
If you prefer to start GNOME manually from the console, add the following line to your ~/.xinitrc file:
~/.xinitrc
exec gnome-session
You can get .xinitrc template from /etc/skel/.xinitc
Enable Gnome NetworkManager
# systemctl enable NetworkManager
GNOME tweak tool
This graphical tool customizes fonts, themes, titlebar buttons and other settings; it should have already been installed with the gnome and gnome-extra meta packages.
# pacman -S gnome-tweak-tool
Force the Xorg backend instead of GDM’s default (Wayland)
The Wayland backend is used by default and the Xorg backend is used only if the Wayland backend cannot be started. As the Wayland backend has been reported to cause problems for some users, use of the Xorg backend may be necessary. Using Wayland I experienced issues with Guake not being available all the time and also couldn’t revert the mouse scroll behavior back to its original state.
To use the Xorg backend by default, edit the /etc/gdm/custom.conf file and uncomment the following line:
#WaylandEnable=false
Configure sound
I used to configure alsa but lately I didn’t have to configure anything to get sound working when using Gnome desktop.
Nasty bug on Intel HD Audio desktop
I had a nasty bug for more than 6 months that prevented me from playing audio in a reliable way using the optical output of my motherboard. The volume control would switch to another source every second.
Solution was found here https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1277846
# sudo pacman -S alsa-tools
# hdajackretask
- Click on Advanced override
- Click on Override for “Pin ID: 0x1b (Green Headphone, Front side)”
- Under “Jack detection”, select “Not present”
- I tried the “Apply now” button but it didn’t work. Go for “Install boot override”.
- Reboot
Install boot override will install /etc/modprobe.d/hda-jack-retask.conf
# This file was added by the program 'hda-jack-retask'.
# If you want to revert the changes made by this program, you can simply erase this file and reboot your computer.
options snd-hda-intel
patch=hda-jack-retask.fw,hda-jack-retask.fw,hda-jack-retask.fw,hda-jack-retask.fw
Guake
# pacman -S guake
To get guake to autostart on login, use gnome-tweak-tool.
ZSH
# pacman -S zsh
Change the default shell for the current user:
# chsh -s $(which zsh)
Prezto
I used to add grml-zsh-config and oh-my-zsh. Now I have switched to prezto. Instead of using the version found in the AUR, I directly clone the repo to my home directory.
# git clone --recursive https://github.com/sorin-ionescu/prezto.git "${ZDOTDIR:-$HOME}/.zprezto"
To personalize Zsh and Prezto, edit your local ~/.zshrc and ~/.zpreztorc files.
Create a new Zsh configuration by copying the Zsh configuration files provided:
setopt EXTENDED_GLOB
for rcfile in "${ZDOTDIR:-$HOME}"/.zprezto/runcoms/^README.md(.N); do
ln -s "$rcfile" "${ZDOTDIR:-$HOME}/.${rcfile:t}"
done
Updating
Pull the latest changes and update submodules.
git pull && git submodule update --init --recursive
Paste my .zshrc and .zpreztorc examples!!
cursors !!! https://github.com/sorin-ionescu/prezto/issues/424
ssh keychain for .zshrc but also
eval $(keychain --eval --nogui --quiet id_ed25519-nopass id_rsa_key-nopass) &
in .delayed_apps for the keys without password
issues with CUPS https://bbs.archlinux.org/viewtopic.php?id=192525 https://bugs.archlinux.org/task/43708
issue with package keys: pacman-key --refresh-keys
Enable autologin
You can have GDM log directly into your session without prompting for any password (safe since the whole disk is encrypted).
Edit /etc/gdm/custom.conf
# GDM configuration storage
[daemon]
AutomaticLogin=alpha
AutomaticLoginEnable=True
Check if SSD TRIM is working
https://sites.google.com/site/lightrush/random-1/checkiftrimonext4isenabledandworking
http://worldsmostsecret.blogspot.fr/2012/04/how-to-activate-trim-on-luks-encrypted.html
# sudo dmsetup table /dev/mapper/enc-lvm --showkeys
The crypt line of the dm-crypt mapping (enc-lvm on this setup) shows allow_discards when TRIM is passed through.
Enable predictable network interface names
For motherboards that have integrated NICs, it is important to have a fixed device name. Many configuration problems are caused by interface names changing.
Udev is responsible for which device gets which name. Systemd v197 introduced Predictable Network Interface Names, which automatically assigns static names to network devices. Interfaces are now prefixed with en (ethernet), wl (WLAN), or ww (WWAN) followed by an automatically generated identifier, creating an entry such as enp0s25.
This behavior may be disabled by adding a symlink:
# sudo ln -s /dev/null /etc/udev/rules.d/80-net-name-slot.rules
NTP
# pacman -S ntp
# systemctl enable ntpd
CUPS
# pacman -S cups cups-filters cups-pdf system-config-printer-gnome
# pacman -S foomatic-db foomatic-db-engine foomatic-db-nonfree foomatic-filters
PDF setup: to use cups-pdf, restart cups and visit the CUPS web interface at http://localhost:631/
You can now add a “Virtual Printer (PDF Printer)” and use the Postscript/Generic postscript color printer driver.
Note that cups-pdf has a configuration file in /etc/cups. The default location for pdf output is /var/spool/cups-pdf/$username.
Disable pc speaker sound
Create /etc/modprobe.d/blacklist.conf with:
blacklist pcspkr
Backup keys
# dmsetup table --showkeys
# cryptsetup luksDump /dev/sda3 | grep "Payload offset"
Note the payload offset (4040 in this example), then copy that many 512-byte sectors from the start of the device:
# dd if=/dev/sda3 of=./backup.img bs=512 count=4040
# dmsetup info -c
How do I backup a LUKS header?
While you could just copy the appropriate number of bytes from the start of the LUKS partition, the best way is to use command option “luksHeaderBackup” of cryptsetup. This protects also against errors when non-standard parameters have been used in LUKS partition creation. Example:
cryptsetup luksHeaderBackup --header-backup-file h /dev/mapper/c1
cryptsetup luksHeaderBackup --header-backup-file h /dev/sda3
To restore, use the inverse command, i.e.
cryptsetup luksHeaderRestore --header-backup-file h /dev/mapper/c1
LVM metadata backup:
# vgcfgbackup -f x201-lvm vgroup
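The raw dd method above depends on reading the payload offset correctly, and a header backup is only worth having if it is verified before it is needed. The following is an added example, not part of the original notes: it parses the "Payload offset" line from luksDump output, derives the byte count a raw copy must cover, prints the matching dd invocation, and checks that a backup file starts with the LUKS magic and has the expected size. The luksDump text and the backup file it uses are constructed; luksHeaderBackup remains the preferred tool, this only mirrors the manual procedure.

```shell
#!/bin/sh
# Added example (not from the original notes): helpers for the raw LUKS
# header backup. The dump text and the "backup" file below are constructed.

# payload_offset_sectors "<luksDump output>" -> offset in 512-byte sectors
payload_offset_sectors() {
    printf '%s\n' "$1" | sed -n 's/^Payload offset:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# header_bytes SECTORS -> number of bytes a dd copy must cover
header_bytes() {
    echo $(( $1 * 512 ))
}

# raw_backup_command DEVICE OUTFILE SECTORS -> the dd line equivalent to the
# luksDump/dd procedure above (cryptsetup luksHeaderBackup is still preferred)
raw_backup_command() {
    printf 'dd if=%s of=%s bs=512 count=%s\n' "$1" "$2" "$3"
}

# header_backup_ok FILE SECTORS
# 0 when FILE starts with the LUKS magic ("LUKS" followed by 0xba 0xbe) and
# is exactly SECTORS*512 bytes long; prints the reason on stderr otherwise.
header_backup_ok() {
    file=$1; want=$(header_bytes "$2")
    magic=$(head -c 4 "$file")
    if [ "$magic" != "LUKS" ]; then
        echo "$file: missing LUKS magic" >&2; return 1
    fi
    size=$(wc -c < "$file" | tr -d ' ')
    if [ "$size" -ne "$want" ]; then
        echo "$file: size $size, expected $want" >&2; return 1
    fi
}

# --- demo on constructed data ---
dump='LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Payload offset: 4040'
sectors=$(payload_offset_sectors "$dump")
echo "payload offset: $sectors sectors = $(header_bytes "$sectors") bytes"
raw_backup_command /dev/sda3 ./backup.img "$sectors"

# constructed stand-in for a backup: the LUKS magic followed by zero padding
fake=$(mktemp)
{ printf 'LUKS\272\276'; head -c $(( sectors * 512 - 6 )) /dev/zero; } > "$fake"
header_backup_ok "$fake" "$sectors" && echo "backup file looks valid"
rm -f "$fake"
```

With a real device the flow is `sectors=$(payload_offset_sectors "$(cryptsetup luksDump /dev/sdXN)")`, run the printed dd line (or luksHeaderBackup), then `header_backup_ok ./backup.img "$sectors"` on the result; for a luksHeaderBackup file the size check does not apply since that tool writes its own layout, so only the magic check is meaningful there.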
Restore keys
If you still have the live mapping, you are not lost completely yet. Do not reboot! First run “dmsetup table --showkeys” and “dmsetup info -c” and store the full mapping to some file.
If you see the dm-crypt mapping there mapped to the proper drive, you can still recreate the LUKS header with some magic.
(If you have saved that dmsetup mapping, I’ll describe how to save your data - still depends how much of the fs was overwritten.)
If you want help with that, paste here “dmsetup table” (without using --showkeys, we do not want to see your master key:-). For recovery you will need to know that key, so be sure you have the full table with the key stored as written above.
(Table is created according to LUKS header which is lost, so after reboot you are lost completely. BTW Passphrase will not help here at all.) http://www.spinics.net/lists/dm-crypt/msg02914.html https://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions#6._Backup_and_Data_Recovery
UUID http://www.datadisk.co.uk/html_docs/redhat/rh_lvm.htm https://www.centos.org/docs/5/html/Cluster_Logical_Volume_Manager/mdatarecover.html
# dd if=./backup.img of=/dev/sda3 bs=512 count=4040
Manual LUKS volume
Create a 10 MB container file, attach it to a loop device, format it with LUKS and open it:
# dd if=/dev/zero of=/bigsecret bs=1M count=10
# losetup /dev/loop0 /bigsecret
# cryptsetup luksFormat /dev/loop0
(or with explicit parameters: cryptsetup luksFormat -c cast5-cbc-plain -s 128 -h sha256 /dev/$DEVICE)
# cryptsetup luksOpen /dev/loop0 secret
Format:
# mkfs.ext2 /dev/mapper/secret
Mount:
# mkdir /mnt/secret
# mount -t ext2 /dev/mapper/secret /mnt/secret
Unmount:
# umount /mnt/secret
# cryptsetup luksClose secret
# losetup -d /dev/loop0 # free the loop device
Remount:
# losetup /dev/loop0 /bigsecret
# cryptsetup luksOpen /dev/loop0 secret
# mount -t ext2 /dev/mapper/secret /mnt/secret
Remove guake title
# gconf-editor
/apps/guake/general/use_vte_titles
Fix Nautilus sort
Create/Edit ~/.gnomerc
and add
#export LC_COLLATE=C (that was the original post)
replaced by
#export LC_COLLATE="fr_FR.UTF-8"
IMPORTANT NOTE: You must make the ‘.gnomerc’ file executable before restarting your computer. You can use a command like
chmod 755 .gnomerc or chmod 700 .gnomerc
https://bbs.archlinux.org/viewtopic.php?pid=1081952
In the end I got it working with: /etc/locale.conf
LANG=fr_FR.UTF-8
#LC_COLLATE="C"
LC_COLLATE="fr_FR.UTF-8"
and adding/modifying the following in ~/.zshrc.local
export LC_ALL="fr_FR.UTF-8"
#export LC_COLLATE="C"
export LC_COLLATE="fr_FR.UTF-8"
CUPS
# systemctl enable cups.service
CUPS PDF
PDF virtual printer
CUPS-PDF is a nice package that allows one to setup a virtual printer that will generate a PDF from anything sent to it. Obviously this package is not necessary, but it can be quite useful.
Find generated PDF documents in a sub-directory located at /var/spool/cups-pdf. Normally, the subdirectory is named after the user who performed the job. A little tweak helps you to find your printed PDF documents more easily. Edit /etc/cups/cups-pdf.conf by changing the line
#Out /var/spool/cups-pdf/${USER}
to
Out /home/${USER}
This package can be installed by the following command:
pacman -S cups-pdf
After installing the package, set it up as if it were for any other printer by using the web interface. For the Device, select CUPS-PDF (Virtual PDF Printer); Make/Manufacturer, choose Generic; Model/Driver, select Generic postscript color printer or Generic Cups-PDF Printer.
Quality sucks!
Cron
Not enabled by default
# systemctl enable cronie.service
Journal
Since version 38, systemd has its own logging system, the journal. Therefore, running a syslog daemon is no longer required. To read the log, use:
# journalctl
By default (when Storage= is set to auto in /etc/systemd/journald.conf), the journal writes to /var/log/journal/. If the directory /var/log/journal/ does not exist (e.g. if you or some program delete it), systemd will not create it automatically, but instead write its logs to /run/systemd/journal. This means that logs will be lost on reboot.
On a default installation it appears to use /var/log/journal.
Disable IPV6
Adding ipv6.disable=1 to the kernel line disables the whole IPv6 stack, which is likely what you want if you are experiencing issues. See Kernel parameters for more information.
Cryptostick & Gnome
Disable gnome-keyring in gnome-session-properties.
Disable gpg-agent in ~/.gnupg.conf.
Create /etc/profile.d/gpg-agent.sh:
#!/bin/sh
envfile="${HOME}/.gnupg/gpg-agent.env"
# Reuse the running agent if its PID (second field of GPG_AGENT_INFO) is still alive.
if test -f "$envfile" && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
    eval "$(cat "$envfile")"
else
    # without SSH support: eval "$(gpg-agent --daemon --write-env-file "$envfile")"
    eval "$(gpg-agent --daemon --enable-ssh-support --write-env-file "$envfile")"
fi
export GPG_AGENT_INFO # the env file does not contain the export statement
Then make it executable:
# chmod +x /etc/profile.d/gpg-agent.sh
Note that this script relies on --write-env-file and GPG_AGENT_INFO, both of which GnuPG 2.1 removed: with 2.1 or later the agent is started on demand and located through its socket, so the script is only needed for GnuPG 2.0.
Create /etc/udev/rules.d/40-cryptostick.rules:
# do not edit this file, it will be overwritten on update
SUBSYSTEM!="usb", GOTO="cryptostick_rules_end"
ACTION!="add", GOTO="cryptostick_rules_end"
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4107", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
LABEL="cryptostick_rules_end"
Issues with i915
Removed from /usr/bin/powersave:
echo 0 > /sys/module/i915/parameters/i915_enable_rc6
echo 0 > /sys/module/i915/parameters/i915_enable_fbc
echo 0 > /sys/module/i915/parameters/powersave
Added i915 in /etc/mkinitcpio.conf and created /etc/modprobe.d/i915.conf:
options i915 i915_enable_rc6=1
options i915 i915_enable_fbc=1
options i915 lvds_downclock=1
Removed the corresponding parameters from the GRUB default command line.
Apparently, once i915 is in mkinitcpio.conf its parameters can no longer be written afterwards, only set via i915.conf (to be investigated).
In case of a duplicate volume group name, rename it (vgs -v shows the VG UUID):
# vgs -v
# vgrename UUID new-vgroup-name
macchanger on boot
/etc/systemd/system/macspoof@.service (Before=NetworkManager.service makes sure the MAC is changed before the interface is brought up):
[Unit]
Description=macchanger on %I
Before=NetworkManager.service
After=sys-subsystem-net-devices-%I.device

[Service]
ExecStart=/usr/bin/macchanger -r %I
Type=oneshot

[Install]
WantedBy=multi-user.target
Then enable it for each network interface (systemctl enable macspoof@ followed by the interface name):
sudo systemctl enable macspoof@enp0s25
sudo systemctl enable macspoof@wlp3s0
DNS cache + DNS encryption
# pacman -S dnsmasq dnscrypt-proxy
/etc/dnsmasq.conf:
no-resolv
server=127.0.0.1#40
listen-address=127.0.0.1
proxy-dnssec
domain-needed
bogus-priv
dns-forward-max=150
cache-size=1000
no-negcache
Restart dnsmasq.service to apply the changes.
Enable on boot:
# systemctl enable dnsmasq.service
/etc/NetworkManager/NetworkManager.conf:
[main]
plugins=keyfile
dhcp=dhclient
dns=default
#dns=dnsmasq
## Set static hostname
#[keyfile]
#hostname=foobar
## HTTP-based connectivity check
#[connectivity]
#uri=http://nmcheck.gnome.org/check_network_status.txt
#interval=100
Then launch:
# systemctl edit dnscrypt-proxy.socket
and enter (the empty assignments clear the unit's default listeners before the new ones are added):
[Socket]
ListenStream=
ListenDatagram=
ListenStream=127.0.0.1:40
ListenDatagram=127.0.0.1:40
Then restart dnscrypt-proxy.socket, and stop dnscrypt-proxy.service if it is already running, so that it gets started by the .socket unit.
Enable on boot:
# systemctl enable dnscrypt-proxy.socket
Create and lock down /etc/resolv.conf (the immutable bit stops NetworkManager from rewriting it with the DHCP-supplied resolvers):
# echo "nameserver 127.0.0.1" > /etc/resolv.conf
# chattr +i /etc/resolv.conf
Scripts to switch between dnscrypt and automatic DNS
~/dns-auto.sh:
#!/bin/sh
sudo systemctl stop NetworkManager.service
sleep 1
sudo nmcli networking off
sleep 1
sudo chattr -i /etc/resolv.conf
sudo rm /etc/resolv.conf
sudo systemctl start NetworkManager.service
sleep 1
sudo nmcli networking on
sleep 1
Then make it executable: chmod +x dns-auto.sh
In auto mode NetworkManager regenerates resolv.conf from DHCP, so queries then go to the network's resolver in the clear, bypassing dnscrypt-proxy.
~/dns-dnscrypt.sh:
#!/bin/sh
sudo systemctl stop NetworkManager.service
sleep 1
sudo nmcli networking off
sleep 1
sudo chattr -i /etc/resolv.conf
sudo sh -c "echo nameserver 127.0.0.1 > /etc/resolv.conf"
sudo chattr +i /etc/resolv.conf
sudo systemctl start NetworkManager.service
sleep 1
sudo nmcli networking on
Then make it executable: chmod +x dns-dnscrypt.sh
To make sure resolv.conf is the right one on boot (and also locked down), create /etc/systemd/system/dnscrypt-reset.service:
[Unit]
Description=Reset /etc/resolv.conf and lock it
After=NetworkManager.service

[Service]
ExecStart=/home/alpha/dns-dnscrypt.sh
Type=oneshot

[Install]
WantedBy=multi-user.target
Enable on boot:
# systemctl enable dnscrypt-reset.service
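The chain set up above only protects queries if its three pieces agree: resolv.conf names only 127.0.0.1, dnsmasq ignores resolv.conf (no-resolv) and forwards to the port that the dnscrypt-proxy socket unit actually listens on. The check below is an added example, not part of the original notes; it parses those files with the paths used above (the drop-in path is where `systemctl edit dnscrypt-proxy.socket` stores its override) and, with the argument `live`, probes the running system.

```shell
#!/bin/sh
# Added example, not part of the original notes: verify that resolv.conf,
# dnsmasq.conf and the dnscrypt-proxy socket drop-in agree with each other,
# then optionally probe the running system. Assumed: the file paths used
# in the notes; override.conf is the drop-in written by `systemctl edit`.
RESOLV=${RESOLV:-/etc/resolv.conf}
DNSMASQ=${DNSMASQ:-/etc/dnsmasq.conf}
SOCKET_DROPIN=${SOCKET_DROPIN:-/etc/systemd/system/dnscrypt-proxy.socket.d/override.conf}

# Non-comment, non-blank lines of a config file. Whole-line comments only:
# dnsmasq's "server=127.0.0.1#40" uses '#' as the port separator.
active_lines() { sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$1"; }

# resolv.conf must name 127.0.0.1 and nothing else: any other nameserver
# line is a clear-text path around dnscrypt-proxy.
check_resolv() {
    [ "$(active_lines "$1" | awk '$1 == "nameserver" { print $1, $2 }' | sort -u)" = "nameserver 127.0.0.1" ]
}

# Port dnsmasq forwards to (server=127.0.0.1#PORT); empty if not set.
dnsmasq_upstream_port() {
    active_lines "$1" | sed -n 's/^server=127\.0\.0\.1#\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Port the dnscrypt-proxy socket unit listens on (last ListenStream= wins).
socket_port() {
    active_lines "$1" | sed -n 's/^ListenStream=127\.0\.0\.1:\([0-9][0-9]*\)$/\1/p' | tail -n 1
}

# Returns 0 when the chain is consistent, 1 with the reason on stderr.
check_dns_chain() {
    resolv=$1; dnsmasq=$2; dropin=$3
    check_resolv "$resolv" \
        || { echo "$resolv: must contain exactly 'nameserver 127.0.0.1'" >&2; return 1; }
    active_lines "$dnsmasq" | grep -q '^no-resolv[[:space:]]*$' \
        || { echo "$dnsmasq: no-resolv missing, dnsmasq would also use the resolvers from resolv.conf" >&2; return 1; }
    up=$(dnsmasq_upstream_port "$dnsmasq"); sp=$(socket_port "$dropin")
    [ -n "$up" ] && [ "$up" = "$sp" ] \
        || { echo "port mismatch: dnsmasq forwards to 127.0.0.1#${up:-?}, dnscrypt-proxy listens on ${sp:-?}" >&2; return 1; }
    return 0
}

# Live probe (services running): immutable bit, listening UDP sockets,
# and a query that has to be answered by 127.0.0.1.
live_check() {
    lsattr "$RESOLV" | cut -d' ' -f1 | grep -q i \
        && echo "$RESOLV is immutable" \
        || echo "WARNING: $RESOLV is not immutable, NetworkManager can rewrite it"
    ss -lnu | grep -E "127\.0\.0\.1:(53|$(socket_port "$SOCKET_DROPIN")) "
    dig +short @127.0.0.1 archlinux.org A
}

if [ "${1:-}" = live ]; then
    check_dns_chain "$RESOLV" "$DNSMASQ" "$SOCKET_DROPIN" && live_check
fi
```

A port mismatch does not leak queries (no-resolv leaves dnsmasq with nowhere else to go), it just breaks resolution; a second nameserver line in resolv.conf is the case that silently sends queries in the clear.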
Change the default resolver:
# systemctl edit dnscrypt-proxy.service --full
Resolver names used: soltysiak, dnscrypt.eu-dk
TRIM test: https://unix.stackexchange.com/questions/85865/trim-with-lvm-and-dm-crypt/85880#85880
"This is just a script I would like to share if some lazy person comes here. It was made out of the accepted answer from frostschutz. http://unix.stackexchange.com/a/85880/6661"
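For TRIM to reach the SSD through the stack built in this tutorial, every layer has to pass discards down: the filesystem (fstrim or the discard mount option), LVM (issue_discards for freed extents) and dm-crypt (allow_discards on the mapping). The script below is an added example, not part of the original notes nor the script quoted above, and covers both the ext4 check linked earlier and the LVM/dm-crypt case: the parsing functions take captured `dmsetup table`, lvm.conf and crypttab text as arguments, and report() runs them on the live system (as root) with the mapping name given as its argument.

```shell
#!/bin/sh
# Added example, not part of the original notes: check whether discards
# (TRIM) can pass through each layer of the filesystem -> LVM -> dm-crypt
# stack. Parsing functions take their input as arguments; report() runs
# them against the live system and needs root. The dm-crypt mapping name
# is assumed to be passed as the first argument.

# 0 if a `dmsetup table` crypt line carries the allow_discards flag, e.g.
#   0 937703088 crypt aes-xts-plain64 0000...0 0 8:2 4096 1 allow_discards
# (dmsetup prints the key as zeros unless --showkeys is given; never paste
# --showkeys output anywhere).
crypt_table_allows_discards() {
    printf '%s\n' "$1" | grep -qE '[[:space:]]crypt[[:space:]].*[[:space:]]allow_discards([[:space:]]|$)'
}

# 0 if lvm.conf text sets issue_discards = 1. This matters for lvremove /
# lvreduce (freed extents get discarded); fstrim passes through LVM without it.
lvm_conf_issue_discards() {
    printf '%s\n' "$1" | sed '/^[[:space:]]*#/d' \
        | grep -qE '^[[:space:]]*issue_discards[[:space:]]*=[[:space:]]*1([^0-9]|$)'
}

# 0 if the /etc/crypttab line for NAME (arg 2) carries the "discard" option.
# crypttab fields: name device keyfile options
crypttab_has_discard() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $1 == n { c = split($4, o, ","); for (i = 1; i <= c; i++) if (o[i] == "discard") ok = 1 }
        END { exit ok ? 0 : 1 }'
}

report() {
    name=$1
    if crypt_table_allows_discards "$(dmsetup table "$name")"; then
        echo "dm-crypt $name: allow_discards set"
    else
        echo "dm-crypt $name: discards blocked (discard option in /etc/crypttab, or allow-discards / rd.luks.options=discard on the kernel line for the root mapping)"
    fi
    if crypttab_has_discard "$(cat /etc/crypttab 2>/dev/null)" "$name"; then
        echo "crypttab $name: discard option present"
    fi
    if lvm_conf_issue_discards "$(cat /etc/lvm/lvm.conf)"; then
        echo "lvm: issue_discards = 1"
    else
        echo "lvm: issue_discards not set (lvremove/lvreduce will not discard freed extents)"
    fi
    # The decisive test: fstrim fails with "the discard operation is not
    # supported" if any layer below the filesystem blocks it.
    fstrim -v /
}

if [ $# -eq 1 ]; then
    report "$1"
fi
```

Enabling discards on dm-crypt is a trade-off, which is why cryptsetup leaves it off by default: with allow_discards the SSD, and anyone who reads it, can see which blocks are unused, so the ciphertext reveals the free-space layout and hints at the filesystem type. Turn it on only if SSD longevity matters more than that leak.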