Description
This is a quick procedure to install Arch Linux on a host with Secure Boot disabled and NVMe disks, with remote unlocking of the encrypted root over SSH from the initramfs. No hardening nor specific configuration is involved.
Process
Disable Secure Boot, boot from live media or via netboot, then, assuming hostname=foo:
Partitioning, LUKS and LVM setup
sgdisk -o \
-n 1:0:+250M -t 1:EF00 \
-n 2:0:+250M -t 2:8300 \
-n 3:0:0 -t 3:8309 \
/dev/nvme0n1
mkfs.fat -F32 /dev/nvme0n1p1
mkfs.ext4 /dev/nvme0n1p2
cryptsetup luksFormat /dev/nvme0n1p3
cryptsetup luksOpen /dev/nvme0n1p3 foo
pvcreate /dev/mapper/foo
vgcreate foo /dev/mapper/foo
lvcreate -L 25G foo -n root
lvcreate -L 25G foo -n var
lvcreate -L 10G foo -n tmp
lvcreate -L 80G foo -n home
mkfs.ext4 /dev/foo/root
mkfs.ext4 /dev/foo/var
mkfs.ext4 /dev/foo/home
mount /dev/foo/root /mnt/
mkdir -p /mnt/home /mnt/var /mnt/boot
mount /dev/foo/var /mnt/var
mount /dev/foo/home /mnt/home
mount /dev/nvme0n1p2 /mnt/boot
mkdir -p /mnt/boot/efi
mount /dev/nvme0n1p1 /mnt/boot/efi
Init system
pacstrap /mnt linux linux-firmware base
genfstab -U /mnt > /mnt/etc/fstab
Locale, hostname and TZ configuration
In chroot (arch-chroot /mnt):
ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
echo LANG=en_US.UTF-8 > /etc/locale.conf
hwclock --systohc
echo foo > /etc/hostname
echo "127.0.1.1 foo" >> /etc/hosts
Accounts configuration
In chroot:
pacman -S sudo polkit openssh
passwd
useradd -m local
passwd local
usermod -aG wheel local
systemctl enable sshd.service
mkdir -p ~local/.ssh
curl https://code.hopopops.com/vianney.keys > ~local/.ssh/authorized_keys
chown -R local: ~local/.ssh
Grub/bootloader configuration
In chroot:
pacman -S grub efibootmgr mkinitcpio-{dropbear,utils,netconf} lvm2
curl https://code.hopopops.com/vianney.keys > /etc/dropbear/root_key
# edit /etc/default/grub to set the boot parameters: one ip= entry per interface
# (client-ip:server-ip:gateway:netmask:hostname:iface:autoconf) and the UUID of the
# LUKS partition (blkid -s UUID -o value /dev/nvme0n1p3):
# GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet ip=<ip iface 1>:::::eth0:none ip=<ip iface 2>::<default route iface 2>:<netmask iface 2>::eth1:none cryptdevice=UUID=<crypt device uuid>:cryptlvm root=/dev/foo/root"
# edit /etc/mkinitcpio.conf to set the hooks (network up before dropbear, dropbear and block before encryptssh, lvm2 after the LUKS container is open):
# HOOKS=(base udev keyboard modconf block netconf dropbear encryptssh lvm2 filesystems fsck autodetect)
mkinitcpio -P
grub-install --target=x86_64-efi --efi-directory /boot/efi --removable
grub-mkconfig -o /boot/grub/grub.cfg
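The Grub step leaves the kernel command line and the hooks as placeholders to fill by hand. The following helper, an added example that is not part of the original notes, composes that command line from the real values, writes it into a /etc/default/grub style file, and checks that a HOOKS line keeps the ordering the remote-unlock hooks require; the UUID and addresses used with it are constructed placeholders.

```shell
#!/bin/sh
# Helpers for the Grub/bootloader step (added example, not from the notes).
# build_cmdline CRYPT_UUID VG_NAME IP_SPEC... : one ip= entry per interface,
# in kernel syntax client-ip:server-ip:gateway:netmask:hostname:iface:autoconf,
# then the cryptdevice mapping (named cryptlvm) and the LVM root volume.
build_cmdline() {
    uuid=$1; vg=$2; shift 2
    line="loglevel=3 quiet"
    for spec in "$@"; do
        line="$line ip=$spec"
    done
    printf '%s cryptdevice=UUID=%s:cryptlvm root=/dev/%s/root\n' "$line" "$uuid" "$vg"
}

# set_grub_cmdline FILE VALUE : replace GRUB_CMDLINE_LINUX_DEFAULT in FILE,
# appending it when absent. '|' is the sed delimiter because the value
# contains '/' and ':'.
set_grub_cmdline() {
    if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$1"; then
        sed -i "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"$2\"|" "$1"
    else
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$2" >> "$1"
    fi
}

# idx LIST NAME : 1-based position of NAME in the space-separated LIST
idx() { printf '%s\n' $1 | grep -nx -- "$2" | head -n1 | cut -d: -f1; }

# before LIST A B : true when both hooks are present and A precedes B
before() {
    a=$(idx "$1" "$2"); b=$(idx "$1" "$3")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" -lt "$b" ]
}

# hooks_ok HOOKS_LINE : accepts the bare list or the full "HOOKS=(...)" line.
# The network must be up before dropbear listens, dropbear and the block
# layer must precede encryptssh (which asks for the passphrase), and LVM
# is activated only after the LUKS container is open.
hooks_ok() {
    h=$(printf '%s\n' "$1" | sed 's/^HOOKS=//; s/[()]//g')
    before "$h" netconf dropbear && before "$h" dropbear encryptssh &&
    before "$h" block encryptssh && before "$h" encryptssh lvm2 &&
    before "$h" lvm2 filesystems
}
```

Run it from the chroot as `set_grub_cmdline /etc/default/grub "$(build_cmdline "$(blkid -s UUID -o value /dev/nvme0n1p3)" foo '<ip iface 1>:::::eth0:none')"` and validate with `hooks_ok "$(grep ^HOOKS= /etc/mkinitcpio.conf)"` before running mkinitcpio.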
Iptables
In chroot:
cat <<EOF > /etc/iptables/iptables.rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "*: icmp" -j ACCEPT
# -A INPUT -i <iface> -p tcp -m tcp --dport 22 -m comment --comment "ssh" -j ACCEPT
COMMIT
EOF
cat <<EOF > /etc/iptables/ip6tables.rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmpv6 -m comment --comment "*: icmp6 (needed for establishing connection)" -j ACCEPT
-A INPUT -d fe80::/10 -p udp -m udp --dport 546 -m conntrack --ctstate NEW -m comment --comment "*: dhcpv6 client (needed for establishing connection)" -j ACCEPT
# -A INPUT -i <iface> -p tcp -m tcp --dport 22 -m comment --comment "ssh" -j ACCEPT
COMMIT
EOF
systemctl enable iptables.service ip6tables.service
Network
In chroot:
cat <<EOF > /etc/systemd/network/10-lan.network
[Match]
Name=<iface name>
[Network]
Description=Main LAN interface
Address=<ip iface>/<mask>
EOF
systemctl enable systemd-networkd.service systemd-resolved.service systemd-timesyncd.service
Finally, outside of chroot:
ln -sf /run/systemd/resolve/stub-resolv.conf /mnt/etc/resolv.conf
All done
reboot