Description
Quick procedure for installing an Arch Linux machine on NVMe drives, without Secure Boot. No hardening, no specific configuration.
Installation process
Disable Secure Boot, then boot from a live medium or via netboot. In what follows, hostname=foo.
Partitioning, LUKS and LVM setup
sgdisk -o \
-n 1:0:+250M -t 1:EF00 \
-n 2:0:+250M -t 2:8300 \
-n 3:0:0 -t 3:8309 \
/dev/nvme0n1
mkfs.fat -F32 /dev/nvme0n1p1
mkfs.ext4 /dev/nvme0n1p2
cryptsetup luksFormat /dev/nvme0n1p3
cryptsetup luksOpen /dev/nvme0n1p3 foo
pvcreate /dev/mapper/foo
vgcreate foo /dev/mapper/foo
lvcreate -L 25G foo -n root
lvcreate -L 25G foo -n var
lvcreate -L 10G foo -n tmp
lvcreate -L 80G foo -n home
mkfs.ext4 /dev/foo/root
mkfs.ext4 /dev/foo/var
mkfs.ext4 /dev/foo/home
mount /dev/foo/root /mnt/
mkdir -p /mnt/home /mnt/var /mnt/boot
mount /dev/foo/var /mnt/var
mount /dev/foo/home /mnt/home
mount /dev/nvme0n1p2 /mnt/boot
mkdir -p /mnt/boot/efi
mount /dev/nvme0n1p1 /mnt/boot/efi
System initialisation
pacstrap /mnt linux linux-firmware base
genfstab -U /mnt > /mnt/etc/fstab
Locale, hostname and timezone configuration
In the chroot (arch-chroot /mnt):
ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
echo LANG=en_US.UTF-8 > /etc/locale.conf
hwclock --systohc
echo foo > /etc/hostname
echo "127.0.1.1 foo" >> /etc/hosts
Account configuration
In the chroot:
pacman -S sudo polkit openssh
passwd
useradd -m local
passwd local
usermod -aG wheel local
systemctl enable sshd.service
mkdir -p ~local/.ssh
curl https://code.hopopops.com/vianney.keys > ~local/.ssh/authorized_keys
chown -R local: ~local/.ssh
GRUB/bootloader configuration
In the chroot:
pacman -S grub efibootmgr mkinitcpio-{dropbear,utils,netconf} lvm2
curl https://code.hopopops.com/vianney.keys > /etc/dropbear/root_key
# edit /etc/default/grub to edit boot parameters:
# GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet ip=ip=<ip iface 1>:::::eth0:none:ip=<ip iface 2>::<default route iface 2>:<netmask iface 2>::eth1:none cryptdevice=UUID=<crypt device uuid>:cryptlvm root=/dev/foo/root"
# edit /etc/mkinitcpio.conf to edit hooks:
# HOOKS=(base udev keyboard modconf block netconf dropbear encryptssh lvm2 filesystems fsck autodetect)
mkinitcpio -P
grub-install --target=x86_64-efi --efi-directory /boot/efi --removable
grub-mkconfig -o /boot/grub/grub.cfg
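The remote-unlock boot above only works if the hook order and the cryptdevice= parameter are right, and the post leaves the UUID as a placeholder to fill in by hand. The following pre-flight check is an added example (not from the original post): it derives the cryptdevice=/root= fragment from the LUKS partition's UUID, verifies that netconf, dropbear and encryptssh appear in that order and before lvm2 in HOOKS=(...), and flags any unfilled <...> placeholder. Function names are hypothetical; the file paths and the cryptlvm mapper name are the ones used in the post.

```shell
#!/bin/sh
# Pre-flight checks for the dropbear/encryptssh boot configuration.
# Assumes the paths used in the post: /etc/default/grub, /etc/mkinitcpio.conf.

# UUID of the LUKS container, e.g. luks_uuid /dev/nvme0n1p3
luks_uuid() {
    blkid -s UUID -o value "$1"
}

# Build the cryptdevice=...:cryptlvm root=... fragment of GRUB_CMDLINE_LINUX_DEFAULT
# from a LUKS UUID and the LV holding the root filesystem (/dev/foo/root here).
crypt_cmdline() {
    printf 'cryptdevice=UUID=%s:cryptlvm root=%s' "$1" "$2"
}

# Return 0 when a HOOKS=(...) line lists netconf, dropbear and encryptssh in
# that order and all three precede lvm2: dropbear needs the network up, and
# encryptssh must open the LUKS container before LVM can assemble the VG.
hooks_order_ok() {
    hooks=$(printf '%s\n' "$1" | sed -n 's/^HOOKS=(\(.*\))$/\1/p')
    [ -n "$hooks" ] || return 1
    prev=0
    for h in netconf dropbear encryptssh lvm2; do
        idx=0; found=0
        for x in $hooks; do
            idx=$((idx + 1))
            [ "$x" = "$h" ] && { found=$idx; break; }
        done
        [ "$found" -gt "$prev" ] || return 1
        prev=$found
    done
    return 0
}

# Return 0 when a cmdline still contains an unfilled <...> placeholder.
has_placeholder() {
    case "$1" in *'<'*'>'*) return 0 ;; esac
    return 1
}

# Run against the live files (root required); exits non-zero on a problem.
check_boot_config() {
    hooks_order_ok "$(grep '^HOOKS=' /etc/mkinitcpio.conf)" || return 1
    cmdline=$(grep '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub)
    ! has_placeholder "$cmdline" || return 1
    [ -s /etc/dropbear/root_key ] || return 1
}
```

Run check_boot_config inside the chroot after editing the two files and before mkinitcpio -P; a non-zero exit means the initramfs would not reach a working dropbear prompt or would not find the container.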
Iptables
In the chroot:
cat <<EOF > /etc/iptables/iptables.rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "*: icmp" -j ACCEPT
# -A INPUT -i <iface> -p tcp -m tcp --dport 22 -m comment --comment "ssh" -j ACCEPT
COMMIT
EOF
cat <<EOF > /etc/iptables/ip6tables.rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmpv6 -m comment --comment "*: icmp6 (needed for establishing connexion)" -j ACCEPT
-A INPUT -d fe80::/10 -p udp -m udp --dport 546 -m conntrack --ctstate NEW -m comment --comment "*: dhcpc6 (needed for establishing connexion)" -j ACCEPT
# -A INPUT -i <iface> -p tcp -m tcp --dport 22 -m comment --comment "ssh" -j ACCEPT
COMMIT
EOF
systemctl enable iptables.service ip6tables.service
Network
In the chroot:
cat <<EOF > /etc/systemd/network/10-lan.network
[Match]
Name=<iface name>
[Network]
Description=Main LAN interface
Address=<ip iface>/<mask>
EOF
systemctl enable systemd-networkd.service systemd-resolved.service systemd-timesyncd.service
Finally, outside the chroot:
ln -sf /run/systemd/resolve/stub-resolv.conf /mnt/etc/resolv.conf
Done
reboot