I’ve been wanting to install Arch on my primary workstation for a while though I was pretty overwhelmed with figuring out what sort of configuration I wanted. I now have something that I like and wanted to outline what I did. This is mostly for my own reference and documentation, though please feel free to use this and adapt it to your own needs!
This guide will outline how to setup a clean install of Arch linux with the following:
- Secure Boot.
- LUKS + BTRFS with subvolumes.
- AppArmor.
- systemd-boot.
- TPM 2.0 enrollment for LUKS.
- GNOME 42 w/ Wayland and NVIDIA proprietary driver.
Note
Please do your own research and check the latest Arch Install Guide for guidance. Sorry if this breaks your system uwu
Base Install
The Arch Install Guide is honestly the best way to get started and is a great reference if you get stuck along the way.
Before you get started, make sure that you have UEFI Mode enabled and Secure Boot disabled on your system. We will enable Secure Boot later in this guide.
WiFi and Syncing System Clock
You will probably want to connect to WiFi, unless you are directly plugged in or are setting up an air-gapped system.
iwctl is probably the easiest way to do this.
| |
You can also do this as a one-liner, with the AP passphrase:
iwctl --passphrase <passphrase> station <device> connect <SSID>
Once you verify that you are connected to the internet, go ahead and sync your system clock using NTP:
timedatectl set-ntp true
Partitions
Warning
Make sure you are using the correct drive! Always verify so you don’t accidently nuke your data.
We will want to verify which hard drive we are going to install Arch to. The easiest way to do this is to use lsblk or fdisk -l. Personally, lsblk is prettier and I much prefer it :)
| |
My system has multiple hard drives. In this case, I am going to install Arch on one of the 1TB NVME SSDs, nvme1n1.
Now to create the system partitions, let’s start with the EFI boot partition:
| |
For the root partition, accept all of the default values:
| |
With our new partitions made, it is time to write the changes!
| |
LUKS
Tip
Consider your threat model when creating your passphrase.
When creating the LUKS volume, make sure you are selecting your root partition, and not the EFI boot partition. In my case, the second partition (the root partition) is nvme1n1p2.
| |
Once that finishes, you are going to want to open the newly created LUKS volume. You will need to name the volume when you open it, I typically just call it “luks”, though you can pick whatever you want. Just make sure you stay consistent!
| |
Format EFI and Root Partitions
Simple and easy, format the EFI boot partition with FAT32:
$ mkfs.vfat -F32 /dev/nvme1n1p1
And now the root partition, with BTRFS:
$ mkfs.btrfs /dev/mapper/luks
Create and Mount BTRFS Subvolumes
In order to take advantage of BTRFS snapshots, we will need to make subvolumes for root and home. Root being the system files that live in / and home being our user data in /home/.
| |
Now we are going to mount the root subvolume, make mount directories for the home subvolume and the EFI boot partition, then mount the boot partition:
| |
If you are wanting to use space cache (space_cache=v1) instead of free space tree (space_cache=v2) , check
this out for more info.
Install System Packages
With the prep work out of the way, it is time to install our base system packages so we can chroot into the system :3
Info
If you are using an AMD CPU, you will want amd-ucode and not intel-ucode. Also, you may want to use linux instead of linux-zen for your kernel.
| |
Feel free to change this list to fit your needs. You can always install more packages later. Also, feel free to replace vim with your editor of choice :)
After the pacstrap command finishes, you will want to generate your /etc/fstab file. This handy command will generate this file based on your current mount points. Cool, right?
| |
Now for the exciting part, let’s chroot into our new linux install so we can do some additional configuration!
Chroot and System Configuration
To chroot into the new linux install you will run the following command:
| |
You will now be presented with a root user prompt.
Go ahead and enable the following services, so we don’t forget!
| |
User Accounts
First things first, we need to set a root password. Make sure you pick something secure. Again, consider your threat model!
| |
We will also want to create our user account. I am adding the user to the wheel group, as in a moment we will be granting this user group access to use the sudo command for privilege escalation. Also, when setting the password, again I say, consider your threat model :3
| |
To add the wheel group to the suderos file we will want uncomment the following line from the default config (or add it if it isn’t there):
| |
This will allow members of the wheel group to execute any command as root.
System Hostname and Hosts Configuration
Your system’s hostname can be whatever you want, all you need to do is put it in the /etc/hostname file.
| |
We will also want to define this hostname in our /etc/hosts/ file, as follows:
| |
Locale Generation and Timezone
Another important thing we need to do is define our language locale. You will want to open the /etc/locale.gen file in your editor of choice and uncomment the lines that are relevant to your language. For me, I went with U.S English, with UTF-8 encoding.
| |
Note
You may need to also select your locale in GNOME’s settings later.
| |
To set the timezone, you will need to figure out the correct timezone string based on your region. An easy way to do that is to use grep:
| |
For me, I picked America/Los_Angeles. Now to set the timezone you picked, and sync it to your system clock:
| |
You can run date to verify the current system time.
initramfs Configuration and Generation
The initramfs configuration is super important (not to mention super neat). I would recommend that you take some time to familiarize yourself with
mkinitcpio, which is the tool used to create the initial ramdisk (initramfs).
To start, we will need to modify /etc/mkinitcpio.conf to make changes to the MODULES and HOOKS sections. Go ahead and open that file in your editor of choice and set those lines to the following:
| |
Once that is done, it is time to generate our new initramfs:
| |
If you notice some warning messages about missing firmware, check the Additional Firmware section towards the end of this guide. It is okay to ignore for the moment and likely won’t cause any problems. Though if you are concerned, go ahead and check out that section then regenerate your initramfs after you install any additional firmware packages.
Bootloader
If you don’t want to use systemd-boot, follow instructions for your bootloader of choice instead. Though if you are cool with systemd-boot, go ahead and install it with the following command:
| |
Now to make our Arch boot entry. You are going to need the UUID of your root partition for this, so to make things a bit easier, I would recommend adding the UUID to the boot entry file, twice:
Warning
Make sure you are using the correct drive and are specifying your root partition.
| |
Go ahead and open /boot/loader/entries/arch.conf in your editor of choice and add the following:
Warning
If you did not use linux-zen, make sure you specify that in this file. Also, if you used amd-ucode, use that for your initrd instead.
| |
The nvidia-drm.modeset=1 kernel option will be needed for our NVIDIA driver, which we will install
later. If you won’t be using the NVIDIA driver, go ahead and remove this.
GNOME 42
Installing the latest version of GNOME is pretty straight forward. At the time of writing, GNOME 42 is the latest and greatest! You can install it like this:
| |
You may want to include xorg if you are not planning on using Wayland and prefer to stick with X11.
Once that is done installing, you will want to enable to GNOME Desktop Manager service:
| |
If you are looking to install a different Window Manager / Desktop Environment, check the Arch Wiki for guidance on how to do that.
NVIDIA
To install the NVIDIA proprietary drivers, and to get them to play nice with Wayland and GDM, we need to do a few things.
First, install the following:
| |
You may just want nvidia instead of nvidia-dkms, depending on your setup.
The next thing you’ll want to do is prevent the Nouveau video driver from loading. Open /etc/modprobe.d/prevent-nouveau.conf in your editor of choice, and add:
| |
As of writing this, GDM will force X11 and not offer Wayland as an option if it detects that an NVIDIA graphics card is present. To get around this, we just need to disable this rule by doing the following:
| |
Now we will need to set some custom NVIDIA kernel flags and enable NVIDIA’s power management services in order for the latest drivers to work with Wayland. This is a recent issue, as I haven’t had to do this in the past.
Go ahead and open up /etc/modprobe.d/nvidia-power-management.conf in your editor of choice, and add the following:
| |
You can remove the NVreg_EnableMSI=0 option if you’d like. I needed to do that on my end to fix an issue where my display wouldn’t wake up after my computer went to sleep.
Now you just need to enable the following NVIDIA services:
| |
Since we added some new configuration files to our /etc/modprobe.d/ folder, we will need to regenerate our initramfs. Earlier we included the modconf hook, which will tell mkinitcpio to include all configuration files in that directory.
| |
Once the initframfs generates, it is time to boot into our new install for real! Go ahead and exit chroot, unmount, and reboot:
| |
Apparmor Profiles
Assuming everything went well, you should now be booted into your fresh Arch install and logged into your local user account :3
Now that we’re here, let’s verify that Apparmor is working.
| |
The output of Yes will indicate that Apparmor is enabled. To get the current status and list of profiles loaded, run the following:
| |
If you aren’t getting output similar to what is outlined above, head on over to the Arch Wiki for guidance.
Timeshift
Timeshift will be the application we use to create and manage BTRFS snapshots of our root subvolume. This application isn’t yet available in Arch’s official repos, though like anything else, we can find it in the Arch User Repository (AUR).
An easy and convenient way to install and manage AUR packages on your system is to use an AUR helper (or write your own ;3). There are several helpers to pick from, though today I will be using
paru. One of the main reasons I like paru is that it allows you to review and edit the PKGBUILD, in-line, before it runs. If you don’t care about that, or don’t enjoy using vim to edit files, I’d suggest checking out yay.
| |
Now that you have paru, you can install Timeshift like this:
| |
Tip
Think about your disaster and data recovery plan and test it often!
After you install Timeshift, go ahead and open it up and go through the settings / setup process. Make sure you select the BTRFS snapshot type. The snapshot location is up to you, though the most convenient is probably to have it stored on the root subvolume.
I am only using snapshots on my root subvolume, though you can enable snapshots on your home subvolume as well. I am using Timeshift for my system level stuff and duplicity for my user data.
Update 24 Aug 2022:
It turns out that by default, the cronie service is disabled in Arch. This is needed in order for Timeshift to do automatic snapshots. To fix this, run the following to enable the service:
| |
TPM 2.0 Enrollment
Warning
Depending on your security situation, doing this might be a bad idea.
Verify that your TPM is detected, and that it is version 2.0:
| |
If that path doesn’t exist, you might be able to check /sys/class/tpm/tpm0/device/description.
At this point, systemd-cryptenroll should already be able to see our TPM, since we included the systemd and sd-encrypt hooks when generating our initramfs. To verify this you can run:
| |
You should see your TPM listed in the output, similar to what is shown above. Assuming that looks good, you will now want to enroll your TPM to one of your key slots on your LUKS volume, in my case that is partition 2:
| |
After that, you will need to add a new rd.luks.options option to your boot entry for Arch. Open /boot/loader/entries/arch.conf in your editor of choice, and add tpm2-device=auto. Your boot entry should now look something like this:
| |
If you reboot, you should see your system go straight to the login screen. If the TPM is tampered with or removed, you will be prompted to enter your passphrase like before.
Secure Boot
Before you enable Secure Boot, you will need to go into your BIOS and enable “Setup Mode”. This will allow key enrollment. Depending on your BIOS, you may have to first delete all of your pre-existing keys before Setup Mode can be toggled. Refer to your motherboard’s documentation if you run into issues.
You may also wish to keep vendor keys enrolled so you can continue to boot into Windows and use other boot utilities. If you don’t know what you are doing, chances are you will want to keep these vendor keys.
Once your BIOS is in Secure Boot Setup Mode, go ahead and boot back into Arch, and run the following command to verify:
| |
You should see output similar to what is shown above. The important part is to make sure that “Setup Mode” says enabled and that “Secure Boot” says disabled.
Now, with that out of the way, you can create secure boot keys and enroll them, then sign your kernel files. To do this, I used sbctl. They have some excellent documentation on their
Github repo.
To create keys and enroll them, do the following (note, this will ensure that Microsoft’s keys are also enrolled. Remove --microsoft if you don’t want that):
| |
Now we need to sign our EFI boot files. To figure out which files need signing, we can run sbctl verify:
| |
To sign these files, simply run:
| |
To verify that those files were signed, run sbctl verify again:
| |
You may also need to generate an EFI Stub, depending on your configuration. I didn’t need to do this on my end in order for this to work. To learn more, check out the sbctl
usage guide.
Now you can reboot and enable Secure Boot! Once you log back in, you can verify that everything is working by running sbctl status:
| |
Congrats, you now have Secure Boot working!
Additional Firmware
The linux-firmware package covers most firmware for common hardware devices, though I had to install some additional packages to ensure that my system was stable. When you
generate your initframfs, you may see some warning messages about firmware not being installed. Search around for the firmware that is mentioned and you will likely find a package for it in the
AUR.
| |
At this point you’re done! You can probably start enjoying your new Arch Linux install, so go have fun :3
References
I used so, so many references during this process. The list below are the ones I found to be the most helpful.
- https://wiki.archlinux.org/title/Installation_guide
- https://wiki.archlinux.org/title/Iwd#iwctl
- https://wiki.archlinux.org/title/AppArmor
- https://wiki.archlinux.org/title/GNOME
- https://wiki.archlinux.org/title/NVIDIA
- https://wiki.archlinux.org/title/systemd-boot
- https://wiki.archlinux.org/title/Trusted_Platform_Module#Data-at-rest_encryption_with_LUKS
- https://forum.artixlinux.org/index.php/topic,1506.0.html
- https://unix.stackexchange.com/questions/610779/pop-os-systemd-boot-cant-detect-windows
- https://www.reddit.com/r/archlinux/comments/u3ydcf/after_updating_to_5173arch_gnome_wayland/
- https://www.reddit.com/r/archlinux/comments/u31p61/option_to_run_gnome_on_wayland_missing_from_gdm/
- https://www.reddit.com/r/archlinux/comments/u36x68/my_arch_fallback_to_x11_session_after_today/
- https://lemmy.eus/post/2898
- https://github.com/Foxboron/sbctl#usage
- https://odysee.com/@EF-TechMadeSimple:3/arch-linux-install-january-2021-iso-2:a
- https://wiki.tnonline.net/w/Btrfs/Space_Cache
<3 m0x
Nickname: