
#1 2021-11-04 04:53:09

Soultrigger

Offer Feedback on my Install "script" (guide for myself), please?

Hi all,

I am a noob when it comes to Linux. I installed Arch a few years ago and had tons of fun with it. I could do everything I do in other OSes, even gaming and so on. I have had it on dual boot ever since.

I decided to make an "Arch Live USB", so I researched everything again and wrote a guide for myself. The installation on the USB stick was flawless, but I don't know if I can call it a Live USB, since it is just a standard install on a USB stick.

I plan to reinstall my Arch Linux for fun, so I would like your feedback on whether everything I chose to do is fine, and also whether there is something I shouldn't do, or something else that matters that I should do. I would also like feedback on other apps and stuff that aren't in the "script": if it isn't there, I don't know about it. (I already have a question: is there a pure-Wayland sddm, or another display manager for KDE that is?)

Thanks for all the help you can offer. (I am Brazilian, so sorry if my English is too poor. Some commands are specific to my locale.)

Remember: echo value >> file (appends a line to a file)

#Before arch-chroot
    #Keyboard Layout
        ls /usr/share/kbd/keymaps/**/*.map.gz | grep br
        localectl list-keymaps | grep br
        loadkeys br-abnt2
    #Is EFI?
        ls /sys/firmware/efi/efivars
    #Pacstrap Parallel Download
        nano /etc/pacman.conf
            ParallelDownloads = 50
                uncomment / add the line above
    #Do we have internet?
        ip link or ip a
        ping site
    #Do we need Wifi?
        iwctl
        [iwd]#device list
        [iwd]#station device scan
        [iwd]#station device get-networks
        [iwd]#station device connect SSID
        [iwd]#exit
            reminder: you can also do iwctl --passphrase passphrase station device connect SSID
            reminder for later (NetworkManager): nmtui (wifi)
    #time and date
        timedatectl set-ntp true
    #Partition Scheme
        lsblk
        fdisk /dev/sdx or cfdisk /dev/sdx
        mkfs.ext4 /dev/root or home
        mkfs.fat -F32 /dev/boot
            this last one formats the EFI partition, in case you need to (don't do it if you have Windows or another OS installed)
        mkswap /dev/swap
        #USB Live
            mkfs.ext4 -O "^has_journal" /dev/root or home
                so that we get an ext4 filesystem without journaling
    #Mounting Partitions
        mount /dev/sdx /mnt
        mkdir /mnt/boot
        mkdir /mnt/home
        mount /dev/sdx /mnt/boot
        mount /dev/sdx /mnt/home
        swapon /dev/sdx
            beware that you need to mount the root partition first and only then create the boot and home directories, so that they are actually created on the root partition; if you create them before mounting, it will mess up the partition layout and break the boot (EFI/ESP partition) and so on.
    #USB Live - Doing a RAM journaling
        mkdir /etc/systemd/journald.conf.d
        /etc/systemd/journald.conf.d/usbstick.conf
            [Journal]
            Storage=volatile
            RuntimeMaxUse=30M
                So we get a 30 MB journal in RAM. We need to shut down properly so we don't lose data or damage the partition.
    #Pacstrap
        pacstrap /mnt base base-devel linux linux-firmware linux-headers amd-ucode nano sudo
    #Generate Fstab
        genfstab -U /mnt >> /mnt/etc/fstab
        cat /mnt/etc/fstab
    #Chroot
        arch-chroot /mnt

#After arch-chroot
    #Set up timezone
        timedatectl list-timezones | grep Sao
        ln -sf /usr/share/zoneinfo/Region/City /etc/localtime
        hwclock -w
    #Set up locale
        nano /etc/locale.gen
            pt_BR.UTF-8 UTF-8
                uncomment line
        locale-gen
        nano /etc/locale.conf
            LANG=pt_BR.UTF-8
        nano /etc/vconsole.conf
            KEYMAP=br-abnt2
    #Hostname / Hosts
        nano /etc/hostname
            soul
        nano /etc/hosts
            127.0.0.1   localhost
            ::1         localhost
            127.0.1.1   soul.localdomain   soul
    #Boot - systemd bootloader
        #Install
            bootctl install
        #Set up Loader
            sudo -e /boot/loader/loader.conf
                default arch
                timeout 0
                console-mode max
                editor no
        #Set up Menu Entry
            blkid
            echo UUID=rootUUID >> /boot/loader/entries/arch.conf
            sudo -e /boot/loader/entries/arch.conf
                title Arch Linux
                linux /vmlinuz-linux
                initrd /amd-ucode.img
                initrd /initramfs-linux.img
                options root=UUID=rootUUID resume=UUID=swapUUID rw
                    if you don't want to suspend and resume, don't use the resume= option, but do keep rw (read/write for your root partition).
        #Set up Hook to auto update loader
            sudo -e /etc/pacman.d/hooks/100-systemd-boot.hook
                [Trigger]
                Type = Package
                Operation = Upgrade
                Target = systemd

                [Action]
                Description = Updating systemd-boot
                When = PostTransaction
                Exec = /usr/bin/bootctl update
        #Troubleshooting
            #UEFI didnt update loader entry - Fix
                pacman -S efibootmgr
                efibootmgr -c -d /dev/vda -p 1 -l '\EFI\systemd\systemd-bootx64.efi' -L 'Arch Linux'
                    where vda and 1 are the device and partition holding the ESP (EFI partition)
                efibootmgr -c -d /dev/vda -p 1 -l '\vmlinuz-linux root=/dev/vda2 initrd=\amd-ucode.img initrd=\initramfs-linux.img' -v
                    the same rules apply, but this loads the kernel directly as an EFI executable, so no boot loader is needed. In a quick test adding amd-ucode failed, so you might need to leave just the initramfs. Root can be a device, UUID or LABEL.
            #UEFI menu entry removal
                efibootmgr -b 0000 -B
            #Reinstall Kernel/AMD-ucode
                mkinitcpio -P or pacman -S linux or pacman -S amd-ucode
    #Root passwd
        passwd
    #Activate basic network and reboot to test boot and load locale variables    
        pacman -S networkmanager
        systemctl enable NetworkManager
        exit
        umount -R /mnt
        reboot
            if everything works out fine, you should get a login prompt. Now type root and your password.
        nmtui
            to connect to wifi if you need it (text-based menu interface to connect to wifi)
    #Creating user
        #Installing user variables and folders
            pacman -S xdg-utils xdg-user-dirs
                Add user variables and folders
        #Adding user
            useradd -mUG adm,wheel soultrigger
                this creates the home folder (-m), a group with your user name (-U), and adds you to the adm and wheel groups (-G). If you just did useradd soultrigger it would create only your user and the soultrigger group; it would not create your home folder or add you to any other group.
        #User password
            passwd soultrigger
    #Secure Editor
        nano /etc/sudoers
            Defaults editor=/usr/bin/rnano
                If, like me, you use nano, this makes sudo use the restricted nano (rnano) to edit files: EDITOR=nano visudo runs nano as root, and a full editor running as root lets you run arbitrary commands from inside it (a big security flaw). There is also an added benefit: with sudo -e, rnano runs as your normal user (it still asks for your sudo password) and saves to a temporary file; only then does sudo elevate privileges to copy the temporary file over the file we wanted to edit, which is a far more secure setup. After this change, edit files with sudo -e /path/file and it will call rnano for you automatically. If it fails to overwrite the target file, it will notify you and you will have both files (the original and the temporary one).
    #Sudoers
        sudo -e /etc/sudoers.d/01_soultrigger
            soultrigger ALL=(ALL) ALL
    #Pacman Parallel Download
        sudo -e /etc/pacman.conf
            ParallelDownloads = 50
                uncomment / add the line above
    
    #Graphic Driver & Gaming - AMD / Vulkan
        #Activate Multilib
            sudo -e /etc/pacman.conf
                [multilib]
                Include = /etc/pacman.d/mirrorlist
                    uncomment lines
            pacman -Syu
                you need to update the system to actually activate it, or the next pacman command will fail
        #Driver and Vulkan
            pacman -S mesa lib32-mesa xf86-video-amdgpu vulkan-radeon lib32-vulkan-radeon libva-mesa-driver lib32-libva-mesa-driver mesa-vdpau lib32-mesa-vdpau vulkan-tools
        #Loading driver / Support Southern Islands
            mkdir /etc/modprobe.d
            sudo -e /etc/modprobe.d/amdgpu.conf
                options amdgpu si_support=1
                options amdgpu cik_support=0
            sudo -e /etc/modprobe.d/radeon.conf
                options radeon si_support=0
                options radeon cik_support=0
            sudo -e /etc/mkinitcpio.conf
                HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)
                    Hook sample; you need to make sure modconf is on this line
    #Audio - Alsa / Pipewire
        pacman -S pipewire xdg-desktop-portal xdg-desktop-portal-kde
            For additional support install pipewire-alsa pipewire-pulse pipewire-jack (so that pipewire works as a drop-in for those other sound servers)
            For 32-bit support: lib32-pipewire and lib32-pipewire-jack
            ALSA is within the kernel.
            xdg-desktop-* add screen/sound sharing for browsers on wayland/pipewire
    #Network - Bluetooth - Printer - Security
        pacman -S networkmanager network-manager-applet wpa_supplicant bluez bluez-utils cups cups-pdf firewalld firejail 
        systemctl enable NetworkManager
        systemctl enable bluetooth
        systemctl enable firewalld
        sudo firecfg
        sudo -e /etc/pacman.d/hooks/firejail.hook
            [Trigger]
            Type = Path
            Operation = Install
            Operation = Upgrade
            Operation = Remove
            Target = usr/bin/*
            Target = usr/local/bin/*
            Target = usr/share/applications/*.desktop

            [Action]
            Description = Configure symlinks in /usr/local/bin based on firecfg.config...
            When = PostTransaction
            Depends = firejail
            Exec = /bin/sh -c 'firecfg >/dev/null 2>&1'
                Hook to auto-update the firejail config each time pacman changes the system
        #File Sharing - Samba
            pacman -S nfs-utils sshfs dnsmasq samba
            systemctl enable dnsmasq
                samba seems to require some fine-tuning to configure; I advise looking at the ArchWiki
    #Virtualization - KVM / QEMU / Libvirt
        pacman -S virt-manager qemu ebtables iptables-nft bridge-utils openbsd-netcat dnsmasq dmidecode ovmf
            qemu-arch-extra adds other foreign architectures; unfortunately there is no package split per architecture such as arm64
        sudo usermod -G libvirt -a soultrigger
            sudo -e /etc/libvirt/libvirtd.conf (this one prevented libvirt from running on my live system, so you might want to skip this change)
                #unix_sock_group = "libvirt"
                #unix_sock_ro_perms = "0777"  # set to 0770 to deny non-group libvirt users
                #unix_sock_rw_perms = "0770"
                #auth_unix_ro = "none"
                #auth_unix_rw = "none"
                    uncomment these lines and change the values; the point is to use file-permission-based access control instead of polkit, but it failed on my live system and I had to revert these changes for libvirt to load and activate properly
        systemctl enable ebtables
        systemctl enable dnsmasq
        systemctl enable libvirtd
    #KDE - DE
        pacman -S plasma plasma-wayland-session sddm akregator ark dolphin dolphin-plugins elisa filelight gwenview kalarm kamoso kate kbackup kcalc kcharselect kcolorchooser kdeconnect kdenlive kdf kdialog kfind khelpcenter kleopatra kmag kmail knotes kolourpaint kompare konsole konversation korganizer krdc krfb ksystemlog ktimer ktorrent kwalletmanager kwave okular partitionmanager print-manager skanlite spectacle sweeper yakuake okteta ffmpegthumbs kdegraphics-mobipocket kdegraphics-thumbnailers kdenetwork-filesharing kdesdk-thumbnailers zeroconf-ioslave ksysguard qt5-virtualkeyboard packagekit-qt5 kde-gtk-config
        systemctl enable sddm
            Theme: Arc Dark; Icons: Papirus-Dark; sddm: Crown-Blue
    #Applications - Outside KDE base
        pacman -S dialog man-db man-pages bash-completion rsync reflector neofetch efibootmgr firefox chromium calibre discord gimp krita libreoffice-fresh lutris steam wine winetricks qbittorrent vlc onboard avahi nss-mdns ntfs-3g fzf
        sudo -e /etc/xdg/reflector/reflector.conf
            --save /etc/pacman.d/mirrorlist
            --country Brazil
            --protocol https
            --latest 5
            --sort rate
        systemctl enable reflector.timer
    #USB stick multi video driver support
        pacman -S xf86-video-vesa xf86-video-ati xf86-video-amdgpu xf86-video-intel xf86-video-nouveau
    #USB stick prevention of useless writes
        pacman -S libeatmydata
        eatmydata firefox
            the point of this command is to reduce non-essential writes from Firefox to the stick (eatmydata turns fsync() into a no-op, so writes stay cached instead of being flushed immediately; a crash or unclean unplug can lose that cached data)
    #Security
        #Storage Encryption?
            I need to research this
        #Limit Su to Wheel Group
            sudo -e /etc/pam.d/su
                auth required pam_wheel.so use_uid
                    uncomment the line
                    enforces that only members of the wheel group can run su
        #Delay on Login Attempt
            sudo -e /etc/pam.d/system-login
                auth optional pam_faildelay.so delay=4000000
                    adds a 4 second delay after a failed login attempt; useful?
        #Limit Amount of Processes?
            sudo -e /etc/security/limits.conf
                * soft nproc 100
                * hard nproc 200
                    the point is to prevent an exploit by an unknown user (an intruder) from spawning processes on your system beyond what you normally use; you will be limited to the soft limit, but you can raise it up to the hard limit with prlimit
        #Wayland instead of Xorg
            Use Wayland instead of Xorg (Xorg usually runs as root, which is a major security flaw. It seems Xorg can now run as a normal user, judging by what pacman says nowadays when you install it. Nonetheless I believe SDDM still runs under Xorg, although with systemd it seems to use normal user privileges. Hopefully we will get a Wayland-only SDDM soon.)
        #Secure Editor (already done above)
            nano /etc/sudoers
                Defaults editor=/usr/bin/rnano
                    If, like me, you use nano, this makes sudo use the restricted nano (rnano) to edit files: EDITOR=nano visudo runs nano as root, and a full editor running as root lets you run arbitrary commands from inside it (a big security flaw). There is also an added benefit: with sudo -e, rnano runs as your normal user (it still asks for your sudo password) and saves to a temporary file; only then does sudo elevate privileges to copy the temporary file over the file we wanted to edit, which is a far more secure setup. After this change, edit files with sudo -e /path/file and it will call rnano for you automatically. If it fails to overwrite the target file, it will notify you and you will have both files (the original and the temporary one).
        #Disables SSH login without tty
            sudo -e /etc/sudoers
                # Disable "ssh hostname sudo <cmd>", because it will show the password in clear text. You have to run "ssh -t hostname sudo <cmd>".
                #
                Defaults    requiretty
                    Enforces that sudo over SSH can only be used from a real tty; otherwise your sudo password could be compromised (it would be shown as you type it).
        #Disable SSH root login
            sudo -e /etc/ssh/sshd_config
                PermitRootLogin no
                    Enforces that you can't log in as root through SSH.
        #Limits Login Schemes
            sudo -e /etc/security/access.conf
                +:root:LOCAL
                -:root:ALL
                +:soultrigger:LOCAL
                +:(wheel):LOCAL
                +:(adm):LOCAL
                -:ALL:ALL
                    Limits login access: the first matching rule is applied and the rest are ignored, so we mostly allow local logins and prevent remote ones, and all attempts by users not listed here are rejected. If you will use remote access, remember to change this later.
        *****Learn SSH, you damn noob (talking to myself)*****
        #ACL for aditional security?
            ACLs can increase security by adding extra options to the Linux permission system. It is part of systemd. The partition needs to be mounted with ACL support enabled for it to work. Initially I didn't see a reason to use it on my local home machine. There is also MAC (mandatory access control), but it seemed way too troublesome to use.
        #Disable Kexec (allows to change the kernel in execution)
            sudo -e /etc/sysctl.d/51-kexec-restrict.conf
                kernel.kexec_load_disabled = 1
                    Disables kexec (which allows replacing the running kernel), so you prevent an intruder from changing your machine in a major way.
                    
    #Packages
        arch-install-scripts
        fontforge
        tlp
        lkrg
        usbguard
        pacman-contrib (scripts for pacman - paccache)
        pkgfile (searches for a file in the package repositories; pkgfile -u to sync, pkgfile file to search, -l to list all files of a package)
        
    #Pacman
        #System update
            pacman -Syu (updates the system; don't use partial updates)
        #Package Install
            pacman -S package (installs the package; if it is a package group you get options like below)
                Enter a selection (default=all): 1-10 15 (installs 1 through 10 and 15)
                Enter a selection (default=all): ^5-8 ^2 (installs all except 5 through 8 and 2)
            pacman -S --needed package (installs the package, but only the ones not installed yet)
            pacman -S --needed - < pkglist.txt (installs the packages in the list)
            pacman -S --needed $(comm -12 <(pacman -Slq | sort) <(sort pkglist.txt)) (installs the packages in the list, skipping the AUR or locally installed ones)
            pacman -Qqn | pacman -S - (reinstalls all packages)
            pacman -S --asdeps package_name (installs the explicitly named package but marks it as a dependency)
        #Package Searchs / Info
            pacman -Sg package (shows the packages that are part of the package group)
            pacman -Si package (shows more details about the package)
            pacman -Qi package (same as above, but only about the installed packages)
            pacman -Qii package (adds information about backups)
            pacman -Ql package (lists all files installed by the package)
            pacman -Qk package (verifies if the package files are installed (verifies errors). -Qkk for a more extensive verification)
            pacman -Qo /path/file (shows what package the file is a part of)
            pacman -Qtd (verifies packages without any dependencies (orphans))
            pacman -Qet (same as above, but for dependencies explicitly installed, but without use/connection)
            pacman -Qe (lists explicitly installed packages) and -Qd (lists implicitly installed packages) (pacman can change a package from explicit to implicit if you use --asdeps when you install it) (for reference, explicit ones are those you put on the pacman command line and implicit ones are the dependencies those packages pulled in)
            pacman -Fx package (x = variable for all the above basically, but it is for remote packages)
            pacman -F file.extension (searchs for a package that contains the file)
            pacman -Qqm (lists packages from AUR)
        #Package Removal
            pacman -Rs package (removes the package and all its dependencies not used by other packages - it is the right way to do it)
            pacman -Rsu package (removes the package and all its dependencies even if needed by another package - use it if the above one fails)
            pacman -Rdd package (you should not use this one, there is a huge chance of breaking the system (beware, some people put it in tutorials))
            pacman -Rn (prevents pacman from saving a backup of configuration files as .pacsave when it removes a package. Pacman doesn't remove .config from home)
            pacman -Qtdq | pacman -Rns - (in theory removes the orphaned packages)
            pacman -Rsu $(comm -23 <(pacman -Qq | sort) <(sort pkglist.txt)) (removes packages not in the list)
        #Clean Cache
            pacman -Sc (cleans the package cache (backup copies of older versions), but keeps the most recent copy of each package. -Scc forces cleaning all packages in the cache)
            paccache -r (removes all old packages (backups in the cache) left over from updates; -rk1 keeps the most recent backup of each package)
        #Package Download without Install
            pacman -Sw package (downloads the package without installing it)
        #AUR / Local Package Install
            pacman -U /path/to/package/package_name-version.pkg.tar.zst (install the package locally, usually a AUR one)
            pacman -U http://www.example.com/repo/example.pkg.tar.zst (same as above, but remotely)
        #Package install reason change
            pacman -D --asdeps package (changes the install reason from explicitly to implicitly --asexplicit to revert it)
            (don't use the option above with -Syu, it changes all linked packages)
        #Syncs database
            pacman -Fy (synchronizes the database)
        #Unlocks database
            rm /var/lib/pacman/db.lck (removes the database lock; this happens sometimes when pacman gets interrupted by the user or for some other reason)
        
        #Package Lists
            pacman -Qqe > pkglist.txt
            LC_ALL=C pacman -Qi | awk '/^Name/{name=$3} /^Installed Size/{print $4$5, name}' | sort -h (lists packages and their size)
            expac (list package by size and description)
            expac -H M "%011m\t%-20n\t%10d" $(comm -23 <(pacman -Qqen | sort) <({ pacman -Qqg base-devel; expac -l '\n' '%E' base; } | sort | uniq)) | sort -n
            fzf: pacman -Qq | fzf --preview 'pacman -Qil {}' --layout=reverse --bind 'enter:execute(pacman -Qil {} | less)' (browse packages)

