Install Artix - Sawangg/dotfiles GitHub Wiki
Download the ISO image on the official Artix Linux website. We will choose the artix-base-dinit-x86_64.iso version to get Artix Linux with dinit. The partitions for our machine will be like the following
Important
Need to figure out the correct setup with SWAP & BTRFS
System: UEFI & GPT
+----------------------+----------------------+----------------------+----------------------+
| EFI system partition | BTRFS Subvolume 1 | BTRFS Subvolume 2 | BTRFS Subvolume 3 |
| | | | |
| /efi (fat32) | / (btrfs) | /home (btrfs) | [@snapshots] |
| | | | |
| /dev/your-disk-1 |----------------------+----------------------+----------------------+
| unencrypted | /dev/your-disk-2 encrypted using LUKS2 |
+----------------------+--------------------------------------------------------------------+
| physical disk - /dev/your-disk |
+-------------------------------------------------------------------------------------------+
Use this schema as reference if you're lost with what disk or partitions I use in the commands
This approch is using BTRFS with LUKS2 to encrypt our entire system. We will also later on protect our /efi partition using secure boot. This will provide maximum security for our data.
During this guide, I will reference the disk as either /dev/your-disk or a variant of this to indicate a specific partition. You will be able to see if your disk is /dev/sda for a hard drive or /dev/nvme0n1 for an M.2 SSD or any other in the section about wiping your disk.
Locate the ISO you downloaded on your machine and use a tool like dd on Linux or Rufus on Windows to flash the usb.
Here is the command to run as root to flash the USB on Linux
dd bs=4M if=path/to/artix-base-dinit-x86_64.iso of=/dev/my-usb conv=fsync oflag=direct status=progressOnce the USB is flashed, plug the USB in your PC when it's shutdown, press the boot menu choice key or change the bootable order in your BIOS and boot onto the USB.
You might need to edit the GRUB boot options depending on your hardware or else you'll get a black screen once you loaded the live OS. Press e on the Stick/HDD option of the menu and add ‘nomodeset’ at the end of the line that starts with linux.
linux ... nodemoset
Press f10 to boot. You should now have access to the root terminal of your live Artix Linux.
Use the default credentials
username: root
password: artixChange your keyboard mapping if you didn't change the keytable in the GRUB options.
loadkeys <keymap> # Ex: loadkeys fr # For azerty layoutThis step ensure that you start with a fresh disk. You can use whatever disk manager tool you’re comfortable with. Be careful if you have data on this drive it will be deleted!
List your partitions and disks:
lsblkWipe the data
dd bs=4096 if=/dev/urandom iflag=nocache of=/dev/your-disk oflag=direct status=progress || trueWAIT for the process to finish and run
syncWe're going to need to connect to the network to install the necessary packages. Follow those steps to connect to the WIFI using wpa_supplicant provided in the live install of Artix.
rfkill unblock wlan
ip link set wlan0 up
wpa_cli
add_network
set_network (id) ssid "myssid"
set_network (id) psk "mypassword"
enable_network (id)We're going to use the parted tool to create our partitions. Let's download it
pacman -S partedCreate a GPT partition table
parted -s /dev/your-disk mklabel gptWe're going to use the UEFI & GPT combo. The first partition is going to hold our bootloader and the rest will be encrypted LUKS.
We're also going to use btrfs instead of ext4 to get filesystem snapshots, builtin subvolumes and because it's a more recent filesystem.
parted -s -a optimal /dev/your-disk mkpart "primary" "fat32" "0%" "512MiB"
parted -s /dev/your-disk set 1 esp on
parted -s -a optimal /dev/your-disk mkpart "primary" "512MiB" "100%"Print the partition table of a drive and see if the alignment of your partition is optimal
lsblk
parted -s /dev/your-disk align-check optimal 1
parted -s /dev/your-disk align-check optimal 2Now we're going to encrypt our disk. To get started run the next command to see the performance of every cipher on your machine
cryptsetup benchmarkTo generate a strong password, you can use this tool: https://rumkin.com/tools/password/
Next we're going to encrypt the disk using one of the stronger cipher proposed by the benchmark.
cryptsetup -v --pbkdf pbkdf2 -c aes-xts-plain64 -s 256 --iter-time 10000 --use-random --verify-passphrase luksFormat /dev/your-disk-2Important
When GRUB is patched to allow the use of Argon2id, remove --pbkdf pbkdf2 from the command
Then we mount using the device mapper. A possible reboot here can fix issues mounting the partition.
cryptsetup luksOpen /dev/your-disk-2 alphabtrfs subvolume create /mnt/@rootNow unmount to change so we can change the mounting options
We can format each partition to use the correct file system.
mkfs.fat -n ESP -F 32 /dev/your-disk-1
mkswap -L SWAP /dev/alpha/volSwap
mkfs.btrfs -L ROOT /dev/alpha/volRoot
mkfs.btrfs -L HOME /dev/alpha/volUserYou might get some errors from btrfs, you can check the filesystem using lsblk -f
We can finally mount our newly created partitions.
swapon /dev/alpha/volSwap
mount /dev/alpha/volRoot /mnt
mkdir -p /mnt/boot/efi
mount /dev/your-disk-1 /mnt/boot/efi
mkdir /mnt/home
mount /dev/alpha/volUser /mnt/homeWe did it! We can finally install Artix to our system.
It's time to install all the necessary packages for your brand new os.
First we're going to install the base. I chose dinit but you can use runit openrc or s6 and I also added seatd instead of elogind to keep the philosophy of Artix
basestrap -i /mnt base base-devel dinit seatd seatd-dinit dbus-dinitThen we're going to chose linux-hardened for more security. We're also using seatd and turnstile instead of elogind. We're going to install turnstile later on.
basestrap -i /mnt linux-firmware linux-hardened linux-hardened-headers booster cryptsetup btrfs-progs dhcpcd dhcpcd-dinit iwd iwd-dinit acpi chrony chrony-dinit openssh manAnd finally we're going to install additional packages
basestrap -i /mnt doas vim git amd-ucode fastfetchFeel free to replace the amd-ucode with the necessary drivers for your CPU (intel-ucode). We're going to install GPU drivers later on.
Generate the fstab
fstabgen -U /mnt >> /mnt/etc/fstabEnsure everything is listed correctly
cat /mnt/etc/fstabIf you're missing an entry, add it manually, for example this is the command to add your /home
echo -e "# /dev/mapper/alpha-volUser LABEL=HOME\nUUID=`blkid -s UUID -o value /dev/alpha/volUser`\t/home\t\text4\t\trw,relatime\t0 2\n" | tee -a /mnt/etc/fstabtmpfs is a temporary filesystem that resides in memory or swap partitions. Without systemd, only the /run directory uses tmpfs by default. We can change the size of tmpfs partition using this command
echo -e "\ntmpfs\t\t\t\t\t\t/tmp\t\ttmpfs\t\trw,nosuid,nodev,relatime,size=8G,mode=1777\t0 0\n" | tee -a /mnt/etc/fstabartix-chroot /mnt /bin/bashSet your new root password
passwdSince we're using doas instead of sudo and for whatever reason sudo is a dependency of base-devel, we will remove it now
pacman -Rdd sudoFirst we need to generate our local. It is recommanded to use en_US
echo -e "en_US.UTF-8 UTF-8" >> /etc/locale.gen
locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf
export LANG=en_US.UTF-8Then we need to switch our timezone
ln -s /usr/share/zoneinfo/your-continent/your-city /etc/localetime
hwclock --systohcSetup your hostname, in this example "Artix"
echo "Artix" > /etc/hostnameAnd finally we need to add our static hosts
vim /etc/hostsAnd insert this
127.0.0.1 localhost
::1 localhost
127.0.1.1 myhostname.localdomain myhostname
Add your keymaps in vconsole
echo "KEYMAP=fr" > /etc/vconsole.confNext we're going to create a user account
useradd -m myuser
passwd myuser
usermod -aG wheel,storage,power myuserWe need to enable the use of doas for the wheel group. To do that create doas.conf
vim /etc/doas.confAnd add
permit :wheelIf you wan to persist your password in your terminal after you used it once, you can change the doas.conf to this
permit persist :wheelKeep in mind that this is not as secure as typing your password every time.
We're going to use booster instead of the more traditional mkinitcpio. Here is the config we're going to use in /etc/booster.yaml
universal: false
modules: btrfs
mount_timeout: 30sNow we can build our image. Be sure to check your kernel version with ls /usr/lib/mobules or uname -r
booster build -f --kernel-version -6.10.12-hardened1-1-hardened /boot/booster-linux-hardened.imgImportant
For LUKS2 without Argon2id, to embed the key in the initramfs, run that cryptsetup luksAddKey --pbkdf pbkdf2 /dev/your-disk-2 /crypto_keyfile.bin
Let's install our bootloader GRUB
pacman -S grub efibootmgrRun this command to add the correct configuration. Make sure you reference the correct partition (it should be your second one)
sed -i "s/^GRUB_CMDLINE_LINUX_DEFAULT=.*/GRUB_CMDLINE_LINUX_DEFAULT=\"cryptdevice=UUID=`blkid -s UUID -o value /dev/your-disk-2`:alpha loglevel=3 quiet resume=UUID=`blkid -s UUID -o value /dev/alpha/volSwap` net.iframes=0\"/" /etc/default/grubNext open the file and check if the output of the previous command is correct
vim /etc/default/grubThen uncomment this line
GRUB_ENABLE_CRYPTODISK="y"
Save the file and run the next two commands to install and generate the config
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=artix --recheck /dev/your-disk
grub-mkconfig -o /boot/grub/grub.cfgCheck the output of the command to see if it used our booster-linux-hardened image we created earlier
It seems like we can now boot into our system.
Exit the termnial, unmount the partitions and reboot !
exit
umount -R /mnt
swapoff -a
sync
rebootBecause we didn't install networkmanager, we're going to enable the dhcpcd service as root to get an ip adress
doas dinitctl enable dbus
doas dinitctl enable dhcpcdWe will also enable other services
doas dinitctl enable chronyIf you installed iwd in the basestrap, you can connect to the wifi by running
doas dinitctl enable iwd
iwctl
station name connect SSIDYou can also change your DNS to whatever you want (don't use one that tracks you please). You can prevent the file from being updated if you want your DNS configuration to be persistent.
vim /etc/resolv.conf
chattr +i /etc/resolv.confYou're DONE !! Congratulation, you're well on your way to have a secure system. See the next page of the wiki to upgrade the security of your newly installed system.