Install Artix - Sawangg/dotfiles GitHub Wiki
Download the ISO image on the official Artix Linux website. We will choose the artix-base-dinit-x86_64.iso
version to get Artix Linux with dinit. The partitions for our machine will be like the following
System: UEFI & GPT
+----------------------+----------------------+----------------------+----------------------+
| EFI system partition | Logical volume 1 | Logical volume 2 | Logical volume 3 |
| | | | |
| /efi | / | [SWAP] | /home |
| | | | |
| | /dev/alpha/volRoot | /dev/alpha/volSwap | /dev/alpha/volUser |
| /dev/your-disk-1 |----------------------+----------------------+----------------------+
| unencrypted | /dev/your-disk-2 encrypted using LVM on LUKS1 |
+----------------------+--------------------------------------------------------------------+
| physical disk - /dev/your-disk |
+-------------------------------------------------------------------------------------------+
Use this schema as reference if you're lost with what disk or partitions I use in the commands
This approch is using LVM on LUKS to encrypt our entire system. We will also later on protect our boot/efi
partition using the secure bios and an additional tool. This will provide maximum security for our data.
During this guide, I will reference the disk as either /dev/your-disk
or a variant of this to indicate a specific partition. You will be able to see if your disk is /dev/sda
for a hard drive or /dev/nvme0n1
for an M.2 SSD or any other in the section about wiping your disk.
Locate the ISO you downloaded on your machine and use a tool like dd on Linux or Rufus on Windows to flash the usb.
Here is the command to run as root to flash the USB on Linux
dd bs=4M if=path/to/artix-base-dinit-x86_64.iso of=/dev/my-usb conv=fsync oflag=direct status=progress
Once the USB is flashed, plug the USB in your PC when it's shutdown, press the boot menu choice key or change the bootable order in your BIOS and boot onto the USB.
You might need to edit the GRUB boot options depending on your hardware or else you'll get a black screen once you loaded the live OS. Press e on the Stick/HDD option of the menu and add ‘nomodeset’ at the end of the line that starts with linux.
linux ... nodemoset
Press f10 to boot. You should now have access to the root terminal of your live Artix Linux.
Use the default credentials
username: root
password: artix
Change your keyboard mapping if you didn't change the keytable in the GRUB options.
loadkeys <keymap> # Ex: loadkeys fr # For azerty layout
This step ensure that you start with a fresh disk. You can use whatever disk manager tool you’re comfortable with. Be careful if you have data on this drive it will be deleted!
List your partitions and disks:
lsblk
Wipe the data
dd bs=4096 if=/dev/urandom iflag=nocache of=/dev/your-disk oflag=direct status=progress || true
WAIT for the process to finish and run
sync
We're going to need to connect to the network to install the necessary packages. Follow those steps to connect to the WIFI using wpa_supplicant
provided in the live install of Artix.
rfkill unblock wlan
ip link set wlan0 up
wpa_cli
add_network
set_network (id) ssid "myssid"
set_network (id) psk "mypassword"
enable_network (id)
We're going to use the parted tool to create our partitions. Let's download it
pacman -Syu
pacman -S parted
Create a GPT partition table
parted -s /dev/your-disk mklabel gpt
We're going to use the UEFI & GPT combo. The first partition is going to hold our bootloader and the rest will be encrypted using LVM on LUKS. We're also going to use btrfs
instead of ext4
to get filesystem snapshots and because it's a more recent filesystem.
parted -s -a optimal /dev/your-disk mkpart "primary" "fat32" "0%" "512MiB"
parted -s /dev/your-disk set 1 esp on
parted -s -a optimal /dev/your-disk mkpart "primary" "btrfs" "512MiB" "100%"
parted -s /dev/your-disk set 2 lvm on
Print the partition table of a drive and see if the alignment of your partition is optimal
lsblk
parted -s /dev/your-disk align-check optimal 1
parted -s /dev/your-disk align-check optimal 2
Now we're going to encrypt our disk. To get started run the next command to try to force the unlocking of stronger ciphers
cryptsetup benchmark
If that didn't work and you get an N/A on serpent-xts, try rebooting your live environment.
To generate a strong password, you can use this tool: https://rumkin.com/tools/password/
Next we're going to encrypt the disk using one of the stronger cipher proposed by the benchmark.
cryptsetup --verbose --type luks1 --cipher serpent-xts-plain64 --key-size 512 --hash sha512 --iter-time 10000 --use-random --verify-passphrase luksFormat /dev/your-disk-2
Then we mount using the device mapper. A possible reboot here can fix issues mounting the partition.
cryptsetup luksOpen /dev/your-disk-2 alpha
Now it's possible to create the physical volume
pvcreate /dev/mapper/alpha
And finally the logical volume that we'll call alpha
vgcreate alpha /dev/mapper/alpha
Next we can create the 3 partitions needed: swap user and root
lvcreate --contiguous y --size 16G alpha --name volSwap
lvcreate --contiguous y --size 400G alpha --name volUser
lvcreate --contiguous y --extents +100%FREE alpha --name volRoot
We can format each partition to use the correct file system.
mkfs.fat -n ESP -F 32 /dev/your-disk-1
mkswap -L SWAP /dev/alpha/volSwap
mkfs.btrfs -L ROOT /dev/alpha/volRoot
mkfs.btrfs -L HOME /dev/alpha/volUser
We can finally mount our newly created partitions.
swapon /dev/alpha/volSwap
mount /dev/alpha/volRoot /mnt
mkdir -p /mnt/boot/efi
mount /dev/your-disk-1 /mnt/boot/efi
mkdir /mnt/home
mount /dev/alpha/volUser /mnt/home
We did it! We can finally install Artix to our system.
It's time to install all the necessary packages for your brand new os.
First we're going to install the base. I chose dinit but you can use runit openrc or s6 and I also added seatd instead of elogind to keep the philosophy of Artix
basestrap -i /mnt base base-devel dinit seatd seatd-dinit dbus-dinit
Then we're going to chose linux-hardened for more security. We're also using seatd and turnstile instead of elogind. We're going to install turnstile later on. (TODO: try booster instead of mkinitcpio)
basestrap -i /mnt linux-firmware linux-hardened linux-hardened-headers mkinitcpio dhcpcd dhcpcd-dinit iwd iwd-dinit acpi acpid acpid-dinit chrony chrony-dinit openssh man
And finally we're going to install additional packages
basestrap -i /mnt doas vim git amd-ucode fastfetch
Feel free to replace the amd-ucode with the necessary drivers for your CPU (intel-ucode). We're going to install GPU drivers later on.
Generate the fstab
fstabgen -U /mnt >> /mnt/etc/fstab
Ensure everything is listed correctly
cat /mnt/etc/fstab
If you're missing an entry, add it manually, for example this is the command to add your /home
echo -e "# /dev/mapper/alpha-volUser LABEL=HOME\nUUID=`blkid -s UUID -o value /dev/alpha/volUser`\t/home\t\text4\t\trw,relatime\t0 2\n" | tee -a /mnt/etc/fstab
tmpfs is a temporary filesystem that resides in memory or swap partitions. Without systemd, only the /run directory uses tmpfs by default. We can change the size of tmpfs partition using this command
echo -e "\ntmpfs\t\t\t\t\t\t/tmp\t\ttmpfs\t\trw,nosuid,nodev,relatime,size=8G,mode=1777\t0 0\n" | tee -a /mnt/etc/fstab
artix-chroot /mnt /bin/bash
Set your new root password
passwd
Since we're using doas
instead of sudo
and for whatever reason sudo
is a dependency of base-devel
, we will remove it now
pacman -Rdd sudo
First we need to generate our local. It is recommanded to use en_US
echo -e "en_US.UTF-8 UTF-8" >> /etc/locale.gen
locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf
export LANG=en_US.UTF-8
Then we need to switch our timezone
ln -s /usr/share/zoneinfo/your-continent/your-city /etc/localetime
hwclock --systohc
Setup your hostname, in this example "Artix"
echo "Artix" > /etc/hostname
And finally we need to add our static hosts
vim /etc/hosts
And insert this
127.0.0.1 localhost
::1 localhost
127.0.1.1 myhostname.localdomain myhostname
Add your keymaps in vconsole
echo "KEYMAP=fr" > /etc/vconsole.conf
Next we're going to create a user account
useradd -m myuser
passwd myuser
usermod -aG wheel,storage,power myuser
We need to enable the use of doas for the wheel group. To do that create doas.conf
vim /etc/doas.conf
And add
permit :wheel
If you wan to persist your password in your terminal after you used it once, you can change the doas.conf
to this
permit persist :wheel
Keep in mind that this is not as secure as typing your password every time.
pacman -S cryptsetup lvm2 lvm2-dinit
dinitctl enable lvm2
vim /etc/mkinitcpio.conf
And insert encrypt lvm2 and resume between the block and filesystems parameters
HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block filesystems fsck)
Should become
HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt lvm2 resume filesystems fsck)
Next, we will create a key to decrypt our disk during boot by our bootloader. If we don't do that, we will be prompted for our encryption key twice instead of one directly on boot. The default path for that key is /crypto_keyfile.bin
. BE CAREFUL to never leak this key because it can fully decrypt your disk. We will generate it like this
dd if=/dev/random of=/crypto_keyfile.bin bs=512 count=8 iflag=fullblock
chmod 000 /crypto_keyfile.bin
Add the file to the FILES
hook of /etc/mkinitcpio.conf
and register your key.
sed -i "s/FILES=(/FILES=(\/crypto_keyfile.bin/g" /etc/mkinitcpio.conf
cryptsetup luksAddKey /dev/your-disk-2 /crypto_keyfile.bin
Compile the image and you're ready to go
mkinitcpio -p linux-hardened
We should get a successfull image generation
Let's install GRUB
pacman -S grub efibootmgr
Run this command to add the correct configuration. Make sure you reference the correct lvm partition (it should be your second one)
sed -i "s/^GRUB_CMDLINE_LINUX_DEFAULT=.*/GRUB_CMDLINE_LINUX_DEFAULT=\"cryptdevice=UUID=`blkid -s UUID -o value /dev/your-disk-2`:alpha loglevel=3 quiet resume=UUID=`blkid -s UUID -o value /dev/alpha/volSwap` net.iframes=0\"/" /etc/default/grub
Next open the file and check if the output of the previous command is correct
vim /etc/default/grub
Then uncomment this line
GRUB_ENABLE_CRYPTODISK="y"
And add to GRUB_PRELOAD_MODULES cryptodisk
GRUB_PRELOAD_MODULES="cryptodisk part_gpt part_msdos"
Save the file and run the next two commands to install and generate the config
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=artix --recheck /dev/your-disk
grub-mkconfig -o /boot/grub/grub.cfg
Check the output of the command to see if it used our linux-hardened image we created earlier
If you're using something other than the default US keyboard, you're going have to generate a keymap for GRUB to use.
First, you're going to need to setup the AUR repositories. Check this page of the wiki. Next, we're going to add this package
yay -S ckbcomp
We're going to add this line to our default grub
echo "GRUB_TERMINAL_INPUT=at_keyboard" | tee -a /etc/default/grub
Open /etc/grub.d/40_custom
and paste those lines
insmod keylayouts
keymap /boot/grub/fr.gkb
Then generate the keymap and update GRUB
grub-kbdcomp -o /boot/grub/fr.gkb fr
update-grub
Voila, you should have your custom keymap on your next reboot
It seems like we can now boot into our system.
Exit the termnial, unmount the partitions and reboot !
exit
umount -R /mnt
swapoff -a
sync
reboot
Because we didn't install networkmanager
, we're going to enable the dhcpcd
service as root to get an ip adress
doas dinitctl enable dbus
doas dinitctl enable dhcpcd
We will also enable other services
doas dinitctl enable chrony
If you installed iwd
in the basestrap, you can connect to the wifi by running
doas dinitctl enable iwd
iwctl
station name connect SSID
You can also change your DNS to whatever you want (don't use one that tracks you please). You can prevent the file from being updated if you want your DNS configuration to be persistent.
vim /etc/resolv.conf
chattr +i /etc/resolv.conf
You're DONE !! Congratulation, you're well on your way to have a secure system. See the next page of the wiki to upgrade the security of your newly installed system.