Building a practical system based on Arch Linux

This is a step-by-step guide to building a usable and comfortable system to work in. It is based on Arch Linux, one of my favorite GNU/Linux distributions.


NOTE: This guide is a subset of the Arch Linux Wiki combined with my own experience. Since it is a personal guide and cannot cover every aspect, check the wiki if you hit a problem that is not mentioned here.

Prerequisites

In this guide, I make the following assumptions:

  • Your machine boots with UEFI and supports Secure Boot (optional; needed only for the Secure Boot section)
  • Your machine has a wireless network interface


Guide

Base system installation

Preparations

Follow the installation guide until the Connect to the internet section.

  • Network

    We'll manage the network with netctl.
    To start, copy the example WPA profile:

    cp /etc/netctl/examples/wireless-wpa /etc/netctl/wireless-wpa
    

    Then set Interface to your wireless interface name and replace ESSID and Key with those of your network. The profile stores the pre-shared key in plain text, so keep the file readable by root only. Finally, start the profile:

    netctl start wireless-wpa
    

    You can test the network status by:

    ping archlinux.org
    

    Continue with the wiki until the Partition the disks section.

  • Disk partition

    We will follow the encrypted /boot approach (the wiki's encrypted boot partition with GRUB scenario). With it, /boot lives inside the LUKS container together with the root filesystem and swap is encrypted as well, so the kernel and initramfs are never stored in plaintext; only GRUB itself remains on the unencrypted ESP. Combined with Secure Boot (the firmware verifies GRUB, GRUB then unlocks /boot), this defends against most evil maid attacks that tamper with the boot loader, kernel or initramfs. It does not defend against compromised firmware, a hardware keylogger, or an attacker who captures the passphrase while the machine is unlocked.
    Follow the wiki until the Mount ESP section.

Installation

Install the base system by following the steps of the Installation section.
HOWEVER, append to the package list (replace intel-ucode with amd-ucode if your machine has an AMD CPU). linux-firmware and netctl are not part of the base metapackage; most wireless cards need the former, and the new system needs the latter to reuse the netctl profile:

pacstrap /mnt base linux linux-firmware btrfs-progs netctl wpa_supplicant intel-ucode

Configurations

Follow the wiki until the Initramfs section. DON'T forget to repeat the network configuration (the netctl profile) on the new system. NOTE: the following steps are done inside the chroot.

  • Initramfs

    Complete the steps of the mkinitcpio section: edit the HOOKS array in /etc/mkinitcpio.conf so that keyboard and keymap come before encrypt (you need a working keyboard layout to type the passphrase) and encrypt comes after block and before filesystems. The HOOKS array will look like this:

    HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt filesystems fsck)
    

    Add /usr/bin/btrfs to the BINARIES array.
    Then, regenerate the initramfs:

    mkinitcpio -p linux
    
  • Boot loader

    Follow the wiki until the Boot loader section.
    Install GRUB; it is the only boot loader that can open a LUKS-encrypted /boot (its cryptodisk support lets it read the kernel and initramfs from inside the container):

    pacman -S grub
    

    Edit /etc/default/grub, adding this option:

    GRUB_ENABLE_CRYPTODISK=y
    

    Append to GRUB_CMDLINE_LINUX, replacing uuid with the UUID of the LUKS partition itself (the one blkid reports for the partition, not for /dev/mapper/cryptroot). The :allow-discards option lets TRIM requests pass through dm-crypt to the SSD; it reveals which blocks of the container are unused, which is normally an acceptable trade-off on an SSD but is a choice to make consciously:

    GRUB_CMDLINE_LINUX="cryptdevice=UUID=uuid:cryptroot:allow-discards root=/dev/mapper/cryptroot"
    

    Then install GRUB to the ESP (replace esp below with the mount point of your EFI system partition; the hooks later in this guide assume /efi):

    grub-install --target=x86_64-efi --efi-directory=esp --bootloader-id=GRUB
    

    Finally, generate the GRUB config:

    grub-mkconfig -o /boot/grub/grub.cfg
    
  • Encrypted Swap

    Follow the Swap encryption section of the dm-crypt wiki.
    Finally, exit the chroot environment and reboot.

Post installation configuration

System wide

  • Prevent the machine from beeping

    Beeping is annoying in every situation, so disable it by following the Globally section of the PC speaker wiki page.

  • Setup users and sudo

    Follow the Users and groups wiki page.
    Add a user and add it to the wheel group. Then follow the Configuration section of the sudo wiki page to let the wheel group use sudo.

  • Setup the Time Machine

    The root filesystem is Btrfs. Its built-in snapshots, driven by snapper (the snapshot manager from openSUSE), give the system a Time Machine: a bad upgrade or an accidental deletion can be rolled back. Snapshots live on the same disk as the data, so they do not protect against disk failure or theft; keep a real off-disk backup as well.

    • Create the configurations

      Create the new configuration for / by following Configuration of snapper and mount point section (use root as the configuration name).
      Create the new configuration for /home:

      snapper -c home create-config /home
      
    • Polish the config

      Edit the root and home configs in /etc/snapper/configs/ to set how many snapshots are kept:

      TIMELINE_MIN_AGE="1800"
      TIMELINE_LIMIT_HOURLY="5"
      TIMELINE_LIMIT_DAILY="5"
      TIMELINE_LIMIT_WEEKLY="0"
      TIMELINE_LIMIT_MONTHLY="3"
      TIMELINE_LIMIT_YEARLY="2"
      

      Then set ALLOW_USERS and/or ALLOW_GROUPS to let non-root users work with snapshots (members of wheel can already become root with sudo, so this grants them nothing new), and set SYNC_ACL="yes" in the same file so that snapper applies a matching ACL to the .snapshots directory:

      ALLOW_USERS=""
      ALLOW_GROUPS="wheel"
      

      Snapshots are created by snapper-timeline.timer, which runs hourly by default; old ones are removed by snapper-cleanup.timer, which runs daily. To clean up more often, override snapper-cleanup.timer with a drop-in (systemctl edit snapper-cleanup.timer) instead of editing the unit file, which a package update would overwrite. For example, to add an hourly trigger:

      [Timer]
      OnUnitActiveSec=1h
      
    • Enable and start the Time Machine

      Finally, start and enable both snapper-timeline.timer and snapper-cleanup.timer. After an hour or so, snapper -c root list and snapper -c home list should show new snapshots.

  • Enable TRIM on SSD

    This keeps the SSD's wear levelling informed about which blocks are free.
    The :allow-discards option set on the kernel command line earlier lets TRIM requests pass through dm-crypt, so all that remains is enabling the periodic timer:

    systemctl start fstrim.timer
    systemctl enable fstrim.timer
    

  • Setup Secure Boot using your own keys

    The system will use its own keys (PK, KEK and db) for Secure Boot instead of Microsoft's keys, and pacman hooks re-sign the kernel and the boot loader automatically whenever either is installed or upgraded.
    Follow the Using your own keys section of the Secure Boot wiki page.
    After enrolling, delete the .auth files from the ESP: they are signed variable updates, not secrets, but anyone with physical access could re-apply them (a signed empty PK, if you generated one, would remove your PK and let them turn Secure Boot off). Keep db.key, the private signing key, off the ESP and readable by root only; the hooks below read it on every upgrade, and anyone who can read it can sign arbitrary boot binaries.
    Add three hooks to sign the boot loader and the kernel automatically (replace /path/to/db.key and /path/to/db.crt with your own paths; pacman runs hooks in lexical order of their file names, so the 98- hook reinstalls GRUB before the 99- hook signs it):

    • /etc/pacman.d/hooks/99-secureboot.hook

      [Trigger]
      Operation = Install
      Operation = Upgrade
      Type = Package
      Target = linux
      
      [Action]
      Description = Signing Kernel for SecureBoot
      When = PostTransaction
      Exec = /usr/bin/find /boot/ -maxdepth 1 -name 'vmlinuz-*' -exec /usr/bin/sh -c 'if ! /usr/bin/sbverify --list {} 2>/dev/null | /usr/bin/grep -q "signature certificates"; then /usr/bin/sbsign --key /path/to/db.key --cert /path/to/db.crt --output {} {}; fi' \;
      Depends = sbsigntools
      Depends = findutils
      Depends = grep
      
    • /etc/pacman.d/hooks/99-secureboot-grub.hook

      [Trigger]
      Operation = Install
      Operation = Upgrade
      Type = Package
      Target = grub
      
      [Action]
      Description = Signing GRUB for SecureBoot
      When = PostTransaction
      Exec = /usr/bin/find /efi/ -name 'grub*' -exec /usr/bin/sh -c 'if ! /usr/bin/sbverify --list {} 2>/dev/null | /usr/bin/grep -q "signature certificates"; then /usr/bin/sbsign --key /path/to/db.key --cert /path/to/db.crt --output {} {}; fi' \;
      Depends = sbsigntools
      Depends = findutils
      Depends = grep
      
    • /etc/pacman.d/hooks/98-grub-install.hook
      Replace esp below with your ESP mount point

      [Trigger]
      Operation = Install
      Operation = Upgrade
      Type = Package
      Target = grub
      
      [Action]
      Description = reinstall GRUB
      When = PostTransaction
      Exec = /usr/bin/grub-install --target=x86_64-efi --efi-directory=esp --bootloader-id=GRUB
      
  • Setup X.org, LightDM and i3wm

    Install X.org, LightDM and i3wm together:

    sudo pacman -S xorg lightdm lightdm-gtk-greeter i3
    

    Install gnome-terminal:

    sudo pacman -S gnome-terminal
    

  • Setup NVIDIA Optimus and Vertical Sync

    This covers laptops with an Intel integrated GPU and an NVIDIA discrete GPU, and also fixes screen tearing.

    • Install NVIDIA Driver

      Follow the guide in Installation section in NVIDIA wiki page.
      Remember to also install the lib32-nvidia-utils package (from the multilib repository) if you want to run Steam.

    • Configuration

      Follow the guide in LightDM section in NVIDIA Optimus wiki page.

    • Vertical Sync configuration

      Follow the guide in the DRM kernel mode setting section. Name the hook 98-nvidia.hook so that it sorts before the 99-* Secure Boot hooks created above; pacman runs hooks in lexical order of their file names.

    • Adjust the DPI

      Install the xorg-xrdb package and add the following to ~/.Xresources:

      Xft.dpi: 96
      Xft.autohint: 0
      Xft.lcdfilter:  lcddefault
      Xft.hintstyle:  hintfull
      Xft.hinting: 1
      Xft.antialias: 1
      Xft.rgba: rgb
      

  • netctl roaming

    Start and enable netctl-auto@interface.service (replace interface with your wireless interface name) so that netctl switches between profiles automatically:

    systemctl start netctl-auto@interface.service
    systemctl enable netctl-auto@interface.service
    

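Before relying on the chain built in the Disk partition, Boot loader and Setup Secure Boot sections above, it is worth checking the result. The script below is an added example; it is not part of the original guide nor of Arch's tooling. It assumes GNU coreutils and findutils (which Arch ships), an ESP mounted at /efi (override with ESP), the LUKS partition UUID in LUKS_UUID, and the private key path in DB_KEY; the /path/to/db.key placeholder and the hook file names are the ones used above.

```shell
#!/bin/sh
# audit-boot-chain.sh: post-install checks for the encrypted-/boot + Secure Boot
# setup in this guide. Added example, not from the guide or from any Arch tool.
# Assumes GNU coreutils and findutils (stat -c, od -j/-N, find -quit).
# Each check is a function taking explicit paths, so it can run against the
# live system (see audit) or against copies of the files.

# Secure Boot state. The firmware exposes the SecureBoot variable as a file:
# 4 bytes of attributes, then the 1-byte value (1 = enforcing).
secureboot_enabled() {        # $1 = /sys/firmware/efi/efivars/SecureBoot-<guid>
    [ -r "$1" ] || return 2
    [ "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')" = "1" ]
}

# GRUB must have cryptodisk support on, and the kernel command line must unlock
# the LUKS partition (the UUID blkid reports for the partition, not the mapper).
grub_cryptodisk_enabled() {   # $1 = /etc/default/grub
    grep -qx 'GRUB_ENABLE_CRYPTODISK=y' "$1"
}
grub_cmdline_unlocks() {      # $1 = /etc/default/grub, $2 = LUKS partition UUID
    grep -qF "cryptdevice=UUID=$2:cryptroot" "$1" &&
        grep -qF 'root=/dev/mapper/cryptroot' "$1"
}

# The private db key is read by the pacman hooks on every kernel/GRUB upgrade.
# It must be mode 600 and must not sit on the unencrypted ESP.
key_is_private() {            # $1 = db.key, $2 = ESP mount point
    [ -f "$1" ] || return 1
    [ "$(stat -c %a "$1")" = "600" ] || return 1
    case "$(readlink -f "$1")" in
        "$(readlink -f "$2")"/*) return 1 ;;
    esac
    return 0
}

# The .auth enrollment files should have been deleted from the ESP.
esp_has_no_auth_files() {     # $1 = ESP mount point
    [ -z "$(find "$1" -name '*.auth' -print -quit)" ]
}

# The signing hooks use find -exec, whose command must end in a literal \;
# pacman splits Exec on whitespace, so a stray space ("\ ;") changes the
# arguments find receives.
find_exec_terminated() {      # $1 = hook file
    grep -q '^Exec = .*\\;$' "$1"
}
# ... and the /path/to/ placeholders must have been replaced.
hook_key_path_set() {         # $1 = hook file
    ! grep -q '/path/to/' "$1"
}

report() {                    # report CHECK ARGS...: print PASS/FAIL, remember failures
    if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fail=1; fi
}

audit() {                     # run every check against the live system
    fail=0
    esp="${ESP:-/efi}"
    report secureboot_enabled "$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n1)"
    report grub_cryptodisk_enabled /etc/default/grub
    report grub_cmdline_unlocks /etc/default/grub "${LUKS_UUID:-unset}"
    report key_is_private "${DB_KEY:-/path/to/db.key}" "$esp"
    report esp_has_no_auth_files "$esp"
    for h in /etc/pacman.d/hooks/99-secureboot.hook /etc/pacman.d/hooks/99-secureboot-grub.hook; do
        report find_exec_terminated "$h"
        report hook_key_path_set "$h"
    done
    return "$fail"
}

# Usage: LUKS_UUID=<uuid> DB_KEY=/path/to/db.key ESP=/efi sh audit-boot-chain.sh --run
if [ "${1:-}" = "--run" ]; then audit; fi
```

Run it as root after the first boot (db.key is root-only), for example `LUKS_UUID=$(blkid -s UUID -o value /dev/sdXn) DB_KEY=/path/to/db.key sh audit-boot-chain.sh --run`. Every line should read PASS; a FAIL on key_is_private or esp_has_no_auth_files means the signing key or the enrollment files are still exposed on disk.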

Conclusion

This is the most robust and secure system I can build on my particular machine. Having a reliable operating system matters to an increasing number of people who care about their privacy and digital rights in this hostile world.
Therefore I wrote this post, not only for me, but also for you.