Create disk
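# Check the ISO's checksum/signature before writing it, and confirm the target
# with lsblk: dd overwrites /dev/sdX (placeholder for the USB stick) without asking.
sudo dd if=distro.iso of=/dev/sdX bs=1M status=progress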
Boot arch
Better connect ethernet, else use wifi-menu
loadkeys de-latin1
Partition drive
Use lsblk
or blkid
, fdisk -l
to get an overview of the current situation
# Destroys the existing GPT and MBR data structures on the target disk.
sgdisk --zap-all /dev/sdX
# Fresh GPT with two partitions:
#   1: 550 MiB, type ef00 (EFI System), partition name "EFI"
#   2: rest of the disk, type 8300 (Linux filesystem), partition name "system"
sgdisk --clear \
--new=1:0:+550MiB --typecode=1:ef00 --change-name=1:EFI \
--new=2:0:0 --typecode=2:8300 --change-name=2:system \
/dev/sdX
Or use cgdisk
which is nice and interactive
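# FAT32 with volume label EFI on the partition named "EFI" above
# (the udev path is /dev/disk/..., all lower-case).
mkfs.fat -F32 -n EFI /dev/disk/by-partlabel/EFI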
Cryptsetup
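# /dev/sda2 is the author's example device: it must be partition 2 created
# above (also reachable as /dev/disk/by-partlabel/system). luksFormat
# irreversibly overwrites whatever device it is pointed at.
# --key-size 512 with an XTS cipher means two 256-bit AES keys;
# --iter-time 2000 spends about 2000 ms on passphrase key derivation.
cryptsetup luksFormat /dev/sda2 --key-size 512 --iter-time 2000
# Optional extra arguments for luksFormat:
#   --align-payload=8192 -h sha512 -c aes-xts-plain64
cryptsetup luksOpen /dev/sda2 cryptroot
mkfs.btrfs --force --label system /dev/mapper/cryptroot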
Then create btrfs filesystems, optionally with subvolumes
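# maybe use compress=lzo but that could be dangerous
# x-mount.mkdir makes mount create a missing mount point (needed for
# /mnt/home and /mnt/.snapshots below).
o_btrfs=defaults,x-mount.mkdir,compress=zstd,ssd,noatime
mount -t btrfs /dev/mapper/cryptroot /mnt
# Using subvolumes:
btrfs subvolume create /mnt/root
btrfs subvolume create /mnt/home
btrfs subvolume create /mnt/snapshots
umount -R /mnt
# Run ONE of the two variants below, not both.
# Variant A - mount created btrfs filesystem without subvolumes:
mount -t btrfs -o "$o_btrfs" /dev/mapper/cryptroot /mnt
# Variant B - or using subvolumes:
mount -t btrfs -o "subvol=root,$o_btrfs" /dev/mapper/cryptroot /mnt
mount -t btrfs -o "subvol=home,$o_btrfs" /dev/mapper/cryptroot /mnt/home
mount -t btrfs -o "subvol=snapshots,$o_btrfs" /dev/mapper/cryptroot /mnt/.snapshots
# ESP mount point; the partition is found through the FAT label set by mkfs.fat -n EFI
mkdir -p /mnt/boot/efi
mount LABEL=EFI /mnt/boot/efi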
Mirrorlist
Use reflector if possible
# Keep a copy of the shipped list (brace expansion: mirrorlist -> mirrorlist.backup)
cp /etc/pacman.d/{mirrorlist,mirrorlist.backup}
pacman -S reflector
# HTTPS-only mirrors from France and Germany, synchronized within the last
# 12 hours, sorted by download rate; the result replaces the active mirrorlist.
reflector --country France --country Germany --age 12 --protocol https --sort rate --save /etc/pacman.d/mirrorlist
# Old school: uncomment country-specific mirrors in mirrorlist.backup; then
# rank them and keep the 6 fastest as the active mirrorlist
rankmirrors -n 6 /etc/pacman.d/mirrorlist.backup > /etc/pacman.d/mirrorlist
Install base system
pacstrap /mnt base
fstab
genfstab -L -p /mnt >> /mnt/etc/fstab
Should look something like this:
# <file system> <dir> <type> <options> <dump> <pass>
# /dev/sda1 EFI ESP partition
UUID=6285-B457 /boot/efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 2
# /dev/sda2 with plain btrfs on top of luks:
# /dev/mapper/cryptroot UUID=XXXXXX
LABEL=cryptroot / btrfs rw,noatime,ssd,compress=zstd,space_cache,subvolid=5,subvol=/ 0 0
# /dev/sda2 with btrfs and subvolumes:
# /dev/mapper/cryptroot UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
/dev/mapper/cryptroot / btrfs rw,noatime,compress=zstd,ssd,space_cache,subvolid=257,subvol=/root,subvol=root 0 0
# /dev/mapper/cryptroot UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
/dev/mapper/cryptroot /home btrfs rw,noatime,compress=zstd,ssd,space_cache,subvolid=258,subvol=/home,subvol=home 0 0
# /dev/mapper/cryptroot UUID=...
/dev/mapper/cryptroot /.snapshots btrfs rw,noatime,compress=zstd,ssd,space_cache,subvolid=259,subvol=/snapshots,subvol=snapshots 0 0
# ext4 for reference:
# /dev/sda2 with ext4
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx / ext4 rw,relatime,data=ordered 0 1
Chroot
Chroot into mounted new system, either via systemd-nspawn
or chroot
:
Use systemd-nspawn
to use *ctl
commands directly in “chroot”
# -b is for boot
systemd-nspawn -bD /mnt
# or
arch-chroot /mnt
Locale
Edit /etc/locale.gen
, uncomment de_DE.UTF-8
and en_US.UTF-8
, run
locale-gen
, then use either systemd-firstboot
or localectl
systemd-firstboot --prompt-locale
# or
localectl list-locales
↳ [...] en_US.UTF-8 [...]
localectl set-locale LANG=en_US.UTF-8
localectl set-keymap --no-convert de-latin1
Time
Use timedatectl
and configure NTP via systemd-timedated
and
systemd-timesyncd
, ntpd
is old
timedatectl set-ntp 1
timedatectl list-timezones
↳ ...
timedatectl set-timezone Europe/Berlin
hwclock --systohc
Hostname
Set via hostnamectl
hostnamectl set-hostname myhostname
hostnamectl set-chassis "laptop"
Append to /etc/hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost.localdomain localhost
127.0.1.1 myhostname.localdomain myhostname
# or via echo
echo "127.0.1.1 myhostname.localdomain myhostname" >> /etc/hosts
Network
Ethernet can be managed by systemd-networkd
in case of NetworkManager failure
Install NetworkManager
, then use in case of no GUI:
# Scan
nmcli dev wifi
# Add connection, interactively
nmcli con add --ask
↳ Connection type: wifi
↳ No to all others
# Check
nmcli con show
↳ NAME UUID ..., note NAME
# Connect
nmcli con up id 'NAME'
Install packages
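pacman -Syu
pacman -S base-devel btrfs-progs gptfdisk
# One single command: the package list continues across lines, so every line
# but the last ends in a backslash.
pacman -S adwaita-icon-theme ansible avahi bash binutils btrfs-progs bzip2 \
  cantarell-fonts chrome-gnome-shell coreutils cryptsetup dconf-editor \
  device-mapper diffutils dosfstools e2fsprogs efibootmgr eog epiphany evince \
  fakeroot file file-roller filesystem findutils fish freetype2 gawk gcc \
  gcc-libs gdm gedit glibc gnome-backgrounds gnome-bluetooth gnome-calculator \
  gnome-clocks gnome-color-manager gnome-control-center gnome-desktop \
  gnome-icon-theme gnome-icon-theme-extras gnome-keyring gnome-menus \
  gnome-shell gnome-system-monitor gnome-terminal gnome-tweaks grep gvfs gzip \
  inetutils iproute2 iputils iw less librsvg libtool linux linux-headers \
  logrotate man-db man-pages mdadm nano nautilus networkmanager pacman patch \
  pciutils perl polkit pkg-config procps-ng psmisc pulseaudio sed shadow sudo \
  sysfsutils systemd-sysvcompat tar tracker ttf-dejavu usbutils util-linux \
  which xdg-user-dirs-gtk xfsprogs xterm xorg-server xorg-server-xwayland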
initramfs
Backup /etc/mkinitcpio.conf
, then edit:
# /etc/mkinitcpio.conf
# Kernel modules always added to the image (FAT filesystem, Intel graphics).
MODULES=(vfat i915)
BINARIES=()
FILES=()
# systemd-based initramfs: sd-encrypt is the hook that consumes the rd.luks.*
# kernel parameters used in the loader entries; sd-vconsole carries the
# console keymap.
HOOKS=(systemd sd-vconsole autodetect modconf block keymap sd-encrypt btrfs filesystems keyboard)
# Non-systemd (base/udev) hook list without an encryption hook, left commented out:
#HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)
Regenerate the initramfs
mkinitcpio -p linux
Then copy to ESP
# NOTE(review): these names must match what mkinitcpio and the kernel package
# actually wrote to /boot, and the initrd/linux lines of the loader entries —
# confirm with ls /boot before copying.
# The ESP is unencrypted FAT, so the kernel and initramfs copied here are not
# protected by LUKS: whoever can write to the ESP can replace them (signed
# images under Secure Boot are the usual mitigation). The copies also go stale
# after a kernel update, so this step has to be repeated after each upgrade.
cp /boot/initrd-linux.img /boot/efi
cp /boot/initrd-linux-fallback.img /boot/efi
cp /boot/vmlinuz-generic /boot/efi
Security
Set password, add to sudoers/wheel group
# Without an argument this sets the password of the current user
# (root inside the chroot).
passwd
# "username" is a placeholder; this assumes the account already exists (no
# useradd step is shown on this page). Members of wheel only get sudo once
# the %wheel rule is enabled in sudoers (edit it with visudo).
usermod -a -G wheel username
Bootloader
Install systemd-boot
to the ESP
bootctl --path=/boot/efi install
Then check efi vars with efibootmgr -v
, in case bootctl
failed to install
an entry, use
# Manually create the UEFI boot entry for systemd-boot, pointing at the
# loader on partition 1 (--part 1) of the given GPT disk.
# /dev/nvme0n1 is the author's device here (earlier steps used /dev/sdX and
# /dev/sda) — pass the disk that actually holds the ESP.
efibootmgr \
--create \
--disk /dev/nvme0n1 \
--gpt \
--loader "\EFI\systemd\systemd-bootx64.efi" \
--label systemdboot \
--part 1 \
--timeout 0 \
--write-signature \
--verbose
Set boot order if necessary, 0010
would be systemd-boot
efibootmgr -o 0010,0020
Configure bootloader in /boot/efi/loader/loader.conf
default arch
# leave timeout to debug, can disable later
timeout 2
# Leave the editor on only while debugging. With it enabled, anyone at the
# console can change the kernel command line from the boot menu, which
# sidesteps the installed system's login controls; set "editor 0" once the
# system boots reliably.
editor 1
Create boot entries:
- Get luks-uuid with:
sudo cryptsetup luksUUID /dev/nvme0n1p2
- Device-mapper name is
luksroot
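here; be consistent: the name in rd.luks.name=, in root=/dev/mapper/... and in /etc/fstab must be the same (the earlier steps and the fstab example use cryptroot)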
# /boot/efi/loader/entries/arch.conf
title Arch Linux
#initrd /acpi_override # applying DSDT patch later
# initrd and linux paths are relative to the root of the ESP
initrd /initrd-linux.img
linux /vmlinuz-generic
# <uuid> is the LUKS UUID printed by cryptsetup luksUUID; rd.luks.name maps it
# to /dev/mapper/luksroot, which root= then mounts.
options rd.luks.uuid=<uuid> rd.luks.name=<uuid>=luksroot root=/dev/mapper/luksroot rw quiet splash
# for btrfs subvolumes use rootflags=subvol=...
# Set "dangerous" options later:
# NOTE(review): the line below points root= at the raw partition, not the
# mapper device; on the LUKS setup keep the rd.luks.* and
# root=/dev/mapper/... part and only append the extra parameters.
#options rw root=/dev/nvme0n1p2 quiet splash acpi.ec_no_wakeup=1 psmouse.synaptics_intertouch=1 mem_sleep_default=deep loglevel=3 i915.modeset=1 i915.fastboot=1 i915.enable_guc=1
# /boot/efi/loader/entries/arch-fallback.conf
title Arch Linux fallback
initrd /initrd-linux-fallback.img
linux /vmlinuz-generic
# Same LUKS mapping as the main entry, without quiet/splash so boot messages stay visible
options rd.luks.uuid=<uuid> rd.luks.name=<uuid>=luksroot root=/dev/mapper/luksroot rw
Might have to fiddle around with root=...
and include subvol, encrypt stuff
See also