Arch Install Desktop vs Server Differences

 


In my day to day life I use 4 devices running Arch Linux

  • XPS13 laptop
  • Ryzen 7 3700X on a B550 itx system
  • Ryzen 3 3100 on a A520 as my home server
  • Xeon E3-1260L on a LGA 1155 running Next Cloud and a web server
In this post I will outline the differences in my Arch Linux install among these devices. Before proceeding I should point out that using a rolling release on a server environment poses additional challenges that generally cannot be justified for production systems.

The first step is to boot using an Arch Linux USB. Then I generally start by creating a 260MB EFI partition using fdisk. The boot partition needs to be formatted as a Fat 32 partition. 

mkfs.fat -F32 /dev/sda1

The rest of the partitions are going to be on LVM. First step is to create a partition in the remainder of the disk and choose LVM as the partition type. Once done I would create the physical volume and a volume group.

pvcreate /dev/sda2
vgcreate vgmain /dev/sda2

Now I would create the root partition in the volume group. For desktop installations the root partition is going to be LUKS encrypted. This ensures the os is encrypted at rest and tamper proof if physical access is compromised. 
  • Desktop
    • lvcreate -L 30G vgmain -n cryptlvroot
    • cryptsetup -u -v luksFormat /dev/vgmain/cryptlvroot
  • Server
    • lvcreate -L 30G vgmain -n lvroot
Now I would proceed to format the root partition. For the desktop, the LUKS partition needs to be opened before it can be formatted
  • Desktop
    • cryptsetup open /dev/vgmain/cryptlvroot root
    • mkfs.ext4 /dev/mapper/root
  • Server
    • mkfs.ext4 /dev/vgmain/lvroot
Now I'm at the point of creating the data partition. For the desktop the data partition will be mounted as the home volume. For servers I generally create a different mount point for this. I always encrypt the data partition using LUKS. 

lvcreate -l +100%FREE vgmain -n lvdata
cryptsetup -y -v luksFormat /dev/vgmain/lvdata
cryptsetup open /dev/vgmain/lvdata encdata
mkfs.ext4 /dev/mapper/encdata

It's time to mount all the file systems. Before that lets talk about the way the LUKS volumes are to be unlocked during boot.

For the desktop installations I would configure a password prompt during initial ramdisk creation (explained later in this post). The password prompt will unlock the root encrypted volume. The data volume will them be unlocked using a key file stored within the root volume. 

For server installations it doesn't make sense to keep the data partition key in the root volume as the root volume is not encrypted. I choose to store the key in a usb flash drive. This approach gives me a better chance of keeping the data encrypted at rest by removing the usb drive from the servers in case of a physical security compromise. I do take additional steps to protect the keys stored in the USB drive but these steps would fall under security by obscurity at best and is beyond the scope of this post. 
  • Desktop
    • mount /dev/mapper/root /mnt
    • mkdir /mnt/boot
    • mount /dev/sda1 /mnt/boot
    • mkdir /mnt/home
    • mount /dev/mapper/encdata /mnt/home
  • Server
    • mount /dev/vgmain/lvroot /mnt
    • mkdir /mnt/boot
    • mount /dev/sda1 /mnt/boot
    • mkdir /mnt/data
    • mount /dev/mapper/encdata /mnt/data
    • mkdir /mnt/keys
    • mount /dev/sdc1 /mnt/keys (sdc1 is a usb flash drive)
Now that the partitions are mounted I'm ready to create the file system table. 

mkdir /mnt/etc
genfstab -U /mnt >> /mnt/etc/fstab

Lets continue the installation. I'm gonna verify the UEFI boot was used by looking at efi vars.

ls /sys/firmware/efi/efivars

In a desktop installation with wifi capabilities now would be the time to connect.

iwctl
station wlan0 connect [ssid]
station wlan0 show
quit

Verify a live internet connection by pinging archlinux.org

 ping archlinux.org

Set and check network time protocol

timedatectl set-ntp true
timedatectl status

Install the essentials. For server environments I use the lts kernel. For desktop environments I use the latest kernel but still install the lts kernel which can be used to recover the system without using chroot.
  • Server
    • pacstrap /mnt base linux-lts linux-firmware linux-lts-headers
  • Desktop
    • pacstrap /mnt base linux linux-firmware linux-headers linux-lts linux-lts-headers
Switch to the newly installed root and setup swap

arch-chroot /mnt
free (check memory and decide how much swap you need)
dd if=/dev/zero of=/swapfile bs=1M count=8192 status=progress
chmod 600 /swapfile
mkswap /swapfile 
echo '/swapfile none swap 0 0' | tee -a /etc/fstab

Setup auto mounting of the encrypted data volume by creating a key and adding it to crypttab. Install editors and lvm packages as well

pacman -Sy vim nano lvm2
dd if=/dev/urandom of=/keys/data-key bs=512 count=8
cryptsetup luksAddKey /dev/vgmain/lvdata /keys/data-key

Use `lsblk -a` to find the UUID fo the encrypted data partition and add it to the /etc/crypttab file

encdata UUID=[xxxxx-xxxxx-xxxx...] /keys/data-key

Set timezone and locale

ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
hwclock --systohc
vim /etc/locale.gen
Uncomment your locale. Ex: en_US.UTF-8 UTF-8
locale-gen
vim /etc/locale.conf
Enter your locale. Ex: LANG=en_US.UTF-8

Network config

vim /etc/hostname
Enter [name]
vim /etc/hosts
Enter
127.0.0.1    localhost
::1               localhost
127.0.1.1    [name].localdomain [name]

Setting root password and creating additional users

passwd - enter root password
useradd -g users -G power,storage,wheel -m [youradminaccount]
passwd [youradminaccount]

Install and configure sudo so that everyone in wheel user group can sudo after confirming password.

pacman -S sudo
visudo
Uncomment %wheel ALL=(ALL) ALL

Install network tools and base dev tools. Enable systemd services for networking

pacman -S base-devel networkmanager dialog
systemctl enable NetworkManager
systemctl enable systemd-networkd.service
systemctl enable systemd-resolved.service

Configure initial ram disk creation. For desktop environments we need to configure luks and lvm as we need to unlock the LUKS encrypted root volume in the lvm partition. For server environments we only need to configure lvm.

  • Server
    • vim /etc/mkinitcpio.conf
    • Insert lvm2 bwetween block and filesystem
    • HOOKS=(base udev autodetect modconf block __lvm2__ filesystems keyboard fsck)
    • Recreate initramfs image
    • mkinitcpio -P linux-lts
  • Desktiop
    • vim /etc/mkinitcpio.conf
    • Insert lvm2 and encrypt hooks like so
    • HOOKS=(base udev autodetect __keyboard__ consolefont modconf block __lvm2__ __encrypt__ filesystems fsck)
    • Recreate initramfs images for lts and general kernel
    • mkinitcpio -P linux-lts
    • mkinitcpio -P linux
Install the processor microcode

pacman -S intel-ucode OR pacman -S amd-ucode

Install bootloader

pacman -S grub efibootmgr mtools

Set the kernel parameters for grub
  • Server
    • vim /etc/default/grub
    • root=dev/vgmain/lvroot
    • This needs to be added to GRUB_CMDLINE_LINUX section
  • Desktop
    • vim /etc/default/grub
    • cryptdevice=UUID=xxxx-xxxx-xxxx-xxxxxx:root root=/dev/mapper/root
    • The UUID is of the cryptlvroot logical volume. This needs to be added to GRUB_CMDLINE_LINUX section
    • You can also add lvm to GRUB_PRELOAD_MODULES section, but this is optional as we will be using grub-mkconfig later
Setup GRUB
  • grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
  • grub-mkconfig -o /boot/grub/grub.cfg
Time to reboot into the new system
  • exit
  • umount -a [Safe to ignore any errors saying the system is busy]
  • reboot
That's a wrap. :)





 













Comments

Post a Comment

Popular posts from this blog

Nextcloud and PHP8

Image
  PHP8 broke my Nextcloud instance !!! I run a Nextcloud instance on a self hosted Arch  linux server. Arch linux because I like the challenge 😁. Nextcloud due to privacy reasons. Recently Arch upgraded all php packages to php8 . Nextcloud 20.x, the version I'm using currently can't work on php8 thus my instance went offline. In this article I'm gonna describe how I managed to fix this issue. I run timeshift in my server via the cli. So I could have downgraded the php version. That would mean I would have to refrain from updating php and risk zero day vulnerabilities. That would nullify the whole purpose of running a self hosted Nextcloud instance for my sensitive data. Instead I went with dual php versions. I run php-fpm with Apache in my server so now I have to figure out how to run Fast CGI process manager with 2 php versions in the same Apache server. If you are thinking "well you are a SDE and you should know it", let me start by saying I neither use PHP
Read more

Setting up KDiff3 to work with TortoiseGIT

Image
Setting up KDiff3 to work with TortoiseGIT When I work with git I do most of my work on the command line except for a few tasks. Resolving conflicts is one of them. So when it comes to resolving conflicts I prefer the KDiff3 instead of the TortoiseGIT diff. I was googling around to find the proper way and after grabbing things from difference places here is what I did. Obvious steps  :) Install git Install KDiff3 Install TortoiseGIT Then after that Open tortoise GIT settings Go to "Diff Viewer" Go to section "Configure the program used for comparing different revisio...." Choose "External" Enter the following "[ kdiff3 instalation path ]\kdiff3.exe %base %mine --L1 %bname --L2 %yname" Go to "Merge Tool" Choose "External" Enter the following "[ kdiff3 instalation path ]\kdiff3.exe %base %mine %theirs -o %merged" Click apply I will soon write something to show how to actually resolve
Read more

Nextcloud on Arch Linux (Encrypted System) [Part 01 - Preparation]

Image
 In this series of posts I'm going to outline the process I used to create my own Nextcloud server.  Network Setup First step is to prepare my network. I'm planning to host this at home. Due to obvious security concerns I don't want to host this on my home network. I used pfSense  to achieve what I want. The pfSense setup is outside the scope of this post. If you do need help or is curious about setting up pfSense let me know. Given below is an overview diagram of my network,  The basic firewall rules in this network are Server can't talk to the switch.  Server can't talk to the pfSense router interface Server interface has Suricata IDS/IPS running.  Drive Preparation and Encryption Secure erase the drive.  Note: The drive I used was an old HDD. What I didn't notice was that the partition table was of type DOS. Had to change that to GPT and repeat this process in order for it to work. I'm going to use a 250GB HDD for my instalation (not a SSD). First step
Read more