Arch Install Desktop vs Server Differences

 


In my day to day life I use 4 devices running Arch Linux

  • XPS13 laptop
  • Ryzen 7 3700X on a B550 itx system
  • Ryzen 3 3100 on a A520 as my home server
  • Xeon E3-1260L on a LGA 1155 running Next Cloud and a web server
In this post I will outline the differences in my Arch Linux install among these devices. Before proceeding I should point out that using a rolling release on a server environment poses additional challenges that generally cannot be justified for production systems.

The first step is to boot using an Arch Linux USB. Then I generally start by creating a 260MB EFI partition using fdisk. The boot partition needs to be formatted as a Fat 32 partition. 

mkfs.fat -F32 /dev/sda1

The rest of the partitions are going to be on LVM. First step is to create a partition in the remainder of the disk and choose LVM as the partition type. Once done I would create the physical volume and a volume group.

pvcreate /dev/sda2
vgcreate vgmain /dev/sda2

Now I would create the root partition in the volume group. For desktop installations the root partition is going to be LUKS encrypted. This ensures the os is encrypted at rest and tamper proof if physical access is compromised. 
  • Desktop
    • lvcreate -L 30G vgmain -n cryptlvroot
    • cryptsetup -u -v luksFormat /dev/vgmain/cryptlvroot
  • Server
    • lvcreate -L 30G vgmain -n lvroot
Now I would proceed to format the root partition. For the desktop, the LUKS partition needs to be opened before it can be formatted
  • Desktop
    • cryptsetup open /dev/vgmain/cryptlvroot root
    • mkfs.ext4 /dev/mapper/root
  • Server
    • mkfs.ext4 /dev/vgmain/lvroot
Now I'm at the point of creating the data partition. For the desktop the data partition will be mounted as the home volume. For servers I generally create a different mount point for this. I always encrypt the data partition using LUKS. 

lvcreate -l +100%FREE vgmain -n lvdata
cryptsetup -y -v luksFormat /dev/vgmain/lvdata
cryptsetup open /dev/vgmain/lvdata encdata
mkfs.ext4 /dev/mapper/encdata

It's time to mount all the file systems. Before that lets talk about the way the LUKS volumes are to be unlocked during boot.

For the desktop installations I would configure a password prompt during initial ramdisk creation (explained later in this post). The password prompt will unlock the root encrypted volume. The data volume will them be unlocked using a key file stored within the root volume. 

For server installations it doesn't make sense to keep the data partition key in the root volume as the root volume is not encrypted. I choose to store the key in a usb flash drive. This approach gives me a better chance of keeping the data encrypted at rest by removing the usb drive from the servers in case of a physical security compromise. I do take additional steps to protect the keys stored in the USB drive but these steps would fall under security by obscurity at best and is beyond the scope of this post. 
  • Desktop
    • mount /dev/mapper/root /mnt
    • mkdir /mnt/boot
    • mount /dev/sda1 /mnt/boot
    • mkdir /mnt/home
    • mount /dev/mapper/encdata /mnt/home
  • Server
    • mount /dev/vgmain/lvroot /mnt
    • mkdir /mnt/boot
    • mount /dev/sda1 /mnt/boot
    • mkdir /mnt/data
    • mount /dev/mapper/encdata /mnt/data
    • mkdir /mnt/keys
    • mount /dev/sdc1 /mnt/keys (sdc1 is a usb flash drive)
Now that the partitions are mounted I'm ready to create the file system table. 

mkdir /mnt/etc
genfstab -U /mnt >> /mnt/etc/fstab

Lets continue the installation. I'm gonna verify the UEFI boot was used by looking at efi vars.

ls /sys/firmware/efi/efivars

In a desktop installation with wifi capabilities now would be the time to connect.

iwctl
station wlan0 connect [ssid]
station wlan0 show
quit

Verify a live internet connection by pinging archlinux.org

 ping archlinux.org

Set and check network time protocol

timedatectl set-ntp true
timedatectl status

Install the essentials. For server environments I use the lts kernel. For desktop environments I use the latest kernel but still install the lts kernel which can be used to recover the system without using chroot.
  • Server
    • pacstrap /mnt base linux-lts linux-firmware linux-lts-headers
  • Desktop
    • pacstrap /mnt base linux linux-firmware linux-headers linux-lts linux-lts-headers
Switch to the newly installed root and setup swap

arch-chroot /mnt
free (check memory and decide how much swap you need)
dd if=/dev/zero of=/swapfile bs=1M count=8192 status=progress
chmod 600 /swapfile
mkswap /swapfile 
echo '/swapfile none swap 0 0' | tee -a /etc/fstab

Setup auto mounting of the encrypted data volume by creating a key and adding it to crypttab. Install editors and lvm packages as well

pacman -Sy vim nano lvm2
dd if=/dev/urandom of=/keys/data-key bs=512 count=8
cryptsetup luksAddKey /dev/vgmain/lvdata /keys/data-key

Use `lsblk -a` to find the UUID fo the encrypted data partition and add it to the /etc/crypttab file

encdata UUID=[xxxxx-xxxxx-xxxx...] /keys/data-key

Set timezone and locale

ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
hwclock --systohc
vim /etc/locale.gen
Uncomment your locale. Ex: en_US.UTF-8 UTF-8
locale-gen
vim /etc/locale.conf
Enter your locale. Ex: LANG=en_US.UTF-8

Network config

vim /etc/hostname
Enter [name]
vim /etc/hosts
Enter
127.0.0.1    localhost
::1               localhost
127.0.1.1    [name].localdomain [name]

Setting root password and creating additional users

passwd - enter root password
useradd -g users -G power,storage,wheel -m [youradminaccount]
passwd [youradminaccount]

Install and configure sudo so that everyone in wheel user group can sudo after confirming password.

pacman -S sudo
visudo
Uncomment %wheel ALL=(ALL) ALL

Install network tools and base dev tools. Enable systemd services for networking

pacman -S base-devel networkmanager dialog
systemctl enable NetworkManager
systemctl enable systemd-networkd.service
systemctl enable systemd-resolved.service

Configure initial ram disk creation. For desktop environments we need to configure luks and lvm as we need to unlock the LUKS encrypted root volume in the lvm partition. For server environments we only need to configure lvm.

  • Server
    • vim /etc/mkinitcpio.conf
    • Insert lvm2 bwetween block and filesystem
    • HOOKS=(base udev autodetect modconf block __lvm2__ filesystems keyboard fsck)
    • Recreate initramfs image
    • mkinitcpio -P linux-lts
  • Desktiop
    • vim /etc/mkinitcpio.conf
    • Insert lvm2 and encrypt hooks like so
    • HOOKS=(base udev autodetect __keyboard__ consolefont modconf block __lvm2__ __encrypt__ filesystems fsck)
    • Recreate initramfs images for lts and general kernel
    • mkinitcpio -P linux-lts
    • mkinitcpio -P linux
Install the processor microcode

pacman -S intel-ucode OR pacman -S amd-ucode

Install bootloader

pacman -S grub efibootmgr mtools

Set the kernel parameters for grub
  • Server
    • vim /etc/default/grub
    • root=dev/vgmain/lvroot
    • This needs to be added to GRUB_CMDLINE_LINUX section
  • Desktop
    • vim /etc/default/grub
    • cryptdevice=UUID=xxxx-xxxx-xxxx-xxxxxx:root root=/dev/mapper/root
    • The UUID is of the cryptlvroot logical volume. This needs to be added to GRUB_CMDLINE_LINUX section
    • You can also add lvm to GRUB_PRELOAD_MODULES section, but this is optional as we will be using grub-mkconfig later
Setup GRUB
  • grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
  • grub-mkconfig -o /boot/grub/grub.cfg
Time to reboot into the new system
  • exit
  • umount -a [Safe to ignore any errors saying the system is busy]
  • reboot
That's a wrap. :)





 













Comments

Popular posts from this blog

Nextcloud and PHP8

Nextcloud on Arch Linux (Encrypted System) [Part 01 - Preparation]