mirror of
https://github.com/tommytran732/Arch-Setup-Script
synced 2024-12-22 15:01:34 -05:00
Setting up Arch Linux with BTRFS, snapshots and full disk encryption including /boot (UEFI only).
.github/ISSUE_TEMPLATE | ||
install.sh | ||
LICENSE | ||
README.md | ||
secureboot.sh |
Introduction
This is my fork of easy-arch, a script made in order to boostrap a basic Arch Linux environment with snapshots and encryption by using a fully automated process.
This fork comes with various security improvements and fully working rollbacks with snapper. I do submit some of the changes here back to upstream as well.
How does it work?
- Download an Arch Linux ISO from here
- Flash the ISO onto an USB Flash Drive.
- Boot the live environment.
- Connect to the internet.
git clone https://github.com/tommytran732/Arch-Setup-Script/
cd Arch-Setup-Script
chmod u+x ./install.sh && ./install.sh
Changes to the original project
- Encrypted /boot with LUKS1
- SUSE - like partition layout and fully working snapper snapshots & rollback
- Minimally setup GNOME 40 with pipewire
- AppArmor and Firewalld enabled by default
- Defaulting umask to 077
- Randomize Mac Address and disable Connectivity Check for privacy
- Added some kernel/grub settings from https://github.com/Whonix/security-misc/tree/master/etc/default
- Added udev rules from https://gitlab.com/garuda-linux/themes-and-settings/settings/garuda-common-settings/-/tree/master/etc/udev/rules.d
Snapper behavior
The partition layout I use rallows us to replicate the behavior found in openSUSE 🦎
- Snapper rollback works! You will no longer need to manually rollback from a live USB like you would with the @ and @home layout suggested in the Arch Wiki.
- You can boot into a readonly snapshot! GDM and other services will start normally so you can get in and verify that everything works before rolling back.
- Automatic snapshots on pacman install/update operations
- Directories such as /boot, /boot/efi, /var/log, /var/crash, /var/tmp, /var/spool, /var/lib/libvirt/images are excluded from the snapshots as they either should be persistent or are just temporary files. /cryptkey is excluded as we do not want the encryption key to be included in the snapshots, which could be sent to another device as a backup.
- GRUB will boot into the default BTRFS snapshot set by snapper. Like on SUSE, your running system will always be a read-write snapshot in @/.snapshots/X/snapshot.
Partitions layout
Partition/Subvolume | Label | Mountpoint | Notes |
---|---|---|---|
1 | ESP | /boot/efi | Unencrypted FAT32 |
2 | @/.snapshots/X/snapshot | / | Encrypted BTRFS |
3 | @/boot | /boot/ | Encrypted BTRFS (nodatacow) |
4 | @/root | /root | Encrypted BTRFS |
5 | @/home | /home | Encrypted BTRFS |
6 | @/.snapshots | /.snapshots | Encrypted BTRFS |
7 | @/srv | /srv | Encrypted BTRFS (nodatacow) |
8 | @/var_log | /var/log | Encrypted BTRFS (nodatacow) |
9 | @/var_crash | /var/crash | Encrypted BTRFS (nodatacow) |
10 | @/var_cache | /var/cache | Encrypted BTRFS (nodatacow) |
11 | @/var_tmp | /var/tmp | Encrypted BTRFS (nodatacow) |
12 | @/var_spool | /var/spool | Encrypted BTRFS (nodatacow) |
13 | @/var_lib_libvirt_images | /var/lib/libvirt/images | Encrypted BTRFS (nodatacow) |
14 | @/var_lib_machines | /var/lib/machines | Encrypted BTRFS (nodatacow) |
15 | @/var_lib_gdm | /var/lib/gdm | Encrypted BTRFS (nodatacow) |
16 | @/var_lib_AccountsService | /var/lib/AccountsService | Encrypted BTRFS (nodatacow) |
17 | @/cryptkey | /cryptkey | Encrypted BTRFS (nodatacow) |