Base working script
Signed-off-by: Pratyush Desai <pratyush.desai@liberta.casa>
This commit is contained in:
commit
c11812535a
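--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+.env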
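Review bot: The only ignore pattern is `.env`, but the installer reads its configuration with `source ./env` (no leading dot), and that file is where ROOTPASS, USERPASS and SSHPUBKEY come from, so the secrets file is not actually excluded from the repository. Either rename the file to `.env` and change the script to `source ./.env`, or add a second line `env` here so both spellings are ignored.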
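--- a/README
+++ b/README
@@ -0,0 +1,3 @@
+# Automated ArchLinux Installer
+
+Automated ArchLinux install script with luks encrypted btrfs root partition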
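--- a/archinst.sh
+++ b/archinst.sh
@@ -0,0 +1,146 @@
+#!/bin/bash
+set -euo pipefail
+
+# Load
+source ./env
+
+loadkeys "$KEYMAP"
+
+[ -d /sys/firmware/efi ] || { echo "[-] BIOS mode not supported."; exit 1; }
+
+ping -c1 archlinux.org >/dev/null || { echo "[-] No network!"; exit 1; }
+timedatectl set-ntp true
+
+read -rp "!!! WARNING: This will destroy all data on $DEVICE. Proceed? (yes/[no]): " confirm
+[[ "$confirm" == "yes" ]] || exit 1
+
+sgdisk --zap-all "$DEVICE"
+wipefs -a "$DEVICE"
+sgdisk -n 1:0:+512M -t 1:ef00 -c 1:"EFI System Partition" "$DEVICE"
+sgdisk -n 2:0:0 -t 2:8300 -c 2:"Linux root" "$DEVICE"
+
+cryptsetup luksFormat --type luks2 "$ROOT_PART"
+cryptsetup open "$ROOT_PART" "$CRYPT_NAME"
+mkfs.btrfs -f "$CRYPT_DEVICE"
+
+mount "$CRYPT_DEVICE" /mnt
+btrfs subvolume create /mnt/@
+btrfs subvolume create /mnt/@home
+btrfs subvolume create /mnt/@log
+btrfs subvolume create /mnt/@pkg
+btrfs subvolume create /mnt/@srv
+btrfs subvolume create /mnt/@snapshots
+umount /mnt
+
+mount -o compress=zstd,subvol=@ "$CRYPT_DEVICE" /mnt
+mkdir -p /mnt/{home,var/log,var/cache/pacman/pkg,srv,.snapshots,boot}
+mount -o compress=zstd,subvol=@home "$CRYPT_DEVICE" /mnt/home
+mount -o compress=zstd,subvol=@log "$CRYPT_DEVICE" /mnt/var/log
+mount -o compress=zstd,subvol=@pkg "$CRYPT_DEVICE" /mnt/var/cache/pacman/pkg
+mount -o compress=zstd,subvol=@srv "$CRYPT_DEVICE" /mnt/srv
+mount -o compress=zstd,subvol=@snapshots "$CRYPT_DEVICE" /mnt/.snapshots
+
+mkfs.fat -F32 "$EFI_PART"
+mount "$EFI_PART" /mnt/boot
+
+btrfs filesystem mkswapfile --size "${SWAP_SIZE_GB}g" /mnt/swapfile
+chmod 600 /mnt/swapfile
+mkswap /mnt/swapfile
+swapon /mnt/swapfile
+pacstrap -K /mnt base linux linux-firmware btrfs-progs vim sudo man-db openssh nftables apparmor
+
+genfstab -U /mnt >> /mnt/etc/fstab
+UUID=$(blkid -s UUID -o value "$ROOT_PART")
+
+sed -i 's|/boot vfat defaults|/boot vfat defaults,dmask=077,fmask=177|' /mnt/etc/fstab
+
+arch-chroot /mnt /bin/bash <<EOF
+
+UUID=$(blkid -s UUID -o value "$ROOT_PART")
+
+ln -sf "/usr/share/zoneinfo/$TIMEZONE" /etc/localtime
+hwclock --systohc
+
+echo "$LOCALE UTF-8" > /etc/locale.gen
+locale-gen
+echo "LANG=$LOCALE" > /etc/locale.conf
+echo "KEYMAP=$KEYMAP" > /etc/vconsole.conf
+
+echo "$HOSTNAME" > /etc/hostname
+cat <<HCONF > /etc/hosts
+127.0.0.1 localhost
+::1 localhost
+127.0.1.1 $HOSTNAME.localdomain $HOSTNAME
+HCONF
+
+echo "root:$ROOTPASS" | chpasswd
+
+useradd -m -G wheel "$USERNAME"
+echo "$USERNAME:$USERPASS" | chpasswd
+echo "%wheel ALL=(ALL) ALL" >> /etc/sudoers
+
+
+sed -i 's/^HOOKS=.*/HOOKS=(base udev autodetect keyboard keymap modconf block encrypt filesystems btrfs fsck)/' /etc/mkinitcpio.conf
+mkinitcpio -P
+
+bootctl install
+cat <<BLDR > /boot/loader/loader.conf
+default arch
+timeout 3
+editor no
+BLDR
+
+cat <<ENTRY > /boot/loader/entries/arch.conf
+title Arch Linux
+linux /vmlinuz-linux
+initrd /initramfs-linux.img
+options cryptdevice=/dev/sda2:cryptroot root=/dev/mapper/cryptroot rw rootflags=subvol=@
+
+ENTRY
+
+echo "/swapfile none swap defaults 0 0" >> /etc/fstab
+
+systemctl enable sshd
+systemctl enable nftables
+systemctl enable apparmor
+systemctl enable systemd-networkd
+systemctl enable systemd-resolved
+ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+
+cat <<NET > /etc/systemd/network/20-wired.network
+[Match]
+Name=en*
+
+[Network]
+DHCP=yes
+NET
+
+mkdir -p /home/$USERNAME/.ssh
+chmod 700 /home/$USERNAME/.ssh
+echo $SSHPUBKEY > /home/$USERNAME/.ssh/authorized_keys
+chmod 600 /home/$USERNAME/.ssh/authorized_keys
+chown -R $USERNAME:$USERNAME /home/$USERNAME/.ssh
+
+sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
+sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
+
+cat <<NFT > /etc/nftables.conf
+table inet filter {
+chain input {
+type filter hook input priority 0;
+policy drop;
+ct state established,related accept
+iif lo accept
+tcp dport ssh accept
+}
+}
+NFT
+
+nft -f /etc/nftables.conf
+
+
+EOF
+
+umount -R /mnt
+reboot
+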
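Review bot: The boot entry line `options cryptdevice=/dev/sda2:cryptroot root=/dev/mapper/cryptroot rw rootflags=subvol=@` hard-codes the device, so the installed system will not unlock its root whenever `$DEVICE` is not /dev/sda (an NVMe disk puts the root partition at /dev/nvme0n1p2, for example), and the `UUID=$(blkid -s UUID -o value "$ROOT_PART")` computed both before and inside the chroot is never used. Because the `<<EOF` delimiter is unquoted, `$UUID` and `$CRYPT_NAME` are expanded by the outer shell, so the entry can simply become `options cryptdevice=UUID=$UUID:$CRYPT_NAME root=/dev/mapper/$CRYPT_NAME rw rootflags=subvol=@`, which also survives device renumbering. Separately, the `sed` that appends `dmask=077,fmask=177` matches the literal `/boot vfat defaults`, but `genfstab -U` writes the options of the live mount (rw,relatime,fmask=...,dmask=...) rather than `defaults`, so that hardening is probably a no-op and the kernel/initramfs on /boot likely stay world-readable; check the generated fstab and anchor the pattern on the mount point and fstype instead. Finally, `echo $SSHPUBKEY` is unquoted and subject to globbing; `printf '%s\n' "$SSHPUBKEY"` writes the key verbatim.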