AutoArch/archinst.sh
Pratyush Desai c11812535a
Base working script
Signed-off-by: Pratyush Desai <pratyush.desai@liberta.casa>
2025-06-14 13:43:17 +05:30


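#!/bin/bash
#
# AutoArch: single-disk Arch Linux install from the live ISO.
# Wipes $DEVICE, creates an EFI partition and a LUKS2-encrypted btrfs root
# with subvolumes, installs a base system and configures systemd-boot,
# users, key-only sshd, nftables and apparmor, then reboots.
#
# Usage:  ./archinst.sh   (as root, with ./env in the current directory)
# Required variables, sourced from ./env:
#   DEVICE ROOT_PART EFI_PART CRYPT_NAME CRYPT_DEVICE SWAP_SIZE_GB KEYMAP
#   TIMEZONE LOCALE HOSTNAME USERNAME ROOTPASS USERPASS SSHPUBKEY
# Secrets (ROOTPASS, USERPASS) reach the chroot through the environment and
# chpasswd through stdin, never through a command line; do not run this
# script under `set -x`.
set -euo pipefail

readonly MNT=/mnt
readonly PACKAGES=(base linux linux-firmware btrfs-progs vim sudo man-db openssh nftables apparmor)
readonly REQUIRED_VARS=(DEVICE ROOT_PART EFI_PART CRYPT_NAME CRYPT_DEVICE SWAP_SIZE_GB
  KEYMAP TIMEZONE LOCALE HOSTNAME USERNAME ROOTPASS USERPASS SSHPUBKEY)

#######################################
# Print an error to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '[-] %s\n' "$*" >&2
  exit 1
}

#######################################
# Source ./env and refuse to continue unless every required variable is set
# and non-empty (an unset DEVICE or ROOT_PART would otherwise surface only
# once the destructive steps are already running).
# Globals: all of REQUIRED_VARS (written by ./env)
#######################################
load_env() {
  [[ -r ./env ]] || die "./env not found in $(pwd)"
  # shellcheck disable=SC1091
  source ./env
  local var
  for var in "${REQUIRED_VARS[@]}"; do
    [[ -n "${!var:-}" ]] || die "$var must be set in ./env"
  done
}

#######################################
# Checks before anything destructive: root, UEFI boot, network, NTP, and an
# explicit "yes" from the operator.
# Globals: KEYMAP, DEVICE (read)
#######################################
preflight() {
  (( EUID == 0 )) || die "must be run as root"
  loadkeys "$KEYMAP"
  [[ -d /sys/firmware/efi ]] || die "BIOS mode not supported."
  ping -c1 archlinux.org >/dev/null || die "No network!"
  timedatectl set-ntp true
  local confirm
  read -rp "!!! WARNING: This will destroy all data on $DEVICE. Proceed? (yes/[no]): " confirm
  [[ "$confirm" == "yes" ]] || exit 1
}

#######################################
# Wipe $DEVICE, create the EFI (1) and root (2) partitions and set up LUKS2
# on the root partition. luksFormat prompts for the passphrase interactively.
# Globals: DEVICE, ROOT_PART, EFI_PART, CRYPT_NAME (read)
#######################################
partition_and_encrypt() {
  sgdisk --zap-all "$DEVICE"
  wipefs -a "$DEVICE"
  sgdisk -n 1:0:+512M -t 1:ef00 -c 1:"EFI System Partition" "$DEVICE"
  sgdisk -n 2:0:0 -t 2:8300 -c 2:"Linux root" "$DEVICE"
  # the new partition nodes are created asynchronously by udev; wait for them
  # instead of racing cryptsetup/mkfs against them
  udevadm settle
  [[ -b "$ROOT_PART" && -b "$EFI_PART" ]] \
    || die "$ROOT_PART / $EFI_PART not present after partitioning $DEVICE"
  cryptsetup luksFormat --type luks2 "$ROOT_PART"
  cryptsetup open "$ROOT_PART" "$CRYPT_NAME"
}

#######################################
# Format the mapped device as btrfs, create the subvolume layout and mount it
# under $MNT; format and mount the EFI partition at $MNT/boot.
# Globals: CRYPT_DEVICE, EFI_PART, MNT (read)
#######################################
make_filesystems() {
  local subvol
  mkfs.btrfs -f "$CRYPT_DEVICE"
  mount "$CRYPT_DEVICE" "$MNT"
  for subvol in @ @home @log @pkg @srv @snapshots; do
    btrfs subvolume create "$MNT/$subvol"
  done
  umount "$MNT"

  mount -o compress=zstd,subvol=@ "$CRYPT_DEVICE" "$MNT"
  mkdir -p "$MNT"/{home,var/log,var/cache/pacman/pkg,srv,.snapshots,boot}
  mount -o compress=zstd,subvol=@home "$CRYPT_DEVICE" "$MNT/home"
  mount -o compress=zstd,subvol=@log "$CRYPT_DEVICE" "$MNT/var/log"
  mount -o compress=zstd,subvol=@pkg "$CRYPT_DEVICE" "$MNT/var/cache/pacman/pkg"
  mount -o compress=zstd,subvol=@srv "$CRYPT_DEVICE" "$MNT/srv"
  mount -o compress=zstd,subvol=@snapshots "$CRYPT_DEVICE" "$MNT/.snapshots"

  mkfs.fat -F32 "$EFI_PART"
  mount "$EFI_PART" "$MNT/boot"
}

#######################################
# Create and activate a btrfs swapfile of $SWAP_SIZE_GB GiB on the @ subvolume.
# Globals: SWAP_SIZE_GB, MNT (read)
#######################################
make_swap() {
  btrfs filesystem mkswapfile --size "${SWAP_SIZE_GB}g" "$MNT/swapfile"
  chmod 600 "$MNT/swapfile"
  mkswap "$MNT/swapfile"
  swapon "$MNT/swapfile"
}

#######################################
# pacstrap the base system and generate fstab. Swap is active at this point,
# so genfstab records the swapfile as well. The EFI partition's options are
# tightened so kernels and loader entries are not world-readable.
# Globals: PACKAGES, MNT (read)
#######################################
install_base() {
  pacstrap -K "$MNT" "${PACKAGES[@]}"
  genfstab -U "$MNT" >> "$MNT/etc/fstab"
  # genfstab -U does not necessarily emit the literal word "defaults", so
  # append to whatever option string the /boot vfat line carries
  sed -i -E '/[[:space:]]\/boot[[:space:]]+vfat[[:space:]]/ s/(vfat[[:space:]]+)([^[:space:]]+)/\1\2,dmask=077,fmask=177/' "$MNT/etc/fstab"
}

#######################################
# Configure the installed system inside the chroot. Settings reach the chroot
# through exported environment variables; the here-doc is quoted so the
# outer shell expands nothing (and no secret is embedded in the script text).
# Globals: ROOT_PART, MNT (read); ROOT_UUID and the REQUIRED_VARS used in the
#          chroot are exported
#######################################
configure_system() {
  local root_uuid
  root_uuid=$(blkid -s UUID -o value "$ROOT_PART") || die "cannot read UUID of $ROOT_PART"
  export ROOT_UUID="$root_uuid"
  export KEYMAP TIMEZONE LOCALE HOSTNAME USERNAME ROOTPASS USERPASS SSHPUBKEY CRYPT_NAME
  arch-chroot "$MNT" /bin/bash <<'EOF'
set -euo pipefail
ln -sf "/usr/share/zoneinfo/$TIMEZONE" /etc/localtime
hwclock --systohc
printf '%s UTF-8\n' "$LOCALE" > /etc/locale.gen
locale-gen
printf 'LANG=%s\n' "$LOCALE" > /etc/locale.conf
printf 'KEYMAP=%s\n' "$KEYMAP" > /etc/vconsole.conf
printf '%s\n' "$HOSTNAME" > /etc/hostname
cat > /etc/hosts <<HCONF
127.0.0.1 localhost
::1 localhost
127.0.1.1 $HOSTNAME.localdomain $HOSTNAME
HCONF

# passwords are fed to chpasswd on stdin so they never appear in argv
printf 'root:%s\n' "$ROOTPASS" | chpasswd
useradd -m -G wheel "$USERNAME"
printf '%s:%s\n' "$USERNAME" "$USERPASS" | chpasswd
# sudoers.d drop-in instead of appending to /etc/sudoers; visudo -c rejects
# a malformed file before it can lock out sudo
printf '%%wheel ALL=(ALL) ALL\n' > /etc/sudoers.d/10-wheel
chmod 440 /etc/sudoers.d/10-wheel
visudo -cf /etc/sudoers.d/10-wheel

# the busybox "encrypt" hook pairs with the cryptdevice= kernel parameter below
sed -i 's/^HOOKS=.*/HOOKS=(base udev autodetect keyboard keymap modconf block encrypt filesystems btrfs fsck)/' /etc/mkinitcpio.conf
mkinitcpio -P

bootctl install
cat > /boot/loader/loader.conf <<BLDR
default arch
timeout 3
editor no
BLDR
# address the LUKS container by UUID rather than a device name that can change
cat > /boot/loader/entries/arch.conf <<ENTRY
title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options cryptdevice=UUID=$ROOT_UUID:$CRYPT_NAME root=/dev/mapper/$CRYPT_NAME rw rootflags=subvol=@
ENTRY

# genfstab ran with the swapfile active; only add the line if it is missing
grep -q '^/swapfile[[:space:]]' /etc/fstab \
  || printf '/swapfile none swap defaults 0 0\n' >> /etc/fstab

systemctl enable sshd nftables apparmor systemd-networkd systemd-resolved
ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
cat > /etc/systemd/network/20-wired.network <<NET
[Match]
Name=en*
[Network]
DHCP=yes
NET

# key-only SSH for the admin user; root may log in with a key only
install -d -m 700 -o "$USERNAME" -g "$USERNAME" "/home/$USERNAME/.ssh"
printf '%s\n' "$SSHPUBKEY" > "/home/$USERNAME/.ssh/authorized_keys"
chmod 600 "/home/$USERNAME/.ssh/authorized_keys"
chown "$USERNAME:$USERNAME" "/home/$USERNAME/.ssh/authorized_keys"
sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config

# default-drop input policy: loopback, established flows, ICMP (required for
# IPv6 neighbour discovery and path-MTU) and SSH only
cat > /etc/nftables.conf <<NFT
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif lo accept
    meta l4proto { icmp, ipv6-icmp } accept
    tcp dport ssh accept
  }
}
NFT
# syntax check only: loading the ruleset here would apply it to the live ISO
# kernel, not the installed system (the nftables unit loads it at boot)
nft -c -f /etc/nftables.conf
EOF
}

#######################################
# Tear down the install mounts and reboot. Swap must be off first: a
# filesystem holding an active swapfile cannot be unmounted.
# Globals: MNT, CRYPT_NAME (read)
#######################################
finish() {
  swapoff "$MNT/swapfile"
  umount -R "$MNT"
  cryptsetup close "$CRYPT_NAME"
  reboot
}

main() {
  load_env
  preflight
  partition_and_encrypt
  make_filesystems
  make_swap
  install_base
  configure_system
  finish
}

main "$@"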