r.obin.ch

Workstation

This page contains the documentation of my usual workstation setup. Most of it was taken from the following ressources:

Preparation

  1. Prepare https://www.ventoy.net on an USB drive
  2. Download the Arch Linux image from https://archlinux.org/download/ and copy it to the USB drive
  3. Set up the BIOS:
    1. Disable secure boot1
    2. Swap Fn and Ctrl keys
    3. Enable function keys as primary function
    4. Enable virtualization
    5. Set BIOS passwords
  4. Connect the device to the internet
  5. Boot into Ventoy and select the Arch Linux image
  6. Change keyboard layout with loadkeys de_CH-latin1
  7. Update system clock with timedatectl set-ntp true
  8. Make sure the device is charged enough or connected to power
    • Get battery capacity with cat /sys/class/power_supply/BAT0/capacity

Access via SSH

Connecting to the live environment via SSH becomes handy, when you need to do some research on the internet, copy some commands or working on a different and maybe more comfy workplace.

  1. Reset the root password with passwd
  2. Allow login as root with password sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
  3. Reload SSH service with systemctl restart sshd.service
  4. Find the IP address with ip addr show
  5. Connect from another computer with ssh -o PreferredAuthentications=password root@[ip-address]

Partitioning

  1. Find installed block devices with fdisk -l
  2. If there is a EFI partition with at least 200 MiB it can be used for /boot otherwise the size should be increased or a separate /boot partition created
  3. Partition the block device with fdisk /dev/nvme0n1 to something like 
    Device           Start        End    Sectors   Size Type
/dev/nvme0n1p1    2048    2099199    2097152     1G EFI System
/dev/nvme0n1p2 2099200 2000408575 1998309376 952.9G Linux filesystem
  4. Encrypt system partition with cryptsetup luksFormat /dev/nvme0n1p2
    • Read carefully how to confirm
  5. Mount encrypted partition to cryptlvm with cryptsetup open /dev/nvme0n1p2 cryptlvm
  6. Create a physical volume on top of the LUKS container with pvcreate /dev/mapper/cryptlvm
  7. Create a volume group with the previously create physical volume with vgcreate systemcryptlvm /dev/mapper/cryptlvm
  8. Create logical volumes on the volume group: 
    lvcreate -L 8G systemcryptlvm -n swap
lvcreate -L 400G systemcryptlvm -n root
lvcreate -l 100%FREE systemcryptlvm -n home
  9. Format filesystem on each logical volume: 
    mkfs.btrfs /dev/systemcryptlvm/root
mkfs.btrfs /dev/systemcryptlvm/home
mkswap /dev/systemcryptlvm/swap
  10. If necessary format EFI partition with mkfs.fat -F32 /dev/nvme0n1p1
  11. Mount filesystems: 
    mount /dev/systemcryptlvm/root /mnt
mkdir /mnt/home
mount /dev/systemcryptlvm/home /mnt/home
swapon /dev/systemcryptlvm/swap
  12. Mount boot partition2: 
    mkdir /mnt/boot
mount /dev/nvme0n1p1 /mnt/boot

Install base system

  1. Set appropriate mirrors in /etc/pacman.d/mirrorlist or via reflector --country Switzerland --age 12 --protocol https --sort rate --download-timeout 10 --save /etc/pacman.d/mirrorlist
  2. Install base system with pacstrap /mnt base linux linux-firmware
  3. Generate an fstab file genfstab -U /mnt >> /mnt/etc/fstab
  4. Change root into the new system with arch-chroot /mnt
  5. Install lvm2, vim and btrfs-progs with pacman -S lvm2 vim btrfs-progs
  6. Update hooks in /etc/mkinitcpio.conf to HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems fsck) by adding encrypt lvm2 using vim
  7. Set time zone ln -sf /usr/share/zoneinfo/Europe/Zurich /etc/localtime
  8. Set hardware clock with hwclock --systohc
  9. Uncomment locale en_US.UTF-8 UTF-8 und de_CH.UTF-8 UTF-8 in /etc/locale.gen
  10. Generate locales with locale-gen
  11. Set locale in /etc/locale.conf to LANG=en_US.UTF-8
  12. Set keymap in /etc/vconsole.conf to 
    KEYMAP=sg
FONT=eurlatgr
    • All locales with localectl list-keymaps
    • All fonts with ls -l /usr/share/kbd/consolefonts/ | grep -i ".psfu.gz"
  13. Set hostename in /etc/hostname
  14. Create new initramfs with mkinitcpio -P
  15. Set root password with passwd

Boot manager

  1. Install grub and efibootmgr packages with pacman -S grub efibootmgr
  2. Install bootloader with grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
  3. Get UUID of cryptdevice with blkid | grep crypto
  4. Edit /etc/default/grub:
    1. Add GRUB_DISABLE_OS_PROBER=false at the end of the file to prevent Warning: os-prober will not be executed to detect other bootable partition and install package os-prober if you want to dual boot
    2. Change GRUB_CMDLINE_LINUX="cryptdevice=UUID=904eab28-ca25-4c03-a948-75539689b4d1:cryptlvm root=/dev/systemcryptlvm/root"
  5. Generate GRUB configuration grub-mkconfig -o /boot/grub/grub.cfg

Microcode

  1. Add microcode package with pacman -S amd-ucode or pacman -S intel-ucode
  2. Regenerate GRUB configuration grub-mkconfig -o /boot/grub/grub.cfg

User management

  1. Add a user useradd -m robin
  2. Set password passwd robin
  3. Add sudo package pacman -S sudo
  4. Edit sudoers file with EDITOR=vim visudo
  5. Uncomment that members of group sudo can execute any command by uncommenting the line %sudo ALL=(ALL:ALL) ALL
  6. Add group sudo with groupadd sudo
  7. Add user to group sudo gpasswd -a robin sudo

Graphical User Interface

  1. Install Gnome with pacman -S gnome
  2. Enable gdm with systemctl enable gdm
  3. Set x11 keymap with localectl --no-convert set-x11-keymap ch
  4. Configure Gnome:
    • Fast cursor speed gsettings set org.gnome.desktop.peripherals.mouse speed 1
    • Fast touchpad speed gsettings set org.gnome.desktop.peripherals.touchpad speed 1
    • Tab to click for touch pad gsettings set org.gnome.desktop.peripherals.touchpad tap-to-click true
    • Set keyboard layout gsettings set org.gnome.desktop.input-sources sources "[('xkb', 'ch')]"
    • Allow ALT and right mouse button to resize windows gsettings set org.gnome.desktop.wm.preferences resize-with-right-button true
    • Define keyboard shortcuts for opening terminal and browser
    • Enable switching windows shortcut on ALT + Tab in Keyboard settings
    • Enable night light mode
    • Enable Auto login
      1. Edit /etc/gdm/custom.conf: 
        [daemon]
AutomaticLoginEnable=True
AutomaticLogin=robin
  5. Add network manager package pacman -S networkmanager
  6. Enable network manager systemctl enable NetworkManager.service
  7. Enable Gnome Keyring SSH Agent with systemctl --user enable --now gcr-ssh-agent
  8. Define SSH_AUTH_SOCK in .bashrc with export SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/gcr/ssh
  9. Install a Chinese font pacman -S noto-fonts-cjk

Reboot to system

  1. Logout CTRL + D
  2. Unmount umount -R /mnt
  3. Restart reboot

AUR helper

  1. Install build tools pacman -S --needed base-devel git
  2. Clone paru git clone https://aur.archlinux.org/paru.git
  3. Build paru cd paru && makepkg -si

Drivers and firmware support

  1. Install firmware updated paru -S fwupd
  2. Get new update metadata fwupdmgr get-updates
  3. Install updates fwupdmgr update
  4. Enable bluetooth systemctl enable --now bluetooth
  5. Install fingerprint reader paru -S fprintd
    • Scan fingerprint in Gnome Settings
  6. Install tlp paru -S tlp tlp-rdw
    • Enable service systemctl enable --now tlp.service
    • Enable service systemctl enable --now NetworkManager-dispatcher.service
    • Mask systemctl mask systemd-rfkill.service and systemctl mask systemd-rfkill.socket
    • Set battery thresholds with tlp setcharge 60 80 BAT0
  7. Install printer support paru -S cups hplib

Configure VPN

  1. Configure Wireguard via NetworkManager

Tools

For more details about the software I use have a look at the software page.

  1. Install git pacman -S git
    • Configure user and email git config --global user.name "Robin" && git config --global user.email "[email protected]"
    • Configure GPG key git config --global user.signing
    • Enable commit signing by default git config --global commit.gpgsign true
  2. Install docker (Container runtime) paru -S docker docker-compose docker-buildx
    1. Add user to docker group gpasswd -a robin docker
    2. Restart
  3. Install localesend (Share data and files locally) paru -S localesend-bin
  4. Install Firefox (Browser) paru -S firefox
    1. Login into Mozilla account
  5. Install Visual Studio Code (Editor) paru -S visual-studio-code-bin
    1. Install Firacode font paru -S ttf-fira-code
    2. Login with Github
  6. Install KeepassXC (Password manager) paru -S keepassxc
  7. Install Evolution (Mail client) paru -S evolution
    1. Configure email accounts
    2. Configure webdav accounts
  8. Install LibreOffice (Office suite) paru -S libreoffice-fresh
    1. Enable experimental features in settings “Options > LibreOffice > Advanced”
    2. Enable Tabbed/Ribbon UI “View > User Interface”
  9. Install network tools paru -S nmap bind-tools
  10. Install man pages paru -S man-db man-pages
  11. Install fish paru -S fish
    1. Set fish as default interactive shell kgx -e fish
    2. Configure fish with fish_config
    3. Install fisher curl -sL https://git.io/fisher | source && fisher install jorgebucaran/fisher

Device specific

Lenovo ThinkPad P14s Gen 4 AMD

  • Prevent the touchpad from waking up the device3
    1. Create a new udev rule at /etc/udev/rules.d/99-disable-touchpad-wakeup.rules
    2. Add the following content: 
      KERNEL=="i2c-SYNA8018:00", SUBSYSTEM=="i2c", ATTR{power/wakeup}="disabled"

Footnotes

  1. I want to look into secure boot for a while, but since you can brick your device and on recent Lenovo ThinkPads it’s even more likely, I decided not to risk my new device. See this

  2. See this

  3. See this