From 494fa5dc64a13ada8950f348240ae8e202fc82b4 Mon Sep 17 00:00:00 2001 From: The_miro Date: Fri, 27 Mar 2026 13:24:14 +0100 Subject: [PATCH] copied archbaseos-guided-install.sh from The_miro/Dotfiles.git for base OS installation --- archbaseos-guided-install.sh | 202 +++++++++++++++++++++++++++++++++++ 1 file changed, 202 insertions(+) create mode 100755 archbaseos-guided-install.sh diff --git a/archbaseos-guided-install.sh b/archbaseos-guided-install.sh new file mode 100755 index 0000000..a175ee5 --- /dev/null +++ b/archbaseos-guided-install.sh @@ -0,0 +1,202 @@ +#!/usr/bin/env bash +set -euo pipefail + +############################################ +# Helper Functions +############################################ + +confirm() { + echo "WARNING: This will ERASE ALL DATA on $1" + read -rp "Type YES to continue: " ans + [[ $ans == "YES" ]] +} + +ask() { + local prompt=$1 + local var + read -rp "$prompt: " var + echo "$var" +} + +pause() { + read -rp "Press ENTER to continue..." +} + +############################################ +# Begin +############################################ + +echo "== Arch Linux FIDO2-Ready Installer ==" + +lsblk +DRIVE=$(ask "Enter install drive (e.g., /dev/sda)") +confirm "$DRIVE" || exit 1 + +# Required packages +pacman -Syd --noconfirm parted cryptsetup libfido2 pam-u2f systemd-ukify + +############################################ +# Partitioning +############################################ + +RAM_GB=$(free --giga | awk '/Mem/ {print $2}') +DISK_GB=$(lsblk -dn -o SIZE -b "$DRIVE" | awk '{print int($1/1024/1024/1024)}') + +EFI_SIZE=5 +SWAP_SIZE=$RAM_GB +ROOT_SIZE=$((DISK_GB - SWAP_SIZE - EFI_SIZE - 1)) + +if (( ROOT_SIZE < 8 )); then + echo "ERROR: Disk too small for layout." + exit 1 +fi + +echo "EFI=${EFI_SIZE}G, Root=${ROOT_SIZE}G, Swap=${SWAP_SIZE}G" + +parted -s "$DRIVE" mklabel gpt \ + mkpart EFI fat32 1MiB "${EFI_SIZE}GiB" \ + set 1 esp on \ + mkpart ROOT "${EFI_SIZE}GiB" "$((EFI_SIZE + ROOT_SIZE))GiB" \ + mkpart SWAP "$((EFI_SIZE + ROOT_SIZE))GiB" 100% + +EFI_PART="${DRIVE}1" +ROOT_PART="${DRIVE}2" +SWAP_PART="${DRIVE}3" + +mkfs.fat -F32 "$EFI_PART" +mkswap "$SWAP_PART" +swapon "$SWAP_PART" + +############################################ +# Encryption +############################################ + +echo +read -rp "Enable FIDO2 for unlocking root? (YES/NO): " ENABLE_FIDO_ROOT + +echo "Formatting LUKS2 root..." +cryptsetup luksFormat "$ROOT_PART" --type luks2 +cryptsetup open "$ROOT_PART" cryptroot + +if [[ $ENABLE_FIDO_ROOT == "YES" ]]; then + echo "Enroll FIDO2 key for LUKS2" + pause + systemd-cryptenroll "$ROOT_PART" --fido2-device=auto --fido2-with-client-pin=no +fi + +# Add fallback password +echo "Adding fallback LUKS password (recommended)" +cryptsetup luksAddKey "$ROOT_PART" + +############################################ +# Filesystem +############################################ + +mkfs.btrfs /dev/mapper/cryptroot + +mount /dev/mapper/cryptroot /mnt +btrfs subvolume create /mnt/@ +btrfs subvolume create /mnt/@home +umount /mnt + +mount -o subvol=@ /dev/mapper/cryptroot /mnt +mkdir -p /mnt/home +mount -o subvol=@home /dev/mapper/cryptroot /mnt/home + +mkdir -p /mnt/boot +mount "$EFI_PART" /mnt/boot + +############################################ +# Base System Install +############################################ + +GPU_INFO=$(lspci | grep -E "VGA|3D") +GPU_PKGS="" + +if echo "$GPU_INFO" | grep -qi nvidia; then + #GPU_PKGS="nvidia nvidia-utils" + GPU_PKGS="nvidia-open" +elif echo "$GPU_INFO" | grep -qi amd; then + GPU_PKGS="xf86-video-amdgpu" +elif echo "$GPU_INFO" | grep -qi intel; then + GPU_PKGS="xf86-video-intel" +fi + +KERNEL=$(ask "Kernel (linux, linux-lts, linux-zen)") +HOSTNAME=$(ask "Hostname") +USERNAME=$(ask "Username") +read -rsp "Password for $USERNAME: " USERPASS; echo + +read -rp "Enable FIDO2 for user login? (YES/NO): " ENABLE_FIDO_USER + +pacstrap /mnt \ + base "$KERNEL" linux-firmware vim zsh git networkmanager grub efibootmgr \ + btrfs-progs cryptsetup libfido2 pam-u2f sudo "$GPU_PKGS" + +genfstab -U /mnt >> /mnt/etc/fstab + +############################################ +# CHROOT Configuration +############################################ + +ROOT_UUID=$(blkid -s UUID -o value "$ROOT_PART") + + +arch-chroot /mnt /usr/bin/env \ + HOSTNAME="$HOSTNAME" \ + USERNAME="$USERNAME" \ + USERPASS="$USERPASS" \ + ENABLE_FIDO_ROOT="$ENABLE_FIDO_ROOT" \ + ENABLE_FIDO_USER="$ENABLE_FIDO_USER" \ + ROOT_UUID="$ROOT_UUID" \ + /bin/bash <<'EOF' + +set -euo pipefail + +echo "en_US.UTF-8 UTF-8" > /etc/locale.gen +locale-gen +echo "LANG=en_US.UTF-8" > /etc/locale.conf + +ln -sf /usr/share/zoneinfo/Europe/Vienna /etc/localtime +hwclock --systohc + +echo "$HOSTNAME" > /etc/hostname +systemctl enable NetworkManager + +useradd -m -G wheel -s /bin/zsh "$USERNAME" +echo "$USERNAME:$USERPASS" | chpasswd + +echo "%wheel ALL=(ALL) ALL" >> /etc/sudoers + +# Initramfs + GRUB for FIDO2 +if [[ "$ENABLE_FIDO_ROOT" == "YES" ]]; then + sed -i 's/^HOOKS=.*/HOOKS=(base systemd autodetect modconf block sd-encrypt filesystems keyboard fsck)/' /etc/mkinitcpio.conf +else + sed -i 's/^HOOKS=.*/HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)/' /etc/mkinitcpio.conf +fi + +mkinitcpio -P + +if [[ "$ENABLE_FIDO_ROOT" == "YES" ]]; then + GRUB_CMDLINE="rd.luks.name=$ROOT_UUID=cryptroot rd.luks.options=fido2-device=auto root=/dev/mapper/cryptroot" +else + GRUB_CMDLINE="cryptdevice=UUID=$ROOT_UUID:cryptroot root=/dev/mapper/cryptroot" +fi + +sed -i "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$GRUB_CMDLINE\"|" /etc/default/grub + +grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB +grub-mkconfig -o /boot/grub/grub.cfg + +# User login FIDO2 +if [[ "$ENABLE_FIDO_USER" == "YES" ]]; then + echo "Enrolling FIDO2 for user login" + mkdir -p /home/$USERNAME/.config/Yubico + chown $USERNAME:$USERNAME /home/$USERNAME/.config/Yubico + sudo -u "$USERNAME" bash -c "pamu2fcfg >> /home/$USERNAME/.config/Yubico/u2f_keys" + echo "auth required pam_u2f.so" >> /etc/pam.d/system-auth +fi +EOF + +echo "Installation complete!" +echo "Run: umount -R /mnt && reboot"