2026-01-03 17:27:23 -07:00


+++
date = '2025-12-19T22:51:02-07:00'
draft = false
title = 'Lenovo Slim'
tags = ['install', 'guide']
lastmod = '2025-12-19'
+++

Getting rid of Windows

Windows is not my favorite, and with the new push for fancy pattern matching engines that we call 'ai' I'm even less fond of it. My old Yoga 2 Pro was getting long in the tooth and Sarah's is not doing well with the increased load from Windows, so we got new laptops; Costco had a sale. First things first: how do we get rid of Windows on this Lenovo IdeaPad Slim?

  • Get into UEFI setup by holding F2 at power-on.
  • Turn off Secure Boot and the other Windows-only options.
  • Boot a live USB; I've had great luck with Ventoy.
  • Follow the Arch Linux Install Guide.
  • I deleted all partitions except the EFI system partition and made one LUKS-encrypted partition holding a btrfs filesystem with several subvolumes. Swap will be in a file.
    partition 1 -> EFI
    partition 2 -> LUKS encryption
        btrfs:
            @           ->  /
            @home       ->  /home
            @varlog     ->  /var/log
            @paccache   ->  /var/cache/pacman
            @dockerroot ->  /var/docker

Getting a bootable system

From the USB live environment we want to do the minimum necessary to get a bootable system: set up disk encryption, the mounts, the basic packages, and a root password. We'll worry about userspace apps and the pretty stuff once we're booted into the permanent system. For disk encryption we use dm-crypt/LUKS on the raw partition first, then create the filesystem and subvolumes on the opened mapper device (never on the raw partition, or the LUKS header gets overwritten).

cryptsetup -v luksFormat --label *cryptname* /dev/sda2
cryptsetup open /dev/sda2 sdacrypt   # the opened device is now /dev/mapper/sdacrypt

Once the encrypted partition is open we want to run the following once to store some options in the LUKS header so they are applied every time the partition is opened. These options are described here: dm-crypt/Specialties. Be aware of the trade-off with allow-discards: passing TRIM through to the SSD reveals which blocks of the encrypted partition are unused, which weakens the "everything looks like random data" property. Skip it if that matters more to you than SSD longevity.

cryptsetup --allow-discards --perf-no_read_workqueue \
    --perf-no_write_workqueue --persistent refresh sdacrypt

Check that they were applied by looking at the Flags line of the header dump:

cryptsetup luksDump /dev/sda2
Flags:       	allow-discards no-read-workqueue no-write-workqueue

Create the filesystem and subvols

mkfs.btrfs -L realroot /dev/mapper/sdacrypt
mount /dev/mapper/sdacrypt /mnt
btrfs subvolume create /mnt/@          # repeat for @home, @varlog, @paccache, @dockerroot
umount /mnt

Mount the root subvolume, create the mountpoints, and mount everything else (all btrfs mounts go through the mapper device, the ESP is the plain partition):

mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@ /dev/mapper/sdacrypt /mnt
mkdir /mnt/boot
mkdir /mnt/home
mkdir -p /mnt/var/log
mkdir -p /mnt/var/cache/pacman
mkdir -p /mnt/var/docker
mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@home /dev/mapper/sdacrypt /mnt/home
mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@varlog /dev/mapper/sdacrypt /mnt/var/log
mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@paccache /dev/mapper/sdacrypt /mnt/var/cache/pacman
mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@dockerroot /dev/mapper/sdacrypt /mnt/var/docker
mount /dev/sda1 /mnt/boot

Install the base system plus the packages needed to boot, unlock the disk, and get the network up (pam-u2f and openssh are here so the FIDO2 and dotfiles steps below need no extra installs):

pacstrap -K /mnt base linux linux-firmware amd-microcode btrfs-progs iwd neovim sudo vi pam-u2f openssh

Configure the system and chroot

genfstab -U /mnt >> /mnt/etc/fstab
arch-chroot /mnt
ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
hwclock --systohc

Edit /etc/locale.gen and uncomment the en_US lines, then create /etc/locale.conf containing:

LANG="en_US.UTF-8"
LC_COLLATE="C"

  • Run locale-gen.
  • Set the hostname in /etc/hostname.
  • Enable systemd-resolved and systemd-networkd, and ln -s the appropriate example .network file shipped in /usr/lib/systemd/network/ into /etc/systemd/network/ (the wifi-station one for this laptop; iwd handles the actual Wi-Fi association).

I like using a unified kernel image (UKI) instead of a bootloader where possible. With this in mind, and with the encrypted root, we need to edit mkinitcpio.conf and the preset. See "Encrypting the entire filesystem" for details on the encryption side and "Unified kernel image" for details on booting the kernel directly from the firmware.

Use the systemd-based hooks in mkinitcpio.conf so the initramfs can unlock LUKS (sd-encrypt) and, later, talk to the FIDO2 token:

HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)

Create /etc/crypttab.initramfs. The UUID is the one printed by cryptsetup luksDump /dev/sda2 (the LUKS header UUID, not the filesystem UUID); the first field is the mapper name the initramfs will create under /dev/mapper/, so pick it once and use the same name everywhere:

cryptname UUID=UUID none password-echo=no

Create /etc/cmdline.d/root.conf with the kernel command line; mkinitcpio reads every .conf in that directory into the UKI. The root= name must match the first field of crypttab.initramfs:

root=/dev/mapper/cryptname rw rootfstype=btrfs rootflags=subvol=@

Edit /etc/mkinitcpio.d/linux.preset: comment out the default_image and fallback_image lines and uncomment default_uki and fallback_uki. Change the directory part of the uki paths to match where the ESP is mounted, i.e. /boot/EFI/Linux, and create that Linux directory on the ESP. Then build the images with:

mkinitcpio -p linux

Note that with no bootloader the firmware still needs to know about the .efi file: either add a boot entry for it (efibootmgr can create one) or pick it from the firmware's boot menu.
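Before rebooting it is worth checking that the three pieces agree with each other, because a mismatch between the LUKS UUID, the crypttab name, and root= gives an unbootable system with no friendly error. The script below is an added example, not part of the original post: it takes the text of cryptsetup luksDump, crypttab.initramfs, and cmdline.d/root.conf and checks the UUID, the mapper name, and the persistent flags set earlier. The sample inputs are constructed (the UUID is made up) so it runs stand-alone; on the real system feed it the actual files as shown in the trailing comment.

```sh
#!/bin/sh
# Added example (not from the original post): consistency check for the
# sd-encrypt + UKI configuration. Verifies that
#   1. the UUID in crypttab.initramfs equals the LUKS header UUID,
#   2. the mapper name in crypttab matches root=/dev/mapper/<name>,
#   3. the persistent flags set with "cryptsetup --persistent refresh" are present.
# Prints one line per check and returns non-zero on any mismatch.

# Constructed sample inputs; a real luksDump is much longer, only the
# fields used here are included. The UUID is invented.
SAMPLE_LUKSDUMP='LUKS header information
Version:        2
Epoch:          5
Label:          cryptname
UUID:           0f3b2c1d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
Flags:          allow-discards no-read-workqueue no-write-workqueue'

SAMPLE_CRYPTTAB='cryptname UUID=0f3b2c1d-5e6f-4a7b-8c9d-0e1f2a3b4c5d none password-echo=no,fido2-device=auto'

SAMPLE_CMDLINE='root=/dev/mapper/cryptname rw rootfstype=btrfs rootflags=subvol=@'

# check_crypt_config LUKSDUMP_TEXT CRYPTTAB_TEXT CMDLINE_TEXT
check_crypt_config() {
    dump=$1; crypttab=$2; cmdline=$3
    rc=0

    luks_uuid=$(printf '%s\n' "$dump" | sed -n 's/^UUID:[[:space:]]*//p')
    luks_flags=$(printf '%s\n' "$dump" | sed -n 's/^Flags:[[:space:]]*//p')

    # first non-comment, non-empty crypttab line: NAME UUID=... KEYFILE OPTIONS
    entry=$(printf '%s\n' "$crypttab" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | head -n 1)
    ct_name=$(printf '%s\n' "$entry" | awk '{print $1}')
    ct_uuid=$(printf '%s\n' "$entry" | awk '{print $2}' | sed 's/^UUID=//')

    # root= parameter from the kernel command line, then strip /dev/mapper/
    root_dev=$(printf '%s\n' "$cmdline" | tr ' ' '\n' | sed -n 's/^root=//p')
    root_name=${root_dev#/dev/mapper/}

    if [ -n "$luks_uuid" ] && [ "$ct_uuid" = "$luks_uuid" ]; then
        echo "ok: crypttab UUID matches LUKS header"
    else
        echo "FAIL: crypttab UUID '$ct_uuid' != LUKS UUID '$luks_uuid'"; rc=1
    fi

    # root_dev != root_name proves the /dev/mapper/ prefix was actually there
    if [ "$root_dev" != "$root_name" ] && [ "$root_name" = "$ct_name" ]; then
        echo "ok: root=/dev/mapper/$root_name matches crypttab name"
    else
        echo "FAIL: root=$root_dev does not map to crypttab entry '$ct_name'"; rc=1
    fi

    for f in allow-discards no-read-workqueue no-write-workqueue; do
        case " $luks_flags " in
            *" $f "*) echo "ok: persistent flag $f set" ;;
            *)        echo "FAIL: persistent flag $f missing"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone run against the constructed samples. On the real system:
#   check_crypt_config "$(cryptsetup luksDump /dev/sda2)" \
#       "$(cat /etc/crypttab.initramfs)" "$(cat /etc/cmdline.d/root.conf)"
check_crypt_config "$SAMPLE_LUKSDUMP" "$SAMPLE_CRYPTTAB" "$SAMPLE_CMDLINE"
```

Run it inside the chroot after mkinitcpio finishes; a FAIL line means fix the file and rebuild the UKI before rebooting.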

Set the root password using passwd then reboot.

After rebooting into the new system we finish setting it up; see the Arch wiki's General recommendations for more. For our uses we need to:

Add a user

Never run daily as root, just don't. We add the user, create a home, add groups using

useradd -m -G wheel myuser
passwd myuser

Edit the sudoers file with visudo and uncomment the %wheel line, then log out, log in as the new user and make sure sudo works, e.g. sudo pacman -Syu:

visudo
%wheel ALL=(ALL:ALL) ALL

Secure root

This step could wait until after FIDO2 Login, as it's usually a good idea to be able to get into root while messing with pam.d files. There are several alternatives for securing root:

  • Generate a random string with openssl and set it as the root password without recording it, which effectively disables root login (passwd -l root locks the account outright if that is the intent).

openssl rand -base64 32 # 32 random bytes (256 bits), base64-encoded; also handy for secrets in programming

  • Use pass and create an entry; this lets you retrieve the root password at any time if needed.

pass generate local/hostname-root 30 # generates a 30-character password and stores it in your password store

  • sudo to root, run passwd, and mash the keyboard.

Decrypting with a FIDO2 hardware token

Why? Because I can, and it's much better security-wise than a password that's easy to remember and easy to type. The process has been made pretty easy; see Unlocking LUKS2 and systemd-cryptenroll. First enroll the token (you will be asked for the existing passphrase and the token's PIN/touch), then edit crypttab.initramfs so the boot process asks for the token. The passphrase keyslot stays in the header as a fallback; confirm with cryptsetup luksDump /dev/sda2 that the Keyslots section still lists it and the Tokens section now lists a systemd-fido2 entry.

sudo systemd-cryptenroll /dev/sda2 --fido2-device=auto
cryptname UUID=UUID none password-echo=no,fido2-device=auto

Reboot and see if it works.

Install user environment

First we need to get my dotfiles installed, then the userspace programs. Why dotfiles first? The repo carries an archpkgs.txt listing everything we want, so nothing has to be remembered.

sudo pacman -Syu git
ssh-keygen

copy the key in the .pub file and add it to my profile where my dotfiles are stored, currently gitea, for details see the readme.

git clone --bare ssh://gitea@gitea.ewpt3ch.dev:25213/ewpt3ch/dotfiles.git .dotfiles
alias dotfiles='/usr/bin/git --git-dir=$HOME/.dotfiles/ --work-tree=$HOME'
rm .bashrc # this is going to be replaced, and git checkout will complain if it exists
dotfiles checkout [branch] # probably workstation
sudo pacman -S --needed - < archpkgs.txt
/usr/bin/fish

Install fisher for fish plugins and vim-plug for neovim. Both lines fetch a script straight from GitHub over HTTPS and, in fisher's case, execute it immediately; if that bothers you, download the file first, read it, and pin a commit instead of main/master.

curl -sL https://raw.githubusercontent.com/jorgebucaran/fisher/main/functions/fisher.fish | source && fisher install jorgebucaran/fisher
curl -fLo "${XDG_DATA_HOME:-$HOME/.local/share}"/nvim/site/autoload/plug.vim --create-dirs https://raw.githubusercontent.com/junegunn/vim-plug/master/plug.vim

fisher update

open neovim and run :PlugUpdate

Plug in the YubiKey that will be used with this device, probably the one enrolled to unlock the drive (see gpg on yubikey), and run the following. Afterwards gpg -K should show the two subkeys as ssb> (secret on card) rather than ssb# (secret missing):

gpg --card-edit
gpg/card> fetch
gpg/card> quit
gpg --card-status

Log out and log back in again

Setup window manager

sway

Check cursor movement with the trackpad. If it doesn't feel right or tap-to-click isn't working, copy .config/sway/chiron/config to .config/sway/hostname/config and reload sway (alt+shift+c). See Swaywm.

FIDO2 Login

Even cooler than unlocking the disk with a FIDO2 token is logging in and using sudo with one; see Universal 2nd Factor. Register the token(s) for this host (the first command writes the user's line, -n appends further keys to that same line):

mkdir -p ~/.config/Yubico
pamu2fcfg -i pam://hostname > ~/.config/Yubico/u2f_keys
pamu2fcfg -n -i pam://hostname >> ~/.config/Yubico/u2f_keys # additional keys, appended to the same line

Open a second terminal and sudo su in it, so that if we mess something up we still have a root shell to fix it. I like to keep the password as a fallback even though it is less secure; that is what "sufficient" gives you here ("required" would make the token mandatory). Note also that with u2f_keys in the home directory the user can swap in their own token; pam_u2f's authfile= option can point at a root-owned file if you want to prevent that. Set up sudo for FIDO2 in the first terminal:

/etc/pam.d/sudo

auth    sufficient  pam_u2f.so cue origin=pam://hostname appid=pam://hostname

Test sudo and make sure it worked, if the device is not plugged in it should fallback to password.

If that worked we can set up login. Make sure you have a working root password or a bootable rescue device first; this has the potential to lock us out.

/etc/pam.d/login # add the following after the pam_nologin line

auth    sufficient  pam_u2f.so cue origin=pam://hostname appid=pam://hostname

Brightness control

The brightness buttons do not work out of the box; fortunately there's a utility to help: brightnessctl. In our dotfiles there's a new script called monbright that, like our volumeset, sets the monitor brightness, and the sway config binds it to the buttons. Getting it to work without sudo required adding my user to the video group:

sudo gpasswd -a *user* video

Then add a udev rule that changes the group of the brightness file to video and makes it group-writable, so members of the video group can change the setting without root; see Backlight. This is what lets the script below write to sysfs as the regular user.

/etc/udev/rules.d/backlight.rules
--------------------------
ACTION=="add", SUBSYSTEM=="backlight", RUN+="/bin/chgrp video $sys$devpath/brightness", RUN+="/bin/chmod g+w $sys$devpath/brightness"
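To show what the udev rule buys you, here is an added example script (not the monbright script from the dotfiles, which is not on this page) that steps the backlight by writing the sysfs brightness file directly as the regular user. The BACKLIGHT_DIR override and the scratch-directory usage are assumptions made so the logic can be tried without real hardware.

```sh
#!/bin/sh
# Added example (not the dotfiles' monbright): step the backlight up/down or
# set it to a percentage by writing the sysfs "brightness" file directly.
# This only works unprivileged because the udev rule above makes that file
# group-writable by "video".
# Usage: setbright +10 | -10 | 40

# compute_brightness CUR MAX STEP -> new raw value for the sysfs file.
# STEP is "+N"/"-N" (relative percent) or "N" (absolute percent); the result
# is clamped to [1%, 100%] so the screen never goes fully dark.
compute_brightness() {
    cur=$1; max=$2; step=$3
    [ "$max" -gt 0 ] || max=1            # guard against a bogus max_brightness
    pct=$(( cur * 100 / max ))           # current level as integer percent
    case $step in
        +*) pct=$(( pct + ${step#+} )) ;;
        -*) pct=$(( pct - ${step#-} )) ;;
        *)  pct=$step ;;
    esac
    [ "$pct" -gt 100 ] && pct=100
    [ "$pct" -lt 1 ] && pct=1
    echo $(( max * pct / 100 ))
}

# setbright STEP: reads and writes the device under BACKLIGHT_DIR (assumed
# override; defaults to the first device under /sys/class/backlight).
setbright() {
    dir=${BACKLIGHT_DIR:-$(ls -d /sys/class/backlight/* 2>/dev/null | head -n 1)}
    [ -n "$dir" ] && [ -r "$dir/max_brightness" ] || { echo "no backlight device" >&2; return 1; }
    cur=$(cat "$dir/brightness")
    max=$(cat "$dir/max_brightness")
    new=$(compute_brightness "$cur" "$max" "$1")
    # a permission error here means the udev rule is missing or the user is not in "video"
    printf '%s\n' "$new" > "$dir/brightness" || return 1
    echo "$new"
}

# When run as a script: ./setbright +10
if [ $# -gt 0 ]; then setbright "$1"; fi
```

Bind setbright +10 and setbright -10 to XF86MonBrightnessUp/Down in the sway config; because the write goes through group permissions rather than sudo, a misconfigured rule fails closed with a permission error instead of silently escalating.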

Conclusion

Everything on this laptop seems to work great out of the box so far. The only thing that is bugging me is the Wi-Fi. It seems to start slow and ramp up; not sure if it's the Arch mirrors right now with the ongoing DDoS issues or if it's something in the Wi-Fi driver.