+++
date = '2025-12-19T22:51:02-07:00'
draft = false
title = 'Lenovo Slim'
tags = ['install', 'guide']
lastmod = '2025-12-19'
+++
## Getting rid of Windows
Windows is not my favorite, and with the new push for fancy pattern matching engines that we call 'ai' I'm even less fond. My old Yoga 2 Pro was getting long in the tooth and Sarah's is not doing well with the increased load from Windows, so we got new laptops; Costco had a sale. First things first, how do we get rid of Windows on this Lenovo IdeaPad Slim.
- Get into UEFI by holding F2 at poweron
- turn off Secure Boot and some other Windows-only options
- boot into a live usb, I've had great luck with [Ventoy](https://www.ventoy.net/en/doc_start.html)
- Follow the [Arch Linux Install Guide](https://wiki.archlinux.org/title/Installation_guide)
- I deleted all partitions except the EFI and have one encrypted partition with btrfs and several subvolumes. Swap will be in a file.
```
partition 1 -> EFI
partition 2 -> LUKS encryption
btrfs:
@ -> /
@home -> /home
@varlog -> /var/log
@paccache -> /var/cache/pacman
@dockerroot -> /var/docker
```
## Getting a bootable system
With the usb live environment we want to do the minimal necessary to get a bootable system. This means setting up disk encryption, mounts, basic software, and a root password. We'll worry about userspace apps and pretty stuff once we're booted into the permanent system. Disk encryption will use [dm-crypt](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system) to encrypt the partition first, then make the filesystem and subvolumes.
```
cryptsetup -v luksFormat --label cryptname /dev/sda2
cryptsetup open /dev/sda2 sdacrypt   # mapper name used only for this live session
```
Once the encrypted partition is open we want to run the following once to set some options that will be applied every time the partition is opened. These options are described here: [dm-crypt/Specialties](https://wiki.archlinux.org/title/Dm-crypt/Specialties#Discard/TRIM_support_for_solid_state_drives_(SSD))
```
cryptsetup --allow-discards --perf-no_read_workqueue \
--perf-no_write_workqueue --persistent refresh sdacrypt
```
check that they were applied using
```
cryptsetup luksDump /dev/sda2
Flags: allow-discards no-read-workqueue no-write-workqueue
```
Create the filesystem and subvols
```
# the filesystem goes on the opened LUKS mapping, not on the raw partition
mkfs.btrfs -L realroot /dev/mapper/sdacrypt
mount /dev/mapper/sdacrypt /mnt
btrfs subvolume create /mnt/@ # repeat for @home, @varlog, @paccache, @dockerroot
umount /mnt
```
mount the root subvol, create the mountpoints and mount everything else
```
# all btrfs mounts come from the opened LUKS mapping /dev/mapper/sdacrypt
mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@ /dev/mapper/sdacrypt /mnt
mkdir -p /mnt/boot /mnt/home /mnt/var/log /mnt/var/cache/pacman /mnt/var/docker
mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@home /dev/mapper/sdacrypt /mnt/home
mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@varlog /dev/mapper/sdacrypt /mnt/var/log
mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@paccache /dev/mapper/sdacrypt /mnt/var/cache/pacman
mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@dockerroot /dev/mapper/sdacrypt /mnt/var/docker
mount /dev/sda1 /mnt/boot
```
install the base system and required packages to boot and get network up
```
pacstrap -K /mnt base linux linux-firmware amd-microcode btrfs-progs iwd neovim sudo vi pam-u2f openssh
```
Configure the system and chroot
```
genfstab -U /mnt >> /mnt/etc/fstab
arch-chroot /mnt
ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
hwclock --systohc
```
Edit `/etc/locale.gen` and uncomment the US English lines, then create `/etc/locale.conf` and add
```
LANG="en_US.UTF-8"
LC_COLLATE="C"
```
- Run locale-gen
- Set the hostname in /etc/hostname
- enable systemd-resolved and systemd-networkd, ln -s the appropriate network example into systemd/network.
I like using a unified kernel instead of a bootloader where possible. With this in mind and the encrypted root we need to edit mkinitcpio.conf and the preset. See [Encrypting the entire filesystem](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system) for details related to the encryption. See [Unified kernel image](https://wiki.archlinux.org/title/Unified_kernel_image) for details on booting the kernel directly.
Add to the hooks for dealing with encryption to mkinitcpio.conf:
```
HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)
```
create a file called `/etc/crypttab.initramfs` (UUID and cryptname need to match luksDump):
```
cryptname UUID=UUID none password-echo=no
```
create a file called root.conf in /etc/cmdline.d and add (cryptname must match cryptname in crypttab.initramfs):
```
root=/dev/mapper/cryptname rw rootfstype=btrfs rootflags=subvol=@
```
edit /etc/mkinitcpio.d/linux.preset, comment out `PRESET_image` and uncomment `PRESET_uki`. Change the dir part of the uki path to match the EFI directory, i.e. `/boot/EFI/Linux`, and make the Linux dir in the EFI path. Then recreate the image with:
```
mkinitcpio -p linux
```
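Before rebooting it is worth confirming that the pieces above actually agree with each other: the persistent flags shown by `luksDump`, the UUID in `/etc/crypttab.initramfs`, and the `root=/dev/mapper/...` name in `/etc/cmdline.d/root.conf`. The script below is an added example and not part of the original post; it only reads files (a saved `luksDump` output plus the two config files, or constructed samples) and reports any mismatch, so it is safe to run on the installed system.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the pieces of the
# encrypted-root boot configuration that must agree with each other before
# rebooting. Arguments are file paths so the checks run against either the
# real files or constructed samples; nothing here modifies the system.
#
#   DUMP      output of `cryptsetup luksDump /dev/sda2` saved to a file
#   CRYPTTAB  /etc/crypttab.initramfs
#   CMDLINE   /etc/cmdline.d/root.conf

# check_luks_flags DUMP
# Succeeds when all three persistent flags set with `cryptsetup refresh`
# appear on the Flags: line of the LUKS2 header dump.
check_luks_flags() {
    flags=$(sed -n 's/^Flags:[[:space:]]*//p' "$1")
    for f in allow-discards no-read-workqueue no-write-workqueue; do
        case " $flags " in
            *" $f "*) ;;
            *) echo "missing persistent flag: $f" >&2; return 1 ;;
        esac
    done
    return 0
}

# check_crypttab_cmdline DUMP CRYPTTAB CMDLINE
# Succeeds when the UUID in crypttab.initramfs is the LUKS header UUID and the
# kernel command line's root=/dev/mapper/<name> uses the crypttab mapper name.
check_crypttab_cmdline() {
    want_uuid=$(sed -n 's/^UUID:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1")
    # first non-comment, non-empty crypttab entry: <name> UUID=<uuid> <keyfile> <options>
    entry=$(awk '!/^[[:space:]]*#/ && NF { print; exit }' "$2")
    name=$(printf '%s\n' "$entry" | awk '{ print $1 }')
    uuid=$(printf '%s\n' "$entry" | awk '{ sub(/^UUID=/, "", $2); print $2 }')
    root=$(tr ' ' '\n' < "$3" | sed -n 's|^root=/dev/mapper/||p')
    status=0
    if [ -z "$want_uuid" ]; then
        echo "no UUID: line found in LUKS header dump" >&2; status=1
    elif [ "$uuid" != "$want_uuid" ]; then
        echo "crypttab UUID '$uuid' does not match LUKS UUID '$want_uuid'" >&2; status=1
    fi
    if [ -z "$name" ] || [ "$root" != "$name" ]; then
        echo "cmdline root=/dev/mapper/'$root' does not match crypttab name '$name'" >&2; status=1
    fi
    return $status
}

# When run directly as `sh check-boot.sh /dev/sda2`, dump the real header and
# check the real files; with no argument nothing runs (library use).
if [ -n "${1:-}" ]; then
    tmp=$(mktemp)
    cryptsetup luksDump "$1" > "$tmp"
    check_luks_flags "$tmp" && \
    check_crypttab_cmdline "$tmp" /etc/crypttab.initramfs /etc/cmdline.d/root.conf && \
    echo "boot configuration for $1 is consistent"
    rm -f "$tmp"
fi
```

Run it from the chroot as root with the LUKS partition as the argument; a non-zero exit and a message on stderr names the piece that does not line up.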
Set the root password using `passwd` then reboot.
Upon rebooting we're going to finish setting up the system, see here for more recommendations [General recommendations](https://wiki.archlinux.org/title/General_recommendations). For our uses we need to:
- [Add a user, set password, add to sudoers file](#add-a-user)
- [Secure root](#secure-root)
- [Enroll yubikey or other fido2 device into the luks partition](#decrypting-with-a-fido2-hardware-token)
- [Install our user environment](#install-user-environment)
- [Setup window manager](#setup-window-manager)
- [Setup fido2 login](#fido2-login)
- [Brightness control](#brightness-control)
## Add a user
Never run daily as root, just don't. We add the user, create a home, add groups using
```
useradd -m -G wheel myuser
passwd myuser
```
Edit the sudoers file and uncomment the %wheel line, then log out, log in as the new user and make sure sudo works, e.g. `sudo pacman -Syu`
```
visudo
%wheel ALL=(ALL:ALL) ALL
```
## Secure root
This step could wait until after [FIDO2 Login](#fido2-login) as it's usually a good idea to be able to get into root when messing with pam.d files. There are several alternatives for securing root:
- generate a random string using openssl and basically disable root login
`openssl rand -base64 32 # generates a 256 bit random key, also useful for secrets in programming`
- use [pass](https://www.passwordstore.org/) and create an entry; this would allow you to access the password at any time if needed.
`pass generate local/hostname-root 30 # this will generate a password and insert it into your password store`
- sudo to root, run `passwd` and mash the keyboard
## Decrypting with a FIDO2 hardware token
Why, cause I can, and it's way better security-wise than a password that's easy to remember and easy to type. The process has been made pretty easy, see [Unlocking LUKS2](https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html) and [systemd-cryptenroll](https://wiki.archlinux.org/title/Systemd-cryptenroll#FIDO2_tokens). First we have to enroll the device, then edit crypttab.initramfs and tell the boot process to ask for the device instead of a password.
```
sudo systemd-cryptenroll /dev/sda2 --fido2-device=auto
cryptname UUID=UUID none password-echo=no,fido2-device=auto
```
Since crypttab.initramfs is built into the image, regenerate the UKI the same way as before, then reboot and see if it works.
## Install user environment
First we need to get my dotfiles installed and install our userspace programs. Why dotfiles first? There's an archpkgs.txt file to help get everything we want without having to remember it.
```
sudo pacman -Syu git
ssh-keygen
```
copy the key in the .pub file and add it to my profile where my dotfiles are stored, currently [gitea](https://giteat.ewpt3ch.dev/ewpt3ch/dotfiles), for details see the readme.
```
git clone --bare ssh://gitea@gitea.ewpt3ch.dev:25213/ewpt3ch/dotfiles.git .dotfiles
alias dotfiles='/usr/bin/git --git-dir=$HOME/.dotfiles/ --work-tree=$HOME'
rm .bashrc # this is going to be replaced and git checkout will complain
dotfiles checkout [branch] # probably workstation
```
```
sudo pacman -S --needed - < archpkgs.txt
/usr/bin/fish
```
Install [fisher](https://github.com/jorgebucaran/fisher) for fish plugins and [vim plug](https://github.com/junegunn/vim-plug)
```
curl -sL https://raw.githubusercontent.com/jorgebucaran/fisher/main/functions/fisher.fish | source && fisher install jorgebucaran/fisher
curl -sL https://raw.githubusercontent.com/junegunn/vim-plug/master/plug.vim -o plug.vim
fisher update
```
open neovim and run `:PlugUpdate`
plug in the yubikey that will be used with this device, probably the one enrolled to unlock the drive, see [gpg on yubikey](https://blog.ewpt3ch.dev/posts/gpg-on-yubikey/), and run: (2 ssb entries should have a > instead of #)
```
gpg --card-edit
gpg/card> fetch
gpg/card> quit
gpg --card-status
```
Log out and log back in again
## Setup window manager
The window manager is sway. Check the movement of the mouse cursor with the trackpad on a laptop. If it doesn't feel right and the taps are not working, copy `.config/sway/chiron/config` to `.config/sway/hostname/config` and reload with `alt shift c`. See [Swaywm](https://github.com/swaywm/sway/wiki)
### FIDO2 Login
Even cooler than unlocking with a FIDO2 token is logging in and using sudo with one. [Universal 2nd Factor](https://wiki.archlinux.org/title/Universal_2nd_Factor#Passwordless_sudo)
```
mkdir ~/.config/Yubico
pamu2fcfg -i pam://hostname > ~/.config/Yubico/u2f_keys
pamu2fcfg -i pam://hostname >> ~/.config/Yubico/u2f_keys # additional keys
```
Open a 2nd terminal and `sudo su` just in case we mess something up, so we still have root and can fix it. I like to have the password as fallback even though it can be less secure. Set up sudo for FIDO2 in the first terminal by adding to `/etc/pam.d/sudo`:
```
auth sufficient pam_u2f.so cue origin=pam://hostname appid=pam://hostname
```
Test sudo and make sure it worked; if the device is not plugged in it should fall back to the password.
If that worked we can setup login. Make sure you have a working password for root or a bootable device, this has the potential to lock us out.
Add the following to `/etc/pam.d/login` after the pam_nologin line:
```
auth sufficient pam_u2f.so cue origin=pam://hostname appid=pam://hostname
```
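Because a bad line in these two files is exactly what locks you out, here is a small lint, added as an example and not part of the original post, for the properties this setup relies on: a single `auth sufficient pam_u2f.so` line carrying `origin=` and `appid=`, another auth line after it so the password fallback still exists, and, for login, `pam_nologin.so` ahead of it. It only reads the file you point it at.

```shell
#!/bin/sh
# Added example, not part of the original post: lint a PAM service file before
# relying on it, since a wrong pam_u2f line in /etc/pam.d/login can lock the
# machine. Reads the file only; nothing is changed.
#
# check_pam_u2f PAMFILE
# Succeeds when PAMFILE has exactly one "auth" line for pam_u2f.so whose
# control is "sufficient" (so a missing token falls through to the next
# module), that line carries origin= and appid=, at least one auth line
# follows it (the password path, e.g. `auth include system-auth`), and any
# pam_nologin.so line precedes it, as the login recipe above requires.
check_pam_u2f() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }      # skip comments and blank lines
        $1 == "auth" {
            n++                                    # position among auth lines
            if ($3 == "pam_u2f.so") {
                u2f++; u2f_pos = n
                if ($2 != "sufficient") {
                    print ("pam_u2f.so control is " $2 ", expected sufficient") > "/dev/stderr"; bad = 1
                }
                if ($0 !~ /origin=/ || $0 !~ /appid=/) {
                    print ("pam_u2f.so line lacks origin= or appid=") > "/dev/stderr"; bad = 1
                }
            }
            if ($3 == "pam_nologin.so") nologin_pos = n
        }
        END {
            if (u2f != 1) {
                print ("expected exactly one auth pam_u2f.so line, found " (u2f + 0)) > "/dev/stderr"; bad = 1
            } else if (u2f_pos == n) {
                print ("no auth line after pam_u2f.so: no password fallback") > "/dev/stderr"; bad = 1
            }
            if (nologin_pos && u2f_pos && nologin_pos > u2f_pos) {
                print ("pam_u2f.so must come after pam_nologin.so") > "/dev/stderr"; bad = 1
            }
            exit bad + 0
        }' "$1"
}
```

Run `check_pam_u2f /etc/pam.d/sudo` and `check_pam_u2f /etc/pam.d/login` from the second (root) terminal before closing it; a non-zero exit with a message on stderr means fix the file before logging out.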
### Brightness control
The brightness buttons do not work out of the box; fortunately there's a utility to help: [brightnessctl](https://github.com/Hummer12007/brightnessctl). In our dotfiles there's a new utility called monbright that, similar to our volumeset, sets the brightness of the monitor. We connect it to the buttons in the configuration for swaywm. Getting it to work required adding my user to the video group
```
sudo gpasswd -a myuser video
```
Then add a udev rule to change the group on the interface to video so members of the video group can change the setting, see [Backlight](https://wiki.archlinux.org/title/Backlight)
Create `/etc/udev/rules.d/backlight.rules` containing:
```
ACTION=="add", SUBSYSTEM=="backlight", RUN+="/bin/chgrp video $sys$devpath/brightness", RUN+="/bin/chmod g+w $sys$devpath/brightness"
```
### Conclusion
Everything on this laptop seems to work great out of the box so far. The only thing that is bugging me is the Wi-Fi. It seems to start slow and ramp up; not sure if it's the Arch mirrors right now with the ongoing DDoS issues or if it's something in the Wi-Fi driver.