blog.ewpt3ch.dev/content/posts/Lenovo-slim.md
Eric Phillips 31c445793f install booting
2025-12-22 23:15:45 -07:00

+++
date = '2025-12-19T22:51:02-07:00'
draft = false
title = 'Lenovo Slim'
tags = ['install', 'guide']
+++

Getting rid of Windows

Windows is not my favorite, and with the new push for fancy pattern matching engines that we call 'ai' I'm even less fond. My old Yoga 2 Pro was getting long in the tooth and Sarah's is not doing well with the increased load from Windows, so we got new laptops; Costco had a sale. First things first, how do we get rid of Windows on this Lenovo IdeaPad Slim?

  • Get into UEFI by holding F2 at power on
  • Turn off Secure Boot (the unsigned UKI built below will not boot with it on) and the other Windows-only options
  • Boot into a live USB; I've had great luck with Ventoy
  • Follow the Arch Linux Install Guide
  • I deleted all partitions except the EFI one and have a single LUKS-encrypted partition with btrfs and several subvolumes. Swap will be in a file.
    partition 1 -> EFI
    partition 2 -> LUKS encryption
        btrfs:
            @           ->  /
            @home       ->  /home
            @varlog     ->  /var/log
            @paccache   ->  /var/cache/pacman
            @dockerroot ->  /var/docker

Getting a bootable system

From the live USB environment we do the minimum necessary to get a bootable system: disk encryption, mounts, the base packages, and a root password. Userspace apps and pretty stuff wait until we're booted into the permanent system. Encryption uses dm-crypt/LUKS on the partition first; the filesystem and subvolumes are then created on the opened mapper device, never on the raw partition.

cryptsetup -v luksFormat --label cryptname /dev/sda2
cryptsetup open /dev/sda2 sdacrypt

Once the encrypted partition is open, run the following once to set options that will be applied every time the partition is opened; with --persistent they are stored in the LUKS2 header. The options are described in dm-crypt/Specialties.

cryptsetup --allow-discards --perf-no_read_workqueue \
    --perf-no_write_workqueue --persistent refresh sdacrypt

Check that they were stored in the header using

cryptsetup luksDump /dev/sda2
Flags:       	allow-discards no-read-workqueue no-write-workqueue

Create the filesystem and subvolumes on the opened mapper device (not on /dev/sda2 itself, which would overwrite the LUKS header you just created):

mkfs.btrfs -L realroot /dev/mapper/sdacrypt
mount /dev/mapper/sdacrypt /mnt
btrfs subvolume create /mnt/@ # repeat for @home, @varlog, @paccache and @dockerroot
umount /mnt

Mount the root subvolume, create the mount points (all of them under /mnt) and mount everything else. The subvol= name in each mount must match the subvolume created above:

mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@ /dev/mapper/sdacrypt /mnt
mkdir /mnt/boot
mkdir /mnt/home
mkdir -p /mnt/var/log
mkdir -p /mnt/var/cache/pacman
mkdir -p /mnt/var/docker
mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@home /dev/mapper/sdacrypt /mnt/home
mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@varlog /dev/mapper/sdacrypt /mnt/var/log
mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@paccache /dev/mapper/sdacrypt /mnt/var/cache/pacman
mount -o rw,noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@dockerroot /dev/mapper/sdacrypt /mnt/var/docker
mount /dev/sda1 /mnt/boot

Install the base system and the packages required to boot and get the network up:

pacstrap -K /mnt base linux linux-firmware amd-microcode btrfs-progs iwd neovim sudo vi pam-u2f

Generate the fstab, chroot into the new system, and set the time zone and hardware clock:

genfstab -U /mnt >> /mnt/etc/fstab
arch-chroot /mnt
ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
hwclock --systohc

Edit /etc/locale.gen and uncomment the US English lines, then create /etc/locale.conf containing

LANG="en_US.UTF-8"
LC_COLLATE="C"

  • Run locale-gen
  • Set the hostname in /etc/hostname
  • Enable systemd-resolved and systemd-networkd, and symlink the appropriate *.network.example from /usr/lib/systemd/network/ into /etc/systemd/network/ (dropping the .example suffix).

I like using a unified kernel image instead of a bootloader where possible. With this in mind, and with the encrypted root, we need to edit mkinitcpio.conf and the preset. See Encrypting the entire filesystem for details related to the encryption, and Unified kernel image for details on booting the kernel directly.

Add the hooks for handling encryption to mkinitcpio.conf; sd-encrypt reads /etc/crypttab.initramfs at boot, and sd-vconsole provides the keymap at the passphrase prompt:

HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)

Create /etc/crypttab.initramfs. The UUID is that of the LUKS container /dev/sda2 as printed by luksDump or blkid (not the btrfs UUID), and cryptname is the mapper device the initramfs will create:

cryptname UUID=<luks-uuid> none password-echo=no

Create /etc/cmdline.d/root.conf (mkinitcpio reads every *.conf in /etc/cmdline.d when it builds a UKI) containing the kernel command line; cryptname must match the first field of crypttab.initramfs:

root=/dev/mapper/cryptname rw rootfstype=btrfs rootflags=subvol=@

Edit /etc/mkinitcpio.d/linux.preset: comment out the default_image and fallback_image lines and uncomment default_uki and fallback_uki, changing the directory part to the ESP mounted at /boot, i.e. /boot/EFI/Linux/arch-linux.efi. Create that directory (mkdir -p /boot/EFI/Linux). Note that without a bootloader the firmware still needs a boot entry pointing at the .efi file (efibootmgr; covered on the Unified kernel image page), otherwise you can only start it from the firmware's boot menu. Then build the image with:

mkinitcpio -p linux
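As an added example, not from the original post: the two files above are generated from one set of variables and cross-checked before the UKI is built, so the mapper name in root= cannot drift from the first field of crypttab.initramfs and a leftover placeholder UUID is caught before the first reboot. The UUID, mapper name and subvolume in the demo are constructed values, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: build crypttab.initramfs and
# /etc/cmdline.d/root.conf from one set of variables, then cross-check them.
# The UUID, name and subvolume used in the demo are constructed values.

# crypttab.initramfs line: <mapper name> UUID=<LUKS container UUID> none <options>
# The UUID is the one shown by `cryptsetup luksDump /dev/sda2` (or blkid on
# the partition), not the btrfs UUID of the filesystem inside it.
gen_crypttab_line() {
    printf '%s UUID=%s none %s\n' "$1" "$2" "$3"
}

# Kernel command line for the UKI: <mapper name> <root subvolume>
gen_cmdline() {
    printf 'root=/dev/mapper/%s rw rootfstype=btrfs rootflags=subvol=%s\n' "$1" "$2"
}

# Return 0 when the crypttab line ($1) and the cmdline ($2) agree:
#  - the UUID field is a real UUID, not a placeholder such as UUID=UUID
#  - root= names exactly the mapper device the crypttab entry creates
check_boot_config() {
    crypt_line=$1
    cmdline=$2
    mapper_name=${crypt_line%% *}
    uuid=$(printf '%s\n' "$crypt_line" | awk '{ sub(/^UUID=/, "", $2); print $2 }')
    root_dev=$(printf '%s\n' "$cmdline" | tr ' ' '\n' | sed -n 's/^root=//p')

    if ! printf '%s\n' "$uuid" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo "crypttab: UUID field is not a UUID: '$uuid'" >&2
        return 1
    fi
    if [ "$root_dev" != "/dev/mapper/$mapper_name" ]; then
        echo "cmdline has root=$root_dev but crypttab opens /dev/mapper/$mapper_name" >&2
        return 1
    fi
    return 0
}

# Write both files under prefix $1 ("" on the real system inside the chroot,
# a scratch directory for a dry run), but only after the check passes.
write_boot_config() {
    prefix=$1; name=$2; uuid=$3; subvol=$4
    line=$(gen_crypttab_line "$name" "$uuid" "password-echo=no")
    cmd=$(gen_cmdline "$name" "$subvol")
    check_boot_config "$line" "$cmd" || return 1
    mkdir -p "$prefix/etc/cmdline.d"
    printf '%s\n' "$line" > "$prefix/etc/crypttab.initramfs"
    printf '%s\n' "$cmd" > "$prefix/etc/cmdline.d/root.conf"
}

# Dry run with constructed values into a scratch directory.
demo_dir=$(mktemp -d)
write_boot_config "$demo_dir" cryptname 5f3a9c2e-7b1d-4e8f-9a6b-0c2d4e6f8a1b @ \
    && cat "$demo_dir/etc/crypttab.initramfs" "$demo_dir/etc/cmdline.d/root.conf"
```

On the real machine, call write_boot_config with an empty prefix inside the chroot and the UUID copied from luksDump, then run mkinitcpio -p linux so the new crypttab and command line end up inside the UKI.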

Set the root password with passwd, exit the chroot, and reboot.

After rebooting we finish setting up the system; see General recommendations for more. For our uses we need to:

  • add a user, set a password, add to the sudoers file
  • enroll a YubiKey or other FIDO2 device into the LUKS partition
  • install our window manager and user programs and tools
  • set the root password to a long random string (test that sudo works first)
  • install our user environment, e.g. dotfiles and associated tooling
  • set up FIDO2 login

Add a user

Never run as root day to day, just don't. Add the user, create a home directory and add the wheel group with

useradd -m -G wheel myuser
passwd myuser

Run visudo, uncomment the %wheel line, then log out, log in as the new user and make sure sudo works, e.g. sudo pacman -Syu:

visudo
%wheel ALL=(ALL:ALL) ALL

Decrypting with a FIDO2 hardware token

Why? Because I can, and it's way better security-wise than a password that's easy to remember and easy to type. The process has been made pretty easy; see Unlocking LUKS2 and systemd-cryptenroll. First enroll the device, then edit crypttab.initramfs to tell the boot process to ask for the device instead of a password, and rebuild the UKI (mkinitcpio -p linux, as above) so the updated crypttab is embedded in the initramfs.

sudo systemd-cryptenroll /dev/sda2 --fido2-device=auto

and in /etc/crypttab.initramfs:

cryptname UUID=<luks-uuid> none password-echo=no,fido2-device=auto

Reboot and see if it works. systemd-cryptenroll adds a new keyslot and leaves the original passphrase slot in place, so the passphrase remains a fallback; if the token is not plugged in, systemd-cryptsetup falls back to a passphrase prompt after the token-timeout= period described in crypttab(5).
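Before rebooting on the token it is worth confirming what the LUKS2 header now contains. The following is an added example, not from the original post: it parses cryptsetup luksDump output (a constructed, abbreviated dump is embedded and its UUID is made up) and checks that the three persistent flags set earlier are stored, that a systemd-fido2 token is enrolled, and that at least one keyslot is not bound to any token, so the original passphrase still works if the key is lost or broken.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-reboot check over
# `cryptsetup luksDump` output, read on stdin. On the real system:
#   sudo cryptsetup luksDump /dev/sda2 | luks_preflight

# Every persistent flag from the refresh step must appear on the Flags: line.
check_flags() {
    flags=$(sed -n 's/^Flags:[[:space:]]*//p')
    for want in allow-discards no-read-workqueue no-write-workqueue; do
        case " $flags " in
            *" $want "*) ;;
            *) echo "missing persistent flag: $want" >&2; return 1 ;;
        esac
    done
}

# Keyslot numbers bound to a systemd-fido2 token, one per line.
fido2_keyslots() {
    awk '
        /^[A-Za-z]/ { section = $1 }                       # e.g. "Keyslots:", "Tokens:"
        section == "Tokens:" && /^ *[0-9]+: / { in_fido = ($2 == "systemd-fido2") }
        section == "Tokens:" && in_fido && $1 == "Keyslot:" { print $2 }
    ' | sort -n
}

# Keyslot numbers NOT bound to any token, i.e. plain passphrase slots.
fallback_keyslots() {
    awk '
        /^[A-Za-z]/ { section = $1 }
        section == "Keyslots:" && /^ *[0-9]+: / { n = $1; sub(/:/, "", n); slots[n] = 1 }
        section == "Tokens:" && $1 == "Keyslot:" { bound[$2] = 1 }
        END { for (s in slots) if (!(s in bound)) print s }
    ' | sort -n
}

# Run all three checks on one dump; return 0 only if everything passes.
luks_preflight() {
    dump=$(cat)
    rc=0
    printf '%s\n' "$dump" | check_flags || rc=1
    if [ -z "$(printf '%s\n' "$dump" | fido2_keyslots)" ]; then
        echo "no systemd-fido2 token enrolled" >&2; rc=1
    fi
    if [ -z "$(printf '%s\n' "$dump" | fallback_keyslots)" ]; then
        echo "every keyslot is bound to a token; keep a passphrase slot as fallback" >&2; rc=1
    fi
    return $rc
}

# Constructed, abbreviated dump: keyslot 0 is the passphrase, keyslot 1 was
# added by systemd-cryptenroll and is bound to token 0. UUID is made up.
sample_luks_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
UUID:           5f3a9c2e-7b1d-4e8f-9a6b-0c2d4e6f8a1b
Label:          cryptname
Flags:          allow-discards no-read-workqueue no-write-workqueue

Data segments:
  0: crypt
    cipher: aes-xts-plain64

Keyslots:
  0: luks2
    Key:        512 bits
    PBKDF:      argon2id
    Digest ID:  0
  1: luks2
    Key:        512 bits
    PBKDF:      pbkdf2
    Digest ID:  0
Tokens:
  0: systemd-fido2
    fido2-rp:   io.systemd.cryptsetup
    fido2-clientPin-required: true
    fido2-up-required: true
    Keyslot:    1
Digests:
  0: pbkdf2
    Hash:       sha256
EOF
}

# Demo on the constructed dump.
sample_luks_dump | luks_preflight && echo "luks preflight: ok"
```

If the flags are missing, the refresh step was run without --persistent; if no fallback slot is listed, the passphrase has been removed and losing the token means losing the disk.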

Install user environment and niceties