Manjaro Linux Reinstall Record

Manjaro Linux Setup

Install

  1. partition
    NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
    nvme0n1                                       259:0    0 931.5G  0 disk
    ├─nvme0n1p1                                   259:1    0   400M  0 part  /boot/efi
    ...
    ├─nvme0n1p5                                   259:5    0   258G  0 part
    │ └─luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 254:0    0   258G  0 crypt /
    ...
    The ESP partition nvme0n1p1 is mounted on /boot/efi, while the root filesystem is installed on the encrypted partition nvme0n1p5 using LUKSv1. Replace the block device names according to the actual layout of your computer.

System modification

Before starting, upgrade the whole system.

sudo pacman -Syu

Repository

  • Change server location: China.
  • Add the archlinuxcn repository at the end of /etc/pacman.conf. The redirection has to run as root, so pipe through tee; the single quotes keep $arch literal so that pacman, not the shell, expands it.
    printf '\n[archlinuxcn]\nServer = https://mirrors.ustc.edu.cn/archlinuxcn/$arch\n' | sudo tee -a /etc/pacman.conf
  • Enable flatpak and AUR in the "Add / Remove Software" settings.
  • Install the yay tool for a more comfortable package management experience.
    sudo pacman -S yay

Shell

  • Install oh-my-zsh-git from the archlinuxcn repository to get the latest code.

    yay -S archlinuxcn/oh-my-zsh-git
    After installing the package, copy .zshrc from the system template to the home directory.
    cp /usr/share/oh-my-zsh/zshrc ~/.zshrc
    Add the following code to the end of .zshrc to keep the original Manjaro shell experience.
    # Use powerline
    USE_POWERLINE="true"
    # Source manjaro-zsh-configuration
    if [[ -e /usr/share/zsh/manjaro-zsh-config ]]; then
      source /usr/share/zsh/manjaro-zsh-config
    fi
    # Use manjaro zsh prompt
    if [[ -e /usr/share/zsh/manjaro-zsh-prompt ]]; then
      source /usr/share/zsh/manjaro-zsh-prompt
    fi
    Finally, make a small modification: install the autojump plugin.
    yay -S autojump
    Modify the plugins line in .zshrc.
    plugins=(git autojump)
    Then change the login shell to zsh.
    chsh -s /bin/zsh

  • sudo without password: add this line at the end of /etc/sudoers.d/10-installer. The redirection has to run as root, so pipe through tee, and validate the file afterwards, because a syntax error in a sudoers drop-in disables sudo entirely.

    echo '%wheel ALL=(ALL:ALL) NOPASSWD: ALL' | sudo tee -a /etc/sudoers.d/10-installer
    sudo visudo -cf /etc/sudoers.d/10-installer   # syntax check before relying on it

GPU Switch

Use envycontrol to switch between Intel, NVIDIA and hybrid mode.

yay -S envycontrol

In addition, a KDE Plasma 5 widget can be convenient.

yay -S plasma5-applets-optimus-gpu-switcher

Fonts

Install several fonts for both Latin and Chinese text.

yay -S wqy-microhei-lite wqy-bitmapfont wqy-microhei wqy-zenhei ttf-roboto adobe-source-han-sans-cn-fonts adobe-source-han-serif-cn-fonts

Install ttf-apple-emoji to replace the original noto-fonts-emoji.

yay -S ttf-apple-emoji

Create a system-wide custom font configuration to enable Apple Color Emoji and change the preferred Chinese fonts.

sudo touch /etc/fonts/local.conf
sudo vim /etc/fonts/local.conf

Paste the following code into local.conf.

<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
  <alias>
    <family>sans-serif</family>
    <prefer>
      <family>Noto Sans</family>
      <family>Apple Color Emoji</family>
      <family>Noto Emoji</family>
      <family>DejaVu Sans</family>
      <family>Source Han Sans CN</family>
    </prefer>
  </alias>

  <alias>
    <family>serif</family>
    <prefer>
      <family>Noto Serif</family>
      <family>Apple Color Emoji</family>
      <family>Noto Emoji</family>
      <family>DejaVu Serif</family>
      <family>Source Han Serif CN</family>
    </prefer>
  </alias>

  <alias>
    <family>monospace</family>
    <prefer>
      <family>Noto Mono</family>
      <family>Apple Color Emoji</family>
      <family>Noto Emoji</family>
      <family>DejaVu Sans Mono</family>
      <family>WenQuanYi Micro Hei Mono</family>
    </prefer>
  </alias>
</fontconfig>

Command

Install some very useful and common tools.

yay -S zip net-tools base-devel nmap vulscan python-pypandoc
yay -S cowsay xcowsay sl asciiquarium fortune-mod cmatrix oneko toilet lolcat

Appearance

Install Latte Dock.

yay -S latte-dock

Change the desktop layout:

  • move the panel from the bottom to the top;
  • add widgets to the panel: Application Launcher, Global Menu, Panel Spacer, Network Speed, CatWalk, System Tray, Pager, Digital Clock, Peek at Desktop;
  • add Latte Dock at the bottom of the desktop with the widgets Application Dashboard, Latte Tasks, Trashcan and Analog Clock;
  • add a weather widget on the right side of the desktop.

Widget configuration: the CatWalk idle threshold is 30% and the weather location is Tianjin, China. For Latte Dock, the absolute item size is 56px, zoom on hover is 10%, background size is 14%, and opacity is 52%.

swapfile

The default installation creates no swap partition; for full suspend and hibernation support we set up swap manually.

Create a swap file matching the physical memory size and set restrictive permissions.

sudo fallocate -l 8G /.swapfile # create a hidden swapfile on the root /
sudo chmod 600 /.swapfile

Format and enable the swap file.

sudo mkswap /.swapfile
sudo swapon /.swapfile

Insert the swap entry into fstab (the redirection has to run as root, so pipe through tee).

echo "/.swapfile none swap defaults 0 0" | sudo tee -a /etc/fstab

Reboot and check that the swap is on.

swapon
NAME TYPE SIZE USED PRIO
/.swapfile file 8G 0B -2

Samba

In Dolphin, the Share tab of the file properties dialog is unavailable because the samba service is broken. Now we fix it.

yay -S samba
sudo touch /etc/samba/smb.conf
sudo mkdir -p /var/lib/samba/usershares
sudo groupadd sambashares -U [username]
sudo chown [username]:sambashares /var/lib/samba/usershares
sudo chmod 1770 /var/lib/samba/usershares

sudo systemctl enable smb.service

# Optional: make the host reachable by its NetBIOS host name
sudo systemctl enable nmb.service

# Optional: make the host discoverable by most non-Windows file managers
sudo systemctl enable avahi-daemon.service

# Optional: make the host discoverable by Windows; this requires the wsdd service
yay -S wsdd
sudo systemctl enable wsdd.service

Add the following text to smb.conf (to prevent bugs, keep a blank line at the end of the file).

[global]
usershare path = /var/lib/samba/usershares
usershare max shares = 100
usershare allow guests = yes
usershare owner only = yes


Then reboot.

Attention: there seem to be many bugs in the Share tab of the properties dialog.

Firewall

A firewall and a firewall GUI manager are optional for network use.

yay -S firewalld
sudo systemctl enable firewalld.service
sudo systemctl start firewalld.service

SSD trim

TRIM lets the filesystem tell the SSD which blocks are no longer in use so that it can discard them. Allowing discards through an encrypted device has known security trade-offs (the pattern of used and free blocks becomes visible on the raw device), but for most users the benefit of TRIM outweighs those concerns.

sudo cryptsetup --allow-discards --persistent refresh luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
sudo fstrim -a -v

Java environment

To run jar applications such as Minecraft, a Java environment is required. We can install OpenJDK with JavaFX support.

yay -S aur/java-openjfx # jre and jdk will be installed as dependencies automatically

Install and config application

git

Add LFS support.

yay -S git-lfs

Configure the user name and e-mail.

git config --global user.name "My Name"
git config --global user.email "myemail@example.com"

Internet Technology

There are many useful packages in the repository.

yay -S archlinuxcn/*****-verge-rev-bin watt-toolkit-bin

fcitx5 and rime

Install the fcitx5 bundle, which includes 4 packages:

  1. fcitx5
  2. fcitx5-configtool
  3. fcitx5-gtk
  4. fcitx5-qt

and other extra packages:

yay -S fcitx5-im fcitx5-lua kcm-fcitx5 fcitx5-rime fcitx5-chinese-addons libime manjaro-asian-input-support-fcitx5 rime-symbols

Then reboot to apply the changes.

Clone clover_flypinyin to the local machine.

git clone https://github.com/happylzyy/rime-cloverpinyin.git

Follow the README.md to build the package.

Extract the package to /usr/share/rime-data and replace the existing files.

Create a config file in ~/.local/share/fcitx5/rime.

touch default.custom.yaml

and write the following (the keys must be indented under patch:, otherwise rime ignores them):

patch:
  "menu/page_size": 5
  schema_list:
    - schema: clover_flypy
    - schema: clover

restart the rime engine.

apparmor

Install the apparmor utilities and enable the service.

yay -S apparmor
sudo systemctl enable apparmor.service

Add the kernel command line as follows. This section applies to UKI (mkinitcpio reads /etc/cmdline.d), not to grub.

sudo mkdir -p /etc/cmdline.d
sudo vim /etc/cmdline.d/security.conf

# enable apparmor
lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1 audit_backlog_limit=256

vim

Install gvim via the yay tool.

yay -S gvim

Clone the vim config into the .vim folder.

mkdir -p ~/.vim && cd ~/.vim
git clone https://github.com/happylzyy/vim-init.git
cd vim-init && git checkout linux

Create a new file .vimrc in the home directory and add the following line (use the absolute path, since the commands above changed the working directory):

echo 'source ~/.vim/vim-init/init.vim' > ~/.vimrc

Open vim and type :PluginInstall to fetch the missing plugins over the internet.

typora

The last free version of typora is 0.11.18 (beta); we can build it using the AUR PKGBUILD.

yay -S aur/typora-free

albert

yay -S archlinuxcn/albert

Open System Settings -> Startup and Shutdown -> Autostart and add albert to the autostart list.

Attention: albert has no Wayland support yet.

WPS

Install WPS and all dependencies, including Chinese language support, font packages, several fix patches, etc.

yay -S wps-office wps-office-all-dicts-win-languages wps-office-mui-zh-cn wps-office-mime-cn wps-office-fonts wps-office-bwrap freetype2-wps ttf-wps-fonts ttf-ms-fonts

Install libtiff5 as a bug fix.

yay -S libtiff5

GIMP

yay -S gimp

To make GIMP look like Photoshop, follow the PhotoGIMP project.

Node.js

yay -S nodejs npm

Configure a local registry mirror.

npm config set registry https://registry.npmmirror.com/

OneDrive

Since some files are synced through OneDrive, we install the onedrive client and create some links.

yay -S onedrive-abraunegg onedrivegui
# Set the OneDrive folder to ~/OneDrive in the onedrivegui app

ln -s ~/OneDrive/Sync/Minecraft/server ./server
ln -s ~/OneDrive/Sync/Calibre ./Calibre
ln -s ~/OneDrive/Sync/Zotero/storage ./Zotero/storage

Other apps without configuration

yay -S steam stellarium visual-studio-code-bin zenmap wechat-beta-bwrap lx-music-desktop-bin calibre zotero kleopatra

Secure Boot and LUKS TPM

Prepare

Install all the packages we need.

yay -S sbctl tpm2-tss tpm2-tools

Follow this guideline to generate a Machine Owner Key and enroll it into the EFI variables.

Install bootloader

This section changes the bootloader from grub to systemd-boot, because grub lacks LUKSv2 support.

Change the ESP mount point from /boot/efi to /efi permanently. If the ESP mount point is left unchanged, the grub packages should be removed instead.

sudo umount /boot/efi
sudo mkdir -p /efi
sudo sed -i 's|/boot/efi|/efi|g' /etc/fstab
sudo mount -a

Delete the old boot entry and install the new bootloader.

OLD_MANJARO="$(efibootmgr | grep "manjaro" | cut -d' ' -f1 | cut -c 5-8)" # manjaro is the old boot entry name
sudo efibootmgr -b "${OLD_MANJARO}" -B # delete the old boot entry
sudo bootctl install && sudo systemctl enable systemd-boot-update.service # install systemd-boot

After installation, a new boot entry "Linux Boot Manager" should appear in the UEFI boot menu.

Open loader.conf on the ESP (/boot/efi/loader/loader.conf, or /efi/loader/loader.conf if the mount point was moved) and add default @saved. This makes systemd-boot select the previously booted kernel by default. Another useful change is setting timeout to 1 or 2; that is most likely long enough to see the bootloader menu and stop the countdown if needed.

Configure initramfs

mkinitcpio.conf

Replace the HOOKS array in /etc/mkinitcpio.conf and keep the old one commented out at the end of the file, just in case:

OLD_HOOKS=$(grep "^HOOKS=(" /etc/mkinitcpio.conf)
sudo sed -i 's|'"${OLD_HOOKS}"'|HOOKS=(base systemd autodetect modconf kms keyboard sd-vconsole sd-encrypt block filesystems fsck)|' /etc/mkinitcpio.conf && echo "#previous_${OLD_HOOKS}" | sudo tee -a /etc/mkinitcpio.conf

Also, for a better (de)compression speed/efficiency ratio, consider setting COMPRESSION="zstd" in /etc/mkinitcpio.conf if it is not set already. Note that this only works starting from linux 5.10.

crypttab.initramfs

Add the entry for the LUKS partition to crypttab.initramfs (the redirection has to run as root, so pipe through tee):

UUID=$(sudo blkid -s UUID -o value /dev/nvme0n1p5)
echo "luks-$UUID UUID=$UUID none tpm2-device=auto" | sudo tee /etc/crypttab.initramfs

cmdline

Create the cmdline file from the current boot parameters of the system.

Optionally, /etc/cmdline.d can be used for more flexible configuration.

cat /proc/cmdline | sudo tee /etc/kernel/cmdline
# review the result: drop entries that belong to the grub boot, such as BOOT_IMAGE=... and initrd=..., before building the UKI

linux.preset

Open the preset file for the current kernel in /etc/mkinitcpio.d, such as linux66.preset.

Make the following changes:

  • uncomment default_uki, fallback_uki and default_options
  • comment out default_image and fallback_image
  • make sure the UKI paths use the actual mount point of the ESP

Build the UKI:

sudo mkinitcpio -P

After building, there should be several UKI images in /boot/efi/EFI/Linux (or /efi/EFI/Linux). Optionally, the old unused images under /boot can be removed.

sudo rm /boot/initramfs*

If a warning about consolefont appears during the build, create vconsole.conf and build again. Plain echo does not interpret \n, and the redirection has to run as root, so use printf and tee:

printf 'KEYMAP=us\nFONT=tcvn8x16\n' | sudo tee /etc/vconsole.conf

Secure Boot

sbctl is a tool that generates signed, and thus trusted, images used to boot the system.

Create a new script sbsign-all.

vim ./sbsign-all

Write the following code into this script and save it.

#!/usr/bin/env bash
set -euo pipefail
shopt -s nullglob   # an empty glob must not reach sbctl as a literal pattern

efidir="/boot/efi"  # use /efi here if the ESP mount point was moved

# UKI sign
for file in "${efidir}"/EFI/Linux/*.efi; do /usr/bin/sbctl sign -s "$file"; done

# systemd-boot sign
/usr/bin/sbctl sign -s -o /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed /usr/lib/systemd/boot/efi/systemd-bootx64.efi

# kernel sign
for file in /boot/vmlinuz*; do /usr/bin/sbctl sign -s "$file"; done

Make it executable.

sudo chmod a+x ./sbsign-all

Then run the script.

sudo ./sbsign-all

Thanks to the mkinitcpio hook and the pacman hook, signing runs automatically whenever the system is upgraded or modified.

After all the steps above, reboot, enter the UEFI setup menu, turn Secure Boot on, save and exit, and check that the system boots normally.

Unlock LUKS via TPM

The Manjaro installer uses LUKSv1 as the default encryption, but our plan only supports LUKSv2, so we need to convert the LUKS header before configuring the TPM.

Insert the Manjaro installation USB stick into the computer and boot into the live environment. If it is blocked by the Secure Boot policy, disable Secure Boot temporarily.

Open a terminal and run the following command.

sudo cryptsetup convert --type luks2 /dev/nvme0n1p5

Reboot and enable Secure Boot again.

Before sealing the LUKS key into the TPM, check with bootctl that the following conditions are satisfied:

  • the system was booted by the systemd-boot bootloader

  • the system was booted in Secure Boot mode
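
Both conditions can also be verified mechanically, which matters because a PCR 7 policy binds the key to exactly the Secure Boot state present at enrollment time. The script below is an added example, not part of the original record and not from bootctl or sbctl; it reads the same EFI variables that bootctl consults: SecureBoot under the EFI global variable GUID (one data byte, 1 when enforcing) and LoaderInfo under the systemd-boot vendor GUID (a UTF-16LE string set only by systemd-boot). The efivarfs path and the 4-byte attribute header that efivarfs prefixes to every variable are assumptions about a standard mount; each function also accepts a file argument so saved copies of the variables can be checked.

```shell
#!/usr/bin/env bash
# Added pre-flight check before systemd-cryptenroll (not from the original record).
# efivarfs stores each variable as 4 attribute bytes followed by the data, so the
# data starts at offset 4.
#   SecureBoot (EFI global variable GUID): one data byte, 1 = enforcing
#   LoaderInfo (systemd-boot vendor GUID): UTF-16LE string such as "systemd-boot 255"
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}      # assumed efivarfs mount point
SB_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e0098032b9"
LOADER_VAR="LoaderInfo-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f"

# efivar_byte FILE: print the first data byte (offset 4) as a decimal number
efivar_byte() {
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# secure_boot_enabled [FILE]: succeed only when the SecureBoot variable reads 1
secure_boot_enabled() {
    sb_file=${1:-$EFIVARS/$SB_VAR}
    [ -r "$sb_file" ] || return 1
    [ "$(efivar_byte "$sb_file")" = "1" ]
}

# loader_name [FILE]: print the boot loader identification; empty when the
# variable is absent (grub and most other loaders never set it)
loader_name() {
    loader_file=${1:-$EFIVARS/$LOADER_VAR}
    [ -r "$loader_file" ] || return 0
    tail -c +5 "$loader_file" | tr -d '\000'   # drop the header and the UTF-16 zero bytes
}

# booted_with_systemd_boot [FILE]: succeed only when LoaderInfo names systemd-boot
booted_with_systemd_boot() {
    case "$(loader_name "$1")" in
        systemd-boot*) return 0 ;;
        *) return 1 ;;
    esac
}

# tpm_preflight [SB_FILE] [LOADER_FILE]: both conditions must hold, otherwise the
# key would be sealed to a boot state that differs from the one used on later boots
tpm_preflight() {
    secure_boot_enabled "${1:-}" || { echo "Secure Boot is not enabled" >&2; return 1; }
    booted_with_systemd_boot "${2:-}" || { echo "not booted via systemd-boot" >&2; return 1; }
    echo "OK: Secure Boot on, loader: $(loader_name "${2:-}")"
}

# run as a script: sudo bash tpm-preflight.sh --run
if [ "${1:-}" = "--run" ]; then tpm_preflight; fi
```

Run it as a script with --run on the installed system, or source it and call tpm_preflight; a non-zero exit means the sealing step below should not be performed yet.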

If the conditions are satisfied, check the cryptsetup status:

sudo cryptsetup luksDump /dev/nvme0n1p5

Normally 1 or 2 keyslots are already occupied: the first one holds the passphrase we set, the other probably /crypto_keyfile.bin, and no tokens are in place (yet). We suggest removing slot 1 if it is occupied by the crypto_keyfile at the moment (since using a crypto_keyfile is not safe in the configuration we are building).

sudo cryptsetup luksKillSlot /dev/nvme0n1p5 1
sudo rm /crypto_keyfile.bin

Then seal the LUKS key into the TPM with PCR 7:

sudo systemd-cryptenroll /dev/nvme0n1p5 --tpm2-device=auto --tpm2-pcrs=7
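
The luksDump state is worth checking mechanically twice: before luksKillSlot, to confirm that the header is LUKS2 and exactly which slots and tokens exist, and after systemd-cryptenroll, to confirm that a systemd-tpm2 token bound to PCR 7 now references a keyslot. The following is an added example, not part of the original record and not cryptsetup's own tooling; it summarizes a luksDump read from standard input. The two embedded dumps are constructed samples that follow the LUKS2 luksDump layout with a placeholder UUID; the token field names tpm2-pcrs (older systemd) and tpm2-hash-pcrs (newer systemd) are both recognized.

```shell
#!/usr/bin/env bash
# Added example (not from the original record or from cryptsetup).
# Usage on the real device:
#   sudo cryptsetup luksDump /dev/nvme0n1p5 | luks_summary
#   sudo cryptsetup luksDump /dev/nvme0n1p5 | luks_tpm_ready

# luks_summary: print one line
#   version=N keyslots=a,b tokens=T [token_type=... token_keyslot=...] [tpm2_pcrs=...]
luks_summary() {
    awk '
        /^Version:/  { version = $2 }
        /^Keyslots:/ { section = "keyslots"; next }
        /^Tokens:/   { section = "tokens";   next }
        /^Digests:/ || /^Data segments:/ { section = ""; next }
        # entries are indented by two spaces: "  0: luks2", "  0: systemd-tpm2"
        section == "keyslots" && /^  [0-9]+: / { sub(":", "", $1); slots = slots (slots ? "," : "") $1 }
        section == "tokens"   && /^  [0-9]+: / { tokens++; ttype = $2 }
        section == "tokens"   && /[[:space:]]Keyslot:/ { tkslot = $2 }
        section == "tokens"   && /tpm2-(hash-)?pcrs:/ { pcrs = $2 }
        END {
            printf "version=%s keyslots=%s tokens=%d", version, (slots ? slots : "none"), tokens
            if (tokens > 0) printf " token_type=%s token_keyslot=%s", ttype, tkslot
            if (pcrs != "") printf " tpm2_pcrs=%s", pcrs
            printf "\n"
        }'
}

# luks_tpm_ready: succeed only when the dump on stdin is LUKS2 and carries a
# systemd-tpm2 token bound to PCR 7, the state systemd-cryptenroll should leave behind
luks_tpm_ready() {
    summary=$(luks_summary)
    case "$summary" in
        "version=2 "*"token_type=systemd-tpm2"*"tpm2_pcrs=7"*) echo "ready: $summary"; return 0 ;;
        *) echo "not ready: $summary" >&2; return 1 ;;
    esac
}

# Constructed sample: header state before enrollment (two keyslots, no tokens).
SAMPLE_BEFORE='LUKS header information
Version:        2
Epoch:          5
UUID:           PLACEHOLDER-UUID
Label:          (no label)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

# Constructed sample: header state after systemd-cryptenroll added a PCR 7 token in slot 1.
SAMPLE_AFTER='LUKS header information
Version:        2
Epoch:          7
UUID:           PLACEHOLDER-UUID

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
  1: luks2
        Key:        512 bits
        Priority:   normal
Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   7
        tpm2-pcr-bank:    sha256
        tpm2-pin:         false
        Keyslot:          1
Digests:
  0: pbkdf2
        Hash:       sha256'
```

On the constructed samples, luks_summary reports keyslots 0 and 1 with no tokens before enrollment and a systemd-tpm2 token on keyslot 1 with tpm2_pcrs=7 afterwards; luks_tpm_ready fails on the first and succeeds on the second.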

References

  1. https://forum.manjaro.org/t/howto-using-secure-boot-and-tpm2-to-unlock-luks-partition-on-boot/101626
  2. https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#
  3. https://wiki.archlinux.org/title/Unified_kernel_image
  4. https://wiki.archlinux.org/title/Trusted_Platform_Module
  5. https://wiki.archlinux.org/title/Systemd-cryptenroll#Trusted_Platform_Module
  6. https://wiki.archlinux.org/title/Dm-crypt/System_configuration#Using_systemd-cryptsetup-generator
  7. https://wiki.archlinux.org/title/Dm-crypt/System_configuration#Examples
  8. https://wiki.archlinux.org/title/Dm-crypt/System_configuration#Trusted_Platform_Module_and_FIDO2_keys