An opinionated, declarative, idempotent Arch Linux installer with a focus on security.
Goal: Define your system once in YAML, deploy anywhere, recover from anything.
| Feature | Description |
|---|---|
| LUKS2 Encryption | Full disk encryption with argon2id |
| BTRFS Snapshots | 12 subvolumes, bootable snapshots, automatic cleanup |
| Secure Boot | Unified Kernel Images, systemd-boot, sbctl signing |
| Security Hardening | Kernel hardening, CPU mitigations, firewall, and more |
| Multiple Kernels | linux-hardened, mainline, LTS with variants |
| Multi-Desktop | GNOME, KDE, Hyprland - install one or all, choose at login |
| Dual-Boot Ready | Friendly to Windows dual-boot (separate drives recommended) |
| Package Profiles | Different profiles based on your hardware and preferences |
| Dotfiles Sync | Git backups of config files, push/pull functionality |
| Notifications | Desktop alerts for snapshots and sync |

```bash
# From Arch ISO live environment
pacman-key --init
pacman -Sy git
git clone https://github.com/kodoshi/arch_installer.git
cd arch_installer
# Edit config (optional)
nano config/config.yaml
# Install
chmod +x ./scripts/install.sh
./scripts/install.sh
```

This installer implements defense-in-depth with multiple security layers:

| Feature | Implementation |
|---|---|
| LUKS2 | Full disk encryption with aes-xts-plain64, 512-bit key |
| Key Derivation | argon2id PBKDF (1GB memory, 4 threads, 4000ms iterations) |
The kernel command line includes security parameters:
| Parameter | Purpose |
|---|---|
| `lockdown=integrity` | Kernel lockdown mode |
| `iommu=force` | Force IOMMU for DMA protection |
| `pti=on` | Page Table Isolation (Meltdown mitigation) |
| `spectre_v2=on` | Spectre v2 mitigation |
| `spec_store_bypass_disable=on` | Spectre v4 mitigation |
| `l1tf=full,force` | L1 Terminal Fault mitigation |
| `mds=full,nosmt` | Microarchitectural Data Sampling mitigation |
| `srbds=on` | Special Register Buffer mitigation |
| `tsx_async_abort=full,nosmt` | TSX Async Abort mitigation |
| `init_on_alloc=1` | Zero memory on allocation |
| `init_on_free=1` | Zero memory on free |

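
A check for the parameters in the table above, as an added example that is not part of the installer's own code: it reports every listed parameter that is absent from a kernel command line, set to a different value, or contradicted by a second occurrence of the same key. The function name `missing_params` and the sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of arch_installer: list the hardening parameters
# from the table above that are not cleanly set on a kernel command line.

# Parameters and values exactly as given in the table.
REQUIRED_PARAMS="lockdown=integrity iommu=force pti=on spectre_v2=on
spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt srbds=on
tsx_async_abort=full,nosmt init_on_alloc=1 init_on_free=1"

# missing_params CMDLINE
# Prints one line per required parameter that is absent, has a different
# value, or is contradicted by another occurrence of the same key
# (e.g. a stray "pti=off"). Conflicts are reported rather than guessed at.
# The body runs in a subshell so "set -f" (no globbing while the line is
# split on whitespace) does not leak into the caller.
missing_params() (
    set -f
    cmdline="$1"
    for want in $REQUIRED_PARAMS; do
        key="${want%%=*}"
        seen=0
        ok=1
        for tok in $cmdline; do
            if [ "${tok%%=*}" = "$key" ]; then
                seen=1
                if [ "$tok" != "$want" ]; then ok=0; fi
            fi
        done
        if [ "$seen" -eq 0 ] || [ "$ok" -eq 0 ]; then
            echo "$want"
        fi
    done
)

# Constructed sample line: pti is contradicted by a later pti=off,
# mds lacks nosmt, srbds and tsx_async_abort are absent.
SAMPLE_CMDLINE="rw lockdown=integrity iommu=force pti=on spectre_v2=on \
spec_store_bypass_disable=on l1tf=full,force mds=full init_on_alloc=1 \
init_on_free=1 pti=off"

missing_params "$SAMPLE_CMDLINE"
# On an installed system: missing_params "$(cat /proc/cmdline)"
```

Empty output means every parameter from the table is present exactly once with the listed value.
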
| Feature | Implementation |
|---|---|
| UKI Signing | Unified Kernel Images signed with sbctl |
| Key Management | Custom Secure Boot keys via sbctl |
| Boot Protection | Only signed kernels can boot |
| Setting | Value |
|---|---|
| Default incoming | deny - blocks unsolicited connections |
| Default outgoing | allow - permits normal internet |
| ICMP | blocked - invisible to ping sweeps |
| Logging | enabled - audit trail |
The linux-hardened kernel is available as a package option, providing additional exploit mitigations.
For detailed threat analysis, see docs/threat-model.md.
| Topic | Description |
|---|---|
| Configuration | System, storage, boot, GPU, snapper settings |
| BTRFS Layout | Subvolume structure and snapshot storage |
| Bootable Snapshots | Boot into previous system states |
| Secure Boot | Key enrollment and UKI signing |
| Firewall | UFW setup and hardening |
| Threat Model | Security threats and mitigations |
| Verification | Post-install checks |
| Dotfiles Sync | Git backup of config files, with versioning |
| Notifications | Desktop alerts setup |
| Troubleshooting | Common issues and solutions |
| Development | Testing, file structure, idempotency |

```bash
# Hold Space during boot → Select "Snapshot #N [kernel] (date)"
# Verify: cat /proc/cmdline | grep -o 'subvol=[^ ]*'
# Make permanent: snapper -c root rollback <N>
```

```bash
dotfiles-sync init git@github.com:user/dotfiles.git
dotfiles-sync push
dotfiles-sync pull
```

```bash
verify-install --fix
```

- Expand Notifications: Think of more useful desktop notifications, e.g. SSH login attempts
- Expand Testing Suite: Current tests are limited by Docker; figure out full automated testing with actual VMs (maybe where Secure Boot can also be tested?)
- Improve declarative nature of this installer: There are still some imperative steps in the install scripts that could be made more declarative/config-driven, e.g. push the dotfiles setup into config.yaml, declaring what is supposed to be tracked.
- More package profiles: Add more profiles? Figure out personas and/or hardware setups to target
- Improve CI: poetry.lock should be generated on remote workers to avoid diff noise. Also expand CI based on the improved testing suite.
- Add more desktops ???
See LICENSE for details.