#!/bin/bash

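# Keyfile for /boot (the "cryptboot" mapping on /dev/sda2), so that it can be
# opened without a second passphrase prompt.
# The keyfile is equivalent to a LUKS passphrase: it must never be readable by
# anyone but root, not even briefly, and it is only as well protected as the
# filesystem that holds /etc (presumably the encrypted root; verify).
(
  # Restrictive umask so dd creates the file as 0600 rather than the usual
  # 0644; otherwise the key is world-readable until the chmod below runs.
  umask 077
  dd bs=512 count=8 if=/dev/urandom of=/etc/key
) || exit 1
chmod 400 /etc/key || exit 1
# Stop if enrolment fails, so crypttab never references a key that does not
# actually unlock the volume.
cryptsetup luksAddKey /dev/sda2 /etc/key || exit 1
# Append the crypttab entry only once, so re-running the script does not leave
# duplicate "cryptboot" lines. grep's stderr is silenced on purpose: a missing
# /etc/crypttab simply means the entry is not there yet.
crypttab_entry="cryptboot /dev/sda2 /etc/key luks"
if ! grep -qxF -- "$crypttab_entry" /etc/crypttab 2>/dev/null; then
  printf '%s\n' "$crypttab_entry" >> /etc/crypttab || exit 1
fi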

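# Same idea for the LUKS container on /dev/sda3 (LVM): enrol a keyfile and
# embed it in the initramfs so the volume opens without a password prompt.
# The initramfs images then contain key material, so they must stay root-only
# and should live only on an encrypted /boot.
(
  # Restrictive umask: the keyfile is never world-readable, even in the window
  # between creation by dd and the chmod below.
  umask 077
  dd bs=512 count=8 if=/dev/urandom of=/crypto_keyfile.bin
) || exit 1
# Mode 000 still lets root read the file; it only removes access for others.
chmod 000 /crypto_keyfile.bin || exit 1
# Do not touch mkinitcpio.conf if the key could not be enrolled.
cryptsetup luksAddKey /dev/sda3 /crypto_keyfile.bin || exit 1
# '|' as delimiter: POSIX leaves a backslash delimiter undefined. The line is
# anchored, so no 'g' flag is needed. This overwrites any existing FILES= value.
sed -i 's|^FILES=.*|FILES="/crypto_keyfile.bin"|' /etc/mkinitcpio.conf || exit 1
# Record the build status but tighten permissions before acting on it, so an
# image that was written despite an error is not left readable.
mkinitcpio_status=0
mkinitcpio -p linux || mkinitcpio_status=$?
# NOTE(review): the images may be readable for a moment before this chmod,
# depending on how mkinitcpio creates them - confirm.
chmod 600 /boot/initramfs-linux* || exit 1
if [ "$mkinitcpio_status" -ne 0 ]; then
  echo "mkinitcpio failed with status $mkinitcpio_status" >&2
  exit "$mkinitcpio_status"
fi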

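# Enable Intel microcode CPU updates (if you use Intel processor, of course)
# pacman -S intel-ucode
# Regenerate the GRUB configuration and install the EFI loader.
# NOTE(review): with /boot inside LUKS, GRUB normally needs
# GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub; this script does not set it -
# confirm it is configured elsewhere.
# NOTE(review): /boot/efi is presumably an unencrypted ESP, so the loader
# installed there is not covered by the disk encryption - confirm.
# Failures are reported explicitly: the script would otherwise end with the
# status of a later command and hide a broken bootloader setup.
grub-mkconfig -o /boot/grub/grub.cfg || {
  echo "grub-mkconfig failed" >&2
  exit 1
}
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ArchLinux || {
  echo "grub-install failed" >&2
  exit 1
}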

# Extra hardening: make these directories accessible to their owner only.
# /boot holds the initramfs images with the embedded keyfile; /etc/iptables
# presumably holds the firewall rule files (verify).
for restricted_dir in /boot /etc/iptables; do
  chmod 700 "$restricted_dir"
done

