Install Alpine Linux on ZFS, on LUKS, with FDE and standalone UEFI GRUB
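#!/bin/sh
# Install Alpine Linux on ZFS, on LUKS, with FDE and standalone UEFI GRUB
#
# Run as root from the Alpine live environment. DESTRUCTIVE: /dev/sda is
# repartitioned and reformatted without confirmation.
#
# Optional environment:
#   ROOT_PASSWORD    password set for root            (default: changeme)
#   LUKS_PASSPHRASE  passphrase of the LUKS container (default: changeme)
#
# The defaults are publicly known placeholders. A disk encrypted with the
# default passphrase offers no confidentiality until that key slot is replaced.
set -e

ROOT_PASSWORD="${ROOT_PASSWORD:-changeme}"
LUKS_PASSPHRASE="${LUKS_PASSPHRASE:-changeme}"
if [ "$ROOT_PASSWORD" = changeme ] || [ "$LUKS_PASSPHRASE" = changeme ]; then
  echo "warning: using the default 'changeme' secret; set ROOT_PASSWORD and" \
    "LUKS_PASSPHRASE, or change both right after the first boot" >&2
fi

# Answer file for setup-alpine. The quoted delimiter keeps the text literal.
cat > answers.txt << 'EOF'
KEYMAPOPTS="us us"
HOSTNAMEOPTS="-n localhost"
INTERFACESOPTS="auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
"
TIMEZONEOPTS="-z America/Detroit"
PROXYOPTS="none"
APKREPOSOPTS="-1"
SSHDOPTS="-c openssh"
NTPOPTS="-c chrony"
DISKOPTS="-z --please-dont-do-anything"
EOF

# DISKOPTS looks deliberately unusable so setup-alpine leaves the disk alone
# (presumably; confirm). "|| true" tolerates that, but it also hides any other
# setup-alpine failure.
setup-alpine -e -f answers.txt || true

# The password goes through stdin, so it never shows up in a process listing.
printf '%s:%s\n' root "$ROOT_PASSWORD" | chpasswd

modprobe zfs
apk add zfs sfdisk cryptsetup

# GPT layout: 100M EFI System Partition, and the rest as the LUKS container.
sfdisk --quiet --label gpt /dev/sda << 'EOF'
/dev/sda1: start=1M,size=100M,bootable,type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B
/dev/sda2: type=CA7D7CCB-63ED-4C53-861C-1742536059CC
EOF

# Create the partition device nodes by hand in case they are not there yet.
# Failure is tolerated because the nodes may already exist.
mknod /dev/sda1 b 8 1 || true
mknod /dev/sda2 b 8 2 || true

mkfs.vfat -F 32 /dev/sda1

# LUKS1 matches the "luks" module embedded in the GRUB image built below.
printf '%s' "$LUKS_PASSPHRASE" | cryptsetup -M luks1 luksFormat /dev/sda2 -
printf '%s' "$LUKS_PASSPHRASE" | cryptsetup open /dev/sda2 crypt -

zpool create -f -o ashift=12 -O acltype=posixacl -O canmount=off -O atime=off \
  -O xattr=sa -O mountpoint=/ -R /mnt root /dev/mapper/crypt
zfs create -o mountpoint=none -o canmount=off root/ROOT
zfs create -o mountpoint=legacy root/ROOT/alpine
mount -t zfs root/ROOT/alpine /mnt

rc-update add dmcrypt sysinit
rc-update add zfs-import sysinit
rc-update add zfs-mount sysinit

# Patch the live system's setup-disk so that it accepts a zfs root.
sed -i 's/ext2 ext3 ext4/ext2 ext3 ext4 zfs/' /sbin/setup-disk
setup-disk -m sys /mnt

mkdir -p /mnt/boot/efi
mount -t vfat /dev/sda1 /mnt/boot/efi

# Presumably lets tools in the chroot find the pool's vdev as /dev/crypt (confirm).
ln -s /dev/mapper/crypt /dev/crypt

# This keyfile unlocks the volume, and the initramfs built below includes the
# "cryptkey" feature. Create it owner-only from the start rather than with the
# default umask, which would leave it readable by every local user.
(
  umask 077
  dd if=/dev/urandom of=/mnt/crypto_keyfile.bin bs=512 count=4
)
chmod 600 /mnt/crypto_keyfile.bin
printf '%s' "$LUKS_PASSPHRASE" |
  cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin

for i in dev proc sys; do
  mount -o bind "/$i" "/mnt/$i"
done

chroot /mnt apk add grub grub-efi
chroot /mnt apk del syslinux

# Resolve the UUID first, so a blkid failure stops the install instead of
# writing an empty cryptroot= that would only fail at boot.
luks_uuid=$(blkid -s UUID -o value /dev/sda2)
[ -n "$luks_uuid" ] || {
  echo "error: no UUID found for /dev/sda2" >&2
  exit 1
}

echo "GRUB_ENABLE_CRYPTODISK=y" >> /mnt/etc/default/grub
echo "GRUB_CMDLINE_LINUX_DEFAULT='cryptroot=UUID=${luks_uuid} cryptdm=crypt cryptkey'" >> /mnt/etc/default/grub
echo "crypt /dev/sda2" > /mnt/etc/crypttab

chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg
chroot /mnt grub-install --target x86_64-efi --removable --efi-directory=/boot/efi/

# Add the cryptsetup and cryptkey features to the initramfs, then rebuild it.
sed -i 's/zfs/zfs cryptsetup cryptkey/' /mnt/etc/mkinitfs/mkinitfs.conf
chroot /mnt sh -c 'mkinitfs -c /etc/mkinitfs/mkinitfs.conf -b / $(ls /lib/modules/)'

# With cryptkey enabled the initramfs is expected to carry the keyfile, so
# restrict it to root as well. The output path is assumed to be
# /boot/initramfs*; adjust it if mkinitfs writes elsewhere.
for img in /mnt/boot/initramfs*; do
  if [ -f "$img" ]; then
    chmod 600 "$img"
  fi
done

# Self-contained GRUB image on the ESP. The ESP is unencrypted, so only this
# image and its embedded grub.cfg live outside the LUKS container.
chroot /mnt grub-mkstandalone -d /usr/lib/grub/x86_64-efi/ -O x86_64-efi \
  --modules="part_gpt cryptodisk luks zfs" --fonts=unicode \
  -o /boot/efi/EFI/BOOT/BOOTX64.EFI "boot/grub/grub.cfg=/boot/grub/grub.cfg"

for i in dev proc sys boot/efi; do
  umount "/mnt/$i"
done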