Fedora Bootstrap Installation
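# Interactive walkthrough, not a runnable script: several steps open a new
# shell (sudo -i, chroot) or reboot, and the commands after them are typed
# into that new context.

# Become root first. `sudo -i` starts a fresh login shell, so variables set
# before it would not be visible to the commands below.
sudo -i -u root
# Set environmental vars like which disk to install to.
# Exported so the chroot shell further down inherits them.
export DISK="/dev/nvme0n1"
export RELEASE=40
# Put SELinux into permissive mode on the live host only; the installed
# system gets a full relabel on first boot (see `fixfiles -F onboot` below).
setenforce 0
# Reset partition table and create new one.
# ${DISK:?} refuses to run these destructive commands with an empty DISK.
wipefs -a "${DISK:?}"
parted "${DISK:?}" mklabel gpt mkpart EFI fat32 1 1001MiB set 1 esp on mkpart SYS 1001MiB 100%
# Create partitions
mkfs.fat -F 32 "${DISK}p1"
# XTS splits the key in two halves, so --key-size 256 selects AES-128-XTS;
# --key-size 512 would select AES-256-XTS.
cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 256 --hash sha512 --pbkdf argon2id "${DISK}p2"
cryptsetup luksOpen "${DISK}p2" crypto_root
mkfs.ext4 -m0 /dev/mapper/crypto_root # -m0 reserves 0 percent for root user
# Prepare for installation
mount /dev/mapper/crypto_root /mnt
mkdir -p /mnt/boot/efi
mount "${DISK}p1" /mnt/boot/efi
# Why do I do this? Presumably so udev re-reads the freshly created
# filesystems and the UUID lookups below see current data (unconfirmed).
udevadm trigger
mkdir -p /mnt/{proc,sys,dev/pts}
mount -t proc proc /mnt/proc
mount -t sysfs sys /mnt/sys
mount -B /dev /mnt/dev
mount -t devpts pts /mnt/dev/pts
# Install core system
dnf --installroot=/mnt --releasever="$RELEASE" groupinstall -y core
dnf --installroot=/mnt install -y glibc-langpack-en
# Copy resolv.conf so name resolution works inside the chroot
mv /mnt/etc/resolv.conf /mnt/etc/resolv.conf.back
cp /etc/resolv.conf /mnt/etc/resolv.conf
# Generate /etc/fstab
dnf install -y arch-install-scripts
genfstab -U /mnt >> /mnt/etc/fstab # Remove entry for zram
# chroot into new system (exported DISK/RELEASE carry over)
chroot /mnt /bin/bash
mount -t efivarfs efivarfs /sys/firmware/efi/efivars
# Schedule a full SELinux relabel of the new root on its first boot
fixfiles -F onboot
dnf install -y efi-filesystem efibootmgr fwupd kernel dracut binutils systemd-boot cryptsetup
# Prepare all steps for UKI construction and proper decryption procedure
luks_uuid=$(cryptsetup luksUUID "${DISK:?}p2")
root_uuid=$(blkid -s UUID -o value /dev/mapper/crypto_root)
printf 'crypto_root UUID=%s none\n' "$luks_uuid" > /etc/crypttab
printf 'kernel_cmdline="root=UUID=%s ro rd.luks.name=%s=crypto_root rhgb quiet"\n' \
  "$root_uuid" "$luks_uuid" > /etc/dracut.conf.d/cmdline.conf
# The ESP is not encrypted, so the UKI written there (kernel + initrd +
# cmdline) is the part of the boot chain that stays readable and writable
# to anyone with access to the disk. `dracut --uefi` as used here does not
# sign the image; signing can be configured through dracut.conf
# (uefi_secureboot_cert / uefi_secureboot_key) if Secure Boot is to
# verify it.
#
# The heredoc delimiter is quoted so that $(...) and $kernel_version are
# written literally and evaluated each time update_uki.sh runs. Unquoted,
# they would be expanded once, now, leaving empty paths in the script.
cat << 'EOF' > /usr/bin/update_uki.sh
#!/bin/bash
printf "\nI: Updating unified kernel image...\n"
# Most recently modified non-debug entry under /lib/modules
kernel_version=$(ls -1rt /lib/modules | grep -v "debug" | tail -n1)
if [ -z "$kernel_version" ] || [ ! -e "/lib/modules/$kernel_version/vmlinuz" ]; then
  # Bail out before touching the current image if there is nothing to build
  printf 'E: No kernel found under /lib/modules\n' >&2
  exit 1
fi
printf 'I: New kernel version is %s\n' "$kernel_version"
printf "I: Copying old image as backup\n"
if [ -e /boot/efi/EFI/fedora/unified_kernel.efi ]; then
  cp /boot/efi/EFI/fedora/unified_kernel.efi /boot/efi/EFI/fedora/unified_kernel_old.efi
  mv /boot/efi/EFI/fedora/unified_kernel.efi "/boot/efi/EFI/fedora/unified_kernel_$(uname -r).efi"
fi
printf "I: Moving files to /boot\n"
cp "/lib/modules/$kernel_version/vmlinuz" "/boot/vmlinuz-$kernel_version"
cp "/lib/modules/$kernel_version/config" "/boot/config-$kernel_version"
cp "/lib/modules/$kernel_version/System.map" "/boot/System.map-$kernel_version"
# Build new kernel image
dracut --uefi --kver="$kernel_version" /boot/efi/EFI/fedora/unified_kernel.efi
EOF
# Runs as root from a dnf hook later on; keep it root-owned and writable by
# root only.
chmod 0744 /usr/bin/update_uki.sh
# NOTE(review): --disk is given the ESP partition node here; efibootmgr
# documents --disk as the whole disk plus --part N. Confirm the created
# entry with `efibootmgr -v`.
efibootmgr --quiet --create --disk "${DISK:?}p1" --label "Fedora UKI" --loader /EFI/fedora/unified_kernel.efi
systemd-firstboot --prompt
passwd
update_uki.sh # Force-rebuild
exit # exit chroot
umount -n -R /mnt
reboot
# --- after reboot: logged in as root on the new system ---
# Remove grub (the protected.d entries are what stop dnf from removing it)
rm /etc/dnf/protected.d/*grub*
dnf remove -y grubby grub2\*
rm -rf /boot/grub2
useradd -mG wheel meep
passwd meep
exit
# login as user
sudo -i -u root
dnf groupinstall -y "Fedora Workstation"
reboot
# Login as user; the remaining steps write under /etc and need root
sudo -i -u root
dnf update
dnf install python3-dnf-plugins-post-transaction-actions.noarch
# Rebuild the UKI after every kernel-core transaction. The hook executes
# /usr/bin/update_uki.sh as root.
echo "kernel-core.x86_64:any:/usr/bin/update_uki.sh" > /etc/dnf/plugins/post-transaction-actions.d/kernel_upgrade.action
# Follow post-install guide like here: https://github.com/devangshekhawat/Fedora-40-Post-Install-Guide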