@andrej-peterka
Last active December 15, 2016 22:48
ZFS root install
# USEFUL LINKS:
https://help.ubuntu.com/community/encryptedZfs
https://unix.stackexchange.com/questions/178666/sbin-cryptsetup-not-found-on-boot
http://www.pavelkogan.com/2015/01/25/linux-mint-encryption/
https://www.combustible.me/wordpress/2014/09/22/linux-mint-zfs-root-full-disk-encryption-hibernation-encrypted-swap/
https://askubuntu.com/questions/729673/ubuntu-full-disk-encryption-with-encrypted-boot
http://thesimplecomputer.info/full-disk-encryption-with-ubuntu
https://github.com/zfsonlinux/zfs/wiki/Ubuntu-16.04-Root-on-ZFS
# Run this for UEFI booting (for use now or in the future):
# Partition 3: 512M EFI System Partition (type EF00), starting at 1M.
# Nothing later in these notes encrypts it.
sgdisk -n3:1M:+512M -t3:EF00 /dev/disk/by-id/ata-VBOX_HARDDISK_VB1104d745-09d29211
# Run these in all cases:
# Partition 9: the last 8M of the disk, type BF07.
sgdisk -n9:-8M:0 -t9:BF07 /dev/disk/by-id/ata-VBOX_HARDDISK_VB1104d745-09d29211
# Partition 1: all remaining space, type BF01. This becomes the LUKS container.
sgdisk -n1:0:0 -t1:BF01 /dev/disk/by-id/ata-VBOX_HARDDISK_VB1104d745-09d29211
# luksFormat overwrites the start of the partition, so double-check the by-id
# path first. -y asks for the passphrase twice; -v is verbose.
cryptsetup -y -v luksFormat /dev/disk/by-id/ata-VBOX_HARDDISK_VB1104d745-09d29211-part1
# The UUID only exists after luksFormat. The value below is the one from the
# author's VM (it matches the blkid output further down); read your own with
# blkid before running this.
cryptsetup luksOpen /dev/disk/by-uuid/2b5b8e03-26e2-4c2a-937b-97689c055129 root_crypt
# Create the pool on the opened LUKS mapping, so every dataset in rpool sits
# inside the encrypted container. ashift=12 means 4 KiB sectors; -R /mnt makes
# the datasets mount under /mnt for the duration of the install.
zpool create -o ashift=12 -O atime=off -O canmount=off -O compression=lz4 -O normalization=formD -O mountpoint=/ -R /mnt rpool /dev/mapper/root_crypt
# rpool/ROOT is only a container; rpool/ROOT/ubuntu is the root filesystem.
# canmount=noauto means it has to be mounted explicitly, as done below.
zfs create -o canmount=off -o mountpoint=none rpool/ROOT
zfs create -o canmount=noauto -o mountpoint=/ rpool/ROOT/ubuntu
zfs mount rpool/ROOT/ubuntu
# setuid=off: setuid/setgid bits on files under /home are not honoured.
zfs create -o setuid=off rpool/home
zfs create -o mountpoint=/root rpool/home/root
# rpool/var is never mounted itself (canmount=off); it passes setuid=off and
# exec=off down to the datasets created under it.
zfs create -o canmount=off -o setuid=off -o exec=off rpool/var
zfs create -o com.sun:auto-snapshot=false rpool/var/cache
zfs create rpool/var/log
zfs create rpool/var/spool
# /var/tmp is the one child of rpool/var that turns exec back on.
zfs create -o com.sun:auto-snapshot=false -o exec=on rpool/var/tmp
# If you use /srv on this system:
zfs create rpool/srv
# If this system will have games installed:
zfs create rpool/var/games
# If this system will store local email in /var/mail:
zfs create rpool/var/mail
# If this system will use NFS (locking):
zfs create -o com.sun:auto-snapshot=false \
-o mountpoint=/var/lib/nfs rpool/var/nfs
# World-writable with the sticky bit, the usual mode for a tmp directory.
chmod 1777 /mnt/var/tmp
# Install the Ubuntu 16.04 (xenial) base system into the new root.
debootstrap xenial /mnt
# devices=off: device nodes stored on the pool's datasets are not usable.
# It is set only after debootstrap has finished populating the new root.
zfs set devices=off rpool
# "woot" is the hostname of the new system; use the same name in both files.
echo woot > /mnt/etc/hostname
echo "127.0.1.1 woot" >> /mnt/etc/hosts
# List the network interfaces to find the name to use in place of NAME.
ifconfig -a
# Put the two lines between the ######## markers into this file, with NAME
# replaced by the interface name.
nano /mnt/etc/network/interfaces.d/NAME
########
auto NAME
iface NAME inet dhcp
########
# Recursively bind the live system's /dev, /proc and /sys into the new root so
# that commands run inside the chroot can see them.
mount --rbind /dev /mnt/dev
mount --rbind /proc /mnt/proc
mount --rbind /sys /mnt/sys
chroot /mnt /bin/bash --login
###### CHROOT HERE!
apt install nano
# Make the mapping reachable as /dev/root_crypt too: the symlink covers this
# session, and the udev rule adds the same symlink whenever a device-mapper
# device named root_crypt appears.
# NOTE(review): presumably needed so grub-probe/update-grub can resolve the
# pool's device by the name ZFS reports -- confirm.
ln -s /dev/mapper/root_crypt /dev/root_crypt
echo 'ENV{DM_NAME}=="root_crypt", SYMLINK+="root_crypt"' > /etc/udev/rules.d/99-local.rules
# Look up the UUID of the LUKS partition (TYPE="crypto_LUKS"); it goes into the
# two files edited next.
blkid
/dev/sda1: UUID="2b5b8e03-26e2-4c2a-937b-97689c055129" TYPE="crypto_LUKS" PARTUUID="b1e1b55c-5e53-43d9-9263-6d3e19ec33c2"
# Line to put in /etc/crypttab. The UUID is the crypto_LUKS one from blkid;
# "none" in the key field means no key file is configured.
# "discard" passes TRIM requests through dm-crypt. That helps SSDs, but anyone
# who can read the raw disk can then tell which blocks are unused; leave the
# option out (here and in the cryptroot line) if that leak matters to you.
nano /etc/crypttab
root_crypt UUID=2b5b8e03-26e2-4c2a-937b-97689c055129 none luks,discard
# Matching entry for the initramfs; put the line between the ##### markers
# into this file. Same target name, same UUID, same options as crypttab.
nano /etc/initramfs-tools/conf.d/cryptroot
#####
target=root_crypt,source=UUID=2b5b8e03-26e2-4c2a-937b-97689c055129,key=none,rootdev,discard
#####
# Locale and time zone for the new system.
locale-gen en_US.UTF-8
echo 'LANG="en_US.UTF-8"' > /etc/default/locale
dpkg-reconfigure tzdata
# Replace the file's contents with the lines between the ########## markers.
# The mirrors are plain http: apt authenticates packages against the archive's
# signed Release files, so integrity does not depend on the transport, but the
# list of packages being fetched is visible on the network.
nano /etc/apt/sources.list
##########
deb http://archive.ubuntu.com/ubuntu xenial main universe
deb-src http://archive.ubuntu.com/ubuntu xenial main universe
deb http://security.ubuntu.com/ubuntu xenial-security main universe
deb-src http://security.ubuntu.com/ubuntu xenial-security main universe
deb http://archive.ubuntu.com/ubuntu xenial-updates main universe
deb-src http://archive.ubuntu.com/ubuntu xenial-updates main universe
###########
# /etc/mtab becomes a symlink to the kernel's own mount table.
ln -s /proc/self/mounts /etc/mtab
apt update
apt install --yes ubuntu-minimal
# Kernel first, then the packages that put ZFS and cryptsetup support into the
# initramfs, so the root pool can be unlocked and imported at boot.
apt install --yes --no-install-recommends linux-image-generic
apt install --yes zfs-initramfs cryptsetup
#### ADD THIS TO /etc/initramfs-tools/modules
raid1
raid456
aes-x86_64
sha512-ssse3
xts
dm-mod
dm-crypt
####
# Format and mount the EFI System Partition (partition 3).
# NOTE: scsi-SATA_disk1 does not match the disk partitioned at the top of these
# notes (ata-VBOX_HARDDISK_VB1104d745-09d29211); it looks like a placeholder.
# Use your own disk's -part3 path in mkdosfs and in the blkid call below.
apt install dosfstools
mkdosfs -F 32 -n EFI /dev/disk/by-id/scsi-SATA_disk1-part3
mkdir /boot/efi
# Append an fstab entry that identifies the ESP by PARTUUID.
echo PARTUUID=$(blkid -s PARTUUID -o value \
/dev/disk/by-id/scsi-SATA_disk1-part3) \
/boot/efi vfat defaults 0 1 >> /etc/fstab
### ADD THIS TO FSTAB...
/dev/mapper/root_crypt / zfs defaults 0 0
###
mount /boot/efi
apt install --yes grub-efi-amd64
addgroup --system lpadmin
addgroup --system sambashare
# Sets the password of the current user, which is root inside the chroot.
passwd
# Check that GRUB recognises the root filesystem; the next line is presumably
# the expected output.
grub-probe /
# zfs
# Create an initramfs for every installed kernel, now that the crypttab,
# cryptroot and modules settings are in place.
update-initramfs -c -k all
nano /etc/default/grub
# add GRUB_ENABLE_CRYPTODISK=y
#   (no separate /boot was created above, so /boot lives inside the encrypted
#   pool and GRUB has to unlock the LUKS container itself; the EFI partition
#   that holds GRUB stays unencrypted)
# Comment out: GRUB_HIDDEN_TIMEOUT=0
# Remove quiet and splash from: GRUB_CMDLINE_LINUX_DEFAULT
# add boot=zfs to GRUB_CMDLINE_LINUX_DEFAULT
# Uncomment: GRUB_TERMINAL=console
# Save and quit.
update-grub
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ubuntu --recheck --no-floppy
# Verify that GRUB's ZFS module was installed.
ls /boot/grub/*/zfs.mod
# Snapshot the fresh install; it is destroyed at the very end of these notes.
zfs snapshot rpool/ROOT/ubuntu@install
exit
###### END CHROOT HERE!
# Back on the live system: take the non-ZFS mounts in reverse order (tac), keep
# the mount points that contain /mnt, and unmount each one lazily and forcibly.
# (xargs -i{} is the deprecated spelling of -I{} in GNU xargs.)
mount | grep -v zfs | tac | awk '/\/mnt/ {print $3}' | xargs -i{} umount -lf {}
# Export the pool so the installed system can import it on first boot.
zpool export rpool
############## REBOOOOOOOOOOOOOOT
# After the first boot into the installed system. "pipi" is the user name used
# in these notes; the home dataset is created before the account.
zfs create rpool/home/pipi
adduser pipi
# Copy the skeleton dotfiles into the home directory and hand them to the user.
cp -a /etc/skel/.[!.]* /home/pipi
chown -R pipi:pipi /home/pipi
# Membership in sudo gives this account administrative rights.
usermod -a -G adm,cdrom,dip,lpadmin,plugdev,sambashare,sudo pipi
# 4G swap volume with a block size equal to the memory page size. It lives in
# rpool, which sits on the LUKS mapping, so swapped-out memory is encrypted on
# disk along with everything else.
zfs create -V 4G -b $(getconf PAGESIZE) -o compression=zle \
-o logbias=throughput -o sync=always \
-o primarycache=metadata -o secondarycache=none \
-o com.sun:auto-snapshot=false rpool/swap
mkswap -f /dev/zvol/rpool/swap
echo /dev/zvol/rpool/swap none swap defaults 0 0 >> /etc/fstab
swapon -av
apt dist-upgrade --yes
apt install --yes xubuntu-desktop
# Comment out the "compress" directive in every logrotate snippet; the pool was
# created with compression=lz4, so the rotated logs are compressed by ZFS.
# [^#y] skips lines that are already commented and the "delaycompress" keyword.
# NOTE(review): the pattern also matches inside "nocompress" (it would become
# "no#compress") -- check the snippets for that directive before running.
for file in /etc/logrotate.d/*; do
  grep -Eq "(^|[^#y])compress" "$file" || continue
  sed -i -r "s/(^|[^#y])(compress)/\1#\2/" "$file"
done
reboooooot
sudo zfs destroy rpool/ROOT/ubuntu@install