
@exocron
Last active June 25, 2022 05:50
Install Alpine Linux on ZFS, on LUKS, with FDE and standalone UEFI GRUB
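#!/bin/sh
# Install Alpine Linux on ZFS, on LUKS, with FDE and standalone UEFI GRUB
#
# Run as root from the Alpine live environment. Repartitions /dev/sda
# (sda1 = EFI system partition, sda2 = LUKS container holding the ZFS pool).
#
# Environment:
#   PASSWORD  Initial root password and LUKS passphrase. Defaults to the
#             placeholder "changeme" so the script still runs unattended.
#             The placeholder stays valid as a LUKS keyslot until it is
#             replaced (passwd; cryptsetup luksChangeKey /dev/sda2).
set -e

PASSWORD="${PASSWORD:-changeme}"

# Answer file for setup-alpine; DISKOPTS is set so that setup-alpine leaves
# the disk alone (partitioning is done by hand below).
cat << 'EOF' > answers.txt
KEYMAPOPTS="us us"
HOSTNAMEOPTS="-n localhost"
INTERFACESOPTS="auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
"
TIMEZONEOPTS="-z America/Detroit"
PROXYOPTS="none"
APKREPOSOPTS="-1"
SSHDOPTS="-c openssh"
NTPOPTS="-c chrony"
DISKOPTS="-z --please-dont-do-anything"
EOF
# Best effort: a non-zero exit from setup-alpine is tolerated on purpose.
setup-alpine -e -f answers.txt || true

# printf keeps the password out of any process argument list.
printf 'root:%s\n' "$PASSWORD" | chpasswd

modprobe zfs
apk add zfs sfdisk cryptsetup

# GPT layout: 100M EFI system partition + Linux LUKS partition (rest of disk).
sfdisk --quiet --label gpt /dev/sda << 'EOF'
/dev/sda1: start=1M,size=100M,bootable,type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B
/dev/sda2: type=CA7D7CCB-63ED-4C53-861C-1742536059CC
EOF
# The device nodes may already exist; failure here is expected and ignored.
mknod /dev/sda1 b 8 1 || true
mknod /dev/sda2 b 8 2 || true

mkfs.vfat -F 32 /dev/sda1

# LUKS1 on purpose: the GRUB image built below only carries the "luks" module.
# The passphrase is fed on stdin without a trailing newline.
printf '%s' "$PASSWORD" | cryptsetup -M luks1 luksFormat /dev/sda2 -
printf '%s' "$PASSWORD" | cryptsetup open /dev/sda2 crypt -

zpool create -f -o ashift=12 -O acltype=posixacl -O canmount=off \
  -O atime=off -O xattr=sa -O mountpoint=/ -R /mnt root /dev/mapper/crypt
zfs create -o mountpoint=none -o canmount=off root/ROOT
zfs create -o mountpoint=legacy root/ROOT/alpine
mount -t zfs root/ROOT/alpine /mnt

rc-update add dmcrypt sysinit
rc-update add zfs-import sysinit
rc-update add zfs-mount sysinit

# Patch the live installer so setup-disk accepts a zfs-mounted target.
sed -i 's/ext2 ext3 ext4/ext2 ext3 ext4 zfs/' /sbin/setup-disk
setup-disk -m sys /mnt

mkdir -p /mnt/boot/efi
mount -t vfat /dev/sda1 /mnt/boot/efi
ln -s /dev/mapper/crypt /dev/crypt

# Key file that lets the initramfs unlock the volume without a second prompt.
# Anyone who can read it can open /dev/sda2, so create it owner-only instead
# of with the default umask. It is stored on the encrypted root, not the ESP.
# NOTE(review): the "cryptkey" mkinitfs feature enabled below copies this file
# into the initramfs under /boot - confirm that image is not world-readable.
( umask 077; dd if=/dev/urandom of=/mnt/crypto_keyfile.bin bs=512 count=4 )
chmod 600 /mnt/crypto_keyfile.bin
printf '%s' "$PASSWORD" | cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin

for fs in dev proc sys; do
  mount -o bind "/$fs" "/mnt/$fs"
done

chroot /mnt apk add grub grub-efi
chroot /mnt apk del syslinux

# Resolve the UUID in its own statement: inside an echo argument a blkid
# failure would be masked and an empty cryptroot= written to the config.
luks_uuid=$(blkid -s UUID -o value /dev/sda2)
if [ -z "$luks_uuid" ]; then
  echo "could not read the LUKS UUID of /dev/sda2" >&2
  exit 1
fi

echo "GRUB_ENABLE_CRYPTODISK=y" >> /mnt/etc/default/grub
echo "GRUB_CMDLINE_LINUX_DEFAULT='cryptroot=UUID=${luks_uuid} cryptdm=crypt cryptkey'" >> /mnt/etc/default/grub
echo "crypt /dev/sda2" > /mnt/etc/crypttab

chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg
chroot /mnt grub-install --target x86_64-efi --removable --efi-directory=/boot/efi/

sed -i 's/zfs/zfs cryptsetup cryptkey/' /mnt/etc/mkinitfs/mkinitfs.conf
# Single quotes: $(ls ...) must be expanded inside the chroot, where
# /lib/modules holds the installed kernel version.
chroot /mnt sh -c 'mkinitfs -c /etc/mkinitfs/mkinitfs.conf -b / $(ls /lib/modules/)'

# Standalone GRUB image with grub.cfg embedded, written to the removable-media
# path on the ESP. The ESP is unencrypted and nothing here signs the image, so
# this setup protects data at rest but not the integrity of the boot loader.
chroot /mnt grub-mkstandalone -d /usr/lib/grub/x86_64-efi/ -O x86_64-efi \
  --modules="part_gpt cryptodisk luks zfs" --fonts=unicode \
  -o /boot/efi/EFI/BOOT/BOOTX64.EFI "boot/grub/grub.cfg=/boot/grub/grub.cfg"

for fs in dev proc sys boot/efi; do
  umount "/mnt/$fs"
done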
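#!/bin/sh
# Work-in-progress Ubuntu version
#
# Run as root from a live environment. Repartitions /dev/$DEVICE
# ($ESP = EFI system partition, $ROOT = LUKS container holding the ZFS pool).
#
# Environment:
#   PASSWORD  LUKS passphrase. Defaults to the placeholder "changeme"; the
#             placeholder stays valid as a LUKS keyslot until it is replaced
#             (cryptsetup luksChangeKey /dev/$ROOT).
set -e
DEVICE=vdb
ESP=vdb1
ROOT=vdb2
PASSWORD="${PASSWORD:-changeme}"
ZPOOL=rpool

# GPT layout: 100M EFI system partition + Linux LUKS partition (rest of disk).
# The target must be the /dev node; a bare "$DEVICE" would be taken as a file
# in the current directory.
sfdisk --quiet --label gpt "/dev/$DEVICE" << EOF
/dev/$ESP: start=1M,size=100M,bootable,type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B
/dev/$ROOT: type=CA7D7CCB-63ED-4C53-861C-1742536059CC
EOF

# LUKS1 on purpose: the GRUB image built below only carries the "luks" module.
# The passphrase is fed on stdin without a trailing newline.
printf '%s' "$PASSWORD" | cryptsetup -M luks1 luksFormat "/dev/$ROOT" -
printf '%s' "$PASSWORD" | cryptsetup open "/dev/$ROOT" crypt -

zpool create -f -o ashift=12 -O acltype=posixacl -O canmount=off \
  -O atime=off -O xattr=sa -O mountpoint=/ -R /mnt "$ZPOOL" /dev/mapper/crypt
zfs create -o mountpoint=none -o canmount=off "$ZPOOL/ROOT"
zfs create -o mountpoint=legacy "$ZPOOL/ROOT/ubuntu"
mount -t zfs "$ZPOOL/ROOT/ubuntu" /mnt

debootstrap jammy /mnt

mount -o rbind,rslave /dev /mnt/dev
mount -o rbind,rslave /proc /mnt/proc
mount -o rbind,rslave /sys /mnt/sys

mkfs.vfat "/dev/$ESP"
mkdir -p /mnt/boot/efi
mount -t vfat "/dev/$ESP" /mnt/boot/efi

# Reuse the host's package sources (with deb-src enabled) inside the target.
sed 's/# deb-src/deb-src/' /etc/apt/sources.list > /mnt/etc/apt/sources.list
chroot /mnt sed -i -e 's/# C.UTF-8/C.UTF-8/' -e 's/# en_US.UTF-8/en_US.UTF-8/' /etc/locale.gen
chroot /mnt locale-gen
chroot /mnt apt update
# -y: without it the upgrade waits for confirmation in an unattended run.
chroot /mnt apt upgrade -y
chroot /mnt apt install -y cryptsetup grub-efi-amd64-bin linux-generic-hwe-22.04 \
  ubuntu-desktop ubuntu-desktop-minimal ubuntu-standard ubuntu-wallpapers \
  zfsutils-linux zfs-initramfs
chroot /mnt apt-mark auto '*'
chroot /mnt apt-mark manual cryptsetup grub-efi-amd64-bin linux-generic-hwe-22.04 \
  ubuntu-desktop ubuntu-minimal ubuntu-standard zfsutils-linux

# printf writes real tabs regardless of which shell provides echo; the dataset
# name follows $ZPOOL and the options field uses the fstab keyword "defaults".
printf '%s\t/\tzfs\tdefaults\t0 0\n' "$ZPOOL/ROOT/ubuntu" > /mnt/etc/fstab

# Key file referenced from crypttab. Anyone who can read it can open the LUKS
# volume, so create it owner-only instead of with the default umask.
( umask 077; dd if=/dev/urandom of=/mnt/crypto_keyfile.bin bs=512 count=4 )
chmod 600 /mnt/crypto_keyfile.bin
printf '%s' "$PASSWORD" | cryptsetup luksAddKey "/dev/$ROOT" /mnt/crypto_keyfile.bin

# Resolve the UUID in its own statement: inside an echo argument a blkid
# failure would be masked and an empty UUID written to the config files.
luks_uuid=$(blkid -s UUID -o value "/dev/$ROOT")
if [ -z "$luks_uuid" ]; then
  echo "could not read the LUKS UUID of /dev/$ROOT" >&2
  exit 1
fi

echo "crypt UUID=${luks_uuid} /crypto_keyfile.bin luks,discard,initramfs" > /mnt/etc/crypttab
echo "cryptroot" >> /mnt/etc/initramfs-tools/modules
echo "zfs" >> /mnt/etc/initramfs-tools/modules
# NOTE(review): cryptsetup-initramfs only embeds key files matched by
# KEYFILE_PATTERN in /etc/cryptsetup-initramfs/conf-hook, and an initramfs that
# holds key material should be built with UMASK=0077 in
# /etc/initramfs-tools/initramfs.conf. This script sets neither - confirm
# before relying on the key file at boot.
chroot /mnt update-initramfs -u

rm /mnt/etc/grub.d/10_linux_zfs
echo "GRUB_ENABLE_CRYPTODISK=y" >> /mnt/etc/default/grub
echo "GRUB_CMDLINE_LINUX_DEFAULT='cryptroot=UUID=${luks_uuid} cryptdm=crypt cryptkey quiet splash'" >> /mnt/etc/default/grub
chroot /mnt update-grub
chroot /mnt grub-install --target x86_64-efi --removable --efi-directory=/boot/efi/

# Standalone GRUB image with grub.cfg embedded, written to the removable-media
# path on the ESP. The ESP is unencrypted and nothing here signs the image, so
# this setup protects data at rest but not the integrity of the boot loader.
chroot /mnt grub-mkstandalone -d /usr/lib/grub/x86_64-efi/ -O x86_64-efi \
  --modules="part_gpt cryptodisk luks zfs" --fonts=unicode \
  -o /boot/efi/EFI/BOOT/BOOTX64.EFI "boot/grub/grub.cfg=/boot/grub/grub.cfg"
rm /mnt/boot/efi/EFI/BOOT/grub.cfg

# Tear down in reverse order: mounts, then the pool, then the LUKS mapping.
umount -R /mnt
zpool export "$ZPOOL"
cryptsetup close crypt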