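#######################################
# Manual-install runbook: GPT + hybrid MBR layout, LUKS on /boot and on an
# LVM PV holding swap, / and /home, with a key-file embedded in the initramfs
# so the passphrase is only asked once (by GRUB, when it unlocks /boot).
#
# This is a sequence of commands typed alongside the installer, not a
# stand-alone script: luksFormat/open prompt for passphrases, the wait loop
# expects the installer to be populating /target concurrently, and
# `chroot /target` opens an interactive shell in which the remaining commands
# are entered. Variables are exported so they survive into that chroot shell.
#######################################

# :reminder_ribbon: Adjust as necessary
export DEV="/dev/nvme0n1"      # target disk (whole device; it will be wiped)
export SWAP_S="8G"             # swap LV size (-L, absolute)
export SYSTEM_S="20%FREE"      # root LV size (-l, share of free extents)
export HOME_S="80%FREE"        # home LV size (-l, share of free extents)

# These are for LVM
# Installer-media name taken from the "cdrom:[...]" entry in sources.list
# (the token after "cdrom:[" — presumably the distro name).
flavour="$( sed -n 's/.*cdrom:\[\([^ ]*\).*/\1/p' /etc/apt/sources.list )"
# Release as an integer, e.g. 22.04 -> 2204, for the comparison below.
release="$( lsb_release -sr | tr -d . )"
# Match the installer's VG naming: "vg<flavour>" (lower-case) from 22.04 on,
# "<Flavour>--vg" before that. Quoted so an empty ${release} simply fails the
# test instead of breaking the expression.
if [[ "${release}" -ge 2204 ]]; then VGNAME="vg${flavour,,}"; else VGNAME="${flavour}--vg"; fi
export VGNAME

# Some additional variables
export DM="${DEV##*/}"         # basename of the device, e.g. nvme0n1
# NVMe partitions are named <dev>p<N>; other block devices use <dev><N>, so
# DEV_P/DM_P carry the partition-number prefix for the chosen device.
export DEV_P="${DEV}$( if [[ "${DEV}" =~ "nvme" ]]; then echo "p"; fi )"
export DM_P="${DM}$( if [[ "${DM}" =~ "nvme" ]]; then echo "p"; fi )"

# :warning: WARNING: This will erase all your data, make sure you have a proper backup around :warning:
sgdisk --zap-all "${DEV}" # :warning: Make sure you have a backup
sgdisk --new=1:0:+768M "${DEV}"   # 1: /boot (LUKS1 container)
sgdisk --new=2:0:+2M "${DEV}"     # 2: BIOS boot partition (GRUB core image)
sgdisk --new=3:0:+128M "${DEV}"   # 3: EFI system partition
# 5: LUKS container for the LVM PV, rest of the disk. Number 4 is skipped,
# presumably to leave an MBR slot free for the hybrid MBR created below.
sgdisk --new=5:0:0 "${DEV}"
# 8301 = Linux reserved, ef02 = BIOS boot, ef00 = EFI system
sgdisk --typecode=1:8301 --typecode=2:ef02 --typecode=3:ef00 --typecode=5:8301 "${DEV}"
sgdisk --change-name=1:/boot --change-name=2:GRUB --change-name=3:EFI-SP --change-name=5:rootfs "${DEV}"
sgdisk --hybrid 1:2:3 "${DEV}"    # hybrid MBR so the disk boots in BIOS and UEFI mode

# Encrypt /, /boot and /home, please make note of the passphrases
# /boot is LUKS1 so GRUB can unlock it (GRUB's LUKS2 support is limited);
# partition 5 gets cryptsetup's default format.
cryptsetup luksFormat --type=luks1 "${DEV_P}1" # /boot
cryptsetup luksFormat "${DEV_P}5" # / and /home
# LUKS unlock to open the encrypted devices
cryptsetup open "${DEV_P}1" LUKS_BOOT
cryptsetup open "${DEV_P}5" "${DM_P}5_crypt"
# Format boot and EFI filesystems
mkfs.ext4 -L boot /dev/mapper/LUKS_BOOT
mkfs.vfat -F 16 -n EFI-SP "${DEV_P}3"

# Configure LVM
pvcreate "/dev/mapper/${DM_P}5_crypt"
vgcreate "${VGNAME}" "/dev/mapper/${DM_P}5_crypt"
lvcreate -L "${SWAP_S}" -n swap_1 "${VGNAME}"
lvcreate -l "${SYSTEM_S}" -n root "${VGNAME}"
# NOTE: %FREE is relative to what is free when the command runs, so with the
# defaults above roughly 16% of the VG stays unallocated; use 100%FREE to fill it.
lvcreate -l "${HOME_S}" -n home "${VGNAME}"

# Run the installer now (manual partitioning onto the LVs and LUKS_BOOT).
# Block until the installer has created /etc/default/grub.d in the target,
# then drop in the setting GRUB needs to read an encrypted /boot — presumably
# so it is in place before the installer runs grub-install.
while [ ! -d /target/etc/default/grub.d ]; do
  echo "$(date --rfc-3339=seconds): Waiting for GRUB"
  sleep 1
done
echo "GRUB_ENABLE_CRYPTODISK=y" > /target/etc/default/grub.d/local.cfg

# Create a change-root environment to work in the newly installed OS
# (once the installer has finished and released /target).
mount "/dev/mapper/${VGNAME}-root" /target
for n in proc sys dev etc/resolv.conf; do mount --rbind "/${n}" "/target/${n}"; done
chroot /target
# ---- everything below is entered in the chroot shell opened above ----
mount -a

# Within the chroot install, configure cryptsetup-initramfs, which might be already installed
apt install -y cryptsetup-initramfs

# Configure initramfs: have cryptsetup-initramfs copy matching key files into
# the initramfs image ...
echo "KEYFILE_PATTERN=/etc/luks/*.keyfile" >> /etc/cryptsetup-initramfs/conf-hook
# ... and make the generated image owner-readable only, since it will contain
# that key. The image lives on the encrypted /boot, so the key is only reachable
# after GRUB has unlocked /boot with the passphrase.
echo "UMASK=0077" >> /etc/initramfs-tools/initramfs.conf

# Create a randomised key-file of 4096 bits (512 bytes), secure it, and add it to the LUKS volumes
mkdir /etc/luks
# umask in a subshell so the key-file is never world-readable, not even
# between dd and the chmod below.
( umask 077; dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=512 count=1 )
chmod u=rx,go-rwx /etc/luks
chmod u=r,go-rwx /etc/luks/boot_os.keyfile
# One key unlocks both containers: anyone who obtains the initramfs or
# /etc/luks on the running system can open both.
cryptsetup luksAddKey "${DEV_P}1" /etc/luks/boot_os.keyfile
cryptsetup luksAddKey "${DEV_P}5" /etc/luks/boot_os.keyfile

# Add the keys to the crypttab
# "discard" passes TRIM through the encryption layer, which reveals which
# blocks are in use; drop it if that matters more than SSD wear.
# NOTE(review): if the installer already wrote an entry for ${DM_P}5_crypt,
# the second line appends a duplicate — check /etc/crypttab first.
echo "LUKS_BOOT UUID=$(blkid -s UUID -o value "${DEV_P}1") /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab
echo "${DM_P}5_crypt UUID=$(blkid -s UUID -o value "${DEV_P}5") /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab

# Finally update the initialramfs files to add the cryptsetup unlocking scripts and the key-file
update-initramfs -u -k all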