simple encrypted disk with btrfs
# BASED_ON:
# https://wiki.archlinux.org/title/User:Altercation/Bullet_Proof_Arch_Install#Create_and_mount_BTRFS_subvolumes
# https://wiki.archlinux.org/title/Btrfs#Compression
# https://btrfs.readthedocs.io/en/latest/Administration.html?highlight=mount#mount-options
# https://grahamc.com/blog/erase-your-darlings
# download with:
# curl -L setup-disk.shiryel.com > setup.sh
# run with (the script wipes the given device and runs as root: read it first,
# and prefer fetching it over https and checking it matches this gist):
# chmod +x setup.sh
# sudo ./setup.sh /dev/YOUR_DEVICE_HERE
# WIFI:
#
# `sudo systemctl start wpa_supplicant`
#
# if on `sudo systemctl status wpa_supplicant`, you get "rfkill: WLAN soft blocked", try:
# `rfkill list`
# `rfkill unblock wlan`
#
# `wpa_cli`
# > interface wlp2s0
# OK
# > add_network
# 0
# > set_network 0 ssid "myhomenetwork"
# OK
# > set_network 0 psk "mypassword"
# OK
# > set_network 0 key_mgmt WPA-PSK
# OK
# > enable_network 0
# OK
#
# Prepare
#
# https://gist.github.com/shiryel/44a24ce9f867e11bd5ddafb69b81c7e1
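# Strict mode. -x traces every command to stderr; the LUKS passphrase is read
# by cryptsetup from the terminal (never passed on argv), so it is not traced.
set -euxo pipefail

# Exactly one argument: the whole disk to wipe and set up (eg: /dev/sda).
if [[ $# -lt 1 ]]; then
  echo "Error: Needs the device, eg: /dev/sda" >&2
  echo "Example: sudo ./setup.sh /dev/sda" >&2
  exit 1
fi
DRIVE=$1

# Everything below is destructive: refuse anything that is not a block device
# so a typo or a stale symlink cannot send sgdisk at the wrong path.
if [[ ! -b "$DRIVE" ]]; then
  echo "Error: $DRIVE is not a block device" >&2
  exit 1
fi
# sgdisk, cryptsetup, mkfs and mount all need root; fail early instead of
# half-way through the partitioning.
if [[ $EUID -ne 0 ]]; then
  echo "Error: must be run as root, eg: sudo ./setup.sh $DRIVE" >&2
  exit 1
fi

loadkeys us-acentos

#
# Create disk partitions
#
# Layout: 1 = 550MiB EFI system partition, 2 = LUKS root (everything but the
# last 16GiB), 3 = 16GiB swap at the end of the disk.
sgdisk --zap-all "$DRIVE"
sgdisk --clear \
  --new=1:0:+550MiB --typecode=1:ef00 --change-name=1:EFI \
  --new=2:0:-16GiB  --typecode=2:8300 --change-name=2:cryptsystem \
  --new=3:0:0       --typecode=3:8200 --change-name=3:cryptswap \
  "$DRIVE"
# let the kernel know of the changes, then wait for udev to create the
# /dev/disk/by-partlabel/* symlinks used below (a fixed sleep is racy on slow
# devices; keep it only as a fallback if udevadm is unavailable)
partprobe "$DRIVE"
udevadm settle || sleep 2

#
# Format (luks)
#
# BOOT. The EFI partition stays unencrypted, so the bootloader does not need
# LUKS support. NOTE: renaming the label from EFI to efi only hides it from a
# casual Windows install; it is not a security boundary.
mkfs.fat -F 32 -n EFI /dev/disk/by-partlabel/EFI
# ROOT
echo "In case of failure, run:"
echo "swapoff -L swap"
echo "cryptsetup close swap"
echo "cryptsetup close system"
# optional luksFormat tuning (defaults are used below):
# key size: -s 256
# payload align: --align-payload=8192
# cipher: -c aes-xts-plain64 (for LUKS)
# luksFormat asks for confirmation and for the passphrase twice on the tty.
cryptsetup luksFormat /dev/disk/by-partlabel/cryptsystem
# NOTE(review): the device is opened without --allow-discards, so the
# discard=async mount option below is dropped by dm-crypt; passing discards
# through would reveal which blocks are in use, so this is a deliberate
# privacy/performance trade-off - confirm it is the one you want.
cryptsetup open /dev/disk/by-partlabel/cryptsystem system
# SWAP: plain dm-crypt with a fresh random key from /dev/urandom. There is no
# header, the key is never stored, so swap contents are unrecoverable after
# close/reboot and hibernation to this swap is not possible. The installed
# system has to recreate the mapping itself (crypttab); see the links at the
# top of the file.
cryptsetup open --type plain --key-file /dev/urandom /dev/disk/by-partlabel/cryptswap swap
mkswap -L swap /dev/mapper/swap
swapon /dev/mapper/swap

#
# Format (btrfs)
#
# Temporarily mount our top-level volume for further subvolume creation.
# The opened mapper device is used directly instead of LABEL=system so that
# another disk carrying the same filesystem label can never be picked up.
mkfs.btrfs --force --label system /dev/mapper/system
# We assume /mnt as the standard mount point
mount -t btrfs /dev/mapper/system /mnt
# CREATE SUBVOLUMES
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@snapshots
# MOUNT SUBVOLUMES
# remount just the subvolumes under our top-level subvolume (which remains
# unmounted unless we need to do "surgery" and rollback to a previous system):
umount -R /mnt
# 'o' is the default set of options for any mount, 'o_btrfs' adds the
# btrfs-specific ones. "x-mount.mkdir" makes mount(8) create missing
# mountpoint directories. space_cache=v2 (free-space tree) is what current
# mkfs.btrfs creates by default; the bare v1 "space_cache" option is deprecated.
# DOCS: https://btrfs.readthedocs.io/en/latest/Administration.html?highlight=mount#mount-options
o="defaults,x-mount.mkdir"
o_btrfs="$o,ssd,compress=zstd,noatime,discard=async,space_cache=v2"
mount -t btrfs -o "$o_btrfs,subvol=@" /dev/mapper/system /mnt/
mount -t btrfs -o "$o_btrfs,subvol=@snapshots" /dev/mapper/system /mnt/.snapshots
mount -o "$o" /dev/disk/by-partlabel/EFI /mnt/boot
# FINISH INSTALLING FROM HERE: https://wiki.archlinux.org/title/User:Altercation/Bullet_Proof_Arch_Install#Installation_of_Base_Arch_Linux_System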