Install Alpine Linux on ZFS, on LUKS, with FDE and standalone UEFI GRUB
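#!/bin/sh
# Install Alpine Linux on ZFS, on LUKS, with FDE and standalone UEFI GRUB
#
# Run from the Alpine installer environment. Destroys /dev/sda.
#
# Environment (optional):
#   PASSWORD  root password and LUKS passphrase (default: changeme).
#             The default is a placeholder; override it or change both
#             after first boot.
#
# /dev/sda is assumed throughout: the mknod calls below hard-code its
# major/minor numbers (8:1, 8:2), so it cannot simply be renamed to
# another disk (see the gist comment about NVMe targets).
set -eu

PASSWORD=${PASSWORD:-changeme}

cat << EOF > answers.txt
KEYMAPOPTS="us us"
HOSTNAMEOPTS="-n localhost"
INTERFACESOPTS="auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
"
TIMEZONEOPTS="-z America/Detroit"
PROXYOPTS="none"
APKREPOSOPTS="-1"
SSHDOPTS="-c openssh"
NTPOPTS="-c chrony"
DISKOPTS="-z --please-dont-do-anything"
EOF
# DISKOPTS is a bogus option so setup-alpine touches no disk; the non-zero
# exit that presumably results is ignored and disks are handled manually below.
setup-alpine -e -f answers.txt || true
printf 'root:%s\n' "$PASSWORD" | chpasswd
modprobe zfs
apk add zfs sfdisk cryptsetup

# ESP (EFI System Partition type GUID) + root (ZFS type GUID).
cat << EOF | sfdisk --quiet --label gpt /dev/sda
/dev/sda1: start=1M,size=100M,bootable,type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B
/dev/sda2: type=CA7D7CCB-63ED-4C53-861C-1742536059CC
EOF
# Device nodes for the new partitions; 8:1/8:2 are sda1/sda2 only.
mknod /dev/sda1 b 8 1 || true
mknod /dev/sda2 b 8 2 || true
mkfs.vfat -F 32 /dev/sda1

# luks1 header so GRUB's cryptodisk module can unlock it at boot.
printf '%s' "$PASSWORD" | cryptsetup -M luks1 luksFormat /dev/sda2 -
printf '%s' "$PASSWORD" | cryptsetup open /dev/sda2 crypt -

zpool create -f -o ashift=12 -O acltype=posixacl -O canmount=off -O atime=off -O xattr=sa -O mountpoint=/ -R /mnt root /dev/mapper/crypt
zfs create -o mountpoint=none -o canmount=off root/ROOT
zfs create -o mountpoint=legacy root/ROOT/alpine
mount -t zfs root/ROOT/alpine /mnt

rc-update add dmcrypt sysinit
rc-update add zfs-import sysinit
rc-update add zfs-mount sysinit
# setup-disk does not list zfs as a root filesystem; patch the installer.
sed -i 's/ext2 ext3 ext4/ext2 ext3 ext4 zfs/' /sbin/setup-disk
setup-disk -m sys /mnt
mkdir /mnt/boot/efi
mount -t vfat /dev/sda1 /mnt/boot/efi
# NOTE(review): purpose of this alias is not stated; presumably for the
# installer's device lookup — confirm before removing.
ln -s /dev/mapper/crypt /dev/crypt

# Keyfile lets the initramfs unlock root without a second passphrase prompt.
# It is an unlock credential: keep it readable by root only.
dd if=/dev/urandom of=/mnt/crypto_keyfile.bin bs=512 count=4
chmod 0400 /mnt/crypto_keyfile.bin
printf '%s' "$PASSWORD" | cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin

for i in dev proc sys; do mount -o bind /$i /mnt/$i; done
chroot /mnt apk add grub grub-efi
chroot /mnt apk del syslinux

ROOT_UUID=$(blkid -s UUID -o value /dev/sda2)
printf '%s\n' 'GRUB_ENABLE_CRYPTODISK=y' >> /mnt/etc/default/grub
printf "GRUB_CMDLINE_LINUX_DEFAULT='cryptroot=UUID=%s cryptdm=crypt cryptkey'\n" "$ROOT_UUID" >> /mnt/etc/default/grub
printf 'crypt /dev/sda2\n' > /mnt/etc/crypttab
chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg
chroot /mnt grub-install --target x86_64-efi --removable --efi-directory=/boot/efi/

# Add the cryptsetup and cryptkey features so the initramfs can use the keyfile.
sed -i 's/zfs/zfs cryptsetup cryptkey/' /mnt/etc/mkinitfs/mkinitfs.conf
# $(ls /lib/modules/) resolves the installed kernel version inside the chroot.
chroot /mnt sh -c 'mkinitfs -c /etc/mkinitfs/mkinitfs.conf -b / $(ls /lib/modules/)'
# Standalone GRUB image with grub.cfg embedded, at the removable-media path.
chroot /mnt grub-mkstandalone -d /usr/lib/grub/x86_64-efi/ -O x86_64-efi --modules="part_gpt cryptodisk luks zfs" --fonts=unicode -o /boot/efi/EFI/BOOT/BOOTX64.EFI "boot/grub/grub.cfg=/boot/grub/grub.cfg"

for i in dev proc sys boot/efi; do umount /mnt/$i; done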
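#!/bin/sh
# Work-in-progress Ubuntu version
#
# Run from a live environment that has debootstrap, sfdisk, cryptsetup and
# zfs available. Destroys the target disk.
#
# Environment (optional, defaults match the original hard-coded values):
#   DEVICE    target disk name under /dev (default: vdb)
#   ESP       EFI partition name under /dev (default: ${DEVICE}1)
#   ROOT      LUKS/root partition name under /dev (default: ${DEVICE}2)
#   PASSWORD  LUKS passphrase (default: changeme — a placeholder)
#   ZPOOL     pool name (default: rpool)
set -eu

DEVICE=${DEVICE:-vdb}
ESP=${ESP:-${DEVICE}1}
ROOT=${ROOT:-${DEVICE}2}
PASSWORD=${PASSWORD:-changeme}
ZPOOL=${ZPOOL:-rpool}

# ESP (EFI System Partition type GUID) + root (ZFS type GUID).
# sfdisk needs the full device path, consistent with the /dev/ prefixes below.
cat << EOF | sfdisk --quiet --label gpt "/dev/$DEVICE"
/dev/$ESP: start=1M,size=100M,bootable,type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B
/dev/$ROOT: type=CA7D7CCB-63ED-4C53-861C-1742536059CC
EOF

# luks1 header so GRUB's cryptodisk module can unlock it at boot.
printf '%s' "$PASSWORD" | cryptsetup -M luks1 luksFormat "/dev/$ROOT" -
printf '%s' "$PASSWORD" | cryptsetup open "/dev/$ROOT" crypt -

zpool create -f -o ashift=12 -O acltype=posixacl -O canmount=off -O atime=off -O xattr=sa -O mountpoint=/ -R /mnt "$ZPOOL" /dev/mapper/crypt
zfs create -o mountpoint=none -o canmount=off "$ZPOOL/ROOT"
zfs create -o mountpoint=legacy "$ZPOOL/ROOT/ubuntu"
mount -t zfs "$ZPOOL/ROOT/ubuntu" /mnt

debootstrap jammy /mnt
mount -o rbind,rslave /dev /mnt/dev
mount -o rbind,rslave /proc /mnt/proc
mount -o rbind,rslave /sys /mnt/sys

mkfs.vfat "/dev/$ESP"
mkdir -p /mnt/boot/efi
mount -t vfat "/dev/$ESP" /mnt/boot/efi

# Copy the host's apt sources with deb-src enabled.
sed 's/# deb-src/deb-src/' /etc/apt/sources.list > /mnt/etc/apt/sources.list
chroot /mnt sed -i -e 's/# C.UTF-8/C.UTF-8/' -e 's/# en_US.UTF-8/en_US.UTF-8/' /etc/locale.gen
chroot /mnt locale-gen
chroot /mnt apt update
# -y for consistency with the unattended install step that follows.
chroot /mnt apt upgrade -y
chroot /mnt apt install -y cryptsetup grub-efi-amd64-bin linux-generic-hwe-22.04 ubuntu-desktop ubuntu-desktop-minimal ubuntu-standard ubuntu-wallpapers zfsutils-linux zfs-initramfs
chroot /mnt apt-mark auto '*'
chroot /mnt apt-mark manual cryptsetup grub-efi-amd64-bin linux-generic-hwe-22.04 ubuntu-desktop ubuntu-minimal ubuntu-standard zfsutils-linux

# The root dataset uses mountpoint=legacy (set above), so it needs an fstab
# entry. printf keeps the tabs literal whichever sh runs this, uses the
# configured pool name, and spells the standard fstab keyword "defaults".
printf '%s\t/\tzfs\tdefaults\t0 0\n' "$ZPOOL/ROOT/ubuntu" > /mnt/etc/fstab

# Keyfile lets the initramfs unlock root without a second passphrase prompt.
# It is an unlock credential: keep it readable by root only.
dd if=/dev/urandom of=/mnt/crypto_keyfile.bin bs=512 count=4
chmod 0400 /mnt/crypto_keyfile.bin
printf '%s' "$PASSWORD" | cryptsetup luksAddKey "/dev/$ROOT" /mnt/crypto_keyfile.bin

# Read the LUKS UUID once; it is needed by both crypttab and the kernel cmdline.
ROOT_UUID=$(blkid -s UUID -o value "/dev/$ROOT")
# "initramfs" asks initramfs-tools to carry the keyfile inside the initrd,
# which presumably sits on the encrypted root (GRUB unlocks it first).
printf 'crypt UUID=%s /crypto_keyfile.bin luks,discard,initramfs\n' "$ROOT_UUID" > /mnt/etc/crypttab
printf '%s\n' cryptroot zfs >> /mnt/etc/initramfs-tools/modules
chroot /mnt update-initramfs -u

# NOTE(review): presumably dropped so the stock 10_linux menu entries are
# generated instead of the zfs-specific ones — confirm.
rm /mnt/etc/grub.d/10_linux_zfs
printf '%s\n' 'GRUB_ENABLE_CRYPTODISK=y' >> /mnt/etc/default/grub
# NOTE(review): cryptroot=/cryptdm=/cryptkey are the Alpine mkinitfs parameters
# carried over from the Alpine script; Ubuntu's initramfs unlocks via crypttab
# above — confirm whether they are still needed here.
printf "GRUB_CMDLINE_LINUX_DEFAULT='cryptroot=UUID=%s cryptdm=crypt cryptkey quiet splash'\n" "$ROOT_UUID" >> /mnt/etc/default/grub
chroot /mnt update-grub
chroot /mnt grub-install --target x86_64-efi --removable --efi-directory=/boot/efi/
# Standalone GRUB image with grub.cfg embedded, at the removable-media path.
chroot /mnt grub-mkstandalone -d /usr/lib/grub/x86_64-efi/ -O x86_64-efi --modules="part_gpt cryptodisk luks zfs" --fonts=unicode -o /boot/efi/EFI/BOOT/BOOTX64.EFI "boot/grub/grub.cfg=/boot/grub/grub.cfg"
# grub-install's stub config is superseded by the embedded one.
rm /mnt/boot/efi/EFI/BOOT/grub.cfg

umount -R /mnt
zpool export "$ZPOOL"
cryptsetup close crypt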
Watch out!
If your target is not /dev/sda but /dev/nvme0n1 and you have a /dev/sda disk attached, the mknod command will erase your partitions on /dev/sda.
A better solution is to use instead the command
mdev -d
Or change the major and minor number as seen in
lsblk
.