@raphendyr
Last active April 4, 2025 19:30

Revisions

  1. raphendyr revised this gist Feb 26, 2023. 1 changed file with 3 additions and 3 deletions.
    6 changes: 3 additions & 3 deletions installing_debian.md
    @@ -183,7 +183,7 @@ mkfs.vfat -n EFI0 /dev/correct-disk1
    Add all mounted filesystems to fstab

    ```sh
    lsblk -o name,uuid,fstype,label | tee /prepare/fstab
    lsblk -o name,path,uuid,fstype,label | tee /prepare/fstab
    ```

    Edit the `/prepare/fstab` file to look like:
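
    Review bot: The heading over the changed `lsblk` call says "Add all mounted filesystems to fstab", but `lsblk` lists every block device whether or not it is mounted, and `tee` writes that raw table, header row included, into `/prepare/fstab`. Reword the heading to say this is a reference dump to be rewritten by hand in the next step, and consider `-n` so the header row does not end up in the file.
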
    @@ -208,9 +208,9 @@ UUID=filesyst-em00-0000-0000-dddddddddddd /home ext4 defaults,user_xattr,lazytim
    # LABEL=EFI0
    UUID=DEAD-BEEF /boot/efi0 vfat defaults,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed 0 2
    # repeat for every swap device
    # repeat for every swap device (boot/swapon generates a new uuid every time)
    # LABEL=swap0
    UUID=filesyst-em00-0000-0000-eeeeeeeeeeee none swap sw 0 0
    /dev/mapper/swap0 none swap sw 0 0
    ```

    8. Prepare filesystems for chroot
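
    Review bot: The new comment on the swap entry blames "boot/swapon" for the changing UUID, but the UUID changes because the `swap` option on the `swap0` crypttab line re-runs mkswap each time the mapping is opened; swapon does not write a new one. Reword the comment to say that, so it is clear why `/dev/mapper/swap0` replaces the `UUID=` form, and check whether the `# LABEL=swap0` line above it is still meaningful after the same re-format.
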
  2. raphendyr revised this gist Mar 1, 2022. 1 changed file with 3 additions and 2 deletions.
    5 changes: 3 additions & 2 deletions installing_debian.md
    @@ -91,6 +91,7 @@ mdadm -v -C /dev/md/home -e 1.2 -l 1 -n 2 /dev/first-device4 /dev/second-device4
    Note that we use version 1.0 for efi and boot, so they can be read without using RAID, but we mount them with raid, so both disk have the same data when updated.

    If you anticipate to add second disk later, you may create a single disk arrow now. To do that, replace `-n 2` with `--force -n 1`. Converting plain disk to RAID later is quite hard.
    Later, you can add new disk with `mdadm -a /dev/md/name /dev/second-deviceN` and `mdadm --frow -n 2 /dev/md/name`.

    Verify result with

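    Review bot: The added line's second command, `mdadm --frow -n 2 /dev/md/name`, uses an option mdadm does not have; the mode that changes the device count is `--grow`, so as written the command fails and the array stays at one device. Correct it to `mdadm --grow -n 2 /dev/md/name`, and while here fix "single disk arrow" to "array" in the line above.
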
    @@ -148,7 +149,7 @@ Edit the `/prepare/crypttab` file to look like:
    root UUID=cryptdev-0000-0000-0000-aaaaaaaaaaaa none luks,discard
    home UUID=cryptdev-0000-0000-0000-bbbbbbbbbbbb /etc/crypttab_home.key luks,discard
    # repeat for every disk with swap
    swap0 PARTUUID=blockdev-0000-0000-0000-eeeeeeeeeeee /etc/crypttab_swap.key plain,cipher=aes-xts-plain64,size=512,hash=sha512,discard,swap
    swap0 PARTUUID=blockdev-0000-0000-0000-eeeeeeeeeeee /etc/crypttab_swap.key plain,cipher=aes-xts-plain64,size=512,discard,swap
    ```

    Open created devices
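
    Review bot: The `swap0` line loses `hash=sha512` with nothing in the file saying why, which invites someone to add it back. In plain mode cryptsetup takes the key bytes straight from the key file and ignores the hash, so with `/etc/crypttab_swap.key` the option had no effect; a one-line comment above the entry stating that, and that `size=512` uses the first 64 bytes of the key file, would document the change.
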
    @@ -378,7 +379,7 @@ update-grub

    ```sh
    for d in /boot/efi*; do
    grub-install --efi-dorectory=$d --bootloader-id=debian${d#/boot/efi}
    grub-install --efi-directory=$d --bootloader-id=debian${d#/boot/efi}
    done
    ```

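    Review bot: On the corrected `grub-install` line `$d` is still expanded unquoted, both in `--efi-directory=$d` and in the `--bootloader-id` suffix; quote them as `--efi-directory="$d" --bootloader-id="debian${d#/boot/efi}"`. The loop also runs once with the literal pattern `/boot/efi*` when no such directory exists, so a `[ -d "$d" ] || continue` guard at the top of the body would make the failure mode clearer.
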
  3. raphendyr revised this gist Feb 23, 2022. 1 changed file with 426 additions and 1 deletion.
    427 changes: 426 additions & 1 deletion installing_debian.md
    @@ -1 +1,426 @@
    # Start
    # Installing Debian

    ## prepare storage

    1. prepare

    create a memory storage for secure files

    ```sh
    mkdir -p /prepare
    mount -t tmpfs none /prepare
    ```

    install packages

    ```sh
    apt update
    apt install cryptsetup
    apt install mdadm # if you are going to use raid
    ```

    2. ensure you have correct devices

    ```sh
    fdisk -l /dev/sd? /dev/nvme?n?
    ```

    3. partition disks (use GPT)

    **For EFI systems:**

    _You may use purpose as the partition name_

    ```sh
    cgdisk /dev/correct-disk
    # purpose size GUID name gdisk GUID
    # efi 512M EFI System EF00 C12A7328-F81F-11D2-BA4B-00A0C93EC93B
    # boot 512M Linux ext. boot EA00 BC13C2FF-59E6-4262-A352-B275FD6F7172
    # root >30G Linux LUKS 8309 CA7D7CCB-63ED-4C53-861C-1742536059CC
    # home nG Linux LUKS 8309 CA7D7CCB-63ED-4C53-861C-1742536059CC
    # swap 8-64G Linux dm-crypt 8308 7FFEC5C9-2D00-49B7-8941-3EA10A5586B7
    ```

    The root partition is for OS and the home is for user files, but you may use a single partition instead (i.e., root).

    If you setup RAID, then use gdisk code `fd00` (GUID `A19D880F-05FC-4D3B-A006-743F0F84911E`) for root and home partitions.

    If you need hibernation, then this setup doesn't work for you (you need LVM). For hibernation the swap size would be about as much as you have RAM, which is a good default always.

    **For non-EFI systems (e.g., cloud VMs):**

    ```sh
    cgdisk /dev/correct-disk
    # purpose size GUID name gdisk GUID
    # grub 2M EF02 21686148-6449-6E6F-744E-656564454649
    # boot 256M Linux ext. boot EA00 BC13C2FF-59E6-4262-A352-B275FD6F7172
    # luks >10G Linux LUKS 8309 CA7D7CCB-63ED-4C53-861C-1742536059CC
    # swap 1-4G Linux dm-crypt 8308 7FFEC5C9-2D00-49B7-8941-3EA10A5586B7
    ```

    You can start with following command, which will set the first 2 partitions nicely.

    ```sh
    sfdisk /dev/correct-disk <<EOF
    label: gpt
    device: /d
    unit: sectors
    first-lba: 34
    /d1 : start= 6144, size= 487424, type=BC13C2FF-59E6-4262-A352-B275FD6F7172, name="boot"
    /d9 : start= 2048, size= 4096, type=21686148-6449-6E6F-744E-656564454649, name="grub"
    EOF
    ```

    4. (optional) copy partition table to second RAID disk

    ```sh
    sgdisk --replicate=/dev/second-disk /dev/first-disk
    sgdisk -G /dev/second-disk
    ```
    **Notice the order of arguments!**

    5. (optional) create RAID

    ```sh
    mdadm -v -C /dev/md/boot -e 1.0 -l 1 -n 2 /dev/first-device2 /dev/second-device2
    mdadm -v -C /dev/md/root -e 1.2 -l 1 -n 2 /dev/first-device3 /dev/second-device3
    # only if this is home and not swap
    mdadm -v -C /dev/md/home -e 1.2 -l 1 -n 2 /dev/first-device4 /dev/second-device4
    ```
    Note that we use version 1.0 for efi and boot, so they can be read without using RAID, but we mount them with raid, so both disk have the same data when updated.

    If you anticipate to add second disk later, you may create a single disk arrow now. To do that, replace `-n 2` with `--force -n 1`. Converting plain disk to RAID later is quite hard.

    Verify result with

    ```sh
    cat /proc/mdstat
    ```

    Prepare config

    ```sh
    mkdir -p /prepare/mdadm
    mdadm --detail --scan | tee /prepare/mdadm/mdadm.conf
    ```

    Edit `/prepare/mdadm.conf` and replace installer hostname with the target hostname in name field.

    6. setup crypto

    Partitions efi and boot won't be encrypted. Run the following command for data partitions root and home only. Use RAID devices `/dev/md1[34]`, if you created those.

    Create a nice password with `pwqgen` or come up with one. I recommend to use multiple words and less special characters. Consider that you should be able to write the password when the keyboard layout is not correct (i.e., just letters, numbers, comma, dot and space).

    ```sh
    cryptsetup --type luks2 --label "luks:root" luksFormat <root partition>
    cryptsetup --type luks2 --label "luks:home" luksFormat <home partition>
    ```

    Create keyfiles

    ```sh
    for n in home swap; do
    dd bs=1024 count=8 if=/dev/random iflag=fullblock of=/prepare/crypttab_$n.key
    chmod 0400 /prepare/crypttab_$n.key
    ln -s /prepare/crypttab_$n.key /etc/crypttab_$n.key
    done
    ```

    Add keyfiles to the cryptdisk, if you have home partition

    ```sh
    cryptsetup luksAddKey <home partition> /prepare/crypttab_home.key
    ```

    Add cryptdisks to crypttab

    ```sh
    lsblk -o label,uuid,fstype | awk '/crypto_LUKS$/ { print $1, "UUID=" $2 }' | tee /prepare/crypttab
    # repeat for every disk with swap
    blkid /dev/correct-diskN | tee -a /prepare/crypttab
    ```

    Edit the `/prepare/crypttab` file to look like:

    ```
    root UUID=cryptdev-0000-0000-0000-aaaaaaaaaaaa none luks,discard
    home UUID=cryptdev-0000-0000-0000-bbbbbbbbbbbb /etc/crypttab_home.key luks,discard
    # repeat for every disk with swap
    swap0 PARTUUID=blockdev-0000-0000-0000-eeeeeeeeeeee /etc/crypttab_swap.key plain,cipher=aes-xts-plain64,size=512,hash=sha512,discard,swap
    ```

    Open created devices

    ```sh
    TABFILE=/prepare/crypttab cryptdisks_start root # requires password
    TABFILE=/prepare/crypttab cryptdisks_start home # unlocks with key
    # repeat for every swap
    TABFILE=/prepare/crypttab cryptdisks_start swap0 # unlocks with key
    ```

    7. Create filesystems and fstab

    Create swaps

    ```sh
    # repeat for every swap
    mkswap -L swap0 /dev/mapper/swap0
    ```

    Create actual filesystems

    ```sh
    mkfs.ext4 -L boot </dev/correct-disk2 or /dev/md/boot>
    mkfs.ext4 -L root /dev/mapper/root
    mkfs.ext4 -L home -m 0 /dev/mapper/home
    # repeat for every disk in root array
    mkfs.vfat -n EFI0 /dev/correct-disk1
    ```

    Add all mounted filesystems to fstab

    ```sh
    lsblk -o name,uuid,fstype,label | tee /prepare/fstab
    ```

    Edit the `/prepare/fstab` file to look like:

    ```
    # /etc/fstab: static file system information.
    #
    # Use 'blkid' to print the universally unique identifier for a
    # device; this may be used with UUID= as a more robust way to name devices
    # that works even if disks are added and removed. See fstab(5).
    #
    # <file system> <mount point> <type> <options> <dump> <pass>
    # LABEL=root
    UUID=filesyst-em00-0000-0000-aaaaaaaaaaaa / ext4 defaults,user_xattr,lazytime,commit=30,errors=remount-ro 0 1
    # LABEL=boot
    UUID=filesyst-em00-0000-0000-bbbbbbbbbbbb /boot ext4 defaults,lazytime,nodev,nosuid,noexec,commit=60 0 2
    # LABEL=home
    UUID=filesyst-em00-0000-0000-dddddddddddd /home ext4 defaults,user_xattr,lazytime,nodev,nosuid,commit=30 0 2
    # repeat for every efi device
    # LABEL=EFI0
    UUID=DEAD-BEEF /boot/efi0 vfat defaults,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed 0 2
    # repeat for every swap device
    # LABEL=swap0
    UUID=filesyst-em00-0000-0000-eeeeeeeeeeee none swap sw 0 0
    ```

    8. Prepare filesystems for chroot

    Copy it for chroot mounting

    ```sh
    cp /prepare/fstab /target.fstab
    ```

    Edit `/target.fstab` to look like, i.e., **prefix paths**, drop swaps and add system mounts.

    ```
    UUID=filesyst-em00-0000-0000-aaaaaaaaaaaa /target ext4 defaults,user_xattr,lazytime,commit=30,errors=remount-ro 0 1
    UUID=filesyst-em00-0000-0000-bbbbbbbbbbbb /target/boot ext4 defaults,lazytime,nodev,nosuid,noexec,commit=60 0 2
    UUID=filesyst-em00-0000-0000-dddddddddddd /target/home ext4 defaults,user_xattr,lazytime,nodev,nosuid,commit=30 0 2
    # repeat for every efi device
    UUID=DEAD-BEEF /target/boot/efi0 vfat defaults,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed 0 2
    run /target/run tmpfs defaults 0 0
    sys /target/sys sysfs defaults 0 0
    udev /target/dev devtmpfs defaults 0 0
    dpts /target/dev/pts devpts defaults 0 0
    proc /target/proc proc defaults 0 0
    efivars /target/sys/firmware/efi/efivars efivarfs defaults
    ```

    Mount root filesystem

    ```sh
    mkdir -p /target
    mount -T /target.fstab /target
    ```

    ## Install base system

    1. download tools

    ```sh
    apt update
    apt install debootstrap
    ```

    2. setup apt info

    ```sh
    release=bullseye
    case "$(hostname -f)" in
    *ovh.net) mirror=debian.mirrors.ovh.net ;;
    *) mirror=ftp.debian.org ;;
    esac
    ```

    3. install with debootstrap

    ```sh
    debootstrap \
    --components=main,contrib,non-free \
    --include=curl \
    $release /target https://$mirror/debian \
    || echo "Installation failed: exit=$?"
    ```

    4. setup a minimal level of the base system

    ```sh
    cat > /target/etc/apt/sources.list <<EOF
    deb http://$mirror/debian $release main contrib non-free
    deb http://$mirror/debian $release-updates main contrib non-free
    deb http://$mirror/debian $release-backports main contrib non-free
    deb http://security.debian.org/ $release-security main contrib non-free
    EOF

    cp -a /prepare/* /target/etc/
    ```

    5. mount rest of the filesystem

    ```sh
    awk '/#/ {next}; $2 ~ /\/target\// {print length($2), $2}' /target.fstab | sort -n | while read l p; do
    mkdir -p $p && mount -T /target.fstab $p
    done
    ```

    NOTE: above is required only for the first time. If you need to remount disks, following is enough.
    However remember that `/target.fstab` doesn't persist over reboots on live installers and rescue systems.

    ```sh
    mount -T /target.fstab -a
    ```

    6. enter chroot

    ```sh
    cp /etc/resolv.conf /target/etc/resolv.conf
    LANG=C.UTF-8 chroot /target /bin/bash
    ```

    7. (optional) install deb.n-1.fi private repo and install base system packages

    ```sh
    # in chroot
    curl -sSLo /run/nm1.deb https://deb.n-1.fi/archive-keyring.deb
    dpkg -E -i /run/nm1.deb
    rm /run/nm1.deb

    apt update
    # basic desktop:
    apt install blend-n-1.fi-desktop blend-n-1.fi-efi-amd64
    # basic VPS:
    apt install blend-n-1.fi-shell blend-n-1.fi-vps-amd64
    ```

    8. (alternative) install required packages manually

    Check content of above packages from the web site to get up-to-date idea what to install.

    ```sh
    # in chroot
    apt update
    # blend-n-1.fi-efi-amd64
    apt install console-setup grub-efi grub-theme-breeze linux-image-amd64
    # blend-n-1.fi-basesystem
    apt install apt-listchanges apt-utils aptitude base-passwd bsdutils bzip2 diffutils e2fsprogs findutils gawk grep gzip hostname less locales lz4 ncurses-base ncurses-bin p7zip pv reportbug sed systemd systemd-cron systemd-sysv unar util-linux xmlstarlet cryptsetup
    # consider these
    apt install burp ipset lm-sensors openssh-client passwdqc rsync unattended-upgrades vlan
    ```

    9. install more packages

    ```sh
    # if you used RAID
    apt install mdadm
    # TODO
    apt install
    ```

    11. Configure an user

    ```sh
    adduser user
    adduser user ssh
    adduser user sudo
    ```

    12. Final configurations

    ```sh
    # name your system
    echo myhostname > /target/etc/hostname
    # configure locales
    dpkg-reconfigure locales
    ```

    13. Update initramfs and grub

    ```sh
    update-initramfs -u -k all
    update-grub
    ```

    14. Install grub

    **EFI:**

    ```sh
    for d in /boot/efi*; do
    grub-install --efi-dorectory=$d --bootloader-id=debian${d#/boot/efi}
    done
    ```

    Verify that boot entry was added correctly

    ```sh
    efibootmgr
    ```

    **NOTE**: if above fails, then add boot entry manually

    ```sh
    efibootmgr -c -d /dev/disk-with-boot -L Debian -l \\EFI\\debian\\grubx64.efi
    ```

    **Non-EFI:**

    ```sh
    grub-install /dev/correct-device
    ```

    # Clean and reboot

    Exit the chroot

    ```sh
    exit
    ```

    Umount target

    ```sh
    umount -R /target
    ```

    Stop cryptdisks

    ```sh
    cryptdisks_stop root
    cryptdisks_stop home
    # repeat for every swap
    cryptdisks_stop swap0
    ```

    Reboot...
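
    Review bot: Step 14's EFI loop calls `grub-install --efi-dorectory=$d`, a misspelling of `--efi-directory`, so the bootloader install fails on every EFI partition; fix the option name and quote `"$d"`. Other points in this revision: step 5 writes the scan to `/prepare/mdadm/mdadm.conf` but then tells the reader to edit `/prepare/mdadm.conf`; step 12 writes `/target/etc/hostname` although the shell has been inside the chroot since step 6, where the file is `/etc/hostname`; the step numbering jumps from 9 to 11; and step 7 fetches `archive-keyring.deb` with `curl` and installs it with `dpkg -i` without comparing a checksum or signature, so trust in that repository rests on the TLS connection alone. Publishing a SHA-256 for the keyring package and adding a `sha256sum -c` step before the install would close that gap.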
  4. raphendyr created this gist Feb 23, 2022.
    1 change: 1 addition & 0 deletions installing_debian.md
    @@ -0,0 +1 @@
    # Start