config/ubuntu-20.04/install-zfs-luks.sh

#!/bin/bash

# Boot Live CD
# Start terminal
# sudo su -
# apt update
# apt install openssh-server
# passwd ubuntu
#
# read secretpassword
# password=`cat /mount/cryptkeys.txt`

secretpassword=${secretpassword:-MyLUKSPassword}
password=${password:-MyLUKSPassword}
rootpassword=${rootpassword:-MyRootPassword}
hostname=${hostname:-myhostname}
DISK=${DISK:-/dev/disk/by-id/ata-ST1000LM024_HN-M101MBB_S2R8JX0D400082}

echo "$hostname $password $rootpassword $secretpassword $DISK"

export rootpassword
export password
export DISK

install_build_software() {
    apt-add-repository universe
    apt update
    apt install --yes debootstrap gdisk zfs-initramfs cryptsetup-bin
}

partitiondisk() {
    sgdisk --zap-all $DISK
    sgdisk            -n2:1M:+510M     -t2:EF00 $DISK
    sgdisk -a 1048576 -n3:0:+2G        -t3:BF01 $DISK
    end_position=$(sgdisk -E $DISK)
    sgdisk -a 1048576 -n4:0:$(( $end_position - (($end_position + 1) % 2048) )) -t4:BF01 $DISK
    fdisk -l $DISK
    # Needed for partitiontable to be visible
    sleep 5
    partprobe
}

setup_zpool_for_boot() {
    zpool destroy bpool 2>/dev/null
    zpool create -f -o ashift=12 -d \
	  -o feature@async_destroy=enabled \
	  -o feature@bookmarks=enabled \
	  -o feature@embedded_data=enabled \
	  -o feature@empty_bpobj=enabled \
	  -o feature@enabled_txg=enabled \
	  -o feature@extensible_dataset=enabled \
	  -o feature@filesystem_limits=enabled \
	  -o feature@hole_birth=enabled \
	  -o feature@large_blocks=enabled \
	  -o feature@lz4_compress=enabled \
	  -o feature@spacemap_histogram=enabled \
	  -o feature@userobj_accounting=enabled \
	  -O acltype=posixacl -O canmount=off -O compression=lz4 -O devices=off \
	  -O normalization=formD -O relatime=on -O xattr=sa \
	  -O mountpoint=/ -R /mnt bpool ${DISK}-part3
}

setup_zpool_for_root() {
    zpool destroy rpool 2>/dev/null
    cryptsetup luksClose luks1
    echo "$password" | cryptsetup -y -v luksFormat --sector-size 4096 \
				  --pbkdf-parallel 1 \
				  --pbkdf-memory 4000000 --pbkdf argon2id --iter-time 1000 \
				  ${DISK}-part4
    cryptsetup config --priority prefer --key-slot 0
    echo "$password" | cryptsetup luksOpen ${DISK}-part4 luks1
    (echo "$password"; echo "$secretpassword") |
	cryptsetup -y -v luksAddKey \
				  --pbkdf-parallel 1 \
				  --pbkdf-memory 4000000 --pbkdf argon2id --iter-time 40000 \
				  ${DISK}-part4
    zpool create -o ashift=12 \
	  -O acltype=posixacl -O canmount=off -O compression=lz4 \
	  -O dnodesize=auto -O normalization=formD -O relatime=on -O xattr=sa \
	  -O mountpoint=/ -R /mnt rpool /dev/mapper/luks1
}

create_zfs_mounts() {
    zfs create -o canmount=off -o mountpoint=none rpool/ROOT
    zfs create -o canmount=off -o mountpoint=none bpool/BOOT

    zfs create -o canmount=noauto -o mountpoint=/ rpool/ROOT/ubuntu
    zfs mount rpool/ROOT/ubuntu

    zfs create -o canmount=noauto -o mountpoint=/boot bpool/BOOT/ubuntu
    zfs mount bpool/BOOT/ubuntu
}

bootstrap_debian() {
    debootstrap focal /mnt
    # Do not allow device files in rpool (why?)
    zfs set devices=off rpool
}


make_stage2() {
    cat <<_stage2_eof >/mnt/stage2.sh
set_hostname() {
    echo $hostname > etc/hostname
    echo 127.0.1.1 $hostname >> etc/hosts
}

add_apt_sources() {
    perl -pe 's/\s*$/\n/' <<EOF > etc/apt/sources.list
deb http://archive.ubuntu.com/ubuntu focal main universe
deb-src http://archive.ubuntu.com/ubuntu focal main universe

deb http://security.ubuntu.com/ubuntu focal-security main universe
deb-src http://security.ubuntu.com/ubuntu focal-security main universe

deb http://archive.ubuntu.com/ubuntu focal-updates main universe
deb-src http://archive.ubuntu.com/ubuntu focal-updates main universe
EOF

    ln -s /proc/self/mounts /etc/mtab
    apt update

    locale-gen --purge "en_US.UTF-8"
    update-locale LANG=en_US.UTF-8 LANGUAGE=en_US
    dpkg-reconfigure --frontend noninteractive locales

#dpkg-reconfigure tzdata

}


install_initrd_tools() {
    apt install --yes nano
    apt install linux-modules-5.4.0-26-generic
    apt install --yes --no-install-recommends linux-image-generic
    apt install --yes zfs-initramfs
    apt install --yes grub-efi-amd64
}

install_luks() {
    apt install --yes cryptsetup
    # Add LUKS device for root in /etc/crypttab
    echo luks1 UUID=$(blkid -s UUID -o value ${DISK}-part4) none \
	 luks,discard,initramfs > /etc/crypttab
}

install_efi() {
    umount /boot/efi
    apt install dosfstools
    mkdosfs -F 32 -s 1 -n EFI ${DISK}-part2
    mkdir -p /boot/efi
    echo PARTUUID=$(blkid -s PARTUUID -o value ${DISK}-part2) \
	 /boot/efi vfat nofail,x-systemd.device-timeout=1 0 1 >> /etc/fstab
    mount /boot/efi
    apt install --yes grub-efi-amd64-signed shim-signed
}

install_zfs_systemd_service() {
    perl -pe 's/\s*$/\n/' <<EOF > /etc/systemd/system/zfs-import-bpool.service
[Unit]
DefaultDependencies=no
Before=zfs-import-scan.service
Before=zfs-import-cache.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/zpool import -N -o cachefile=none bpool

[Install]
WantedBy=zfs-import.target

EOF

    systemctl enable zfs-import-bpool.service
}

adduser_group() {
    addgroup --system lpadmin
    addgroup --system sambashare
    echo "root:$rootpassword" | chpasswd
}

install_grub() {
    grub-probe /boot

    echo "### These are OK:"
    echo "   cryptsetup: ERROR: Couldn't resolve device rpool/ROOT/ubuntu"
    echo "   cryptsetup: WARNING: Couldn't determine root device"
    update-initramfs -c -k all

    (
	echo GRUB_TERMINAL=console
	echo GRUB_TIMEOUT=5
	echo 'GRUB_CMDLINE_LINUX="root=ZFS=rpool/ROOT/ubuntu"'
	echo GRUB_TIMEOUT_STYLE=''
	echo 'GRUB_CMDLINE_LINUX_DEFAULT=""'
	echo GRUB_TIMEOUT=5
    ) >>/etc/default/grub

    update-grub

    grub-install --target=x86_64-efi --efi-directory=/boot/efi \
		 --bootloader-id=ubuntu --recheck --no-floppy
}

ready_for_first_boot() {
    zpool export bpool
    zpool export rpool
    echo "Now reboot"
    echo "You may have to do this on first boot"
    echo "   zpool import -f bpool"
    echo "   zpool import -f rpool"
}

stage2() {
    set_hostname
    add_apt_sources
    install_initrd_tools
    install_luks
    install_efi
    install_zfs_systemd_service
    adduser_group
    install_grub
    ready_for_first_boot
}

stage2
_stage2_eof
}

stage1() {
    install_build_software
    partitiondisk
    setup_zpool_for_boot
    setup_zpool_for_root
    create_zfs_mounts
    bootstrap_debian
    make_stage2
}

doall() {
    stage1    
    modprobe efivars
    mount --rbind /dev  /mnt/dev
    mount --rbind /proc /mnt/proc
    mount --rbind /sys  /mnt/sys
    chroot /mnt /usr/bin/env DISK=$DISK bash -x /stage2.sh

    umount /mnt/boot || umount -l /mnt/boot
    zpool export bpool || zpool export -f bpool
    umount /mnt || umount -l /mnt
    zpool export rpool || zpool export -f rpool
}
ubuntu-20.04: Installation script. 2020-05-09 15:47:28 +00:00			`#!/bin/bash`

			`# Boot Live CD`
			`# Start terminal`
			`# sudo su -`
			`# apt update`
			`# apt install openssh-server`
			`# passwd ubuntu`
r815 re-installed. 2020-06-01 16:40:56 +00:00			`#`
			`# read secretpassword`
			# password=`cat /mount/cryptkeys.txt`
ubuntu-20.04: Installation script. 2020-05-09 15:47:28 +00:00
r815 re-installed. 2020-06-01 16:40:56 +00:00			`secretpassword=${secretpassword:-MyLUKSPassword}`
ubuntu-20.04: Installation script. 2020-05-09 15:47:28 +00:00			`password=${password:-MyLUKSPassword}`
r815 re-installed. 2020-06-01 16:40:56 +00:00			`rootpassword=${rootpassword:-MyRootPassword}`
ubuntu-20.04: Installation script. 2020-05-09 15:47:28 +00:00			`hostname=${hostname:-myhostname}`
			`DISK=${DISK:-/dev/disk/by-id/ata-ST1000LM024_HN-M101MBB_S2R8JX0D400082}`

r815 re-installed. 2020-06-01 16:40:56 +00:00			`echo "$hostname $password $rootpassword $secretpassword $DISK"`

			`export rootpassword`
ubuntu-20.04: Installation script. 2020-05-09 15:47:28 +00:00			`export password`
			`export DISK`

			`install_build_software() {`
			`apt-add-repository universe`
			`apt update`
			`apt install --yes debootstrap gdisk zfs-initramfs cryptsetup-bin`
			`}`

			`partitiondisk() {`
			`sgdisk --zap-all $DISK`
r815 re-installed. 2020-06-01 16:40:56 +00:00			`sgdisk -n2:1M:+510M -t2:EF00 $DISK`
			`sgdisk -a 1048576 -n3:0:+2G -t3:BF01 $DISK`
r815: Docker+Vagrant. 2020-06-12 14:24:10 +00:00			`end_position=$(sgdisk -E $DISK)`
			`sgdisk -a 1048576 -n4:0:$(( $end_position - (($end_position + 1) % 2048) )) -t4:BF01 $DISK`
ubuntu-20.04: Installation script. 2020-05-09 15:47:28 +00:00			`fdisk -l $DISK`
			`# Needed for partitiontable to be visible`
			`sleep 5`
r815 re-installed. 2020-06-01 16:40:56 +00:00			`partprobe`
ubuntu-20.04: Installation script. 2020-05-09 15:47:28 +00:00			`}`

			`setup_zpool_for_boot() {`
r815 re-installed. 2020-06-01 16:40:56 +00:00			`zpool destroy bpool 2>/dev/null`
ubuntu-20.04: Installation script. 2020-05-09 15:47:28 +00:00			`zpool create -f -o ashift=12 -d \`
			`-o feature@async_destroy=enabled \`
			`-o feature@bookmarks=enabled \`
			`-o feature@embedded_data=enabled \`
			`-o feature@empty_bpobj=enabled \`
			`-o feature@enabled_txg=enabled \`
			`-o feature@extensible_dataset=enabled \`
			`-o feature@filesystem_limits=enabled \`
			`-o feature@hole_birth=enabled \`
			`-o feature@large_blocks=enabled \`
			`-o feature@lz4_compress=enabled \`
			`-o feature@spacemap_histogram=enabled \`
			`-o feature@userobj_accounting=enabled \`
			`-O acltype=posixacl -O canmount=off -O compression=lz4 -O devices=off \`
			`-O normalization=formD -O relatime=on -O xattr=sa \`
			`-O mountpoint=/ -R /mnt bpool ${DISK}-part3`
			`}`

			`setup_zpool_for_root() {`
r815 re-installed. 2020-06-01 16:40:56 +00:00			`zpool destroy rpool 2>/dev/null`
ubuntu-20.04: Installation script. 2020-05-09 15:47:28 +00:00			`cryptsetup luksClose luks1`
			`echo "$password" \| cryptsetup -y -v luksFormat --sector-size 4096 \`
r815 re-installed. 2020-06-01 16:40:56 +00:00			`--pbkdf-parallel 1 \`
r815: Docker+Vagrant. 2020-06-12 14:24:10 +00:00			`--pbkdf-memory 4000000 --pbkdf argon2id --iter-time 1000 \`
ubuntu-20.04: Installation script. 2020-05-09 15:47:28 +00:00			`${DISK}-part4`
r815: Docker+Vagrant. 2020-06-12 14:24:10 +00:00			`cryptsetup config --priority prefer --key-slot 0`
ubuntu-20.04: Installation script. 2020-05-09 15:47:28 +00:00			`echo "$password" \| cryptsetup luksOpen ${DISK}-part4 luks1`
r815 re-installed. 2020-06-01 16:40:56 +00:00			`(echo "$password"; echo "$secretpassword") \|`
			`cryptsetup -y -v luksAddKey \`
			`--pbkdf-parallel 1 \`
			`--pbkdf-memory 4000000 --pbkdf argon2id --iter-time 40000 \`
			`${DISK}-part4`
ubuntu-20.04: Installation script. 2020-05-09 15:47:28 +00:00			`zpool create -o ashift=12 \`
			`-O acltype=posixacl -O canmount=off -O compression=lz4 \`
			`-O dnodesize=auto -O normalization=formD -O relatime=on -O xattr=sa \`
			`-O mountpoint=/ -R /mnt rpool /dev/mapper/luks1`
			`}`

			`create_zfs_mounts() {`
			`zfs create -o canmount=off -o mountpoint=none rpool/ROOT`
			`zfs create -o canmount=off -o mountpoint=none bpool/BOOT`

			`zfs create -o canmount=noauto -o mountpoint=/ rpool/ROOT/ubuntu`
			`zfs mount rpool/ROOT/ubuntu`

			`zfs create -o canmount=noauto -o mountpoint=/boot bpool/BOOT/ubuntu`
			`zfs mount bpool/BOOT/ubuntu`
			`}`

			`bootstrap_debian() {`
			`debootstrap focal /mnt`
			`# Do not allow device files in rpool (why?)`
			`zfs set devices=off rpool`
			`}`


			`make_stage2() {`
			`cat <<_stage2_eof >/mnt/stage2.sh`
			`set_hostname() {`
			`echo $hostname > etc/hostname`
			`echo 127.0.1.1 $hostname >> etc/hosts`
			`}`

			`add_apt_sources() {`
			`perl -pe 's/\s*$/\n/' <<EOF > etc/apt/sources.list`
			`deb http://archive.ubuntu.com/ubuntu focal main universe`
			`deb-src http://archive.ubuntu.com/ubuntu focal main universe`

			`deb http://security.ubuntu.com/ubuntu focal-security main universe`
			`deb-src http://security.ubuntu.com/ubuntu focal-security main universe`

			`deb http://archive.ubuntu.com/ubuntu focal-updates main universe`
			`deb-src http://archive.ubuntu.com/ubuntu focal-updates main universe`
			`EOF`

			`ln -s /proc/self/mounts /etc/mtab`
			`apt update`

			`locale-gen --purge "en_US.UTF-8"`
			`update-locale LANG=en_US.UTF-8 LANGUAGE=en_US`
			`dpkg-reconfigure --frontend noninteractive locales`

			`#dpkg-reconfigure tzdata`

			`}`


			`install_initrd_tools() {`
			`apt install --yes nano`
			`apt install linux-modules-5.4.0-26-generic`
			`apt install --yes --no-install-recommends linux-image-generic`
			`apt install --yes zfs-initramfs`
			`apt install --yes grub-efi-amd64`
			`}`

			`install_luks() {`
			`apt install --yes cryptsetup`
			`# Add LUKS device for root in /etc/crypttab`
			`echo luks1 UUID=$(blkid -s UUID -o value ${DISK}-part4) none \`
			`luks,discard,initramfs > /etc/crypttab`
			`}`

			`install_efi() {`
			`umount /boot/efi`
			`apt install dosfstools`
			`mkdosfs -F 32 -s 1 -n EFI ${DISK}-part2`
			`mkdir -p /boot/efi`
			`echo PARTUUID=$(blkid -s PARTUUID -o value ${DISK}-part2) \`
			`/boot/efi vfat nofail,x-systemd.device-timeout=1 0 1 >> /etc/fstab`
			`mount /boot/efi`
			`apt install --yes grub-efi-amd64-signed shim-signed`
			`}`

			`install_zfs_systemd_service() {`
			`perl -pe 's/\s*$/\n/' <<EOF > /etc/systemd/system/zfs-import-bpool.service`
			`[Unit]`
			`DefaultDependencies=no`
			`Before=zfs-import-scan.service`
			`Before=zfs-import-cache.service`

			`[Service]`
			`Type=oneshot`
			`RemainAfterExit=yes`
			`ExecStart=/sbin/zpool import -N -o cachefile=none bpool`

			`[Install]`
			`WantedBy=zfs-import.target`

			`EOF`

			`systemctl enable zfs-import-bpool.service`
			`}`

			`adduser_group() {`
			`addgroup --system lpadmin`
			`addgroup --system sambashare`
r815 re-installed. 2020-06-01 16:40:56 +00:00			`echo "root:$rootpassword" \| chpasswd`
ubuntu-20.04: Installation script. 2020-05-09 15:47:28 +00:00			`}`

			`install_grub() {`
			`grub-probe /boot`

			`echo "### These are OK:"`
			`echo " cryptsetup: ERROR: Couldn't resolve device rpool/ROOT/ubuntu"`
			`echo " cryptsetup: WARNING: Couldn't determine root device"`
			`update-initramfs -c -k all`

			`(`
			`echo GRUB_TERMINAL=console`
			`echo GRUB_TIMEOUT=5`
			`echo 'GRUB_CMDLINE_LINUX="root=ZFS=rpool/ROOT/ubuntu"'`
			`echo GRUB_TIMEOUT_STYLE=''`
			`echo 'GRUB_CMDLINE_LINUX_DEFAULT=""'`
			`echo GRUB_TIMEOUT=5`
			`) >>/etc/default/grub`

			`update-grub`

			`grub-install --target=x86_64-efi --efi-directory=/boot/efi \`
			`--bootloader-id=ubuntu --recheck --no-floppy`
			`}`

			`ready_for_first_boot() {`
			`zpool export bpool`
			`zpool export rpool`
			`echo "Now reboot"`
			`echo "You may have to do this on first boot"`
			`echo " zpool import -f bpool"`
			`echo " zpool import -f rpool"`
			`}`

			`stage2() {`
			`set_hostname`
			`add_apt_sources`
			`install_initrd_tools`
			`install_luks`
			`install_efi`
			`install_zfs_systemd_service`
			`adduser_group`
			`install_grub`
			`ready_for_first_boot`
			`}`

			`stage2`
			`_stage2_eof`
			`}`

			`stage1() {`
			`install_build_software`
			`partitiondisk`
			`setup_zpool_for_boot`
			`setup_zpool_for_root`
			`create_zfs_mounts`
			`bootstrap_debian`
			`make_stage2`
			`}`

			`doall() {`
			`stage1`
r815 re-installed. 2020-06-01 16:40:56 +00:00			`modprobe efivars`
ubuntu-20.04: Installation script. 2020-05-09 15:47:28 +00:00			`mount --rbind /dev /mnt/dev`
			`mount --rbind /proc /mnt/proc`
			`mount --rbind /sys /mnt/sys`
			`chroot /mnt /usr/bin/env DISK=$DISK bash -x /stage2.sh`

			`umount /mnt/boot \|\| umount -l /mnt/boot`
			`zpool export bpool \|\| zpool export -f bpool`
			`umount /mnt \|\| umount -l /mnt`
			`zpool export rpool \|\| zpool export -f rpool`
			`}`