diff --git a/ubuntu-20.04/install-zfs-luks.sh b/ubuntu-20.04/install-zfs-luks.sh new file mode 100644 index 0000000..a1685af --- /dev/null +++ b/ubuntu-20.04/install-zfs-luks.sh @@ -0,0 +1,236 @@ +#!/bin/bash + +# Boot Live CD +# Start terminal +# sudo su - +# apt update +# apt install openssh-server +# passwd ubuntu + +password=${password:-MyLUKSPassword} +hostname=${hostname:-myhostname} +DISK=${DISK:-/dev/disk/by-id/ata-ST1000LM024_HN-M101MBB_S2R8JX0D400082} + +export password +export DISK + +install_build_software() { + apt-add-repository universe + apt update + apt install --yes debootstrap gdisk zfs-initramfs cryptsetup-bin +} + +partitiondisk() { + sgdisk --zap-all $DISK + sgdisk -n2:1M:+512M -t2:EF00 $DISK + sgdisk -a 4096 -n3:0:+2G -t3:BF01 $DISK + # TODO better way to find the max size rounded to 8192 + sgdisk -a 4096 -n4:0:1953521663 -t4:8300 $DISK + fdisk -l $DISK + # Needed for partitiontable to be visible + sleep 5 +} + +setup_zpool_for_boot() { + zpool create -f -o ashift=12 -d \ + -o feature@async_destroy=enabled \ + -o feature@bookmarks=enabled \ + -o feature@embedded_data=enabled \ + -o feature@empty_bpobj=enabled \ + -o feature@enabled_txg=enabled \ + -o feature@extensible_dataset=enabled \ + -o feature@filesystem_limits=enabled \ + -o feature@hole_birth=enabled \ + -o feature@large_blocks=enabled \ + -o feature@lz4_compress=enabled \ + -o feature@spacemap_histogram=enabled \ + -o feature@userobj_accounting=enabled \ + -o overlay=on \ + -O acltype=posixacl -O canmount=off -O compression=lz4 -O devices=off \ + -O normalization=formD -O relatime=on -O xattr=sa \ + -O mountpoint=/ -R /mnt bpool ${DISK}-part3 +} + +setup_zpool_for_root() { + cryptsetup luksClose luks1 + echo "$password" | cryptsetup -y -v luksFormat --sector-size 4096 \ + --pbkdf-memory 4000000 --pbkdf argon2id --iter-time 3000 \ + ${DISK}-part4 + echo "$password" | cryptsetup luksOpen ${DISK}-part4 luks1 + zpool create -o ashift=12 \ + -O acltype=posixacl -O canmount=off -O compression=lz4 \ + -O dnodesize=auto -O normalization=formD -O relatime=on -O xattr=sa \ + -O mountpoint=/ -R /mnt rpool /dev/mapper/luks1 +} + +create_zfs_mounts() { + zfs create -o canmount=off -o mountpoint=none rpool/ROOT + zfs create -o canmount=off -o mountpoint=none bpool/BOOT + + zfs create -o canmount=noauto -o mountpoint=/ rpool/ROOT/ubuntu + zfs mount rpool/ROOT/ubuntu + + zfs create -o canmount=noauto -o mountpoint=/boot bpool/BOOT/ubuntu + zfs mount bpool/BOOT/ubuntu +} + +bootstrap_debian() { + debootstrap focal /mnt + # Do not allow device files in rpool (why?) + zfs set devices=off rpool +} + + +make_stage2() { + cat <<_stage2_eof >/mnt/stage2.sh +set_hostname() { + echo $hostname > etc/hostname + echo 127.0.1.1 $hostname >> etc/hosts +} + +add_apt_sources() { + perl -pe 's/\s*$/\n/' < etc/apt/sources.list +deb http://archive.ubuntu.com/ubuntu focal main universe +deb-src http://archive.ubuntu.com/ubuntu focal main universe + +deb http://security.ubuntu.com/ubuntu focal-security main universe +deb-src http://security.ubuntu.com/ubuntu focal-security main universe + +deb http://archive.ubuntu.com/ubuntu focal-updates main universe +deb-src http://archive.ubuntu.com/ubuntu focal-updates main universe +EOF + + ln -s /proc/self/mounts /etc/mtab + apt update + + locale-gen --purge "en_US.UTF-8" + update-locale LANG=en_US.UTF-8 LANGUAGE=en_US + dpkg-reconfigure --frontend noninteractive locales + +#dpkg-reconfigure tzdata + +} + + +install_initrd_tools() { + apt install --yes nano + apt install linux-modules-5.4.0-26-generic + apt install --yes --no-install-recommends linux-image-generic + apt install --yes zfs-initramfs + apt install --yes grub-efi-amd64 +} + +install_luks() { + apt install --yes cryptsetup + # Add LUKS device for root in /etc/crypttab + echo luks1 UUID=$(blkid -s UUID -o value ${DISK}-part4) none \ + luks,discard,initramfs > /etc/crypttab +} + +install_efi() { + umount /boot/efi + apt install dosfstools + mkdosfs -F 32 -s 1 -n EFI ${DISK}-part2 + mkdir -p /boot/efi + echo PARTUUID=$(blkid -s PARTUUID -o value ${DISK}-part2) \ + /boot/efi vfat nofail,x-systemd.device-timeout=1 0 1 >> /etc/fstab + mount /boot/efi + apt install --yes grub-efi-amd64-signed shim-signed +} + +install_zfs_systemd_service() { + perl -pe 's/\s*$/\n/' < /etc/systemd/system/zfs-import-bpool.service +[Unit] +DefaultDependencies=no +Before=zfs-import-scan.service +Before=zfs-import-cache.service + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/sbin/zpool import -N -o cachefile=none bpool + +[Install] +WantedBy=zfs-import.target + +EOF + + systemctl enable zfs-import-bpool.service +} + +adduser_group() { + addgroup --system lpadmin + addgroup --system sambashare + echo "root:$password" | chpasswd +} + +install_grub() { + grub-probe /boot + + echo "### These are OK:" + echo " cryptsetup: ERROR: Couldn't resolve device rpool/ROOT/ubuntu" + echo " cryptsetup: WARNING: Couldn't determine root device" + update-initramfs -c -k all + + ( + echo GRUB_TERMINAL=console + echo GRUB_TIMEOUT=5 + echo 'GRUB_CMDLINE_LINUX="root=ZFS=rpool/ROOT/ubuntu"' + echo GRUB_TIMEOUT_STYLE='' + echo 'GRUB_CMDLINE_LINUX_DEFAULT=""' + echo GRUB_TIMEOUT=5 + ) >>/etc/default/grub + + update-grub + + grub-install --target=x86_64-efi --efi-directory=/boot/efi \ + --bootloader-id=ubuntu --recheck --no-floppy +} + +ready_for_first_boot() { + zpool export bpool + zpool export rpool + echo "Now reboot" + echo "You may have to do this on first boot" + echo " zpool import -f bpool" + echo " zpool import -f rpool" +} + +stage2() { + set_hostname + add_apt_sources + install_initrd_tools + install_luks + install_efi + install_zfs_systemd_service + adduser_group + install_grub + ready_for_first_boot +} + +stage2 +_stage2_eof +} + +stage1() { + install_build_software + partitiondisk + setup_zpool_for_boot + setup_zpool_for_root + create_zfs_mounts + bootstrap_debian + make_stage2 +} + +doall() { + stage1 + mount --rbind /dev /mnt/dev + mount --rbind /proc /mnt/proc + mount --rbind /sys /mnt/sys + chroot /mnt /usr/bin/env DISK=$DISK bash -x /stage2.sh + + umount /mnt/boot || umount -l /mnt/boot + zpool export bpool || zpool export -f bpool + umount /mnt || umount -l /mnt + zpool export rpool || zpool export -f rpool +}