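#!/bin/bash
#
# Install Ubuntu 20.04 (focal) on a single disk with ZFS on LUKS:
# GPT with an EFI partition (part2), an unencrypted ZFS boot pool
# (part3) and a LUKS-encrypted ZFS root pool (part4).  Stage 1 runs
# from the live CD and prepares the disk; stage 2 is generated into
# the new root as /stage2.sh and executed through chroot.
#
# Nothing runs automatically: source or run this file, then call
# `doall`.  partitiondisk wipes $DISK without asking.
#
# Preparation on the live CD:
#   Boot Live CD
#   Start terminal
#   sudo su -
#   apt update
#   apt install openssh-server
#   passwd ubuntu
#
# Configuration comes from the environment, e.g.
#   read secretpassword
#   password=$(cat /mount/cryptkeys.txt)
#
# Environment:
#   password        LUKS passphrase stored in key slot 0 (fast unlock)
#   secretpassword  second LUKS passphrase, added with a much slower KDF
#   rootpassword    root password of the installed system
#   hostname        hostname of the installed system
#   DISK            target disk as a stable /dev/disk/by-id path; the
#                   partitions are addressed as ${DISK}-partN
#
# The defaults below are placeholders only.  Override every secret in
# the environment before running doall.

secretpassword=${secretpassword:-MyLUKSPassword}
password=${password:-MyLUKSPassword}
rootpassword=${rootpassword:-MyRootPassword}
hostname=${hostname:-myhostname}
DISK=${DISK:-/dev/disk/by-id/ata-ST1000LM024_HN-M101MBB_S2R8JX0D400082}

#######################################
# Warn on stderr when a secret still has its placeholder value.
# Arguments: $1 - variable name (for the message)
#            $2 - current value
#            $3 - placeholder value
#######################################
warn_if_placeholder() {
  local name=$1 value=$2 placeholder=$3
  if [[ "$value" == "$placeholder" ]]; then
    printf 'WARNING: %s is the placeholder default; set it in the environment\n' "$name" >&2
  fi
}

warn_if_placeholder password "$password" MyLUKSPassword
warn_if_placeholder secretpassword "$secretpassword" MyLUKSPassword
warn_if_placeholder rootpassword "$rootpassword" MyRootPassword

# Only non-secret settings are echoed; passphrases never go to stdout.
echo "$hostname $DISK"
export rootpassword
export password
export DISK

#######################################
# Install the tools stage 1 needs on the live CD.
#######################################
install_build_software() {
  apt-add-repository universe
  apt update
  apt install --yes debootstrap gdisk zfs-initramfs cryptsetup-bin
}

#######################################
# Wipe $DISK and create the GPT layout: part2 EFI (510M), part3 boot
# pool (2G), part4 root pool (rest of the disk).
# Globals: DISK (read)
#######################################
partitiondisk() {
  local end_position
  sgdisk --zap-all "$DISK"
  sgdisk -n2:1M:+510M -t2:EF00 "$DISK"
  sgdisk -a 1048576 -n3:0:+2G -t3:BF01 "$DISK"
  # Last usable sector, pulled back so the end of part4 lands just
  # before a 2048-sector boundary.
  end_position=$(sgdisk -E "$DISK")
  sgdisk -a 1048576 -n4:0:$(( end_position - ((end_position + 1) % 2048) )) -t4:BF01 "$DISK"
  fdisk -l "$DISK" # Needed for partitiontable to be visible
  sleep 5
  partprobe
}

#######################################
# Create the unencrypted boot pool on part3.  -d disables all pool
# features; only the ones listed below are enabled.
# Globals: DISK (read)
#######################################
setup_zpool_for_boot() {
  zpool destroy bpool 2>/dev/null   # best-effort: pool may not exist
  zpool create -f -o ashift=12 -d \
    -o feature@async_destroy=enabled \
    -o feature@bookmarks=enabled \
    -o feature@embedded_data=enabled \
    -o feature@empty_bpobj=enabled \
    -o feature@enabled_txg=enabled \
    -o feature@extensible_dataset=enabled \
    -o feature@filesystem_limits=enabled \
    -o feature@hole_birth=enabled \
    -o feature@large_blocks=enabled \
    -o feature@lz4_compress=enabled \
    -o feature@spacemap_histogram=enabled \
    -o feature@userobj_accounting=enabled \
    -O acltype=posixacl -O canmount=off -O compression=lz4 -O devices=off \
    -O normalization=formD -O relatime=on -O xattr=sa \
    -O mountpoint=/ -R /mnt bpool "${DISK}-part3"
}

#######################################
# LUKS-format part4, open it as luks1 and create the root pool on it.
# Key slot 0 holds $password (1 s KDF, preferred for unlocking); a
# second slot holds $secretpassword with a 40 s KDF.
# Globals: DISK, password, secretpassword (read)
#######################################
setup_zpool_for_root() {
  zpool destroy rpool 2>/dev/null   # best-effort: pool may not exist
  cryptsetup luksClose luks1        # best-effort: mapping may not exist
  echo "$password" | cryptsetup -y -v luksFormat --sector-size 4096 \
    --pbkdf-parallel 1 \
    --pbkdf-memory 4000000 --pbkdf argon2id --iter-time 1000 \
    "${DISK}-part4"
  # `config` stores options in the LUKS header and needs the device.
  cryptsetup config "${DISK}-part4" --priority prefer --key-slot 0
  echo "$password" | cryptsetup luksOpen "${DISK}-part4" luks1
  # luksAddKey is fed the existing passphrase followed by the new one.
  (echo "$password"; echo "$secretpassword") | cryptsetup -y -v luksAddKey \
    --pbkdf-parallel 1 \
    --pbkdf-memory 4000000 --pbkdf argon2id --iter-time 40000 \
    "${DISK}-part4"
  zpool create -o ashift=12 \
    -O acltype=posixacl -O canmount=off -O compression=lz4 \
    -O dnodesize=auto -O normalization=formD -O relatime=on -O xattr=sa \
    -O mountpoint=/ -R /mnt rpool /dev/mapper/luks1
}

#######################################
# Create the ROOT/BOOT container datasets and mount the ubuntu
# datasets under /mnt.
#######################################
create_zfs_mounts() {
  zfs create -o canmount=off -o mountpoint=none rpool/ROOT
  zfs create -o canmount=off -o mountpoint=none bpool/BOOT
  zfs create -o canmount=noauto -o mountpoint=/ rpool/ROOT/ubuntu
  zfs mount rpool/ROOT/ubuntu
  zfs create -o canmount=noauto -o mountpoint=/boot bpool/BOOT/ubuntu
  zfs mount bpool/BOOT/ubuntu
}

#######################################
# Bootstrap a minimal focal system into /mnt.
#######################################
bootstrap_debian() {
  debootstrap focal /mnt
  # Do not allow device files in rpool (why?)
  zfs set devices=off rpool
}

#######################################
# Write /mnt/stage2.sh, the script run inside the chroot.
#
# The here-document delimiter is unquoted on purpose: $hostname,
# $rootpassword, ${DISK} and the $(blkid ...) substitutions are
# resolved NOW, on the live system, and baked into the file.  The
# inner EOF here-documents belong to the generated script and must
# stay at column 0.
#
# Because the file contains the root password in clear text it is
# made mode 0600 here and removed again by doall.
# Globals: hostname, rootpassword, DISK (read)
#######################################
make_stage2() {
  cat <<_stage2_eof >/mnt/stage2.sh
set_hostname() {
  echo "$hostname" > /etc/hostname
  echo 127.0.1.1 "$hostname" >> /etc/hosts
}

add_apt_sources() {
  # perl strips trailing whitespace from each line of the here-document.
  perl -pe 's/\s*$/\n/' <<EOF > /etc/apt/sources.list
deb http://archive.ubuntu.com/ubuntu focal main universe
deb-src http://archive.ubuntu.com/ubuntu focal main universe
deb http://security.ubuntu.com/ubuntu focal-security main universe
deb-src http://security.ubuntu.com/ubuntu focal-security main universe
deb http://archive.ubuntu.com/ubuntu focal-updates main universe
deb-src http://archive.ubuntu.com/ubuntu focal-updates main universe
EOF
  ln -s /proc/self/mounts /etc/mtab
  apt update
  locale-gen --purge "en_US.UTF-8"
  update-locale LANG=en_US.UTF-8 LANGUAGE=en_US
  dpkg-reconfigure --frontend noninteractive locales
  #dpkg-reconfigure tzdata
}

install_initrd_tools() {
  apt install --yes nano
  # Pinned kernel modules package; keep in sync with linux-image-generic.
  apt install --yes linux-modules-5.4.0-26-generic
  apt install --yes --no-install-recommends linux-image-generic
  apt install --yes zfs-initramfs
  apt install --yes grub-efi-amd64
}

install_luks() {
  apt install --yes cryptsetup
  # Add LUKS device for root in /etc/crypttab.  The UUID was resolved
  # on the live system when this script was generated.
  echo luks1 UUID=$(blkid -s UUID -o value "${DISK}-part4") none luks,discard,initramfs > /etc/crypttab
}

install_efi() {
  umount /boot/efi   # best-effort: normally nothing is mounted yet
  apt install --yes dosfstools
  mkdosfs -F 32 -s 1 -n EFI "${DISK}-part2"
  mkdir -p /boot/efi
  echo PARTUUID=$(blkid -s PARTUUID -o value "${DISK}-part2") /boot/efi vfat nofail,x-systemd.device-timeout=1 0 1 >> /etc/fstab
  mount /boot/efi
  apt install --yes grub-efi-amd64-signed shim-signed
}

install_zfs_systemd_service() {
  # Import bpool by name at boot; it is deliberately kept out of the cache file.
  perl -pe 's/\s*$/\n/' <<EOF > /etc/systemd/system/zfs-import-bpool.service
[Unit]
DefaultDependencies=no
Before=zfs-import-scan.service
Before=zfs-import-cache.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/zpool import -N -o cachefile=none bpool

[Install]
WantedBy=zfs-import.target
EOF
  systemctl enable zfs-import-bpool.service
}

adduser_group() {
  addgroup --system lpadmin
  addgroup --system sambashare
  # The password was substituted into this file at generation time.
  echo "root:$rootpassword" | chpasswd
}

install_grub() {
  grub-probe /boot
  echo "### These are OK:"
  echo "  cryptsetup: ERROR: Couldn't resolve device rpool/ROOT/ubuntu"
  echo "  cryptsetup: WARNING: Couldn't determine root device"
  update-initramfs -c -k all
  (
    echo GRUB_TERMINAL=console
    echo GRUB_TIMEOUT=5
    echo 'GRUB_CMDLINE_LINUX="root=ZFS=rpool/ROOT/ubuntu"'
    echo GRUB_TIMEOUT_STYLE=''
    echo 'GRUB_CMDLINE_LINUX_DEFAULT=""'
  ) >>/etc/default/grub
  update-grub
  grub-install --target=x86_64-efi --efi-directory=/boot/efi \
    --bootloader-id=ubuntu --recheck --no-floppy
}

ready_for_first_boot() {
  zpool export bpool
  zpool export rpool
  echo "Now reboot"
  echo "You may have to do this on first boot"
  echo "  zpool import -f bpool"
  echo "  zpool import -f rpool"
}

stage2() {
  set_hostname
  add_apt_sources
  install_initrd_tools
  install_luks
  install_efi
  install_zfs_systemd_service
  adduser_group
  install_grub
  ready_for_first_boot
}

stage2
_stage2_eof
  chmod 600 /mnt/stage2.sh
}

#######################################
# Everything that runs on the live CD before the chroot.
#######################################
stage1() {
  install_build_software
  partitiondisk
  setup_zpool_for_boot
  setup_zpool_for_root
  create_zfs_mounts
  bootstrap_debian
  make_stage2
}

#######################################
# Full install: stage 1, stage 2 in the chroot, then tear down.
# Note that `bash -x` traces every stage-2 command, including the
# chpasswd line, to the terminal; drop -x when not debugging.
# Globals: DISK (read)
#######################################
doall() {
  stage1
  modprobe efivars
  mount --rbind /dev /mnt/dev
  mount --rbind /proc /mnt/proc
  mount --rbind /sys /mnt/sys
  chroot /mnt /usr/bin/env DISK="$DISK" bash -x /stage2.sh
  # The generated script holds the root password in clear text; do not
  # leave it on the installed system.
  rm -f -- /mnt/stage2.sh
  umount /mnt/boot || umount -l /mnt/boot
  zpool export bpool || zpool export -f bpool
  umount /mnt || umount -l /mnt
  zpool export rpool || zpool export -f rpool
}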