documentation/docs/alpine-desktop-setup/installation.md

# Installation

To install the Alpine Linux distribution on the system, the encrypted partition and the efi partition have to be mounted to the main system.

```
# mount /dev/vg<n>/alp_root /mnt -t ext4
# mkdir /mnt/efi -p
# mount /dev/<disk1> /mnt/efi -t vfat
```

Then set up the base system using `setup-disk`:

```
# setup-disk -m sys /mnt
```

This will also add grub as bootloader which will be replaced but for now it will reside on the boot partition.

To make it possible to chroot into the system, mount the other directories:

```
# for i in dev proc sys run; do
> mount --rbind --make-rslave /$i /mnt/$i
> done
# chroot /mnt
```

The other setup scripts can be used to configure key aspects of the system. Besides that a few necessary services have to be activated.

```
# setup-hostname <hostname>
# setup-keymap us us-euro
# setup-timezone -i <area>/<subarea>
# setup-ntp openntpd
# rc-update add acpid default
# rc-update add lvm boot
# rc-update add seedrng boot
# rm -rf /var/tmp ; ln -s /tmp /var/tmp
# passwd root
```

> The root password does not really matter because it is going to be locked after a user has been created.

Set the `hwclock` to use `localtime` instead of `UTC` in `/etc/conf.d/hwclock`:

```
clock="local"
clock_hctosys="NO"
clock_systohc="NO"
```

Edit `/etc/fstab` for correct mounts:

```
/dev/disk/by-label/efi  /efi        vfat    defaults,nodev,nosuid,noexec                            0 2
/dev/vg<n>/alp_root     /           ext4    defaults,noatime                                        0 1
/dev/vg<n>/alp_home     /home       ext4    defaults,noatime,nosuid,nodev                           0 2
/dev/vg<n>/alp_var      /var        ext4    defaults,nodev,nosuid,noexec                            0 2
/dev/vg<n>/alp_nix      /nix        ext4    defaults,noatime,nodev,nosuid                           0 2
tmpfs                   /tmp        tmpfs   rw,size=4G,nr_inodes=5k,noexec,nodev,nosuid,mode=1777   0 0
proc                    /proc       proc    nosuid,nodev,noexec,hidepid=2                           0 0
```

By default Alpine Linux uses `mkinitfs` to create initramfs, although it is minimal that also means that it lacks some functionality which is needed for a proper setup. Because of this `mkinitfs` and `grub-efi `will be replaced with `booster` and `secureboot-hook`.

```
# apk add booster secureboot-hook sbctl
# apk del mkinitfs grub-efi
```

To configure booster edit `/etc/booster.yaml`:

```
busybox: false
modules: vfat,nls_cp437,nls_iso8859_1
enable_lvm: true
```

The most important step is the creation of a UKI using `secureboot-hook` which also automatically signs them. First the hook itself will have to be tweaked to use `booster` instead of `mkinitfs`, edit `/etc/kernel-hooks.d/50-secureboot.hook` and change the line:

```
/sbin/mkinitfs -o "$tmpdir"/initramfs "$NEW_VERSION-$FLAVOR"
```

to:

```
/usr/bin/booster build "$tmpdir"/initramfs --kernel-version "$NEW_VERSION-$FLAVOR"
```

and configure `/etc/kernel-hooks.d/secureboot.conf` for cmdline and secureboot. 

```
cmdline="rw rd.luks.name=<uuid>=luks root=/dev/vg<n>/alp_root modules=ext4 quiet splash rd.lvm.vg=vg<n>"

signing_cert="/usr/share/secureboot/keys/db/db.pem"
signing_key="/usr/share/secureboot/keys/db/db.key"

output_dir="/efi/EFI/Linux"

output_name="alpine-linux-{flavor}.efi"
```

Here `<uuid>` has to be replaced with the uuid of the partition which contains the volume group:

```
# blkid /dev/<disk2> >> /etc/kernel-hooks.d/secureboot.conf
```

Use `sbctl` to create secureboot keys and sign them.

```
# sbctl create-keys
# sbctl enroll-keys
...
```

> Whilst enrolling the keys it might be necessary to add the `--microsoft` flag if you are unable to use custom keys.

Now to see if everything went succesfully run:

```
# apk fix kernel-hooks
```

And it should give no warnings if done properly. 

As discussed earlier `grub` will be replaced, install `gummiboot` as a bootloader.

```
# apk add gummiboot
# gummiboot install --path=/efi
# sbctl sign -s /efi/EFI/gummiboot/gummibootx64.efi
# sbctl sign -s /efi/EFI/Boot/BOOTX64.EFI
```

And also remove some remnants of `grub`.

```
# rm -rf /efi/EFI/alpine
# rm -rf /efi/grub
# rm -rf /etc/default
# cd /boot && unlink boot
```

`gummiboot` can be configured with the file `/efi/loader/loader.conf` with which the timeout and the default OS can be specified.

```
default alpine-linux-lts.efi
timeout 2
editor no
```

Before finishing the installation `networkmanager` will be installed for networking. Also install `networkmanager-wifi` and `wpa_supplicant` for wifi functionality.

```
# apk add networkmanager networkmanager-wifi wpa_supplicant
# setup-devd udev
# rc-update add networkmanager default
```

Wifi will not yet work. For wifi configuration see the [network section](post-install/network). 

> If internet does not work after reboot create the config file as described in the [network section](post-install/network) and restart the service.

Now exit the chroot and you should be able to reboot into a working Alpine system.

```
# exit
# umount -lf /mnt
# reboot
```

When booting up your screen might appear blank, this is the encryption prompt. Enter the encryption key and press enter to boot.

> Do note that "Linux Boot Manager" will have to be set to load first in your bios.