documentation/docs/alpine-server-setup/installation.md

# Installation

To install the Alpine Linux distribution on the system, the datasets of the system pool and the EFI partitions have to be mounted to the main system. 

First import the system pool

```
# zpool import -N -R /mnt tank
```

Mount the datasets in the system pool and decrypt the home dataset

```
# zfs mount tank/root/alpine
# zfs load-key -L prompt tank/home
# zfs mount tank/home
# zfs mount tank/var
```

Mount the ESP

```
# mkdir /mnt/esp
# mount /dev/md/esp /mnt/esp -t vfat
```

Then install Alpine Linux

```
# setup-disk -m sys /mnt
```

This will also add `grub` as bootloader which will be replaced but for now it will reside on the ESP.

To make it possible to chroot into the system, mount the other directories:

```
# for i in dev proc sys run; do
> mount --rbind --make-rslave /$i /mnt/$i
> done
# chroot /mnt
```

The other setup scripts can be used to configure key aspects of the system. Besides that a few necessary services have to be activated.

```
# setup-hostname <hostname>
# setup-keymap us us-euro
# setup-timezone -i <area>/<subarea>
# setup-ntp openntpd
# rc-update add acpid default
# rc-update add seedrng boot
# rm -rf /var/tmp
# ln -s /tmp /var/tmp
# passwd root
```

> The root password does not really matter because it is going to be locked after a user has been created.

Set the `hwclock` to use `UTC` in `/etc/conf.d/hwclock` and disable writing the time to hardware. Running a NTP negates its usability.

```
clock="UTC"
clock_hctosys="NO"
clock_systohc="NO"
```

Configure the ESP raid array to mount

```
# modprobe raid1
# echo raid1 >> /etc/modules-load.d/raid1.conf
# mdadm --detail --scan >> /etc/mdadm.conf
# rc-update add mdadm boot
# rc-update add mdadm-raid boot
```

Configure ZFS to mount

```
rc-update add zfs-import sysinit
rc-update add zfs-mount sysinit
```

Edit `/etc/fstab` for correct mounts:

```
/dev/md/esp    /esp        vfat    defaults,nodev,nosuid,noexec                            0 2
tmpfs          /tmp        tmpfs   rw,size=4G,nr_inodes=5k,nodev,nosuid,noexec,mode=1777   0 0
proc           /proc       proc    nodev,nosuid,noexec,hidepid=2                           0 0
```

By default, Alpine Linux uses `mkinitfs` to create an initial ram filesystem, although it is minimal that also means that it lacks some functionality which is needed for a proper setup. Because of this `mkinitfs` and `grub-efi `will be replaced with `booster` and `secureboot-hook`.

```
# apk add booster secureboot-hook sbctl
# apk del mkinitfs grub-efi
```

To configure booster edit `/etc/booster.yaml`:

```
enable_zfs: true
busybox: false
modules: vfat,nls_cp437,nls_iso8859_1
```

The most important step is the creation of a UKI using `secureboot-hook` which also automatically signs them. First the hook itself will have to be tweaked to use `booster` instead of `mkinitfs`, edit `/etc/kernel-hooks.d/50-secureboot.hook` and change the line:

```
/sbin/mkinitfs -o "$tmpdir"/initramfs "$NEW_VERSION-$FLAVOR"
```

to:

```
/usr/bin/booster build "$tmpdir"/initramfs --kernel-version "$NEW_VERSION-$FLAVOR"
```

and configure `/etc/kernel-hooks.d/secureboot.conf` for cmdline and secureboot. 

```
cmdline="rw zfs=tank/root/alpine quiet splash"

signing_cert="/usr/share/secureboot/keys/db/db.pem"
signing_key="/usr/share/secureboot/keys/db/db.key"

output_dir="/esp/efi/linux"
output_name="alpine-linux-{flavor}.efi"
```

Use `sbctl` to create secureboot keys and sign them.

```
# sbctl create-keys
# sbctl enroll-keys
```

> Whilst enrolling the keys it might be necessary to add the `--microsoft` flag if you are unable to use custom keys.

Set the cache-file of the ZFS pool

```
# zpool set cachefile=/etc/zfs/zpool.cache tank
```

Now to see if everything went successfully, run:

```
# apk fix kernel-hooks
```

and it should give no warnings if done properly. 

As discussed earlier `grub` will be replaced, install `gummiboot` as a bootloader.

```
# apk add gummiboot
# mkdir /esp/loader
# mkdir /esp/efi/boot
# cp /usr/lib/gummiboot/gummibootx64.efi /esp/efi/boot/bootx64.efi
```

Sign the bootloader with `sbctl`

```
# sbctl sign -s /esp/efi/boot/bootx64.efi
```

And also remove some remnants of `grub`.

```
# rm -rf /boot/grub
# rm -rf /etc/default
# cd /boot && unlink boot && cd ..
```

`gummiboot` can be configured with the file `/esp/loader/loader.conf` with which the timeout and the default OS can be specified.

```
default alpine-linux-lts.efi
timeout 2
editor no
```

Now exit the chroot and you should be able to reboot into a working Alpine system.

```
# exit
# umount -lf /mnt
# zpool export tank
# reboot
```