documentation/docs/alpine-desktop-setup/installation.md

# Installation

To install the Alpine Linux distribution on the system, the encrypted partition and the efi partition have to be mounted to the main system.

```
# mount /dev/vg<m>/root<n> /mnt -t ext4
# mkdir /mnt/boot/efi -p
# mount /dev/<disk1> /mnt/boot/efi -t vfat
```

Then set up the base system using `setup-disk`:

```
# setup-disk -m sys /mnt
```

This will also add grub as bootloader which is going to be replaced on this system but for now it will reside on the boot partition.

Now the other directories are going to be mounted so that it's possible to chroot into the system:

```
# for i in dev proc sys run; do
> mount --rbind --make-rslave /$i /mnt/$i
> done
# mount /dev/vg<m>/var<n> /mnt/var
# mount /dev/vg<m>/tmp<n> /mnt/tmp
# chroot /mnt
```

The other "setup" scripts can be used to configure key aspects of the system.

```
# setup-hostname <hostname>
# setup-keymap us us-euro
# setup-timezone -i <area>/<subarea>
# setup-ntp openntpd
# rc-update add acpid default
# passwd root
```

Set the `hwclock` to use `localtime` instead of `UTC` in `/etc/conf.d/hwclock`:

```
clock="local"
clock_hctosys="NO"
clock_systohc="NO"
```

Edit `/etc/fstab` for correct mounts:

```
/dev/disk/by-label/efi  /boot/efi   vfat    defaults,nodev,nosuid,noexec    0 2
/dev/vg<m>/root<n>      /           ext4    defaults,noatime                0 1
/dev/vg<m>/home<n>      /home       ext4    defaults,noatime,nosuid,nodev   0 1
/dev/vg<m>/tmp<n>       /tmp        ext4    defaults,nodev,nosuid,noexec    0 1
/dev/vg<m>/var<n>       /var        ext4    defaults,nodev,nosuid,noexec    0 1
/dev/vg<m>/nix<n>       /nix        ext4    defaults,noatime,nodev,nosuid   0 1
proc                    /proc       proc    nosuid,nodev,noexec,hidepid=2   0 0
```

By default Alpine Linux uses `mkinitfs` to create initramfs, although it is minimal that also means that it lacks some functionality which is needed for a proper setup. Because of this `mkinitfs` and `grub-efi `will be replaced with `booster` and `secureboot-hook`.

```
# apk add booster secureboot-hook sbctl
# apk del mkinitfs grub-efi
```

To configure booster edit `/etc/booster.yaml`:

```
busybox: false
modules: vfat,nls_cp437,nls_iso8859_1
enable_lvm: true
```

The most important step is the creation of uki's using `secureboot-hook` which also automatically signs them. First the hook itself will have to be tweaked to use `booster` instead of `mkinitfs`, edit `/etc/kernel-hooks.d/50-secureboot.hook` and change the line:

```
/sbin/mkinitfs -o "$tmpdir"/initramfs "$NEW_VERSION-$FLAVOR"
```

To:

```
/usr/bin/booster build "$tmpdir"/initramfs --kernel-version "$NEW_VERSION-$FLAVOR"
```

And configure `/etc/kernel-hooks.d/secureboot.conf` for cmdline and secureboot. 

```
cmdline="rw rd.luks.name=<uuid>=luks root=/dev/vg<m>/root<n> modules=ext4 quiet splash rd.lvm.vg=vg<m>"

signing_cert="/usr/share/secureboot/keys/db/db.pem"
signing_key="/usr/share/secureboot/keys/db/db.key"

output_dir="/boot/efi/EFI/Linux"

output_name="alpine-linux-{flavor}.efi"
```

Here `<uuid>` has to be replaced with the uuid of the partition which contains our volume group:

```
# blkid /dev/<disk2> >> /etc/kernel-hooks.d/secureboot.conf
```

All that's left for booting is secureboot which `sbctl` will be used for to create keys, and sign some executables with.

```
# sbctl create-keys
# sbctl enroll-keys
...
```

> Whilst enrolling the keys it might be necessary to add the `--microsoft` flag if you are unable to use custom keys.

Now to see if everything went succesfully run:

```
# apk fix kernel-hooks
```

And it should give no warnings if done properly. 

To make our lives easier we'll also install `gummiboot` as a bootloader.

```
# apk add gummiboot
# gummiboot install --path=/boot/efi
# sbctl sign -s /boot/efi/EFI/gummiboot/gummibootx64.efi
# sbctl sign -s /boot/efi/EFI/Boot/BOOTX64.EFI
```

And also remove some junk left over by grub.

```
# rm -rf /boot/efi/EFI/alpine
# rm -rf /boot/grub
# unlink /boot/boot
```

You can also install `os-prober` which can find operating systems and add them to your bootloader. Besides that `gummiboot` can also be configured with the file `/boot/efi/loader/loader.conf` in which you can specify the timeout and what OS it should load into by default.

```
default alpine
timeout 2
editor no
```

Before finishing up the installation `networkmanager` will be installed for networking.

```
# apk add networkmanager
# setup-devd udev
# rc-update add networkmanager default
```

Wifi will not yet work but this is will be done later on.

> If internet doesn't work after reboot follow the instructions in the [network section](https://docs.bijl.us/alpine-desktop-setup/post-install/network/).

Now exit out of the chroot and you should be able to reboot into a working Alpine system.

```
# exit
# umount -lf /mnt
# reboot
```

> Do note that "Linux Boot Manager" will have to be set to load first in your bios.
> When booting up your screen might appear blank but you will have to enter the password you added for encryption and press enter.