Changed the install to full pool encryption.

2024-08-12 14:19:14 +02:00 · 2024-08-12 14:19:14 +02:00 · 3058f6b549
commit 3058f6b549
parent 720847971c
4 changed files with 20 additions and 59 deletions
--- a/docs/alpine-server-setup/index.md
+++ b/docs/alpine-server-setup/index.md
@ -1,5 +1,5 @@
 # An Alpine Linux server installation

-This guide will demonstrate how to install [Alpine Linux](https://www.alpinelinux.org/) for server application. Alpine Linux will run on a raid configured ZFS filesystem with an encrypted home dataset, user services with runsvdir and user containers with podman. 
+This guide will demonstrate how to install [Alpine Linux](https://www.alpinelinux.org/) for server application. Alpine Linux will run on a raid configured encrypted ZFS filesystem with automatic decryption with TPM. User containers will be configured with podman and managed with runsvdir. 

 Alpine Linux makes a good base for a server because of its simplicity, lightweightness and security. Check out the [Alpine Linux wiki](https://wiki.alpinelinux.org/wiki/Main_Page) for additional resources and information.
--- a/docs/alpine-server-setup/installation.md
+++ b/docs/alpine-server-setup/installation.md
@ -6,13 +6,13 @@ First import the system pool

 ```
 # zpool import -N -R /mnt tank
+# zfs load-key -L file:///tmp/tank.key tank
 ```

 Mount the datasets in the system pool and decrypt the home dataset

 ```
 # zfs mount tank/root/alpine
-# zfs load-key -L prompt tank/home
 # zfs mount tank/home
 # zfs mount tank/var
 ```
--- a/docs/alpine-server-setup/post-install/users.md
+++ b/docs/alpine-server-setup/post-install/users.md
@ -25,8 +25,6 @@ A user can be added in Alpine Linux with the `setup-user` script. Here we can sp
 # passwd <username>
 ```

-> Make sure that the home dataset is decrypted and mounted, before creating a user. 
-
 You may have to change the shell of the user in `/etc/passwd` from `/sbin/nologin` to a shell from `/etc/shells`. Alpine Linux comes with `/bin/ash` by default:

 ```
@ -47,13 +45,13 @@ root:x:0:0:root:/root:/sbin/nologin

 ## User services

-The user will have its own init system, for the management of user containers and other user services. The `runsvdir` command of the `runit` init system will be used to create a local init system for the user. 
+The user will have its own service manager, for the management of user containers and other user services. As service manager `runsvdir` from `runit` will be used. Therefore install

 ```
 # apk add runit
 ```

-Create `/etc/init.d/runsvdir-user`, which will be the init script for the local init system of the user. 
+Create `/etc/init.d/runsvdir-user`, which will be the openrc-script for the service manager of the user. 

 ```
 #!/sbin/openrc-run
@ -69,7 +67,7 @@ command_background=true

 depend()
 {
-    after mount-home
+    after network-online
 }
 ```

@ -85,58 +83,10 @@ Link the user to `/etc/init.d/runsvdir-user`
 # ln -s /etc/init.d/runsvdir-user /etc/init.d/runsvdir-user.<username>
 ```

-Finally, add the service to the manual runlevel
+Finally, add the service to the default runlevel

 ```
-# rc-update add runsvdir-user.<username> manual
+# rc-update add runsvdir-user.<username> default
 ```

-> This process can of course be repeated for several users.
-
-### Mounting home
-
-Before the user init system can be started, the home dataset should be decrypted and mounted. This process will be partially automated by adding it to the manual runlevel. 
-
-Create `/etc/init.d/mount-home`
-
-```
-#!/sbin/openrc-run
-
-depend()
-{
-    need localmount
-}
-
-start()
-{
-    zfs load-key -L prompt tank/home
-    zfs mount tank/home
-}
-
-stop()
-{
-    zfs unmount tank/home
-    zfs unload-key tank/home
-}
-```
-
-Make `/etc/init.d/mount-home` an executable
-
-```
-# chmod +x /etc/init.d/mount-home
-```
-
-Add the service to the manual runlevel
-
-```
-# rc-update add mount-home manual
-```
-
-Now the scripts can be started accordingly with
-
-```
-# openrc -n manual
-```
-
-> Note that after a reboot this command should be performed to decrypt the home partition and to start the user services.
-
+> This process can of course be repeated for several users.
--- a/docs/alpine-server-setup/provisioning.md
+++ b/docs/alpine-server-setup/provisioning.md
@ -92,6 +92,14 @@ Define the pool partitions
 > done
 ```

+The ZFS system pool is going to be encrypted. First generate an encryption key and save it temporarily to the file `/tmp/crypt-key.txt` with:
+
+```
+# cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1 > /tmp/tank.key && cat /tmp/tank.key
+```
+
+> Later on in the guide `clevis` will be used for automatic decryption, so this key only has to be entered a few times. However, if any changes are made to the bios or secureboot then this key will be needed again, so make sure to write it down.
+
 Create the system pool

 ```
@ -101,6 +109,9 @@ Create the system pool
    -O acltype=posix \ 
    -O xattr=sa \
    -O dnodesize=auto \
+    -O encryption=on \
+    -O keyformat=passphrase \
+    -O keylocation=file:///tmp/tank.key \
    -m none \
    tank raidz1 $poolparts
 ```
@ -112,7 +123,7 @@ Then create the system datasets
 ```
 # zfs create -o mountpoint=none tank/root
 # zfs create -o canmount=noauto -o mountpoint=/ -o atime=off -o quota=24g tank/root/alpine
-# zfs create -o mountpoint=/home -o atime=off -o setuid=off -o devices=off -o quota=<home-quota> -o encryption=on -o keyformat=passphrase tank/home
+# zfs create -o mountpoint=/home -o atime=off -o setuid=off -o devices=off -o quota=<home-quota> tank/home
 # zfs create -o mountpoint=/var -o exec=off -o setuid=off -o devices=off -o quota=16g tank/var
 ```