From 3058f6b54950fd23014be61579c4596526140b69 Mon Sep 17 00:00:00 2001 From: Luc Date: Mon, 12 Aug 2024 14:19:14 +0200 Subject: [PATCH] Changed the install to full pool encryption. --- docs/alpine-server-setup/index.md | 2 +- docs/alpine-server-setup/installation.md | 2 +- .../alpine-server-setup/post-install/users.md | 62 ++----------------- docs/alpine-server-setup/provisioning.md | 13 +++- 4 files changed, 20 insertions(+), 59 deletions(-) diff --git a/docs/alpine-server-setup/index.md b/docs/alpine-server-setup/index.md index 16491aa..be041fd 100644 --- a/docs/alpine-server-setup/index.md +++ b/docs/alpine-server-setup/index.md @@ -1,5 +1,5 @@ # An Alpine Linux server installation -This guide will demonstrate how to install [Alpine Linux](https://www.alpinelinux.org/) for server application. Alpine Linux will run on a raid configured ZFS filesystem with an encrypted home dataset, user services with runsvdir and user containers with podman. +This guide will demonstrate how to install [Alpine Linux](https://www.alpinelinux.org/) for server application. Alpine Linux will run on a raid configured encrypted ZFS filesystem with automatic decryption with TPM. User containers will be configured with podman and managed with runsvdir. Alpine Linux makes a good base for a server because of its simplicity, lightweightness and security. Check out the [Alpine Linux wiki](https://wiki.alpinelinux.org/wiki/Main_Page) for additional resources and information. \ No newline at end of file diff --git a/docs/alpine-server-setup/installation.md b/docs/alpine-server-setup/installation.md index 10b7c14..154e6c0 100644 --- a/docs/alpine-server-setup/installation.md +++ b/docs/alpine-server-setup/installation.md 
@@ -6,13 +6,13 @@ First import the system pool ``` # zpool import -N -R /mnt tank +# zfs load-key -L file:///tmp/tank.key tank ``` Mount the datasets in the system pool and decrypt the home dataset ``` # zfs mount tank/root/alpine -# zfs load-key -L prompt tank/home # zfs mount tank/home # zfs mount tank/var ``` diff --git a/docs/alpine-server-setup/post-install/users.md b/docs/alpine-server-setup/post-install/users.md index ba5a6db..eafee41 100644 --- a/docs/alpine-server-setup/post-install/users.md +++ b/docs/alpine-server-setup/post-install/users.md @@ -25,8 +25,6 @@ A user can be added in Alpine Linux with the `setup-user` script. Here we can sp # passwd ``` -> Make sure that the home dataset is decrypted and mounted, before creating a user. - You may have to change the shell of the user in `/etc/passwd` from `/sbin/nologin` to a shell from `/etc/shells`. Alpine Linux comes with `/bin/ash` by default: ``` @@ -47,13 +45,13 @@ root:x:0:0:root:/root:/sbin/nologin ## User services -The user will have its own init system, for the management of user containers and other user services. The `runsvdir` command of the `runit` init system will be used to create a local init system for the user. +The user will have its own service manager, for the management of user containers and other user services. As service manager `runsvdir` from `runit` will be used. Therefore install ``` # apk add runit ``` -Create `/etc/init.d/runsvdir-user`, which will be the init script for the local init system of the user. +Create `/etc/init.d/runsvdir-user`, which will be the openrc-script for the service manager of the user. ``` #!/sbin/openrc-run @@ -69,7 +67,7 @@ command_background=true depend() { - after mount-home + after network-online } ``` 
@@ -85,58 +83,10 @@ Link the user to `/etc/init.d/runsvdir-user` # ln -s /etc/init.d/runsvdir-user /etc/init.d/runsvdir-user. ``` -Finally, add the service to the manual runlevel +Finally, add the service to the default runlevel ``` -# rc-update add runsvdir-user. manual +# rc-update add runsvdir-user. default ``` -> This process can of course be repeated for several users. - -### Mounting home - -Before the user init system can be started, the home dataset should be decrypted and mounted. This process will be partially automated by adding it to the manual runlevel. - -Create `/etc/init.d/mount-home` - -``` -#!/sbin/openrc-run - -depend() -{ - need localmount -} - -start() -{ - zfs load-key -L prompt tank/home - zfs mount tank/home -} - -stop() -{ - zfs unmount tank/home - zfs unload-key tank/home -} -``` - -Make `/etc/init.d/mount-home` an executable - -``` -# chmod +x /etc/init.d/mount-home -``` - -Add the service to the manual runlevel - -``` -# rc-update add mount-home manual -``` - -Now the scripts can be started accordingly with - -``` -# openrc -n manual -``` - -> Note that after a reboot this command should be performed to decrypt the home partition and to start the user services. - +> This process can of course be repeated for several users. \ No newline at end of file diff --git a/docs/alpine-server-setup/provisioning.md b/docs/alpine-server-setup/provisioning.md index bdfce6e..e4853fd 100644 --- a/docs/alpine-server-setup/provisioning.md +++ b/docs/alpine-server-setup/provisioning.md 
@@ -92,6 +92,14 @@ Define the pool partitions > done ``` +The ZFS system pool is going to be encrypted. First generate an encryption key and save it temporarily to the file `/tmp/crypt-key.txt` with: + +``` +# cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1 > /tmp/tank.key && cat /tmp/tank.key +``` + +> Later on in the guide `clevis` will be used for automatic decryption, so this key only has to be entered a few times. However, if any changes are made to the bios or secureboot then this key will be needed again, so make sure to write it down. + Create the system pool ``` @@ -101,6 +109,9 @@ Create the system pool -O acltype=posix \ -O xattr=sa \ -O dnodesize=auto \ + -O encryption=on \ + -O keyformat=passphrase \ + -O keylocation=file:///tmp/tank.key \ -m none \ tank raidz1 $poolparts ``` @@ -112,7 +123,7 @@ Then create the system datasets ``` # zfs create -o mountpoint=none tank/root # zfs create -o canmount=noauto -o mountpoint=/ -o atime=off -o quota=24g tank/root/alpine -# zfs create -o mountpoint=/home -o atime=off -o setuid=off -o devices=off -o quota= -o encryption=on -o keyformat=passphrase tank/home +# zfs create -o mountpoint=/home -o atime=off -o setuid=off -o devices=off -o quota= tank/home # zfs create -o mountpoint=/var -o exec=off -o setuid=off -o devices=off -o quota=16g tank/var ```
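Review bot: the new index.md sentence promises "automatic decryption with TPM", but nothing in this patch adds the clevis/TPM configuration; provisioning.md only says it will be done "later on in the guide". Either include that section in this change or phrase the index as a goal with a pointer to where it will be documented, otherwise a reader following the installation and post-install pages ends up with a pool whose key has to be loaded by hand at every boot. Minor wording: "raid configured encrypted ZFS filesystem with automatic decryption with TPM" reads better as "RAID-configured, encrypted ZFS filesystem that is unlocked automatically with a TPM".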
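Review bot: in the installation.md hunk the unchanged context line "Mount the datasets in the system pool and decrypt the home dataset" is now stale, because the `zfs load-key -L prompt tank/home` step under it was removed and the key is loaded for the whole pool right after `zpool import`. Suggest "Mount the datasets in the system pool". Also, `zfs load-key -L file:///tmp/tank.key tank` only works while the installer's `/tmp/tank.key` still exists; if the reader resumes at this step after restarting the live environment the file is gone and `-L prompt` is needed instead, which deserves a one-line note next to the command.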
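Review bot: in the users.md `depend()` hunk, replacing `after mount-home` with `after network-online` drops the only ordering that guaranteed `/home` was mounted before `runsvdir-user` starts; since the service runs out of the user's home directory, add `need localmount` (or the ZFS mount service) to `depend()`. Note also that `after` is ordering only: it does not pull `network-online` into the runlevel, so if the user containers actually require the network, `need` or `use` is the right keyword.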
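Review bot: in the users.md runlevel hunk, moving `runsvdir-user` from the manual to the default runlevel is the right call now that `mount-home` is gone, but the deleted "Mounting home" section was also the only place that described what happens at boot, and the deleted reminder about running `openrc -n manual` after a reboot has no replacement. With `keylocation` pointing at `/tmp/tank.key` (provisioning.md) the pool will not unlock on its own on the installed system, so add a short note on how the key is loaded at boot until the clevis section exists. Style: the file now ends without a trailing newline (`\ No newline at end of file`); add one.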
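Review bot: in the provisioning.md key-generation hunk the prose says the key is saved to `/tmp/crypt-key.txt`, but the command writes `/tmp/tank.key`, which is also the path used by installation.md and by `keylocation`; fix the text to match. Two smaller points: `cat /dev/urandom | tr ...` can simply be `tr -dc 'a-zA-Z0-9' < /dev/urandom`, and since the key sits in plaintext in the installer's `/tmp`, the guide should tell the reader to delete it once the pool is created and the key has been written down, and make sure it is never copied onto the target filesystem.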
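Review bot: in the `zpool create` hunk, `-O keylocation=file:///tmp/tank.key` is stored persistently on the pool's root dataset, so on the installed system, where `/tmp/tank.key` does not exist, a plain `zfs load-key tank` (and any load-key boot service that relies on the property) will fail. Either use `-O keylocation=prompt` here and keep passing `-L file:///tmp/tank.key` explicitly during installation (installation.md already does), or add a `zfs set keylocation=prompt tank` step before the first reboot. Since `-O` properties are inherited by every child dataset, dropping the separate encryption options from `tank/home` in the next hunk is consistent with this change.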
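Review bot: in the `tank/home` hunk, `-o quota=` has an empty value on the changed line (pre-existing, but this is the moment to fix it); give it a size like the other datasets or drop the option. Removing `-o encryption=on -o keyformat=passphrase` is correct because `tank/home` now inherits encryption from the pool root, and it is worth saying so in the text, since earlier versions of the guide treated home as a separately encrypted dataset.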