From 35ee8a3320add2527c7e7f61a4a029518d86a018 Mon Sep 17 00:00:00 2001
From: Luc <luc@bijl.us>
Date: Tue, 24 Dec 2024 12:38:29 +0100
Subject: [PATCH] docs/alpine-server-setup/provisioning.md: set mountpoint to
legacy, implement zlevis and updated format
---
docs/alpine-server-setup/provisioning.md | 50 +++++++++++++++---------
1 file changed, 31 insertions(+), 19 deletions(-)
diff --git a/docs/alpine-server-setup/provisioning.md b/docs/alpine-server-setup/provisioning.md
index e4853fd..e1907ba 100644
--- a/docs/alpine-server-setup/provisioning.md
+++ b/docs/alpine-server-setup/provisioning.md
@@ -1,6 +1,8 @@
# Provisioning
-After flashing the Alpine Linux extended ISO, partition the disks. For this action internet is required since `zfs` and `sgdisk` are not included on the extended ISO, therefore it needs to be obtained from the repository.
+Flash the Alpine Linux extended ISO and make sure the secureboot keys are reset and TPM is enabled in the BIOS of the host.
+
+After booting the Alpine Linux extended ISO, partition the disks. For this action internet is required since `zfs`, `sgdisk` and various other necessary packages are not included on the extended ISO, therefore they need to be obtained from the alpine package repository.
To set it up `setup-interfaces` and `setup-apkrepos` will be used.
@@ -9,10 +11,12 @@ To set it up `setup-interfaces` and `setup-apkrepos` will be used.
# setup-apkrepos -c1
```
-A few packages will have to be installed first:
+> To use Wi-Fi simply run `setup-interfaces -r` and select `wlan0` or similar.
+
+A few packages will have to be installed first,
```
-# apk add zfs lsblk sgdisk wipefs dosfstools acpid mdadm
+# apk add zfs lsblk sgdisk wipefs dosfstools acpid mdadm tpm2-tools zlevis
```
and load the ZFS kernel module
@@ -21,7 +25,7 @@ and load the ZFS kernel module
# modprobe zfs
```
-Define the disks you want to use for this install
+Define the disks you want to use for this install,
```
# export disks="/dev/disk/by-id/<id-disk-1> ... /dev/disk/by-id/<id-disk-n>"
@@ -31,7 +35,7 @@ with `<id-disk-n>` for $n \in \mathbb{N}$ the `id` of the disk.
> According to [openzfs-FAQ](https://openzfs.github.io/openzfs-docs/Project%20and%20Community/FAQ.html) using `/dev/disk/by-id/` is the best practice for small pools. For larger pools, using serial Attached SCSI (SAS) and the like, see [vdev_id](https://openzfs.github.io/openzfs-docs/man/master/5/vdev_id.conf.5.html) for proper configuration.
-Wipe the existing disk partitions
+Wipe the existing disk partitions:
```
# for disk in $disks; do
@@ -41,7 +45,7 @@ Wipe the existing disk partitions
> done
```
-Create on each disk an `EFI system` partition (ESP) and a `Linux filesystem` partition
+Create on each disk an `EFI system` partition (ESP) and a `Linux filesystem` partition:
```
# for disk in $disks; do
@@ -50,13 +54,13 @@ Create on each disk an `EFI system` partition (ESP) and a `Linux filesystem` par
> done
```
-Create device nodes
+Create device nodes:
```
# mdev -s
```
-Define the EFI partitions
+Define the EFI partitions:
```
# export efiparts=""
@@ -66,7 +70,7 @@ Define the EFI partitions
> done
```
-Create a `mdraid` array on the EFI partitions
+Create a `mdraid` array on the EFI partitions:
```
# modprobe raid1
@@ -74,7 +78,7 @@ Create a `mdraid` array on the EFI partitions
# mdadm --assemble --scan
```
-Format the array with a FAT32 filesystem
+Format the array with a FAT32 filesystem:
```
# mkfs.fat -F 32 /dev/md/esp
@@ -92,15 +96,15 @@ Define the pool partitions
> done
```
-The ZFS system pool is going to be encrypted. First generate an encryption key and save it temporarily to the file `/tmp/crypt-key.txt` with:
+The ZFS system pool is going to be encrypted. First generate an encryption key and save it temporarily to the file `/tmp/tank.key` with:
```
# cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1 > /tmp/tank.key && cat /tmp/tank.key
```
-> Later on in the guide `clevis` will be used for automatic decryption, so this key only has to be entered a few times. However, if any changes are made to the bios or secureboot then this key will be needed again, so make sure to write it down.
+> Later on in the guide `zlevis` will be used for automatic decryption, so this key only has to be entered a few times. However, if any changes are made to the bios or secureboot then this key will be needed again, so make sure to save it.
-Create the system pool
+Create the system pool:
```
# zpool create -f \
@@ -111,26 +115,34 @@ Create the system pool
-O dnodesize=auto \
-O encryption=on \
-O keyformat=passphrase \
- -O keylocation=file:///tmp/tank.key \
+ -O keylocation=prompt \
-m none \
tank raidz1 $poolparts
```
> Additionally, the `spare` option can be used to indicate spare disks. If more redundancy is preferred than `raidz2` and `raidz3` are possible [alternatives](https://openzfs.github.io/openzfs-docs/man/master/7/zpoolconcepts.7.html) for `raidz1`. If a single disk is used the `raidz` option can be left aside. For further information see [zpool-create](https://openzfs.github.io/openzfs-docs/man/master/8/zpool-create.8.html).
-Then create the system datasets
+Then create the system datasets:
```
# zfs create -o mountpoint=none tank/root
-# zfs create -o canmount=noauto -o mountpoint=/ -o atime=off -o quota=24g tank/root/alpine
+# zfs create -o mountpoint=legacy -o quota=24g tank/root/alpine
# zfs create -o mountpoint=/home -o atime=off -o setuid=off -o devices=off -o quota=<home-quota> tank/home
-# zfs create -o mountpoint=/var -o exec=off -o setuid=off -o devices=off -o quota=16g tank/var
+# zfs create -o mountpoint=/var -o atime=off -o exec=off -o setuid=off -o devices=off -o quota=16g tank/var
```
> Setting the `<home-quota>` depends on the total size of the pool, generally try to reserve some empty space in the pool.
-Finally, export the zpool
+Write the encryption key to TPM and store the jwe in tpm:jwe:
+
+```
+# zfs set tpm:jwe=$(zlevis-encrypt '{}' < /tmp/tank.key) tank
+```
+
+> To check if it worked, perform `zfs list -Ho tpm:jwe tank | zlevis-decrypt`.
+
+Finally, export the zpool:
```
# zpool export tank
-```
\ No newline at end of file
+```