From 35ee8a3320add2527c7e7f61a4a029518d86a018 Mon Sep 17 00:00:00 2001 From: Luc Date: Tue, 24 Dec 2024 12:38:29 +0100 Subject: [PATCH] docs/alpine-server-setup/provisioning.md: set mountpoint to legacy, implement zlevis and updated format --- docs/alpine-server-setup/provisioning.md | 50 +++++++++++++++--------- 1 file changed, 31 insertions(+), 19 deletions(-) diff --git a/docs/alpine-server-setup/provisioning.md b/docs/alpine-server-setup/provisioning.md index e4853fd..e1907ba 100644 --- a/docs/alpine-server-setup/provisioning.md +++ b/docs/alpine-server-setup/provisioning.md @@ -1,6 +1,8 @@ # Provisioning -After flashing the Alpine Linux extended ISO, partition the disks. For this action internet is required since `zfs` and `sgdisk` are not included on the extended ISO, therefore it needs to be obtained from the repository. +Flash the Alpine Linux extended ISO and make sure the secureboot keys are reset and TPM is enabled in the BIOS of the host. + +After booting the Alpine Linux extended ISO, partition the disks. For this action internet is required since `zfs`, `sgdisk` and various other necessary packages are not included on the extended ISO, therefore they need to be obtained from the alpine package repository. To set it up `setup-interfaces` and `setup-apkrepos` will be used. @@ -9,10 +11,12 @@ To set it up `setup-interfaces` and `setup-apkrepos` will be used. # setup-apkrepos -c1 ``` -A few packages will have to be installed first: +> To use Wi-Fi simply run `setup-interfaces -r` and select `wlan0` or similar. + +A few packages will have to be installed first, ``` -# apk add zfs lsblk sgdisk wipefs dosfstools acpid mdadm +# apk add zfs lsblk sgdisk wipefs dosfstools acpid mdadm tpm2-tools zlevis ``` and load the ZFS kernel module @@ -21,7 +25,7 @@ and load the ZFS kernel module # modprobe zfs ``` -Define the disks you want to use for this install +Define the disks you want to use for this install, ``` # export disks="/dev/disk/by-id/ ... /dev/disk/by-id/" @@ -31,7 +35,7 @@ with `` for $n \in \mathbb{N}$ the `id` of the disk. > According to [openzfs-FAQ](https://openzfs.github.io/openzfs-docs/Project%20and%20Community/FAQ.html) using `/dev/disk/by-id/` is the best practice for small pools. For larger pools, using serial Attached SCSI (SAS) and the like, see [vdev_id](https://openzfs.github.io/openzfs-docs/man/master/5/vdev_id.conf.5.html) for proper configuration. -Wipe the existing disk partitions +Wipe the existing disk partitions: ``` # for disk in $disks; do @@ -41,7 +45,7 @@ Wipe the existing disk partitions > done ``` -Create on each disk an `EFI system` partition (ESP) and a `Linux filesystem` partition +Create on each disk an `EFI system` partition (ESP) and a `Linux filesystem` partition: ``` # for disk in $disks; do @@ -50,13 +54,13 @@ Create on each disk an `EFI system` partition (ESP) and a `Linux filesystem` par > done ``` -Create device nodes +Create device nodes: ``` # mdev -s ``` -Define the EFI partitions +Define the EFI partitions: ``` # export efiparts="" @@ -66,7 +70,7 @@ Define the EFI partitions > done ``` -Create a `mdraid` array on the EFI partitions +Create a `mdraid` array on the EFI partitions: ``` # modprobe raid1 @@ -74,7 +78,7 @@ Create a `mdraid` array on the EFI partitions # mdadm --assemble --scan ``` -Format the array with a FAT32 filesystem +Format the array with a FAT32 filesystem: ``` # mkfs.fat -F 32 /dev/md/esp @@ -92,15 +96,15 @@ Define the pool partitions > done ``` -The ZFS system pool is going to be encrypted. First generate an encryption key and save it temporarily to the file `/tmp/crypt-key.txt` with: +The ZFS system pool is going to be encrypted. First generate an encryption key and save it temporarily to the file `/tmp/tank.key` with: ``` # cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1 > /tmp/tank.key && cat /tmp/tank.key ``` -> Later on in the guide `clevis` will be used for automatic decryption, so this key only has to be entered a few times. However, if any changes are made to the bios or secureboot then this key will be needed again, so make sure to write it down. +> Later on in the guide `zlevis` will be used for automatic decryption, so this key only has to be entered a few times. However, if any changes are made to the bios or secureboot then this key will be needed again, so make sure to save it. -Create the system pool +Create the system pool: ``` # zpool create -f \ @@ -111,26 +115,34 @@ Create the system pool -O dnodesize=auto \ -O encryption=on \ -O keyformat=passphrase \ - -O keylocation=file:///tmp/tank.key \ + -O keylocation=prompt \ -m none \ tank raidz1 $poolparts ``` > Additionally, the `spare` option can be used to indicate spare disks. If more redundancy is preferred than `raidz2` and `raidz3` are possible [alternatives](https://openzfs.github.io/openzfs-docs/man/master/7/zpoolconcepts.7.html) for `raidz1`. If a single disk is used the `raidz` option can be left aside. For further information see [zpool-create](https://openzfs.github.io/openzfs-docs/man/master/8/zpool-create.8.html). -Then create the system datasets +Then create the system datasets: ``` # zfs create -o mountpoint=none tank/root -# zfs create -o canmount=noauto -o mountpoint=/ -o atime=off -o quota=24g tank/root/alpine +# zfs create -o mountpoint=legacy -o quota=24g tank/root/alpine # zfs create -o mountpoint=/home -o atime=off -o setuid=off -o devices=off -o quota= tank/home -# zfs create -o mountpoint=/var -o exec=off -o setuid=off -o devices=off -o quota=16g tank/var +# zfs create -o mountpoint=/var -o atime=off -o exec=off -o setuid=off -o devices=off -o quota=16g tank/var ``` > Setting the `` depends on the total size of the pool, generally try to reserve some empty space in the pool. -Finally, export the zpool +Write the encryption key to TPM and store the jwe in tpm:jwe: + +``` +# zfs set tpm:jwe=$(zlevis-encrypt '{}' < /tmp/tank.key) tank +``` + +> To check if it worked, perform `zfs list -Ho tpm:jwe tank | zlevis-decrypt`. + +Finally, export the zpool: ``` # zpool export tank -``` \ No newline at end of file +```