codeblocks?

2025-01-12 18:12:36 +01:00 · 2025-01-12 18:12:36 +01:00 · 4a39ff4782
commit 4a39ff4782
parent b861149cb5
3 changed files with 190 additions and 180 deletions
--- a/docs/gentoo-desktop-setup/installation.md
+++ b/docs/gentoo-desktop-setup/installation.md
@ -2,47 +2,45 @@ Now is the time to actually install Gentoo.
 First import the pool again:
-```
+``` shell
-# zpool import -N -R /mnt rpool
+root # zpool import -N -R /mnt rpool
-# zfs load-key -L file:///tmp/rpool.key rpool
+root # zfs load-key -L file:///tmp/rpool.key rpool
 ```
 Then mount the datasets and the ESP on `/mnt`:
-```
+``` shell
-# mount -t zfs rpool/root/gentoo /mnt
+root # mount -t zfs rpool/root/gentoo /mnt
-# mkdir /mnt/var
+root # mkdir /mnt/var
-# mount -t zfs rpool/root/gentoo/var /mnt/var
+root # mount -t zfs rpool/root/gentoo/var /mnt/var
-# mkdir /mnt/efi
+root # mkdir /mnt/efi
-# mount -t vfat /dev/disk/by-label/esp /mnt/efi
+root # mount -t vfat /dev/disk/by-label/esp /mnt/efi
 ```
 Now we're going to fetch a stage3 tarball for on the root of the system. Replace the `<release_date>` with the latest tarball release.
-```
+``` shell
-# cd /mnt
+root # cd /mnt
-# wget https://distfiles.gentoo.org/releases/amd64/autobuilds/current-stage3-amd64-musl-hardened/stage3-amd64-musl-hardened-<release_date>.tar.xz
+root # wget https://distfiles.gentoo.org/releases/amd64/autobuilds/current-stage3-amd64-musl-hardened/stage3-amd64-musl-hardened-<release_date>.tar.xz
 ```
-> There are also other mirrors like `https://ftp.snt.utwente.nl/pub/os/linux/gentoo/releases/amd64/autobuilds/current-stage3-amd64-musl-hardened/` which might provide a faster download depending on your location. Check out <https://www.gentoo.org/downloads/mirrors/> for other mirrors.
+This should have placed a tarball at `/mnt/stage3-amd64-musl-hardened-*-.tar.xz`. There are also other mirrors like `https://ftp.snt.utwente.nl/pub/os/linux/gentoo/releases/amd64/autobuilds/current-stage3-amd64-musl-hardened/` which might provide a faster download depending on your location. Check out <https://www.gentoo.org/downloads/mirrors/> for other mirrors.
 > It is also possible to use `links` instead of `wget` which provides a small user interface for navigation: `# links https://distfiles.gentoo.org/releases/amd64/autobuilds/current-stage3-amd64-musl-hardened`
 Unpack it in the new root:
-```
+``` shell
-# tar xpvf stage3-*.tar.xz --numeric-owner
+root # tar xpvf stage3-*.tar.xz --numeric-owner -C /mnt
 ```
 Then before finally chrooting into the system simply copy over the `resolv.conf` for internet connection inside the chroot.
-```
+``` shell
-# cp /etc/resolv.conf /mnt/etc/.
+root # cp /etc/resolv.conf /mnt/etc/.
-# cp /tmp/rpool.key /mnt/tmp
+root # cp /tmp/rpool.key /mnt/tmp
-# for i in dev proc sys run; do
+root # for i in dev proc sys run; do mount --rbind --make-rslave /$i /mnt/$i; done
-    mount --rbind --make-rslave /$i /mnt/$i
+root # chroot /mnt 
    done
 # chroot /mnt 
 ```
 ## Configuring the system
@ -51,7 +49,7 @@ Then before finally chrooting into the system simply copy over the `resolv.conf`
 Before installing any software first edit `/etc/portage/make.conf` which acts as the main configuration file for portage. A Gentoo installation is highly personal so diverting from these settings is encouraged. Here's an example file:
-```
+``` title="/etc/portage/make.conf"
 # Please consult /usr/share/portage/config/make.conf.example for a more
 # detailed example.
 COMMON_FLAGS="-march=native -O2 -pipe"
@ -83,7 +81,7 @@ PORTAGE_LOGDIR_CLEAN="find \"\${PORTAGE_LOGDIR}\" -type f ! -name \"summary.log*
 ACCEPT_LICENSE="-* @FREE"
 # USE flags
-USE="${USE} networkmanager wayland dbus elogind -systemd policykit pam man udev pipewire initramfs secureboot modules-sign dist-kernel -gtkdoc" # ....
+USE="${USE} networkmanager -modemmanager wayland dbus elogind -systemd policykit pam man udev pipewire initramfs secureboot modules-sign dist-kernel" # ....
 # Emerge settings
 EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --with-bdeps y"
@ -97,259 +95,261 @@ MODULES_SIGN_HASH="sha512"
 ```
-> Don't forget to change the `MAKEOPTS` to match your CPU and also the `USEFLAGS` to your liking. 
+> Don't forget to change the `MAKEOPTS` to match your CPU and also the `USEFLAGS` to your liking by i.e. adding `-gtk-doc`. 
 Now finally sync the repositories and try installing a package like `vim`.
-```
+``` shell
-# emaint sync
+root # emaint sync
-# emerge --ask --verbose app-editors/vim
+...
 Action: sync for repo: gentoo, returned code = 0
 root # emerge --ask --verbose app-editors/vim
 >>> Completed (3 of 4) app-editors/vim-*::gentoo
 ```
-In theory it should work.
+Then try running `vim` and it theory it should work!
 ### Fstab
-Simply add these lines to the fstab:
+Simply add these lines to the systems `fstab`:
-```
+``` title="/etc/fstab"
 rpool/root/gentoo       /   	zfs     rw,noatime,xattr,posixacl,casesensitive                 0 1
 rpool/root/gentoo/var   /var	zfs     rw,noatime,nosuid,nodev,xattr,posixacl,casesensitive    0 2
-/dev/disk/by-label/efi  /efi	vfat	defaults,nodev,nosuid,noexec,umask=0077			0 2
+/dev/disk/by-label/esp  /efi	vfat	defaults,nodev,nosuid,noexec,umask=0077                 0 2
 tmpfs                   /tmp	tmpfs	rw,nodev,nosuid,noexec,mode=1777                        0 0
 proc                    /proc	proc	nodev,nosuid,noexec,hidepid=2                           0 0
 ```
 ### Date and time
-First install `timezone-data`:
+Musl does not come with timezone's installed by default. Install `timezone-data` with:
-```
+``` shell
-# emerge -av sys-libs/timezone-data
+root # emerge -av sys-libs/timezone-data
 ```
-Create `/etc/env.d/00local` with:
+Select the correct timezone with:
-```
+``` title="/etc/env.d/00local"
 TZ="/usr/share/zoneinfo/<region>/<city>"
 ```
-Update the environment:
+Update the environment of your shell:
-```
+``` shell
-# env-update && source /etc/profile
+root # env-update && source /etc/profile
 ```
-Configure `hwclock` in `/etc/conf.d/hwclock`:
+To sync your system's time with a server set up a *Network Time Protocol daemon*. It's recommended to use OpenBSD's `openntpd` which aims to be as secure and minimal as possible:
-```
+``` shell
-clock="UTC"
+root # emerge -av net-misc/openntpd
-clock_hctosys="NO"
+root # rc-update add ntpd default
-clock_systohc="NO"
+root # rc-service ntpd start
 ```
 And set up a `ntpd`:
 ```
 # emerge -av net-misc/openntpd
 # rc-update add ntpd default
 # rc-service ntpd start
 ```
 ### Set up locales
-Install the `musl-locales` package:
+Musl also does not support locales out of the box. They aren't necessary but some programms rely on them to set the language of their application. To be able to use locales install the `musl-locales` package:
-```
+``` shell
-# emerge -av sys-apps/musl-locales
+root # emerge -av sys-apps/musl-locales
 ```
-And in `/etc/env.d/01musl_locales` add:
+And to allow the system to know where the locales are located:
-```
+``` title="/etc/env.d/01musl_locales"
 MUSL_LOCPATH="/usr/share/i18n/locales/musl"
 ```
-Then choose the desired locale with $n \in \mathbb{N}$:
+There are a multiple locales to choose from. In most situations choosing `en_US` is the standard but selecting a diverent one should not break the system. Choose the desired locale with $n \in \mathbb{N}$:
-```
+``` shell
-# eselect locale list
+root # eselect locale list
-# eselect locale set <n>
+root # eselect locale set <n>
-# env-update && source /etc/profile
+root # env-update && source /etc/profile
 ```
 ### Setting the hostname
-Simply run:
+The system's hostname is the name given to the machine. Other systems on a network will also be able to see this name. To set it replace <hostname> with the desired name:
-```
+``` shell
-echo "<hostname>" > /etc/hostname
+root # echo "<hostname>" > /etc/hostname
 ```
 ### Internet
-NetworkManager is an easy to use network manager. Before emerging it, consider adding some USE flags in `/etc/portage/package.use/networkmanager`
+NetworkManager is an easy to use network manager. It has compatibility with most VPN protocols, works with Eduroam etc. and also has multiple graphical interfaces. Before emerging it, consider adding some USE flags to your liking:
-```
+``` title="/etc/portage/package.use/networkmanager"
-net-misc/networkmanager dhcpcd -wext
+net-misc/networkmanager dhcpcd -wext -modemmanager -ppp
 ```
-And also make sure the `networkmanager` USE flag is enabled in your `make.conf`. Then emerge `networkmananger`:
+Also make sure the `networkmanager` USE flag is enabled in your `make.conf`. Then emerge `networkmananger`:
-```
+``` shell
-# emerge -av net-misc/networkmanager
+root # emerge -av net-misc/networkmanager
 ```
-Then disable any other network services before enabling the service:
+Then disable any other network services before enabling the `NetworkManager`service:
 ``` shell
 root # rc-update add NetworkManager default
 * service NetworkManager added to runlevel default
 ```
-# rc-update add NetworkManager default
+
-# rc-service NetworkManager start
+### Adding GURU 
 GURU is an extra repository which contains packages not available in the main Gentoo repository. Although the packages it contains might not be as well tested as in the main repo they are still necessary for some setups. Add Guru with:
 ``` shell
 root # emerge -av app-eselect/eselect-repository
 root # eselect repository enable guru
 root # emaint sync --repo guru
 ```
 To allow unstable packages from GURU set the `~amd64` keyword for it:
 ``` title="/etc/portage/package.accept_keywords/guru"
 */*::guru ~amd64
 ```
 ## Making the system boot
 ### Sbctl
-First off install `sbctl`:
+`sbctl` is a simple tool which allows for the management of Secureboot settings on a system. It can create, deploy and sign keys with ease. First off install `sbctl`:
-```
+``` shell
-# emerge -av sbctl
+root # emerge -av sbctl
 ```
 > Verify that Secureboot mode is on and in setup mode with `sbctl status`
 Then create and enroll keys into the system.
-```
+``` shell
-# sbctl create-keys
+root # sbctl create-keys
-# sbctl enroll-keys <--microsoft>
+Created Owner UUID abcde....
 Creating secure boot keys...✔
 Secure boot keys created!
 root # sbctl enroll-keys <--microsoft>
 ...
 Enrolled keys to the EFI variables!
 ```
 Use the `--microsoft` flag if the system is unable to use custom keys or when dual booting with Windows.
 ## Adding GURU 
 GURU is an extra repository which contains packages not available in the main Gentoo repository. Although the packages it contains might not be as well tested as in the main repo they are still necessary for some setups. Add Guru with:
 ```
 # emerge -av app-eselect/eselect-repository
 # eselect repository enable guru
 # emaint sync --repo guru
 ```
 To allow unstable packages from GURU, in `/etc/portage/package.accept_keywords/guru`:
 ```
 */*::guru ~amd64
 ```
 ### Zlevis' auto decryption
-`zlevis` is able to unlock an encrypted ZFS root pool with keys saved in a TPM, currently it's only available in the `portage-ample` repository and also has some dependencies in the `guru` repository:
+`zlevis` is able to unlock an encrypted ZFS root pool with keys saved in a TPM, currently it's only available in the `portage-ample` repository and also has some dependencies in the `guru` repository. Add the `portage-ample` repository with:
-```
+``` shell
-# eselect repository add portage-ample git https://git.bijl.us/lnorg/portage-ample
+root # eselect repository add portage-ample git https://git.bijl.us/lnorg/portage-ample
-# emaint sync -r portage-ample
+root # emaint sync -r portage-ample
 ```
-Then before emerging add the `dracut` flag in `/etc/portage/package.use/zlevis`
+Then before emerging add the `dracut` flag for zlevis:
-```
+``` title="/etc/portage/package.use/zlevis"
 app-crypt/zlevis dracut
 ```
 Then simply install it:
-```
+``` shell
-# emerge -av app-crypt/zlevis
+root # emerge -av app-crypt/zlevis
 ```
 Now add `zlevis` to the pool with
-```
+``` shell
-# zfs set tpm:jwe=$(zlevis-encrypt '{}' < /tmp/rpool.key) rpool
+root # zfs set tpm:jwe=$(zlevis-encrypt '{}' < /tmp/rpool.key) rpool
 ```
 ### UKI's
-UKI's in conjuction with secureboot make for a pretty secure bootchain :D <--- deze lijnen moeten nog anders
+UKI's in conjuction with secureboot make for a pretty secure bootchain. It bundles the command line, initramfs, efi-stub and more in one file which can then easily be signed for Secureboot. We use `dracut` as initramfs generator and `ukify` as UKI generator.
 We use `dracut` as initramfs generator and `ukify` as UKI generator.
-Firsty create `/usr/lib/kernel/install.conf`
+Configure the kernelinstall to use `dracut` and `ukify`:
-```
+``` title="/usr/lib/kernel/install.conf"
 layout=uki
 initrd_generator=dracut
 uki_generator=ukify
 ```
-And in `/etc/kernel/uki.conf`
+``` title="/etc/kernel/uki.conf"
 ```
 [UKI]
 SecureBootSigningTool=sbsign
 ```
-Portage also has to be told to generate a UKI when installing a kernel this can be done by creating `/etc/portage/package.use/uki`
+Portage also has to be told to generate a UKI when installing a kernel. Set the corresponding required USE flags:
-```
+``` title="/etc/portage/package.use/uki"
 sys-apps/systemd-utils kernel-install boot ukify
 sys-kernel/installkernel dracut ukify uki
 ```
-These USE flags tell portage also to install `systemd-boot` which can automatically detect UKI's and because of the `secureboot` flag in `/etc/portage/make.conf` it will also automatically sign the bootloader.
+These USE flags tell portage also to install `systemd-boot` which can automatically detect UKI's and because of the `secureboot` flag in `/etc/portage/make.conf` it will also automatically sign the bootloader when it gets installed or updated on the ESP.
-Also allow `linux-firmware`'s license in `/etc/portage/package.license`:
+For a desktop to function it will also require firmware. On Linux this is usually the `linux-firmware` package. Allow the licenses required for `linux-firmware`:
-```
+``` title="/etc/portage/package.license"
-# Accepting the license for linux-firmware
+# Accepting the license for linux-firmware and redistributable licenses
-sys-kernel/linux-firmware linux-fw-redistributable
+sys-kernel/linux-firmware linux-fw-redistributable @BINARY-REDISTRIBUTABLE
 # Accepting any license that permits redistribution
 sys-kernel/linux-firmware @BINARY-REDISTRIBUTABLE
 ```
-Enable the `zlevis` module in `/etc/dracut.conf.d/zlevis.conf`
+Then to allow `zlevis` to unlock the root pool it will need to be added to the initramfs. Enable the `zlevis` module for dracut: 
-```
+``` title="/etc/dracut.conf.d/zlevis.conf"
 nofsck="yes"
 add_dracutmodules+=" zlevis "
 ```
-Before installing a kernel define a minimal kernel command line in `/etc/kernel/cmdline`:
+Before installing a kernel define a minimal kernel command line which allows the initramfs to find the root:
-```
+``` title="/etc/kernel/cmdline"
 rw root=ZFS=rpool/root/gentoo quiet splash
 ```
-Then finally install all the necessary packages:
+Then finally install the packages mentioned which are required for a running system:
 ``` shell
 root # emerge -av sbsigntools systemd-utils linux-firmware gentoo-kernel-bin zfs-kmod
 ```
-# emerge -av sbsigntools systemd-utils linux-firmware gentoo-kernel-bin zfs-kmod
+
-```
+> Note that `gentoo-kernel-bin` was installed which is the pre-compiled Gentoo kernel. Later on we will compile our own custom kernel.
 It should have done this without throwing any errors.
-Then for a nice boot interface install `systemd-boot` on the ESP:
+Because Gentoo generates UKI's for all the kernels installed on a system it would be nice to be able to choose upon boot which one. For a nice boot interface install `systemd-boot` on the ESP:
-```
+``` shell
-# bootctl install
+root # bootctl install
 Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed" to "/efi/EFI/systemd/systemd-bootx64.efi".
 Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed" to "/efi/EFI/BOOT/BOOTX64.EFI".
 Random seed file /efi/loader/random-seed successfully refreshed (32 bytes).
 Created EFI boot entry "Linux Boot Manager".
 ```
 The last thing to do is adding a few ZFS services on boot:
-```
+``` shell
-# rc-update add zfs-import sysinit
+root # rc-update add zfs-import sysinit
-# rc-update add zfs-mount sysinit
+root # rc-update add zfs-mount sysinit
 ```
 Now exit the chroot and unmount the filesystem with:
-```
+``` shell
-# umount -lf /mnt
+root # umount -lf /mnt
 ```
-The system should boot after reboot!
+The system should be functionalafter reboot!
--- a/docs/gentoo-desktop-setup/provisioning.md
+++ b/docs/gentoo-desktop-setup/provisioning.md
@ -4,66 +4,66 @@ After booting the Alpine Linux extended ISO, partition the disks. For this actio
 To set it up `setup-interfaces` and `setup-apkrepos` will be used.
-```
+``` shell
-# setup-interfaces -ar
+root # setup-interfaces -ar
-# setup-apkrepos -c1
+root # setup-apkrepos -c1
 ```
 > To use Wi-Fi simply run `setup-interfaces -r` and select `wlan0` or similar.
 A few packages will have to be installed first,
-```
+``` shell
-# apk add zfs lsblk sgdisk wipefs dosfstools
+root # apk add zfs lsblk sgdisk wipefs dosfstools
 ```
 and load the ZFS kernel module
-```
+``` shell
-# modprobe zfs
+root # modprobe zfs
 ```
 Wipe the existing disk partitions
-```
+``` shell
-# zpool labelclear -f /dev/<disk>
+root # zpool labelclear -f /dev/<disk>
-# wipefs -a /dev/<disk>
+root # wipefs -a /dev/<disk>
-# sgdisk --zap-all /dev/<disk>
+root # sgdisk --zap-all /dev/<disk>
 ```
 Create on the disk an `EFI system` partition (ESP) and a `Linux filesystem` partition
-```
+``` shell
-# sgdisk -n 1:1m:+512m -t 1:ef00 /dev/<disk>
+root # sgdisk -n 1:1m:+512m -t 1:ef00 /dev/<disk>
-# sgdisk -n 2:0:-10m -t 2:8300 /dev/<disk>
+root # sgdisk -n 2:0:-10m -t 2:8300 /dev/<disk>
 ```
 Reload the device nodes
-```
+``` shell
-# mdev -s
+root # mdev -s
 ```
 Then, format the ESP with a FAT32 filesystem
-```
+``` shell
-# mkfs.fat -F 32 -n esp /dev/<disk>1
+root # mkfs.fat -F 32 -n esp /dev/<disk>1
 ```
 ## ZFS pool creation
 The ZFS system pool is going to be encrypted. First generate an encryption key and save it temporarily to the file `/tmp/rpool.key` with:
-```
+``` shell
-# cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1 > /tmp/rpool.key && cat /tmp/rpool.key
+root # cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1 > /tmp/rpool.key && cat /tmp/rpool.key
 ```
 > Later on in the guide `zlevis` will be used for automatic decryption, so this key only has to be entered a few times. However, if any changes are made to the bios or secureboot then this key will be needed again, so make sure to save it.
 Create the system pool:
-```
+``` shell
-# zpool create -f \
+root # zpool create -f \
        -o ashift=12 \
        -O compression=lz4 \
        -O acltype=posix \ 
@ -78,11 +78,11 @@ Create the system pool:
 Then create the system datasets:
-```
+``` shell
-# zfs create -o mountpoint=none rpool/root
+root # zfs create -o mountpoint=none rpool/root
-# zfs create -o mountpoint=legacy -o quota=48g rpool/root/gentoo
+root # zfs create -o mountpoint=legacy -o quota=48g rpool/root/gentoo
-# zfs create -o mountpoint=legacy -o quota=32g rpool/root/gentoo/var
+root # zfs create -o mountpoint=legacy -o quota=32g rpool/root/gentoo/var
-# zfs create -o mountpoint=/home -o atime=off -o setuid=off -o devices=off -o quota=<home-quota> rpool/home
+root # zfs create -o mountpoint=/home -o atime=off -o setuid=off -o devices=off -o quota=<home-quota> rpool/home
 ```
 > Setting the `<home-quota>` depends on the total size of the pool, generally try to reserve some empty space in the pool.
--- a/mkdocs.yml
+++ b/mkdocs.yml
@ -8,6 +8,8 @@ theme:
    - navigation.tabs
    - navigation.indexes
    - toc.follow
    - content.code.copy
    - content.code.annotate 
  logo: assets/lnorg-logo.png
  favicon: assets/lnorg-logo.png
  palette:  
@ -33,6 +35,14 @@ extra:
 markdown_extensions:
  - pymdownx.arithmatex:
      generic: true
  - pymdownx.highlight:
      use_pygments: true
      anchor_linenums: true
      line_spans: __span
      pygments_lang_class: true
  - pymdownx.inlinehilite
  - pymdownx.snippets
  - pymdownx.superfences
 extra_javascript:
  - javascripts/mathjax.js