codeblocks?

This commit is contained in:
nils 2025-01-12 18:12:36 +01:00
parent b861149cb5
commit 4a39ff4782
3 changed files with 190 additions and 180 deletions


@ -2,47 +2,45 @@ Now is the time to actually install Gentoo.
First import the pool again: First import the pool again:
``` ``` shell
# zpool import -N -R /mnt rpool root # zpool import -N -R /mnt rpool
# zfs load-key -L file:///tmp/rpool.key rpool root # zfs load-key -L file:///tmp/rpool.key rpool
``` ```
Then mount the datasets and the ESP on `/mnt`: Then mount the datasets and the ESP on `/mnt`:
``` ``` shell
# mount -t zfs rpool/root/gentoo /mnt root # mount -t zfs rpool/root/gentoo /mnt
# mkdir /mnt/var root # mkdir /mnt/var
# mount -t zfs rpool/root/gentoo/var /mnt/var root # mount -t zfs rpool/root/gentoo/var /mnt/var
# mkdir /mnt/efi root # mkdir /mnt/efi
# mount -t vfat /dev/disk/by-label/esp /mnt/efi root # mount -t vfat /dev/disk/by-label/esp /mnt/efi
``` ```
Now we're going to fetch a stage3 tarball for on the root of the system. Replace the `<release_date>` with the latest tarball release. Now we're going to fetch a stage3 tarball for on the root of the system. Replace the `<release_date>` with the latest tarball release.
``` ``` shell
# cd /mnt root # cd /mnt
# wget https://distfiles.gentoo.org/releases/amd64/autobuilds/current-stage3-amd64-musl-hardened/stage3-amd64-musl-hardened-<release_date>.tar.xz root # wget https://distfiles.gentoo.org/releases/amd64/autobuilds/current-stage3-amd64-musl-hardened/stage3-amd64-musl-hardened-<release_date>.tar.xz
``` ```
> There are also other mirrors like `https://ftp.snt.utwente.nl/pub/os/linux/gentoo/releases/amd64/autobuilds/current-stage3-amd64-musl-hardened/` which might provide a faster download depending on your location. Check out <https://www.gentoo.org/downloads/mirrors/> for other mirrors. This should have placed a tarball at `/mnt/stage3-amd64-musl-hardened-*-.tar.xz`. There are also other mirrors like `https://ftp.snt.utwente.nl/pub/os/linux/gentoo/releases/amd64/autobuilds/current-stage3-amd64-musl-hardened/` which might provide a faster download depending on your location. Check out <https://www.gentoo.org/downloads/mirrors/> for other mirrors.
> It is also possible to use `links` instead of `wget` which provides a small user interface for navigation: `# links https://distfiles.gentoo.org/releases/amd64/autobuilds/current-stage3-amd64-musl-hardened` > It is also possible to use `links` instead of `wget` which provides a small user interface for navigation: `# links https://distfiles.gentoo.org/releases/amd64/autobuilds/current-stage3-amd64-musl-hardened`
Unpack it in the new root: Unpack it in the new root:
``` ``` shell
# tar xpvf stage3-*.tar.xz --numeric-owner root # tar xpvf stage3-*.tar.xz --numeric-owner -C /mnt
``` ```
Then before finally chrooting into the system simply copy over the `resolv.conf` for internet connection inside the chroot. Then before finally chrooting into the system simply copy over the `resolv.conf` for internet connection inside the chroot.
``` ``` shell
# cp /etc/resolv.conf /mnt/etc/. root # cp /etc/resolv.conf /mnt/etc/.
# cp /tmp/rpool.key /mnt/tmp root # cp /tmp/rpool.key /mnt/tmp
# for i in dev proc sys run; do root # for i in dev proc sys run; do mount --rbind --make-rslave /$i /mnt/$i; done
mount --rbind --make-rslave /$i /mnt/$i root # chroot /mnt
done
# chroot /mnt
``` ```
## Configuring the system ## Configuring the system
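Review bot: the stage3 fetched with `wget https://distfiles.gentoo.org/.../stage3-amd64-musl-hardened-<release_date>.tar.xz` is never verified before `tar xpvf stage3-*.tar.xz --numeric-owner -C /mnt` unpacks it as root, and the surrounding text explicitly sends readers to third-party mirrors, so a tampered download gets to write the entire new root. Fetch the matching `.asc` and `.DIGESTS` files from the same directory and check them (`gpg --verify stage3-*.tar.xz.asc` against the Gentoo release engineering key, then the SHA512 line in `.DIGESTS`) before extracting; the Handbook also passes `--xattrs-include='*.*'` to `tar` so file capabilities in the stage3 survive. Smaller point: `cp /tmp/rpool.key /mnt/tmp` leaves the plaintext pool key on the persistent `rpool/root/gentoo` dataset (the tmpfs for `/tmp` only appears at first boot), so delete it once the `zlevis-encrypt` step is done.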
@ -51,7 +49,7 @@ Then before finally chrooting into the system simply copy over the `resolv.conf`
Before installing any software first edit `/etc/portage/make.conf` which acts as the main configuration file for portage. A Gentoo installation is highly personal so diverting from these settings is encouraged. Here's an example file: Before installing any software first edit `/etc/portage/make.conf` which acts as the main configuration file for portage. A Gentoo installation is highly personal so diverting from these settings is encouraged. Here's an example file:
``` ``` title="/etc/portage/make.conf"
# Please consult /usr/share/portage/config/make.conf.example for a more # Please consult /usr/share/portage/config/make.conf.example for a more
# detailed example. # detailed example.
COMMON_FLAGS="-march=native -O2 -pipe" COMMON_FLAGS="-march=native -O2 -pipe"
@ -83,7 +81,7 @@ PORTAGE_LOGDIR_CLEAN="find \"\${PORTAGE_LOGDIR}\" -type f ! -name \"summary.log*
ACCEPT_LICENSE="-* @FREE" ACCEPT_LICENSE="-* @FREE"
# USE flags # USE flags
USE="${USE} networkmanager wayland dbus elogind -systemd policykit pam man udev pipewire initramfs secureboot modules-sign dist-kernel -gtkdoc" # .... USE="${USE} networkmanager -modemmanager wayland dbus elogind -systemd policykit pam man udev pipewire initramfs secureboot modules-sign dist-kernel" # ....
# Emerge settings # Emerge settings
EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --with-bdeps y" EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --with-bdeps y"
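Review bot: `-modemmanager` is now set globally in `USE` here and again per-package in `/etc/portage/package.use/networkmanager` later in this commit (`net-misc/networkmanager dhcpcd -wext -modemmanager -ppp`); one of the two is redundant, keep either the global or the per-package form. Dropping `-gtkdoc` from this line is correct since the flag is spelled `gtk-doc`, which the note below the block now uses.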
@ -97,259 +95,261 @@ MODULES_SIGN_HASH="sha512"
``` ```
> Don't forget to change the `MAKEOPTS` to match your CPU and also the `USEFLAGS` to your liking. > Don't forget to change the `MAKEOPTS` to match your CPU and also the `USEFLAGS` to your liking by i.e. adding `-gtk-doc`.
Now finally sync the repositories and try installing a package like `vim`. Now finally sync the repositories and try installing a package like `vim`.
``` ``` shell
# emaint sync root # emaint sync
# emerge --ask --verbose app-editors/vim ...
Action: sync for repo: gentoo, returned code = 0
root # emerge --ask --verbose app-editors/vim
>>> Completed (3 of 4) app-editors/vim-*::gentoo
``` ```
In theory it should work. Then try running `vim` and it theory it should work!
### Fstab ### Fstab
Simply add these lines to the fstab: Simply add these lines to the systems `fstab`:
``` ``` title="/etc/fstab"
rpool/root/gentoo / zfs rw,noatime,xattr,posixacl,casesensitive 0 1 rpool/root/gentoo / zfs rw,noatime,xattr,posixacl,casesensitive 0 1
rpool/root/gentoo/var /var zfs rw,noatime,nosuid,nodev,xattr,posixacl,casesensitive 0 2 rpool/root/gentoo/var /var zfs rw,noatime,nosuid,nodev,xattr,posixacl,casesensitive 0 2
/dev/disk/by-label/efi /efi vfat defaults,nodev,nosuid,noexec,umask=0077 0 2 /dev/disk/by-label/esp /efi vfat defaults,nodev,nosuid,noexec,umask=0077 0 2
tmpfs /tmp tmpfs rw,nodev,nosuid,noexec,mode=1777 0 0 tmpfs /tmp tmpfs rw,nodev,nosuid,noexec,mode=1777 0 0
proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0 proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0
``` ```
### Date and time ### Date and time
First install `timezone-data`: Musl does not come with timezone's installed by default. Install `timezone-data` with:
``` ``` shell
# emerge -av sys-libs/timezone-data root # emerge -av sys-libs/timezone-data
``` ```
Create `/etc/env.d/00local` with: Select the correct timezone with:
``` ``` title="/etc/env.d/00local"
TZ="/usr/share/zoneinfo/<region>/<city>" TZ="/usr/share/zoneinfo/<region>/<city>"
``` ```
Update the environment: Update the environment of your shell:
``` ``` shell
# env-update && source /etc/profile root # env-update && source /etc/profile
``` ```
Configure `hwclock` in `/etc/conf.d/hwclock`: To sync your system's time with a server set up a *Network Time Protocol daemon*. It's recommended to use OpenBSD's `openntpd` which aims to be as secure and minimal as possible:
``` ``` shell
clock="UTC" root # emerge -av net-misc/openntpd
clock_hctosys="NO" root # rc-update add ntpd default
clock_systohc="NO" root # rc-service ntpd start
```
And set up a `ntpd`:
```
# emerge -av net-misc/openntpd
# rc-update add ntpd default
# rc-service ntpd start
``` ```
### Set up locales ### Set up locales
Install the `musl-locales` package: Musl also does not support locales out of the box. They aren't necessary but some programms rely on them to set the language of their application. To be able to use locales install the `musl-locales` package:
``` ``` shell
# emerge -av sys-apps/musl-locales root # emerge -av sys-apps/musl-locales
``` ```
And in `/etc/env.d/01musl_locales` add: And to allow the system to know where the locales are located:
``` ``` title="/etc/env.d/01musl_locales"
MUSL_LOCPATH="/usr/share/i18n/locales/musl" MUSL_LOCPATH="/usr/share/i18n/locales/musl"
``` ```
Then choose the desired locale with $n \in \mathbb{N}$: There are a multiple locales to choose from. In most situations choosing `en_US` is the standard but selecting a diverent one should not break the system. Choose the desired locale with $n \in \mathbb{N}$:
``` ``` shell
# eselect locale list root # eselect locale list
# eselect locale set <n> root # eselect locale set <n>
# env-update && source /etc/profile root # env-update && source /etc/profile
``` ```
### Setting the hostname ### Setting the hostname
Simply run: The system's hostname is the name given to the machine. Other systems on a network will also be able to see this name. To set it replace <hostname> with the desired name:
``` ``` shell
echo "<hostname>" > /etc/hostname root # echo "<hostname>" > /etc/hostname
``` ```
### Internet ### Internet
NetworkManager is an easy to use network manager. Before emerging it, consider adding some USE flags in `/etc/portage/package.use/networkmanager` NetworkManager is an easy to use network manager. It has compatibility with most VPN protocols, works with Eduroam etc. and also has multiple graphical interfaces. Before emerging it, consider adding some USE flags to your liking:
``` ``` title="/etc/portage/package.use/networkmanager"
net-misc/networkmanager dhcpcd -wext net-misc/networkmanager dhcpcd -wext -modemmanager -ppp
``` ```
And also make sure the `networkmanager` USE flag is enabled in your `make.conf`. Then emerge `networkmananger`: Also make sure the `networkmanager` USE flag is enabled in your `make.conf`. Then emerge `networkmananger`:
``` ``` shell
# emerge -av net-misc/networkmanager root # emerge -av net-misc/networkmanager
``` ```
Then disable any other network services before enabling the service: Then disable any other network services before enabling the `NetworkManager`service:
``` shell
root # rc-update add NetworkManager default
* service NetworkManager added to runlevel default
``` ```
# rc-update add NetworkManager default
# rc-service NetworkManager start ### Adding GURU
GURU is an extra repository which contains packages not available in the main Gentoo repository. Although the packages it contains might not be as well tested as in the main repo they are still necessary for some setups. Add Guru with:
``` shell
root # emerge -av app-eselect/eselect-repository
root # eselect repository enable guru
root # emaint sync --repo guru
```
To allow unstable packages from GURU set the `~amd64` keyword for it:
``` title="/etc/portage/package.accept_keywords/guru"
*/*::guru ~amd64
``` ```
## Making the system boot ## Making the system boot
### Sbctl ### Sbctl
First off install `sbctl`: `sbctl` is a simple tool which allows for the management of Secureboot settings on a system. It can create, deploy and sign keys with ease. First off install `sbctl`:
``` ``` shell
# emerge -av sbctl root # emerge -av sbctl
``` ```
> Verify that Secureboot mode is on and in setup mode with `sbctl status` > Verify that Secureboot mode is on and in setup mode with `sbctl status`
Then create and enroll keys into the system. Then create and enroll keys into the system.
``` ``` shell
# sbctl create-keys root # sbctl create-keys
# sbctl enroll-keys <--microsoft> Created Owner UUID abcde....
Creating secure boot keys...✔
Secure boot keys created!
root # sbctl enroll-keys <--microsoft>
...
Enrolled keys to the EFI variables!
``` ```
Use the `--microsoft` flag if the system is unable to use custom keys or when dual booting with Windows. Use the `--microsoft` flag if the system is unable to use custom keys or when dual booting with Windows.
## Adding GURU
GURU is an extra repository which contains packages not available in the main Gentoo repository. Although the packages it contains might not be as well tested as in the main repo they are still necessary for some setups. Add Guru with:
```
# emerge -av app-eselect/eselect-repository
# eselect repository enable guru
# emaint sync --repo guru
```
To allow unstable packages from GURU, in `/etc/portage/package.accept_keywords/guru`:
```
*/*::guru ~amd64
```
### Zlevis' auto decryption ### Zlevis' auto decryption
`zlevis` is able to unlock an encrypted ZFS root pool with keys saved in a TPM, currently it's only available in the `portage-ample` repository and also has some dependencies in the `guru` repository: `zlevis` is able to unlock an encrypted ZFS root pool with keys saved in a TPM, currently it's only available in the `portage-ample` repository and also has some dependencies in the `guru` repository. Add the `portage-ample` repository with:
``` ``` shell
# eselect repository add portage-ample git https://git.bijl.us/lnorg/portage-ample root # eselect repository add portage-ample git https://git.bijl.us/lnorg/portage-ample
# emaint sync -r portage-ample root # emaint sync -r portage-ample
``` ```
Then before emerging add the `dracut` flag in `/etc/portage/package.use/zlevis` Then before emerging add the `dracut` flag for zlevis:
``` ``` title="/etc/portage/package.use/zlevis"
app-crypt/zlevis dracut app-crypt/zlevis dracut
``` ```
Then simply install it: Then simply install it:
``` ``` shell
# emerge -av app-crypt/zlevis root # emerge -av app-crypt/zlevis
``` ```
Now add `zlevis` to the pool with Now add `zlevis` to the pool with
``` ``` shell
# zfs set tpm:jwe=$(zlevis-encrypt '{}' < /tmp/rpool.key) rpool root # zfs set tpm:jwe=$(zlevis-encrypt '{}' < /tmp/rpool.key) rpool
``` ```
### UKI's ### UKI's
UKI's in conjuction with secureboot make for a pretty secure bootchain :D <--- deze lijnen moeten nog anders UKI's in conjuction with secureboot make for a pretty secure bootchain. It bundles the command line, initramfs, efi-stub and more in one file which can then easily be signed for Secureboot. We use `dracut` as initramfs generator and `ukify` as UKI generator.
We use `dracut` as initramfs generator and `ukify` as UKI generator.
Firsty create `/usr/lib/kernel/install.conf` Configure the kernelinstall to use `dracut` and `ukify`:
``` ``` title="/usr/lib/kernel/install.conf"
layout=uki layout=uki
initrd_generator=dracut initrd_generator=dracut
uki_generator=ukify uki_generator=ukify
``` ```
And in `/etc/kernel/uki.conf` ``` title="/etc/kernel/uki.conf"
```
[UKI] [UKI]
SecureBootSigningTool=sbsign SecureBootSigningTool=sbsign
``` ```
Portage also has to be told to generate a UKI when installing a kernel this can be done by creating `/etc/portage/package.use/uki` Portage also has to be told to generate a UKI when installing a kernel. Set the corresponding required USE flags:
``` ``` title="/etc/portage/package.use/uki"
sys-apps/systemd-utils kernel-install boot ukify sys-apps/systemd-utils kernel-install boot ukify
sys-kernel/installkernel dracut ukify uki sys-kernel/installkernel dracut ukify uki
``` ```
These USE flags tell portage also to install `systemd-boot` which can automatically detect UKI's and because of the `secureboot` flag in `/etc/portage/make.conf` it will also automatically sign the bootloader. These USE flags tell portage also to install `systemd-boot` which can automatically detect UKI's and because of the `secureboot` flag in `/etc/portage/make.conf` it will also automatically sign the bootloader when it gets installed or updated on the ESP.
Also allow `linux-firmware`'s license in `/etc/portage/package.license`: For a desktop to function it will also require firmware. On Linux this is usually the `linux-firmware` package. Allow the licenses required for `linux-firmware`:
``` ``` title="/etc/portage/package.license"
# Accepting the license for linux-firmware # Accepting the license for linux-firmware and redistributable licenses
sys-kernel/linux-firmware linux-fw-redistributable sys-kernel/linux-firmware linux-fw-redistributable @BINARY-REDISTRIBUTABLE
# Accepting any license that permits redistribution
sys-kernel/linux-firmware @BINARY-REDISTRIBUTABLE
``` ```
Enable the `zlevis` module in `/etc/dracut.conf.d/zlevis.conf` Then to allow `zlevis` to unlock the root pool it will need to be added to the initramfs. Enable the `zlevis` module for dracut:
``` ``` title="/etc/dracut.conf.d/zlevis.conf"
nofsck="yes" nofsck="yes"
add_dracutmodules+=" zlevis " add_dracutmodules+=" zlevis "
``` ```
Before installing a kernel define a minimal kernel command line in `/etc/kernel/cmdline`: Before installing a kernel define a minimal kernel command line which allows the initramfs to find the root:
``` ``` title="/etc/kernel/cmdline"
rw root=ZFS=rpool/root/gentoo quiet splash rw root=ZFS=rpool/root/gentoo quiet splash
``` ```
Then finally install all the necessary packages: Then finally install the packages mentioned which are required for a running system:
``` shell
root # emerge -av sbsigntools systemd-utils linux-firmware gentoo-kernel-bin zfs-kmod
``` ```
# emerge -av sbsigntools systemd-utils linux-firmware gentoo-kernel-bin zfs-kmod
``` > Note that `gentoo-kernel-bin` was installed which is the pre-compiled Gentoo kernel. Later on we will compile our own custom kernel.
It should have done this without throwing any errors. It should have done this without throwing any errors.
Then for a nice boot interface install `systemd-boot` on the ESP: Because Gentoo generates UKI's for all the kernels installed on a system it would be nice to be able to choose upon boot which one. For a nice boot interface install `systemd-boot` on the ESP:
``` ``` shell
# bootctl install root # bootctl install
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed" to "/efi/EFI/systemd/systemd-bootx64.efi".
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed" to "/efi/EFI/BOOT/BOOTX64.EFI".
Random seed file /efi/loader/random-seed successfully refreshed (32 bytes).
Created EFI boot entry "Linux Boot Manager".
``` ```
The last thing to do is adding a few ZFS services on boot: The last thing to do is adding a few ZFS services on boot:
``` ``` shell
# rc-update add zfs-import sysinit root # rc-update add zfs-import sysinit
# rc-update add zfs-mount sysinit root # rc-update add zfs-mount sysinit
``` ```
Now exit the chroot and unmount the filesystem with: Now exit the chroot and unmount the filesystem with:
``` ``` shell
# umount -lf /mnt root # umount -lf /mnt
``` ```
The system should boot after reboot! The system should be functionalafter reboot!
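Review bot: the `zfs set tpm:jwe=$(zlevis-encrypt '{}' < /tmp/rpool.key) rpool` step should state what sealing policy the empty `'{}'` config produces. If, as with clevis's tpm2 pin, `{}` means no PCR binding, the sealed key can be unsealed by any OS booted on this TPM regardless of Secure Boot state, and the warning on the Alpine page that firmware or Secure Boot changes will require the key again would not hold; if `zlevis` binds PCR 7 by default, document that and say how to re-seal after an `sbctl` key change. Further points in this hunk: `umount -lf /mnt` is not followed by `zpool export rpool`, so the first boot imports a pool still marked in use by the live system's hostid; add the export before rebooting. The `/etc/conf.d/hwclock` block (`clock="UTC"`, `clock_hctosys="NO"`, `clock_systohc="NO"`) was removed without replacement; if that is intentional because OpenRC defaults to UTC, say so in the text. Typos in the new wording: `functionalafter`, `diverent`, `programms`, `conjuction`, `kernelinstall`, `timezone's`, and the missing space before "service" in the NetworkManager sentence.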


@ -4,66 +4,66 @@ After booting the Alpine Linux extended ISO, partition the disks. For this actio
To set it up `setup-interfaces` and `setup-apkrepos` will be used. To set it up `setup-interfaces` and `setup-apkrepos` will be used.
``` ``` shell
# setup-interfaces -ar root # setup-interfaces -ar
# setup-apkrepos -c1 root # setup-apkrepos -c1
``` ```
> To use Wi-Fi simply run `setup-interfaces -r` and select `wlan0` or similar. > To use Wi-Fi simply run `setup-interfaces -r` and select `wlan0` or similar.
A few packages will have to be installed first, A few packages will have to be installed first,
``` ``` shell
# apk add zfs lsblk sgdisk wipefs dosfstools root # apk add zfs lsblk sgdisk wipefs dosfstools
``` ```
and load the ZFS kernel module and load the ZFS kernel module
``` ``` shell
# modprobe zfs root # modprobe zfs
``` ```
Wipe the existing disk partitions Wipe the existing disk partitions
``` ``` shell
# zpool labelclear -f /dev/<disk> root # zpool labelclear -f /dev/<disk>
# wipefs -a /dev/<disk> root # wipefs -a /dev/<disk>
# sgdisk --zap-all /dev/<disk> root # sgdisk --zap-all /dev/<disk>
``` ```
Create on the disk an `EFI system` partition (ESP) and a `Linux filesystem` partition Create on the disk an `EFI system` partition (ESP) and a `Linux filesystem` partition
``` ``` shell
# sgdisk -n 1:1m:+512m -t 1:ef00 /dev/<disk> root # sgdisk -n 1:1m:+512m -t 1:ef00 /dev/<disk>
# sgdisk -n 2:0:-10m -t 2:8300 /dev/<disk> root # sgdisk -n 2:0:-10m -t 2:8300 /dev/<disk>
``` ```
Reload the device nodes Reload the device nodes
``` ``` shell
# mdev -s root # mdev -s
``` ```
Then, format the ESP with a FAT32 filesystem Then, format the ESP with a FAT32 filesystem
``` ``` shell
# mkfs.fat -F 32 -n esp /dev/<disk>1 root # mkfs.fat -F 32 -n esp /dev/<disk>1
``` ```
## ZFS pool creation ## ZFS pool creation
The ZFS system pool is going to be encrypted. First generate an encryption key and save it temporarily to the file `/tmp/rpool.key` with: The ZFS system pool is going to be encrypted. First generate an encryption key and save it temporarily to the file `/tmp/rpool.key` with:
``` ``` shell
# cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1 > /tmp/rpool.key && cat /tmp/rpool.key root # cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1 > /tmp/rpool.key && cat /tmp/rpool.key
``` ```
> Later on in the guide `zlevis` will be used for automatic decryption, so this key only has to be entered a few times. However, if any changes are made to the bios or secureboot then this key will be needed again, so make sure to save it. > Later on in the guide `zlevis` will be used for automatic decryption, so this key only has to be entered a few times. However, if any changes are made to the bios or secureboot then this key will be needed again, so make sure to save it.
Create the system pool: Create the system pool:
``` ``` shell
# zpool create -f \ root # zpool create -f \
-o ashift=12 \ -o ashift=12 \
-O compression=lz4 \ -O compression=lz4 \
-O acltype=posix \ -O acltype=posix \
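Review bot: the key generation `cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1 > /tmp/rpool.key` yields a 20-character alphanumeric string (about 119 bits of entropy), which is only valid if the `zpool create` that follows uses `-O keyformat=passphrase`; a `raw` key must be exactly 32 bytes and a `hex` key 64 hex digits, so name the keyformat next to this command. The trailing `cat /tmp/rpool.key` also echoes the key to the console, which is fine for an interactive install but deserves a sentence. Minor: `mkfs.fat -F 32 -n esp /dev/<disk>1` assumes SATA-style naming; on NVMe the first partition is `/dev/<disk>p1`.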
@ -78,11 +78,11 @@ Create the system pool:
Then create the system datasets: Then create the system datasets:
``` ``` shell
# zfs create -o mountpoint=none rpool/root root # zfs create -o mountpoint=none rpool/root
# zfs create -o mountpoint=legacy -o quota=48g rpool/root/gentoo root # zfs create -o mountpoint=legacy -o quota=48g rpool/root/gentoo
# zfs create -o mountpoint=legacy -o quota=32g rpool/root/gentoo/var root # zfs create -o mountpoint=legacy -o quota=32g rpool/root/gentoo/var
# zfs create -o mountpoint=/home -o atime=off -o setuid=off -o devices=off -o quota=<home-quota> rpool/home root # zfs create -o mountpoint=/home -o atime=off -o setuid=off -o devices=off -o quota=<home-quota> rpool/home
``` ```
> Setting the `<home-quota>` depends on the total size of the pool, generally try to reserve some empty space in the pool. > Setting the `<home-quota>` depends on the total size of the pool, generally try to reserve some empty space in the pool.
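Review bot: `quota=32g` on `rpool/root/gentoo/var` sits under `quota=48g` on `rpool/root/gentoo`, and ZFS `quota` counts descendants, so `/` and `/var` together are capped at 48g and `/` alone can never use more than 16g once `/var` is full; use `refquota` on the parent or raise its quota. Also, `rpool/home` gets `setuid=off` and `devices=off` at dataset level while `/var` relies on `nosuid,nodev` from the Gentoo fstab; setting the same properties on `rpool/root/gentoo/var` here keeps the restriction even if the dataset is mounted outside that fstab.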


@ -8,6 +8,8 @@ theme:
- navigation.tabs - navigation.tabs
- navigation.indexes - navigation.indexes
- toc.follow - toc.follow
- content.code.copy
- content.code.annotate
logo: assets/lnorg-logo.png logo: assets/lnorg-logo.png
favicon: assets/lnorg-logo.png favicon: assets/lnorg-logo.png
palette: palette:
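Review bot: `content.code.annotate` only renders annotations when `attr_list` and `md_in_html` are listed under `markdown_extensions` alongside `pymdownx.superfences`; the extension hunk below adds superfences but the other two are not visible in this diff, so confirm they are already enabled or drop the feature, since none of the changed pages use an annotation.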
@ -33,6 +35,14 @@ extra:
markdown_extensions: markdown_extensions:
- pymdownx.arithmatex: - pymdownx.arithmatex:
generic: true generic: true
- pymdownx.highlight:
use_pygments: true
anchor_linenums: true
line_spans: __span
pygments_lang_class: true
- pymdownx.inlinehilite
- pymdownx.snippets
- pymdownx.superfences
extra_javascript: extra_javascript:
- javascripts/mathjax.js - javascripts/mathjax.js
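Review bot: `pymdownx.snippets` is enabled but none of the changed pages use the `--8<--` include syntax; because it lets any page pull files from `base_path` into the build, leave it out until needed, or set `base_path` explicitly and keep the default `restrict_base_path: true` so includes cannot escape the docs directory. `anchor_linenums` and `line_spans` only take effect on blocks with `linenums`, which none of the new fences set, so those keys are harmless but currently inert.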