Updated provisioning and installation in alpine-desktop install.

This commit is contained in:
Luc Bijl 2024-08-31 12:53:55 +02:00
parent 6cff163765
commit 545d63dd15
8 changed files with 103 additions and 109 deletions

View file

@ -1,22 +1,22 @@
# Installation
To install the Alpine Linux distribution on the system, the encrypted partition and the efi partition have to be mounted to the main system.
To install the Alpine Linux distribution on the system, the alpine root partition and the EFI partition have to be mounted to the main system.
```
# mount /dev/vg<n>/alp_root /mnt -t ext4
# mkdir /mnt/efi -p
# mount /dev/<disk1> /mnt/efi -t vfat
# mount /dev/vg/alpine_root /mnt -t ext4
# mkdir /mnt/esp
# mount /dev/disk/by-label/esp /mnt/esp -t vfat
```
Then set up the base system using `setup-disk`:
Then install Alpine Linux using `setup disk`
```
# setup-disk -m sys /mnt
```
This will also add grub as bootloader which will be replaced but for now it will reside on the boot partition.
> This will also add `grub` as bootloader which will be replaced but for now it will reside on the ESP.
To make it possible to chroot into the system, mount the other directories:
To have a functional chroot into the system, bind the system process directories
```
# for i in dev proc sys run; do
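Review bot: the new sentence `Then install Alpine Linux using `setup disk`` drops the hyphen from the command name; the line it replaces had `setup-disk`, which matches the `# setup-disk -m sys /mnt` that follows, so keep the hyphen. The new lead-in `To have a functional chroot into the system, bind the system process directories` also lost the trailing colon that every other lead-in before a code block in this file has.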
@ -35,7 +35,8 @@ The other setup scripts can be used to configure key aspects of the system. Besi
# rc-update add acpid default
# rc-update add lvm boot
# rc-update add seedrng boot
# rm -rf /var/tmp ; ln -s /tmp /var/tmp
# rm -rf /var/tmp
# ln -s /tmp /var/tmp
# passwd root
```
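Review bot: splitting `rm -rf /var/tmp ; ln -s /tmp /var/tmp` into two commands is fine, but the page still does not state the consequence: with `/tmp` being a `nodev,nosuid,noexec` tmpfs in the fstab changed later in this commit, `/var/tmp` stops persisting across reboots and inherits those mount restrictions, which is not what software expecting `/var/tmp` semantics assumes. A one-line remark next to the commands would let readers decide whether they want that.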
@ -49,19 +50,19 @@ clock_hctosys="NO"
clock_systohc="NO"
```
Edit `/etc/fstab` for correct mounts:
Edit `/etc/fstab` for correct mounts
```
/dev/disk/by-label/efi /efi vfat defaults,nodev,nosuid,noexec 0 2
/dev/vg<n>/alp_root / ext4 defaults,noatime 0 1
/dev/vg<n>/alp_home /home ext4 defaults,noatime,nosuid,nodev 0 2
/dev/vg<n>/alp_var /var ext4 defaults,nodev,nosuid,noexec 0 2
/dev/vg<n>/alp_nix /nix ext4 defaults,noatime,nodev,nosuid 0 2
tmpfs /tmp tmpfs rw,size=4G,nr_inodes=5k,noexec,nodev,nosuid,mode=1777 0 0
proc /proc proc nosuid,nodev,noexec,hidepid=2 0 0
/dev/disk/by-label/esp /esp vfat defaults,nodev,nosuid,noexec 0 2
/dev/vg/alpine_root / ext4 defaults,noatime 0 1
/dev/vg/home /home ext4 defaults,noatime,nodev,nosuid 0 2
/dev/vg/var /var ext4 defaults,nodev,nosuid,noexec 0 2
/dev/vg/nix /nix ext4 defaults,noatime,nodev,nosuid 0 2
tmpfs /tmp tmpfs rw,size=4G,nr_inodes=5k,nodev,nosuid,noexec,mode=1777 0 0
proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0
```
By default Alpine Linux uses `mkinitfs` to create initramfs, although it is minimal that also means that it lacks some functionality which is needed for a proper setup. Because of this `mkinitfs` and `grub-efi `will be replaced with `booster` and `secureboot-hook`.
By default, Alpine Linux uses `mkinitfs` to create an initial ram filesystem, although it is minimal that also means that it lacks some functionality which is needed for a proper setup. Because of this `mkinitfs` and `grub-efi `will be replaced with `booster` and `secureboot-hook`.
```
# apk add booster secureboot-hook sbctl
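Review bot: the stray space inside the backticks in `` `grub-efi ` `` survives in the rewritten sentence and renders as a code span with a trailing blank; the clause `although it is minimal that also means that it lacks some functionality` is also a run-on in both versions and should read `it is minimal, which also means that it lacks ...`. In the fstab, reordering the options to `nodev,nosuid,noexec` is cosmetic, but it would help to say that `/nix` deliberately omits `noexec` because the store holds executables, otherwise readers may apply the pattern to every line.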
@ -71,9 +72,9 @@ By default Alpine Linux uses `mkinitfs` to create initramfs, although it is mini
To configure booster edit `/etc/booster.yaml`:
```
enable_lvm: true
busybox: false
modules: vfat,nls_cp437,nls_iso8859_1
enable_lvm: true
```
The most important step is the creation of a UKI using `secureboot-hook` which also automatically signs them. First the hook itself will have to be tweaked to use `booster` instead of `mkinitfs`, edit `/etc/kernel-hooks.d/50-secureboot.hook` and change the line:
@ -91,20 +92,19 @@ to:
and configure `/etc/kernel-hooks.d/secureboot.conf` for cmdline and secureboot.
```
cmdline="rw rd.luks.name=<uuid>=luks root=/dev/vg<n>/alp_root modules=ext4 quiet splash rd.lvm.vg=vg<n>"
cmdline="rw rd.luks.name=<uuid>=luks rd.lvm.vg=vg root=/dev/vg/alpine_root modules=ext4 quiet splash"
signing_cert="/usr/share/secureboot/keys/db/db.pem"
signing_key="/usr/share/secureboot/keys/db/db.key"
output_dir="/efi/EFI/Linux"
output_dir="/esp/efi/linux"
output_name="alpine-linux-{flavor}.efi"
```
Here `<uuid>` has to be replaced with the uuid of the partition which contains the volume group:
Here `<uuid>` has to be replaced with the UUID of the partition which contains the volume group:
```
# blkid /dev/<disk2> >> /etc/kernel-hooks.d/secureboot.conf
# blkid /dev/<disk>2 >> /etc/kernel-hooks.d/secureboot.conf
```
Use `sbctl` to create secureboot keys and sign them.
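Review bot: `# blkid /dev/<disk>2 >> /etc/kernel-hooks.d/secureboot.conf` appends a line of the form `/dev/...: UUID="..." TYPE="crypto_LUKS"` to a file whose other contents are shell-style variable assignments; the page should say that this is only a convenience for copying the UUID into `rd.luks.name=<uuid>=luks` and that the appended line must be deleted afterwards, or the hook may fail when it reads the file. The new `output_dir="/esp/efi/linux"` also lowercases what was `/efi/EFI/Linux`; that works on a case-insensitive FAT filesystem, but the `loader.conf` entry later in this page refers to the same files, so one casing throughout the page avoids confusion.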
@ -112,7 +112,6 @@ Use `sbctl` to create secureboot keys and sign them.
```
# sbctl create-keys
# sbctl enroll-keys
...
```
> Whilst enrolling the keys it might be necessary to add the `--microsoft` flag if you are unable to use custom keys.
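Review bot: the tip `add the --microsoft flag if you are unable to use custom keys` describes the wrong condition: `sbctl enroll-keys` without `--microsoft` enrolls only the freshly created keys, so firmware components and option ROMs signed with Microsoft's certificates stop being trusted; the flag keeps Microsoft's certificates alongside the custom ones and is not a fallback for being unable to use custom keys. Dropping the `...` line from the block is fine, but a reminder that `enroll-keys` needs the firmware to be in setup mode would save readers a failed step.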
@ -123,35 +122,40 @@ Now to see if everything went succesfully run:
# apk fix kernel-hooks
```
And it should give no warnings if done properly.
and it should give no warnings if done properly.
As discussed earlier `grub` will be replaced, install `gummiboot` as a bootloader.
```
# apk add gummiboot
# gummiboot install --path=/efi
# sbctl sign -s /efi/EFI/gummiboot/gummibootx64.efi
# sbctl sign -s /efi/EFI/Boot/BOOTX64.EFI
# mkdir /esp/loader
# mkdir /esp/efi/boot
# cp /usr/lib/gummiboot/gummibootx64.efi /esp/efi/boot/bootx64.efi
```
And also remove some remnants of `grub`.
Sign the bootloader with `sbctl`
```
# rm -rf /efi/EFI/alpine
# rm -rf /efi/grub
# sbctl sign -s /esp/efi/boot/bootx64.efi
```
and also remove some remnants of `grub`.
```
# rm -rf /boot/grub
# rm -rf /etc/default
# cd /boot && unlink boot
# cd /boot && unlink boot && cd ..
```
`gummiboot` can be configured with the file `/efi/loader/loader.conf` with which the timeout and the default OS can be specified.
`gummiboot` can be configured with the file `/esp/loader/loader.conf` with which the timeout and the default OS can be specified.
```
default alpine-linux-lts.efi
default alpine-linux-<flavor>.efi
timeout 2
editor no
```
Before finishing the installation `networkmanager` will be installed for networking. Also install `networkmanager-wifi` and `wpa_supplicant` for wifi functionality.
Before finishing the installation `networkmanager` will be installed for networking. Also install `networkmanager-wifi` and `wpa_supplicant` for Wi-Fi functionality.
```
# apk add networkmanager networkmanager-wifi wpa_supplicant
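Review bot: `# rm -rf /etc/default` deletes the whole directory rather than the grub file inside it, and other packages ship their defaults there; this should be `rm -rf /etc/default/grub` (or `apk del grub grub-efi`, which also removes what `rm -rf /boot/grub` cleans up by hand). The new steps copy `/usr/lib/gummiboot/gummibootx64.efi` to `/esp/efi/boot/bootx64.efi` manually instead of running `gummiboot install`, so a package upgrade of `gummiboot` will not refresh the copy on the ESP and the signature saved with `sbctl sign -s` goes stale with it; the page should mention re-copying and re-signing after upgrades.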
@ -159,7 +163,7 @@ Before finishing the installation `networkmanager` will be installed for network
# rc-update add networkmanager default
```
Wifi will not yet work. For wifi configuration see the [network section](post-install/network).
Wi-Fi will not yet work. For Wi-Fi configuration see the [network section](post-install/network).
> If internet does not work after reboot create the config file as described in the [network section](post-install/network) and restart the service.
@ -171,6 +175,4 @@ Now exit the chroot and you should be able to reboot into a working Alpine syste
# reboot
```
When booting up your screen might appear blank, this is the encryption prompt. Enter the encryption key and press enter to boot.
> Do note that "Linux Boot Manager" will have to be set to load first in your bios.
When booting up your screen might appear blank, this is the encryption prompt. Enter the encryption key and press enter to boot.
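Review bot: the tip `"Linux Boot Manager" will have to be set to load first in your bios` is now stale: this commit replaced `gummiboot install --path=/efi`, which registered that NVRAM boot entry, with a plain copy to the removable-media fallback path `/esp/efi/boot/bootx64.efi`, so no `Linux Boot Manager` entry will exist and the firmware boots the disk through the default `bootx64.efi` path unless an entry is created separately (for example with `efibootmgr`). Also write `BIOS` as the provisioning page in this commit does.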

View file

@ -1,37 +0,0 @@
# Init system
## OpenRC
Alpine Linux uses OpenRC as init system which has a few configuration options that can be changed. Most options are already explained in the `/etc/rc.conf` file which has to be edited.
### Parallel services
The boot process can be sped up if services are launched parallel (do note that this *can* potentially lock the boot process).
```
rc_parallel="YES"
```
### Logging
What is more important is enabling the logger which logs the rc process. Enable it by setting:
```
rc_logger="YES"
```
To also log the kernel add `klogd`.
```
# apk add sysklogd
# rc-update add klogd boot
```
You can view the logs in `/var/log/dmesg` and `/var/log/messages`.
## User services using runit
If `home-manager` has been initialised and logged into the Wayfire session then it should have started a lot of services automatically. These are created and managed through `home-manager`.
The help and manual pages of `runit` explain how to use `sv` to manage the services.
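Review bot: deleting this file drops the `Parallel services` (`rc_parallel`) section and the `User services using runit` section, and neither reappears in the new `logging.md` added in this commit (only the `rc_logger`/`klogd` part moved). If that is intended, the commit message should say so; otherwise the runit paragraph, which the pods page touched in this same commit still relies on (`~/.config/sv/<pod-name>/conf`), needs a new home.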

View file

@ -0,0 +1,16 @@
# Logging
Enable the logger to log the rc-processes by editing `/etc/rc.conf`
```
rc_logger="YES"
```
To also log the kernel add `klogd`.
```
# apk add sysklogd
# rc-update add klogd boot
```
You can view the logs in `/var/log/dmesg` and `/var/log/messages`.
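Review bot: `rc_logger="YES"` makes OpenRC write its log to `/var/log/rc.log` by default (`rc_log_path`), whereas `/var/log/dmesg` and `/var/log/messages` come from the `klogd`/syslog setup, so `You can view the logs in /var/log/dmesg and /var/log/messages` should also list `/var/log/rc.log`. The lead-in `Enable the logger to log the rc-processes by editing /etc/rc.conf` is missing its trailing colon.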

View file

@ -4,7 +4,7 @@ It might be nice to add a user to your system.
## Wheel
Before creating the user install `doas`, to use when root is required:
Before creating the user, install `doas`. To be able to "do as" root when it is required:
```
# apk add doas
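Review bot: the new sentence `Before creating the user, install doas. To be able to "do as" root when it is required:` leaves a fragment dangling before the code block; something like `Before creating the user, install doas, which lets a user "do as" root when that is required:` keeps the pun without the broken clause.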
@ -18,7 +18,7 @@ permit nopasss :_power cmd /sbin/poweroff
permit nopasss :_power cmd /sbin/reboot
```
and create a `_power` group for users to be able to poweroff the system without root:
and create a `_power` group for users to be able to power off the system without root:
```
# addgroup -S _power
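Review bot: the context lines `permit nopasss :_power cmd /sbin/poweroff` and `permit nopasss :_power cmd /sbin/reboot` misspell the `nopass` keyword; `doas` treats an unknown option as a syntax error and then refuses every request, so correct it to `nopass` while this file is being touched.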

View file

@ -12,61 +12,74 @@ To set it up `setup-interfaces` and `setup-apkrepos` will be used.
A few packages will have to be installed first:
```
# apk add cryptsetup lvm2 lsblk e2fsprogs gptfdisk dosfstools acpid
# apk add e2fsprogs cryptsetup lvm2 lsblk sgdisk wipefs dosfstools acpid
```
The drive should be partitioned using `gdisk` (or `cfdisk`). It should have atleast two partitions with one `EFI System` partition and one `Linux filesystem` partition and look something like this:
| Number of partition | Size | Type |
|:-----:|:-----:|:-----:|
| 1 | 512 MB or more | EFI System |
| 2 | Rest of the drive | Linux filesystem |
Then to create the filesystem on the efi partition.
Wipe the existing disk partitions
```
# mkfs.fat -F 32 -n efi /dev/<disk1>
# wipefs -a /dev/<disk>
# sgdisk --zap-all /dev/<disk>
```
The root partition of the system is going to be encrypted using `cryptsetup`. First generate a key that will be used to encrypt the device and save it temporarily to the file `/tmp/crypt-key.txt` with:
Create on the disk an `EFI system` partition (ESP) and a `Linux filesystem` partition
```
# cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1 > /tmp/crypt-key.txt && cat /tmp/crypt-key.txt
# sgdisk -n 1:1m:+512m -t 1:ef00 /dev/<disk>
# sgdisk -n 2:0:-10m -t 2:8300 /dev/<disk>
```
Later on in the guide `clevis` will be used for automatic decryption so this key only has to be entered a few times. However, if any changes are made to the bios or secureboot then this key will be needed again so make sure to write it down.
Reload the device nodes
```
# mdev -s
```
Then, format the ESP with a FAT32 filesystem
```
# mkfs.fat -F 32 -n esp /dev/<disk>1
```
## Volume group creation
The root partition of the system is going to be encrypted using `cryptsetup`. First generate a key that will be used to encrypt the device and save it temporarily to the file `/tmp/luks.key` with:
```
# cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1 > /tmp/luks.key && cat /tmp/luks.key
```
> Later on in the guide `clevis` will be used for automatic decryption. So, this key only has to be entered a few times. However, if any changes are made to the BIOS or secure-boot then this key will be needed again, so make sure to write it down.
Then format the partition using `cryptsetup`:
```
# cryptsetup luksFormat /dev/<disk2> --type luks2 --cipher aes-xts-plain64 --hash sha512 --iter-time 4000 --key-size 512 --pbkdf argon2id --verify-passphrase
# cryptsetup luksFormat /dev/<disk>2 --type luks2 --cipher aes-xts-plain64 --hash sha512 --iter-time 4000 --key-size 512 --pbkdf argon2id
[Enter the generated key]
# cryptsetup open --type luks /dev/<disk2> luks
```
Now to create a new LVM volume group, choose $n \in \mathbb{N}$ accordingly:
Create the LVM volume group
```
# vgcreate vg<n> /dev/mapper/luks
# vgcreate vg /dev/mapper/luks
```
Then create partitions inside the volume group:
```
# lvcreate --name alp_root -L 24G vg<n>
# lvcreate --name alp_var -L 8G vg<n>
# lvcreate --name alp_nix -L 32G vg<n>
# lvcreate --name alp_home -l 100%FREE vg<n>
# lvcreate --name alpine_root -L 24G vg
# lvcreate --name home -L <home-quota> vg
# lvcreate --name var -L 16G vg
# lvcreate --name nix -L 32G vg
```
Now the home partition fills the entirety of the volume group. These sizes should be changed depending on the needs of the user.
> Setting the `<home-quota>` depends on the total size of the volume group, generally try to reserve some empty space in the volume group.
To create the filesystems on the logical partitions:
Create the filesystems on the logical partitions:
```
for i in root var nix home; do
> mkfs.ext4 /dev/vg<n>/alp_$i
for i in alpine_root home var nix; do
> mkfs.ext4 /dev/vg/$i
> done
```
Other filesystems can also be used but `ext4` is the standard for most Linux distrobutions.
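Review bot: the unchanged line `# cryptsetup open --type luks /dev/<disk2> luks` still uses the old `<disk2>` placeholder while the new `luksFormat`, `sgdisk` and `mkfs.fat` lines switched to `/dev/<disk>2`; update it so readers do not take `<disk2>` for a different device. In `# apk add e2fsprogs cryptsetup lvm2 lsblk sgdisk wipefs dosfstools acpid`, check that `wipefs` resolves as an Alpine package name (it is a util-linux utility, so it may need the util-linux package or the `cmd:wipefs` form), otherwise the whole `apk add` fails. Dropping `--verify-passphrase` from `luksFormat` is reasonable given the key is generated, but the page should remind readers that `/tmp/luks.key` is the only copy and is gone after reboot, which is why the note says to write it down. Two typos in context lines: `atleast` and `distrobutions`.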

View file

@ -32,7 +32,7 @@ Then install Alpine Linux
> This will also add `grub` as bootloader which will be replaced but for now it will reside on the ESP.
To make it possible to chroot into the system, mount the other directories:
To have a functional chroot into the system, bind the system process directories
```
# for i in dev proc sys run; do
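Review bot: same as the installation page: the new lead-in `To have a functional chroot into the system, bind the system process directories` lost the trailing colon that the sentence it replaces had.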
@ -168,7 +168,7 @@ Sign the bootloader with `sbctl`
# sbctl sign -s /esp/efi/boot/bootx64.efi
```
And also remove some remnants of `grub`.
and also remove some remnants of `grub`.
```
# rm -rf /boot/grub

View file

@ -83,7 +83,7 @@ and make it executable with
$ chmod +x ~/.local/bin/checkpod
```
To run a pod configured with `~/.config/pods/<pod-name>/<pod-name>.yml`, see [alpine-server]() for examples, create `~/.config/sv/<pod-name>/conf`
To run a pod configured with `~/.config/pods/<pod-name>/<pod-name>.yml`, see [alpine-server](https://git.bijl.us/luc/alpine-server) for examples, create `~/.config/sv/<pod-name>/conf`
```
name="<pod-name>"

View file

@ -49,9 +49,9 @@ nav:
- 'Post installation':
- 'Network': alpine-desktop-setup/post-install/network.md
- 'Repositories': alpine-desktop-setup/post-install/repositories.md
- 'Security': alpine-desktop-setup/post-install/security.md
- 'Init system': alpine-desktop-setup/post-install/init-system.md
- 'Firmware and drivers': alpine-desktop-setup/post-install/drivers.md
- 'Security': alpine-desktop-setup/post-install/security.md
- 'Logging': alpine-desktop-setup/post-install/logging.md
- 'Swap': alpine-desktop-setup/post-install/swap.md
- 'Power management': alpine-desktop-setup/post-install/power-management.md
- 'Users': alpine-desktop-setup/post-install/users.md