From 545d63dd1534cdbbb97980af828734fc3acfbb13 Mon Sep 17 00:00:00 2001
From: Luc
Date: Sat, 31 Aug 2024 12:53:55 +0200
Subject: [PATCH] Updated provisioning and installation in alpine-desktop install.
---
 docs/alpine-desktop-setup/installation.md | 80 ++++++++++---------
 .../post-install/init-system.md | 37 ---------
 .../post-install/logging.md | 16 ++++
 .../post-install/users.md | 4 +-
 docs/alpine-desktop-setup/provisioning.md | 65 +++++++++------
 docs/alpine-server-setup/installation.md | 4 +-
 .../post-install/containers.md | 2 +-
 mkdocs.yml | 4 +-
 8 files changed, 103 insertions(+), 109 deletions(-)
 delete mode 100644 docs/alpine-desktop-setup/post-install/init-system.md
 create mode 100644 docs/alpine-desktop-setup/post-install/logging.md
diff --git a/docs/alpine-desktop-setup/installation.md b/docs/alpine-desktop-setup/installation.md
index fc78875..b7c6336 100644
--- a/docs/alpine-desktop-setup/installation.md
+++ b/docs/alpine-desktop-setup/installation.md
@@ -1,22 +1,22 @@
 # Installation
-To install the Alpine Linux distribution on the system, the encrypted partition and the efi partition have to be mounted to the main system.
+To install the Alpine Linux distribution on the system, the alpine root partition and the EFI partition have to be mounted to the main system.
 ```
-# mount /dev/vg/alp_root /mnt -t ext4
-# mkdir /mnt/efi -p
-# mount /dev/ /mnt/efi -t vfat
+# mount /dev/vg/alpine_root /mnt -t ext4
+# mkdir /mnt/esp
+# mount /dev/disk/by-label/esp /mnt/esp -t vfat
 ```
-Then set up the base system using `setup-disk`:
+Then install Alpine Linux using `setup disk`
 ```
 # setup-disk -m sys /mnt
 ```
-This will also add grub as bootloader which will be replaced but for now it will reside on the boot partition.
+> This will also add `grub` as bootloader which will be replaced but for now it will reside on the ESP.
-To make it possible to chroot into the system, mount the other directories:
+To have a functional chroot into the system, bind the system process directories
 ```
 # for i in dev proc sys run; do
@@ -35,7 +35,8 @@ The other setup scripts can be used to configure key aspects of the system. Besi
 # rc-update add acpid default
 # rc-update add lvm boot
 # rc-update add seedrng boot
-# rm -rf /var/tmp ; ln -s /tmp /var/tmp
+# rm -rf /var/tmp
+# ln -s /tmp /var/tmp
 # passwd root
 ```
@@ -49,19 +50,19 @@ clock_hctosys="NO"
 clock_systohc="NO"
 ```
-Edit `/etc/fstab` for correct mounts:
+Edit `/etc/fstab` for correct mounts
 ```
-/dev/disk/by-label/efi /efi vfat defaults,nodev,nosuid,noexec 0 2
-/dev/vg/alp_root / ext4 defaults,noatime 0 1
-/dev/vg/alp_home /home ext4 defaults,noatime,nosuid,nodev 0 2
-/dev/vg/alp_var /var ext4 defaults,nodev,nosuid,noexec 0 2
-/dev/vg/alp_nix /nix ext4 defaults,noatime,nodev,nosuid 0 2
-tmpfs /tmp tmpfs rw,size=4G,nr_inodes=5k,noexec,nodev,nosuid,mode=1777 0 0
-proc /proc proc nosuid,nodev,noexec,hidepid=2 0 0
+/dev/disk/by-label/esp /esp vfat defaults,nodev,nosuid,noexec 0 2
+/dev/vg/alpine_root / ext4 defaults,noatime 0 1
+/dev/vg/home /home ext4 defaults,noatime,nodev,nosuid 0 2
+/dev/vg/var /var ext4 defaults,nodev,nosuid,noexec 0 2
+/dev/vg/nix /nix ext4 defaults,noatime,nodev,nosuid 0 2
+tmpfs /tmp tmpfs rw,size=4G,nr_inodes=5k,nodev,nosuid,noexec,mode=1777 0 0
+proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0
 ```
-By default Alpine Linux uses `mkinitfs` to create initramfs, although it is minimal that also means that it lacks some functionality which is needed for a proper setup. Because of this `mkinitfs` and `grub-efi `will be replaced with `booster` and `secureboot-hook`.
+By default, Alpine Linux uses `mkinitfs` to create an initial ram filesystem, although it is minimal that also means that it lacks some functionality which is needed for a proper setup. Because of this `mkinitfs` and `grub-efi `will be replaced with `booster` and `secureboot-hook`.
 ```
 # apk add booster secureboot-hook sbctl
@@ -71,9 +72,9 @@ By default Alpine Linux uses `mkinitfs` to create initramfs, although it is mini
 To configure booster edit `/etc/booster.yaml`:
 ```
+enable_lvm: true
 busybox: false
 modules: vfat,nls_cp437,nls_iso8859_1
-enable_lvm: true
 ```
 The most important step is the creation of a UKI using `secureboot-hook` which also automatically signs them. First the hook itself will have to be tweaked to use `booster` instead of `mkinitfs`, edit `/etc/kernel-hooks.d/50-secureboot.hook` and change the line:
@@ -91,20 +92,19 @@ to:
 and configure `/etc/kernel-hooks.d/secureboot.conf` for cmdline and secureboot.
 ```
-cmdline="rw rd.luks.name==luks root=/dev/vg/alp_root modules=ext4 quiet splash rd.lvm.vg=vg"
+cmdline="rw rd.luks.name==luks rd.lvm.vg=vg root=/dev/vg/alpine_root modules=ext4 quiet splash"
 signing_cert="/usr/share/secureboot/keys/db/db.pem"
 signing_key="/usr/share/secureboot/keys/db/db.key"
-output_dir="/efi/EFI/Linux"
-
+output_dir="/esp/efi/linux"
 output_name="alpine-linux-{flavor}.efi"
 ```
-Here `` has to be replaced with the uuid of the partition which contains the volume group:
+Here `` has to be replaced with the UUID of the partition which contains the volume group:
 ```
-# blkid /dev/ >> /etc/kernel-hooks.d/secureboot.conf
+# blkid /dev/2 >> /etc/kernel-hooks.d/secureboot.conf
 ```
 Use `sbctl` to create secureboot keys and sign them.
@@ -112,7 +112,6 @@ Use `sbctl` to create secureboot keys and sign them.
 ```
 # sbctl create-keys
 # sbctl enroll-keys
-...
 ```
 > Whilst enrolling the keys it might be necessary to add the `--microsoft` flag if you are unable to use custom keys.
@@ -123,35 +122,40 @@ Now to see if everything went succesfully run:
 # apk fix kernel-hooks
 ```
-And it should give no warnings if done properly.
+and it should give no warnings if done properly.
 As discussed earlier `grub` will be replaced, install `gummiboot` as a bootloader.
 ```
 # apk add gummiboot
-# gummiboot install --path=/efi
-# sbctl sign -s /efi/EFI/gummiboot/gummibootx64.efi
-# sbctl sign -s /efi/EFI/Boot/BOOTX64.EFI
+# mkdir /esp/loader
+# mkdir /esp/efi/boot
+# cp /usr/lib/gummiboot/gummibootx64.efi /esp/efi/boot/bootx64.efi
 ```
-And also remove some remnants of `grub`.
+Sign the bootloader with `sbctl`
 ```
-# rm -rf /efi/EFI/alpine
-# rm -rf /efi/grub
+# sbctl sign -s /esp/efi/boot/bootx64.efi
+```
+
+and also remove some remnants of `grub`.
+
+```
+# rm -rf /boot/grub
 # rm -rf /etc/default
-# cd /boot && unlink boot
+# cd /boot && unlink boot && cd ..
 ```
-`gummiboot` can be configured with the file `/efi/loader/loader.conf` with which the timeout and the default OS can be specified.
+`gummiboot` can be configured with the file `/esp/loader/loader.conf` with which the timeout and the default OS can be specified.
 ```
-default alpine-linux-lts.efi
+default alpine-linux-.efi
 timeout 2
 editor no
 ```
-Before finishing the installation `networkmanager` will be installed for networking. Also install `networkmanager-wifi` and `wpa_supplicant` for wifi functionality.
+Before finishing the installation `networkmanager` will be installed for networking. Also install `networkmanager-wifi` and `wpa_supplicant` for Wi-Fi functionality.
 ```
 # apk add networkmanager networkmanager-wifi wpa_supplicant
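Review bot: The rewritten cleanup block (`rm -rf /boot/grub`, `rm -rf /etc/default`, the `unlink boot` line) no longer removes grub's files from the ESP, which the lines it replaces did (`/efi/EFI/alpine`, `/efi/grub`), so with the ESP now mounted at `/esp` whatever `setup-disk` installed there presumably remains next to the newly signed `bootx64.efi`. Under Secure Boot with your own db key those leftovers cannot boot, but they are dead, unsigned binaries on the boot medium; consider restoring the equivalent removal, e.g. `# rm -rf /esp/efi/alpine`, after confirming the directory name with `ls /esp/efi`. Separately, `mkdir /esp/efi/boot` relies on `/esp/efi` already existing (presumably created by grub); `mkdir -p /esp/efi/boot` would not depend on that.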
@@ -159,7 +163,7 @@ Before finishing the installation `networkmanager` will be installed for network
 # rc-update add networkmanager default
 ```
-Wifi will not yet work. For wifi configuration see the [network section](post-install/network).
+Wi-Fi will not yet work. For Wi-Fi configuration see the [network section](post-install/network).
 > If internet does not work after reboot create the config file as described in the [network section](post-install/network) and restart the service.
@@ -171,6 +175,4 @@ Now exit the chroot and you should be able to reboot into a working Alpine syste
 # reboot
 ```
-When booting up your screen might appear blank, this is the encryption prompt. Enter the encryption key and press enter to boot.
-
-> Do note that "Linux Boot Manager" will have to be set to load first in your bios.
+When booting up your screen might appear blank, this is the encryption prompt. Enter the encryption key and press enter to boot.
\ No newline at end of file
diff --git a/docs/alpine-desktop-setup/post-install/init-system.md b/docs/alpine-desktop-setup/post-install/init-system.md
deleted file mode 100644
index 812935b..0000000
--- a/docs/alpine-desktop-setup/post-install/init-system.md
+++ /dev/null
@@ -1,37 +0,0 @@
-# Init system
-
-## OpenRC
-
-Alpine Linux uses OpenRC as init system which has a few configuration options that can be changed. Most options are already explained in the `/etc/rc.conf` file which has to be edited.
-
-### Parallel services
-
-The boot process can be sped up if services are launched parallel (do note that this *can* potentially lock the boot process).
-
-```
-rc_parallel="YES"
-```
-
-### Logging
-
-What is more important is enabling the logger which logs the rc process. Enable it by setting:
-
-```
-rc_logger="YES"
-```
-
-To also log the kernel add `klogd`.
-
-```
-# apk add sysklogd
-# rc-update add klogd boot
-```
-
-You can view the logs in `/var/log/dmesg` and `/var/log/messages`.
-
-
-## User services using runit
-
-If `home-manager` has been initialised and logged into the Wayfire session then it should have started a lot of services automatically. These are created and managed through `home-manager`.
-
-The help and manual pages of `runit` explain how to use `sv` to manage the services.
diff --git a/docs/alpine-desktop-setup/post-install/logging.md b/docs/alpine-desktop-setup/post-install/logging.md
new file mode 100644
index 0000000..29e8b59
--- /dev/null
+++ b/docs/alpine-desktop-setup/post-install/logging.md
@@ -0,0 +1,16 @@
+# Logging
+
+Enable the logger to log the rc-processes by editing `/etc/rc.conf`
+
+```
+rc_logger="YES"
+```
+
+To also log the kernel add `klogd`.
+
+```
+# apk add sysklogd
+# rc-update add klogd boot
+```
+
+You can view the logs in `/var/log/dmesg` and `/var/log/messages`.
\ No newline at end of file
diff --git a/docs/alpine-desktop-setup/post-install/users.md b/docs/alpine-desktop-setup/post-install/users.md
index 0488876..665ad96 100644
--- a/docs/alpine-desktop-setup/post-install/users.md
+++ b/docs/alpine-desktop-setup/post-install/users.md
@@ -4,7 +4,7 @@ It might be nice to add a user to your system.
 ## Wheel
-Before creating the user install `doas`, to use when root is required:
+Before creating the user, install `doas`. To be able to "do as" root when it is required:
 ```
 # apk add doas
@@ -18,7 +18,7 @@ permit nopasss :_power cmd /sbin/poweroff
 permit nopasss :_power cmd /sbin/reboot
 ```
-and create a `_power` group for users to be able to poweroff the system without root:
+and create a `_power` group for users to be able to power off the system without root:
 ```
 # addgroup -S _power
diff --git a/docs/alpine-desktop-setup/provisioning.md b/docs/alpine-desktop-setup/provisioning.md
index 5c62030..194b40e 100644
--- a/docs/alpine-desktop-setup/provisioning.md
+++ b/docs/alpine-desktop-setup/provisioning.md
@@ -12,61 +12,74 @@ To set it up `setup-interfaces` and `setup-apkrepos` will be used.
 A few packages will have to be installed first:
 ```
-# apk add cryptsetup lvm2 lsblk e2fsprogs gptfdisk dosfstools acpid
+# apk add e2fsprogs cryptsetup lvm2 lsblk sgdisk wipefs dosfstools acpid
 ```
-The drive should be partitioned using `gdisk` (or `cfdisk`). It should have atleast two partitions with one `EFI System` partition and one `Linux filesystem` partition and look something like this:
-
-| Number of partition | Size | Type |
-|:-----:|:-----:|:-----:|
-| 1 | 512 MB or more | EFI System |
-| 2 | Rest of the drive | Linux filesystem |
-
-Then to create the filesystem on the efi partition.
+Wipe the existing disk partitions
 ```
-# mkfs.fat -F 32 -n efi /dev/
+# wipefs -a /dev/
+# sgdisk --zap-all /dev/
 ```
-The root partition of the system is going to be encrypted using `cryptsetup`. First generate a key that will be used to encrypt the device and save it temporarily to the file `/tmp/crypt-key.txt` with:
+Create on the disk an `EFI system` partition (ESP) and a `Linux filesystem` partition
 ```
-# cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1 > /tmp/crypt-key.txt && cat /tmp/crypt-key.txt
+# sgdisk -n 1:1m:+512m -t 1:ef00 /dev/
+# sgdisk -n 2:0:-10m -t 2:8300 /dev/
 ```
-Later on in the guide `clevis` will be used for automatic decryption so this key only has to be entered a few times. However, if any changes are made to the bios or secureboot then this key will be needed again so make sure to write it down.
+Reload the device nodes
+
+```
+# mdev -s
+```
+
+Then, format the ESP with a FAT32 filesystem
+
+```
+# mkfs.fat -F 32 -n esp /dev/1
+```
+
+## Volume group creation
+
+The root partition of the system is going to be encrypted using `cryptsetup`. First generate a key that will be used to encrypt the device and save it temporarily to the file `/tmp/luks.key` with:
+
+```
+# cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1 > /tmp/luks.key && cat /tmp/luks.key
+```
+
+> Later on in the guide `clevis` will be used for automatic decryption. So, this key only has to be entered a few times. However, if any changes are made to the BIOS or secure-boot then this key will be needed again, so make sure to write it down.
 Then format the partition using `cryptsetup`:
 ```
-# cryptsetup luksFormat /dev/ --type luks2 --cipher aes-xts-plain64 --hash sha512 --iter-time 4000 --key-size 512 --pbkdf argon2id --verify-passphrase
+# cryptsetup luksFormat /dev/2 --type luks2 --cipher aes-xts-plain64 --hash sha512 --iter-time 4000 --key-size 512 --pbkdf argon2id
 [Enter the generated key]
 # cryptsetup open --type luks /dev/ luks
 ```
-Now to create a new LVM volume group, choose $n \in \mathbb{N}$ accordingly:
+Create the LVM volume group
 ```
-# vgcreate vg /dev/mapper/luks
+# vgcreate vg /dev/mapper/luks
 ```
 Then create partitions inside the volume group:
 ```
-# lvcreate --name alp_root -L 24G vg
-# lvcreate --name alp_var -L 8G vg
-# lvcreate --name alp_nix -L 32G vg
-# lvcreate --name alp_home -l 100%FREE vg
+# lvcreate --name alpine_root -L 24G vg
+# lvcreate --name home -L vg
+# lvcreate --name var -L 16G vg
+# lvcreate --name nix -L 32G vg
 ```
-Now the home partition fills the entirety of the volume group. These sizes should be changed depending on the needs of the user.
+> Setting the `` depends on the total size of the volume group, generally try to reserve some empty space in the volume group.
-To create the filesystems on the logical partitions:
+Create the filesystems on the logical partitions:
 ```
-for i in root var nix home; do
-> mkfs.ext4 /dev/vg/alp_$i
+for i in alpine_root home var nix; do
+> mkfs.ext4 /dev/vg/$i
 > done
 ```
-
-Other filesystems can also be used but `ext4` is the standard for most Linux distrobutions.
diff --git a/docs/alpine-server-setup/installation.md b/docs/alpine-server-setup/installation.md
index efbac8f..033545c 100644
--- a/docs/alpine-server-setup/installation.md
+++ b/docs/alpine-server-setup/installation.md
@@ -32,7 +32,7 @@ Then install Alpine Linux
 > This will also add `grub` as bootloader which will be replaced but for now it will reside on the ESP.
-To make it possible to chroot into the system, mount the other directories:
+To have a functional chroot into the system, bind the system process directories
 ```
 # for i in dev proc sys run; do
@@ -168,7 +168,7 @@ Sign the bootloader with `sbctl`
 # sbctl sign -s /esp/efi/boot/bootx64.efi
 ```
-And also remove some remnants of `grub`.
+and also remove some remnants of `grub`.
 ```
 # rm -rf /boot/grub
diff --git a/docs/alpine-server-setup/post-install/containers.md b/docs/alpine-server-setup/post-install/containers.md
index 1bf44c1..de6ebaa 100644
--- a/docs/alpine-server-setup/post-install/containers.md
+++ b/docs/alpine-server-setup/post-install/containers.md
@@ -83,7 +83,7 @@ and make it executable with
 $ chmod +x ~/.local/bin/checkpod
 ```
-To run a pod configured with `~/.config/pods//.yml`, see [alpine-server]() for examples, create `~/.config/sv//conf`
+To run a pod configured with `~/.config/pods//.yml`, see [alpine-server](https://git.bijl.us/luc/alpine-server) for examples, create `~/.config/sv//conf`
 ```
 name=""
diff --git a/mkdocs.yml b/mkdocs.yml
index e9f14be..7e98742 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
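Review bot: The new `luksFormat` line targets `/dev/2` (the second partition created by the `sgdisk -n 2:…` step), but the unchanged `cryptsetup open --type luks /dev/ luks` line directly below it still names the bare device, so the two commands no longer agree on which partition is meant; it should read `# cryptsetup open --type luks /dev/2 luks`. The `<disk>`-style placeholders appear to have been stripped in rendering, so this may only be a display artifact — worth checking against the raw markdown, as is the missing size in `# lvcreate --name home -L vg`. Dropping `--verify-passphrase` from `luksFormat` also means a mistyped key is only discovered at the `open` step; keeping the flag costs one extra prompt and guards the only copy of a key the reader is told to write down.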
@@ -49,9 +49,9 @@ nav:
 - 'Post installation':
 - 'Network': alpine-desktop-setup/post-install/network.md
 - 'Repositories': alpine-desktop-setup/post-install/repositories.md
- - 'Security': alpine-desktop-setup/post-install/security.md
- - 'Init system': alpine-desktop-setup/post-install/init-system.md
 - 'Firmware and drivers': alpine-desktop-setup/post-install/drivers.md
+ - 'Security': alpine-desktop-setup/post-install/security.md
+ - 'Logging': alpine-desktop-setup/post-install/logging.md
 - 'Swap': alpine-desktop-setup/post-install/swap.md
 - 'Power management': alpine-desktop-setup/post-install/power-management.md
 - 'Users': alpine-desktop-setup/post-install/users.md