diff --git a/docs/alpine-server-setup/installation.md b/docs/alpine-server-setup/installation.md index 033545c..e3f0d2e 100644 --- a/docs/alpine-server-setup/installation.md +++ b/docs/alpine-server-setup/installation.md @@ -2,14 +2,14 @@ To install the Alpine Linux distribution on the system, the datasets of the system pool and the EFI partitions have to be mounted to the main system. -First import and decrypt the system pool +First import and decrypt the system pool. ``` # zpool import -N -R /mnt tank # zfs load-key -L file:///tmp/tank.key tank ``` -Mount the datasets in the system pool and decrypt the home dataset +Mount the datasets in the system pool and decrypt the home dataset. ``` # zfs mount tank/root/alpine @@ -17,26 +17,27 @@ Mount the datasets in the system pool and decrypt the home dataset # zfs mount tank/var ``` -Mount the ESP +Mount the ESP. ``` # mkdir /mnt/esp # mount /dev/md/esp /mnt/esp -t vfat ``` -Then install Alpine Linux +Then install Alpine Linux. ``` +# export BOOTLOADER=none # setup-disk -m sys /mnt ``` > This will also add `grub` as bootloader which will be replaced but for now it will reside on the ESP. -To have a functional chroot into the system, bind the system process directories +To have a functional chroot into the system, bind the system process directories. ``` -# for i in dev proc sys run; do -> mount --rbind --make-rslave /$i /mnt/$i +# for dir in dev proc sys run; do +> mount --rbind --make-rslave /$dir /mnt/$dir > done # chroot /mnt ``` @@ -66,7 +67,7 @@ clock_hctosys="NO" clock_systohc="NO" ``` -Configure the ESP raid array to mount +Configure the ESP raid array to mount. ``` # modprobe raid1 @@ -76,7 +77,7 @@ Configure the ESP raid array to mount # rc-update add mdadm-raid boot ``` -Configure ZFS to mount +Configure ZFS to mount. ``` rc-update add zfs-import sysinit 
@@ -139,7 +140,7 @@ Use `sbctl` to create secureboot keys and sign them. > Whilst enrolling the keys it might be necessary to add the `--microsoft` flag if you are unable to use custom keys. -Set the cache-file of the ZFS pool +Set the cache-file of the ZFS pool. ``` # zpool set cachefile=/etc/zfs/zpool.cache tank @@ -162,13 +163,15 @@ As discussed earlier `grub` will be replaced, install `gummiboot` as a bootloade # cp /usr/lib/gummiboot/gummibootx64.efi /esp/efi/boot/bootx64.efi ``` -Sign the bootloader with `sbctl` +Sign the bootloader with `sbctl`. ``` # sbctl sign -s /esp/efi/boot/bootx64.efi ``` -and also remove some remnants of `grub`. +> One may verify the signed files by running `sbctl verify`, in this case `ESP_PATH=/esp` should be defined to work properly. + +Remove some remnants of `grub`. ``` # rm -rf /boot/grub diff --git a/docs/alpine-server-setup/post-install/containers.md b/docs/alpine-server-setup/post-install/containers.md index de6ebaa..9fe7309 100644 --- a/docs/alpine-server-setup/post-install/containers.md +++ b/docs/alpine-server-setup/post-install/containers.md @@ -20,7 +20,7 @@ Set up the network namespace configuration for the user ``` # modprobe tun -# echo tun >> /etc/modules +# echo tun >> /etc/modules-load.d/tun.conf # for i in subuid subgid; do > echo :100000:65536 >> /etc/$i > done diff --git a/docs/alpine-server-setup/post-install/security.md b/docs/alpine-server-setup/post-install/security.md index 3d8c2f0..64f075c 100644 --- a/docs/alpine-server-setup/post-install/security.md +++ b/docs/alpine-server-setup/post-install/security.md 
@@ -50,12 +50,11 @@ After reconfiguring `kernel-hooks` try to reboot and it should boot. Although th ### Sysctl -More kernel settings can be configured through sysctl. Edit `/etc/sysctl.d/main.conf`: +More kernel settings can be configured through sysctl. + +Create `/etc/sysctl.d/kernel.conf`: ``` -# Main security configuration. - -## Kernel kernel.kptr_restrict=2 kernel.dmesg_restrict=1 kernel.printk=3 3 3 3 @@ -65,10 +64,17 @@ dev.tty.ldisc_autoload=0 kernel.kexec_load_disabled=1 kernel.sysrq=0 kernel.perf_event_paranoid=3 +``` -## Network +Create `/etc/sysctl.d/network.conf`: + +``` +net.ipv4.icmp_echo_ignore_all=1 net.ipv4.tcp_syncookies=1 net.ipv4.tcp_rfc1337=1 +net.ipv4.tcp_sack=0 +net.ipv4.tcp_dsack=0 +net.ipv4.tcp_fack=0 net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1 net.ipv4.conf.all.accept_redirects=0 @@ -77,14 +83,13 @@ net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0 net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 -net.ipv4.icmp_echo_ignore_all=1 net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 -net.ipv4.tcp_sack=0 -net.ipv4.tcp_dsack=0 -net.ipv4.tcp_fack=0 +``` -## User space +Create `/etc/sysctl.d/user.conf`: + +``` kernel.yama.ptrace_scope=2 vm.mmap_rnd_bits=32 vm.mmap_rnd_compat_bits=16 @@ -92,8 +97,11 @@ fs.protected_symlinks=1 fs.protected_hardlinks=1 fs.protected_fifos=2 fs.protected_regular=2 +``` -## For hardened_malloc +Create `/etc/sysctl.d/malloc.conf`: + +``` vm.max_map_count=1048576 ``` diff --git a/docs/alpine-server-setup/post-install/users.md b/docs/alpine-server-setup/post-install/users.md index eafee41..49b82d4 100644 --- a/docs/alpine-server-setup/post-install/users.md +++ b/docs/alpine-server-setup/post-install/users.md 
@@ -10,7 +10,7 @@ Before creating the user, install `doas`. To be able to "do as" root when it is # apk add doas ``` -Configure `doas` through `/etc/doas.d/main.conf`: +Configure `doas` through `/etc/doas.d/wheel.conf`: ``` permit persist :wheel as root
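Review bot: In installation.md the new `# export BOOTLOADER=none` before `setup-disk -m sys /mnt` contradicts the unchanged blockquote right below it ("This will also add `grub` as bootloader which will be replaced"), and the later "As discussed earlier `grub` will be replaced" and `rm -rf /boot/grub` steps still assume grub was installed. If `BOOTLOADER=none` makes setup-disk skip the bootloader, rewrite the blockquote and drop the grub-remnant cleanup; if it does not, the export is misleading and should go. Either way the page should say which it is.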
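Review bot: The added verification blockquote in installation.md describes the environment variable in prose ("`ESP_PATH=/esp` should be defined") where the rest of the page gives commands; state it as the command the reader types, e.g. `# ESP_PATH=/esp sbctl verify`, directly after the `sbctl sign` block rather than as an aside, since checking the signature on the bootloader is a step a reader should not skip. "should be defined to work properly" is also vague: say that without it sbctl will not find the ESP mounted at `/esp`.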
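Review bot: In containers.md `echo tun >> /etc/modules-load.d/tun.conf` appends rather than creates; the file is dedicated to this one module, so use `>` so that re-running the step stays idempotent, and create the directory first (`mkdir -p /etc/modules-load.d`) since the redirection fails if it is absent. The hunk also drops the `/etc/modules` entry silently; add a sentence confirming that the `modules` boot service reads `/etc/modules-load.d/*.conf` (verify on the target OpenRC version) so readers who already have `tun` in `/etc/modules` from the older text know the two are equivalent.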
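Review bot: security.md now tells the reader to create `/etc/sysctl.d/kernel.conf` but never removes the `/etc/sysctl.d/main.conf` the previous revision created, so anyone updating an existing install ends up with two files setting the same keys, and because `main.conf` sorts after `kernel.conf` the stale file wins for any key that is later changed in the new one. Add an `# rm /etc/sysctl.d/main.conf` step or a migration note, and mention that `sysctl.d` files are applied in lexical order.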
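Review bot: `network.conf` in security.md contains only IPv4 keys; the redirect and source-route hardening has IPv6 counterparts (`net.ipv6.conf.all.accept_redirects=0`, `net.ipv6.conf.default.accept_redirects=0`, `net.ipv6.conf.all.accept_source_route=0` and the `default.` variant) that should be set alongside them, otherwise the host is hardened on one stack only. The file also moves `net.ipv4.tcp_sack=0`, `tcp_dsack=0` and `tcp_fack=0` in without comment: disabling SACK costs throughput on lossy links and `tcp_fack` is a no-op on current kernels, so each deserves a one-line rationale; likewise `net.ipv4.icmp_echo_ignore_all=1` breaks ping-based monitoring and should be introduced by a sentence saying so.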
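Review bot: `user.conf` sets `kernel.yama.ptrace_scope=2`, which only exists when the Yama LSM is built into the kernel and which blocks ptrace for all non-root users (no `gdb -p`, `strace -p` or crash-handler attach); with the `## User space` comment gone, the page should state that consequence and that a missing key makes `sysctl --system` report an error for the file. `vm.mmap_rnd_bits=32` is the x86_64 maximum and the valid range is architecture dependent, so say the value assumes x86_64.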
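Review bot: The `## For hardened_malloc` comment is dropped when `vm.max_map_count=1048576` moves to `malloc.conf`, so the page no longer says why the limit is raised. Keep the rationale as a sentence before the block (hardened_malloc creates far more mappings than the default limit allows because of its guard pages and slab regions) so a reader who does not install hardened_malloc knows this file is optional.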
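Review bot: In users.md the rename from `/etc/doas.d/main.conf` to `/etc/doas.d/wheel.conf` has no migration step; a reader who followed the earlier revision and re-runs this keeps both files, with `permit persist :wheel as root` present twice. Add an `rm /etc/doas.d/main.conf` note, and since the same `main.conf` rename happens in security.md, one "migrating from earlier versions" note covering both would be cleaner than repeating it per page.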