Added initial Gentoo Desktop installation
parent
b18efc9901
commit
bbe799a65d
4 changed files with 454 additions and 0 deletions
5
docs/gentoo-desktop-setup/index.md
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
# A Gentoo Linux Desktop installation
|
||||||
|
|
||||||
|
This guide will demonstrate how to install [Gentoo Linux](https://www.gentoo.org/) on a desktop. It is meant to be used as a quick overview of all the necessities. It is recommended to read the [Handbook](https://wiki.gentoo.org/wiki/Handbook:AMD64) before attepting this installation.
|
||||||
|
|
||||||
|
This Gentoo installation covers how to install Gentoo Musl AMD64 with UEFI secureboot on an encrypted ZFS root which will be automatically decrypted upon boot using [Zlevis](https://git.bijl.us/luc/zlevis). It will also show how to create a functional graphical session using [River](https://isaacfreund.com/software/river/).
|
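Review bot: typo in the second paragraph, "attepting" should read "attempting"; in the third paragraph "UEFI secureboot" would be clearer as "UEFI Secure Boot", the name used by the specification and by sbctl, so readers searching for the feature find it.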
355
docs/gentoo-desktop-setup/installation.md
Normal file
|
@ -0,0 +1,355 @@
|
||||||
|
Now is the time to actually install Gentoo.
|
||||||
|
|
||||||
|
First import the pool again:
|
||||||
|
|
||||||
|
```
|
||||||
|
# zpool import -N -R /mnt rpool
|
||||||
|
# zfs load-key -L file:///tmp/rpool.key rpool
|
||||||
|
```
|
||||||
|
|
||||||
|
Then mount the datasets and the ESP on `/mnt`:
|
||||||
|
|
||||||
|
```
|
||||||
|
# mount -t zfs rpool/root/gentoo /mnt
|
||||||
|
# mkdir /mnt/var
|
||||||
|
# mount -t zfs rpool/root/gentoo/var /mnt/var
|
||||||
|
# mkdir /mnt/efi
|
||||||
|
# mount -t vfat /dev/disk/by-label/esp /mnt/efi
|
||||||
|
```
|
||||||
|
|
||||||
|
Now we're going to fetch a stage3 tarball for on the root of the system. Replace the `<release_date>` with the latest tarball release.
|
||||||
|
|
||||||
|
```
|
||||||
|
# cd /mnt
|
||||||
|
# wget https://distfiles.gentoo.org/releases/amd64/autobuilds/current-stage3-amd64-musl-hardened/stage3-amd64-musl-hardened-<release_date>.tar.xz
|
||||||
|
```
|
||||||
|
|
||||||
|
> There are also other mirrors like `https://ftp.snt.utwente.nl/pub/os/linux/gentoo/releases/amd64/autobuilds/current-stage3-amd64-musl-hardened/` which might provide a faster download depending on your location. Check out <https://www.gentoo.org/downloads/mirrors/> for other mirrors.
|
||||||
|
|
||||||
|
> It is also possible to use `links` instead of `wget` which provides a small user interface for navigation: `# links https://distfiles.gentoo.org/releases/amd64/autobuilds/current-stage3-amd64-musl-hardened`
|
||||||
|
|
||||||
|
Unpack it in the new root:
|
||||||
|
|
||||||
|
```
|
||||||
|
# tar xpvf stage3-*.tar.xz --numeric-owner
|
||||||
|
```
|
||||||
|
|
||||||
|
Then before finally chrooting into the system simply copy over the `resolv.conf` for internet connection inside the chroot.
|
||||||
|
|
||||||
|
```
|
||||||
|
# cp /etc/resolv.conf /mnt/etc/.
|
||||||
|
# cp /tmp/rpool.key /mnt/tmp
|
||||||
|
# for i in dev proc sys run; do
|
||||||
|
mount --rbind --make-rslave /$i /mnt/$i
|
||||||
|
done
|
||||||
|
# chroot /mnt
|
||||||
|
```
|
||||||
|
|
||||||
|
## Configuring the system
|
||||||
|
|
||||||
|
### Portage
|
||||||
|
|
||||||
|
Before installing any software first edit `/etc/portage/make.conf` which acts as the main configuration file for portage. A Gentoo installation is highly personal so diverting from these settings is encouraged. Here's an example file:
|
||||||
|
|
||||||
|
```
|
||||||
|
# Please consult /usr/share/portage/config/make.conf.example for a more
|
||||||
|
# detailed example.
|
||||||
|
COMMON_FLAGS="-march=native -O2 -pipe"
|
||||||
|
CFLAGS="${COMMON_FLAGS}"
|
||||||
|
CXXFLAGS="${COMMON_FLAGS}"
|
||||||
|
FCFLAGS="${COMMON_FLAGS}"
|
||||||
|
FFLAGS="${COMMON_FLAGS}"
|
||||||
|
RUSTFLAGS="${RUSTFLAGS} -C target-cpu=native"
|
||||||
|
|
||||||
|
# MakeOpts
|
||||||
|
MAKEOPTS="-j7 -l5"
|
||||||
|
|
||||||
|
# WARNING: Changing your CHOST is not something that should be done lightly.
|
||||||
|
# Please consult https://wiki.gentoo.org/wiki/Changing_the_CHOST_variable before changing.
|
||||||
|
CHOST="x86_64-pc-linux-musl"
|
||||||
|
|
||||||
|
# NOTE: This stage was built with the bindist USE flag enabled
|
||||||
|
|
||||||
|
# This sets the language of build output to English.
|
||||||
|
# Please keep this setting intact when reporting bugs.
|
||||||
|
LC_MESSAGES=C.utf8
|
||||||
|
|
||||||
|
# Logging
|
||||||
|
PORTAGE_ELOG_CLASSES="log warn error"
|
||||||
|
PORTAGE_LOGDIR="/var/log/portage"
|
||||||
|
PORTAGE_LOGDIR_CLEAN="find \"\${PORTAGE_LOGDIR}\" -type f ! -name \"summary.log*\" -mtime +7 -delete"
|
||||||
|
|
||||||
|
# Only accept free licenses
|
||||||
|
ACCEPT_LICENSE="-* @FREE"
|
||||||
|
|
||||||
|
# USE flags
|
||||||
|
USE="${USE} networkmanager wayland dbus elogind -systemd policykit pam man udev pipewire initramfs secureboot modules-sign dist-kernel -gtkdoc" # ....
|
||||||
|
|
||||||
|
# Emerge settings
|
||||||
|
EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --with-bdeps y"
|
||||||
|
|
||||||
|
# For secureboot (will be necessary later)
|
||||||
|
SECUREBOOT_SIGN_KEY="/var/lib/sbctl/keys/db/db.key"
|
||||||
|
SECUREBOOT_SIGN_CERT="/var/lib/sbctl/keys/db/db.pem"
|
||||||
|
MODULES_SIGN_KEY="${SECUREBOOT_SIGN_KEY}"
|
||||||
|
MODULES_SIGN_CERT="${SECUREBOOT_SIGN_CERT}"
|
||||||
|
MODULES_SIGN_HASH="sha512"
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
> Don't forget to change the `MAKEOPTS` to match your CPU and also the `USEFLAGS` to your liking.
|
||||||
|
|
||||||
|
Now finally sync the repositories and try installing a package like `vim`.
|
||||||
|
|
||||||
|
```
|
||||||
|
# emaint sync
|
||||||
|
# emerge --ask --verbose app-editors/vim
|
||||||
|
```
|
||||||
|
|
||||||
|
In theory it should work.
|
||||||
|
|
||||||
|
|
||||||
|
### Fstab
|
||||||
|
|
||||||
|
Simply add these lines to the fstab:
|
||||||
|
|
||||||
|
```
|
||||||
|
rpool/root/gentoo / zfs rw,noatime,xattr,posixacl,casesensitive 0 1
|
||||||
|
rpool/root/gentoo/var /var zfs rw,noatime,nosuid,nodev,xattr,posixacl,casesensitive 0 2
|
||||||
|
/dev/disk/by-label/efi /efi vfat defaults,nodev,nosuid,noexec,umask=0077 0 2
|
||||||
|
tmpfs /tmp tmpfs rw,nodev,nosuid,noexec,mode=1777 0 0
|
||||||
|
proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0
|
||||||
|
```
|
||||||
|
|
||||||
|
### Date and time
|
||||||
|
|
||||||
|
First install `timezone-data`:
|
||||||
|
|
||||||
|
```
|
||||||
|
# emerge -av sys-libs/timezone-data
|
||||||
|
```
|
||||||
|
|
||||||
|
Create `/etc/env.d/00local` with:
|
||||||
|
|
||||||
|
```
|
||||||
|
TZ="/usr/share/zoneinfo/<region>/<city>"
|
||||||
|
```
|
||||||
|
|
||||||
|
Update the environment:
|
||||||
|
|
||||||
|
```
|
||||||
|
# env-update && source /etc/profile
|
||||||
|
```
|
||||||
|
|
||||||
|
Configure `hwclock` in `/etc/conf.d/hwclock`:
|
||||||
|
|
||||||
|
```
|
||||||
|
clock="UTC"
|
||||||
|
clock_hctosys="NO"
|
||||||
|
clock_systohc="NO"
|
||||||
|
```
|
||||||
|
|
||||||
|
And set up a `ntpd`:
|
||||||
|
|
||||||
|
```
|
||||||
|
# emerge -av net-misc/openntpd
|
||||||
|
# rc-update add ntpd default
|
||||||
|
# rc-service ntpd start
|
||||||
|
```
|
||||||
|
|
||||||
|
### Set up locales
|
||||||
|
|
||||||
|
Install the `musl-locales` package:
|
||||||
|
|
||||||
|
```
|
||||||
|
# emerge -av sys-apps/musl-locales
|
||||||
|
```
|
||||||
|
|
||||||
|
And in `/etc/env.d/01musl_locales` add:
|
||||||
|
|
||||||
|
```
|
||||||
|
MUSL_LOCPATH="/usr/share/i18n/locales/musl"
|
||||||
|
```
|
||||||
|
|
||||||
|
Then choose the desired locale with $n \in \mathbb{N}$:
|
||||||
|
|
||||||
|
```
|
||||||
|
# eselect locale list
|
||||||
|
# eselect locale set <n>
|
||||||
|
# env-update && source /etc/profile
|
||||||
|
```
|
||||||
|
|
||||||
|
### Setting the hostname
|
||||||
|
|
||||||
|
Simply run:
|
||||||
|
|
||||||
|
```
|
||||||
|
echo "<hostname>" > /etc/hostname
|
||||||
|
```
|
||||||
|
|
||||||
|
### Internet
|
||||||
|
|
||||||
|
NetworkManager is an easy to use network manager. Before emerging it, consider adding some USE flags in `/etc/portage/package.use/networkmanager`
|
||||||
|
|
||||||
|
```
|
||||||
|
net-misc/networkmanager dhcpcd -wext
|
||||||
|
```
|
||||||
|
|
||||||
|
And also make sure the `networkmanager` USE flag is enabled in your `make.conf`. Then emerge `networkmananger`:
|
||||||
|
|
||||||
|
```
|
||||||
|
# emerge -av net-misc/networkmanager
|
||||||
|
```
|
||||||
|
|
||||||
|
Then disable any other network services before enabling the service:
|
||||||
|
|
||||||
|
```
|
||||||
|
# rc-update add NetworkManager default
|
||||||
|
# rc-service NetworkManager start
|
||||||
|
```
|
||||||
|
|
||||||
|
## Making the system boot
|
||||||
|
|
||||||
|
### Sbctl
|
||||||
|
|
||||||
|
First off install `sbctl`:
|
||||||
|
|
||||||
|
```
|
||||||
|
# emerge -av sbctl
|
||||||
|
```
|
||||||
|
|
||||||
|
> Verify that Secureboot mode is on and in setup mode with `sbctl status`
|
||||||
|
|
||||||
|
Then create and enroll keys into the system.
|
||||||
|
|
||||||
|
```
|
||||||
|
# sbctl create-keys
|
||||||
|
# sbctl enroll-keys <--microsoft>
|
||||||
|
```
|
||||||
|
|
||||||
|
Use the `--microsoft` flag if the system is unable to use custom keys or when dual booting with Windows.
|
||||||
|
|
||||||
|
## Adding GURU
|
||||||
|
|
||||||
|
GURU is an extra repository which contains packages not available in the main Gentoo repository. Although the packages it contains might not be as well tested as in the main repo they are still necessary for some setups. Add Guru with:
|
||||||
|
|
||||||
|
```
|
||||||
|
# emerge -av app-eselect/eselect-repository
|
||||||
|
# eselect repository enable guru
|
||||||
|
# emaint sync --repo guru
|
||||||
|
```
|
||||||
|
|
||||||
|
To allow unstable packages from GURU, in `/etc/portage/package.accept_keywords/guru`:
|
||||||
|
|
||||||
|
```
|
||||||
|
*/*::guru ~amd64
|
||||||
|
```
|
||||||
|
|
||||||
|
### Zlevis' auto decryption
|
||||||
|
|
||||||
|
`zlevis` is able to unlock an encrypted ZFS root pool with keys saved in a TPM, currently it's only available in the `portage-ample` repository and also has some dependencies in the `guru` repository:
|
||||||
|
|
||||||
|
```
|
||||||
|
# eselect repository add portage-ample git https://git.bijl.us/lnorg/portage-ample
|
||||||
|
# emaint sync -r portage-ample
|
||||||
|
```
|
||||||
|
|
||||||
|
Then before emerging add the `dracut` flag in `/etc/portage/package.use/zlevis`
|
||||||
|
|
||||||
|
```
|
||||||
|
app-crypt/zlevis dracut
|
||||||
|
```
|
||||||
|
|
||||||
|
Then simply install it:
|
||||||
|
|
||||||
|
```
|
||||||
|
# emerge -av app-crypt/zlevis
|
||||||
|
```
|
||||||
|
|
||||||
|
Now add `zlevis` to the pool with
|
||||||
|
|
||||||
|
```
|
||||||
|
# zfs set tpm:jwe=$(zlevis-encrypt '{}' < /tmp/rpool.key) rpool
|
||||||
|
```
|
||||||
|
|
||||||
|
### UKI's
|
||||||
|
|
||||||
|
UKI's in conjuction with secureboot make for a pretty secure bootchain :D <--- deze lijnen moeten nog anders
|
||||||
|
We use `dracut` as initramfs generator and `ukify` as UKI generator.
|
||||||
|
|
||||||
|
Firsty create `/usr/lib/kernel/install.conf`
|
||||||
|
|
||||||
|
```
|
||||||
|
layout=uki
|
||||||
|
initrd_generator=dracut
|
||||||
|
uki_generator=ukify
|
||||||
|
```
|
||||||
|
|
||||||
|
And in `/etc/kernel/uki.conf`
|
||||||
|
|
||||||
|
```
|
||||||
|
[UKI]
|
||||||
|
SecureBootSigningTool=sbsign
|
||||||
|
```
|
||||||
|
|
||||||
|
Portage also has to be told to generate a UKI when installing a kernel this can be done by creating `/etc/portage/package.use/uki`
|
||||||
|
|
||||||
|
```
|
||||||
|
sys-apps/systemd-utils kernel-install boot ukify
|
||||||
|
sys-kernel/installkernel dracut ukify uki
|
||||||
|
```
|
||||||
|
|
||||||
|
These USE flags tell portage also to install `systemd-boot` which can automatically detect UKI's and because of the `secureboot` flag in `/etc/portage/make.conf` it will also automatically sign the bootloader.
|
||||||
|
|
||||||
|
Also allow `linux-firmware`'s license in `/etc/portage/package.license`:
|
||||||
|
|
||||||
|
```
|
||||||
|
# Accepting the license for linux-firmware
|
||||||
|
sys-kernel/linux-firmware linux-fw-redistributable
|
||||||
|
|
||||||
|
# Accepting any license that permits redistribution
|
||||||
|
sys-kernel/linux-firmware @BINARY-REDISTRIBUTABLE
|
||||||
|
```
|
||||||
|
|
||||||
|
Enable the `zlevis` module in `/etc/dracut.conf.d/zlevis.conf`
|
||||||
|
|
||||||
|
```
|
||||||
|
nofsck="yes"
|
||||||
|
add_dracutmodules+=" zlevis "
|
||||||
|
```
|
||||||
|
|
||||||
|
Before installing a kernel define a minimal kernel command line in `/etc/kernel/cmdline`:
|
||||||
|
|
||||||
|
```
|
||||||
|
rw root=ZFS=rpool/root/gentoo quiet splash
|
||||||
|
```
|
||||||
|
|
||||||
|
Then finally install all the necessary packages:
|
||||||
|
|
||||||
|
```
|
||||||
|
# emerge -av sbsigntools systemd-utils linux-firmware gentoo-kernel-bin zfs-kmod
|
||||||
|
```
|
||||||
|
|
||||||
|
It should have done this without throwing any errors.
|
||||||
|
|
||||||
|
Then for a nice boot interface install `systemd-boot` on the ESP:
|
||||||
|
|
||||||
|
```
|
||||||
|
# bootctl install
|
||||||
|
```
|
||||||
|
|
||||||
|
The last thing to do is adding a few ZFS services on boot:
|
||||||
|
|
||||||
|
```
|
||||||
|
# rc-update add zfs-import sysinit
|
||||||
|
# rc-update add zfs-mount sysinit
|
||||||
|
```
|
||||||
|
|
||||||
|
Now exit the chroot and unmount the filesystem with:
|
||||||
|
|
||||||
|
```
|
||||||
|
# umount -lf /mnt
|
||||||
|
```
|
||||||
|
|
||||||
|
The system should boot after reboot!
|
||||||
|
|
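Review bot: the fstab entry in the Fstab section mounts the ESP from `/dev/disk/by-label/efi`, but the partition is formatted with `mkfs.fat -F 32 -n esp` on the provisioning page and mounted earlier in this file as `/dev/disk/by-label/esp`; with that label mismatch the `/efi` line will fail at boot, so use one label in all three places. In the Zlevis section, `zlevis-encrypt '{}'` passes an empty policy; if zlevis follows the semantics of clevis's tpm2 pin, the TPM-sealed key is not bound to any PCR, which contradicts the provisioning page's statement that BIOS or Secure Boot changes will require the passphrase again, so either document a PCR-binding policy (clevis calls this `pcr_ids`; check what zlevis accepts) or soften that statement. The key copied to `/mnt/tmp` lands on the `rpool/root/gentoo` dataset, not on the tmpfs that fstab will later mount over `/tmp`, so add an `rm` or `shred` of `/tmp/rpool.key` before leaving the chroot. The UKI's section still carries the Dutch draft marker "<--- deze lijnen moeten nog anders" ("these lines still need changing"), which should be resolved before merging; smaller points: "Firsty", "conjuction", "USEFLAGS" (USE flags), "networkmananger", and the hostname command lacks the `#` prompt used in every other block.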
89
docs/gentoo-desktop-setup/provisioning.md
Normal file
|
@ -0,0 +1,89 @@
|
||||||
|
To install Gentoo this guide wiil be using the Alpine Extended Iso. It provides all of the necessary utilities for bootstrapping Gentoo and is overal pleasant to work with. Make sure to boot with Secureboot in setup mode or to already have keys ready to deploy.
|
||||||
|
|
||||||
|
After booting the Alpine Linux extended ISO, partition the disks. For this action internet is required since `zfs`, `sgdisk` and various other necessary packages are not included on the extended ISO, therefore they need to be obtained from the alpine package repository.
|
||||||
|
|
||||||
|
To set it up `setup-interfaces` and `setup-apkrepos` will be used.
|
||||||
|
|
||||||
|
```
|
||||||
|
# setup-interfaces -ar
|
||||||
|
# setup-apkrepos -c1
|
||||||
|
```
|
||||||
|
|
||||||
|
> To use Wi-Fi simply run `setup-interfaces -r` and select `wlan0` or similar.
|
||||||
|
|
||||||
|
A few packages will have to be installed first,
|
||||||
|
|
||||||
|
```
|
||||||
|
# apk add zfs lsblk sgdisk wipefs dosfstools
|
||||||
|
```
|
||||||
|
|
||||||
|
and load the ZFS kernel module
|
||||||
|
|
||||||
|
```
|
||||||
|
# modprobe zfs
|
||||||
|
```
|
||||||
|
|
||||||
|
Wipe the existing disk partitions
|
||||||
|
|
||||||
|
```
|
||||||
|
# zpool labelclear -f /dev/<disk>
|
||||||
|
# wipefs -a /dev/<disk>
|
||||||
|
# sgdisk --zap-all /dev/<disk>
|
||||||
|
```
|
||||||
|
|
||||||
|
Create on the disk an `EFI system` partition (ESP) and a `Linux filesystem` partition
|
||||||
|
|
||||||
|
```
|
||||||
|
# sgdisk -n 1:1m:+512m -t 1:ef00 /dev/<disk>
|
||||||
|
# sgdisk -n 2:0:-10m -t 2:8300 /dev/<disk>
|
||||||
|
```
|
||||||
|
|
||||||
|
Reload the device nodes
|
||||||
|
|
||||||
|
```
|
||||||
|
# mdev -s
|
||||||
|
```
|
||||||
|
|
||||||
|
Then, format the ESP with a FAT32 filesystem
|
||||||
|
|
||||||
|
```
|
||||||
|
# mkfs.fat -F 32 -n esp /dev/<disk>1
|
||||||
|
```
|
||||||
|
|
||||||
|
## ZFS pool creation
|
||||||
|
|
||||||
|
The ZFS system pool is going to be encrypted. First generate an encryption key and save it temporarily to the file `/tmp/rpool.key` with:
|
||||||
|
|
||||||
|
```
|
||||||
|
# cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1 > /tmp/rpool.key && cat /tmp/rpool.key
|
||||||
|
```
|
||||||
|
|
||||||
|
> Later on in the guide `zlevis` will be used for automatic decryption, so this key only has to be entered a few times. However, if any changes are made to the bios or secureboot then this key will be needed again, so make sure to save it.
|
||||||
|
|
||||||
|
Create the system pool:
|
||||||
|
|
||||||
|
```
|
||||||
|
# zpool create -f \
|
||||||
|
-o ashift=12 \
|
||||||
|
-O compression=lz4 \
|
||||||
|
-O acltype=posix \
|
||||||
|
-O xattr=sa \
|
||||||
|
-O dnodesize=auto \
|
||||||
|
-O encryption=on \
|
||||||
|
-O keyformat=passphrase \
|
||||||
|
-O keylocation=prompt \
|
||||||
|
-m none \
|
||||||
|
rpool /dev/<disk>2
|
||||||
|
```
|
||||||
|
|
||||||
|
Then create the system datasets:
|
||||||
|
|
||||||
|
```
|
||||||
|
# zfs create -o mountpoint=none rpool/root
|
||||||
|
# zfs create -o mountpoint=legacy -o quota=48g rpool/root/gentoo
|
||||||
|
# zfs create -o mountpoint=legacy -o quota=32g rpool/root/gentoo/var
|
||||||
|
# zfs create -o mountpoint=/home -o atime=off -o setuid=off -o devices=off -o quota=<home-quota> rpool/home
|
||||||
|
```
|
||||||
|
|
||||||
|
> Setting the `<home-quota>` depends on the total size of the pool, generally try to reserve some empty space in the pool.
|
||||||
|
|
|
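Review bot: typos in the opening paragraph, "wiil" should be "will", "overal" should be "overall", and "Alpine Extended Iso" should be "Alpine Extended ISO" to match "extended ISO" in the next paragraph. The key-generation pipeline yields a 20-character alphanumeric passphrase (roughly 119 bits of entropy), which is adequate, but the trailing `cat /tmp/rpool.key` echoes the pool key to the terminal and into any session recording; consider dropping it and telling the reader to print the key only when they are about to record it, and remind them that the live ISO's `/tmp` is lost on reboot. In the dataset block, `<home-quota>` is the only placeholder without an example of the expected form (`48g` and `32g` appear on the lines above), so a sample value in the note below it would help.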
@ -82,6 +82,11 @@ nav:
|
||||||
- 'Update protocol': alpine-server-setup/post-install/update-protocol.md
|
- 'Update protocol': alpine-server-setup/post-install/update-protocol.md
|
||||||
- 'Containers': alpine-server-setup/post-install/containers.md
|
- 'Containers': alpine-server-setup/post-install/containers.md
|
||||||
|
|
||||||
|
- 'Gentoo-desktop setup':
|
||||||
|
- gentoo-desktop-setup/index.md
|
||||||
|
- 'Provisioning': gentoo-desktop-setup/provisioning.md
|
||||||
|
- 'Installation': gentoo-desktop-setup/installation.md
|
||||||
|
|
||||||
- 'Void-desktop setup':
|
- 'Void-desktop setup':
|
||||||
- void-desktop-setup/index.md
|
- void-desktop-setup/index.md
|
||||||
- 'Installation with LVM':
|
- 'Installation with LVM':
|
||||||
|
|