documentation/docs/gentoo-desktop-setup/provisioning.md

To install Gentoo, this guide uses the Alpine Linux Extended ISO, which provides all of the utilities needed to bootstrap Gentoo. Boot with Secure Boot in setup mode, or have your own Secure Boot keys ready to enrol.

After booting the Alpine Linux Extended ISO, partition the disks. Internet access is required for this step, since zfs, sgdisk and several other needed packages are not included on the Extended ISO and have to be fetched from the Alpine package repository.

Set up networking and the package repositories with setup-interfaces and setup-apkrepos:

sh# setup-interfaces -ar
sh# setup-apkrepos -c1

To use Wi-Fi instead, run setup-interfaces -r and select wlan0 (or similar).

A few packages will have to be installed first:

sh# apk add zfs lsblk sgdisk wipefs dosfstools zlevis

The zlevis package is not yet in the Alpine package repository at the time of writing. Obtain it by another means, place it in a directory on your PATH, and install its dependencies tpm2-tools and jose.

Then load the ZFS kernel module:

sh# modprobe zfs

Wipe the existing disk partitions:

sh# zpool labelclear -f /dev/<disk>
sh# wipefs -a /dev/<disk>
sh# sgdisk --zap-all /dev/<disk>

Create on the disk an EFI system partition (ESP) and a Linux filesystem partition:

sh# sgdisk -n 1:1m:+512m -t 1:ef00 /dev/<disk>
sh# sgdisk -n 2:0:-10m -t 2:8300 /dev/<disk>

Reload the device nodes:

sh# mdev -s

Then format the ESP with a FAT32 filesystem. Note that on NVMe (and MMC) devices the partition nodes are /dev/<disk>p1 and /dev/<disk>p2 rather than /dev/<disk>1 and /dev/<disk>2; adjust the commands below accordingly:

sh# mkfs.fat -F 32 -n esp /dev/<disk>1

ZFS pool creation

The ZFS system pool will be encrypted. First generate a random 20-character alphanumeric passphrase (roughly 119 bits of entropy) and save it temporarily to /tmp/rpool.key. On the live ISO /tmp lives in RAM, so the key never touches the disk:

sh# cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1 > /tmp/rpool.key && cat /tmp/rpool.key

zlevis handles automatic unlocking, but this passphrase is still needed whenever the TPM-sealed copy cannot be unsealed, for example after changes to the firmware (BIOS) settings or the Secure Boot configuration, so store it somewhere safe outside the machine (for instance in a password manager or on paper).

Create the system pool. zpool create will prompt for the passphrase; enter the key generated above. Prefer a stable device path such as /dev/disk/by-id/... (where the partitions are named ...-part2) over /dev/<disk>2, so the pool does not depend on device enumeration order:

sh# zpool create -f \
        -o ashift=12 \
        -O compression=lz4 \
        -O acltype=posix \
        -O xattr=sa \
        -O dnodesize=auto \
        -O encryption=on \
        -O keyformat=passphrase \
        -O keylocation=prompt \
        -m none \
        rpool /dev/<disk>2

Then create the system datasets:

sh# zfs create -o mountpoint=none rpool/root
sh# zfs create -o mountpoint=legacy -o quota=48g rpool/root/gentoo
sh# zfs create -o mountpoint=legacy -o quota=32g rpool/root/gentoo/var
sh# zfs create -o mountpoint=/home -o atime=off -o setuid=off -o devices=off -o quota=<home-quota> rpool/home

The <home-quota> value depends on the total pool size; in general, leave some free space in the pool rather than allocating all of it.

Write the encryption key to TPM with zlevis:

sh# zlevis encrypt rpool '{}' < /tmp/rpool.key

This uses the default configuration of zlevis encrypt; a different configuration can be passed as JSON in place of '{}'.

Verify that the key can be recovered from the TPM by running zlevis decrypt rpool and checking that its output matches the contents of /tmp/rpool.key.

Finally, export the pool so it can be imported cleanly from the Gentoo installation later:

sh# zpool export rpool
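The whole procedure above, collected into one script. This is an added example and not part of the original guide or the zlevis project; it assumes the same tools the guide uses (sgdisk, wipefs, mkfs.fat, zpool, zfs, zlevis) and that zlevis decrypt rpool prints the stored key on stdout. It deviates from the guide in one place: the pool is created with keylocation=file:// pointing at the key file and then switched back to keylocation=prompt, so the script needs no interactive terminal. The part_dev helper derives the correct partition node for plain, NVMe and /dev/disk/by-id paths, and DRY_RUN=1 prints the commands instead of running them.

```sh
#!/bin/sh
# Added example (not part of the original guide): the provisioning steps as one
# script. Assumes sgdisk, wipefs, mkfs.fat, zpool, zfs and zlevis are available
# and that 'zlevis decrypt rpool' prints the stored key on stdout (assumption).
# Run with DRY_RUN=1 to print the commands instead of executing them.
set -eu

# Partition node for a disk path: /dev/sda -> /dev/sda1, /dev/nvme0n1 -> /dev/nvme0n1p1,
# /dev/disk/by-id/ata-... -> /dev/disk/by-id/ata-...-part1
part_dev() {
    disk=$1
    num=$2
    case "$disk" in
        /dev/disk/by-*/*) printf '%s\n' "${disk}-part${num}" ;;
        *[0-9])           printf '%s\n' "${disk}p${num}" ;;
        *)                printf '%s\n' "${disk}${num}" ;;
    esac
}

# Generate a random alphanumeric passphrase; 20 characters gives about 119 bits.
gen_key() {
    LC_ALL=C tr -dc 'a-zA-Z0-9' </dev/urandom | head -c "${1:-20}"
    echo
}

# Sanity-check a passphrase before sealing it: exactly 20 alphanumeric characters.
check_key() {
    key=$1
    [ "${#key}" -eq 20 ] || return 1
    case "$key" in
        *[!a-zA-Z0-9]*) return 1 ;;
    esac
    return 0
}

# Execute a command, or only echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# provision DISK HOME_QUOTA [KEYFILE]
provision() {
    disk=$1
    home_quota=$2
    keyfile=${3:-/tmp/rpool.key}
    esp=$(part_dev "$disk" 1)
    zpart=$(part_dev "$disk" 2)

    # Generate the passphrase unless a key file was supplied already.
    [ -s "$keyfile" ] || gen_key >"$keyfile"
    check_key "$(cat "$keyfile")" || { echo "bad key in $keyfile" >&2; return 1; }

    run modprobe zfs
    run zpool labelclear -f "$disk"
    run wipefs -a "$disk"
    run sgdisk --zap-all "$disk"
    run sgdisk -n 1:1m:+512m -t 1:ef00 "$disk"
    run sgdisk -n 2:0:-10m -t 2:8300 "$disk"
    run mdev -s
    run mkfs.fat -F 32 -n esp "$esp"

    # Unlike the interactive guide, read the passphrase from the key file so the
    # script needs no terminal, then switch the pool back to prompting on import.
    run zpool create -f -o ashift=12 -O compression=lz4 -O acltype=posix \
        -O xattr=sa -O dnodesize=auto -O encryption=on -O keyformat=passphrase \
        -O keylocation="file://$keyfile" -m none rpool "$zpart"
    run zfs set keylocation=prompt rpool

    run zfs create -o mountpoint=none rpool/root
    run zfs create -o mountpoint=legacy -o quota=48g rpool/root/gentoo
    run zfs create -o mountpoint=legacy -o quota=32g rpool/root/gentoo/var
    run zfs create -o mountpoint=/home -o atime=off -o setuid=off -o devices=off \
        -o quota="$home_quota" rpool/home

    # Seal the passphrase in the TPM and confirm it unseals to the same value.
    run zlevis encrypt rpool '{}' <"$keyfile"
    if [ "${DRY_RUN:-0}" != 1 ]; then
        [ "$(zlevis decrypt rpool)" = "$(cat "$keyfile")" ] ||
            { echo "zlevis decrypt does not return the stored key" >&2; return 1; }
    fi

    run zpool export rpool
}

# Usage: DRY_RUN=1 ./provision.sh /dev/nvme0n1 200g
if [ "$#" -ge 2 ]; then
    provision "$@"
fi
```

Run it first with DRY_RUN=1 and check that the printed partition nodes are the ones you expect for your disk before letting it touch the device; the key file it writes is the one you must save, exactly as the guide says.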