feat: encrypted root + swap

phga 3 years ago
parent 480b29e3b7
commit a0069154f5
Signed by: phga
GPG Key ID: 5249548AA705F019

@ -5,6 +5,7 @@ do case $opt in
p) PASSWD=${OPTARG} ;; p) PASSWD=${OPTARG} ;;
n) NAME=${OPTARG} ;; n) NAME=${OPTARG} ;;
d) DEV=${OPTARG} ;; d) DEV=${OPTARG} ;;
e) ENC=${OPTARG} ;;
\?) echo "-$OPTARG is not valid" >&2 && exit ;; \?) echo "-$OPTARG is not valid" >&2 && exit ;;
esac esac
done done
@ -20,6 +21,8 @@ init() {
[ -z "$DEV" ] && lsblk -nrpo "name,size,model" && read -p "Provide installation medium (e.g. sda, nvme0n1): " DEV [ -z "$DEV" ] && lsblk -nrpo "name,size,model" && read -p "Provide installation medium (e.g. sda, nvme0n1): " DEV
[[ "$DEV" =~ sd[a-z] ]] && SUF="1-3" && MODE="SATA" [[ "$DEV" =~ sd[a-z] ]] && SUF="1-3" && MODE="SATA"
[[ "$DEV" =~ nvme[0-9]n[0-9] ]] && SUF="p1-3" && MODE="NVME" [[ "$DEV" =~ nvme[0-9]n[0-9] ]] && SUF="p1-3" && MODE="NVME"
[ -z "$ENC" ] && read -p "Do you want the root partition to be encrypted (y/n)? " ENC
[ "$ENC" -eq "y" ] && ENC=true || ENC=false
echo "+---------------------+" echo "+---------------------+"
echo "| Archlinux Bootstrap |" echo "| Archlinux Bootstrap |"
@ -27,17 +30,32 @@ init() {
echo "HOSTNAME = $NAME" echo "HOSTNAME = $NAME"
echo "ROOTPASSWD = ${PASSWD:0:1}***${PASSWD: -1}" echo "ROOTPASSWD = ${PASSWD:0:1}***${PASSWD: -1}"
echo "DEVICEPARTS = $DEV$SUF" echo "DEVICEPARTS = $DEV$SUF"
read -p "Do you want to continue with these values (y/n): " cont echo "ENCRYPTION = $ENC"
read -p "Do you want to continue with these values (y/n)? " cont
[ ! "$cont" = "y" ] && unset NAME PASSWD DEV && init [ ! "$cont" = "y" ] && unset NAME PASSWD DEV && init
echo "Let's GOOOO" echo "Let's GOOOO"
} }
crypt_prepare_disk() {
cryptsetup open --type plain -d /dev/urandom $1 wipe_me
dd if=/dev/zero of=/dev/mapper/wipe_me bs=1M status=progress
cryptsetup close wipe_me
}
crypt_create_fs() {
cryptsetup -y -v luksFormat $1
cryptsetup open $1 root
mkfs.ext4 /dev/mapper/root
}
# stop on error # stop on error
set -e set -e
# initialize important values # initialize important values
init init
[ "$ENC" == true ] && crypt_prepare_disk "/dev/$DEV"
# All values set, start bootstrapping # All values set, start bootstrapping
gdisk /dev/$DEV <<EOF gdisk /dev/$DEV <<EOF
o o
@ -62,25 +80,35 @@ y
EOF EOF
case $MODE in [ $MODE == "NVME" ] && suffix="p" || suffix=""
"NVME")
mkfs.fat -F 32 -n P_EFI /dev/${DEV}p1 mkfs.fat -F 32 -n P_EFI "/dev/$DEV$suffix1"
mkfs.ext4 -L P_ROOT /dev/${DEV}p3 if [ "$ENC" == true ]; then
mkswap -L P_SWAP /dev/${DEV}p2 crypt_create_fs "/dev/$DEV$suffix3"
;; mkfs.ext2 -L cryptswap "/dev/$DEV$suffixp2" 1M # Otherwise label will be lost after reboot
"SATA") else
mkfs.fat -F 32 -n P_EFI /dev/${DEV}1 mkfs.ext4 -L P_ROOT "/dev/$DEV$suffix3"
mkfs.ext4 -L P_ROOT /dev/${DEV}3 mkswap -L P_SWAP "/dev/$DEV$suffix2"
mkswap -L P_SWAP /dev/${DEV}2 fi
;;
esac
ROOT_UUID=$(blkid | grep -Po '/dev/'"$DEV$suffix"'3.* UUID="\K[0-9a-f-]+')
SWAP_UUID=$(blkid | grep -Po '/dev/'"$DEV$suffix"'2.* UUID="\K[0-9a-f-]+')
if [ "$ENC" == true ]; then
mount /dev/mapper/root /mnt
KERNEL_OPTIONS='cryptdevice=UUID='"$ROOT_UUID"':root root=/dev/mapper/root'
else
mount -L P_ROOT /mnt
KERNEL_OPTIONS='root=LABEL=P_ROOT rw resume=LABEL=P_SWAP'
fi
mount -L P_ROOT /mnt # root
mkdir -p /mnt/boot mkdir -p /mnt/boot
mount -L P_EFI /mnt/boot # EFI mount -L P_EFI /mnt/boot # EFI
swapon -L P_SWAP # swap
sed -e '/## Germany/,+1!d' /etc/pacman.d/mirrorlist [ "$ENC" == false ] && swapon -L P_SWAP # swap
sed -i '/## Germany/,+1!d' /etc/pacman.d/mirrorlist
# for server dhcpcd and other programs are not required -> see good2know # for server dhcpcd and other programs are not required -> see good2know
pacstrap /mnt base base-devel linux-zen linux-firmware vi dhcpcd wpa_supplicant dialog git netctl curl pacstrap /mnt base base-devel linux-zen linux-firmware vi dhcpcd wpa_supplicant dialog git netctl curl
@ -88,6 +116,14 @@ genfstab -p /mnt > /mnt/etc/fstab
cat <<EOF > /mnt/root/bootstrap2.sh cat <<EOF > /mnt/root/bootstrap2.sh
#!/bin/bash #!/bin/bash
if [ $ENC == true ]; then
sed -i 's/\(^HOOKS.*block\)/\1 encrypt/' /etc/mkinitcpio.conf
ct_entry="swap LABEL=cryptswap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=512"
echo $ct_entry >> /etc/crypttab
echo "/dev/mapper/swap none swap defaults 0 0" >> /etc/fstab
fi
ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
@ -106,17 +142,16 @@ cat <<EEE > /boot/loader/entries/arch-uefi.conf
title Arch title Arch
linux /vmlinuz-linux-zen linux /vmlinuz-linux-zen
initrd /initramfs-linux-zen.img initrd /initramfs-linux-zen.img
options root=LABEL=P_ROOT rw resume=LABEL=P_SWAP options $KERNEL_OPTIONS
EEE EEE
cat <<EEE > /boot/loader/entries/arch-uefi-fallback.conf cat <<EEE > /boot/loader/entries/arch-uefi-fallback.conf
title Arch Linux Fallback title Arch Linux Fallback
linux /vmlinuz-linux-zen linux /vmlinuz-linux-zen
initrd /initramfs-linux-zen-fallback.img initrd /initramfs-linux-zen-fallback.img
options root=LABEL=P_ROOT rw resume=LABEL=P_SWAP options $KERNEL_OPTIONS
EEE EEE
cat <<EEE > /boot/loader/loader.conf cat <<EEE > /boot/loader/loader.conf
default arch-uefi default arch-uefi
timeout 1 timeout 1
@ -139,4 +174,4 @@ chmod u+x /mnt/root/bootstrap2.sh
arch-chroot /mnt /root/bootstrap2.sh arch-chroot /mnt /root/bootstrap2.sh
rm /mnt/root/bootstrap2.sh rm /mnt/root/bootstrap2.sh
reboot # reboot
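Review bot: In the fourth hunk the new mkfs lines (`mkfs.fat -F 32 -n P_EFI "/dev/$DEV$suffix1"` and the `$suffix3`, `$suffix2`, `$suffixp2` siblings) expand variables named `suffix1`, `suffix3`, `suffix2` and `suffixp2`, none of which is ever assigned, so every one of them resolves to the bare disk `/dev/$DEV` and formats the whole device instead of a partition; they should read `"/dev/${DEV}${suffix}1"`, `"/dev/${DEV}${suffix}3"`, `"/dev/${DEV}${suffix}2"`, the way the blkid lines in the same hunk already separate `"$DEV$suffix"` from the partition number. Two further lines silently defeat the encryption this commit adds: `[ "$ENC" -eq "y" ]` in the second hunk is an integer comparison that errors on `y` and so leaves `ENC=false` whatever the answer (it should be `[ "$ENC" = "y" ]`), and in the unquoted `cat <<EOF > /mnt/root/bootstrap2.sh` heredoc the line `echo $ct_entry >> /etc/crypttab` is expanded by the outer script, where `ct_entry` does not appear to be set, so the generated script appends an empty line rather than the cryptswap entry — escape it as `echo "\$ct_entry" >> /etc/crypttab`. With those three fixed the feature can actually be exercised; as written the prompt path always takes the unencrypted branch, so the encrypted branch and its crypttab/mkinitcpio setup are untested by a normal run. `SWAP_UUID` is computed but never used and could be dropped or wired into the kernel options.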
