-rwxr-xr-x | cryptuefiinstall | 96 | ||||
-rwxr-xr-x | mkcryptuefi | 159 |
2 files changed, 255 insertions, 0 deletions
diff --git a/cryptuefiinstall b/cryptuefiinstall
new file mode 100755
index 0000000..9b8de4c
--- /dev/null
+++ b/cryptuefiinstall
@@ -0,0 +1,96 @@
+#! /bin/bash
+
+set -e
+
+if [ "${UID}" != "0" ]; then
+ echo "cryptuefiinstall: requires root permissions"
+ exit 1
+fi
+
+pacman -Sy
+pacman -S --needed --noconfirm parted fzf
+
+#
+# Config questions
+#
+
+DRIVE=$1
+TARGET=$2
+
+if [ -z "${DRIVE}" ]; then
+ DRIVE="/dev/$(lsblk | grep disk | fzf --disabled | awk '{print $1}')"
+fi
+
+if [[ "${DRIVE}" == "/dev/mmcblk"* ]] | [[ "${DRIVE}" == "/dev/nvme"* ]]; then
+ PART_PREFIX="${DRIVE}p"
+else
+ PART_PREFIX="${DRIVE}"
+fi
+
+if [ -z "${TARGET}" ]; then
+ TARGET=$(echo "Enter GRUB target (commonly x86_64-efi): " | fzf --disabled --print-query | sed -n '1 p')
+fi
+
+# Needed because otherwise the disk might be overwritten
+# without installing a bootable system.
+if [ -z "${TARGET}" ]; then
+ echo -en "\e[1m\e[1;31mGRUB target must not be empty.\e[0m"
+ exit 1
+fi
+
+#
+# Full Disk Encryption
+#
+
+parted -s ${DRIVE} mklabel gpt
+parted -s -a optimal ${DRIVE} mkpart primary fat32 0% 256MiB
+parted -s -a optimal ${DRIVE} mkpart primary ext4 256MiB 512MiB
+parted -s -a optimal ${DRIVE} mkpart primary ext4 512MiB 100%
+
+echo "artix" | cryptsetup -q --pbkdf pbkdf2 luksFormat ${PART_PREFIX}2
+echo "artix" | cryptsetup -q open ${PART_PREFIX}2 boot_crypt
+
+echo "artix" | cryptsetup -q luksFormat ${PART_PREFIX}3
+echo "artix" | cryptsetup -q open ${PART_PREFIX}3 root_crypt
+
+mkfs.fat -F 32 ${PART_PREFIX}1 && fatlabel ${PART_PREFIX}1 ESP
+mkfs.ext4 -F -L BOOT /dev/mapper/boot_crypt
+mkfs.btrfs -f /dev/mapper/root_crypt
+
+mkdir /btrfs
+mount -o compress=zstd /dev/mapper/root_crypt /btrfs
+btrfs subvolume create /btrfs/root
+umount /btrfs
+
+mount -o compress=zstd,subvol=/root /dev/mapper/root_crypt /mnt
+mkdir /mnt/boot
+mount /dev/mapper/boot_crypt /mnt/boot
+mkdir /mnt/boot/efi
+mount ${PART_PREFIX}1 /mnt/boot/efi
+
+#
+# Continue Installation
+#
+
+rc-service ntpd start
+
+basestrap /mnt base openrc elogind-openrc vim man ntp-openrc git
+basestrap /mnt linux linux-firmware
+
+artix-chroot /mnt bash -c "curl -fsSL https://raw.githubusercontent.com/HimbeerserverDE/artixinstall/main/mkcryptuefi | sh -s -- ${DRIVE} ${PART_PREFIX} ${TARGET}"
+
+fstabgen -U /mnt >> /mnt/etc/fstab
+
+umount -R /mnt
+
+cryptsetup -q close boot_crypt
+cryptsetup -q close root_crypt
+
+echo -e "\n\e[1m\e[1;32mArtix has been successfully installed! It is now safe to reboot."
+echo -e "\e[1m\e[1;32mDon't forget to change the root password, disk passwords and hostname."
+echo -e "\e[1m\e[1;32mSetting up networking is left to you, dhcpcd and wpa_supplicant are installed."
+echo -e "\n\e[1m\e[1;32mRun the following commands to change the disk passwords:"
+echo -e "\e[1m\e[1;32m\t# cryptsetup --pbkdf pbkdf2 luksChangeKey ${PART_PREFIX}2"
+echo -e "\e[1m\e[1;32m\t# cryptsetup luksChangeKey ${PART_PREFIX}3"
+echo -e "\n\e[1m\e[1;32mChoose US compatible passwords as GRUB uses the US keyboard layout."
+echo -en "\e[0m"
diff --git a/mkcryptuefi b/mkcryptuefi
new file mode 100755
index 0000000..0517eeb
--- /dev/null
+++ b/mkcryptuefi
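Review bot: The drive-type test `if [[ "${DRIVE}" == "/dev/mmcblk"* ]] | [[ "${DRIVE}" == "/dev/nvme"* ]]` uses a single `|`, which makes the two `[[ ]]` commands a pipeline whose exit status is the nvme test alone, so an mmcblk drive gets `PART_PREFIX="${DRIVE}"` and every later `${PART_PREFIX}2` names a device that does not exist — after parted has already relabelled the disk. The fix is `||`: `if [[ "${DRIVE}" == "/dev/mmcblk"* ]] || [[ "${DRIVE}" == "/dev/nvme"* ]]; then`; the argument check at the top of mkcryptuefi in the next hunk has the same `|`-for-`||` slip and in effect only rejects an empty TARGET. Separately, the chroot step runs whatever raw.githubusercontent.com serves for `main` at install time through `sh -s`, not the mkcryptuefi committed next to this file, so the half of the install that writes keyfiles and the bootloader is neither pinned nor offline-reproducible. When this installer is run from a checkout, copying the local script in — `install -m 0755 "$(dirname "$0")/mkcryptuefi" /mnt/root/mkcryptuefi` then `artix-chroot /mnt /root/mkcryptuefi "${DRIVE}" "${PART_PREFIX}" "${TARGET}"` — fixes both and also keeps the bash shebang in effect, which `sh -s` ignores; otherwise the URL should at least be pinned to a commit hash.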
@@ -0,0 +1,159 @@
+#! /bin/bash
+
+set -e
+
+function get_cmdline {
+ sed -r 's/[[:alnum:]]+=/\n&/g' /proc/cmdline | awk -F= "\$1==\"$1\"{print \$2}" | sed 's/.\{1\}$//'
+}
+
+# cmdline options
+TIMEZONE=$(get_cmdline tz)
+KEYMAP=$(get_cmdline keytable)
+
+DRIVE=$1
+PART_PREFIX=$2
+TARGET=$3
+
+if [[ -z "${DRIVE}" ]] | [[ -z "${PART_PREFIX}" ]] | [[ -z "${TARGET}" ]]; then
+ echo -e "\e[1m\e[1;31mUsage: mkcryptuefi <drive> <partition prefix> <target>\e[0m"
+ exit 1
+fi
+
+ln -sf "/usr/share/zoneinfo/${TIMEZONE}" /etc/localtime
+hwclock --systohc
+
+sed -i "s/#en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/" /etc/locale.gen
+locale-gen
+
+cat <<EOT > /etc/locale.conf
+export LANG="en_US.UTF-8"
+export LC_COLLATE="C"
+EOT
+
+sed -i "s/keymap=\"us\"/keymap=\"${KEYMAP}\"/" /etc/conf.d/keymaps
+
+sed -i "s/HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block filesystems fsck)/HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt filesystems fsck)/" /etc/mkinitcpio.conf
+
+pacman -S --needed --noconfirm btrfs-progs grub os-prober efibootmgr device-mapper-openrc cryptsetup-openrc
+
+BOOT_UUID=$(blkid -s UUID -o value ${PART_PREFIX}2)
+
+dd bs=512 count=4 if=/dev/random of=/crypto_boot.bin iflag=fullblock
+chmod 600 /crypto_boot.bin
+echo "artix" | cryptsetup -q luksAddKey ${PART_PREFIX}2 /crypto_boot.bin
+
+cat <<EOT >> /etc/conf.d/dmcrypt
+
+target='boot_crypt'
+source='/dev/disk/by-uuid/${BOOT_UUID}'
+key='/crypto_boot.bin'
+EOT
+
+rc-update add dmcrypt boot
+
+UUID=$(blkid -s UUID -o value ${PART_PREFIX}3)
+sed -i "s/GRUB_CMDLINE_LINUX_DEFAULT=\"loglevel=3 quiet\"/GRUB_CMDLINE_LINUX_DEFAULT=\"loglevel=3 quiet cryptdevice=UUID=${UUID}:root_crypt\"/" /etc/default/grub
+sed -i "s/#GRUB_ENABLE_CRYPTODISK=y/GRUB_ENABLE_CRYPTODISK=y/" /etc/default/grub
+
+dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock
+chmod 600 /crypto_keyfile.bin
+echo "artix" | cryptsetup -q luksAddKey ${PART_PREFIX}3 /crypto_keyfile.bin
+
+sed -i "s/FILES=()/FILES=(\/crypto_keyfile.bin)/" /etc/mkinitcpio.conf
+
+grub-install --target=${TARGET} --efi-directory=/boot/efi --bootloader-id=grub
+grub-mkconfig -o /boot/grub/grub.cfg
+
+mkinitcpio -p linux
+
+# Enable GRUB to unlock /boot
+CRYPTO_UUID=$(blkid -s UUID -o value ${PART_PREFIX}2 | tr -d -)
+cat <<EOT > /boot/grub/grub-pre.cfg
+set crypto_uuid=${CRYPTO_UUID}
+cryptomount -u \$crypto_uuid
+
+set root=crypto0
+set prefix=(\$root)/grub
+
+insmod normal
+normal
+EOT
+
+grub-mkimage -p /boot/grub -c /boot/grub/grub-pre.cfg -o /tmp/grubx64.efi -O ${TARGET} disk biosdisk diskfilter luks2 part_msdos cryptodisk gcry_rijndael pbkdf2 gcry_sha256 ext2
+install -v /tmp/grubx64.efi /boot/efi/EFI/GRUB/grubx64.efi
+
+echo -en 'artix\nartix' | passwd
+
+# Network
+## Hostname
+echo artix > /etc/hostname
+
+cat <<EOT > /etc/hosts
+# Static table lookup for hostnames.
+# See hosts(5) for details.
+
+127.0.0.1 localhost
+127.0.1.1 artix.local artix
+
+# IPv6
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+EOT
+
+sed -i 's/hostname="localhost"/hostname="artix"/' /etc/conf.d/hostname
+
+## Networking essentials
+pacman -S --noconfirm dhcpcd wpa_supplicant
+
+# Repositories
+## Artix
+cat <<EOT >> /etc/pacman.conf
+
+#
+# Custom
+#
+
+# Artix
+
+[universe]
+Server = https://universe.artixlinux.org/\$arch
+Server = https://mirror1.artixlinux.org/universe/\$arch
+Server = https://mirror.pascalpuffke.de/artix-universe/\$arch
+Server = https://artixlinux.qontinuum.space/artixlinux/universe/os/\$arch
+Server = https://mirror1.cl.netactuate.com/artix/universe/\$arch
+Server = https://ftp.crifo.org/artix-universe/
+EOT
+
+## Arch
+pacman -Sy --needed --noconfirm artix-archlinux-support
+
+cat <<EOT >> /etc/pacman.conf
+
+# Arch
+
+#[testing]
+#Include = /etc/pacman.d/mirrorlist-arch
+
+[extra]
+Include = /etc/pacman.d/mirrorlist-arch
+
+#[community-testing]
+#Include = /etc/pacman.d/mirrorlist-arch
+
+[community]
+Include = /etc/pacman.d/mirrorlist-arch
+
+#[multilib-testing]
+#Include = /etc/pacman.d/mirrorlist-arch
+
+#[multilib]
+#Include = /etc/pacman.d/mirrorlist-arch
+EOT
+
+pacman-key --populate archlinux
+pacman -Sy
+
+rc-update add ntpd default
+
+exit 0 |
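Review bot: None of the `sed -i` edits in this hunk is checked, and `set -e` does not help because sed exits 0 when its pattern never matches, so if the stock `HOOKS=(...)` line in /etc/mkinitcpio.conf or the `GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"` line in /etc/default/grub differs even slightly from the literal being matched, the encrypt hook, the `cryptdevice=` argument or `GRUB_ENABLE_CRYPTODISK=y` is silently left out and the installed system will most likely be unable to unlock its root at boot. A small check after each of those edits (below) turns that into a hard failure while the live environment is still usable. The two keyfiles are also written by `dd` before `chmod 600` runs, so each exists with the default umask's mode for a moment; creating them inside `( umask 077; dd ... )` or with `install -m 600 /dev/null /crypto_boot.bin` beforehand closes that window. The `|`-for-`||` slip in the usage check at the top is noted on the first hunk.
```shell
# set -e does not notice a sed substitution whose pattern never matched, so
# confirm each boot-critical setting actually landed before going further.
require_line() {
  grep -q -- "$1" "$2" || { echo "mkcryptuefi: expected '$1' in $2" >&2; exit 1; }
}

# … unchanged: HOOKS edit of /etc/mkinitcpio.conf …
require_line 'block encrypt filesystems' /etc/mkinitcpio.conf

# … unchanged: GRUB_CMDLINE_LINUX_DEFAULT / GRUB_ENABLE_CRYPTODISK edits …
require_line "cryptdevice=UUID=${UUID}:root_crypt" /etc/default/grub
require_line '^GRUB_ENABLE_CRYPTODISK=y' /etc/default/grub

# … unchanged: FILES edit of /etc/mkinitcpio.conf …
require_line '^FILES=(/crypto_keyfile.bin)' /etc/mkinitcpio.conf
```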