From fb2317eea23e934a4c0b900e3401b8ca7cff6134 Mon Sep 17 00:00:00 2001 From: Maurice Zhou Date: Tue, 15 Jun 2021 19:17:59 +0800 Subject: [PATCH] June-2021 update fix indentation GRUB 2.06 does not work with LUKS2 use separate file in /etc/profile.d Use systemd-firstboot to configure locales, tz, etc instructions for non-interactive system-firstboot systemd-firstboot has bugs for setting root password Signed-off-by: Maurice Zhou --- docs/Developer Resources/Custom Packages.rst | 1 + .../Arch Linux/Root on ZFS/1-preparation.rst | 22 +--- .../Root on ZFS/3-system-configuration.rst | 32 ++--- .../Root on ZFS/4-optional-configuration.rst | 31 ++--- .../Arch Linux/Root on ZFS/5-bootloader.rst | 115 ++++++++---------- 5 files changed, 87 insertions(+), 114 deletions(-) diff --git a/docs/Developer Resources/Custom Packages.rst b/docs/Developer Resources/Custom Packages.rst index 795ca3b..2f487f1 100644 --- a/docs/Developer Resources/Custom Packages.rst +++ b/docs/Developer Resources/Custom Packages.rst @@ -73,6 +73,7 @@ ZFS 2.1 release: - **RHEL/CentOS 8, Fedora**: .. code:: sh + sudo dnf install --skip-broken epel-release gcc make autoconf automake libtool rpm-build kernel-rpm-macros libtirpc-devel libblkid-devel libuuid-devel libudev-devel openssl-devel zlib-devel libaio-devel libattr-devel elfutils-libelf-devel kernel-devel-$(uname -r) python3 python3-devel python3-setuptools python3-cffi libffi-devel ncompress sudo dnf install --skip-broken --enablerepo=epel --enablerepo=powertools python3-packaging dkms diff --git a/docs/Getting Started/Arch Linux/Root on ZFS/1-preparation.rst b/docs/Getting Started/Arch Linux/Root on ZFS/1-preparation.rst index 96dfd4c..b458e62 100644 --- a/docs/Getting Started/Arch Linux/Root on ZFS/1-preparation.rst +++ b/docs/Getting Started/Arch Linux/Root on ZFS/1-preparation.rst 
@@ -7,8 +7,8 @@ Preparation :local: #. Download - `2021.05.01 `__ - Live ISO and `signature `__. + `2021.06.01 `__ + Live ISO and `signature `__. #. Follow `installation guide on Arch wiki `__ up to **Update the system clock**. @@ -28,7 +28,7 @@ Preparation #. Install ZFS:: - LIVE_ZFS_PKG="zfs-linux-2.0.4_5.11.16.arch1.1-1-x86_64.pkg.tar.zst" + LIVE_ZFS_PKG="zfs-linux-2.0.4_5.12.8.arch1.1-1-x86_64.pkg.tar.zst" LIVE_ZFS_UTILS="zfs-utils-2.0.4-1-x86_64.pkg.tar.zst" LIVE_ZFS_MIRROR="https://mirror.sum7.eu/archlinux/archzfs" pacman -U --noconfirm ${LIVE_ZFS_MIRROR}/archzfs/x86_64/${LIVE_ZFS_UTILS} || \ @@ -37,22 +37,6 @@ Preparation pacman -U --noconfirm ${LIVE_ZFS_MIRROR}/archive_archzfs/${LIVE_ZFS_PKG} modprobe zfs -#. Timezone - - List available timezones with:: - - ls /usr/share/zoneinfo/ - - Store target timezone in a variable:: - - INST_TZ=/usr/share/zoneinfo/Asia/Irkutsk - -#. Host name - - Store the host name in a variable:: - - INST_HOST='archonzfs' - #. Kernel variant Store the kernel variant in a variable. diff --git a/docs/Getting Started/Arch Linux/Root on ZFS/3-system-configuration.rst b/docs/Getting Started/Arch Linux/Root on ZFS/3-system-configuration.rst index c21b450..2ed1db0 100644 --- a/docs/Getting Started/Arch Linux/Root on ZFS/3-system-configuration.rst +++ b/docs/Getting Started/Arch Linux/Root on ZFS/3-system-configuration.rst 
@@ -51,10 +51,6 @@ System Configuration HOOKS=(base udev autodetect modconf block keyboard zfs filesystems) EOF -#. Host name:: - - echo $INST_HOST > /mnt/etc/hostname - #. Enable DHCP on all ethernet ports:: tee /mnt/etc/systemd/network/20-default.network <> /mnt/etc/locale.gen - echo "LANG=en_US.UTF-8" >> /mnt/etc/locale.conf + rm -f /mnt/etc/localtime + systemd-firstboot --root=/mnt --force --prompt --root-password=PASSWORD - Other locales should be added after reboot. + This can be non-interactive, see man page for details:: + + rm -f /mnt/etc/localtime + systemd-firstboot --root=/mnt --force \ + --locale="en_US.UTF-8" --locale-messages="en_US.UTF-8" \ + --keymap=us --timezone="Europe/Berlin" --hostname=myHost \ + --root-password=PASSWORD --root-shell=/bin/bash + + ``systemd-firstboot`` has bugs for setting root password, reset it here:: + + arch-chroot /mnt passwd #. Ignore kernel updates:: @@ -112,12 +117,9 @@ System Configuration source /root/chroot -#. Apply locales:: +#. Apply locales, change if needed:: + echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen locale-gen #. `Add archzfs repo <../0-archzfs-repo.html>`__. - -#. Set root password:: - - passwd diff --git a/docs/Getting Started/Arch Linux/Root on ZFS/4-optional-configuration.rst b/docs/Getting Started/Arch Linux/Root on ZFS/4-optional-configuration.rst index 82f71d0..32cfec2 100644 --- a/docs/Getting Started/Arch Linux/Root on ZFS/4-optional-configuration.rst +++ b/docs/Getting Started/Arch Linux/Root on ZFS/4-optional-configuration.rst @@ -80,9 +80,7 @@ Note: This will disable password with SSH. mkdir /etc/cryptkey.d/ chmod 700 /etc/cryptkey.d/ dd bs=32 count=1 if=/dev/urandom of=/etc/cryptkey.d/rpool_$INST_UUID-${INST_ID}-key-zfs - for i in ${DISK[@]}; do - dd bs=32 count=1 if=/dev/urandom of=/etc/cryptkey.d/${i##*/}-part2-bpool_$INST_UUID-key-luks - done + dd bs=32 count=1 if=/dev/urandom of=/etc/cryptkey.d/bpool_$INST_UUID-key-luks #. Backup boot pool:: 
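Review bot: `systemd-firstboot ... --root-password=PASSWORD` puts the root password on the command line, where it ends up in the live shell's history and is visible to other processes via ps; the systemd-firstboot man page warns against exactly this and provides `--prompt-root-password` and `--root-password-file=` instead. Because the hunk follows up with `arch-chroot /mnt passwd` anyway, the cleaner fix is to drop `--root-password=PASSWORD` from both invocations (keep `--prompt`, or add `--prompt-root-password` to the non-interactive form) — a reader who pastes the line verbatim and skips the passwd step is otherwise left with the literal password `PASSWORD`, and the separate "Set root password" step is removed from the end of this file in the same commit. The sentence "systemd-firstboot has bugs for setting root password" would help readers more with a version or bug reference, since as written it reads as a permanent caveat. Combining `--prompt` with `--root-password=` is also ambiguous about which one wins; the text should say what is expected to happen.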
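Review bot: The key file written by `dd bs=32 count=1 if=/dev/urandom of=/etc/cryptkey.d/bpool_$INST_UUID-key-luks` is created with the shell's default umask (typically mode 0644) and is protected only by the `chmod 700 /etc/cryptkey.d/` on the directory; since this single 32-byte secret now unlocks every boot-pool LUKS container and is later embedded in the initrd, put `umask 077` before the dd lines or add `chmod 600 /etc/cryptkey.d/*` after them so the files stay private even if the directory mode is relaxed or the files are copied elsewhere. Replacing per-disk keys with one shared key is consistent with the key living in a single initrd, but a sentence saying so would stop readers from assuming the old per-disk files bought independent revocation.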
@@ -104,12 +102,15 @@ Note: This will disable password with SSH. #. Create LUKS containers:: for i in ${DISK[@]}; do - cryptsetup luksFormat -q --type luks1 --key-file /etc/cryptkey.d/${i##*/}-part2-bpool_$INST_UUID-key-luks $i-part2 - echo $LUKS_PWD | cryptsetup luksAddKey --key-file /etc/cryptkey.d/${i##*/}-part2-bpool_$INST_UUID-key-luks $i-part2 - cryptsetup open ${i}-part2 ${i##*/}-part2-luks-bpool_$INST_UUID --key-file /etc/cryptkey.d/${i##*/}-part2-bpool_$INST_UUID-key-luks - echo ${i##*/}-part2-luks-bpool_$INST_UUID ${i}-part2 /etc/cryptkey.d/${i##*/}-part2-bpool_$INST_UUID-key-luks discard >> /etc/crypttab + cryptsetup luksFormat -q --type luks1 --key-file /etc/cryptkey.d/bpool_$INST_UUID-key-luks $i-part2 + echo $LUKS_PWD | cryptsetup luksAddKey --key-file /etc/cryptkey.d/bpool_$INST_UUID-key-luks $i-part2 + cryptsetup open ${i}-part2 ${i##*/}-part2-luks-bpool_$INST_UUID --key-file /etc/cryptkey.d/bpool_$INST_UUID-key-luks + echo ${i##*/}-part2-luks-bpool_$INST_UUID ${i}-part2 /etc/cryptkey.d/bpool_$INST_UUID-key-luks discard >> /etc/crypttab done + GRUB 2.06 still does not have complete support for LUKS2, LUKS1 + is used instead. + #. Embed key file in initrd:: echo 'FILES=(/etc/cryptkey.d/* )' >> /etc/mkinitcpio.conf @@ -158,6 +159,11 @@ Note: This will disable password with SSH. mount /boot/efis/${i##*/}-part1 done +#. As keys are stored in initrd, + set secure permissions for ``/boot``:: + + chmod 700 /boot + #. Change root pool password to key file:: zfs change-key -l \ @@ -179,11 +185,6 @@ Note: This will disable password with SSH. If ``zfsencryptssh`` is not removed, initrd will stuck at ``fail to load key material`` and fail to boot. -#. As keys are stored in initrd, - set secure permissions for ``/boot``:: - - chmod 700 /boot - #. Enable GRUB cryptodisk:: echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub 
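Review bot: The `discard` option written into each `/etc/crypttab` line passes TRIM through the LUKS layer, which lets anyone with the raw disk see which sectors are unused and therefore the rough size and layout of the encrypted boot pool; the cryptsetup FAQ treats this as an informed trade-off, so the guide should mark it optional with a one-line reason, e.g. `# discard reveals the used/free block layout; drop it if that matters more than SSD wear`. The added sentence `GRUB 2.06 still does not have complete support for LUKS2` is vaguer than needed — what GRUB 2.06 lacks is Argon2, so a LUKS2 volume whose key slots use PBKDF2 (`--type luks2 --pbkdf pbkdf2`) does open; saying that lets readers choose the newer header format if they want it. `cryptsetup luksFormat -q` also reformats every `$i-part2` inside the loop without confirmation, which deserves a one-line warning since the loop runs over all of `${DISK[@]}`.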
@@ -259,9 +260,9 @@ boot from it. This enables system recovery and re-installation. mkdir /boot/efi/iso cd /boot/efi/iso - # select a mirror # curl -O https://mirrors.ocf.berkeley.edu/archlinux/iso/2021.05.01/archlinux-2021.05.01-x86_64.iso - curl -O https://archlinux.org/iso/2021.05.01/archlinux-2021.05.01-x86_64.iso.sig - gpg --auto-key-retrieve --verify archlinux-2021.05.01-x86_64.iso.sig + # select a mirror # curl -O https://mirrors.ocf.berkeley.edu/archlinux/iso/2021.06.01/archlinux-2021.06.01-x86_64.iso + curl -O https://archlinux.org/iso/2021.06.01/archlinux-2021.06.01-x86_64.iso.sig + gpg --auto-key-retrieve --verify archlinux-2021.06.01-x86_64.iso.sig Additionally you can build your own live image with `archiso package `__. diff --git a/docs/Getting Started/Arch Linux/Root on ZFS/5-bootloader.rst b/docs/Getting Started/Arch Linux/Root on ZFS/5-bootloader.rst index 01bfb28..8f1629f 100644 --- a/docs/Getting Started/Arch Linux/Root on ZFS/5-bootloader.rst +++ b/docs/Getting Started/Arch Linux/Root on ZFS/5-bootloader.rst @@ -22,8 +22,8 @@ Workarounds have to be applied. Solution:: - echo 'export ZPOOL_VDEV_NAME_PATH=YES' >> /etc/profile - source /etc/profile + echo 'export ZPOOL_VDEV_NAME_PATH=YES' >> /etc/profile.d/zpool_vdev_name_path.sh + source /etc/profile.d/zpool_vdev_name_path.sh Note that ``sudo`` will not read ``/etc/profile`` and will not pass variables in parent shell. Consider setting the following 
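Review bot: `echo 'export ZPOOL_VDEV_NAME_PATH=YES' >> /etc/profile.d/zpool_vdev_name_path.sh` appends, so re-running the step duplicates the line; the file is new here, so `>` is the idempotent form. The note that follows about `sudo` not reading `/etc/profile` still applies to the new file, because `/etc/profile.d/*.sh` is only sourced from `/etc/profile`; wording it as "`/etc/profile` (and therefore `/etc/profile.d`)" would stop readers from concluding that the move fixes the sudo case.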
@@ -48,26 +48,29 @@ Install GRUB #. Generate initrd:: - mkinitcpio -P + mkinitcpio -P #. When in doubt, install both legacy boot and EFI. +#. Create GRUB boot directory, in ESP and boot pool:: + + mkdir -p /boot/efi/EFI/arch + mkdir -p /boot/grub + + Boot environment-specific configuration (kernel, etc) + is stored in ``/boot/grub/grub.cfg``, enabling rollback. + #. If using legacy booting, install GRUB to every disk:: for i in ${DISK[@]}; do - grub-install --target=i386-pc $i + grub-install --boot-directory /boot/efi/EFI/arch --target=i386-pc $i done #. If using EFI:: - grub-install && grub-install --removable - # mirror ESP content - ESP_MIRROR=$(mktemp -d) - cp -r /boot/efi/EFI $ESP_MIRROR - for i in /boot/efis/*; do - cp -r $ESP_MIRROR/EFI $i - done + grub-install --boot-directory /boot/efi/EFI/arch --efi-directory /boot/efi/ + grub-install --boot-directory /boot/efi/EFI/arch --efi-directory /boot/efi/ --removable for i in ${DISK[@]}; do efibootmgr -cgp 1 -l "\EFI\arch\grubx64.efi" \ -L "arch-${i##*/}" -d ${i} 
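Review bot: `--boot-directory /boot/efi/EFI/arch` moves GRUB's module directory and `grub.cfg` from the LUKS-protected boot pool onto the unencrypted FAT ESP, so everything GRUB loads after `core.img` — modules, fonts, the menu — is now readable and writable offline by anyone with the disk; `GRUB_ENABLE_CRYPTODISK=y` only guards what sits behind the LUKS container, not the ESP. That is the trust level `core.img` always had, but it is a change from the previous layout and should be stated in the text, along with the consequence that `grub.cfg` is no longer part of a boot-environment snapshot. The sentence `Boot environment-specific configuration (kernel, etc) is stored in /boot/grub/grub.cfg, enabling rollback` also looks inconsistent with this: GRUB reads `$prefix/grub.cfg` from the `--boot-directory` location on the ESP, so unless that file chains to `/boot/grub/grub.cfg`, the copy on the boot pool is never consulted, as far as this hunk shows.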
@@ -75,64 +78,21 @@ Install GRUB #. Generate GRUB Menu:: - grub-mkconfig -o /boot/grub/grub.cfg + grub-mkconfig -o /boot/efi/EFI/arch/grub/grub.cfg + cp /boot/efi/EFI/arch/grub/grub.cfg /boot/grub/grub.cfg + +#. For both legacy and EFI booting: mirror ESP content:: + + ESP_MIRROR=$(mktemp -d) + cp -r /boot/efi/EFI $ESP_MIRROR + for i in /boot/efis/*; do + cp -r $ESP_MIRROR/EFI $i + done Enable Secure Boot ---------------------------- -This is optional. - -- Method 1: Generate and enroll your own certificates, then sign bootloader - with these keys. - - This is the most secure method, see - `here `__ - and `ArchWiki article - `__ - for more information. However, enrolling your own key - `might brick your motherboard - `__. - - Tip: The author of this installation guide has - bricked EliteBook 820 G3 with ``KeyTool.efi`` during enrollment. - -- Method 2: Use a preloader - signed with `Microsoft Corporation UEFI CA - `__ certificate. - See `ArchWiki article `__ - and `here `__. - - Example configuration with `signed PreLoader.efi - `__:: - - # download signed PreLoader and HashTool - curl -LO https://blog.hansenpartnership.com/wp-uploads/2013/HashTool.efi - curl -LO https://blog.hansenpartnership.com/wp-uploads/2013/PreLoader.efi - # rename GRUB to loader.efi - mv /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/loader.efi - - mv PreLoader.efi /boot/efi/EFI/BOOT/BOOTX64.EFI - mv HashTool.efi /boot/efi/EFI/BOOT/ - - # mirror ESP content - ESP_MIRROR=$(mktemp -d) - cp -r /boot/efi/EFI $ESP_MIRROR - for i in /boot/efis/*; do - cp -r $ESP_MIRROR/EFI $i - done - - for i in ${DISK[@]}; do - efibootmgr -cgp 1 -l "\EFI\BOOT\BOOTX64.EFI" \ - -L "arch-PreLoader-${i##*/}" -d ${i} - done - - After reboot, re-enable Secure Boot in firmware settings, save and reboot. 
- After enabling Secure Boot, - enroll the hash of ``loader.efi`` with ``HashTool.efi``:: - - # OK -> Enroll Hash -> loader.efi -> Yes -> Reboot System -> Yes - - Re-enrolling the hash is needed if GRUB has been reinstalled. +This is optional. `See Arch Wiki article `__. Finish Installation ~~~~~~~~~~~~~~~~~~~~ @@ -159,3 +119,28 @@ Finish Installation #. Reboot:: reboot + +#. After reboot, consider adding a normal user:: + + myUser=UserName + zfs create $(df --output=source /home | tail -n +2)/${myUser} + useradd -MUd /home/${myUser} -c 'My Name' ${myUser} + zfs allow -u ${myUser} mount,snapshot,destroy $(df --output=source /home | tail -n +2)/${myUser} + chown -R ${myUser}:${myUser} /home/${myUser} + chmod 700 /home/${myUser} + passwd ${myUser} + + Set up cron job to snapshot user home everyday:: + + dnf install cronie + systemctl enable --now cronie + crontab -eu ${myUser} + #@daily zfs snap $(df --output=source /home/${myUser} | tail -n +2)@$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6) + zfs list -t snapshot -S creation $(df --output=source /home/${myUser} | tail -n +2) + + Install package groups:: + + pacman -Sg # query package groups + pacman -S 'gnome' + pacman -S 'plasma' +
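Review bot: Replacing the Secure Boot section with a bare wiki link leaves the guide with no statement of what an unsigned GRUB on the ESP does and does not protect against: with `GRUB_ENABLE_CRYPTODISK` but no Secure Boot, the ESP content mirrored by `cp -r $ESP_MIRROR/EFI $i` could be swapped offline for a bootloader that captures the LUKS passphrase, and the removed PreLoader/HashTool walkthrough was the only part of the page addressing that. Keep at least one sentence under "Enable Secure Boot", e.g. `Without Secure Boot (or a signed shim/GRUB) the contents of the ESP are not authenticated; the encryption configured above protects data at rest, not the boot chain`, and if the PreLoader method was dropped for a reason (the enrolment-brick warning, PreLoader's age), say so rather than deleting the rationale. Also note that `grub-mkconfig -o /boot/efi/EFI/arch/grub/grub.cfg` runs before the ESP mirror step, which is the right order, but any later `grub-mkconfig` or `grub-install` must be followed by re-mirroring, since the mirror is a one-off copy.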
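Review bot: `dnf install cronie` is a Fedora/RHEL command and will not work on Arch; it should read `pacman -S cronie`. `zfs allow -u ${myUser} mount,snapshot,destroy` delegates `destroy` on the user's home dataset, which permits destroying the dataset itself and every snapshot, not just pruning old ones; if the daily snapshots are meant as a safety net against the user's own mistakes or a compromised account, have root (or a system cron job) do the pruning instead of delegating `destroy`, and say so in the text. The snapshot name from `dd if=/dev/urandom ... | cut -c-6` is random rather than dated, which works but makes `zfs list -S creation` the only way to order them; a `$(date +%F)` suffix would be self-describing. The `#@daily ...` line is shown inside a `crontab -eu ${myUser}` session, so a sentence should say to paste it into the editor without the leading `#`.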