bunch of fixes
This commit is contained in:
parent
ec6cdedeec
commit
d2dabb5912
63
build.py
63
build.py
@ -288,20 +288,16 @@ text
|
||||
|
||||
# Wipe all disk
|
||||
zerombr
|
||||
bootloader --location=mbr --boot-drive=sda
|
||||
clearpart --all --initlabel
|
||||
|
||||
# Disk partitioning information
|
||||
part btrfs.boot --fstype=btrfs --size=5120 --ondisk=sda
|
||||
part btrfs.boot --fstype=btrfs --size=5120 --ondisk=sdb
|
||||
part btrfs.main --fstype=btrfs --encrypted --grow --fsoptions="compress=zstd:1,space_cache=v2" --ondisk=sda
|
||||
part btrfs.main --fstype=btrfs --encrypted --grow --fsoptions="compress=zstd:1,space_cache=v2" --ondisk=sdb
|
||||
# Boot partitions (5GB each)
|
||||
part /boot --fstype=btrfs --size=5120 --ondisk=sda
|
||||
part /boot --fstype=btrfs --size=5120 --ondisk=sdb
|
||||
|
||||
# BTRFS subvolumes
|
||||
btrfs /boot --label=fedora-boot btrfs.boot
|
||||
btrfs none --label=fedora-btrfs btrfs.main
|
||||
btrfs /home --subvol --name=home fedora-btrfs
|
||||
btrfs /db --subvol --name=db fedora-btrfs
|
||||
# Main data partitions with LUKS
|
||||
part / --fstype=btrfs --encrypted --cipher=aes-xts-plain64 --luks-version=luks2 --grow --ondisk=sda
|
||||
part / --fstype=btrfs --encrypted --cipher=aes-xts-plain64 --luks-version=luks2 --grow --ondisk=sdb
|
||||
|
||||
# Package source
|
||||
url --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch
|
||||
@ -324,8 +320,9 @@ tpm2-tools
|
||||
tpm2-tss
|
||||
cryptsetup
|
||||
systemd
|
||||
mdadm
|
||||
curl
|
||||
shim-x64
|
||||
grub2-efi-x64
|
||||
%end
|
||||
|
||||
# Pre-installation script
|
||||
@ -351,43 +348,28 @@ EOF
|
||||
printf "\n=== Nullpoint Installation Progress ===\r\n" > /dev/tty1
|
||||
printf "Press Alt+F3 to view detailed installation logs\r\n" > /dev/tty1
|
||||
printf "Press Alt+F1 to return to main installation screen\r\n" > /dev/tty1
|
||||
printf "Current step: Setting up storage and encryption...\r\n\n" > /dev/tty1
|
||||
printf "Current step: Setting up TPM and Tang...\r\n\n" > /dev/tty1
|
||||
{{
|
||||
# Generate secure passphrase
|
||||
printf "Generating secure passphrase...\r\n" > /dev/tty1
|
||||
LUKS_PASSPHRASE=$(openssl rand -base64 32)
|
||||
# Get the LUKS passphrase that was used during installation
|
||||
LUKS_PASSPHRASE=$(cat /tmp/luks-passphrase.txt)
|
||||
echo "$LUKS_PASSPHRASE" > /root/luks-passphrase.txt
|
||||
chmod 600 /root/luks-passphrase.txt
|
||||
|
||||
# Create RAID1 for boot
|
||||
printf "Creating RAID1 array for boot...\r\n" > /dev/tty1
|
||||
mdadm --create --verbose /dev/md0 --level=1 --raid-devices=2 /dev/sda1 /dev/sdb1 --metadata=1.2
|
||||
mkfs.btrfs -f -L boot /dev/md0
|
||||
|
||||
# Setup LUKS on data partitions
|
||||
printf "Setting up LUKS encryption...\r\n" > /dev/tty1
|
||||
echo -n "$LUKS_PASSPHRASE" | tr -d "\n" | cryptsetup luksFormat /dev/sda2 --type luks2 --key-file -
|
||||
echo -n "$LUKS_PASSPHRASE" | tr -d "\n" | cryptsetup luksFormat /dev/sdb2 --type luks2 --key-file -
|
||||
|
||||
# Setup Clevis
|
||||
# Setup Clevis for TPM and Tang
|
||||
printf "Configuring Clevis for TPM and Tang...\r\n" > /dev/tty1
|
||||
clevis luks bind -d /dev/sda2 tpm2 -c /etc/clevis/tpm2.conf
|
||||
clevis luks bind -d /dev/sda2 tang -c /etc/clevis/tang.conf
|
||||
clevis luks bind -d /dev/sdb2 tpm2 -c /etc/clevis/tpm2.conf
|
||||
clevis luks bind -d /dev/sdb2 tang -c /etc/clevis/tang.conf
|
||||
|
||||
# Open LUKS volumes
|
||||
printf "Opening LUKS volumes...\r\n" > /dev/tty1
|
||||
echo -n "$LUKS_PASSPHRASE" | tr -d "\n" | cryptsetup luksOpen /dev/sda2 root_a --key-file -
|
||||
echo -n "$LUKS_PASSPHRASE" | tr -d "\n" | cryptsetup luksOpen /dev/sdb2 root_b --key-file -
|
||||
|
||||
# Create BTRFS
|
||||
printf "Creating BTRFS filesystem...\r\n" > /dev/tty1
|
||||
mkfs.btrfs -f -d raid1 -m raid1 /dev/mapper/root_a /dev/mapper/root_b
|
||||
# Get BTRFS UUID (same for all devices in the filesystem)
|
||||
BTRFS_UUID=$(blkid -s UUID -o value /dev/mapper/luks-$(blkid -s UUID -o value /dev/sda2))
|
||||
|
||||
# Create subvolumes
|
||||
printf "Creating BTRFS subvolumes...\r\n" > /dev/tty1
|
||||
mount /dev/mapper/root_a /mnt
|
||||
# Mount both devices for RAID1
|
||||
mount -t btrfs -o raid1 UUID=$BTRFS_UUID /mnt
|
||||
btrfs subvolume create /mnt/@root
|
||||
btrfs subvolume create /mnt/@home
|
||||
btrfs subvolume create /mnt/@db
|
||||
chattr +C /mnt/@db
|
||||
@ -395,16 +377,11 @@ printf "Current step: Setting up storage and encryption...\r\n\n" > /dev/tty1
|
||||
# Setup fstab
|
||||
printf "Configuring system mount points...\r\n" > /dev/tty1
|
||||
cat > /etc/fstab << EOF
|
||||
/dev/md0 /boot btrfs defaults 0 0
|
||||
/dev/mapper/root_a / btrfs compress=zstd 0 0
|
||||
/dev/mapper/root_a /home btrfs subvol=@home,compress=zstd 0 0
|
||||
/dev/mapper/root_a /db btrfs subvol=@db,nodatacow,noatime,compress=zstd 0 0
|
||||
UUID=$BTRFS_UUID / btrfs subvol=@root,compress=zstd,raid1 0 0
|
||||
UUID=$BTRFS_UUID /home btrfs subvol=@home,compress=zstd,raid1 0 0
|
||||
UUID=$BTRFS_UUID /db btrfs subvol=@db,nodatacow,noatime,compress=zstd,raid1 0 0
|
||||
EOF
|
||||
|
||||
# Save RAID configuration
|
||||
printf "Saving RAID configuration...\r\n" > /dev/tty1
|
||||
mdadm --detail --scan > /etc/mdadm.conf
|
||||
|
||||
# Enable services
|
||||
printf "Enabling system services...\r\n" > /dev/tty1
|
||||
systemctl enable clevis-luks-askpass.service
|
||||
|
||||
Loading…
Reference in New Issue
Block a user