dodox/nullpoint
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

bunch of fixes

Browse Source
This commit is contained in:
Dominik Moritz Roth 2025-05-13 18:41:52 +02:00
parent ec6cdedeec
commit d2dabb5912
1 changed files with 20 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
build.py
View File

@ -288,20 +288,16 @@ text
# Wipe all disk # Wipe all disk
zerombr zerombr
bootloader --location=mbr --boot-drive=sda
clearpart --all --initlabel clearpart --all --initlabel
# Disk partitioning information # Disk partitioning information
part btrfs.boot --fstype=btrfs --size=5120 --ondisk=sda # Boot partitions (5GB each)
part btrfs.boot --fstype=btrfs --size=5120 --ondisk=sdb part /boot --fstype=btrfs --size=5120 --ondisk=sda
part btrfs.main --fstype=btrfs --encrypted --grow --fsoptions="compress=zstd:1,space_cache=v2" --ondisk=sda part /boot --fstype=btrfs --size=5120 --ondisk=sdb
part btrfs.main --fstype=btrfs --encrypted --grow --fsoptions="compress=zstd:1,space_cache=v2" --ondisk=sdb
# BTRFS subvolumes # Main data partitions with LUKS
btrfs /boot --label=fedora-boot btrfs.boot part / --fstype=btrfs --encrypted --cipher=aes-xts-plain64 --luks-version=luks2 --grow --ondisk=sda
btrfs none --label=fedora-btrfs btrfs.main part / --fstype=btrfs --encrypted --cipher=aes-xts-plain64 --luks-version=luks2 --grow --ondisk=sdb
btrfs /home --subvol --name=home fedora-btrfs
btrfs /db --subvol --name=db fedora-btrfs
# Package source # Package source
url --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch url --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch
@ -324,8 +320,9 @@ tpm2-tools
tpm2-tss tpm2-tss
cryptsetup cryptsetup
systemd systemd
mdadm
curl curl
shim-x64
grub2-efi-x64
%end %end
# Pre-installation script # Pre-installation script
@ -351,43 +348,28 @@ EOF
printf "\n=== Nullpoint Installation Progress ===\r\n" > /dev/tty1 printf "\n=== Nullpoint Installation Progress ===\r\n" > /dev/tty1
printf "Press Alt+F3 to view detailed installation logs\r\n" > /dev/tty1 printf "Press Alt+F3 to view detailed installation logs\r\n" > /dev/tty1
printf "Press Alt+F1 to return to main installation screen\r\n" > /dev/tty1 printf "Press Alt+F1 to return to main installation screen\r\n" > /dev/tty1
printf "Current step: Setting up storage and encryption...\r\n\n" > /dev/tty1 printf "Current step: Setting up TPM and Tang...\r\n\n" > /dev/tty1
{{ {{
# Generate secure passphrase # Get the LUKS passphrase that was used during installation
printf "Generating secure passphrase...\r\n" > /dev/tty1 LUKS_PASSPHRASE=$(cat /tmp/luks-passphrase.txt)
LUKS_PASSPHRASE=$(openssl rand -base64 32)
echo "$LUKS_PASSPHRASE" > /root/luks-passphrase.txt echo "$LUKS_PASSPHRASE" > /root/luks-passphrase.txt
chmod 600 /root/luks-passphrase.txt chmod 600 /root/luks-passphrase.txt
# Create RAID1 for boot # Setup Clevis for TPM and Tang
printf "Creating RAID1 array for boot...\r\n" > /dev/tty1
mdadm --create --verbose /dev/md0 --level=1 --raid-devices=2 /dev/sda1 /dev/sdb1 --metadata=1.2
mkfs.btrfs -f -L boot /dev/md0
# Setup LUKS on data partitions
printf "Setting up LUKS encryption...\r\n" > /dev/tty1
echo -n "$LUKS_PASSPHRASE" | tr -d "\n" | cryptsetup luksFormat /dev/sda2 --type luks2 --key-file -
echo -n "$LUKS_PASSPHRASE" | tr -d "\n" | cryptsetup luksFormat /dev/sdb2 --type luks2 --key-file -
# Setup Clevis
printf "Configuring Clevis for TPM and Tang...\r\n" > /dev/tty1 printf "Configuring Clevis for TPM and Tang...\r\n" > /dev/tty1
clevis luks bind -d /dev/sda2 tpm2 -c /etc/clevis/tpm2.conf clevis luks bind -d /dev/sda2 tpm2 -c /etc/clevis/tpm2.conf
clevis luks bind -d /dev/sda2 tang -c /etc/clevis/tang.conf clevis luks bind -d /dev/sda2 tang -c /etc/clevis/tang.conf
clevis luks bind -d /dev/sdb2 tpm2 -c /etc/clevis/tpm2.conf clevis luks bind -d /dev/sdb2 tpm2 -c /etc/clevis/tpm2.conf
clevis luks bind -d /dev/sdb2 tang -c /etc/clevis/tang.conf clevis luks bind -d /dev/sdb2 tang -c /etc/clevis/tang.conf
# Open LUKS volumes # Get BTRFS UUID (same for all devices in the filesystem)
printf "Opening LUKS volumes...\r\n" > /dev/tty1 BTRFS_UUID=$(blkid -s UUID -o value /dev/mapper/luks-$(blkid -s UUID -o value /dev/sda2))
echo -n "$LUKS_PASSPHRASE" | tr -d "\n" | cryptsetup luksOpen /dev/sda2 root_a --key-file -
echo -n "$LUKS_PASSPHRASE" | tr -d "\n" | cryptsetup luksOpen /dev/sdb2 root_b --key-file -
# Create BTRFS
printf "Creating BTRFS filesystem...\r\n" > /dev/tty1
mkfs.btrfs -f -d raid1 -m raid1 /dev/mapper/root_a /dev/mapper/root_b
# Create subvolumes # Create subvolumes
printf "Creating BTRFS subvolumes...\r\n" > /dev/tty1 printf "Creating BTRFS subvolumes...\r\n" > /dev/tty1
mount /dev/mapper/root_a /mnt # Mount both devices for RAID1
mount -t btrfs -o raid1 UUID=$BTRFS_UUID /mnt
btrfs subvolume create /mnt/@root
btrfs subvolume create /mnt/@home btrfs subvolume create /mnt/@home
btrfs subvolume create /mnt/@db btrfs subvolume create /mnt/@db
chattr +C /mnt/@db chattr +C /mnt/@db
@ -395,16 +377,11 @@ printf "Current step: Setting up storage and encryption...\r\n\n" > /dev/tty1
# Setup fstab # Setup fstab
printf "Configuring system mount points...\r\n" > /dev/tty1 printf "Configuring system mount points...\r\n" > /dev/tty1
cat > /etc/fstab << EOF cat > /etc/fstab << EOF
/dev/md0 /boot btrfs defaults 0 0 UUID=$BTRFS_UUID / btrfs subvol=@root,compress=zstd,raid1 0 0
/dev/mapper/root_a / btrfs compress=zstd 0 0 UUID=$BTRFS_UUID /home btrfs subvol=@home,compress=zstd,raid1 0 0
/dev/mapper/root_a /home btrfs subvol=@home,compress=zstd 0 0 UUID=$BTRFS_UUID /db btrfs subvol=@db,nodatacow,noatime,compress=zstd,raid1 0 0
/dev/mapper/root_a /db btrfs subvol=@db,nodatacow,noatime,compress=zstd 0 0
EOF EOF
# Save RAID configuration
printf "Saving RAID configuration...\r\n" > /dev/tty1
mdadm --detail --scan > /etc/mdadm.conf
# Enable services # Enable services
printf "Enabling system services...\r\n" > /dev/tty1 printf "Enabling system services...\r\n" > /dev/tty1
systemctl enable clevis-luks-askpass.service systemctl enable clevis-luks-askpass.service