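#!/usr/bin/env bash
# -------------------------------------------------------------------------
# Debian Buster: migrate a running system onto an encrypted, mirrored ZFS
# root, with the pool passphrase entered remotely over dropbear from the
# initramfs.
#
# This is a staged RUNBOOK, not a script.  Each "STAGE" below runs in a
# different context (the live host, the initramfs rescue shell, a chroot,
# the initramfs hook itself, the admin workstation).  Paste one stage at a
# time; never execute this file end to end — it repartitions both disks.
#
# Plan (translated from the author's Italian notes): permit root login,
# disable IPv6, key file, install and configure dropbear (port, static IP),
# rebuild the initramfs; a script inside the initramfs blocks the boot and
# starts dropbear; console on the kernel; check that backports are present
# in the Debian repositories.
#
# References:
#   https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Buster%20Root%20on%20ZFS.html#step-1-prepare-the-install-environment
#   https://saveriomiroddi.github.io/Installing-Ubuntu-on-a-ZFS-root-with-encryption-and-mirroring/#procedure
# -------------------------------------------------------------------------

# ===== STAGE 1: on the running HOST ======================================

# --- Install ZFS from buster-backports ---
echo "deb http://deb.debian.org/debian buster main contrib" >> /etc/apt/sources.list
echo "deb http://deb.debian.org/debian buster-backports main contrib" >> /etc/apt/sources.list
apt-get update
apt install --yes gdisk dkms dpkg-dev "linux-headers-$(uname -r)"
apt install --yes -t buster-backports --no-install-recommends zfs-dkms
modprobe zfs
apt install --yes -t buster-backports zfsutils-linux

# --- Dropbear inside the initramfs ---
# https://hamy.io/post/0009/how-to-install-luks-encrypted-ubuntu-18.04.x-server-and-enable-remote-unlocking/
# https://matt.ucc.asn.au/dropbear/dropbear.html
apt-get --yes install dropbear-initramfs
# -s: no password logins (public key only); -j/-k: no local/remote port
# forwarding; -p 4747: a separate port, so the pre-boot host key does not
# collide with the real sshd's entry for port 22 in the client's known_hosts.
echo 'DROPBEAR_OPTIONS="-s -j -k -p 4747"' >> /etc/dropbear-initramfs/config

# Public key generated on the admin workstation with: ssh-keygen -t rsa -b 4096
# Only the public half is copied here; the private key stays on the workstation.
# NOTE(review): the modulus length field of this sample key ("AAAAgQ" = 129
# bytes) indicates a 1024-bit key, not the 4096 bits the comment asks for —
# regenerate before use.
COPY_LOCAL_SSH_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDLkDWpZ9MfP47Q9gzapCRxwXCLdYT6zOid5ras7cdmuHZEDtCA/sSpn6Ro3g/EF8FaDNltG26NMnTV1q3hWY19hK1ukL6QMnCQ+SxeowQ7RcPV9kHuybA9VtIhfEBN3hyWmzm7S2G4tDZlF2cKRe9G6yTHiNVcQLoCSYULo6gFPw== hank@joe"
# Restrict the key to what the pre-boot shell needs (run `zfs load-key` and
# touch the marker file).  The key string already starts with "ssh-rsa", so
# the options are prefixed directly to it — the earlier, commented-out
# version repeated "ssh-rsa" and produced an entry dropbear cannot parse.
# If dropbear rejects the options line the key is silently ignored, so test
# the pre-boot login before relying on it.
echo "no-port-forwarding,no-agent-forwarding,no-x11-forwarding $COPY_LOCAL_SSH_KEY" \
  >> /etc/dropbear-initramfs/authorized_keys

# Static network config for the initramfs, kernel ip= syntax:
#   IP=<client-ip>:<server-ip>:<gateway>:<netmask>:<hostname>:<device>:<autoconf>
# Replace the address, gateway and interface name with this server's values.
echo 'IP="192.168.69.116::192.168.69.1:255.255.255.0::enp1s0:off"' >> /etc/initramfs-tools/initramfs.conf

# --- Boot-blocking wait loop in the initramfs ---
# Insert the loop below in /usr/share/initramfs-tools/scripts/local (look for
# local_mount_root) / /usr/share/initramfs-tools/init (look for local_bottom).
# It keeps the initramfs — and therefore dropbear — alive until the remote
# admin creates /condor, or gives up after max_steps minutes and boots.
count_steps=0
max_steps=60
# Wait at most 1 hour, then boot anyway
while [ ! -f "/condor" ] && [ "$count_steps" -lt "$max_steps" ]; do
  count_steps=$(( count_steps + 1 ))
  sleep 60
  echo "DROPBEAR ACTIVE $count_steps min."
done
echo "End"
update-initramfs -u

# ===== REBOOT — then log in to the initramfs with dropbear ==============

# ===== STAGE 2: in the initramfs rescue shell ===========================
# Copy the old root (the initramfs has it at /root) into a RAM copy at /mnt,
# then release the old root device so the disks can be repartitioned.
# The copy lives in RAM: make sure there is enough memory for it.
mkdir /mnt
cd /root || exit 1
cp -a bin boot etc home initrd.img initrd.img.old lib lib32 lib64 libx32 media mnt opt root sbin srv tmp usr var vmlinuz vmlinuz.old /mnt/
cd /
umount /root
mkdir /mnt/proc /mnt/sys /mnt/run /mnt/dev
#mkdir /mnt/tmp
mount -o rbind /proc/ /mnt/proc/
mount -o rbind /sys/ /mnt/sys/
mount -o rbind /run/ /mnt/run/
mount -o rbind /dev/ /mnt/dev/

# ===== STAGE 3: chroot into the RAM copy ================================
chroot /mnt /bin/bash --login
modprobe zfs

# !!! Verify the device names (lsblk) before going on: everything from
# `sgdisk --zap-all` onwards is destructive.  first_disk_id receives the
# EFI partition plus bpool/rpool; second_disk_id mirrors bpool and rpool.
first_disk_id="/dev/vda"
second_disk_id="/dev/vdb"
# Partition of the OLD layout that holds /boot — it is copied into the RAM
# copy here, before the disk is wiped.
old_boot_dev="/dev/vda2"

# !!! Remember to copy the boot directory
mount "$old_boot_dev" /mnt/
cp -a /mnt/* /boot/
umount /mnt

# Wipe both partition tables
sgdisk --zap-all "$first_disk_id"
sgdisk --zap-all "$second_disk_id"
# Partition: first disk gets the EFI system partition, both get bpool + rpool
sgdisk -n1:1M:+512M -t1:EF00 "$first_disk_id"      # EFI boot
sgdisk -n2:0:+512M  -t2:BF01 "$first_disk_id"      # Boot pool
sgdisk -n3:0:0      -t3:BF01 "$first_disk_id"      # Root pool
sgdisk -n1:+512M:+512M -t1:BF01 "$second_disk_id"  # Boot pool (starts 512M in, presumably to line up with disk 1)
sgdisk -n2:0:0      -t2:BF01 "$second_disk_id"     # Root pool
# Check the result
sgdisk --print "$first_disk_id"
sgdisk --print "$second_disk_id"

# FAT tooling and modules for the EFI system partition, then format it
apt-get install dosfstools
modprobe vfat
modprobe nls_cp437
modprobe nls_ascii
mkfs.fat -F 32 -n EFI "${first_disk_id}1"

# --- Create the pools ---
bpool_mirror_arg="${second_disk_id}1"
rpool_mirror_arg="${second_disk_id}2"
# Native encryption; the passphrase is asked at import time, which is what
# the dropbear session is for.
encryption_options=(-O encryption=on -O keylocation=prompt -O keyformat=passphrase)
zpool create "${encryption_options[@]}" -o ashift=12 \
  -O acltype=posixacl -O compression=off -O dnodesize=auto -O relatime=on \
  -O xattr=sa -O normalization=formD -O devices=off \
  -O mountpoint=/ -R /mnt \
  rpool mirror "${first_disk_id}3" "$rpool_mirror_arg"
# NOTE(review): rpool/root is created but never mounted; the copy below lands
# on the rpool top-level dataset, which is also what the initramfs hook
# mounts later.  Kept as in the original procedure.
zfs create -o canmount=noauto -o mountpoint=/ rpool/root
mkdir /mnt/boot
# -d: no pool features enabled (the OpenZFS guide's way of keeping the boot
# pool readable by GRUB)
zpool create -d -o ashift=12 -O devices=off -O mountpoint=/boot -R /mnt/ \
  bpool mirror "${first_disk_id}2" "$bpool_mirror_arg"

# Copy the RAM copy of the system onto the new root pool
cp -rf --preserve=all bin boot etc home initrd.img initrd.img.old lib lib32 lib64 libx32 media opt root sbin srv usr var vmlinuz vmlinuz.old tmp /mnt/
mkdir /mnt/{dev,proc,sys,run}
exit # leave the chroot

# ===== STAGE 4: back in the initramfs shell — chroot into the new pool ===
# Seen from the rescue shell the new root is /mnt/mnt (RAM copy at /mnt,
# pool imported under its /mnt).
mount -o rbind /dev/ /mnt/mnt/dev/
mount -o rbind /sys/ /mnt/mnt/sys/
mount -o rbind /proc/ /mnt/mnt/proc/
mount -o rbind /run/ /mnt/mnt/run/
chroot /mnt/mnt/ /bin/bash --login

# ===== STAGE 5: inside the new root ======================================
first_disk_id="/dev/vda"   # fresh shell: re-set to the same device as in stage 3
# Comment out every old fstab entry: the pools are mounted by ZFS, not fstab
sed -i "s/^/#/g" /etc/fstab
apt install --yes zfs-initramfs zfs-dkms grub-efi-amd64-signed shim-signed
# EFI partition by PARTUUID; nofail plus a short timeout so a missing ESP
# does not hold up the boot
echo "PARTUUID=$(blkid -s PARTUUID -o value "${first_disk_id}1") /boot/efi vfat nofail,x-systemd.device-timeout=1 0 1" >> /etc/fstab
mkdir /boot/efi
modprobe nls_cp437
modprobe nls_ascii
modprobe vfat
mount "${first_disk_id}1" /boot/efi/
grub-install
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=debian --recheck
# Tell the kernel which pool holds /
perl -i -pe 's/(GRUB_CMDLINE_LINUX=")/${1}root=ZFS=rpool /' /etc/default/grub
echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
update-grub

# !!! The systemd unit that imports bpool at boot
# (`cat > /etc/systemd/system/zfs-import-bpool.service <<EOF ... EOF`) and
# the extra fstab line that followed it were lost in this copy of the notes.
# Restore both from the OpenZFS guide linked at the top before continuing;
# an empty unit file leaves /boot unimported.
# <zfs-import-bpool.service CONTENTS: RESTORE FROM THE GUIDE>

echo RESUME=none > /etc/initramfs-tools/conf.d/resume
mount /boot
mount /boot/efi

# --- Rebuild the initramfs with the remote-unlock hook ---
# 1. Remove the stage-1 wait loop from /usr/share/initramfs-tools/init; the
#    ZFS hook below takes over the waiting.
# 2. In /usr/share/initramfs-tools/scripts/zfs, find the existing import
#    lines (presumably inside import_pool()):
#        ZFS_CMD="${ZPOOL} import -N ${ZPOOL_FORCE} ${ZPOOL_IMPORT_OPTS}"
#        ZFS_STDERR="$($ZFS_CMD "$pool" 2>&1)"
#        ZFS_ERROR="$?"
#    and insert the block below right after them.
log_begin_msg "\nWait for Password Encrypt Pool!!!\n"
#/sbin/zpool import -f rpool
#/sbin/zfs load-key -L prompt rpool
# Block until the admin has loaded the key over dropbear and created the
# marker.  The path is absolute: the hook's working directory is not
# guaranteed, and both the stage-1 loop and the final ssh step use /condor
# (the original used the relative name "condor" here).  Unlike the stage-1
# loop there is no timeout: without the key the pool cannot be mounted, so
# booting on would fail regardless.
while [ ! -f "/condor" ]; do
  printf 'Waiting for Key!\n\n'
  sleep 60
done
/sbin/zfs set mountpoint=/root rpool
/sbin/zfs mount rpool
/sbin/zpool import -f bpool
/sbin/zfs set mountpoint=/root/boot bpool

# Rebuild the initramfs for the installed kernel.  Assumes exactly one
# directory under /usr/lib/modules; with several, KERNEL holds multiple
# lines and `-k all` is the safer choice.
KERNEL=$(ls /usr/lib/modules/ | cut -d/ -f1 | sed 's/linux-image-//')
update-initramfs -u -k "$KERNEL"
exit # leave the new-root chroot

# ===== STAGE 6: back in the initramfs shell — flush and unmount ==========
sync
umount -l -r /boot/efi
umount -l -r /boot
umount -l -r /mnt/mnt/dev/
umount -l -r /mnt/mnt/proc
umount -l -r /mnt/mnt/sys
umount -l -r /mnt/mnt/run
umount -l -r /mnt/dev/
umount -l -r /mnt/proc
umount -l -r /mnt/sys
umount -l -r /mnt/run
umount -l -r /mnt/mnt

# ===== REBOOT, then from the admin workstation ==========================
# Log in to the initramfs dropbear (port 4747; its host key is not the real
# sshd's, so expect a separate known_hosts entry).
ssh -c aes256-ctr -p 4747 root@HOST-IP
# In that session: load the passphrase, then create the marker the hook
# waits for.
/sbin/zfs load-key -L prompt rpool && touch /condor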