Getch

A CLI tool to install Gentoo or Void Linux with default: + DNS over HTTPS (with Quad9). + Vim | Nano installed. + Iptables installed (not configured). + Sudo installed (not configured). + iwd installed if wifi is detected. + No GUI installed.

Hardened System: + sysctl.conf with TCP/IP stack hardening and more Arch + Kernel parameters enforced (dmesg restricted, kexec disabled, etc) + Kernel source (Gentoo) patched with bask.

Description

Actually, Getch support only the x86_64 architecture and only with the following archives: + Gentoo: stage3-amd64-systemd Gentoo. + Void: rootfs glibc Void.

Filesystem supported (with or without encryption) + Ext4 + Lvm + ZFS

Boot Manager: + Gentoo: BIOS will use Grub2 and systemd-boot for UEFI. + Void: use only Grub2, encryption for the root fs use luks1.

The ISO images i was able to test and that works: + Archlinux + Archaeidae: Custom Archiso that includes ZFS support.

Dependencies

Getch is build without external libs, so it only require ruby >= 2.5.

Install

Getch is cryptographically signed, so add my public key (if you haven’t already) as a trusted certificate.
With gem installed:

$ gem cert --add <(curl -Ls https://raw.githubusercontent.com/szorfein/getch/master/certs/szorfein.pem)
$ gem install getch -P HighSecurity

If you want to try the master branch (can be unstable):

# git clone https://github.com/szorfein/getch
# cd getch
# ruby -I lib bin/getch -h

Usage

Just ensure than the script is run with a root account.

# getch -h

After an install by Getch, take a look on the wiki.

Examples

For a french user:

# getch --zoneinfo "Europe/Paris" --language fr_FR --keymap fr

Install Gentoo on LVM and use a different root disk /dev/sdc

# getch --format lvm --disk sdc

Encrypt your disk with LVM with a french keymap

# getch --format lvm --encrypt --keymap fr

Encrypt with ext4 and create a new user ninja:

# getch --format ext4 --encrypt --username ninja

With ZFS, if used with --encrypt, it use the native ZFS encryption:

# getch --format zfs

With Void Linux:

# getch --os void --encrypt -k fr

Troubleshooting

Old VG for LVM

If a old volume group exist, getch may fail to partition your disk. You have to clean up your device before proceed with vgremove and pvremove. An short example how doing this with a volume group named vg0:

# vgdisplay | grep vg0
# vgremove -f vg0
# pvremove -f /dev/sdb

Encryption enable on BIOS with ext4

To decrypt your disk on BIOS system, you have to enter your password twice. One time for Grub and another time for Genkernel. {post}[https://wiki.archlinux.org/index.php/GRUB#Encrypted_/boot].
Also with GRUB, only a us keymap is working.

ZFS for Gentoo

When Gentoo boot the first time, the pool may fail to start, it's happen when the pool has not been export to the ISO. So just export your pool from the genkernel shell:

The zpool name should be visible (rpool-150ed here), so enter in the Genkernel shell:

> shell
zpool import -f -N -R /tmp rpool-150ed
zpool export -a

Then, just reboot now, it's all.

INFO: To create the zpool, getch use the 5 fist characters from the partuuid, just replace sdX by your real device:

# ls -l /dev/disk/by-partuuid/ | grep sdX4
-> 150ed969...

The pool will be called rpool-150ed.

ZFS for Void Linux - Enable the boot pool

You have some extras step to do after booting to enable the boot pool, you need this pool when you update your system. It's used mainly by Grub and Dracut. By default, your /boot is empty because your boot pool is not imported…

# zpool import -N bpool150ed
# zfs mount bpool150ed/BOOT/void
# ls /boot

You should see something in the boot (initramfs, vmlinuz).. Recreate the initramfs.

# xbps-reconfigure -fa

Transform the boot pool in legacy mode and add this to the fstab:

# zfs set mountpoint=legacy bpool150ed/BOOT/void
# echo "bpool150ed/BOOT/void /boot zfs defaults 0 0" >> /etc/fstab
# mount /boot

The /boot should not be empty again and then, reboot. fstab should do this automatically now.

ZFS Encrypted with Void

Well, another weird issue, the first time you boot on your encrypted pool, nothing append. Dracut try to mount inexistent device. Just wait for enter in the shell:

# ls /lib/dracut/hooks/initqueue/finished/*
# rm /lib/dracut/hooks/initqueue/finished/dev*
# exit

Dracut should finally start mount-zfs.sh and ask for your password. After you first login, follow instructions above for recompile the initramfs and mount the boot pool and your good.