2020-04-21 14:26:45 +00:00
|
|
|
## About gentoo-install
|
2019-12-31 14:28:42 -01:00
|
|
|
|
2020-04-21 14:15:49 +00:00
|
|
|
This script performs a reasonably minimal installation of gentoo. An EFI system is highly
|
|
|
|
recommended, but legacy BIOS boot is still supported.
|
2020-01-06 19:34:44 -01:00
|
|
|
It does everything from the ground up, including creating partitions, downloading
|
|
|
|
and extracting the stage3 archive, initial system configuration and optionally installing
|
|
|
|
some additional software. The script only supports OpenRC and not systemd.
|
|
|
|
|
|
|
|
The system will temporarily use `sys-kernel/vanilla-kernel-bin`, which should be suitable
|
|
|
|
to boot most systems out of the box. I strongly recommend you to replace this kernel
|
|
|
|
with a custom built one, when the system is functional. If you are looking for a way
|
2020-04-21 14:15:49 +00:00
|
|
|
to detect and manage your kernel configuration, have a look at [autokernel](https://github.com/oddlama/autokernel).
|
2020-01-06 19:34:44 -01:00
|
|
|
|
2020-04-21 14:26:45 +00:00
|
|
|
## Quick start
|
|
|
|
|
|
|
|
Edit `scripts/config.sh` and execute `./install` in any live system.
|
|
|
|
This will apply the selected partitioning scheme (with confirmation), and properly
|
|
|
|
install the selected stage3 gentoo system. The new system will by default use
|
|
|
|
`vanilla-kernel-bin` as the kernel, and an initramfs generated with dracut to provide
|
|
|
|
a bootable environment. The script can optionally install `sshd` and `ansible` to
|
|
|
|
allow for quick setup of the new system. So when the script finishes, you can
|
|
|
|
directly begin to deploy your specific setup.
|
|
|
|
|
2020-01-06 19:34:44 -01:00
|
|
|
## Overview
|
|
|
|
|
|
|
|
Here is a quick overview of what this script does:
|
|
|
|
|
|
|
|
* Does everything minus something
|
2020-04-21 14:15:49 +00:00
|
|
|
* Partition disks (supports gpt, raid, luks)
|
2020-01-06 19:34:44 -01:00
|
|
|
* Download and cryptographically verify the newest stage3 tarball
|
|
|
|
* Extract the stage3 tarball
|
|
|
|
* Sync portage tree
|
|
|
|
* Configure the base system
|
|
|
|
- Set hostname
|
|
|
|
- Set timezone
|
|
|
|
- Set keymap
|
|
|
|
- Generate and select locale
|
|
|
|
- Prepare `zz-autounmask` files for portage autounmasking
|
2020-04-21 14:15:49 +00:00
|
|
|
* Select best gentoo portage mirrors
|
2020-01-06 19:34:44 -01:00
|
|
|
* Install git (so you can add your portage overlays later)
|
|
|
|
* Install `sys-kernel/vanilla-kernel-bin` (temporarily, until you replace it)
|
|
|
|
* Copy kernel to efi partition
|
|
|
|
* Create boot entry using efibootmgr
|
|
|
|
* Generate fstab
|
|
|
|
* Lets you set a root password
|
|
|
|
|
|
|
|
Also, optionally the following will be done:
|
|
|
|
|
|
|
|
* Install sshd with secure config
|
|
|
|
* Install dhcpcd
|
|
|
|
* Install ansible, create ansible user and add authorized ssh key
|
|
|
|
* Install additional packages provided in config
|
|
|
|
|
|
|
|
Anything else is probably out of scope for this script,
|
|
|
|
but you can obviously do anything later on when the system is booted.
|
|
|
|
I highly recommend building a custom kernel and maybe encrypting your
|
|
|
|
root filesystem. Have a look at the [Recommendations](#Recommendations) section.
|
|
|
|
|
2020-04-21 14:26:45 +00:00
|
|
|
## Install
|
2020-01-06 19:38:28 -01:00
|
|
|
|
|
|
|
Installing gentoo with this script is simple.
|
|
|
|
|
|
|
|
1. Boot into the live system of your choice. As the script requires some utilities,
|
|
|
|
I recommend using a live system where you can quickly install new software.
|
|
|
|
Any [Arch Linux](https://www.archlinux.org/download/) live iso works fine.
|
|
|
|
2. Clone this repository
|
2020-01-06 19:43:11 -01:00
|
|
|
3. Edit `scripts/config.sh`, and particularily pay attention to
|
2020-01-06 19:38:28 -01:00
|
|
|
the device which will be partitioned. The script will ask before partitioning,
|
|
|
|
but better be safe than sorry.
|
2020-01-06 19:43:11 -01:00
|
|
|
4. Execute `./install`. The script will tell you if your live
|
2020-01-06 19:38:28 -01:00
|
|
|
system is missing any required software.
|
|
|
|
|
2020-04-21 14:26:45 +00:00
|
|
|
### Config
|
2020-01-06 19:34:44 -01:00
|
|
|
|
|
|
|
The config file `scripts/config.sh` allows you to adjust some parameters of the installation.
|
|
|
|
The most important ones will probably be the device to partition, and the stage3 tarball name
|
2020-01-06 19:38:28 -01:00
|
|
|
to install. By default you will get the hardened nomultilib profile without systemd.
|
2020-01-06 19:34:44 -01:00
|
|
|
|
2020-04-21 14:26:45 +00:00
|
|
|
### (Optional) sshd
|
2020-01-06 19:34:44 -01:00
|
|
|
|
|
|
|
The script can provide a fully configured ssh daemon with reasonably good security settings.
|
2020-01-09 17:02:52 -01:00
|
|
|
It will by default run on port `2222`, only allow ed25519 keys, restrict the key exchange
|
|
|
|
algorithms, disable any password based authentication, and only allow specifically mentioned
|
|
|
|
users to use ssh service (none by default).
|
2020-01-06 19:34:44 -01:00
|
|
|
|
|
|
|
To add a user to the list of allowed users, append `AllowUsers myuser` to `/etc/ssh/sshd_config`.
|
|
|
|
I recommend to create a separate group for all ssh users (like `sshusers`) and
|
|
|
|
to use `AllowGroups sshusers`. You should adjust this to your preferences when
|
|
|
|
the system is installed.
|
|
|
|
|
2020-04-21 14:26:45 +00:00
|
|
|
### (Optional) Ansible
|
2020-01-06 19:34:44 -01:00
|
|
|
|
|
|
|
This script can install ansible, create a system user for ansible and add an ssh key of
|
|
|
|
you choice to the `.authorized_keys` file. This allows you to directly use ansible when
|
|
|
|
the new system is up to configure the rest of the system.
|
|
|
|
|
2020-04-21 14:26:45 +00:00
|
|
|
### (Optional) Additional packages
|
2020-01-06 19:34:44 -01:00
|
|
|
|
|
|
|
You can enter any amount of additional packages to be installed on the target system.
|
|
|
|
These will simply be passed to a final `emerge` call before the script is done.
|
|
|
|
Autounmasking will be done automatically.
|
|
|
|
|
2020-04-21 14:26:45 +00:00
|
|
|
### Troubleshooting
|
2020-01-06 19:43:11 -01:00
|
|
|
|
|
|
|
The script checks every command for success, so if anything fails during installation,
|
|
|
|
you will be given a proper message of what went wrong. Inside the chroot,
|
|
|
|
most commands will be executed in some kind of try loop, and allow you to
|
|
|
|
fix problems interactively with a shell, to retry, or to skip the command.
|
|
|
|
|
2020-04-21 14:26:45 +00:00
|
|
|
## Recommendations
|
2020-01-06 19:34:44 -01:00
|
|
|
|
|
|
|
There are some things that you probably want to do after installing the base system,
|
|
|
|
or should consider:
|
|
|
|
|
2020-01-06 19:38:28 -01:00
|
|
|
* Read the news with `eselect news read`.
|
2020-01-06 19:34:44 -01:00
|
|
|
* Use a custom kernel (config and hardening, see [kernconf](https://github.com/oddlama/kernconf)), and remove `vanilla-kernel-bin`
|
|
|
|
* Adjust `/etc/portage/make.conf`
|
|
|
|
- Set `CFLAGS` to `-O2 -pipe -march=native` for native builds
|
|
|
|
- Set `CPU_FLAGS_X86` using the `cpuid2cpuflags` tool
|
|
|
|
- Set `MAKEOPTS` to `-jN` with N being the amount of threads used for building
|
|
|
|
- Set `EMERGE_DEFAULT_OPTS` to `-jN` if you want parallel emerging
|
|
|
|
- Set `FEATURES="buildpkg"` if you want to build binary packages
|
|
|
|
* Use a safe umask like `umask 0077`
|
2020-01-09 17:02:52 -01:00
|
|
|
* Edit `/etc/ssh/sshd_config`, change the port if you want and create a `sshusers` group.
|
2020-01-06 19:34:44 -01:00
|
|
|
* Encrypt your system using LUKS
|
|
|
|
- Remount the root fs read-only
|
|
|
|
- Use `rsync -axHAWXS --numeric-ids --info=progress2 / /path/to/backup` to safely backup the whole
|
|
|
|
system including all extended attributes.
|
|
|
|
- Encrypt partition with LUKS
|
|
|
|
- Use rsync to restore the saved system root.
|
2020-01-03 21:48:49 -01:00
|
|
|
|
2020-04-21 14:26:45 +00:00
|
|
|
## References
|
2020-01-03 21:48:49 -01:00
|
|
|
|
|
|
|
* [Sakaki's EFI Install Guide](https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide)
|
|
|
|
* [Gentoo AMD64 Handbook](https://wiki.gentoo.org/wiki/Handbook:AMD64)
|