#!/bin/sh set -v # Based on # https://wiki.alpinelinux.org/wiki/LVM_on_LUKS # Prerequisites for this script # setup-interfaces # ifup eth0 # Ask for passwords IFS= read -sp 'Encryption password:' ENCPWD echo # Set up repositories cat </etc/apk/repositories http://dl-cdn.alpinelinux.org/alpine/v3.8/main http://dl-cdn.alpinelinux.org/alpine/v3.8/community EOF # Install disk management tools apk --no-cache add lvm2 cryptsetup e2fsprogs syslinux # Create disk partitions cat </mnt/etc/fstab /dev/vg0/root / ext4 rw,noatime,data=ordered 0 1 ${BOOT_UUID} /boot ext4 rw,noatime,data=ordered 0 2 /dev/vg0/swap swap swap defaults 0 0 EOF echo "system /dev/sda2 none luks" >/mnt/etc/crypttab # Rebuild initfs sed -i 's/lvm/lvm cryptsetup/' /mnt/etc/mkinitfs/mkinitfs.conf mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt $(ls /mnt/lib/modules) # Update extlinux (ignore the errors) sed -i 's/rootfstype=ext4/rootfstype=ext4 cryptroot=\/dev\/sda2 cryptdm=system/' /mnt/etc/update-extlinux.conf chroot /mnt update-extlinux # Set time zone chroot /mnt setup-timezone -z Europe/Prague # Install basic system apk --no-cache add apache2-utils gettext wget https://dl.dasm.cz/basic.tar -O - | tar xf - -C /mnt chroot /mnt apk --no-cache add ca-certificates curl bridge e2fsprogs-extra gettext iptables kbd-misc libcap libressl libseccomp postfix python3 py3-bcrypt py3-cffi py3-cryptography py3-dnspython py3-jinja2 py3-requests py3-six py3-werkzeug nginx util-linux acme-sh@vm lxc@vm for SERVICE in cgroups consolefont crond iptables networking nginx ntpd postfix swap urandom vmmgr; do ln -s /etc/init.d/${SERVICE} /mnt/etc/runlevels/boot done ADMINPWD=$(htpasswd -bnBC 10 "" "${ENCPWD}" | tr -d ':\n' | sed 's/$2y/$2b/') envsubst /mnt/srv/vm/config.json # Change root password echo "root:$(head -c 18 /dev/urandom | base64)" | chroot /mnt chpasswd # Cleanup rm -rf /mnt/root mkdir /mnt/root # Install bootloader to MBR dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda # Unmount and shut down umount /mnt/boot umount /mnt vgchange -a n cryptsetup luksClose system poweroff