A collection of scripts and configuration files used to quickly deploy a minimal Arch Linux installation with ZFS on root and encryption using dm-crypt/LUKS.
Please note that these scripts are system specific and subject to change depending on hardware configuration of the destination computer.
Scripts are written for Bash and must be executed in this shell. They are designed for and tested on Arch Linux only!
Also note that these scripts are not designed to accommodate all types of hardware, installation and configuration options. Installation script is made to suite a specific use case and contain configuration options that are specific for the destination computer, i.e. locale. System hardening that is performed by configuration script is not official common best practices and are subject to debate and changes in the future.
This script deploys a minimal Arch Linux installation base with ZFS on root and encryption using dm-crypt/LUKS.
Script only supports a single disk drive configuration and will automatically partition the disk with the following scheme.
+---------------------------------------------------------------------------+
| /dev/disk/by-id/ata|nvme-Manufacturer_Model_Number |
+-------------------+-------------------------------------------------------+
| ESP partition: | Linux filesystem partition: |
+-------------------+-------------------------------------------------------+
| 550 MB | Remaining disk space |
| | |
| Not encrypted | Encrypted |
+-------------------+-------------------------------------------------------+
Script is designed to be used on a UEFI system only. No legacy BIOS support, hence no Master Boot Record (MBR) will be created.
The EFI System Partition (ESP) is mounted to /efi. The root partition (/) is a ZFS pool (rpool) encrypted with dm-crypt/LUKS (crypt-root).
ata|nvme-Manufacturer_Model_Number-part1
└─ ESP (/efi)
ata|nvme-Manufacturer_Model_Number-part2
└─ crypt-root (/)
└─ ZFS pool (rpool)
The following ZFS datasets will be automatically created during installation.
| Name | Mountpoint |
|---|---|
rpool |
/ |
rpool/ROOT |
none |
rpool/ROOT/arch |
/ |
rpool/home |
/home |
rpool/home/root |
/root |
rpool/opt |
/opt |
rpool/srv |
/srv |
rpool/usr |
/usr |
rpool/usr/local |
/usr/local |
rpool/var |
/var |
rpool/var/cache |
/var/cache |
rpool/var/lib |
/var/lib |
rpool/var/lib/libvirt |
/var/lib/libvirt |
rpool/var/log |
/var/log |
rpool/var/tmp |
/var/tmp |
Installation is performed using the Arch Linux instalation image (archiso).
It must however be embedded with the archzfs packages. Consult the Arch wiki for instructions on creating a custom archiso image with archzfs packages.
An alternative to building a custom archiso image is to download the pre-built image from the ALEZ project, as it already contains archzfs packages.
Prior to script execution, boot the Arch Linux installation image that has the archzfs packages embedded (see prerequisites above).
Update repositories in the Arch Linux live environment.
# pacman -Sy --noconfirm
Install Git.
# pacman -S --noconfirm git
Download Git repository.
# git clone https://github.com/pwyde/deploy-arch-linux.git
# cd deploy-arch-linux
Start the scripted installation.
# bash install-arch-zfs-root.sh --install
| Option | Description |
|---|---|
-i,--install |
Performs installation and configuration on destination system. |
-p,--post-install |
Performs post-installation configuration. This option is only used when performing configuration in the chroot environment. Should NOT be used when executing script. |
-h,--help |
Display help message including available options. |
The resulting Arch Linux installation with ZFS on root contains a few configuration options that must be known and cannot or should not be changed in the future.
- The
encrypthook only allows for a single encrypted disk. Hence a ZFS pool mirror/raidz is not possible with two or more LUKS encrypted drives. - The
systemdhook cannot be used when creating the initramfs image withmkinitcpiocommand. If systemd is used in the initramfs, the AUR packagemkinitcpio-sd-zfsmust be installed and thezfshook must be changed tosd-zfs. Keep in mind that this hook uses different kernel parameters than the defaultzfshook. Also note that this package has not received any updates during the last couple of years. The developer has also stated on the GitHub project page that he is not actively maintaining it anymore.
There are also other considerations that should be taken into account on the resulting system.
- Due to limitations of the ESP and boot loader (systemd-boot), a copy of the Linux kernel and initramfs image will be stored on the non-encrypted partition. The copy procedure is handled automoatically by the custom systemd service unit named
update-esp.path. This makes the resulting system subject to Evil Maid attacks due to the exposed kernel and initramfs image. This should be mitigated by enabling Secure Boot and preferably with custom keys. The AUR packagescryptbootandsbupdatecan assist with this procedure.
Script performs post-deployment configuration on a newly installed Arch Linux system. Used for installing utilities/tools and basic system hardening.
Script performs the following configuration changes:
- Configure pacman.
- Initializing and refresh the keyring.
- Configure makepkg.
- Update packages.
- Create a regular user.
- Configure SSH.
- SSH daemon and client hardening.
- Creates dedicated SSH user group and adds specified user to group.
- Configure hostname.
- Configure console colors.
- Configure file and inode limits.
- Configure journal size limit.
- Configure swappiness.
- Disable core dumps.
- Set a timeout for sudo sessions.
- TCP/IP stack hardening.
- Restrict access to kernel logs.
- Disable Speck kernel module.
- Secure kernel pointers in /proc filesystem.
- Restrict access to ptrace.
- Hide PIDs.
Script can also automatically install paru as the preferred AUR helper if the --aur-helper option is specified (optional).
| Option | Description |
|---|---|
-c,--configure |
Apply system configuration and hardening included in script. |
-a,--aur-helper |
Install preferred AUR helper (paru). |
-h,--help |
Display help message including available options. |
Script is based from and inspired by the following sources:
- Arch Linux on an encrypted ZFS root system
- Arch Linux on ZFS - Part 1: Embed ZFS in Archiso
- Arch Linux on ZFS - Part 2: Installation
- Arch Linux on ZFS - Part 3: Backups, Snapshots and Other Features
- Ubuntu 18.04 Root on ZFS
This project is licensed under the GNU General Public License v3.0. See the LICENSE file for more information.