IaC/ansible/roles/archinstall/tasks/main.yml


---
# Task list for installing Arch Linux on the target host (see the pacstrap
# commands further down). Each task below carries only a name and no
# module/action yet; the commented shell sequence that follows appears to be
# the manual procedure this role is meant to automate.
- name: attach installation iso as virtual media
- name: boot from installation iso
- name: detect booted ip address
- name: configure disks
# Specify root disk and part, set to type 23 (linux root x86-64), label root
# Specify efi disk and part, set to type 1 (efi system), label efi
# format efi partition
# mkfs.fat -F32 /dev/mmcblk0p1
# Encrypt root partition
# cryptsetup -y -v luksFormat /dev/sda1 # TODO add keyfile/password automatically (supply it at run time, e.g. a vault-encrypted variable or a prompt; do not commit it alongside the playbook)
# cryptsetup open /dev/sda1 root
# mkfs.ext4 /dev/mapper/root
# mkdir /mnt/root
# mount /dev/mapper/root /mnt/root
# mkdir /mnt/root/efi
# mount /dev/mmcblk0p1 /mnt/root/efi
# Add cryptsetup params to kernel cmdline
# cryptdevice=UUID=device-UUID:root root=/dev/mapper/root rw
# add efi to /etc/fstab
# mkdir /mnt/mountpoint/etc
# sudo genfstab -L /mnt/mountpoint >> /mnt/mountpoint/etc/fstab
- name: sync ntp
# timedatectl set-timezone Australia/Brisbane
# timedatectl set-ntp true
# run reflector to get a list of mirrors
# reflector -c AU --save /etc/pacman.d/mirrorlist
# update dbs
# pacman -Sy
# pacstrap
# pacstrap -K /mnt/root base linux-lts linux-firmware nano openssh bind bash efibootmgr reflector screen pv pinentry sudo man-db man-pages texinfo ufw nftables intel-ucode e2fsprogs dosfstools curl cryptsetup sbctl sbsigntools fwupd fwupd-efi dmidecode udisks2 usbutils inetutils ethtool qemu-guest-agent arch-install-scripts lsof
# desktop
# pacstrap -K /mnt base linux linux-firmware nano openssh bind bash efibootmgr reflector screen pv pinentry sudo man-db man-pages texinfo ufw nftables intel-ucode e2fsprogs dosfstools curl cryptsetup sbctl sbsigntools fwupd fwupd-efi dmidecode udisks2 usbutils inetutils ethtool arch-install-scripts lsof btrfs-progs plasma-meta plasma-wayland-session kde-system dolphin-plugins
# gen fstab
# genfstab -L /mnt/root >> /mnt/root/etc/fstab
#
# chroot from here
#
# set hostname
# echo hv00 > /etc/hostname
# TODO add entries to /etc/hosts
# 127.0.0.1 localhost
# ::1 localhost
# 127.0.1.1 static_fqdn
# link timezone
# ln -sf /usr/share/zoneinfo/Australia/Brisbane /etc/localtime
# enable ntp again
# timedatectl set-ntp true # TODO move this post reboot
# sync hardware clock
# hwclock --systohc
# set locale
# sed -i 's/#en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/g' /etc/locale.gen
# locale-gen
# echo LANG=en_US.UTF-8 > /etc/locale.conf
# uncomment wheel group in /etc/sudoers
# sed -i 's/# %wheel ALL=(ALL:ALL) ALL/%wheel ALL=(ALL:ALL) ALL/g' /etc/sudoers
# validate the edited file before leaving the chroot: visudo -cf /etc/sudoers (a syntax error here disables sudo entirely)
# add user
# useradd -u 1000 -U -m -b /home/ -G wheel -s /bin/bash ladmin
# set new user password (do this, and confirm sudo works for ladmin, before locking root below, or you can lock yourself out)
# disable root user
# passwd -l root
# usermod -s /sbin/nologin root
# create /etc/kernel/cmdline file
# the uuids are the DISK uuids from /dev/disk/by-uuid, NOT the partuuids
# echo 'cryptdevice=dbbb9fb2-5509-4701-a2bb-5660934a5378:root root=/dev/mapper/root rw' > /etc/kernel/cmdline
# (the cmdline note earlier writes this as cryptdevice=UUID=<uuid>:root — check which form the encrypt hook expects)
# for sd-encrypt hook
# echo 'rd.luks.name=dbbb9fb2-5509-4701-a2bb-5660934a5378=root root=/dev/mapper/root rw' > /etc/kernel/cmdline
# create a default systemd-networkd config
# enable systemd-networkd
# enable sshd
# enable ufw service
# enable ufw firewall
# create ufw config to allow ssh port 22 (add this rule before enabling ufw above, otherwise the remote session is cut off)
# modify mkinitcpio presets
# template file?
# output to default efi path ESP/efi/boot/bootx64.efi
# modify mkinitcpio.conf for encryption
# old HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block filesystems fsck)
# new HOOKS=(base systemd keyboard autodetect modconf kms block sd-encrypt filesystems fsck)
# sed -i 's/^HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)/HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)/g' /etc/mkinitcpio.conf
# note: this sed only changes anything if the installed HOOKS line matches the pattern exactly (the "old" line above differs), and the udev "encrypt" hook goes with the cryptdevice= cmdline, while sd-encrypt needs the rd.luks.name= form
# generate sb keys with sbctl
# keys go to /usr/share/secureboot/keys/db/db.pem
# enroll sbctl keys
# add console= option to cmdline file
# create initcpio post hook /etc/initcpio/post/uki-sbsign
# make /etc/initcpio/post/uki-sbsign executable
# chmod +x /etc/initcpio/post/uki-sbsign
# make initcpio
# mkinitcpio -p linux-lts
# vfio and iommu
# add 'intel_iommu=on iommu=pt' to kernel cmdline
# add vfio binding
# vp2420 iGPU = 8086:4555
# add vfio-pci ids to /etc/kernel/cmdline
# vfio-pci.ids=8086:4555
# add vfio modules to mkinitcpio.conf
# MODULES=(vfio_pci vfio vfio_iommu_type1)
# ensure modconf hook is in mkinitcpio.conf
# HOOKS=(base systemd keyboard autodetect modconf kms block sd-encrypt filesystems fsck)
# efibootmgr: NO BACKSLASH in -l when the loader file sits at the ESP root
# efibootmgr -c -d /dev/nvme0n1 -p 1 -L "Arch Linux" -l "archlinux.efi"