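---
# Arch Linux provisioning steps for the hv00 hypervisor (VP2420).
# The `- name:` entries are placeholders: each still needs a module
# (e.g. ansible.builtin.shell) before this file will run; the commented
# shell steps under each task are the intended implementation.
- name: attach installation iso as virtual media
- name: boot from installation iso
- name: detect booted ip address
- name: configure disks
# Specify root disk and part, set to type 23 (linux root x86-64), label root
# Specify efi disk and part, set to type 1 (efi system), label efi
# format efi partition
# mkfs.fat -F32 /dev/mmcblk0p1
# Encrypt root partition
# cryptsetup -y -v luksFormat /dev/sda1
# TODO add keyfile/password automatically
# NOTE: when this is automated, feed the passphrase on stdin (see cryptsetup(8)
# --key-file) from an Ansible Vault variable rather than passing it in argv or
# storing a keyfile next to the playbook / on the unencrypted EFI partition --
# either of those leaves the root key recoverable without the passphrase.
# cryptsetup open /dev/sda1 root
# mkfs.ext4 /dev/mapper/root
# mkdir /mnt/root
# mount /dev/mapper/root /mnt/root
# mkdir /mnt/root/efi
# mount /dev/mmcblk0p1 /mnt/root/efi
# Add cryptsetup params to kernel cmdline
# cryptdevice=UUID=device-UUID:root root=/dev/mapper/root rw
# add efi to /etc/fstab
- name: sync ntp
# timedatectl set-timezone Australia/Brisbane
# timedatectl set-ntp true
# run reflector to get a list of mirrors
# reflector -c AU --save /etc/pacman.d/mirrorlist
# update dbs
# pacman -Sy
# pacstrap
# pacstrap -K /mnt/root base linux-lts linux-firmware nano openssh bind bash efibootmgr reflector screen pv pinentry sudo man-db man-pages texinfo ufw nftables intel-ucode e2fsprogs dosfstools curl cryptsetup
# sbctl sbsigntools fwupd fwupd-efi dmidecode udisks2 usbutils
# gen fstab
# genfstab -L /mnt/root >> /mnt/root/etc/fstab
#
# chroot from here
#
# set hostname
# echo hv00 > /etc/hostname
# link timezone
# ln -sf /usr/share/zoneinfo/Australia/Brisbane /etc/localtime
# enable ntp again
# timedatectl set-ntp true
# TODO move this post reboot
# sync hardware clock
# hwclock --systohc
# set locale
# sed -i 's/#en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/g' /etc/locale.gen
# locale-gen
# echo LANG=en_US.UTF-8 > /etc/locale.conf
# uncomment wheel group in /etc/sudoers
# sed -i 's/# %wheel ALL=(ALL:ALL) ALL/%wheel ALL=(ALL:ALL) ALL/g' /etc/sudoers
# validate the edit: a broken sudoers locks out sudo, and root is disabled below
# visudo -c
# add user
# useradd -u 1000 -U -m -b /home/ -G wheel -s /bin/bash ladmin
# set new user password
# NOTE: source the password from Ansible Vault; never a literal in this file.
# disable root password
# passwd -l root
# create /etc/kernel/cmdline file
# Only ONE of the next two lines applies -- each '>' overwrites the file.
# The cryptdevice= form belongs to the legacy udev/encrypt hook and needs the
# UUID= prefix (see the cmdline note under "configure disks"); the rd.luks.name=
# form is what the systemd/sd-encrypt HOOKS chosen below expect, so it is the
# one that must end up in the file.
# echo 'cryptdevice=UUID=dbbb9fb2-5509-4701-a2bb-5660934a5378:root root=/dev/mapper/root rw' > /etc/kernel/cmdline
# echo 'rd.luks.name=dbbb9fb2-5509-4701-a2bb-5660934a5378=root root=/dev/mapper/root rw' > /etc/kernel/cmdline
# create a default systemd-networkd config
# enable systemd-networkd
# enable sshd
# NOTE: before enabling sshd, set PasswordAuthentication no and PermitRootLogin no
# in /etc/ssh/sshd_config and install ladmin's authorized key -- root is locked
# above, so key-only login for ladmin becomes the only remote path.
# enable ufw service
# enable ufw firewall
# create ufw config to allow ssh port 22
# NOTE: the ssh allow rule must be present before the firewall is enabled, or a
# remote provisioning session is cut off; reorder these two steps accordingly.
# modify mkinitcpio for encryption
# old HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block filesystems fsck)
# new HOOKS=(base systemd keyboard autodetect modconf kms block sd-encrypt filesystems fsck)
# The sed pattern must match the installed HOOKS line exactly, otherwise sed
# silently changes nothing and the initramfs is built without any encryption
# hook (root cannot be unlocked at boot). Confirm the current default first with
# `grep ^HOOKS= /etc/mkinitcpio.conf`, as it changes between mkinitcpio releases.
# sed -i 's/^HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block filesystems fsck)/HOOKS=(base systemd keyboard autodetect modconf kms block sd-encrypt filesystems fsck)/' /etc/mkinitcpio.conf
# grep -q 'sd-encrypt' /etc/mkinitcpio.conf || exit 1
# generate sb keys with sbctl
# keys go to /usr/share/secureboot/keys/db/db.pem
# NOTE: the matching private key sits alongside the .pem; keep it root-only and
# back it up offline -- without it no future kernel/UKI can be signed for this box.
# enroll sbctl keys
# NOTE: enrolling only custom keys can leave firmware option ROMs (e.g. the iGPU)
# unverifiable on some boards; check the firmware tolerates it, or use sbctl's
# option to include the Microsoft certificates at enrollment.
# add console= option to cmdline file
# create initcpio post hook /etc/initcpio/post/uki-sbsign
# make /etc/initcpio/post/uki-sbsign executable
# chmod +x /etc/initcpio/post/uki-sbsign
# make initcpio
# mkinitcpio -p linux-lts
# vfio and iommu
# add 'intel_iommu=on iommu=pt' to kernel cmdline
# add vfio binding
# vp2420 iGPU = 8086:4555
# add vfio-pci ids to /etc/kernel/cmdline
# vfio-pci.ids=8086:4555
# add vfio modules to mkinitcpio.conf
# MODULES=(vfio_pci vfio vfio_iommu_type1)
# ensure modconf hook is in mkinitcpio.conf
# HOOKS=(base systemd keyboard autodetect modconf kms block sd-encrypt filesystems fsck)
# NOTE: the cmdline/MODULES edits above come after 'mkinitcpio -p linux-lts';
# presumably the cmdline is embedded in the UKI, so mkinitcpio has to be re-run
# (which also re-signs via the post hook) for console=, iommu and vfio to apply.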