User:TheAifam5/Handbook/Installation

Gentoo on ZFS with native encryption on Root, TPM2 and per-user YubiKey
This page describes my personal steps for installing Gentoo on ZFS with native encryption enabled on root, TPM2 and per-user YubiKey support.

TODO

 * Add support for unlocking the home directory using the fingerprint scanner as the main and/or an alternative method - right now that is not important.

Requirements

 * Time and a little bit of knowledge
 * A bootable live Unix-based distro with ZFS support (like nchevsky/systemrescue-zfs)
 * Note: this page is based on a custom build of nchevsky/systemrescue-zfs with ZFS 2.1.0 and SystemRescue 8.0
 * YubiKey (at least 2, so one is a backup)
 * Device with TPM2
 * Internet connection

Preparing live environment
Boot the image and set up the environment as follows:

Disk layout
Create 2 partitions of size 842098 MiB and 16384 MiB on NVME #1 and NVME #2, leaving the rest for over-provisioning. Then create 4 partitions on SATA #1 and SATA #2 of size 512 MiB, 32768 MiB, 382909 MiB and 16384 MiB.

EFI (512 MiB)
The first partition of SATA #1 and SATA #2 will be the EFI partition, mirrored between the two disks.

ZPOOL (1225007 MiB)
The first partition of NVME #1 and NVME #2 will be in RAID 1 (mirrored), and the third partition of SATA #1 and SATA #2 will also be in RAID 1. All the partitions mentioned will be used to create a single ZPOOL made of these two mirrors.

ZIL (32768 MiB)
The second partition of NVME #1 and NVME #2 will be in RAID 1 to create a single mirrored ZIL.

L2ARC (32768 MiB)
The fourth partition of SATA #1 and SATA #2 will be used as-is (no mirroring) to create the L2ARC cache.

SWAP (65536 MiB)
The second partition of SATA #1 and SATA #2 will be used as-is as SWAP partitions.
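As an added example that is not part of the original page (whose own commands are not reproduced here), the following script assembles the single zpool create call that matches the layout above. Disk paths, the pool name and the altroot are placeholder assumptions, and the passphrase key source only stands in for the TPM2/YubiKey key handling, which this section does not cover.

```shell
#!/bin/sh
# Added example: assembles the 'zpool create' call for the disk layout above.
# Disk paths, pool name and altroot are placeholders/assumptions.
set -eu

NVME1=/dev/disk/by-id/PLACEHOLDER-nvme1   # assumption: stable by-id links
NVME2=/dev/disk/by-id/PLACEHOLDER-nvme2
SATA1=/dev/disk/by-id/PLACEHOLDER-sata1
SATA2=/dev/disk/by-id/PLACEHOLDER-sata2
POOL=rpool                                # assumption: pool name
ALTROOT=/mnt/gentoo                       # assumption: install root in the live env

# Print the zpool create command for the page's layout:
#   data  : mirror(NVME1-part1 NVME2-part1) + mirror(SATA1-part3 SATA2-part3)
#   log   : mirror(NVME1-part2 NVME2-part2)   -> ZIL
#   cache : SATA1-part4 SATA2-part4           -> L2ARC (cache vdevs cannot be
#                                                mirrored, so they go in as-is)
# EFI (part1) and SWAP (part2) on the SATA disks stay outside the pool.
# Encryption is set on the pool's root dataset so every child inherits it;
# keyformat=passphrase/keylocation=prompt is a stand-in for the TPM2/YubiKey
# key source, which is not shown here.
zpool_create_cmd() {
    printf '%s' \
        "zpool create -o ashift=12 -o autotrim=on" \
        " -O encryption=aes-256-gcm -O keyformat=passphrase -O keylocation=prompt" \
        " -O compression=lz4 -O acltype=posixacl -O xattr=sa -O relatime=on" \
        " -O normalization=formD -O mountpoint=none -O canmount=off" \
        " -R $ALTROOT $POOL" \
        " mirror ${NVME1}-part1 ${NVME2}-part1" \
        " mirror ${SATA1}-part3 ${SATA2}-part3" \
        " log mirror ${NVME1}-part2 ${NVME2}-part2" \
        " cache ${SATA1}-part4 ${SATA2}-part4"
    printf '\n'
}

# Refuse to run against any path that is not an existing block device.
devices_present() {
    for d in "$NVME1" "$NVME2" "$SATA1" "$SATA2"; do
        [ -b "$d" ] || { echo "missing block device: $d" >&2; return 1; }
    done
}

# Dry run by default; pass --apply to execute (only after editing the paths).
if [ "${1:-}" = "--apply" ]; then
    devices_present
    sh -c "$(zpool_create_cmd)"
else
    zpool_create_cmd
fi
```

Run without arguments it only prints the command, so the vdev grammar can be checked against zpool status expectations before anything is written to disk.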

Dataset structure verification
You might want to verify the structure of the created datasets:

Afterwards you can mount the home directory from the userdata dataset:

Extraction and setup
First of all, we need to extract Gentoo onto ZFS; it might take a while:

Afterwards we can create an EFI directory and mount it:

The ZFS cache file, resolv.conf and hostid also need to be copied:

Chrooting
Everything should be prepared now; we can chroot into the environment using:

Now, just set up the chrooted environment:

Base System
Select the default Gentoo repository; it will fetch the state of the last 24 hours.

You might also want to update to the newest, but only if it is required:

Put the Portage and genkernel TMPDIR on tmpfs

Mount tmpfs and update packages

Configure Portage make.conf

List and verify that the proper profile is selected:

Increase RLIMIT_MEMLOCK

Set locale

Update configuration

Update OpenRC configuration

Blacklist nouveau driver

Install tools

Copy the output of the cpuid2cpuflags command and configure Portage make.conf

Configure USE flags

Disable PAM for busybox and remove netifrc and newnet

Install NetworkManager

Clean up and update world

Automatically symlink the kernel

Install microcode

Put it into Portage make.conf

Install genkernel and pf-sources

Check if the kernel is selected

Configure genkernel

Create a wrapper around genkernel

And make it executable

System Packages
Add kernel config

Build kernel & update config

Install system packages

Remove netifrc

Enable services

ZFS Module & Tools
Apply compatibility patches for 5.14 kernels

Install ZFS 2.1.0 and set the compatibility kernel version to 5.14

Configure ARC

Check if /etc/hostid is present, otherwise execute

Enable services

Build Kernel
Build kernel, initramfs, adjust EFI entries

Finish