User:TheAifam5/Handbook/Installation

Gentoo on ZFS with native encryption on Root, TPM2 and per-user YubiKey
This page describes my personal steps for installing Gentoo on ZFS with native encryption enabled on root, TPM2 and per-user YubiKey support.

TODO

 * Add support for unlocking the home directory using the fingerprint scanner as the main and/or an alternative method - right now that is not important.

Requirements

 * 1) Time and a little bit of knowledge
 * 2) Bootable live Unix-based distro with ZFS support (like nchevsky/systemrescue-zfs)
 * 3) *Note: This page is based on a custom build of nchevsky/systemrescue-zfs with ZFS 2.1.0 and SystemRescue 8.0
 * 4) YubiKey (at least 2, for backup)
 * 5) Device with TPM2
 * 6) Internet connection

Preparing live environment
Boot the image and set up the environment as follows:

Disk layout
NVMe drives will be used whole, without a partition table, as ZFS pool members. SATA drives will contain 3 partitions: EFI (512 MiB), SWAP (32 GiB) and the remaining space, which will be assigned to the ZFS pool.

EFI (512 MiB available)
The first partition of SATA #1 and SATA #2 will hold the EFI partition, mirrored across both drives.

ZPOOL (1.33 TiB available)
The first partition of NVMe #1 and NVMe #2 will be in RAID 1 (mirror), and the third partition of SATA #1 and SATA #2 will also be in RAID 1. All partitions mentioned will be combined into a single mirrored ZPOOL.

SWAP (64 GiB available)
The second partition of SATA #1 and SATA #2 will each be used as is as a SWAP partition.

Dataset structure verification
You might want to verify the structure of the created datasets:

Export the ZFS pool:

Re-import the ZFS pool and load the keys:

Afterwards you can mount the home directory from the userdata dataset:
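The disk layout above and the export, re-import and load-key sequence, as an added shell example that is not part of the original page: the device ids, the pool name rpool, the dataset names under rpool/ROOT and rpool/userdata, and the property choices are my assumptions. With DRY_RUN=1 it only prints the commands, so the layout can be checked before any disk is touched.

```shell
#!/bin/sh
# Added example, not the page's own commands. Device ids, pool and dataset
# names are assumed placeholders; replace them with your own /dev/disk/by-id.
set -eu

NVME1=${NVME1:-/dev/disk/by-id/nvme-DISK1}
NVME2=${NVME2:-/dev/disk/by-id/nvme-DISK2}
SATA1=${SATA1:-/dev/disk/by-id/ata-DISK1}
SATA2=${SATA2:-/dev/disk/by-id/ata-DISK2}
MNT=${MNT:-/mnt/gentoo}

# DRY_RUN=1 prints each command instead of executing it.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# One pool made of two mirrors: the whole NVMe disks and the third SATA
# partitions. Encryption is set on the pool root so every child dataset
# inherits it; keylocation=prompt means the passphrase is asked for at
# import/boot time and is never stored on disk.
create_pool() {
  run zpool create -f -o ashift=12 -o autotrim=on \
    -O encryption=aes-256-gcm -O keyformat=passphrase -O keylocation=prompt \
    -O compression=lz4 -O acltype=posixacl -O xattr=sa -O relatime=on \
    -O canmount=off -O mountpoint=none -R "$MNT" rpool \
    mirror "$NVME1" "$NVME2" \
    mirror "${SATA1}-part3" "${SATA2}-part3"
}

# Root filesystem container plus a userdata container for per-user datasets.
create_datasets() {
  run zfs create -o canmount=off -o mountpoint=none rpool/ROOT
  run zfs create -o canmount=noauto -o mountpoint=/ rpool/ROOT/gentoo
  run zfs mount rpool/ROOT/gentoo
  run zfs create -o canmount=off -o mountpoint=/home rpool/userdata
}

# Export, re-import under the altroot without mounting (-N), load all keys,
# then mount root. This proves the keys can be loaded before chrooting.
reimport_pool() {
  run zpool export rpool
  run zpool import -d /dev/disk/by-id -R "$MNT" -N rpool
  run zfs load-key -a
  run zfs mount rpool/ROOT/gentoo
}
# Usage: DRY_RUN=1 sh -c '. ./zfs-layout.sh; create_pool; create_datasets; reimport_pool'
```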

Extraction and setup
First of all, we need to extract Gentoo onto ZFS; it might take a while:

Afterwards we can create an EFI directory and mount it:

The ZFS cache file, resolv.conf and hostid also need to be copied:

Chrooting
Everything should be prepared now; we can chroot into the environment using:

Now, just set up the chrooted environment:

Base System
Select the default Gentoo repository; it will fetch the state of the last 24 hours.

You might also want to update to the newest state, but only if it is required:

Put the Portage and genkernel TMPDIR on tmpfs.

Add the required USE flags:

Set up the locale.

Generate the locale.

Select the locale.

List and verify that the proper profile is selected:

Configure Portage make.conf.

Increase RLIMIT_MEMLOCK.

Mount tmpfs and update packages.

Update the OpenRC configuration.

Install tools.

Copy the output of the cpuid2cpuflags command and configure Portage make.conf.

Configure USE flags.

Disable PAM for busybox:

Uninstall cpuid2cpuflags and clean up:

Update world:

Enable the unstable branch:

Follow the libxcrypt migration if needed here: Project:Toolchain/libcrypt implementation, or just execute:

Update the world, remove the backup of crypt.h and clean up:

Automatically symlink the kernel:

Install microcode:

Put it into Portage make.conf:

Install genkernel, pf-sources and intel-microcode:

Check if the kernel is selected:

Configure genkernel:

Create a wrapper around genkernel:

And make it executable:

System Packages
Add the kernel config.

Build the kernel and update the config:

Install system packages:

Enable services:

Adjust the eix configuration:

Enable KMS for the nvidia driver:

ZFS Module & Tools
Apply compatibility patches for 5.14 kernels.

Install ZFS 2.1.0 and set the compatibility kernel version to 5.14.

Configure ARC.

Check if /etc/hostid is present; otherwise execute:

Enable services.

Build Kernel & Initramfs & EfiStub
Generate mdadm.conf.

Build the kernel and initramfs, and adjust the EFI entries.

Add the SWAP and boot partitions to fstab.

Change the hostname.

Set the keymap to de-latin1.

Set up networking.

Force --ask on Portage.

Add a user and set the password.

Set up the ZFS PAM module for home directories.

Exit the chroot and unmount the drives.

Userland
Boot into the system, type the password for your rpool/ROOT dataset, then mount the user dataset.

Configure USE.

Add X, the driver and tools.

Install kitty, picom, emacs, AwesomeWM and PipeWire with BlueZ.

Set up pulseaudio.

Set the hostname.

Configure LightDM.

Configure LightDM Mini Greeter.

Configure Xorg.

Install Discord and BetterDiscordCtl.

Update world, clean up, enable USE doc and install qemu:

Afterwards remove alsa-plugins from /etc/portage/package.use/media-plugins

Remove /etc/portage/package.use/dev-tmp

Install https://github.com/Lorago/dots
