This tool is meant to be used with Arch Linux after a base installation has been performed.
Ansible will be installed after the base install to double-check our work and handle the rest.
Setup for:
- ansible
- yay
- i3
- vim
- zsh
- ruby
- chef
First go to the Arch Linux downloads page and download the latest .iso file.
Burn it to a CD or write it to a USB stick (here /dev/sdb; double-check the device name, since this overwrites it):

```sh
dd bs=4M if=~/Downloads/archlinuxinstall.iso of=/dev/sdb && sync
```
Boot into the live Arch Linux environment and wipe your drives.

First, create a temporary encrypted container on the partition (sdXY) or the full disk (sdX) to be encrypted, e.g. using default encryption parameters and a random key via the --key-file /dev/{u}random option (/dev/urandom never blocks; /dev/random may block on older kernels):

```sh
cryptsetup open --type plain /dev/sdXY container --key-file /dev/random
```

Second, check that it exists:

```sh
fdisk -l
```

```
Disk /dev/mapper/container: 1000 MB, 1000277504 bytes
```

Wipe the container with zeros. Using if=/dev/urandom is not required, as the encryption cipher provides the randomness:

```sh
dd if=/dev/zero of=/dev/mapper/container bs=1M status=progress
```

Finally, close the temporary container:

```sh
cryptsetup close container
```
The target layout, as lsblk shows it on the finished system (the LUKS container is opened as vg by the cryptdevice= kernel parameter set further down):

```
NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda             8:0    0   477G  0 disk
|-sda1          8:1    0   487M  0 part  /boot
`-sda2          8:2    0 476.5G  0 part
  `-vg        254:0    0 476.5G  0 crypt
    |-vg-swap 254:1    0     8G  0 lvm   [SWAP]
    |-vg-root 254:2    0   100G  0 lvm   /
    |-vg-var  254:3    0   100G  0 lvm   /var
    `-vg-home 254:4    0 268.5G  0 lvm   /home
```
Partition the disk, encrypt the second partition, build LVM on top of it, then format and mount everything and install the base system:

```sh
# partitions for /boot and / (encrypted drive)
parted -s /dev/sda mklabel msdos
parted -s -a optimal /dev/sda mkpart primary 0% 512MB
parted -s -a optimal /dev/sda mkpart primary 512MB 100%
# encrypt
cryptsetup luksFormat /dev/sda2
# passphrase prompt; the author uses a YubiKey for 2FA
# open encrypted drive
cryptsetup open /dev/sda2 cryptolvm
# passphrase prompt; the author uses a YubiKey for 2FA
wget https://raw.githubusercontent.com/jahrik/ansible-arch-workstation/master/partitioning.sh
# create volume group
pvcreate /dev/mapper/cryptolvm
vgcreate vg /dev/mapper/cryptolvm
# create logical volumes
lvcreate -L 8G vg -n swap
lvcreate -L 100G vg -n root
lvcreate -L 100G vg -n var
lvcreate -l 100%FREE vg -n home
# format
mkfs.ext4 /dev/sda1
mkfs.ext4 /dev/mapper/vg-root
mkfs.ext4 /dev/mapper/vg-var
mkfs.ext4 /dev/mapper/vg-home
mkswap /dev/mapper/vg-swap
# mount the new root first, then the other volumes under it
mount /dev/mapper/vg-root /mnt
mkdir /mnt/home
mount /dev/mapper/vg-home /mnt/home
mkdir /mnt/var
mount /dev/mapper/vg-var /mnt/var
swapon /dev/mapper/vg-swap
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
# install the base system and generate fstab from the mounted volumes
pacstrap /mnt base base-devel
genfstab -U -p /mnt >> /mnt/etc/fstab
```

On current Arch the base package no longer pulls in the kernel or lvm2, so add linux, linux-firmware and lvm2 to the pacstrap line if your ISO's base does not install them; the encrypt and lvm2 hooks and GRUB below depend on them.
Check that it was written:

```sh
cat /mnt/etc/fstab
```

Chroot into the new system, install an editor and wireless tools, and set the root password first:

```sh
arch-chroot /mnt /bin/bash
pacman -S vim
pacman -S iw wpa_supplicant dialog
# first change root password
passwd
```
Edit /etc/mkinitcpio.conf and add the hooks "encrypt" and "lvm2" to HOOKS=... just before "filesystems" and after "block" (encrypt needs the block device modules, and lvm2 needs the container that encrypt opens), e.g.:

```
...
HOOKS="base udev autodetect modconf keyboard block encrypt lvm2 filesystems fsck"
...
```

Then regenerate the initramfs:

```sh
mkinitcpio -p linux
```
Install GRUB:

```sh
pacman -S grub
```

Edit /etc/default/grub so the initramfs opens /dev/sda2 as vg and finds the root volume inside it:

```
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:vg root=/dev/mapper/vg-root"
```

Install GRUB to the MBR and generate its config:

```sh
grub-install --target=i386-pc /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg
```
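The fstab, the mkinitcpio HOOKS line and the GRUB command line all have to agree before the box will boot from the encrypted volume. As an added example (my own script, not code from jahrik's repo), this bash script checks the three files on the new root; it assumes the layout above (a LUKS container opened by the encrypt hook with the LVM root inside) and builds a small constructed /etc tree with this README's values so that it also runs offline:

```bash
# Added check script, not from the ansible-arch-workstation repo. Pass the new
# root: /mnt from the live ISO, or / from inside arch-chroot.
set -u

# Print the hook list from HOOKS="..." or HOOKS=(...) in a mkinitcpio.conf.
mkinitcpio_hooks() { sed -n 's/^HOOKS=[("]\(.*\)[)"].*/\1/p' "$1"; }
# 0 if block, encrypt, lvm2 and filesystems are present in that order: encrypt
# needs block's device modules, lvm2 needs the container that encrypt opens.
hooks_in_order() {
    prev=0
    for h in block encrypt lvm2 filesystems; do
        pos=$(mkinitcpio_hooks "$1" | tr ' ' '\n' | grep -nx "$h" | head -n1 | cut -d: -f1)
        [ -n "$pos" ] && [ "$pos" -gt "$prev" ] || return 1
        prev=$pos
    done
}
# Print "<device> <name>" from cryptdevice=<device>:<name> in GRUB_CMDLINE_LINUX.
grub_cryptdevice() {
    sed -n 's/^GRUB_CMDLINE_LINUX=.*cryptdevice=\([^: ]*\):\([^ "]*\).*/\1 \2/p' "$1"
}
# 0 if GRUB passes a cryptdevice and a root= on a device-mapper path, so the
# initramfs unlocks LUKS before it looks for the LVM root volume.
grub_unlocks_root() {
    set -- "$1" $(grub_cryptdevice "$1")
    [ $# -eq 3 ] && grep -q '^GRUB_CMDLINE_LINUX=.*root=/dev/mapper/' "$1"
}
# 0 if the genfstab output has a non-comment entry for every mount point given
# (genfstab writes the swap entry with mount point "none").
fstab_covers() {
    f=$1; shift
    for mp in "$@"; do
        awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { ok = 1 } END { exit !ok }' "$f" || return 1
    done
}
verify_install() {
    r=${1%/}
    hooks_in_order "$r/etc/mkinitcpio.conf" || { echo "HOOKS order wrong in mkinitcpio.conf"; return 1; }
    grub_unlocks_root "$r/etc/default/grub" || { echo "cryptdevice= or root=/dev/mapper/ missing in grub"; return 1; }
    fstab_covers "$r/etc/fstab" / /boot /home /var none || { echo "fstab is missing a mount point"; return 1; }
    echo "ok: $r"
}

# Constructed demo tree with this README's values, so the script also runs offline.
demo=$(mktemp -d); mkdir -p "$demo/etc/default"
echo 'HOOKS="base udev autodetect modconf keyboard block encrypt lvm2 filesystems fsck"' > "$demo/etc/mkinitcpio.conf"
echo 'GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:vg root=/dev/mapper/vg-root"' > "$demo/etc/default/grub"
printf '%s\n' '# <file system> <dir> <type> <options> <dump> <pass>' 'UUID=r / ext4 rw,relatime 0 1' \
  'UUID=b /boot ext4 rw 0 2' 'UUID=h /home ext4 rw 0 2' 'UUID=v /var ext4 rw 0 2' 'UUID=s none swap defaults 0 0' > "$demo/etc/fstab"
verify_install "$demo"; rm -rf "$demo"
```

Run it as `verify_install /mnt` before rebooting; a HOOKS line with block after encrypt (the order this README originally showed) fails the first check.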
Install zsh and sudo and create the user (replace <user>):

```sh
pacman -S zsh
groupadd <user>
useradd -m -g <user> -s /bin/zsh <user>
pacman -S sudo
```

Add the user to /etc/sudoers.d/config:

```
<user> ALL=(ALL) NOPASSWD: ALL
```

NOPASSWD lets this user become root without being asked for a password; check the file with visudo -cf /etc/sudoers.d/config before leaving the chroot, because a syntax error in it makes sudo refuse to run at all.
Stuff and things go here...
...
...
Not working yet. Need to build a new packer arch box for testing.
Testing locally for now...
Bring up an Arch box:

```sh
vagrant up
```

Check the status of Vagrant:

```sh
vagrant status
```

```
Current machine states:

arch-vm running (virtualbox)
```

SSH into the box:

```sh
vagrant ssh arch-vm.dev
```

Run the playbook against the VM:

```sh
ansible-playbook site.yml
```