From b1acba96400443cf6a9cba4203af44b1332e9433 Mon Sep 17 00:00:00 2001 From: Andrey Prokopenko <9478806+andrey42@users.noreply.github.com> Date: Sun, 23 Feb 2020 17:27:03 +0100 Subject: [PATCH] updated encryption --- hetzner-debian10-zfs-setup.sh | 38 +++++++++++++++++------------------ hetzner-ubuntu18-zfs-setup.sh | 34 +++++++++++++++---------------- 2 files changed, 35 insertions(+), 37 deletions(-) diff --git a/hetzner-debian10-zfs-setup.sh b/hetzner-debian10-zfs-setup.sh index c360946..36637b6 100644 --- a/hetzner-debian10-zfs-setup.sh +++ b/hetzner-debian10-zfs-setup.sh @@ -5,7 +5,7 @@ fully automatic script to install Debian 10 with ZFS root on Hetzner VPS WARNING: all data on the disk will be destroyed How to use: add SSH key to the rescue console, set it OS to linux64, then press mount rescue and power sysle -Next, connect via SSH to console, and run the script +Next, connect via SSH to console, and run the script Answer script questions about desired hostname and ZFS ARC cache size To cope with network failures its higly recommended to run the script inside screen console screen -dmS zfs @@ -19,10 +19,10 @@ set -o nounset # Variables v_bpool_name= -v_bpool_tweaks= +v_bpool_tweaks= v_rpool_name= -v_rpool_tweaks= -declare -a v_selected_disks +v_rpool_tweaks= +declare -a v_selected_disks v_swap_size= # integer v_free_tail_space= # integer v_hostname= @@ -126,9 +126,9 @@ function check_prerequisites { echo "SSH pubkey file is absent, please add it to the rescue system setting, then reboot into rescue system and run the script" exit 1 fi - if ! dpkg-query --showformat="\${Status}" -W dialog 2> /dev/null | grep "install ok installed" &> /dev/null; then + if ! dpkg-query --showformat="\${Status}" -W dialog 2> /dev/null | grep "install ok installed" &> /dev/null; then apt install --yes dialog - fi + fi } function initial_load_debian_zed_cache { 
@@ -139,7 +139,7 @@ function initial_load_debian_zed_cache { chroot_execute "zed -F &" local success=0 - + if [[ ! -e /mnt/etc/zfs/zfs-list.cache/rpool ]] || [[ -e /mnt/etc/zfs/zfs-list.cache/rpool && (( $(ls -l /mnt/etc/zfs/zfs-list.cache/rpool 2> /dev/null | cut -d ' ' -f 5) == 0 )) ]]; then chroot_execute "zfs set canmount=noauto rpool" @@ -151,9 +151,9 @@ function initial_load_debian_zed_cache { break else sleep 1 - fi + fi done - else + else success=1 fi @@ -173,7 +173,7 @@ function find_suitable_disks { udevadm trigger - # shellcheck disable=SC2012 + # shellcheck disable=SC2012 ls -l /dev/disk/by-id | tail -n +2 | perl -lane 'print "@F[8..10]"' > "$c_disks_log" local candidate_disk_ids @@ -430,10 +430,10 @@ function unmount_and_export_fs { zpools_exported=1 echo "all zfs pools were succesfully exported" break; - else + else sleep 1 - fi - done + fi + done set -e if (( zpools_exported != 1 )); then echo "failed to export zfs pools" @@ -472,12 +472,12 @@ ask_root_password ask_hostname -clear +clear echo "===========remove unused kernels in rescue system=========" -for kver in $(find /lib/modules/* -maxdepth 0 -type d | grep -v "$(uname -r)" | cut -s -d "/" -f 4); do +for kver in $(find /lib/modules/* -maxdepth 0 -type d | grep -v "$(uname -r)" | cut -s -d "/" -f 4); do apt purge --yes "linux-headers-$kver" - apt purge --yes "linux-image-$kver" + apt purge --yes "linux-image-$kver" done echo "======= installing zfs on rescue system ==========" @@ -512,7 +512,7 @@ echo "======= create zfs pools and datasets ==========" bpool_disks_partitions=() if [[ $v_encrypt_rpool == "1" ]]; then - encryption_options=(-O "encryption=on" -O "keylocation=prompt" -O "keyformat=passphrase") + encryption_options=(-O "encryption=aes-256-gcm" -O "keylocation=prompt" -O "keyformat=passphrase") fi for selected_disk in "${v_selected_disks[@]}"; do 
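Review bot: The explicit `encryption=aes-256-gcm` in the `v_encrypt_rpool` branch is the right cipher choice, but nothing in the script verifies that the rescue system's ZFS actually supports native encryption before `zpool create` is reached; on a ZFS 0.7.x module the pool creation fails with an unknown-property error after the disks have already been wiped. Since the `zfs version` subcommand only exists from OpenZFS 0.8 (the same release that introduced native encryption), a one-line guard right after the "installing zfs on rescue system" step would fail early: `zfs version > /dev/null 2>&1 || { echo "native encryption requires ZFS >= 0.8 on the rescue system"; exit 1; }`. It is also worth a comment on the assignment explaining why the value is spelled out rather than `on` — as far as I recall, `on` resolved to aes-256-ccm on 0.8.x and only became aes-256-gcm in OpenZFS 2.0, so the explicit value pins the cipher regardless of the installed version. The `zpool create` that consumes `encryption_options` is outside this hunk.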
@@ -524,7 +524,7 @@ echo "======= create zfs pools and datasets ==========" pools_mirror_option=mirror else pools_mirror_option= - fi + fi zpool create \ $v_bpool_tweaks -O canmount=off -O devices=off \ @@ -611,9 +611,7 @@ iface lo inet6 loopback auto ens3 iface ens3 inet dhcp - dns-nameservers 213.133.98.98 213.133.99.99 213.133.100.100 -# control-alias ens3 iface ens3 inet6 static address ${ip6addr_prefix}:1/64 gateway fe80::1 diff --git a/hetzner-ubuntu18-zfs-setup.sh b/hetzner-ubuntu18-zfs-setup.sh index 30f109d..db6b6c1 100644 --- a/hetzner-ubuntu18-zfs-setup.sh +++ b/hetzner-ubuntu18-zfs-setup.sh @@ -5,7 +5,7 @@ fully automatic script to install Ubuntu 18 LTS with ZFS root on Hetzner VPS WARNING: all data on the disk will be destroyed How to use: add SSH key to the rescue console, set it OS to linux64, then press mount rescue and power sysle -Next, connect via SSH to console, and run the script +Next, connect via SSH to console, and run the script Answer script questions about desired hostname and ZFS ARC cache size To cope with network failures its higly recommended to run the script inside screen console screen -dmS zfs @@ -19,10 +19,10 @@ set -o nounset # Variables v_bpool_name= -v_bpool_tweaks= +v_bpool_tweaks= v_rpool_name= -v_rpool_tweaks= -declare -a v_selected_disks +v_rpool_tweaks= +declare -a v_selected_disks v_swap_size= # integer v_free_tail_space= # integer v_hostname= @@ -126,9 +126,9 @@ function check_prerequisites { echo "SSH pubkey file is absent, please add it to the rescue system setting, then reboot into rescue system and run the script" exit 1 fi - if ! dpkg-query --showformat="\${Status}" -W dialog 2> /dev/null | grep "install ok installed" &> /dev/null; then + if ! dpkg-query --showformat="\${Status}" -W dialog 2> /dev/null | grep "install ok installed" &> /dev/null; then apt install --yes dialog - fi + fi } 
@@ -138,7 +138,7 @@ function find_suitable_disks { udevadm trigger - # shellcheck disable=SC2012 + # shellcheck disable=SC2012 ls -l /dev/disk/by-id | tail -n +2 | perl -lane 'print "@F[8..10]"' > "$c_disks_log" local candidate_disk_ids @@ -395,10 +395,10 @@ function unmount_and_export_fs { zpools_exported=1 echo "all zfs pools were succesfully exported" break; - else + else sleep 1 - fi - done + fi + done set -e if (( zpools_exported != 1 )); then echo "failed to export zfs pools" @@ -437,12 +437,12 @@ ask_root_password ask_hostname -clear +clear echo "===========remove unused kernels in rescue system=========" -for kver in $(find /lib/modules/* -maxdepth 0 -type d | grep -v "$(uname -r)" | cut -s -d "/" -f 4); do +for kver in $(find /lib/modules/* -maxdepth 0 -type d | grep -v "$(uname -r)" | cut -s -d "/" -f 4); do apt purge --yes "linux-headers-$kver" - apt purge --yes "linux-image-$kver" + apt purge --yes "linux-image-$kver" done echo "======= installing zfs on rescue system ==========" @@ -477,7 +477,7 @@ echo "======= create zfs pools and datasets ==========" bpool_disks_partitions=() if [[ $v_encrypt_rpool == "1" ]]; then - encryption_options=(-O "encryption=on" -O "keylocation=prompt" -O "keyformat=passphrase") + encryption_options=(-O "encryption=aes-256-gcm" -O "keylocation=prompt" -O "keyformat=passphrase") fi for selected_disk in "${v_selected_disks[@]}"; do @@ -489,7 +489,7 @@ echo "======= create zfs pools and datasets ==========" pools_mirror_option=mirror else pools_mirror_option= - fi + fi zpool create \ $v_bpool_tweaks -O canmount=off -O devices=off \ @@ -539,12 +539,12 @@ if [[ $v_swap_size -gt 0 ]]; then "$v_rpool_name/swap" udevadm settle - + mkswap -f "/dev/zvol/$v_rpool_name/swap" fi echo "======= setting up initial system packages ==========" -debootstrap --arch=amd64 bionic "$c_zfs_mount_dir" "$c_deb_packages_repo" +debootstrap --arch=amd64 bionic "$c_zfs_mount_dir" "$c_deb_packages_repo" zfs set devices=off "$v_rpool_name"
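Review bot: The Ubuntu variant now also passes `encryption=aes-256-gcm` with `keylocation=prompt`, yet the target system is populated with `debootstrap --arch=amd64 bionic`, whose stock archive ships ZFS 0.7.x without native encryption; unless the script later pulls a newer zfs-initramfs/zfsutils from another source (not visible in this diff), the installed system would be unable to import or unlock its own root pool at boot. A check inside the chroot before the pool is exported, such as `chroot /mnt zfs version > /dev/null 2>&1 || { echo "target ZFS lacks native encryption support"; exit 1; }`, would catch this before the rescue system reboots into an unbootable install. A short comment on the `encryption_options` line noting the ZFS >= 0.8 requirement on both the rescue and the target side would help the next person who copies this for another release. The `zpool create` and the later package installation that this depends on are outside the hunk.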