8. Bootup Setup
8.1. Basic Configuration
Setup /etc/fstab:
SWAP_UUID="$(blkid -s UUID -o value /mapperSwap)" && \
SYSTEM_UUID="$(blkid -s UUID -o value /mapperSystem)" && \
echo "" >> /etc/fstab && \
echo "
$(while read -r i; do
echo "UUID=$(blkid -s UUID -o value "$i") ${i/devE/boot\/e} vfat noatime,dmask=0027,fmask=0137 0 0"
done < <(find /devEfi* -maxdepth 0))
UUID=${SWAP_UUID} none swap sw 0 0
UUID=${SYSTEM_UUID} / btrfs noatime,subvol=@root 0 0
UUID=${SYSTEM_UUID} /home btrfs noatime,subvol=@home 0 0
UUID=${SYSTEM_UUID} /var/cache/binpkgs btrfs noatime,subvol=@binpkgs 0 0
UUID=${SYSTEM_UUID} /var/cache/distfiles btrfs noatime,subvol=@distfiles 0 0
UUID=${SYSTEM_UUID} /var/db/repos/gentoo btrfs noatime,subvol=@ebuilds 0 0
UUID=${SYSTEM_UUID} /var/tmp btrfs noatime,subvol=@var_tmp 0 0
" | column -o " " -t >> /etc/fstab && \
echo -e "\e[1;32mSUCCESS\e[0m"
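Before the first reboot it is worth checking the generated entries once more. The following script is an added example, not part of the guide: it reads fstab text on stdin, verifies that every line has six fields and is referenced by UUID, that each EFI (vfat) entry carries the restrictive dmask/fmask from above, that btrfs entries name a subvolume, and that swap mounts on "none". The sample fstab and its UUIDs are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the guide: sanity-check fstab lines of the layout
# generated above before the first reboot. Reads fstab text on stdin and prints
# one FAIL line per problem. Run it on the real file with: check_fstab < /etc/fstab
set -u

check_fstab() {
    local rc=0 line fs mnt type opts
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks/comments
        # word-split the six fstab fields (intentionally unquoted)
        set -- $line
        if [ "$#" -ne 6 ]; then
            echo "FAIL: expected 6 fields: $line"; rc=1; continue
        fi
        fs=$1 mnt=$2 type=$3 opts=$4
        # vfat UUIDs are short (XXXX-XXXX); everything else uses the 36-char form
        case "$fs" in
            UUID=????????-????-????-????-????????????|UUID=????-????) ;;
            *) echo "FAIL: $mnt is not referenced by UUID=: $fs"; rc=1 ;;
        esac
        case "$type" in
            vfat)
                # FAT has no Unix permissions: without the masks every user can
                # read the kernels and EFI binaries stored on the ESP
                case ",$opts," in *,dmask=0027,*) ;;
                    *) echo "FAIL: $mnt lacks dmask=0027"; rc=1 ;; esac
                case ",$opts," in *,fmask=0137,*) ;;
                    *) echo "FAIL: $mnt lacks fmask=0137"; rc=1 ;; esac ;;
            btrfs)
                case ",$opts," in *,subvol=@*) ;;
                    *) echo "FAIL: $mnt has no subvol=@... option"; rc=1 ;; esac ;;
            swap)
                [ "$mnt" = none ] || { echo "FAIL: swap mountpoint must be none"; rc=1; } ;;
            *) echo "FAIL: unexpected filesystem type $type for $mnt"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: same layout as the guide, placeholder UUIDs, and one
# EFI line deliberately missing its masks so that a finding is shown.
sample_fstab='UUID=1A2B-3C4D /boot/efia vfat noatime,dmask=0027,fmask=0137 0 0
UUID=5E6F-7A8B /boot/efib vfat noatime 0 0
UUID=0f0f0f0f-1111-2222-3333-444444444444 none swap sw 0 0
UUID=12345678-aaaa-bbbb-cccc-dddddddddddd / btrfs noatime,subvol=@root 0 0'

printf '%s\n' "$sample_fstab" | check_fstab || echo "fix the findings above before rebooting"
```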
Setup /etc/hosts (copy&paste one command after the other):
# Set the hostname of your choice
my_hostname="micro"
rsync -a /etc/hosts /etc/._cfg0000_hosts && \
sed -i "s/localhost$/localhost ${my_hostname}/" /etc/._cfg0000_hosts && \
echo -e "\e[1;32mSUCCESS\e[0m"
Disable "magic SysRq" for security's sake:
mkdir -p /etc/sysctl.d && \
echo "kernel.sysrq = 0" > /etc/sysctl.d/99sysrq.conf
(Optional) Install miscellaneous tools:
emerge -at app-misc/screen app-portage/gentoolkit
8.2. systemd Preparation
Apply systemd USE flags:
# add LUKS volume and systemd-boot support
touch /etc/sysctl.conf && \
echo "sys-apps/systemd boot cryptsetup kernel-install" >> /etc/portage/package.use/main && \
emerge -atuDN @world
Do some initial configuration:
systemd-machine-id-setup && \
systemd-firstboot --prompt && \
echo -e "\e[1;32mSUCCESS\e[0m"
If you don't plan to keep your setup slim for the later SELinux setup, the use of preset files may be something to consider:
Most services are disabled when systemd is first installed. A "preset" file is provided, and may be used to enable a reasonable set of default services. (source)
systemctl preset-all
# or
systemctl preset-all --preset-mode=enable-only
8.3. Secure Boot
Warnings on OptionROM
While using sbctl, take warnings such as the following seriously and make sure to understand the implications:
Could not find any TPM Eventlog in the system. This means we do not know if there is any OptionROM present on the system.
etc.
Please read the FAQ for more information: https://github.com/Foxboron/sbctl/wiki/FAQ#option-rom
In order to add your custom keys, "setup mode" must have been enabled in your "UEFI Firmware Settings" before booting into SystemRescue.
Install "app-crypt/sbctl":
emerge -at app-crypt/sbctl
Create and enroll secure boot files (link) (copy&paste one command after the other):
❯ sbctl status
Installed: ✗ sbctl is not installed
Setup Mode: ✗ Enabled
Secure Boot: ✗ Disabled
❯ sbctl create-keys
Created Owner UUID 4cdeb60c-d2ce-4ed9-af89-2b659c21f6e4
Creating secure boot keys...✓
Secure boot keys created!
❯ sbctl enroll-keys
Enrolling keys to EFI variables...✓
Enrolled keys to the EFI variables!
❯ sbctl status
Installed: ✓ sbctl is installed
Owner GUID: 4cdeb60c-d2ce-4ed9-af89-2b659c21f6e4
Setup Mode: ✓ Disabled
Secure Boot: ✗ Disabled
Vendor Keys: none