Debian

Install Debian with LUKS2 Btrfs and GRUB via Debootstrap

Source: https://gist.github.com/meeas/b574e4bede396783b1898c90afa20a30

Use a Debian Live ISO
Single LUKS2 encrypted partition
Single Btrfs filesystem with @, @home, @swap, and other subvolumes
Encrypted swapfile in Btrfs subvolume
systemd-boot bootloader
Optional removal of crypto keys from RAM during laptop suspend
Optional configurations for laptops

Pre-installation setup

Boot into the live ISO, open a terminal, and become root. Install the needed packages.

1sudo -i
2apt update
3apt install -y debootstrap cryptsetup arch-install-scripts

Create partitions.

1cfdisk /dev/nvme0n1

GPT partition table
512M /dev/nvme0n1p1 EFI System partition (EF00)
100%+ /dev/nvme0n1p2 Linux filesystem

1mkfs.fat -F 32 -n EFI /dev/nvme0n1p1
2cryptsetup -y -v --type luks2 luksFormat --label Debian /dev/nvme0n1p2
3cryptsetup luksOpen /dev/nvme0n1p2 cryptroot
4mkfs.btrfs /dev/mapper/cryptroot

Make Btrfs subvolumes.

1mount /dev/mapper/cryptroot /mnt
2btrfs subvolume create /mnt/@
3btrfs subvolume create /mnt/@home
4btrfs subvolume create /mnt/@swap
5umount -lR /mnt

Re-mount subvolumes as partitions.

1mount -t btrfs -o defaults,subvol=@,compress=zstd:1 /dev/mapper/cryptroot /mnt
2mkdir -p /mnt/{boot,home}
3mkdir /mnt/boot/efi
4mount /dev/nvme0n1p1 /mnt/boot/efi
5mount -t btrfs -o defaults,subvol=@home,compress=zstd:1 /dev/mapper/cryptroot /mnt/home

Setup swapfile.

1mkdir -p /mnt/swap
2mount -t btrfs -o subvol=@swap /dev/mapper/cryptroot /mnt/swap
3touch /mnt/swap/swapfile
4chmod 600 /mnt/swap/swapfile
5chattr +C /mnt/swap/swapfile
6btrfs property set ./swapfile compression none
7dd if=/dev/zero of=/mnt/swap/swapfile bs=1M count=16384
8mkswap /mnt/swap/swapfile
9swapon /mnt/swap/swapfile

Base installation

Create a nested subvolume for /var/log under the @ subvolume. This will be automounted with @ so there is no need to add it to /etc/fstab. Nested subvolumes are not included in snapshots of the parent subvolume. Creating a nested subvolume for /var/log will ensure the log files remain untouched when we restore the rootfs from a snapshot.

1mkdir -p /mnt/var
2btrfs subvolume create /mnt/var/log
3debootstrap --arch amd64 <suite> /mnt

Copy the mounted file systems table.

Bind the pseudo-filesystems for chroot.

1mount --rbind /dev /mnt/dev
2mount --rbind /sys /mnt/sys
3mount -t proc proc /mnt/proc

Generate fstab.

1genfstab -U /mnt >> /mnt/etc/fstab

Chroot into the new system.

1cp -v /etc/resolv.conf /mnt/etc/
2chroot /mnt

Configure the new installation

Set the timezone, locale, keyboard configuration, and console.

1apt install -y locales
2dpkg-reconfigure tzdata locales keyboard-configuration console-setup

Set the hostname.

1echo 'hostname' > /etc/hostname
2echo '127.0.1.1 hostname.localdomain hostname' >> /etc/hosts

Configure APT sources on /etc/apt/sources.list

1deb https://deb.debian.org/debian <suite> main contrib non-free non-free-firmware
2deb https://deb.debian.org/debian <suite>-updates main contrib non-free non-free-firmware
3deb https://deb.debian.org/debian <suite>-backports main contrib non-free non-free-firmware
4deb https://deb.debian.org/debian-security <suite>-security main contrib non-free non-free-firmware

Install essential packages.

1apt update -t <suite>-backports
2apt dist-upgrade -t <suite>-backports
3apt install -y neovim linux-image-amd64 linux-headers-amd64 firmware-linux firmware-linux-nonfree sudo command-not-found systemd-timesyncd systemd-resolved cryptsetup cryptsetup-initramfs efibootmgr btrfs-progs grub-efi

Install desktop environment.

1apt install task-gnome-desktop task-desktop task-ssh-server

If installing on a laptop:

1sudo apt install -y task-laptop powertop

Create users and groups.

1passwd root
2adduser jas
3echo "jas ALL=(ALL) NOPASSWD: ALL" | tee -a /etc/sudoers.d/jas
4chmod 440 /etc/sudoers.d/jas
5usermod -aG systemd-journal jas

Setting up the bootloader

Optional package for extra protection of suspended laptops.

1apt install cryptsetup-suspend

Setup encryption parameters.

1blkid -s UUID -o value /dev/nvme0n1p2

Edit /etc/crypttab.

1cryptroot UUID=<uuid> none luks

Setup bootloader.

1grub-install --target=x86_64-efi --efi-directory=/boot/efi --recheck --bootloader-id="Debian"

Edit /etc/default/grub.

1GRUB_CMDLINE_LINUX_DEFAULT=""
2GRUB_CMDLINE_LINUX=""
3GRUB_ENABLE_CRYPTODISK=y
4GRUB_TERMINAL=console

Update grub.

1update-grub

Exit chroot and reboot.

1exit
2umount -lR /mnt
3reboot

Emergency recovery from live ISO

 1sudo -i
 2cryptsetup luksOpen /dev/nvme0n1p2 cryptroot
 3mount -t btrfs -o defaults,subvol=@,compress=zstd:1 /dev/mapper/cryptroot /mnt
 4mount /dev/nvme0n1p1 /mnt/boot/efi
 5mount -t btrfs -o defaults,subvol=@home,compress=zstd:1 /dev/mapper/cryptroot /mnt/home
 6mount -t btrfs -o subvol=@swap /dev/mapper/cryptroot /mnt/swap
 7swapon /mnt/swap/swapfile
 8mount --rbind /dev /mnt/dev
 9mount --rbind /sys /mnt/sys
10mount -t proc proc /mnt/proc
11chroot /mnt

Reply to this post by email ↪