### Preparing the setup environment

- Boot on a Debian LiveUSB. Of course, check its integrity first (verify the image's checksum against the signed `SHA256SUMS` file before writing it)!
- Fetch the keys for the ZoL repos (`0x201C31294D5843EA` & `0xA9D5A1C0F14AB620`) and compare the full fingerprints with the ones the project publishes; matching key IDs alone prove nothing.
- Add `http://archive.zfsonlinux.org/debian` to `sources.list`
- `apt update && apt install debian-zfs cryptsetup`
- `modprobe zfs`

Now you have a ZFS-capable Debian system.

### Partitioning and formatting

I used the hostname (`vacuum`) in volume names, by convention.

- Partition the drive with `fdisk /dev/sda`; here, I used MBR. I allocated 1GiB to `/boot` (`/dev/sda1`), and the rest to the LUKS volume (`/dev/sda2`).
- `cryptsetup luksFormat /dev/sda2`

  The compiled-in defaults (printed by `cryptsetup --help`) use `AES-XTS` with `SHA1` as the PBKDF2 hash. They depend on the cryptsetup version, so read back what you actually got with `cryptsetup luksDump /dev/sda2`.
- `cryptsetup luksOpen /dev/sda2 vacuum-crypt`
- `dd if=/dev/zero of=/dev/mapper/vacuum-crypt`

  Zeroing out the encrypted volume results in cryptogarbage on the physical drive. That's as good as initialising `/dev/sda2` with `/dev/urandom` and much faster. `dd` stops with a "No space left on device" error once the volume is full; that is expected. 0xCAFE time again!
- `zpool create -o ashift=12 -o altroot=/mnt/vacuum vacuum /dev/mapper/vacuum-crypt`
  - `ashift` specifies the sector alignment as a power of 2: `12` means 4 KiB sectors
  - `altroot` makes our ZFS tree appear temporarily under `/mnt/vacuum`
- `zfs set atime=off vacuum`
- `zfs create -o mountpoint=none vacuum/ROOT`

  This dataset only serves as a container for bootable systems; it should never be mounted.
- `zfs create -o mountpoint=/ vacuum/ROOT/debian`
- `zpool set bootfs=vacuum/ROOT/debian vacuum`
- `zfs create -o mountpoint=/home -o compression=lz4 vacuum/home`
- `zfs create vacuum/ROOT/debian/usr`
  `zfs create vacuum/ROOT/debian/var`
  `zfs create -o compression=lz4 -o setuid=off -o exec=off vacuum/ROOT/debian/var/log`
  `zfs create -o compression=lz4 -o setuid=off -o exec=off vacuum/ROOT/debian/var/cache`

  The children inherit their mountpoints from `vacuum/ROOT/debian`, so they end up at `/usr`, `/var`, `/var/log` and `/var/cache`. `setuid=off` and `exec=off` mean nothing dropped into the log or cache directories can be executed or gain privileges.
- `zpool export vacuum`

  This makes sure all the metadata is written to disk and the volumes are released.
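
Rather than trusting the defaults, read the header back. The following script is an added example (not from the original post): it parses the output of `cryptsetup luksDump` for a LUKS1 header, reports the cipher, master-key size, PBKDF2 hash, enabled key slots and the lowest slot iteration count, and flags two things worth knowing before you fill the volume with data: `aes-xts-plain64` with 256 master-key bits is AES-128 (XTS splits the key in two), and `sha1` was the PBKDF2 hash of older cryptsetup defaults (newer releases default to `sha256`). The sample header embedded in the script is constructed, not captured from a real device, and the helper names are my own.

```shell
#!/bin/sh
# audit-luks.sh: sanity-check a LUKS1 header from 'cryptsetup luksDump' output.
# Added example, not part of the original post. Assumes the LUKS1 text format
# printed by cryptsetup 1.x; LUKS2 headers look different and are rejected.
set -u

# Value of a top-level "Label:   value" line in a luksDump capture.
luks_field() { # $1 = dump file, $2 = label, e.g. "Hash spec"
    awk -F: -v key="$2" '$1 == key { sub(/^[ \t]+/, "", $2); print $2; exit }' "$1"
}

# Number of enabled key slots: every one is a passphrase that unlocks the volume.
luks_enabled_slots() { # $1 = dump file
    grep -c '^Key Slot [0-7]: ENABLED' "$1" || true
}

# Lowest PBKDF2 iteration count across the enabled key slots (the weakest one).
luks_min_slot_iterations() { # $1 = dump file
    awk '/^[ \t]+Iterations:/ { if (min == "" || $2 + 0 < min + 0) min = $2 } END { print min }' "$1"
}

# Print a summary plus findings; return 1 if the header deserves a reformat,
# 2 if the dump is not a LUKS1 header.
audit_luks_dump() { # $1 = dump file
    rc=0
    [ "$(luks_field "$1" Version)" = "1" ] || { echo "only LUKS1 headers are parsed" >&2; return 2; }
    cipher=$(luks_field "$1" "Cipher name")
    mode=$(luks_field "$1" "Cipher mode")
    hash=$(luks_field "$1" "Hash spec")
    bits=$(luks_field "$1" "MK bits")
    slots=$(luks_enabled_slots "$1")
    iters=$(luks_min_slot_iterations "$1")
    echo "cipher=$cipher-$mode mk-bits=$bits hash=$hash enabled-slots=$slots min-iterations=$iters"
    case "$mode" in
        xts*)
            # XTS uses two keys taken from the master key: 256 MK bits means AES-128.
            if [ "$bits" -lt 512 ]; then
                echo "note: $cipher-$mode with $bits master-key bits is $cipher-$((bits / 2)); use --key-size 512 for $cipher-256"
                rc=1
            fi ;;
    esac
    if [ "$hash" = "sha1" ]; then
        echo "note: PBKDF2 hash is sha1, the old cryptsetup default; newer releases use --hash sha256"
        rc=1
    fi
    return $rc
}

# Constructed sample, modelled on cryptsetup 1.x output for a header created
# with default parameters (not captured from a real device).
sample_dump() {
    cat <<'EOF'
LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
MK digest:      00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33
MK salt:        00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
                00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
MK iterations:  24250
UUID:           0f6a8b2c-1111-2222-3333-444455556666

Key Slot 0: ENABLED
        Iterations:             97225
        Salt:                   00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
                                00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
EOF
}

# With a device argument, audit the real header (needs root); otherwise the sample.
dump=$(mktemp)
if [ -n "${1:-}" ]; then
    cryptsetup luksDump "$1" > "$dump"
else
    sample_dump > "$dump"
fi
if audit_luks_dump "$dump"; then echo "header looks fine"; else echo "see the notes above"; fi
rm -f "$dump"
```

Run it as `sh audit-luks.sh /dev/sda2` right after `luksFormat`; with no argument it audits the built-in sample, which reproduces the old defaults and therefore gets both notes. If you want AES-256 and the newer hash, pass the parameters explicitly when formatting: `cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 --hash sha256 --iter-time 2000 /dev/sda2` (`--iter-time` is in milliseconds and sets how long the PBKDF2 benchmark runs on this machine).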
### Installing Debian

- `zpool import -R /mnt/vacuum vacuum`

  Re-import the pool.
- `mkdir -p /mnt/vacuum/etc/zfs && zpool set cachefile=/mnt/vacuum/etc/zfs/zpool.cache vacuum`

  The cache file is needed for a successful boot: the initramfs reads it to find and import the pool. Mind the path, it has to end up as `/etc/zfs/zpool.cache` inside the new system.
- `mkdir /mnt/vacuum/boot && mount /dev/sda1 /mnt/vacuum/boot`

  Format `/dev/sda1` beforehand and give it the label `vacuum-boot`; the `fstab` below mounts it by that label.
- `apt install debootstrap`
- `debootstrap stretch /mnt/vacuum http://debian.ffgraz.net/debian`
- `mount --bind /dev /mnt/vacuum/dev`
  `mount --bind /proc /mnt/vacuum/proc`
  `mount --bind /sys /mnt/vacuum/sys`
- Edit `/mnt/vacuum/etc/hostname`, `/mnt/vacuum/etc/hosts`, `/mnt/vacuum/etc/network/interfaces`
- Create `/mnt/vacuum/etc/apt/apt.conf.d/00InstallRecommends`:

  ```
  APT::Install-Recommends "false";
  APT::Install-Suggests "false";
  ```
- `chroot /mnt/vacuum`
- Edit `/etc/apt/sources.list`, pick your favorite mirror and add `contrib` and `non-free`. Make sure a security mirror is there, like:

  ```
  # Yes, I'm aware this is not an official security mirror.
  deb http://debian.ffgraz.net/security jessie/updates main contrib non-free
  deb-src http://debian.ffgraz.net/security jessie/updates main contrib non-free
  ```

  Use the security suite that matches what you bootstrapped.
- `apt update && apt install locales lsb-release sudo`
- `locale-gen en_US.UTF-8`
- `apt install debian-zfs linux-image-amd64`

  0xCAFE time again! DKMS builds the ZFS modules against the new kernel.
- `apt install grub-pc zfs-initramfs`

  When `grub-pc` asks which devices to install GRUB on, select none: `grub-probe` would fail on the ZFS root (cf. #824974). GRUB is installed by hand below.
- `adduser fuzzy && usermod -a -G sudo,adm fuzzy`
- `passwd -l root`

  This makes sure `root` cannot log in with a password.
- `ln -sf /usr/share/zoneinfo/Europe/Vienna /etc/localtime`
- Edit `/etc/fstab`:

  ```
  vacuum/ROOT/debian              /       zfs     defaults                0 0
  /dev/disk/by-label/vacuum-boot  /boot   auto    nodev,nosuid,noexec     0 0
  ```

  The source of a `zfs` entry is the dataset name, not the `/dev/mapper` device the pool lives on. The root dataset is mounted by the initramfs from the `root=ZFS=` kernel parameter anyway.
- Edit `/etc/crypttab`:

  ```
  vacuum-crypt /dev/sda2 none luks
  ```

  For some yet-unknown reason, using `/dev/disk/by-uuid` failed. Keep in mind that `/dev/sda2` is not a stable name: if the disks enumerate differently at boot (another drive or a USB stick attached), the initramfs will not find the LUKS volume.
- `apt install cryptsetup kbd console-setup`
- `apt install busybox-static`

  Required by `zfs-initramfs`.
- `update-initramfs -k all -u`

  Rebuild the init ramdisk, so that the crypto and ZFS modules (and `zpool.cache`) end up in there.
- `grub-install /dev/sda`
- Manually create a minimal `/boot/grub/grub.cfg`:

  ```
  insmod linux
  linux /vmlinuz-4.5.0-2-amd64 root=ZFS=vacuum/ROOT/debian
  initrd /initrd.img-4.5.0-2-amd64
  ```

  The paths are relative to the `/boot` partition, and the kernel version is hard-coded: redo this file after every kernel upgrade, or the system will not boot.
- `zfs snapshot -r vacuum@$(date +%Y%m%d-%H%M)`

  You have a pristine system; it's a good time to snapshot.
- Exit the `chroot`.
- `umount /mnt/vacuum/boot /mnt/vacuum/dev /mnt/vacuum/proc /mnt/vacuum/sys`
- `zfs umount -a && zpool export vacuum`
- `reboot && sacrifice goat && pray`

At the GRUB prompt, just type `boot` to boot: the `grub.cfg` above has no `menuentry`, so GRUB runs its commands, leaves the kernel and initrd loaded, and drops to its prompt.
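
Before the `reboot`, it is worth checking from inside the chroot that what GRUB and the initramfs will need is actually in place. The script below is an added example (not from the original post), with helper names of my choosing: it verifies that every kernel and initrd the hand-written `grub.cfg` refers to exists on the `/boot` partition, and that the listing of each initramfs (`lsinitramfs`) contains the `zfs` module, `zpool`, `cryptsetup` and `zpool.cache`. With `--run` it checks the real `/boot`; without arguments it runs against constructed data so you can see what a failure looks like.

```shell
#!/bin/sh
# check-boot.sh: pre-reboot checks for the LUKS + ZFS-root install above.
# Added example, not part of the original post. Assumes a hand-written
# grub.cfg as in the post and a Debian initramfs listed with lsinitramfs.
set -u

# Kernel and initrd paths a grub.cfg refers to (relative to the /boot partition).
grub_cfg_refs() { # $1 = grub.cfg
    awk '$1 == "linux" || $1 == "initrd" { print $2 }' "$1"
}

# Return 0 only if every file grub.cfg references exists under the boot directory.
check_grub_refs() { # $1 = grub.cfg, $2 = directory where the /boot partition is mounted
    rc=0
    for f in $(grub_cfg_refs "$1"); do
        if [ ! -f "$2/${f#/}" ]; then
            echo "grub.cfg references $f but $2/${f#/} does not exist" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 only if an lsinitramfs listing holds what unlocking LUKS and importing
# the pool at boot needs: the zfs module, zpool, cryptsetup and the pool cache file.
# The patterns accept both /sbin and /usr/sbin and a compressed zfs.ko.
check_initramfs_listing() { # $1 = file containing 'lsinitramfs <initrd>' output
    rc=0
    for pat in 'zfs\.ko' 'sbin/zpool$' 'sbin/cryptsetup$' 'etc/zfs/zpool\.cache$'; do
        grep -Eq "$pat" "$1" || { echo "initramfs is missing $pat" >&2; rc=1; }
    done
    return $rc
}

# Check the real system (run inside the chroot, after update-initramfs).
check_system() {
    failed=0
    check_grub_refs /boot/grub/grub.cfg /boot || failed=1
    for img in /boot/initrd.img-*; do
        lst=$(mktemp)
        lsinitramfs "$img" > "$lst"
        if check_initramfs_listing "$lst"; then echo "$img: ok"; else failed=1; fi
        rm -f "$lst"
    done
    return $failed
}

# Constructed data, so the checks can be tried offline: a grub.cfg like the one in
# the post, a /boot where the initrd is deliberately missing, and a plausible listing.
demo() {
    d=$(mktemp -d)
    mkdir "$d/boot"
    printf '%s\n' 'insmod linux' \
        'linux /vmlinuz-4.5.0-2-amd64 root=ZFS=vacuum/ROOT/debian' \
        'initrd /initrd.img-4.5.0-2-amd64' > "$d/grub.cfg"
    touch "$d/boot/vmlinuz-4.5.0-2-amd64"
    if check_grub_refs "$d/grub.cfg" "$d/boot"; then
        echo "grub refs: ok"
    else
        echo "grub refs: FAIL (expected here, the initrd is missing)"
    fi
    printf '%s\n' lib/modules/4.5.0-2-amd64/updates/dkms/zfs.ko sbin/zpool \
        sbin/cryptsetup etc/zfs/zpool.cache > "$d/initrd.lst"
    if check_initramfs_listing "$d/initrd.lst"; then echo "initramfs listing: ok"; fi
    rm -rf "$d"
}

if [ "${1:-}" = "--run" ]; then check_system; else demo; fi
```

The initramfs check matters more than it looks: if `update-initramfs` ran before `zpool.cache` was copied into `/etc/zfs`, or before `cryptsetup` was installed, the image boots to an initramfs shell rather than to the pool, and the only hint is a missing file in the listing.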