@someburner
Created June 17, 2024 07:42
multiboot ubuntu arch windows 11 btrfs with LUKS

Windows + ubuntu 22 + arch - btrfs multi

Collection of notes of what eventually worked for me as I attempted this. Many guides and references used but most of them were not using LUKS + btrfs + multiboot, so I had to guess and check a bit.

Useful tools / tips / notes

Various tips and notes in this section for making this process easier and faster.

Dry-run (emu)

When experimenting, it will make your life a lot easier to perform as many steps as possible in a VM first. Best options are quickemu and virtualbox.

quickemu

See quickemu.md for details.

Ventoy (ISO boot manager)

Ventoy is a nice piece of software that lets you simply drop ISO files onto a single disk. This is very handy for multiboot or for having access to multiple live/recovery images.

  • For windows, may need to try WIMBOOT.
  • For openwrt, special attention needed. See here

Windows 11

If you experience issues getting Windows 11 to detect a drive for install, you may need to use the official Windows media creation tool. Seems to be a recent issue with the latest Windows 11 22H2.

/boot and /boot/efi

  • efi is pretty straightforward, set it to 512MB, don't put a ton of stuff in there
  • for multiboot, most people say "don't use a single /boot"
    • Why? Because if you do grub/kernel/whatever operations on one OS it could screw up the other. For example an apt-update that has new linux kernels, or purging old ones.
    • Conversely, separate boot partitions on encrypted setup require a lot of configuration
  • This may be the best answer I've seen.
    • Designate your primary OS as the one that gets to perform boot operations
    • Mount other OSes as ro or don't mount /boot for them at all. Manage kernel updates manually.
    • Manage the other OSes from your primary OS.
  • In terms of size, I think bigger is better. With multiple OSes and potential for kernel modules.

bootloader / grub

  • Generally seems that nobody thinks encrypting /boot provides much in way of security, but makes everything very difficult.

  • https://help.ubuntu.com/community/Grub2/Installing

  • If using btrfs, lvm is not really necessary. so btrfs || (lvm + (xfs || ext4)).

  • btrfs not good for large files (?) or databases, like mongo. Might be good to leave 100gb or so as ext4 for that.

  • use zstd:1 (compress-force=zstd:1 recommended) or lzo mount option. see here.

  • can recompress already written using btrfs fi defrag -calgo

  • or use mount -o remount,compress=zstd

  • more on btrfs mount options

  • Top level search --fs-uuid --set=root <UUID> should be UUID of the /boot partition that contains linux img

  • Next line linux /vmlinuz-4.19-x86_64 root=UUID=<UUID> ... should be UUID top level btrfs disk (I think?)

btrfs

Creation

Use --csum xxhash for faster checksums. AFAIK this cannot be changed.

mkfs.btrfs --csum xxhash

mount options

space_cache=v2,compress-force=zstd:1,noatime

shared subvolume

In my case, I wanted to be able to have various project/code folders to share the same relative path across distros, but I didn't want to have duplicates in each home folder. My solution was to make a subvol called share. Then in each home folder, I added symlinks to the share/whatever folder. This can be done after installation easily.

Example fstab:

/dev/mapper/nvme0n1p5_crypt /share btrfs defaults,space_cache=v2,compress-force=zstd:1,noatime,nodiscard,subvol=@share 0 0
/dev/mapper/nvme0n1p5_crypt /home btrfs defaults,space_cache=v2,compress-force=zstd:1,noatime,nodiscard,subvol=@home 0 2
# I don't think mount order matters?

Then on each distro, do:

cd ~
ln -s /share/a_shared_dir a_shared_dir

Only issue I've experienced so far is things like python envs obviously must be recreated/different for each distro.

Guide

Overview

Assumptions

  • 1 or more bootable USB drives for nix / windows ISOs
  • Guide is for a 2TB laptop install, tweak numbers as needed
  • For the sake of not having clutter, it is assumed you know when you need to use sudo or not.

Procedure

  1. Boot live CD and arrange disk with gparted
    • Wipe disk fully (optional)
    • create GPT partition table
    • Create EFI and boot partitions
    • Create NTFS partition for Windows
    • Create other volumes as needed
  2. Install windows
  3. Install primary linux system
    • perform additional steps for btrfs (mount options, etc)
  4. Install additional distros
    • change @, @home to @x @x_home
    • update grub, fstab, crypttab for each

Terms used

vdax, vdax_crypt:

These refer to the partition on which luks is installed (e.g. primary linux distro). Depending on how many additional partitions you decide to make prior to installation, vdax may be vda4, vda5, vda6, etc. In this guide, I set up -most- of the partitions prior to linux install, and install windows first, so generally the number will be whatever windows is + 2.

1. GPT Setup

  1. NOTE: Leave ~400gb unallocated for easier btrfs management, or other tests/tasks

  2. Boot ubuntu ISO on usb drive, choose "try ubuntu"

  3. Open gparted and create:

  • Device -> New PT of type gpt
  • 550 MB primary partition. Type=FAT32, Name=EFI, Label=EFI
    • NOTE: Once created you'll see an error flag about needing dosfstools, mtools in order to read. This can be ignored.
    • packaged memtest86 requires FAT16, but lots of reports of FAT16 causing trouble elsewhere.
    • If you need to memtest, get a more recent version (6+) memtest86+ 64bit and drop the ISO onto Ventoy.
  • 2048 MB primary partition. Type=ext4, Name=/boot
  • 280 GB primary partition. Type=NTFS, Name=win11
    • This is to contain windows
    • NOTE: For testing, windows needs at least ~40GB. In practice, should probably allocate at least ~200GB.
    • Windows + Drivers + etc is at least ~50GB.
    • Another 30 GB for programs, toolchains, etc.
    • leaves about 200 GB for games. Some games can be massive in size.
  • 100 GB primary. Type=ext4, Name=db
    • for non-sensitive database storage, x-distro storage

Once done, click Apply.

  4. Edit EFI partition flags and select esp, boot.

2. Windows Setup

  1. Boot windows ISO and install windows to the previously created NTFS partition (vda3).

  2. Reboot windows as needed until it's happy

Note: Windows will create a small additional partition after its own once fully installed.

3. Primary setup

  1. Boot ubuntu ISO

  2. For drive install, choose "something else"

  • with remaining space, or up to whatever you want, choose 'physical volume for encryption'

  • set crypto password, and close

  • the installer will work for a bit re-arranging the space, you should see /dev/vdax and /dev/vdax_crypt move up top

  • at this point, close the installer. these changes will persist, but we want to create our own btrfs filesystem with xxhash

  • open terminal and do sudo mkfs.btrfs --csum xxhash /dev/mapper/vdax_crypt

  • now open the installer again

NOTE: It appears that this mostly works. The only thing that appears to be skipped is the creation of the /etc/crypttab file. More on that later. You will also need to re-run grub chroot-ed after.

  • for /boot ext4 partition, change to ext4 (again?) and set mount point to /boot
  • for vdax_crypt, change to btrfs and set mount point to /
  3. Run installer to completion, but stay in setup after!

After complete, check that btrfs was created with xxhash

sudo btrfs inspect-internal dump-super /dev/mapper/vdax_crypt | grep csum

IMPORTANT !!!

  4. You must also add the -container- /dev/vdax UUID to /etc/crypttab:
# mount the drive
mount /dev/mapper/vdax_crypt /mnt

# check the uuid of the vdax container
lsblk -o uuid,name

# this will spit out the drives and their UUIDs. Look for the vdax_crypt drive
# Ex: You should see something like this
# 039a4bb5-4bc9-4536-be4d-3c8d7d444ad2 |--vda6
# 503bd511-d98b-4a4a-aa9c-df11ba942f75   |--vda6_crypt
#
# In this case, luks is on the vda6 partition, mapped to vda6_crypt
# You want to use the top-level vda6 uuid (what I call a container),
# which is 039a4bb5-4bc9-4536-be4d-3c8d7d444ad2

# create the file if it does not exist
nano /mnt/@/etc/crypttab

# enter this in
vdax_crypt UUID=039a4bb5-4bc9-4536-be4d-3c8d7d444ad2 none luks,discard

# change vdax for your partition number, and of course UUID. Save and exit.

To check that this is all OK, perform:

sudo update-initramfs -u -k all
  5. It is necessary to re-run grub from inside the new install to get it going all the way. You have a couple of options:

a.) Reboot. You get stuck in an initramfs shell. From here, you can just do

cryptsetup luksOpen /dev/vdax vdax_crypt
# enter passphrase

# TODO is it /real_root?
mount -o subvol=@ /dev/mapper/vdax_crypt /real_root

# then hit ctrl+d

b.) mount and chroot into the freshly installed system, then run update-grub

TODO:

  • mount subvols
  • (re?)mount boot vols
  • chroot and run grub
# mount root subvol
mount -o space_cache=v2,compress-force=zstd:1,noatime,subvol=@ /dev/mapper/vdax_crypt /mnt
# create mount points for home and boot
mkdir -p /mnt/{home,boot}
# mount home
mount -o space_cache=v2,compress-force=zstd:1,noatime,subvol=@home /dev/mapper/vdax_crypt /mnt/home

# mount /boot to /mnt/boot
# NOTE: recommended to check which device is /boot with blkid
mount /dev/vda2 /mnt/boot
# likewise for /boot/efi
mount /dev/vda1 /mnt/boot/efi

# mount proc, dev, sys
mount -t proc /proc /mnt/proc
mount --rbind /sys /mnt/sys
mount --rbind /dev /mnt/dev
# mount --rbind /run /mnt/run

# chroot
chroot /mnt /bin/bash

# initramfs
update-initramfs -u -k all

nano /etc/default/grub
# Change these
GRUB_DEFAULT=saved
GRUB_TIMEOUT=5
GRUB_TIMEOUT_STYLE=menu
# Add this
GRUB_FONT="/boot/grub/fonts/unicode.pf2"

# update grub
grub-mkconfig
update-grub
# make a copy for future installs
cd /boot/grub
cp grub.cfg grub-ubu22-OG.cfg

# cleanup
# exit chroot
exit

# unmount boot
umount /mnt/boot/efi
umount /mnt/boot

# unmount
umount /mnt/dev/pts
umount /mnt/{proc,sys,dev}
umount /mnt/home
umount /mnt
  6. Reboot into primary system and do some edits

NOTE: If you can't boot, it's likely due to something wrong in the last few steps.

sudo su
nano /etc/default/grub

# Change these
GRUB_DEFAULT=saved
GRUB_TIMEOUT=5

grub-mkconfig
update-grub

# edit fstab params for @ and @home
nano /etc/fstab

# Make your btrfs mount options look like this:
/dev/mapper/vdax_crypt /      btrfs   space_cache=v2,compress-force=zstd:1,noatime,subvol=@      0  1
/dev/mapper/vdax_crypt /home  btrfs   space_cache=v2,compress-force=zstd:1,noatime,subvol=@home  0  1

4. Secondary+ setup

Note: I used this guide as a reference. However in our case we are using an unencrypted /boot partition, so a lot of the grub edits are not required.

TODO: Can/should all of this be done with chroot?

4a. Prepare previous install

  1. (optional) If using quickemu or similar, now would be a good time to backup your .img in order to recover from mistakes / try things.

  2. Choose a name for the last installed distro

For each new distro we want to add, we will be changing the btrfs @ and @home mount points to something more descriptive. For example, if the last distro we installed was ubuntu 22.04, we will change these to @u22 and @u22_home. You may change these however you like, but try to think ahead for new versions and maintain some consistency.

The following steps will assume the above situation/suggestion.

  3. Boot into primary distro for grub and fstab edits
nano /etc/fstab
# change @ to @u22
# change @home to @u22_home
# save + exit

nano /boot/grub/grub.cfg

# TODO: Research wtf this is even for, since it could easily break
# if there is a font="/@/usr/..." line, go ahead and change that to..
# font="/@u22/usr/..."
# ..now, as that saves us from having to run update-grub

# locate each menuentry line of the system we're changing. in my case there are 3, but it will vary.
# replace subvol=@ with subvol=@u22
# save + exit

Now shutdown the system.

NOTE: Be aware that at this point, your previous install won't boot.

  4. Boot to a live ISO, preferably that of your primary. Choose 'Try Ubuntu' or similar.

for quickemu: You will need to press ESC repeatedly to get to the qemu bootloader and select the live disk. If you miss it, you will be stuck in grub. In this case, close the window, do:

# find the pid
ps -aux | grep qemu
# kill it
kill -9 <pid>
# try again
  5. Mount the encrypted volume and rename
# decrypt
cryptsetup luksOpen /dev/vdax vdax_crypt
# enter your luks passphrase
# create a mount point
mkdir /mnt/vdax_crypt
# mount it
mount /dev/mapper/vdax_crypt /mnt/vdax_crypt

# navigate to mount point
cd /mnt/vdax_crypt
# move subvolumes
mv @ @u22
mv @home @u22_home

# unmount
cd
umount /mnt/vdax_crypt

Remove install media and reboot. You should now be able to boot back into the previous system.

4b. Install next system

  • Each linux system is going to vary a bit here.
  • It is highly likely that GUI installers will not work, but YMMV.
  • Best bet is to keep a .img of your current emu system, figure out what works or doesn't, then perform it on your actual system
  • Given the above, this section will try to focus on things that should apply to all distros, e.g. grub / fstab stuff.
  • For each distro I'll make notes

arch install

Manjaro installer sucks which is not a good sign, so let's just do arch proper. There is apparently an arch gui ISO that is a barebones arch with GUI installer that can probably be used to install from a GUI env, but seems like extra work just to have a gui.

BTRFS notes here.

0. Make your life easier

Boot into main distro and copy these files to /boot somewhere, e.g. /boot/backups

  • /etc/fstab
  • /etc/crypttab
  • ls -lAh /boot > /boot/backups/bootdir-ubu22

1. Boot live cd

Boot the live CD and choose installer option.

2. (optional) Connect SSH terminal

This makes it a lot easier to copy/paste commands. See quickemu.md for SSH on emu.

# inside arch term
# set root pw (temporary, for ISO / installer, make it easy)
passwd

# For real install on a laptop, perform the steps here
# for VM, skip the wifi section
# https://wiki.archlinux.org/title/Wpa_supplicant
nano /etc/wpa_supplicant/wpa_supplicant.conf
# enter this
ctrl_interface=/run/wpa_supplicant
update_config=1
# save + exit

# start wpa_supplicant
wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf
# run cli
wpa_cli

> add_network
> set_network 0 ssid "SSID"
> set_network 0 psk "PASS"
> enable_network 0
# this should eventually authenticate, if not, figure out why
> save_config
> quit

# start sshd (if needed)
systemctl start sshd.service

# determine ip addr
ip addr

# from remote host (emu)
ssh root@localhost -p 22220

# from remote host (real)
ssh root@192.168.x.x

3. Arch install

Mounting / btrfs setup

# make sure it works
pacman -Sy

# mount crypt device
cryptsetup luksOpen /dev/vdax vdax_crypt
mount /dev/mapper/vdax_crypt /mnt
cd /mnt
ls
cd

# create new btrfs subvolumes
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home
umount /mnt

# Set btrfs mount options to var
btrfsopts="defaults,space_cache=v2,compress-force=zstd:1,noatime"

# mount root subvol
mount -o defaults,space_cache=v2,compress-force=zstd:1,noatime,subvol=@ /dev/mapper/vdax_crypt /mnt

# create mount points for home and boot
mkdir -p /mnt/{home,boot}

# mount home
mount -o defaults,space_cache=v2,compress-force=zstd:1,noatime,subvol=@home /dev/mapper/vdax_crypt /mnt/home

# mount /boot to /mnt/boot
# NOTE: recommended to check which device is /boot with blkid
mount /dev/vda2 /mnt/boot
# likewise for /boot/efi
mount /dev/vda1 /mnt/boot/efi

pacstrap

# kde - depends on a buncha stuff already
pacstrap /mnt base linux linux-firmware mkinitcpio \
	vim sudo nano grub bash \
	btrfs-progs cryptsetup \
	xdg-user-dirs plasma-meta kde-applications-meta sddm-kcm

# kde - oneliner
pacstrap /mnt base linux linux-firmware mkinitcpio vim sudo nano grub bash btrfs-progs cryptsetup xdg-user-dirs plasma-meta kde-applications-meta sddm-kcm

# vm
pacstrap /mnt base linux linux-firmware \
	btrfs-progs coreutils diffutils \
	cryptsetup \
	efibootmgr e2fsprogs efivar \
	networkmanager wpa_supplicant wireless_tools reflector curl wget \
	bash nano sudo vi vim man man-db man-pages \
	git python \
	pulseaudio \
	mkinitcpio

fstab

genfstab -U /mnt >> /mnt/etc/fstab

# for now, save this to /boot
cp /mnt/etc/fstab /mnt/boot/backups/fstab-archgen

# NOTE: if you copied fstab and crypttab like you should have, you can skip this
# mount u22 to /tmp/u22
mkdir /tmp/u22
mount -o $btrfsopts,subvol=@u22 /dev/mapper/vdax_crypt /tmp/u22
# get fstab, crypttab
cp /tmp/u22/etc/fstab /boot/fstab-u22
cp /tmp/u22/etc/crypttab /boot/crypttab-u22
umount /tmp/u22

# copy crypttab to arch
cat /mnt/boot/backups/crypttab-ubu22-og >> /mnt/etc/crypttab

# change arch fstab to look like ubuntus (or just copy and change the @/@home?)
nano /mnt/etc/fstab

chroot

arch-chroot /mnt

# set timezone
ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime

# run hwclock
hwclock --systohc

nano /etc/locale.gen
# uncomment these
en_US.UTF-8 UTF-8
en_US ISO-8859-1 

# generate locales
locale-gen

# set LANG to new /etc/locale.conf
echo LANG=en_US.UTF-8 > /etc/locale.conf

# Set keyboard layout
echo KEYMAP=us > /etc/vconsole.conf

#and font
echo FONT=MesloLGS >> /etc/vconsole.conf

# set hostname
echo your-hostname > /etc/hostname

# edit mkinitcpio.conf
nano /etc/mkinitcpio.conf
# add cryptsetup to BINARIES
# add encrypt btrfs to HOOKS
# add resume if using swap file
HOOKS=(base keyboard udev autodetect modconf block keymap encrypt btrfs filesystems resume)
# IMPORTANT: encrypt must come after udev, and before filesystems

# re-run mkinitcpio
# TODO: change config for a specific initramfs img name
mkinitcpio -P linux

# set root password
passwd

If /etc/crypttab or corresponding kernel parameters exist I think you should be able to systemctl start systemd-cryptsetup@<name-of-mapper>.service from the emergency shell. Perhaps you can also "systemctl start cryptsetup.target" to have all devices encrypted, but I'm not sure if targets work this way.

grub

README:

  • For now this is manual. I couldn't be bothered to figure out how to have update-grub work cleanly for multiboot.
  • You need to be very careful with grub, particularly on ubuntu which will update it as part of apt upgrade.
  • Make backups before/after any updates
  • Generally speaking, if doing arch + ubuntu/debian, you only need to worry about ubuntu updates. Arch updates use the same filenames for each kernel/initrd image.
  • if you make manual edits to grub.cfg, update-grub will do all kinds of weird things. again, just make backups of working configs, learn a bit about the cfg structure, and you should be fine.
nano /boot/grub/grub.cfg
# copy the top menuentry for Ubuntu and rename it Arch-kde, --class arch
# on the linux line, set subvol=@
# on initrd line, change to /initramfs-linux.img
# on linux line, change to /vmlinuz-linux
# change linux line to be like this:
# /vmlinuz-linux root=/dev/mapper/vdax_crypt cryptdevice=/dev/vdax:vdax_crypt ro rootflags=subvol=@

manjaro-kde-23 install

I ended up using arch+kde. Too many weird problems with manjaro. This is not complete.

Method 1: manjaro basestrap

https://nerdstuff.org/posts/2020/2020-004_arch_linux_luks_btrfs_systemd-boot/

NOTE: manjaro tools: https://wiki.manjaro.org/index.php/Manjaro-tools

  • pacstrap -> basestrap
  • genfstab --> fstabgen
  • arch-chroot --> manjaro-chroot.

basestrap + chroot cmds

sudo pacman -Fy pacstrap

sudo mkdir /mnt/home
sudo mkdir /mnt/boot

sudo mount /dev/vda1 /mnt/boot

sudo basestrap /mnt base linux65 linux-firmware btrfs-progs sudo manjaro-zsh-config intel-ucode networkmanager wpa_supplicant nano vi vim mkinitcpio man

fstabgen -U /mnt > /tmp/fstab.tmp
cat /tmp/fstab.tmp
# copy these to /etc/fstab

echo <your-hostname> > /etc/hostname
echo LANG=en_US.UTF-8 > /etc/locale.conf

# nano /etc/locale.gen
# uncomment these
en_US.UTF-8 UTF-8
en_US ISO-8859-1 

# generate locales
locale-gen

# Set keyboard layout and font
echo KEYMAP=us > /etc/vconsole.conf
echo FONT=MesloLGS >> /etc/vconsole.conf

# set timezone
ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime

# re-run mkinitcpio
# TODO: change config for a specific initramfs img name
mkinitcpio -P

# set root password
passwd

# add sudo user
pacman -S sudo
useradd -m -G wheel -s /bin/bash <user>

# allow sudo users to elevate
nano /etc/sudoers
# uncomment this line:
# %wheel   ALL=(ALL)   ALL
# save + exit

# set password for user
passwd <user>
# > enter pw

# install some CLI utils
pacman -S konsole openssh

# enable networking at boot
systemctl enable NetworkManager.service

# enable sshd at boot
systemctl enable sshd.service

# optional, enable sddm.service
systemctl enable sddm.service

fstab

Notes:

  • Below config examples are WIP and edited manually. I have not figured out a clean way to do this yet, but appears to work fine.
  • using UUIDs instead of /dev/mapper/vdax_crypt resulted in requiring double passwords on boot. Or maybe it was due to mounting rw. Unsure.
  • the manual tweaking is bad since any grub/kernel updates on any subvol could fuck it all up. But should be easy to fix.

/etc/fstab:

  • This should be valid for all distros
  • Each time a new distro is installed, and @ and @home are moved, it must also be changed here
# <file system> <dir> <type> <options> <dump> <pass>

# mount point for vdax_crypt (root)
# NOTE: Instead of /dev/mapper/vdax_crypt, you could just put UUID=1e303449-c645-4b5d-9dc4-013aac26392c
/dev/mapper/vdax_crypt                    /        btrfs defaults,subvol=@ 0 1

# mount unencrypted /boot
# NOTE: could probably also just be /dev/vda2
UUID=7d25a095-4e8a-4f4d-b5f1-2c40a0412c12 /boot     ext4 defaults        0       2

# mount unencrypted /boot/efi
# NOTE: could probably also just be /dev/vda1
UUID=E497-B45B /boot/efi vfat umask=0077 0 1

# mount point for vdax_crypt (home)
/dev/mapper/vdax_crypt /home btrfs defaults,subvol=@home 0 2

crypttab

/etc/crypttab:

# NOTE: THIS MUST BE CONTAINER UUID
# E.G.: sudo cryptsetup -v luksDump /dev/vdax
vdax_crypt UUID=5baf398c-b594-42b3-801e-e0af46184dd3 none luks,discard
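
The container-versus-mapping UUID rule from the crypttab steps above can be checked mechanically before rebooting. This is an added example, not part of the original gist: check_crypttab and make_samples are hypothetical helpers, and the sample data is constructed from the example UUIDs in the lsblk output shown earlier.

```shell
#!/bin/sh
# check_crypttab CRYPTTAB LSBLK_PAIRS
#   CRYPTTAB:    path to a crypttab file
#   LSBLK_PAIRS: saved output of `lsblk -P -o NAME,UUID,FSTYPE`
#   Returns 0 when every UUID= entry names a LUKS container, 1 otherwise.
check_crypttab() {
    crypttab=$1
    lsblk_out=$2
    rc=0
    while read -r name source _key opts; do
        # skip blank lines and comments
        case $name in ''|'#'*) continue ;; esac
        case $source in
            UUID=*) uuid=${source#UUID=} ;;
            *) echo "SKIP $name: source '$source' is not a UUID= reference"
               continue ;;
        esac
        # find the block device carrying this UUID and read its FSTYPE
        line=$(grep -F " UUID=\"$uuid\"" "$lsblk_out" | head -n 1)
        fstype=$(printf '%s\n' "$line" | sed -n 's/.*FSTYPE="\([^"]*\)".*/\1/p')
        if [ -z "$line" ]; then
            echo "FAIL $name: UUID $uuid not found on any block device"
            rc=1
        elif [ "$fstype" = crypto_LUKS ]; then
            echo "OK   $name: UUID $uuid is a LUKS container"
        else
            echo "FAIL $name: UUID $uuid is a '$fstype' filesystem, not the LUKS container"
            rc=1
        fi
        # informational: discard lets TRIM requests through the encrypted device
        case ",$opts," in
            *,discard,*) echo "NOTE $name: 'discard' passes TRIM through dm-crypt" ;;
        esac
    done < "$crypttab"
    return "$rc"
}

# Constructed sample data (assumption: vda6 holds LUKS, opened as vda6_crypt).
make_samples() {
    dir=$1
    cat > "$dir/lsblk.txt" <<'EOF'
NAME="vda" UUID="" FSTYPE=""
NAME="vda6" UUID="039a4bb5-4bc9-4536-be4d-3c8d7d444ad2" FSTYPE="crypto_LUKS"
NAME="vda6_crypt" UUID="503bd511-d98b-4a4a-aa9c-df11ba942f75" FSTYPE="btrfs"
EOF
    cat > "$dir/crypttab.good" <<'EOF'
# <name> <device> <keyfile> <options>
vda6_crypt UUID=039a4bb5-4bc9-4536-be4d-3c8d7d444ad2 none luks,discard
EOF
    cat > "$dir/crypttab.bad" <<'EOF'
vda6_crypt UUID=503bd511-d98b-4a4a-aa9c-df11ba942f75 none luks,discard
EOF
}

# Demo on the constructed samples: the first file passes, the second fails.
tmp=$(mktemp -d)
make_samples "$tmp"
check_crypttab "$tmp/crypttab.good" "$tmp/lsblk.txt" || true
check_crypttab "$tmp/crypttab.bad" "$tmp/lsblk.txt" || true
rm -rf "$tmp"
```

On a real system, save `lsblk -P -o NAME,UUID,FSTYPE` to a file from the live environment after luksOpen and pass it together with the installed system's crypttab.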

grub

Some caveats from above apply here.

Example configs:

Ubuntu 22:

menuentry 'Ubuntu' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-1e303449-c645-4b5d-9dc4-013aac26392c' {
        recordfail
        load_video
        gfxmode $linux_gfx_mode
        insmod gzio
        if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
        insmod part_gpt
        insmod ext2
        search --no-floppy --fs-uuid --set=root 7d25a095-4e8a-4f4d-b5f1-2c40a0412c12
        linux   /vmlinuz-6.2.0-35-generic root=UUID=1e303449-c645-4b5d-9dc4-013aac26392c ro rootflags=subvol=@u  quiet splash $vt_handoff
        initrd  /initrd.img-6.2.0-35-generic
}

Arch:

menuentry 'Manjaro Linux' --class manjaro --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-5baf398c-b594-42b3-801e-e0af46184dd3' {
        savedefault
        load_video
        set gfxpayload=keep
        insmod gzio
        insmod part_gpt
        insmod fat
        search --no-floppy --fs-uuid --set=root 7d25a095-4e8a-4f4d-b5f1-2c40a0412c12
        linux   /vmlinuz-4.19-x86_64 cryptdevice=UUID=5baf398c-b594-42b3-801e-e0af46184dd3:vdax_crypt root=/dev/mapper/vdax_crypt ro rootflags=subvol=@  quiet udev.log_priority=3
        initrd  /intel-ucode.img /initramfs-4.19-x86_64.img
}

On target system

> login as root

# to get networking
systemctl enable NetworkManager.service
systemctl restart NetworkManager.service

# add sudo user
pacman -S sudo
useradd -m -G wheel -s /bin/bash <user>

# allow sudo users to elevate
nano /etc/sudoers
# uncomment this line:
# %wheel   ALL=(ALL)   ALL
# save + exit

# set password for user
passwd <user>
# > enter pw

# install some CLI utils
pacman -S konsole openssh

# setup openssh
mkdir -p /root/.ssh
# touch /root/.ssh/authorized_keys # TODO
systemctl restart sshd.service
# NOTE: to ssh into quickemu, do:
ssh <user>@localhost -p 22220
# > enter p/w

# install GUI
pacman -S gdm
systemctl enable gdm
systemctl start gdm

cryptsetup

cryptsetup luksOpen /dev/vdax vdax_crypt
mkdir /mnt/vdax_crypt
mount /dev/mapper/vdax_crypt /mnt/vdax_crypt

### do stuff ###
sudo chroot /mnt/vdax_crypt/@
exit
###

sudo umount /mnt/vdax_crypt
sudo cryptsetup luksClose vdax_crypt

Misc useful links

https://mutschler.dev/linux/ubuntu-btrfs-20-04/#step-3-optional-optimize-mount-options-for-ssd-or-nvme-drives

https://github.com/quickemu-project/quickemu/compare/master...wmutschl:quickemu:Tweaks

https://gist.github.com/luispabon/db2c9e5f6cc73bb37812a19a40e137bc

plus

https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019

or

https://mutschler.dev/linux/pop-os-btrfs-22-04/

Ubuntu bootstrap

TODO: this is likely the easier way to install ubuntu for this type of setup

https://semjonov.de/posts/2021-09/minimal-ubuntu-installation-with-debootstrap/