Bootstrapper for remote installation of Ubuntu with root on encrypted ZFS unlockable over SSH
ubuntu-bootstrap

Bootstrapper for remote installation of Ubuntu server with encrypted, remotely unlockable root (on ZFS).

Introduction

The purpose of this script is to bootstrap an Ubuntu server installation with root on LUKS-encrypted ZFS (or another FS), over SSH from a hosting provider's rescue environment. The specific features of this installation are as follows:

  1. LUKS encrypted (ZFS) root, remotely unlockable via SSH
  2. Unencrypted /boot (on ext4)
  3. Basic GPT partitioning with /boot, optional swap partition and root
  4. Initramfs with Dropbear, using the same SSH key as the main sudoer "admin" account (see below) and the same SSH host key as the main OpenSSH server (except that the user is root)
  5. Disables systemd-resolved (static resolv.conf)
  6. Disables network interface renaming (uses old eth0 naming)
  7. Sets up an "admin" sudoer account

The LUKS container is encrypted with a passphrase rather than a key file, so that regular logins at the console remain possible should the need arise.

The resulting system is a minimal Ubuntu (built with debootstrap), sufficient to reboot into a working Ubuntu server from which configuration management can take over and finish the installation.
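Feature 4 above reuses the admin account's SSH key and the OpenSSH host key inside the initramfs. The following is an added example, not code from ubuntu-bootstrap.sh, of how that staging can be done while restricting the initramfs key to the unlock command only, so a key that is also valid for the full system cannot do more than unlock the disk at the early-boot prompt. It assumes Ubuntu's dropbear-initramfs and cryptsetup-initramfs packages, the config directory in DROPBEAR_DIR (newer releases use /etc/dropbear/initramfs), and a dropbear recent enough (2020.79 or later) for dropbearconvert to read new-format OpenSSH keys; the admin key path and host key path are placeholders.

```shell
#!/bin/sh
# Added example (not part of ubuntu-bootstrap.sh): stage the initramfs Dropbear
# config from the admin account's key and the host's OpenSSH server key, while
# restricting the initramfs key to the unlock command only.
# Assumptions: dropbear-initramfs + cryptsetup-initramfs on Ubuntu; config dir
# below (newer releases use /etc/dropbear/initramfs); dropbear >= 2020.79.
DROPBEAR_DIR="${DROPBEAR_DIR:-/etc/dropbear-initramfs}"
UNLOCK_OPTS='no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock"'

# Rewrite one OpenSSH authorized_keys line for the initramfs: drop whatever
# options it carried, keep type/key/comment, and prepend the unlock-only options.
# Prints nothing and returns 1 if the line holds no recognisable key.
restrict_unlock_key() {
    printf '%s\n' "$1" | awk -v types='^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521))$' \
                             -v opts="$UNLOCK_OPTS" '{
        for (i = 1; i < NF; i++) {
            if ($i ~ types && $(i + 1) ~ /^[A-Za-z0-9+\/=]+$/) {
                line = opts " " $i " " $(i + 1)
                for (j = i + 2; j <= NF; j++) line = line " " $j   # key comment
                print line
                exit 0
            }
        }
        exit 1
    }'
}

# Build the initramfs authorized_keys from the admin account's file and install
# the OpenSSH ed25519 host key in Dropbear format, so the unlock prompt presents
# the same host identity as the running system (no second key to trust).
install_initramfs_unlock() {   # $1: admin authorized_keys, $2: OpenSSH host key
    umask 077                  # key material stays root-only (script-wide)
    out="$DROPBEAR_DIR/authorized_keys"
    : > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        restrict_unlock_key "$line" >> "$out" || echo "skipping unparseable line" >&2
    done < "$1"
    /usr/lib/dropbear/dropbearconvert openssh dropbear "$2" \
        "$DROPBEAR_DIR/dropbear_ed25519_host_key"
    update-initramfs -u
}

# Only act when explicitly asked, so the functions can be sourced or tested.
if [ "${1:-}" = "--install" ]; then
    install_initramfs_unlock /home/admin/.ssh/authorized_keys /etc/ssh/ssh_host_ed25519_key
fi
```

After a reboot, `ssh root@host` into the initramfs runs only cryptroot-unlock and then closes, which is the check that the restriction took effect.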

Wishlist

  1. Add ext4, xfs or another FS beside ZFS
  2. LUKS keys in addition to passphrase
  3. Configurable cryptsetup options (key size, iterations, ...)
  4. Make removal of systemd-resolved optional
  5. Make disabling net.ifnames optional
  6. Bootstrap SaltStack minion that can pick up config right after reboot
  7. Add more rescue environments, maybe as separate plugins instead
  8. Set up /boot on more than one drive

WARNING! This is alpha-grade software. It is used in production by the author, but it still requires more testing and tuning before it is generally applicable.