ZFS-root/ZFS-root.conf.example at master · Halfwalker/ZFS-root · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
#
# Pre-configuration for ZFS-root.sh
# Any vars not set here will be prompted for
#

#
#       DANGER ZONE
#
# wipe_fresh - are going to NUKE this system for a new install ?
#   y - Will query for disks to use and totally wipe them
#   n - Only creates a new dataset under <pool>/ROOT/<suite>
#       This is then selectable under zfsbootmenu
#
# WIPE_FRESH=y

# Proxy config - apt-cacher-ng
#
# PROXY="http://bondi.local:3142/"
PROXY=

#
# Main username and comment
#
USERNAME="george"
UCOMMENT="George of the Jungle"
UPASSWORD="password"

#
# Space-separated list of github users from which to pull SSH keys
#
AUTHKEYS=

#
# System name, main zfs pool name, boot pool name
#
MYHOSTNAME="test"
POOLNAME="test"

#
# What version of Ubuntu to install
# noble, jammy, focal, bionic
#
SUITE="noble"

#
# If multidisk, select main pool raid level
# single, mirror, raidz1, raidz2, raidz3
#
RAIDLEVEL="mirror"

#
# Enable UEFI SecureBoot if available
# NOTE: System must be in SecureBoot Setup mode
#       For VirtualBox delete the VM .nvram file
#       For other systems see the UEFI SecureBoot config section in the bios
#
SECUREBOOT=n

#
# Enable auto-signing of rEFInd and ZFSBootMenu .efi bundles when changes are made
# NOTE: Without auto-signing, YOU must manage the signing of the .efi bundles and
#       any other bootables in /boot/efi/EFI
#       Forgetting to sign new bundles or mistakes may render the system unbootable
AUTOSIGN=y

#
# Swap size in megabytes - if HIBERNATE or LUKS set then this
# is a partition otherise it's a zfs dataset.
# Set to 0 to disable swap
#
SIZE_SWAP=300

#
# Disk encryption and passphrase if ZFSENC or LUKS
# NOENC, ZFSENC, LUKS
#
# If Disk encryption is enabled with ZFSENC or LUKS, then also decide
# on enabling Dropbear for remote unlocking.
# NOTE: Trap for young players ...
#       Dropbear expects to see the network when the system boots.
#       If it's NOT there (eg. laptop with docking station unplugged)
#       then it might sit waiting until timout for the network to show up.
#       RTNETLINK answers: File exists will appear and it will just sit ...
# So, do not enable Dropbear for laptops
#
# For ZFS encryption, the passphrase is stored in /etc/zfs/zroot.key and /etc/zfs/zroot.homekey
# zroot.key is for the root datasets, zroot.homekey for the home datasets
# This is so the user can change the key for home so it's different from root
# See `zfs change-key` command
# It is safe to store the keys there as they're not visible until the main root
# dataset is unlocked
#
# NOTE: If DROPBEAR is set to y here, then ZFSBOOTMENU_BINARY_TYPE below will
#       be forced to LOCAL so the zfsbootmenu initramfs can be rebuilt to include
#       Dropbear
#
DISCENC="NOENC"
PASSPHRASE="password"
DROPBEAR=n

#
# For zfsbootmenu there are 3 different ways to install
#   EFI    : Uses a single EFI image - for UEFI systems only
#   KERNEL : Same binary but with the vmlinuz/initrd extracted
#            Can be used with legacy non-UEFI systems as well as UEFI systems
#   LOCAL  : Built and install from the git repo
#
# The EFI image precludes a working syslinux config though - that requires
# a vmlunuz/initrd set to work.  In general the KERNEL option is most flexible.
# If you KNOW you won't use the install in a non-UEFI system later, then the
# EFI image is simplest.
#
# NOTE: If Dropbear is required for remote unlocking of LUKS or ZFS enecryption
#       then you must select LOCAL.  This is because Dropbear must be included
#       in the initramfs for zfsbootmenu.  If DROPBEAR above is set to y, then
#       any value here will be overridden to LOCAL
#
ZFSBOOTMENU_BINARY_TYPE=KERNEL

#
# For the zfsbootmenu repo type you can choose
#   TAGGED : Pulls the latest stable tagged release
#   GIT    : Pulls the latest full repo, which may be in flux
#
ZFSBOOTMENU_REPO_TYPE=TAGGED

#
# Any extra options to add to the ZFSBootMenu boot command-line.  Some motherboards
# (looking at you Supermicro X10) have problems when the ZBM default hook
# 90-xhci-unbind.sh runs, as it kills power to the USB ports.  For those we
# disable that hook script.
# See https://docs.zfsbootmenu.org/en/v3.0.x/man/zfsbootmenu.7.html
#
ZFSBOOTMENU_CMDLINE="zbm.skip_hooks=90-xhci-unbind.sh"

#
# Basic options for install
# See script for descriptions
# Be sure to set ALL vars here to y or n, otherwise script will prompt for them
#
RESCUE=y
GOOGLE=n
HWE=y
ZREPL=y
HIBERNATE=n
DELAY=n
SOF=n
GNOME=n
KDE=n
NEON=n
XFCE=n

# If you have Nvidia video HW and you *know* which version of driver you want
# it can be preset here. Leaving undefined will cause the script to prompt.
# The package installed will be : nvidia-driver-${NVIDIA}
#
# none for no driver
# 390 or 470 for legacy driver
# 550 for current latest, or whatever version you prefer
NVIDIA=none

# If installing Sound Open Firmware binaries (mostly for laptops) choose
# the version here.  Defaults to 2025.05.1
# SOF_VERSION=2024.06
SOF_VERSION=2025.05.1

#
# Below are additional options that can be set that do NOT have a menu process
# to ask for their values.  Less-likely to be used, and larger ones that are not
# conducive to entering via keyboard ...
#

# Any SSH pubkey to add to new system main user
# This can be in addition to the Github user keys specified above
##    SSHPUBKEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC3uB7roSJ3EYs9hBAQiUZ9Of53Lm3+JZ6ZVokZnp3CRoRfuVT3zND7DAQYSCo+0MZaaydGB1JrWQfgLImWouiC4bsZEzNhnX6uYQ8qSL8zxsK7xOfeVocP+FHdkKcB85giQFp/onuNwHBWLXw9iC2Z/rrbjN2dPSaDKFWQT7ukE2vqt9TQ6mMpYFBCiHpJUfSxXjgjL7Y1MN58QCJ+PesQEY8hh1DzRBwgY0lY9LYAdrqWwj6AIPPawZTcJnNAwz9wO3a8hAS6i9dK+zHDtSIlArevmP8mpcqhpHEtKZ4TbAel7YRtbvY+w7pENbXQiiNMRkdZ28m6FJAFlIHv/wMpUhgZG3SyfFTDg33VhVFlS0qzvIYjTxMPjGLT4oBXK3+CSBuZKwE3xG39S/oTu++feTCtSu5VZZm9rkzrE77tIoWfGi0eGbfJURP9F9q96F0YuNUAS+gnCw5LzR48sMjqXcUpNHVRwi8XE7TDgl7Fk4JHfJelL3LBjFsZC7uaLmy8I1tk+87xTFd0VyG0cAaX/jMbWn1XGVo1V1uXFYRVmfyiPcJBhUaPQ6z1QDXQzsQLed9nQL9qFFPyjoL0zN7Fp+AVka0kPNhkEl0HIL8KqU7cuoypSeA7EO8Qxk7ay8nSP1PLlYzVUZEvEleBjPHTzO6YZxNMRLZSljp8BoY+lw== Johnny Bravo"

##    ####################################################################
##    # Specify the host key for the new root-on-zfs system ?
##    # Can be the RSA or ECDSA key from /etc/ssh
##    # Leave blank for no specific key - ie: use whatever is generated by the openssh installation
##    # Comes in handy for repeated testing/installs so you don't have to
##    # keep editing ~/.ssh/known_hosts
##    # Be sure to use SINGLE quotes for private key
##    HOST_ECDSA_KEY='-----BEGIN EC PRIVATE KEY-----
##    MHcCAQEEIO+XmG1AGCiQUejcjS/aVMGaocBe7TCsEmLctyNoJWFqoAoGCCqGSM49
##    AwEHoUQDQgAEMG1kiuILJZsxJCi1j5xOrA2CpNETWQ5rA94tgjsX6aqpI8re1pwa
##    /rnYIYrCL/JafwsmlqKG/HfrkvgozqVn/A==
##    -----END EC PRIVATE KEY-----'
##    # Be sure to use DOUBLE quotes for public key
##    HOST_ECDSA_KEY_PUB="ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDBtZIriCyWbMSQotY+cTqwNgqTRE1kOawPeLYI7F+mqqSPK3tacGv652CGKwi/yWn8LJpaihvx365L4KM6lZ/w= root@installerbox"

##    # Be sure to use SINGLE quotes for private key
##    HOST_RSA_KEY='-----BEGIN RSA PRIVATE KEY-----
##    MIIEpQIBAAKCAQEAzCR0pGQ2ITL2KSgzeASWCGgP+mNQRv+Z7VlOCyjmVctODDl3
##    SiMHdsLRyhcP1M9jfTBEncKrt4AQIt1f1bjAG4kNEgh18dMUYWtIIZ3HlGP+Ieux
##    EixkakZ2o1qnhmfPG7W3pnw6UHwwZw3Qg6H760PWAmU12gG3YOEuq9DKmBdw2i80
##    jqcGGREj+BIdROuPKdH+n3DGE0phQ+NwQzMU77czPh1XwcLBGGpEvvk1zbavyqv5
##    dunsz3msMuJZH2oBE2PeWr8E2x+nNQ2XZIZdHJD8WJMiPBvHUBYMo7CSEAzwdWcs
##    g8f4umes/LKakv9/h4e47dOOzU1xFwCNo9lOnQIDAQABAoIBAQCPL8Lgy6lr/+LJ
##    W3k+ZXkWzGboqWBVbFL7N/iVu0pUQxWrXWNejNNfaabcqPBhxFV0Kbb3MORhAWJQ
##    EhZ2Qe/9YFPaojSYOgXBjw45BgJHAxvtjvPUW27TXDk6uwtmKsoKFZuLGveMHI+W
##    uQnYSnX4vswNQhBTqYCGY2vo97oikoyTLGEPURbyNpc1NOI7TGuOXHmOAEhw7WN8
##    jd1wTm2TEjdqMO6Zk03VJn9h5yu6sR7siqEkzIF5p/sfOXoA2Iwh3Sazrsv63R2p
##    XBYhnfnrM3UuEd4cKGJjXrv1gxNu1AKGKdq34izjKw/YKJhGRuiLh+9gdMva2TcV
##    dqOqfYQBAoGBAPm2ocF2Hn10Ud/UkcqQc2uPV7+bHhNALzHG5YeXH9vHJq/rm9D8
##    UFt3OBneaZMXCWRSl1dTlidmt+yl2wk0JyWFmEHZK2wDu+qcRPKT6y4Du+7QRBQY
##    IwrBHWi8reCbM/wL+s8cEGFt19ip6jw1K1JIxkTtC2vtG0ayPATJJyexAoGBANFI
##    IAEnZuf3zqECjdNfSr8ITMIfLZhDs/oPBzWUkwMm9jaIi+cf96hSlLFhMWANZOM6
##    i2x/68AHT9hINqo25cJeQB0UqLeHaU2JDAKn3LOLtCu7D0bpZKbAVFVgd3XsYrRJ
##    z5+Zz80WyXa+pHTqnrhTP0xkvCCmbWjz+Q5T9jytAoGBAKAOzvmpE3wITd5xaw1y
##    r3iXBYCcFZfzQQzf1wmk9Vey+/oww8wdnggyj3QNWpBcaLm0MqtXuVwB/AwkdxQc
##    KKdlTSWP5MQ0VIPZrFvsMgdpf1FgjvJuUi+3fnk+zxizgougxh9wdpNsi7ilmK0E
##    y4LPgL53TiXccepLnirXIFDRAoGAXLzaOcitCCO+c4i/Migq5iYWZXsNaEiwCyH3
##    rt2Mm7v7JMUzQZLf2r3lWAjaqVamGy8JM2YoIKrczdmKJ7k17QB45qoN7W3a0tnk
##    8ZRS71j72NkGdwTbbi0R8ddSeHXsczm2AGJXO+laEv19wLVq6gExrneBCfLVzsk1
##    1wyLs+0CgYEAuux1i+/7TMh1LyaiNbqQt4uzlDR+EWnbOBTtku9cE7u/dHuy1roE
##    QA4S2UhEX0sXdekqsFsIS/Qo3+H9pLC8mAZ1X0sQl102z2Cks1WVruodf8tF58iu
##    FCMSOeHX+wYqyZSm1zLDONoneY5B3zu1Grc8dZRJSons3iaXWl7zj3M=
##    -----END RSA PRIVATE KEY-----'
##    # Be sure to use DOUBLE quotes for public key
##    HOST_RSA_KEY_PUB="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMJHSkZDYhMvYpKDN4BJYIaA/6Y1BG/5ntWU4LKOZVy04MOXdKIwd2wtHKFw/Uz2N9MESdwqu3gBAi3V/VuMAbiQ0SCHXx0xRha0ghnceUY/4h67ESLGRqRnajWqeGZ88btbemfDpQfDBnDdCDofvrQ9YCZTXaAbdg4S6r0MqYF3DaLzSOpwYZESP4Eh1E648p0f6fcMYTSmFD43BDMxTvtzM+HVfBwsEYakS++TXNtq/Kq/l26ezPeawy4lkfagETY95avwTbH6c1DZdkhl0ckPxYkyI8G8dQFgyjsJIQDPB1ZyyDx/i6Z6z8spqS/3+Hh7jt047NTXEXAI2j2U6d root@installerbox"

##    # Be sure to use SINGLE quotes for private key
##    HOST_ED25519_KEY='-----BEGIN OPENSSH PRIVATE KEY-----
##    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
##    QyNTUxOQAAACBckxO9i08hCtufRbx/3I9SnA5hqtjgV12p/feHZXzK2gAAAJhy0ygJctMo
##    CQAAAAtzc2gtZWQyNTUxOQAAACBckxO9i08hCtufRbx/3I9SnA5hqtjgV12p/feHZXzK2g
##    AAAEAif3Z2Yf5YpmESEK10UpcXvBv+hqhxZ54h+H5hJjJJcVyTE72LTyEK259FvH/cj1Kc
##    DmGq2OBXXan994dlfMraAAAAEnJvb3RAdWJ1bnR1LXNlcnZlcgECAw==
##    -----END OPENSSH PRIVATE KEY-----'
##    # Be sure to use DOUBLE quotes for public key
##    HOST_ED25519_KEY_PUB="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFyTE72LTyEK259FvH/cj1KcDmGq2OBXXan994dlfMra root@installerbox"
##    #
##    ####################################################################