diff --git a/src/installer.sh b/src/installer.sh new file mode 100644 index 0000000..b04fec9 --- /dev/null +++ b/src/installer.sh @@ -0,0 +1,22 @@ +# === Motivation === +# Keep the official installer as the configuration authority. +# === Problem Statement === +# We need a clean handoff so the installer uses existing mounts without reformatting. +# === Scope === +# In scope: instructions and guardrails for the user during the installer run. +# Out of scope: automated installer configuration. +# === Concepts === +# Handoff: a pause where the wrapper delegates to the installer. +# === Decisions === +# Provide clear, minimal guidance to avoid overriding prepared filesystems. +# Support only CLI installer flow to keep guidance consistent. +# === Alternatives Considered === +# Fully scripted installation rejected for this phase. +# === Constraints === +# The wrapper must not hide or alter installer behavior. +# === Open Questions === +# Should we provide a checklist or step-by-step guide during the installer handoff? +# How do we detect if the installer reformatted filesystems against our intent? +# Should we monitor the installer process, or fully delegate control? +# === Success Criteria === +# The installer completes using the prepared mounts without reformatting. diff --git a/src/postinstall.sh b/src/postinstall.sh new file mode 100644 index 0000000..655d6cd --- /dev/null +++ b/src/postinstall.sh @@ -0,0 +1,36 @@ +# === Motivation === +# Ensure the system can boot with encrypted root after installation. +# === Problem Statement === +# Post-install steps must align initramfs, bootloader, and encryption metadata. +# === Scope === +# In scope: required configuration updates inside the installed system. +# Out of scope: package selection and user account management. +# === Concepts === +# Initramfs: early boot image that unlocks encrypted storage. +# Bootloader config: entries that point to the encrypted root. +# Dracut modules: crypt (LUKS unlock), resume (hibernation support if swap file used). +# Crypttab: /etc/crypttab maps LUKS UUIDs to device names for initramfs. +# GRUB cryptodisk: GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub enables LUKS unlock. +# Kernel parameters: rd.luks.uuid= tells dracut which LUKS container to unlock. +# === Decisions === +# Keep post-install steps explicit and minimal, focused on boot viability. +# Default to GRUB because it is widely supported on Void without systemd dependencies. +# Regenerate initramfs for all installed kernels to avoid boot drift. +# Use UUID-based references in /etc/crypttab for stability across device naming changes. +# Enable dracut crypt module explicitly in /etc/dracut.conf.d/10-crypt.conf. +# Set GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub to allow GRUB to unlock LUKS. +# Add rd.luks.uuid= to GRUB_CMDLINE_LINUX for initramfs LUKS unlock. +# Run grub-install to embed cryptodisk support, then grub-mkconfig to update menu entries. +# === Alternatives Considered === +# Skipping post-install updates rejected because it risks unbootable systems. +# systemd-boot and rEFInd rejected as defaults due to availability and scope constraints. +# EFISTUB rejected as default because it increases manual UEFI entry management. +# === Constraints === +# Steps must run in the target system context. +# === Open Questions === +# Should we generate a rescue initramfs in addition to the default one? +# Should we verify GRUB can unlock LUKS2 before rebooting, or trust the configuration? +# How do we handle future kernel updates - should we document the dracut reconfiguration process? +# Should swap file activation be configured in this phase, or deferred to first boot? +# === Success Criteria === +# After reboot, the system prompts for decryption and boots successfully.