docs/server-os/posts/01-alpine-install.md: update

docs/server-os/posts/01-alpine-install.md

@@ -12,7 +12,7 @@ categories:
     - Base installation
 ---
 
-This blog entry will demonstrate how to install [Alpine Linux](https://www.alpinelinux.org/) for a server application. Alpine Linux will run on a raid configured encrypted ZFS filesystem with automatic decryption using TPM. Alpine Linux makes a good base for a server because of its simplicity, lightweightness and security. Check out the [Alpine Linux wiki](https://wiki.alpinelinux.org/wiki/Main_Page) for additional resources and information.
+This blog entry will demonstrate how to install `x86_64` [Alpine Linux](https://www.alpinelinux.org/) for a server application. Alpine Linux will run on a raid configured encrypted ZFS filesystem with automatic decryption using TPM. Alpine Linux makes a good base for a server because of its simplicity, lightweightness and security. Check out the [Alpine Linux wiki](https://wiki.alpinelinux.org/wiki/Main_Page) for additional resources and information.
 
 <!-- more -->
 
@@ -25,20 +25,18 @@ After booting the Alpine Linux extended ISO, partition the disks. For this actio
 To set it up the `setup-interfaces` and `setup-apkrepos` scripts present on the Alpine Linux ISO will be used.
 
 ``` shell-session
-sh# setup-interfaces -ar
+sh# setup-interfaces -ar #(1)!
 sh# setup-apkrepos -c1
 ```
 
-> To use Wi-Fi simply run `setup-interfaces -r` and select `wlan0` or similar.
+1. To use Wi-Fi simply run `setup-interfaces -r` and select `wlan0` or similar.
 
 A few packages will have to be installed first.
 
 ``` shell-session
-sh# apk add zfs lsblk sgdisk wipefs dosfstools acpid mdadm zlevis
+sh# apk add zfs lsblk sgdisk wipefs dosfstools mdadm zlevis
 ```
 
-> The `zlevis` package is as of this moment not yet in the alpine package repository. Try to get it into the `bin` via a different method and add its dependencies `tpm2-tools` and `jose`. 
-
 and load the ZFS kernel module:
 
 ``` shell-session
@@ -156,12 +154,10 @@ sh# zfs create -o mountpoint=/home -o atime=off -o setuid=off -o devices=off -o
 Write the encryption key to TPM with `zlevis`:
 
 ``` shell-session
-sh# zlevis encrypt rpool '{}' < /tmp/rpool.key
+sh# zlevis encrypt rpool '{"pcr_ids":"0,1,7"}' < /tmp/rpool.key #(1)!
 ```
 
-> We are using the default configuration settings for `zlevis encrypt` but a different configuration is possible by setting `'{}'` accordingly.
+1. See [zlevis functionality](https://docs.ampel.dev/zlevis/functionality/) to see the functionality of each `pcr_id`, and the other options that can be set.
-
-<break>
 
 > To check if it worked, perform `zlevis decrypt rpool`.
 
@@ -245,8 +241,8 @@ sh# rc-update add mdadm-raid boot
 Configure ZFS to mount:
 
 ``` shell-session
-sh# rc-update add zfs-import sysinit
 sh# rc-update add zfs-mount sysinit
+sh# rc-update add zfs-import sysinit
 sh# rc-update add zfs-load-key sysinit
 ```
 
@@ -264,20 +260,20 @@ proc                    /proc       proc    nodev,nosuid,noexec,hidepid=2
 
 Install the following packages to make `mkinitfs` compatible with secureboot and TPM decryption:
 
-``` shell-sessions
+``` shell-session
-sh# apk add secureboot-hook sbctl tpm2-tools zlevis 
+sh# apk add secureboot-hook sbctl zlevis zlevis-mkinitfs #(1)!
 ```
 
-Configure `mkinitfs` to disable trigger and to add the `zlevis-hook`:
+1. The `mkinitfs-zlevis` package is as of this moment not yet in the alpine package repository, for the relevant steps see the [zlevis mkinitfs-implementation](https://docs.ampel.dev/zlevis/implementation/#mkinitfs). 
+
+Configure `mkinitfs` to disable the trigger and to add the `zlevis` module:
 
 ``` shell title="/etc/mkinitfs/mkinitfs.conf"
 features="... zlevis"
 disable_trigger="yes"
 ```
 
-> The `mkinitfs` package that supports `zlevis` is as of this moment not yet in the alpine package repository, for the relevant steps see the [zlevis mkinitfs-implementation](https://docs.ampel.dev/zlevis). 
+The most important step is the creation of a UKI using the `secureboot-hook` of `mkinitfs`, which also automatically signs them. Configure the `kernel-hooks` to set the kernel cmdline options and secureboot:
-
-The most important step is the creation of a UKI using `secureboot-hook` which also automatically signs them. Configure the `kernel-hooks` to set the kernel cmdline options and secureboot:
 
 ``` shell title="/etc/kernel-hooks.d/secureboot.conf"
 cmdline="rw root=ZFS=rpool/root/alpine rootflags=noatime quiet splash"
@@ -285,7 +281,7 @@ cmdline="rw root=ZFS=rpool/root/alpine rootflags=noatime quiet splash"
 signing_cert="/var/lib/sbctl/keys/db/db.pem"
 signing_key="/var/lib/sbctl/keys/db/db.key"
 
-output_dir="/efi/efi/linux"
+output_dir="/efi/EFI/Linux"
 output_name="alpine-linux-{flavor}.efi"
 ```
 
@@ -293,10 +289,10 @@ Use `sbctl` to create secureboot keys and sign them:
 
 ``` shell-session
 sh# sbctl create-keys
-sh# sbctl enroll-keys
+sh# sbctl enroll-keys #(1)!
 ```
 
-> Whilst enrolling the keys it might be necessary to add the `--microsoft` flag if you are unable to use custom keys.
+1. Whilst enrolling the keys it might be necessary to add the `--microsoft` flag if you are unable to use custom keys.
 
 Set the cache-file of the ZFS pool:
 
@@ -312,16 +308,16 @@ sh# apk fix kernel-hooks
 
 and it should give no warnings if done properly. 
 
-To install `gummiboot` as friendly bootloader:
+To install `systemd-boot` as friendly bootloader:
 
 ``` shell-session
-sh# apk add gummiboot
+sh# apk add systemd-boot
-sh# gummiboot install
+sh# bootctl install
 ```
 
 > One may verify the signed files by running `sbctl verify`.
 
-Configure `gummiboot` to specify the timeout and the default OS :
+Configure `systemd-boot` to specify the timeout and the default OS :
 
 ``` shell title="/efi/loader/loader.conf"
 default alpine-linux-lts.efi