refactor(script): Update archlinux-keyring before pacstrap

Reviewed-on: #29

.gitignore

@@ -1 +1,2 @@
 archzbm_settings.env
+.idea

README.md

@@ -109,6 +109,30 @@ In cases where a variable is both exported prior to script execution and specifi
 
 Known options are as follows.
 
+### Kernel downgrade
+
+By default we install newest `linux` and `linux-headers` packages into a `chroot`. Once we're in that `chroot` we then install newest [AUR zfs-dkms package](https://aur.archlinux.org/packages/zfs-dkms). You may want to override `linux` and `linux-headers` versions to ensure you end up with a compatible mix between them and `zfs-dkms`.
+
+For example:
+```
+export ARCHZBM_KERNEL_VER=6.5.9.arch2
+```
+
+In our `chroot` this will trigger execution of:
+```
+downgrade --ala-only 'linux=6.5.9.arch2' 'linux-headers=6.5.9.arch2' --ignore always
+```
+
+Where `downgrade` is the [AUR downgrade package](https://aur.archlinux.org/packages/downgrade). This will downgrade `linux` and `linux-headers` and will add a setting to your `/etc/pacman.conf`:
+```
+[options]
+IgnorePkg = linux linux-headers
+```
+
+Setting `ARCHZBM_KERNEL_VER` to an empty string `''` or keeping it undefined are both valid and will retain newest versions instead of downgrading.
+
+Also read [Kernel selection](#kernel-selection) for details.
+
 ### Compression
 
 By default we create a zpool with ZFS property `compression=on`. If the `lz4_compress` pool feature is active this will by default enable `compression=lz4`. See `man 7 zfsprops` for example in ZFS 2.1.9 for details. See `zpool get feature@lz4_compress <pool>` to check this feature's status on your `<pool>`.
@@ -243,7 +267,7 @@ This syntax crutch allows you to use the full range of Dropbear-supported `autho
 
 An interactive questionnaire can guide you through settings and goes like this:
 
-![Command line setup questionnaire](https://i.imgur.com/RhCStdu.gif)
+![Command line setup questionnaire](https://i.imgur.com/OXG75GH.gif)
 
 To do the questionnaire yourself start this script with the `setup` argument:
 
@@ -296,6 +320,24 @@ When it comes to the point that your SSH client sends an are-your-still-there me
 
 This effectively configures your SSH client to remain connected even through somewhat lossy hops to the Dropbear daemon; and to cleanly disconnect 3 seconds and some change after you've executed whatever you needed to do in ZFSBootMenu.
 
+# Kernel selection
+
+This script compiles ZFS via Arch Linux' [Dynamic Kernel Module Support](https://wiki.archlinux.org/title/Dynamic_Kernel_Module_Support) (DKMS). Not all kernels allow for successful compilation, in some instances a particularly recent kernel version may change APIs to such a degree that ZFS compilation simply fails.
+
+We strongly suggest to that you:
+
+- Firstly, refer to a resource such as the [Arch Linux Archive package version list](https://archive.archlinux.org/packages/l/linux/) to find out what newest kernel version this script will install.
+- Secondly, research if newest [AUR zfs-dkms package](https://aur.archlinux.org/packages/zfs-dkms) is compatible with that kernel. Two reasonable points of contact are AUR and its comments section for `zfs-dkms` where users quickly report issues; and the [github.com/openzfs/zfs issues list](https://github.com/openzfs/zfs/issues).
+
+An example for this is that `linux-6.6.1.arch1-1-x86_64` came out on Wednesday, November 8, 2023 at a time when newest `zfs-dkms` package version [was 2.2.0](https://aur.archlinux.org/cgit/aur.git/commit/?h=zfs-dkms&id=da1b6372c57b16f2781a7fda2b95971bb392c5ee) which did not compile against `linux` 6.6.x.
+
+You'd then set for example:
+```
+export ARCHZBM_KERNEL_VER=6.5.9.arch2
+```
+
+Where any 6.5.x version is known to work well with `zfs-dkms`. See also [Kernel downgrade](#kernel-downgrade) for details on how to configure this.
+
 # Flavor choices
 
 We make the following opinionated flavor choices. Feel free to change them to your liking.
@@ -418,7 +460,7 @@ In order to generate a new master key after you've changed your user key as ment
         --large-block \
         --compressed \
         'zpool/root/archlinux-sxu@rekey' | \
-
+    \
     zfs receive \
         -Fvu \
         -o 'encryption=on' \

setup.sh

@@ -36,6 +36,17 @@ trap '[ "$?" -ne 77 ] || exit 77' ERR
 
 declare zpool_drive efi_drive boot_drive part_schema
 
+function calculate_prefix_from_netmask () {
+    # https://stackoverflow.com/a/50419919
+    c='0'
+    x='0'"$(printf -- '%o' ${1//./ })"
+    while [ "${x}" -gt '0' ]; do
+        # Modulo then bitwise-shift x and store as new x
+        let c+="$(( x % 2 ))" 'x>>=1'
+    done
+    printf -- '%s' '/'"${c}";
+}
+
 function setup_env_vars () {
     printf -- '%s\n' \
         'We will go over a series of questions to create an answer file with' \
@@ -57,26 +68,29 @@ function setup_env_vars () {
     echo '----------------------------------------'
     echo
 
-    echo "Do you want compressed datasets?"
-    select arg_compressed in "Compressed" "Uncompressed"; do
+    read -u3 -p 'Please type kernel version to use, leave empty for latest, confirm with <Enter>: ' ARCHZBM_KERNEL_VER
+    echo
+
+    echo 'Do you want compressed datasets?'
+    select arg_compressed in 'Compressed' 'Uncompressed'; do
         case "${arg_compressed}" in
-            Compressed)
+            'Compressed')
                 break
                 ;;
-            Uncompressed)
+            'Uncompressed')
                 ARCHZBM_ZFSPROPS_NO_COMPRESSION='true'
                 break
                 ;;
         esac
     done <&3 && echo
 
-    echo "Do you want encrypted datasets?"
-    select arg_encrypted in "Encrypted" "Unencrypted"; do
+    echo 'Do you want encrypted datasets?'
+    select arg_encrypted in 'Encrypted' 'Unencrypted'; do
         case "${arg_encrypted}" in
-            Encrypted)
+            'Encrypted')
                 break
                 ;;
-            Unencrypted)
+            'Unencrypted')
                 ARCHZBM_ZFSPROPS_NO_ENCRYPTION='true'
                 break
                 ;;
@@ -84,14 +98,14 @@ function setup_env_vars () {
     done <&3 && echo
 
     if [[ "${arg_encrypted}" = 'Encrypted' ]]; then
-        echo "Do you want a custom dataset decryption password?"
-        select arg_custom_dataset_pw in "Yes" "No"; do
+        echo 'Do you want a custom dataset decryption password?'
+        select arg_custom_dataset_pw in 'Yes' 'No (use '"'"'password'"'"')'; do
             case "${arg_custom_dataset_pw}" in
-                Yes)
+                'Yes')
                     want_custom_dataset_pw='true'
                     break
                     ;;
-                No)
+                'No (use '"'"'password'"'"')')
                     break
                     ;;
             esac
@@ -104,14 +118,14 @@ function setup_env_vars () {
         fi
     fi
 
-    echo "Do you want a custom 'root' user password?"
-    select arg_custom_root_pw in "Yes" "No"; do
+    echo 'Do you want a custom '"'"'root'"'"' user password?'
+    select arg_custom_root_pw in 'Yes' 'No (use '"'"'password'"'"')'; do
         case "${arg_custom_root_pw}" in
-            Yes)
+            'Yes')
                 want_custom_root_pw='true'
                 break
                 ;;
-            No)
+            'No (use '"'"'password'"'"')')
                 break
                 ;;
         esac
@@ -123,7 +137,7 @@ function setup_env_vars () {
         echo
     fi
 
-    echo "Do you want an SSH daemon in ZFSBootMenu?"
+    echo 'Do you want an SSH daemon in ZFSBootMenu?'
     select arg_ssh_in_zbm in "Yes" "No"; do
         case "${arg_ssh_in_zbm}" in
             Yes)
@@ -137,8 +151,8 @@ function setup_env_vars () {
     done <&3 && echo
 
     if [[ "${want_ssh_in_zbm}" ]]; then
-        echo "How do you want to assign an IP address in ZFSBootMenu?"
-        select arg_ip_autoconf_method in "Statically" "Dynamically, DHCP" "Dynamically, BOOTP" "Dynamically, RARP"; do
+        echo 'How do you want to assign an IP address in ZFSBootMenu?'
+        select arg_ip_autoconf_method in 'Statically' 'Dynamically, DHCP' 'Dynamically, BOOTP' 'Dynamically, RARP'; do
             case "${arg_ip_autoconf_method}" in
                 'Statically')
                     ARCHZBM_NET_AUTOCONF='none'
@@ -173,8 +187,8 @@ function setup_env_vars () {
             echo
         fi
 
-        echo "Do you want a custom SSH listening port?"
-        select arg_custom_ssh_port in "Yes (let me specify)" "No (keep port 22)"; do
+        echo 'Do you want a custom SSH listening port?'
+        select arg_custom_ssh_port in 'Yes (let me specify)' 'No (keep port 22)'; do
             case "${arg_custom_ssh_port}" in
                 'Yes (let me specify)')
                     want_custom_ssh_port='true'
@@ -191,8 +205,8 @@ function setup_env_vars () {
             echo
         fi
 
-        echo "Do you want the SSH daemon to use a custom keepalive send interval?"
-        select arg_custom_ssh_keepalive_intvl in "Yes (let me specify)" "No (keep 1)"; do
+        echo 'Do you want the SSH daemon to use a custom keepalive send interval?'
+        select arg_custom_ssh_keepalive_intvl in 'Yes (let me specify)' 'No (keep 1)'; do
             case "${arg_custom_ssh_keepalive_intvl}" in
                 'Yes (let me specify)')
                     want_custom_keepalive_intvl='true'
@@ -213,7 +227,126 @@ function setup_env_vars () {
         echo
     fi
 
-    for env_var in 'ARCHZBM_ZFSPROPS_NO_COMPRESSION' 'ARCHZBM_ZFSPROPS_NO_ENCRYPTION' 'ARCHZBM_ZPOOL_PASSWORD' 'ARCHZBM_ROOT_PASSWORD' 'ARCHZBM_NET_AUTOCONF' 'ARCHZBM_NET_DEVICE' 'ARCHZBM_NET_CLIENT_IP' 'ARCHZBM_NET_NETMASK' 'ARCHZBM_NET_GATEWAY_IP' 'ARCHZBM_SSH_PORT' 'ARCHZBM_SSH_KEEPALIVE_INTVL' 'ARCHZBM_SSH_AUTH_KEYS'; do
+    if [[ "${want_ssh_in_zbm}" ]]; then
+        echo 'Do you want to define operating system'"'"'s IP address?'
+        select arg_os_ip in 'Yes (let me specify)' 'Yes (use ZBM addresses)' 'No (DHCP is fine)'; do
+            case "${arg_os_ip}" in
+                'Yes (let me specify)')
+                    want_custom_ip_in_os='true'
+                    want_dns_and_ntp='true'
+                    break
+                    ;;
+                'Yes (use ZBM addresses)')
+                    ARCHZBM_OS_CLIENT_IP="${ARCHZBM_NET_CLIENT_IP}"
+                    ARCHZBM_NET_CLIENT_IP_PREFIX="$(calculate_prefix_from_netmask "${ARCHZBM_NET_NETMASK}")"
+                    ARCHZBM_OS_CLIENT_IP+="${ARCHZBM_NET_CLIENT_IP_PREFIX}"
+                    ARCHZBM_OS_GATEWAY_IP="${ARCHZBM_NET_GATEWAY_IP}"
+                    want_dns_and_ntp='true'
+                    break
+                    ;;
+                'No (DHCP is fine)')
+                    break
+                    ;;
+            esac
+        done <&3 && echo
+
+        if [[ "${want_custom_ip_in_os}" ]]; then
+            read -u3 -p 'Interface IP address with CIDR prefix (a.b.c.d/nn): ' ARCHZBM_OS_CLIENT_IP
+            echo
+
+            read -u3 -p 'Gateway IP address: ' ARCHZBM_OS_GATEWAY_IP
+            echo
+        fi
+    else
+        echo 'Do you want to define operating system'"'"'s IP address?'
+        select arg_os_ip in 'Yes (let me specify)' 'No (DHCP is fine)'; do
+            case "${arg_os_ip}" in
+                'Yes (let me specify)')
+                    want_own_ip_in_os='true'
+                    want_dns_and_ntp='true'
+                    break
+                    ;;
+                'No (DHCP is fine)')
+                    break
+                    ;;
+            esac
+        done <&3 && echo
+
+        if [[ "${want_own_ip_in_os}" ]]; then
+            read -u3 -p 'Interface IP address with CIDR prefix (a.b.c.d/nn): ' ARCHZBM_OS_CLIENT_IP
+            echo
+
+            read -u3 -p 'Gateway IP address: ' ARCHZBM_OS_GATEWAY_IP
+            echo
+        fi
+    fi
+
+    if [[ "${want_ssh_in_zbm}" ]]; then
+        echo 'Do you want to define OS '"'"'root'"'"' user'"'"'s SSH pub key?'
+        select arg_root_pub_keys in 'Yes (let me specify)' 'Yes (use ZBM pub keys)' 'No (don'"'"'t enable sshd.service)'; do
+            case "${arg_root_pub_keys}" in
+                'Yes (let me specify)')
+                    want_custom_pub_keys_in_os='true'
+                    break
+                    ;;
+                'Yes (use ZBM pub keys)')
+                    ARCHZBM_OS_SSH_AUTH_KEYS="${ARCHZBM_SSH_AUTH_KEYS}"
+                    break
+                    ;;
+                'No (don'"'"'t enable sshd.service)')
+                    break
+                    ;;
+            esac
+        done <&3 && echo
+
+        if [[ "${want_custom_pub_keys_in_os}" ]]; then
+            read -u3 -p 'Please type SSH pub keys on one line separated by double-commas (,,) and confirm with <Enter>: ' ARCHZBM_OS_SSH_AUTH_KEYS
+            echo
+        fi
+    else
+        echo 'Do you want to define OS root user'"'"'s SSH pub key?'
+        select arg_root_pub_keys in 'Yes (let me specify)' 'No (don'"'"'t enable sshd.service)'; do
+            case "${arg_root_pub_keys}" in
+                'Yes (let me specify)')
+                    want_own_pub_key_in_os='true'
+                    break
+                    ;;
+                'No (don'"'"'t enable sshd.service)')
+                    break
+                    ;;
+            esac
+        done <&3 && echo
+
+        if [[ "${want_own_pub_key_in_os}" ]]; then
+            read -u3 -p 'Please type SSH pub keys on one line separated by double-commas (,,) and confirm with <Enter>: ' ARCHZBM_OS_SSH_AUTH_KEYS
+            echo
+        fi
+    fi
+
+    if [[ "${want_dns_and_ntp}" ]]; then
+        read -u3 -p 'Specify one or more comma-separated DNS IPs: ' ARCHZBM_OS_DNS_IP
+        echo
+
+        echo 'Do you want to override Arch Linux'"'"' NTP servers?'
+        select arg_custom_ntp in 'Yes' 'No'; do
+            case "${arg_custom_ntp}" in
+                'Yes')
+                    want_own_ntp='true'
+                    break
+                    ;;
+                'No')
+                    break
+                    ;;
+            esac
+        done <&3 && echo
+
+        if [[ "${want_own_ntp}" ]]; then
+            read -u3 -p 'Specify one or more comma-separated NTP hostnames or IPs: ' ARCHZBM_OS_NTP_IP
+            echo
+        fi
+    fi
+
+    for env_var in 'ARCHZBM_KERNEL_VER' 'ARCHZBM_ZFSPROPS_NO_COMPRESSION' 'ARCHZBM_ZFSPROPS_NO_ENCRYPTION' 'ARCHZBM_ZPOOL_PASSWORD' 'ARCHZBM_ROOT_PASSWORD' 'ARCHZBM_NET_AUTOCONF' 'ARCHZBM_NET_DEVICE' 'ARCHZBM_NET_CLIENT_IP' 'ARCHZBM_NET_NETMASK' 'ARCHZBM_NET_GATEWAY_IP' 'ARCHZBM_SSH_PORT' 'ARCHZBM_SSH_KEEPALIVE_INTVL' 'ARCHZBM_SSH_AUTH_KEYS' 'ARCHZBM_OS_CLIENT_IP' 'ARCHZBM_OS_GATEWAY_IP' 'ARCHZBM_OS_SSH_AUTH_KEYS' 'ARCHZBM_OS_DNS_IP' 'ARCHZBM_OS_NTP_IP'; do
         if [[ "${!env_var}" ]]; then
             printf -- '%s='"'"'%s'"'"'\n' \
                 "${env_var}" "${!env_var}" \
@@ -224,7 +357,7 @@ function setup_env_vars () {
     printf -- '%s\n' \
         'Done, please rerun script now with just' \
         '... | bash' \
-        'so without the '"'"'setup'"'"' argument's
+        'so without the '"'"'setup'"'"' argument'
     exit 77
 }
 
@@ -296,19 +429,34 @@ function update_pacman_db () {
     systemctl start reflector
     # In an ISO and for the minimal number of packages we need we do not
     # care about partial upgrades
-    pacman -Syyuu --noconfirm
+    #
+    # Are we better off not attempting an upgrade inside the ISO?
+    # Let's try and find out.
+    # while ! pacman -Syyuu --needed --noconfirm --downloadonly; do
+    #     sleep 5
+    # done
+    # pacman -Syyuu --needed --noconfirm
+    pacman -Syy
 }
 
 function install_pkgs () {
     #1.5
     printf -- '%s\n' 'Installing packages ...'
+    while ! pacman -S --needed --noconfirm --downloadonly "${@}"; do
+        sleep 5
+    done
     pacman -S --needed --noconfirm "${@}"
 }
 
 function install_zfs () {
     #1.6
     declare reset_colors='\033[0m'
-    curl -s 'https://raw.githubusercontent.com/eoli3n/archiso-zfs/master/init' | bash
+    if modinfo 'zfs' &>/dev/null; then
+        >&3 printf -- '%s\n' \
+            'ZFS kernel module is loaded, no need to install ...'
+    else
+        curl -s 'https://raw.githubusercontent.com/eoli3n/archiso-zfs/master/init' | bash
+    fi
     printf -- "${reset_colors}"
 }
 
@@ -630,27 +778,30 @@ function install_archlinux () {
     #1.12
     pacman_dl_parallel
     pacman_dont_check_space
-    pacstrap /mnt              \
-        base                   \
-        base-devel             \
-        linux                  \
-        linux-headers          \
-        linux-firmware         \
-        amd-ucode              \
-        efibootmgr             \
-        vim                    \
-        git                    \
-        iwd                    \
-        networkmanager         \
-        network-manager-applet \
-        dialog                 \
-        os-prober              \
-        reflector              \
-        bluez                  \
-        bluez-utils            \
-        man-db                 \
-        xdg-utils              \
-        xdg-user-dirs
+    pacman --noconfirm -S archlinux-keyring
+    while ! pacstrap /mnt              \
+                base                   \
+                base-devel             \
+                linux                  \
+                linux-headers          \
+                linux-firmware         \
+                amd-ucode              \
+                efibootmgr             \
+                vim                    \
+                git                    \
+                iwd                    \
+                networkmanager         \
+                network-manager-applet \
+                dialog                 \
+                os-prober              \
+                reflector              \
+                bluez                  \
+                bluez-utils            \
+                man-db                 \
+                xdg-utils              \
+                xdg-user-dirs; do
+        sleep 5
+    done
 }
 
 function gen_fstab () {
@@ -786,8 +937,49 @@ function add_zfs_hook_to_initramfs () {
         '/mnt/etc/mkinitcpio.conf'
 }
 
-function set_initramfs_build_list () {
+function replace_systemd_initramfs_with_udev () {
     #1.17
+    # Replace systemd-boot hooks with udev hooks in initramfs. For some odd
+    # reason we have not yet understood the modern default on a fresh Arch
+    # Linux installation ('systemd' and 'sd-vconsole' hooks) doesn't cleanly
+    # boot into a boot environment via ZFSBootMenu.
+    #
+    # 1. If we left both hooks in place we'd see an error related
+    # to '/dev/gpt-auto-root'; that can be worked around by loading the 'vfat'
+    # module via the 'MODULES=(...)' array in '/etc/mkinitcpio.conf'.
+    #
+    # 2. On next try we see the system failing into an emergency shell at a
+    # later point in initramfs execution due to a failure with
+    # 'initrd-switch-root.service'. Since the 'systemd' hook disables the
+    # 'root' account we enter a non-functional emergency shell. See
+    # https://wiki.archlinux.org/title/Mkinitcpio section 6.7 "Cannot open
+    # access to console, the root account is locked" where we learn that we can
+    # install AUR package initcpio-hook-shadowcopy and load the 'shadowcopy'
+    # hook right after the 'systemd' hook in order to get a fully functional
+    # emergency shell.
+    #
+    # 3. On next try 'initrd-switch-root.service' fails into a functional
+    # emergency shell which allows us to check systemd status of
+    # 'initrd-switch-root.service'. This seems to tell us that '/sysroot' is
+    # wanted but missing which appears to be true.
+    #
+    # At this point in December 2025 we stopped investigating how to properly
+    # pair 'systemd' and 'sd-vconsole' hooks with ZFSBootMenu. We're instead
+    # replacing both as follows:
+    #
+    #     systemd <--> udev
+    # sd-vconsole <--> consolefont
+    #
+    # This cleanly boots a boot environment. Further investigation may be
+    # warranted at a later date. For now this workaround is good enough.
+    in_file_in_array_insert_n_before_m '/mnt/etc/mkinitcpio.conf' 'HOOKS' 'udev' 'systemd'
+    in_file_in_array_remove_n '/mnt/etc/mkinitcpio.conf' 'HOOKS' 'systemd'
+    in_file_in_array_insert_n_before_m '/mnt/etc/mkinitcpio.conf' 'HOOKS' 'consolefont' 'sd-vconsole'
+    in_file_in_array_remove_n '/mnt/etc/mkinitcpio.conf' 'HOOKS' 'sd-vconsole'
+}
+
+function set_initramfs_build_list () {
+    #1.18
     # No need to build fallback initramfs, our new fallback is ZFS snapshots
     sed -ri \
         -e '/^#/d' \
@@ -801,7 +993,7 @@ function set_initramfs_build_list () {
 }
 
 function add_zfs_files_to_new_os () {
-    #1.18
+    #1.19
     for zfs_file in '/etc/hostid' '/etc/zfs/zpool.cache' $([[ ! "${ARCHZBM_ZFSPROPS_NO_ENCRYPTION}" ]] && printf -- '%s' '/etc/zfs/'"${zpool_name}"'.key'); do
         rsync -av --itemize-changes {'','/mnt'}"${zfs_file}"
     done
@@ -901,12 +1093,12 @@ function get_aur_helper () {
     usermod --append --groups 'wheel' 'build'
     printf -- '%s\n' '%wheel ALL=(ALL:ALL) NOPASSWD: ALL' > '/etc/sudoers.d/10-wheel-group-no-passwd-prompt'
     pushd /tmp
-    git clone https://aur.archlinux.org/paru-bin.git
-    chown -R 'build:' 'paru-bin'
-    pushd 'paru-bin'
+    git clone https://aur.archlinux.org/paru-git.git
+    chown -R 'build:' 'paru-git'
+    pushd 'paru-git'
     sudo --user 'build' makepkg -si --noconfirm
     popd
-    rm -rf 'paru-bin'
+    rm -rf 'paru-git'
     popd
 }
 
@@ -959,7 +1151,6 @@ EFI:
   ImageDir: /efi/EFI/ZBM
   Versions: false
   Enabled: true
-  Stub: /usr/share/zfsbootmenu/stubs/linuxx64.efi.stub/linuxx64.efi.stub  # workaround: https://github.com/zbm-dev/zfsbootmenu/discussions/501
 Kernel:
   CommandLine: ro loglevel=0 zbm.import_policy=hostid
   Prefix: vmlinuz
@@ -1146,7 +1337,7 @@ function get_disks_with_one_efipart () {
     # Find disks that have exactly one EFI partition and where that EFI
     # partition is partition number 1. We expect exactly one disk to meet
     # these criteria. Anything else and we bail.
-    disks_with_one_efipart="$(lsblk --output PATH,PARTTYPE --json --tree | jq --raw-output '.[][] | select(.children | length > 0) | select( any (.children[]; (.path | test("^[^[:digit:]]+1")) and (.parttype=="'"${partition_types[gpt_efi]}"'")) and ([select(.children[].parttype=="'"${partition_types[gpt_efi]}"'")] | length == 1) ) | .path')"
+    disks_with_one_efipart="$(lsblk --output PATH,PARTTYPE --json --tree | jq --raw-output '.[][] | select(.children | length > 0) | select( any (.children[]; (.path | test("^[^[:digit:]]+(.*?[[:digit:]]+p)?1")) and (.parttype=="'"${partition_types[gpt_efi]}"'")) and ([select(.children[].parttype=="'"${partition_types[gpt_efi]}"'")] | length == 1) ) | .path')"
     if [[ "$(wc -l <<<"${disks_with_one_efipart}")" -eq '1' ]] && [[ "$(wc -c <<<"${disks_with_one_efipart}")" -gt '1' ]]; then
         printf -- '%s' "${disks_with_one_efipart}"
         return 0
@@ -1156,6 +1347,10 @@ function get_disks_with_one_efipart () {
 
 function install_os_in_chroot () {
     #2.2
+    dd if='/dev/zero' of='/swapfile' bs='1M' count='2048'
+    losetup '/dev/loop9' '/swapfile'
+    mkswap '/dev/loop9'
+    swapon '/dev/loop9'
     ### Reinit keyring
     # As keyring is initialized at boot, and copied to the install dir with pacstrap, and ntp is running
     # Time changed after keyring initialization, it leads to malfunction
@@ -1163,6 +1358,9 @@ function install_os_in_chroot () {
     rm -rf '/etc/pacman.d/gnupg'
     pacman-key --init
     pacman-key --populate archlinux
+    while ! pacman -S archlinux-keyring --noconfirm --downloadonly; do
+        sleep 5
+    done
     pacman -S archlinux-keyring --noconfirm
 
     locale-gen
@@ -1173,6 +1371,13 @@ function install_os_in_chroot () {
     unleash_makepkg                             #2.5
     add_motd_getting_started_msg                #2.6
     get_aur_helper                              #2.7
+    if [[ "${ARCHZBM_KERNEL_VER}" ]]; then
+        paru_install 'downgrade'
+        yes | downgrade --ala-only \
+            'linux='"${ARCHZBM_KERNEL_VER}" \
+            'linux-headers='"${ARCHZBM_KERNEL_VER}" \
+            --ignore always
+    fi
     paru_install 'zfs-dkms' 'zfs-utils' 'jq'
     hwclock --systohc
     mkinitcpio -P
@@ -1192,6 +1397,9 @@ function install_os_in_chroot () {
         add_syslinux_pacman_hook
     fi
     add_zbm_pacman_hook
+    swapoff '/dev/loop9'
+    losetup -d '/dev/loop9'
+    rm '/swapfile'
 }
 
 function set_root_pw () {
@@ -1207,11 +1415,54 @@ function set_root_pw () {
 
 function configure_networking () {
     #3.3
+    local -a dns_addresses ntp_addresses
+
+    # Begin network unit file with a default top section
     cat > '/mnt/etc/systemd/network/50-wired.network' <<"EOF"
 [Match]
 Name=en*
 
 [Network]
+EOF
+
+    # Decide on what comes next in network unit file
+    if  [[ "${ARCHZBM_OS_CLIENT_IP}" ]]  || \
+        [[ "${ARCHZBM_OS_GATEWAY_IP}" ]] || \
+        [[ "${ARCHZBM_OS_DNS_IP}" ]]     || \
+        [[ "${ARCHZBM_OS_NTP_IP}" ]]; then
+
+        cat >> '/mnt/etc/systemd/network/50-wired.network' <<EOF
+Address=${ARCHZBM_OS_CLIENT_IP}
+Gateway=${ARCHZBM_OS_GATEWAY_IP}
+EOF
+
+        if [[ "${ARCHZBM_OS_DNS_IP}" ]]; then
+            mapfile -t dns_addresses < <(<<<"${ARCHZBM_OS_DNS_IP}" tr ',' '\n' | sed '/^$/d')
+        else
+            dns_addresses+=('8.8.8.8')
+            dns_addresses+=('8.8.4.4')
+        fi
+        for dns_addr in "${dns_addresses[@]}"; do
+            cat >> '/mnt/etc/systemd/network/50-wired.network' <<EOF
+DNS=${dns_addr}
+EOF
+        done
+
+        if [[ "${ARCHZBM_OS_NTP_IP}" ]]; then
+            mapfile -t ntp_addresses < <(<<<"${ARCHZBM_OS_NTP_IP}" tr ',' '\n' | sed '/^$/d')
+            for ntp_addr in "${ntp_addresses[@]}"; do
+                cat >> '/mnt/etc/systemd/network/50-wired.network' <<EOF
+NTP=${ntp_addr}
+EOF
+            done
+        fi
+
+        cat >> '/mnt/etc/systemd/network/50-wired.network' <<"EOF"
+IPForward=yes
+Domains=~.
+EOF
+    else
+        cat >> '/mnt/etc/systemd/network/50-wired.network' <<"EOF"
 DHCP=ipv4
 IPForward=yes
 
@@ -1219,33 +1470,56 @@ IPForward=yes
 UseDNS=yes
 RouteMetric=10
 EOF
+    fi
+
     systemctl enable 'systemd-networkd' --root='/mnt'
     systemctl disable 'systemd-networkd-wait-online' --root='/mnt'
 }
 
-function configure_dns () {
+function configure_sshd () {
     #3.4
+    local pub_key_line
+
+    cat >> '/mnt/etc/ssh/sshd_config.d/40-defaults.conf' <<"EOF"
+PasswordAuthentication no
+PermitRootLogin yes
+EOF
+
+    while IFS= read -r pub_key_line; do
+        printf -- '%s\n' "${pub_key_line}" >> '/mnt/root/.ssh/authorized_keys'
+    done < <(<<<"${ARCHZBM_OS_SSH_AUTH_KEYS}" sed -r -e 's/,,/\n/g')
+
+    systemctl enable 'sshd.service' --root='/mnt'
+}
+
+function configure_dns () {
+    #3.5
     rm '/mnt/etc/resolv.conf'
     ln -s '/run/systemd/resolve/stub-resolv.conf' '/mnt/etc/resolv.conf'
 
     # Optionally you may want /etc/systemd/network/50-wired.network to use
     # UseDNS=no and hardcode DNS server(s) here:
     # sed -i 's/^#DNS=.*/DNS=1.1.1.1/' /mnt/etc/systemd/resolved.conf
-    systemctl enable 'systemd-resolved' --root='/mnt'
+    systemctl enable 'systemd-resolved.service' --root='/mnt'
+}
+
+function configure_ntp () {
+    #3.6
+    systemctl enable 'systemd-timesyncd.service' --root='/mnt'
 }
 
 function configure_reflector () {
-    #3.5
+    #3.7
     systemctl enable 'reflector.service' 'reflector.timer' --root='/mnt'
 }
 
 function configure_zfs () {
-    #3.6
-    systemctl enable 'zfs-import-cache' 'zfs-mount' 'zfs-import.target' 'zfs.target' --root='/mnt'
+    #3.8
+    systemctl enable 'zfs-import-cache.service' 'zfs-mount.service' 'zfs-import.target' 'zfs.target' --root='/mnt'
 }
 
 function configure_zfs_mount_gen () {
-    #3.7
+    #3.9
     mkdir -p '/mnt/etc/zfs/zfs-list.cache'
     touch '/mnt/etc/zfs/zfs-list.cache/'"${zpool_name}"
     zfs list -H -o name,mountpoint,canmount,atime,relatime,devices,exec,readonly,setuid,nbmand | sed 's/\/mnt//' > '/mnt/etc/zfs/zfs-list.cache/'"${zpool_name}"
@@ -1253,7 +1527,7 @@ function configure_zfs_mount_gen () {
 }
 
 function set_new_uefi_boot_entries () {
-    #3.8
+    #3.10
     declare -a uefi_images
     mapfile -t uefi_images < \
         <(find '/mnt/efi/EFI/ZBM' -type f -iname '*.efi' -print0 | \
@@ -1296,7 +1570,7 @@ function set_new_uefi_boot_entries () {
 }
 
 function umount_all () {
-    #3.9
+    #3.11
     if [[ "${part_schema}" = 'mbr' ]]; then
         umount '/mnt/boot/syslinux'
     else
@@ -1308,16 +1582,20 @@ function umount_all () {
 
 function finalize_os_setup () {
     #3.1
-    set_root_pw                                 #3.2
-    configure_networking                        #3.3
-    configure_dns                               #3.4
-    configure_reflector                         #3.5
-    configure_zfs                               #3.6
-    configure_zfs_mount_gen                     #3.7
-    if [[ "${part_schema}" = 'gpt' ]]; then
-        set_new_uefi_boot_entries               #3.8
+    set_root_pw                                     #3.2
+    configure_networking                            #3.3
+    if [[ "${ARCHZBM_OS_SSH_AUTH_KEYS}" ]]; then
+        configure_sshd                              #3.4
     fi
-    umount_all                                  #3.9
+    configure_dns                                   #3.5
+    configure_ntp                                   #3.6
+    configure_reflector                             #3.7
+    configure_zfs                                   #3.8
+    configure_zfs_mount_gen                         #3.9
+    if [[ "${part_schema}" = 'gpt' ]]; then
+        set_new_uefi_boot_entries                   #3.10
+    fi
+    umount_all                                      #3.11
 }
 
 function main () {
@@ -1325,29 +1603,30 @@ function main () {
         arg_parse "${@}"
     fi
     if we_are_changerooted; then
-        install_os_in_chroot                    #2.2
+        install_os_in_chroot                        #2.2
     else
-        no_kernel_update_in_iso                 #1.1
-        set_ntp                                 #1.2
-        resize_cow_space                        #1.3
-        update_pacman_db                        #1.4
-        install_pkgs 'jq'                       #1.5
-        install_zfs                             #1.6
-        uefi_or_bios                            #1.7
-        load_settings_file                      #1.8
-        setup_zpool                             #1.9
-        mount_system                            #1.10
-        copy_zpool_cache                        #1.11
-        install_archlinux                       #1.12
-        gen_fstab                               #1.13
-        set_hostname                            #1.14
-        set_locale                              #1.15
-        add_zfs_hook_to_initramfs               #1.16
-        set_initramfs_build_list                #1.17
-        add_zfs_files_to_new_os                 #1.18
-        enter_chroot                            #2.1
+        no_kernel_update_in_iso                     #1.1
+        set_ntp                                     #1.2
+        resize_cow_space                            #1.3
+        update_pacman_db                            #1.4
+        install_pkgs 'jq'                           #1.5
+        install_zfs                                 #1.6
+        uefi_or_bios                                #1.7
+        load_settings_file                          #1.8
+        setup_zpool                                 #1.9
+        mount_system                                #1.10
+        copy_zpool_cache                            #1.11
+        install_archlinux                           #1.12
+        gen_fstab                                   #1.13
+        set_hostname                                #1.14
+        set_locale                                  #1.15
+        add_zfs_hook_to_initramfs                   #1.16
+        replace_systemd_initramfs_with_udev         #1.17
+        set_initramfs_build_list                    #1.18
+        add_zfs_files_to_new_os                     #1.19
+        enter_chroot                                #2.1
         # We're done in chroot
-        finalize_os_setup                       #3.1
+        finalize_os_setup                           #3.1
     fi
 }