• One raspberry pi zero W
  • One sd card

Download Alpine linux

We’ll use the almost latest version: 3.9.2 (3.9.3 would not work for some reason) The one to use for RPI is the raspberry pi (surprising :P) armhf.

On your local computer (assuming you re using linux)

Mount the sdcard (should be automated, if not, you probably know how to do that and you probably don’t need that tutorial)

List your disks:

sudo fdisk -l
Disk /dev/sda: 14,8 GiB, 15836643328 bytes, 30930944 sectors

The disk you just inserted should be available in the list. It most likely should be called /dev/sda.

You’ll create 3 partitions:

  • 256MiB partition for alpine itself (have to be of type 0x0c - W95 FAT32 (LBA))
  • 1GiB partition for the cache and config files
  • 13.5GiB partition for your var folder
sudo fdisk /dev/sda
n - p - 1 - +256M - t - 1 - c - a - w
n - p - 2 - +1G - w
n - p - 3 - - - w

Format you first partition to fat, and the 2 others to ext4

sudo mkfs.vfat -F 32 /dev/sda1
sudo mkfs.ext4 /dev/sda2
sudo mkfs.ext4 /dev/sda3

Check where it is mounted:


sda           8:0    1  14,8G  0 disk
├─sda1        8:1    1   256M  0 part /run/media/youruser/24CB-FC98
├─sda2        8:2    1     1G  0 part /run/media/youruser/4bb8adf3-f1c9-4367-8e38-7c09bad775ee
└─sda3        8:3    1  13,5G  0 part /run/media/youruser/42b25298-f013-483c-845c-9408e330bb75

Extract your previously downloaded alpine linux to the root of this partition:

sudo tar -C /run/media/youruser/24CB-FC98 -xzf ~/Downloads/alpine-rpi-3.9.2-armhf.tar.gz

For reasons (in the alpine wiki):

echo enable_uart=1 > /run/media/youruser/24CB-FC98/usercfg.txt

unmount the sdcard:

umount /run/media/toto/10F8-4DDB

On your rpi0

Put back the sdcard into the rpi and boot it up (with keyboard and screen).

Mount your 2 other partitions:

mkdir /media/mmcblk0p2
mkdir /media/mmcblk0p3
mount /dev/mmcblk0p2 /media/mmcblk0p2
mount /dev/mmcblk0p3 /media/mmcblk0p3

and run the setup:


And let yourself be guided, don’t forget to set the config and cache partition mmcblk0p2 to be saved to.

As of now, it seems there is a bug for the dhcp lease, just install wpa_supplicant and and add it to boot:

apk add wpa_supplicant
rc-update add wpa_supplicant boot

Enable community repositories (for visudo):

vi /etc/apk/repositories
apk update

Add a user and add its group to the sudoers:

addgroup -S maintenance && adduser maintenance -G maintenance
apk add sudo
"%maintenance ALL=(ALL) ALL"
chown root:root /etc/sudoers
lbu add /home/maintenance

And don’t forget the commit and most importantly, don’t forget to set a password for it, so it’s not visible to anyone getting access to your sdcard!

lbu commit -p YOURPASSWORD

Back on your local computer


Unzip the local backup tarball (host.apkovl.tar.gz):

mkdir -p ~/alpine-install/armv6/lb
tar -C ~/alpine-install/armv6/lb -xzf /sda2mountpoint/host.apkovl.tar.gz

ssh connection

Add your ssh key to the authorized_keys of the maintenance user and allow ssh connection

ssh-keygen -t rsa -C "youremail"
mkdir -p ~/alpine-install/armv6/lb/home/maintenance/.ssh
cat ~/.ssh/ > ~/alpine-install/armv6/lb/home/maintenance/.ssh/authorized_keys
chmod 700 ~/alpine-install/armv6/lb/home/maintenance/.ssh
chmod 600 ~/alpine-install/armv6/lb/home/maintenance/.ssh/authorized_keys
chown root:root ~/alpine-install/armv6/lb/etc/sudoers

Auto mount mmcblk0p3

Add as well your 3rd partition to fstab:

echo "/dev/mmcblk0p3 /media/mmcblk0p3 ext4 rw,relatime 0 0" >> ~/alpine-install/armv6/lb/etc/fstab

Bonus: change the welcome message

echo "Welcome home\!" > ~/alpine-install/armv6/lb/etc/motd

Copy back the lbu to your sdcard

Recompress everything (be careful to change the host to your selected hostname):

sudo tar -czvf ~/alpine-install/armv6/host.apkovl.tar.gz -C ~/alpine-install/armv6/lb .
rm -rf ~/alpine-install/armv6/lb
sudo cp ~/alpine-install/armv6/host.apkovl.tar.gz /sda2mountpoint/
umount /sda2mountpoint

Connecting through ssh

Put back the sdcar in the rpi0 and boot.

Connect via ssh with the maintenance user:

ssh -vv -i ~/.ssh/id_rsa maintenance@

Tips if you have errors, on you rpi, just uncomment the two following lines in /etc/sshd_config, and you should see logs in /var/log/auth.log:

    SyslogFacility AUTH
    LogLevel INFO

Making sure maintenance stays the owner of its home:

sudo chown -r maintenance:maintenance /home/maintenance

Securing SSH connection

Let’s secure the ssh connection by removing the password access and enabling 2FA

Install needed packages:

apk add google-authenticator openssh-server-pam

As the maintenance user, run googleauthenticator and follow the config (don’t forget to add your 2FA).

Inside /etc/ssh/sshdconfig: (add if not present)

ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive

then create the PAM sshd conf:

echo "auth required" > /etc/pam.d/sshd

and restart sshd

sudo rc-service sshd restart

You can just run the googleauthenticator ith the maintenance user and still disallow root login in sshd. and don’t forget to commit!

lbu commit -p YOURPASSWORD

Addendum: More disk available

Diskless alpine is great as the fs is readonly and it’s the safest and cleanest wa to install it. Problem: the RAM is not THAT big in a rpi0, hence, once you start playing with things that are bigger, it doesn’t work. Solution: use the overlayfs, it will allow you to deport some folders in the last, biggest partition, in a persistent manner.

For example, if you want to use /var/test, you can overlay /var/test:

echo "overlay /var/test overlay lowerdir=/var/test,upperdir=/media/mmcblk0p3/var/test 0 0" >> ~/alpine-install/armv6/lb/etc/fstab

Update 2019/06/03

We can use parted to automate the disk formatting:

sudo parted --script -a optimal /dev/sda \
    mklabel gpt \
    mkpart primary fat32 0% 256MiB \
    mkpart primary ext4 256MiB 2GiB \
    mkpart primary ext4 2GiB 100% \
    set 1 boot on &&
sudo mkfs.vfat -F 32 /dev/sda1 &&
sudo mkfs.ext4 /dev/sda2 &&
sudo mkfs.ext4 /dev/sda3