Automate luks password during install

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>

hosts/common/configs/system/nix-install/default.nix

@@ -8,6 +8,7 @@
         iputils
         jq
         nix
+        sops
         inputs.disko.packages.${system}.disko
       ];
       text = builtins.readFile ./install.sh;

hosts/common/configs/system/nix-install/install.completion.zsh

@@ -4,7 +4,6 @@ _nix-install_completion() {
     '-m[Mode: 'install' or 'repair']:mode:(install repair)'
     '-h[Host to configure]:host:($(_list_hosts))'
     '-k[Key file to copy to user config]:key:($(_list_keys))'
-    '-p[LUKS password file to use for encryption]:password_file:_files'
     '-c[Copy configuration to target]'
     '-r[Reboot after completion]'
   )

hosts/common/configs/system/nix-install/install.sh

@@ -8,7 +8,6 @@ usage() {
   echo "  -m mode             Mode: 'install' or 'repair'."
   echo "  -h host             Host to configure."
   echo "  -k key              Key file to copy to user config."
-  echo "  -p password_file    LUKS password file to use for encryption."
   echo "  -c                  Copy configuration to target."
   echo "  -r                  Reboot after completion."
   exit 1
@@ -50,22 +49,10 @@ check_key() {
 }
 
 set_password_file() {
-  if [[ -n "$password_file" ]]; then
+  SOPS_AGE_KEY_FILE="$(realpath "$flake/secrets/$key/key.txt")"
-    if [[ ! -f "$password_file" ]]; then
+  export SOPS_AGE_KEY_FILE
-      echo "LUKS key file '$password_file' not found."
+  sops --decrypt --extract "['luks']" "$flake/hosts/$host/secrets/secrets.yaml" > /tmp/installer.key
-      exit 1
+  unset SOPS_AGE_KEY_FILE
-    fi
-
-    ln -sf "$(realpath "$password_file")" /tmp/installer.key
-  else
-    echo "Enter password for LUKS encryption:"
-    IFS= read -r -s password
-    echo "Enter password again to confirm: "
-    IFS= read -r -s password_check
-    [ "$password" != "$password_check" ]
-    echo -n "$password" > /tmp/installer.key
-    unset password password_check
-  fi
 }
 
 prepare_disk() {
@@ -115,45 +102,40 @@ cleanup() {
   if [[ -d "$root" ]]; then rmdir "$root"; fi
 }
 
-check_root
+main() {
-check_network
+  check_root
+  check_network
 
-if [[ "$#" -lt 1 ]]; then
+  if [[ "$#" -lt 1 ]]; then usage; fi
-  usage
-fi
 
-flake="$(realpath "$1")"
+  flake="$(realpath "$1")"
-check_flake
+  check_flake
-shift
+  shift
 
-mode=""
+  mode=""
-host=""
+  host=""
-key=""
+  key=""
-password_file=""
+  copy_config_flag="false"
-copy_config_flag="false"
+  reboot_flag="false"
-reboot_flag="false"
 
-while getopts "m:h:k:p:cr" opt; do
+  while getopts "m:h:k:cr" opt; do
     case "$opt" in
       m) mode="$OPTARG" ;;
       h) host="$OPTARG" ;;
       k) key="$OPTARG" ;;
-    p) password_file="$OPTARG" ;;
       c) copy_config_flag="true" ;;
       r) reboot_flag="true" ;;
       *) usage ;;
     esac
-done
+  done
 
-if [[ -z "$mode" || -z "$host" ]]; then
+  if [[ -z "$mode" || -z "$host" ]]; then usage; fi
-  usage
-fi
 
-check_host
+  check_host
-check_key
+  check_key
-until set_password_file; do echo "Passwords did not match, please try again."; done
+  set_password_file
 
-case "$mode" in
+  case "$mode" in
     install)
       prepare_disk "destroy,format,mount"
       copy_keys
@@ -170,4 +152,7 @@ case "$mode" in
       echo "Invalid mode: $mode"
       usage
       ;;
-esac
+  esac
+}
+
+main "$@"