Automate luks password during install
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
This commit is contained in:
@@ -8,6 +8,7 @@
|
|||||||
iputils
|
iputils
|
||||||
jq
|
jq
|
||||||
nix
|
nix
|
||||||
|
sops
|
||||||
inputs.disko.packages.${system}.disko
|
inputs.disko.packages.${system}.disko
|
||||||
];
|
];
|
||||||
text = builtins.readFile ./install.sh;
|
text = builtins.readFile ./install.sh;
|
||||||
|
|||||||
@@ -4,7 +4,6 @@ _nix-install_completion() {
|
|||||||
'-m[Mode: 'install' or 'repair']:mode:(install repair)'
|
'-m[Mode: 'install' or 'repair']:mode:(install repair)'
|
||||||
'-h[Host to configure]:host:($(_list_hosts))'
|
'-h[Host to configure]:host:($(_list_hosts))'
|
||||||
'-k[Key file to copy to user config]:key:($(_list_keys))'
|
'-k[Key file to copy to user config]:key:($(_list_keys))'
|
||||||
'-p[LUKS password file to use for encryption]:password_file:_files'
|
|
||||||
'-c[Copy configuration to target]'
|
'-c[Copy configuration to target]'
|
||||||
'-r[Reboot after completion]'
|
'-r[Reboot after completion]'
|
||||||
)
|
)
|
||||||
|
|||||||
@@ -8,7 +8,6 @@ usage() {
|
|||||||
echo " -m mode Mode: 'install' or 'repair'."
|
echo " -m mode Mode: 'install' or 'repair'."
|
||||||
echo " -h host Host to configure."
|
echo " -h host Host to configure."
|
||||||
echo " -k key Key file to copy to user config."
|
echo " -k key Key file to copy to user config."
|
||||||
echo " -p password_file LUKS password file to use for encryption."
|
|
||||||
echo " -c Copy configuration to target."
|
echo " -c Copy configuration to target."
|
||||||
echo " -r Reboot after completion."
|
echo " -r Reboot after completion."
|
||||||
exit 1
|
exit 1
|
||||||
@@ -50,22 +49,10 @@ check_key() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
set_password_file() {
|
set_password_file() {
|
||||||
if [[ -n "$password_file" ]]; then
|
SOPS_AGE_KEY_FILE="$(realpath "$flake/secrets/$key/key.txt")"
|
||||||
if [[ ! -f "$password_file" ]]; then
|
export SOPS_AGE_KEY_FILE
|
||||||
echo "LUKS key file '$password_file' not found."
|
sops --decrypt --extract "['luks']" "$flake/hosts/$host/secrets/secrets.yaml" > /tmp/installer.key
|
||||||
exit 1
|
unset SOPS_AGE_KEY_FILE
|
||||||
fi
|
|
||||||
|
|
||||||
ln -sf "$(realpath "$password_file")" /tmp/installer.key
|
|
||||||
else
|
|
||||||
echo "Enter password for LUKS encryption:"
|
|
||||||
IFS= read -r -s password
|
|
||||||
echo "Enter password again to confirm: "
|
|
||||||
IFS= read -r -s password_check
|
|
||||||
[ "$password" != "$password_check" ]
|
|
||||||
echo -n "$password" > /tmp/installer.key
|
|
||||||
unset password password_check
|
|
||||||
fi
|
|
||||||
}
|
}
|
||||||
|
|
||||||
prepare_disk() {
|
prepare_disk() {
|
||||||
@@ -115,59 +102,57 @@ cleanup() {
|
|||||||
if [[ -d "$root" ]]; then rmdir "$root"; fi
|
if [[ -d "$root" ]]; then rmdir "$root"; fi
|
||||||
}
|
}
|
||||||
|
|
||||||
check_root
|
main() {
|
||||||
check_network
|
check_root
|
||||||
|
check_network
|
||||||
|
|
||||||
if [[ "$#" -lt 1 ]]; then
|
if [[ "$#" -lt 1 ]]; then usage; fi
|
||||||
usage
|
|
||||||
fi
|
|
||||||
|
|
||||||
flake="$(realpath "$1")"
|
flake="$(realpath "$1")"
|
||||||
check_flake
|
check_flake
|
||||||
shift
|
shift
|
||||||
|
|
||||||
mode=""
|
mode=""
|
||||||
host=""
|
host=""
|
||||||
key=""
|
key=""
|
||||||
password_file=""
|
copy_config_flag="false"
|
||||||
copy_config_flag="false"
|
reboot_flag="false"
|
||||||
reboot_flag="false"
|
|
||||||
|
|
||||||
while getopts "m:h:k:p:cr" opt; do
|
while getopts "m:h:k:cr" opt; do
|
||||||
case "$opt" in
|
case "$opt" in
|
||||||
m) mode="$OPTARG" ;;
|
m) mode="$OPTARG" ;;
|
||||||
h) host="$OPTARG" ;;
|
h) host="$OPTARG" ;;
|
||||||
k) key="$OPTARG" ;;
|
k) key="$OPTARG" ;;
|
||||||
p) password_file="$OPTARG" ;;
|
c) copy_config_flag="true" ;;
|
||||||
c) copy_config_flag="true" ;;
|
r) reboot_flag="true" ;;
|
||||||
r) reboot_flag="true" ;;
|
*) usage ;;
|
||||||
*) usage ;;
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
if [[ -z "$mode" || -z "$host" ]]; then usage; fi
|
||||||
|
|
||||||
|
check_host
|
||||||
|
check_key
|
||||||
|
set_password_file
|
||||||
|
|
||||||
|
case "$mode" in
|
||||||
|
install)
|
||||||
|
prepare_disk "destroy,format,mount"
|
||||||
|
copy_keys
|
||||||
|
install
|
||||||
|
if [[ "$copy_config_flag" == "true" ]]; then copy_config; fi
|
||||||
|
if [[ "$reboot_flag" == "true" ]]; then finish; fi
|
||||||
|
;;
|
||||||
|
repair)
|
||||||
|
prepare_disk "mount"
|
||||||
|
install
|
||||||
|
if [[ "$reboot_flag" == "true" ]]; then finish; fi
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "Invalid mode: $mode"
|
||||||
|
usage
|
||||||
|
;;
|
||||||
esac
|
esac
|
||||||
done
|
}
|
||||||
|
|
||||||
if [[ -z "$mode" || -z "$host" ]]; then
|
main "$@"
|
||||||
usage
|
|
||||||
fi
|
|
||||||
|
|
||||||
check_host
|
|
||||||
check_key
|
|
||||||
until set_password_file; do echo "Passwords did not match, please try again."; done
|
|
||||||
|
|
||||||
case "$mode" in
|
|
||||||
install)
|
|
||||||
prepare_disk "destroy,format,mount"
|
|
||||||
copy_keys
|
|
||||||
install
|
|
||||||
if [[ "$copy_config_flag" == "true" ]]; then copy_config; fi
|
|
||||||
if [[ "$reboot_flag" == "true" ]]; then finish; fi
|
|
||||||
;;
|
|
||||||
repair)
|
|
||||||
prepare_disk "mount"
|
|
||||||
install
|
|
||||||
if [[ "$reboot_flag" == "true" ]]; then finish; fi
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "Invalid mode: $mode"
|
|
||||||
usage
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|||||||
Reference in New Issue
Block a user