Automate luks password during install
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
		| @@ -8,6 +8,7 @@ | ||||
|         iputils | ||||
|         jq | ||||
|         nix | ||||
|         sops | ||||
|         inputs.disko.packages.${system}.disko | ||||
|       ]; | ||||
|       text = builtins.readFile ./install.sh; | ||||
|   | ||||
| @@ -4,7 +4,6 @@ _nix-install_completion() { | ||||
|     '-m[Mode: 'install' or 'repair']:mode:(install repair)' | ||||
|     '-h[Host to configure]:host:($(_list_hosts))' | ||||
|     '-k[Key file to copy to user config]:key:($(_list_keys))' | ||||
|     '-p[LUKS password file to use for encryption]:password_file:_files' | ||||
|     '-c[Copy configuration to target]' | ||||
|     '-r[Reboot after completion]' | ||||
|   ) | ||||
|   | ||||
| @@ -8,7 +8,6 @@ usage() { | ||||
|   echo "  -m mode             Mode: 'install' or 'repair'." | ||||
|   echo "  -h host             Host to configure." | ||||
|   echo "  -k key              Key file to copy to user config." | ||||
|   echo "  -p password_file    LUKS password file to use for encryption." | ||||
|   echo "  -c                  Copy configuration to target." | ||||
|   echo "  -r                  Reboot after completion." | ||||
|   exit 1 | ||||
| @@ -50,22 +49,10 @@ check_key() { | ||||
| } | ||||
|  | ||||
| set_password_file() { | ||||
|   if [[ -n "$password_file" ]]; then | ||||
|     if [[ ! -f "$password_file" ]]; then | ||||
|       echo "LUKS key file '$password_file' not found." | ||||
|       exit 1 | ||||
|     fi | ||||
|  | ||||
|     ln -sf "$(realpath "$password_file")" /tmp/installer.key | ||||
|   else | ||||
|     echo "Enter password for LUKS encryption:" | ||||
|     IFS= read -r -s password | ||||
|     echo "Enter password again to confirm: " | ||||
|     IFS= read -r -s password_check | ||||
|     [ "$password" != "$password_check" ] | ||||
|     echo -n "$password" > /tmp/installer.key | ||||
|     unset password password_check | ||||
|   fi | ||||
|   SOPS_AGE_KEY_FILE="$(realpath "$flake/secrets/$key/key.txt")" | ||||
|   export SOPS_AGE_KEY_FILE | ||||
|   sops --decrypt --extract "['luks']" "$flake/hosts/$host/secrets/secrets.yaml" > /tmp/installer.key | ||||
|   unset SOPS_AGE_KEY_FILE | ||||
| } | ||||
|  | ||||
| prepare_disk() { | ||||
| @@ -115,12 +102,11 @@ cleanup() { | ||||
|   if [[ -d "$root" ]]; then rmdir "$root"; fi | ||||
| } | ||||
|  | ||||
| main() { | ||||
|   check_root | ||||
|   check_network | ||||
|  | ||||
| if [[ "$#" -lt 1 ]]; then | ||||
|   usage | ||||
| fi | ||||
|   if [[ "$#" -lt 1 ]]; then usage; fi | ||||
|  | ||||
|   flake="$(realpath "$1")" | ||||
|   check_flake | ||||
| @@ -129,29 +115,25 @@ shift | ||||
|   mode="" | ||||
|   host="" | ||||
|   key="" | ||||
| password_file="" | ||||
|   copy_config_flag="false" | ||||
|   reboot_flag="false" | ||||
|  | ||||
| while getopts "m:h:k:p:cr" opt; do | ||||
|   while getopts "m:h:k:cr" opt; do | ||||
|     case "$opt" in | ||||
|       m) mode="$OPTARG" ;; | ||||
|       h) host="$OPTARG" ;; | ||||
|       k) key="$OPTARG" ;; | ||||
|     p) password_file="$OPTARG" ;; | ||||
|       c) copy_config_flag="true" ;; | ||||
|       r) reboot_flag="true" ;; | ||||
|       *) usage ;; | ||||
|     esac | ||||
|   done | ||||
|  | ||||
| if [[ -z "$mode" || -z "$host" ]]; then | ||||
|   usage | ||||
| fi | ||||
|   if [[ -z "$mode" || -z "$host" ]]; then usage; fi | ||||
|  | ||||
|   check_host | ||||
|   check_key | ||||
| until set_password_file; do echo "Passwords did not match, please try again."; done | ||||
|   set_password_file | ||||
|  | ||||
|   case "$mode" in | ||||
|     install) | ||||
| @@ -171,3 +153,6 @@ case "$mode" in | ||||
|       usage | ||||
|       ;; | ||||
|   esac | ||||
| } | ||||
|  | ||||
| main "$@" | ||||
|   | ||||
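Review bot: In the rewritten set_password_file the decrypted LUKS passphrase is redirected into the fixed path /tmp/installer.key with whatever umask the installer inherited, so under a default umask the secret is created world-readable in a shared directory, and if the `sops` call fails the redirect has already truncated the file, leaving an empty key at that path for the later steps (presumably disko) to pick up. Creating the file owner-only before the redirect and aborting when decryption fails closes both gaps; the fence below has the rewritten body. The visible part of cleanup() only removes `$root`, so unless the rest of it (outside the hunk) deletes /tmp/installer.key, the plaintext passphrase also survives the run on disk and should be removed there. Whether the script runs under `set -e` is not visible here; even if it does, the explicit failure branch is worth keeping for the message.
```shell
set_password_file() {
  SOPS_AGE_KEY_FILE="$(realpath "$flake/secrets/$key/key.txt")"
  export SOPS_AGE_KEY_FILE
  # Create the key file owner-only first so the passphrase is never exposed by a permissive umask.
  install -m 600 /dev/null /tmp/installer.key
  if ! sops --decrypt --extract "['luks']" "$flake/hosts/$host/secrets/secrets.yaml" > /tmp/installer.key; then
    echo "Failed to decrypt LUKS password for host '$host'."
    exit 1
  fi
  unset SOPS_AGE_KEY_FILE
}
```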