l init: rework with xfs and luksPassword
This commit is contained in:
parent
f1a507bb48
commit
1774a149f9
@ -1,25 +1,20 @@
|
|||||||
{ pkgs, lib, pubkey ? "", disk ? "/dev/sda", vgname ? "pool", luksmap ? "luksmap", keyfile ? "/root/keyfile", ... }:
|
{ pkgs, lib, vgname ? "vgname", luksmap ? "luksmap", ... }:
|
||||||
|
|
||||||
with lib;
|
with lib;
|
||||||
|
|
||||||
pkgs.writeText "init" ''
|
pkgs.writeScript "init" ''
|
||||||
#! /bin/sh
|
#!/usr/bin/env nix-shell
|
||||||
# usage: curl xu/~tv/init | sh
|
#! nix-shell -i bash -p jq parted libxfs
|
||||||
set -efu
|
set -efu
|
||||||
# TODO nix-env -f '<nixpkgs>' -iA jq # if not exists (also version)
|
|
||||||
# install at tmp location
|
|
||||||
|
|
||||||
|
disk=$1
|
||||||
|
|
||||||
case $(cat /proc/cmdline) in
|
if mount | grep -q "$disk"; then
|
||||||
*' root=LABEL=NIXOS_ISO '*) :;;
|
echo "target device is already mounted, bailout"
|
||||||
*) echo Error: unknown operating system >&2; exit 1;;
|
exit 2
|
||||||
esac
|
fi
|
||||||
|
|
||||||
keyfile=${keyfile}
|
luksdev="$disk"3
|
||||||
|
|
||||||
disk=${disk}
|
|
||||||
|
|
||||||
luksdev=${disk}3
|
|
||||||
luksmap=/dev/mapper/${luksmap}
|
luksmap=/dev/mapper/${luksmap}
|
||||||
|
|
||||||
vgname=${vgname}
|
vgname=${vgname}
|
||||||
@ -29,13 +24,7 @@ pkgs.writeText "init" ''
|
|||||||
rootdev=/dev/mapper/${vgname}-root
|
rootdev=/dev/mapper/${vgname}-root
|
||||||
homedev=/dev/mapper/${vgname}-home
|
homedev=/dev/mapper/${vgname}-home
|
||||||
|
|
||||||
#
|
read -p "LUKS Password: " lukspw
|
||||||
#generate keyfile
|
|
||||||
#
|
|
||||||
|
|
||||||
if ! test -e "$keyfile"; then
|
|
||||||
dd if=/dev/urandom bs=512 count=2048 of=$keyfile
|
|
||||||
fi
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# partitioning
|
# partitioning
|
||||||
@ -61,14 +50,13 @@ pkgs.writeText "init" ''
|
|||||||
|
|
||||||
if ! cryptsetup isLuks "$luksdev"; then
|
if ! cryptsetup isLuks "$luksdev"; then
|
||||||
# aes xts-plain64
|
# aes xts-plain64
|
||||||
cryptsetup luksFormat "$luksdev" "$keyfile" \
|
echo -n "$lukspw" | cryptsetup luksFormat "$luksdev" - \
|
||||||
-h sha512 \
|
-h sha512 \
|
||||||
--iter-time 5000
|
--iter-time 5000
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! test -e "$luksmap"; then
|
if ! test -e "$luksmap"; then
|
||||||
cryptsetup luksOpen "$luksdev" "$(basename "$luksmap")" \
|
echo "$lukspw" | cryptsetup luksOpen "$luksdev" "$(basename "$luksmap")" -
|
||||||
--key-file "$keyfile"
|
|
||||||
fi
|
fi
|
||||||
# cryptsetup close
|
# cryptsetup close
|
||||||
|
|
||||||
@ -95,11 +83,11 @@ pkgs.writeText "init" ''
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
if ! test "$(blkid -o value -s TYPE "$rootdev")" = btrfs; then
|
if ! test "$(blkid -o value -s TYPE "$rootdev")" = btrfs; then
|
||||||
mkfs.btrfs "$rootdev"
|
mkfs.xfs "$rootdev"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! test "$(blkid -o value -s TYPE "$homedev")" = btrfs; then
|
if ! test "$(blkid -o value -s TYPE "$homedev")" = btrfs; then
|
||||||
mkfs.btrfs "$homedev"
|
mkfs.xfs "$homedev"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
@ -134,12 +122,5 @@ pkgs.writeText "init" ''
|
|||||||
parted "$disk" print
|
parted "$disk" print
|
||||||
lsblk "$disk"
|
lsblk "$disk"
|
||||||
|
|
||||||
key='${pubkey}'
|
|
||||||
if [ "$(cat /root/.ssh/authorized_keys 2>/dev/null)" != "$key" ]; then
|
|
||||||
mkdir -p /root/.ssh
|
|
||||||
echo "$key" > /root/.ssh/authorized_keys
|
|
||||||
fi
|
|
||||||
systemctl start sshd
|
|
||||||
ip route
|
|
||||||
echo READY.
|
echo READY.
|
||||||
''
|
''
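Review bot: The passphrase taken at `read -p "LUKS Password: " lukspw` is echoed to the terminal and backslash-processed, and the two cryptsetup calls then feed it differently — `echo -n` with a positional `-` for luksFormat, `echo` (trailing newline) with no `--key-file` for luksOpen — so whether both commands derive the same key bytes depends on cryptsetup's stdin handling rather than on the script. Read it with `read -r -s -p "LUKS Password: " lukspw` and pipe it identically to both, e.g. `printf '%s' "$lukspw" | cryptsetup --key-file - luksFormat "$luksdev" -h sha512 --iter-time 5000` and `printf '%s' "$lukspw" | cryptsetup --key-file - luksOpen "$luksdev" "$(basename "$luksmap")"`. Separately, the two `blkid … = btrfs` tests in the `@ -95,11 +83,11 @@` hunk were not updated alongside `mkfs.xfs`, so an xfs-formatted root or home never satisfies the check and a re-run reaches mkfs.xfs again, which refuses an existing filesystem and aborts the script under `set -efu`. Compare against `xfs` there instead. The script body continues outside these hunks.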
|
||||||
|