From a0069154f5f722ce5dc7bfd15f22d852a7d0b6d0 Mon Sep 17 00:00:00 2001
From: phga
Date: Fri, 11 Mar 2022 20:33:34 +0100
Subject: [PATCH] feat: encrypted root + swap

---
 bootstrap.sh | 77 ++++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 56 insertions(+), 21 deletions(-)

diff --git a/bootstrap.sh b/bootstrap.sh
index e5ed1d3..b3a9fc3 100755
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -5,6 +5,7 @@ do case $opt in
 p) PASSWD=${OPTARG} ;;
 n) NAME=${OPTARG} ;;
 d) DEV=${OPTARG} ;;
+ e) ENC=${OPTARG} ;;
 \?) echo "-$OPTARG is not valid" >&2 && exit ;;
 esac
 done
@@ -20,6 +21,8 @@ init() {
 [ -z "$DEV" ] && lsblk -nrpo "name,size,model" && read -p "Provide installation medium (e.g. sda, nvme0n1): " DEV
 [[ "$DEV" =~ sd[a-z] ]] && SUF="1-3" && MODE="SATA"
 [[ "$DEV" =~ nvme[0-9]n[0-9] ]] && SUF="p1-3" && MODE="NVME"
+ [ -z "$ENC" ] && read -p "Do you want the root partition to be encrypted (y/n)? " ENC
+ [ "$ENC" -eq "y" ] && ENC=true || ENC=false
 echo "+---------------------+"
 echo "| Archlinux Bootstrap |"
@@ -27,17 +30,32 @@ init() {
 echo "HOSTNAME = $NAME"
 echo "ROOTPASSWD = ${PASSWD:0:1}***${PASSWD: -1}"
 echo "DEVICEPARTS = $DEV$SUF"
- read -p "Do you want to continue with these values (y/n): " cont
+ echo "ENCRYPTION = $ENC"
+ read -p "Do you want to continue with these values (y/n)? " cont
 [ ! "$cont" = "y" ] && unset NAME PASSWD DEV && init
 echo "Let's GOOOO"
 }
+crypt_prepare_disk() {
+ cryptsetup open --type plain -d /dev/urandom $1 wipe_me
+ dd if=/dev/zero of=/dev/mapper/wipe_me bs=1M status=progress
+ cryptsetup close wipe_me
+}
+
+crypt_create_fs() {
+ cryptsetup -y -v luksFormat $1
+ cryptsetup open $1 root
+ mkfs.ext4 /dev/mapper/root
+}
+
 # stop on error
 set -e
 # initialize important values
 init
+[ "$ENC" == true ] && crypt_prepare_disk "/dev/$DEV"
+
 # All values set, start bootstrapping
 gdisk /dev/$DEV < see good2know pacstrap /mnt base base-devel linux-zen linux-firmware vi dhcpcd wpa_supplicant dialog git netctl curl
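Review bot: The new `e) ENC=${OPTARG} ;;` arm only takes effect if the `getopts` option string on the `while getopts` line, which sits above this hunk and is not part of it, was extended with `e:`; otherwise `-e` falls through to the `\?` arm and the script exits. Worth confirming that optstring change is in the patch, since nothing in the visible hunks shows it.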
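Review bot: `[ "$ENC" -eq "y" ] && ENC=true || ENC=false` uses the integer comparison operator, so with the string `y` the test reports "integer expression expected" and fails; the `||` branch then always sets `ENC=false`, and encryption is never enabled whether the user answers y or n or passes `-e y` (this runs before `set -e`, so the error is silent). The string comparison is what is meant: `[ "$ENC" = "y" ] && ENC=true || ENC=false`. The re-prompt path in the next hunk, `unset NAME PASSWD DEV && init`, also does not unset ENC, so after answering n to the confirmation the encryption question is skipped and the already-converted `true` is compared against `y` again and flipped to false; adding `ENC` to that `unset` list keeps re-entry consistent. init() starts before this hunk.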
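Review bot: `crypt_prepare_disk` and `crypt_create_fs` pass the device as bare `$1` (`cryptsetup open --type plain -d /dev/urandom $1 wipe_me`, `luksFormat $1`, `open $1 root`); it originates from the interactive `read -p ... DEV`, so it should be `"$1"`. More importantly, the call site `[ "$ENC" == true ] && crypt_prepare_disk "/dev/$DEV"` runs the function inside an `&&` list, where `set -e` is suspended: a failed `cryptsetup open` is ignored, `dd` then fails against a missing mapping, and the script goes on to partition the disk as if the wipe had happened. Calling it from an `if` body re-enables `set -e` inside the function, which in turn means `dd`'s expected non-zero exit at end of device has to be handled explicitly. `crypt_create_fs` is defined here but its call is not in the readable part of this hunk (the text from `gdisk /dev/$DEV <` onward is garbled in this rendering), so which partition it is applied to cannot be checked.
```shell
crypt_prepare_disk() {
  cryptsetup open --type plain -d /dev/urandom "$1" wipe_me
  # dd stops with ENOSPC once the mapping is full; that is the normal end of the wipe
  dd if=/dev/zero of=/dev/mapper/wipe_me bs=1M status=progress || true
  cryptsetup close wipe_me
}

crypt_create_fs() {
  cryptsetup -y -v luksFormat "$1"
  cryptsetup open "$1" root
  mkfs.ext4 /dev/mapper/root
}
# … unchanged: set -e, init …
if [ "$ENC" == true ]; then
  crypt_prepare_disk "/dev/$DEV"
fi
```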
@@ -88,6 +116,14 @@ genfstab -p /mnt > /mnt/etc/fstab
 cat < /mnt/root/bootstrap2.sh
 #!/bin/bash
+
+if [ $ENC == true ]; then
+ sed -i 's/\(^HOOKS.*block\)/\1 encrypt/' /etc/mkinitcpio.conf
+ ct_entry="swap LABEL=cryptswap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=512"
+ echo $ct_entry >> /etc/crypttab
+ echo "/dev/mapper/swap none swap defaults 0 0" >> /etc/fstab
+fi
+
 ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
 echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
@@ -106,17 +142,16 @@ cat < /boot/loader/entries/arch-uefi.conf
 title Arch
 linux /vmlinuz-linux-zen
 initrd /initramfs-linux-zen.img
-options root=LABEL=P_ROOT rw resume=LABEL=P_SWAP
+options $KERNEL_OPTIONS
 EEE
 cat < /boot/loader/entries/arch-uefi-fallback.conf
 title Arch Linux Fallback
 linux /vmlinuz-linux-zen
 initrd /initramfs-linux-zen-fallback.img
-options root=LABEL=P_ROOT rw resume=LABEL=P_SWAP
+options $KERNEL_OPTIONS
 EEE
-
 cat < /boot/loader/loader.conf
 default arch-uefi
 timeout 1
@@ -139,4 +174,4 @@ chmod u+x /mnt/root/bootstrap2.sh
 arch-chroot /mnt /root/bootstrap2.sh
 rm /mnt/root/bootstrap2.sh
-reboot
+# reboot
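Review bot: `sed -i 's/\(^HOOKS.*block\)/\1 encrypt/'` inserts `encrypt` directly after `block`; with the stock mkinitcpio HOOKS of that period (`... block filesystems keyboard fsck`) that places `encrypt` ahead of `keyboard`, so a USB keyboard may not be usable at the passphrase prompt — the `keyboard` hook needs to be moved ahead of `encrypt` rather than just appending `encrypt` after `block`. The crypttab entry keys swap from `/dev/urandom`, which rules out resume from hibernation, so the old `resume=LABEL=P_SWAP` must not survive into `$KERNEL_OPTIONS`; and `LABEL=cryptswap` only resolves at boot if a label lives in the first 2048 sectors that `offset=2048` skips, which nothing in this hunk creates (presumably elsewhere in the patch — worth confirming). Style: `echo $ct_entry >> /etc/crypttab` should be `printf '%s\n' "$ct_entry" >> /etc/crypttab`, and `[ $ENC == true ]` should quote `"$ENC"`. These lines sit inside the heredoc that becomes bootstrap2.sh, which starts before the hunk.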
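Review bot: `options $KERNEL_OPTIONS` replaces the fixed `root=LABEL=P_ROOT rw resume=LABEL=P_SWAP` in both loader entries, but `KERNEL_OPTIONS` is not assigned in any visible hunk. If the outer `cat <<EOF > /mnt/root/bootstrap2.sh` heredoc is unquoted the value is expanded by the installer and baked into the entries; if it is quoted it is evaluated inside the chroot where it is unset, both entries get an empty `options` line, and the system does not boot. A guard in the outer script before that heredoc, `: "${KERNEL_OPTIONS:?must be set before writing loader entries}"`, turns that into an immediate failure. For the encrypted root the value also has to carry the encrypt hook's `cryptdevice=<root-partition>:root root=/dev/mapper/root` and drop `resume=` now that swap uses a random key. The entry heredocs here are nested in the larger bootstrap2.sh heredoc, which begins before the hunk.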