diff --git a/install.conf b/install.conf
index 1117ba4..8736771 100644
--- a/install.conf
+++ b/install.conf
@@ -8,5 +8,6 @@ FILESYSTEM xfs
 IMAGE /root/images/Alma-9-latest-amd64-base.tar.gz
 CRYPTPASSWORD changeme
+PART /boot/efi esp 256M
 PART /boot ext4 2G
 PART / xfs all crypt
\ No newline at end of file
diff --git a/install.sh b/install.sh
index ee3b307..0c7079c 100644
--- a/install.sh
+++ b/install.sh
@@ -236,7 +236,7 @@ fi
 echo -e "\n[+] Starting Hetzner installimage..."
 echo "The installer will now run. Follow any prompts if needed."
 echo ""
-if ! $INSTALLIMAGE_CMD -a -c /root/install.conf -s /root/post-install.sh; then
+if ! $INSTALLIMAGE_CMD -a -c /root/install.conf -x /root/post-install.sh; then
 echo -e "\nERROR: Installation failed!"
 exit 1
 fi
diff --git a/post-install.sh b/post-install.sh
index 1281403..b74f42d 100755
--- a/post-install.sh
+++ b/post-install.sh
@@ -104,7 +104,8 @@ dnf config-manager --set-enabled crb
 dnf install -y \
 clevis clevis-luks clevis-tang clevis-tpm2 tpm2-tools tpm2-tss \
 git zsh tmux neovim python3-pip \
- dracut-clevis dropbear tree curl wget nano
+ dracut-clevis dracut-network \
+ dropbear tree curl wget nano
 
 # Install lsd and bat from GitHub releases (not in repos)
 echo "[+] Installing lsd and bat..."
@@ -174,10 +175,65 @@ systemctl enable clevis-luks-askpass.service
 # Configure dropbear for remote unlock
 echo "[+] Configuring dropbear for remote unlock..."
+# Install dropbear-dracut module
+cat > /usr/lib/dracut/modules.d/60dropbear/module-setup.sh << 'EOF'
+#!/bin/bash
+check() {
+ require_binaries dropbear || return 1
+ return 0
+}
+
+depends() {
+ echo network
+ return 0
+}
+
+install() {
+ inst_multiple dropbear dropbearkey
+ mkdir -p "$initdir/etc/dropbear"
+ # Copy authorized keys
+ [ -f /etc/dropbear/authorized_keys ] && inst /etc/dropbear/authorized_keys /etc/dropbear/authorized_keys
+ # Generate host keys if not present
+ [ -f /etc/dropbear/dropbear_rsa_host_key ] || dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
+ [ -f /etc/dropbear/dropbear_ecdsa_host_key ] || dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key
+ [ -f /etc/dropbear/dropbear_ed25519_host_key ] || dropbearkey -t ed25519 -f /etc/dropbear/dropbear_ed25519_host_key
+ inst /etc/dropbear/dropbear_*_host_key
+ inst_hook cmdline 60 "$moddir/dropbear-start.sh"
+ inst_simple "$moddir/unlock-luks.sh" /bin/unlock-luks
+}
+EOF
+
+cat > /usr/lib/dracut/modules.d/60dropbear/dropbear-start.sh << 'EOF'
+#!/bin/bash
+info "Starting dropbear SSH server..."
+[ -d /etc/dropbear ] || mkdir -p /etc/dropbear
+dropbear -E -s -j -k -p 2222 -P /var/run/dropbear.pid
+EOF
+
+cat > /usr/lib/dracut/modules.d/60dropbear/unlock-luks.sh << 'EOF'
+#!/bin/bash
+echo "Unlocking LUKS devices..."
+for device in /dev/mapper/luks-*; do
+ if [ -b "$device" ]; then
+ cryptsetup luksOpen "$device" "${device##*/}"
+ fi
+done
+echo "Devices unlocked. System will continue booting..."
+EOF
+
+chmod +x /usr/lib/dracut/modules.d/60dropbear/*.sh
+
+# Copy SSH key for dropbear
 mkdir -p /etc/dropbear
 echo "${SSH_KEY}" > /etc/dropbear/authorized_keys
 chmod 600 /etc/dropbear/authorized_keys
+# Add dracut configuration for network and dropbear
+cat > /etc/dracut.conf.d/99-dropbear.conf << 'EOF'
+add_dracutmodules+=" network dropbear "
+install_items+=" /etc/dropbear/authorized_keys /etc/dropbear/dropbear_*_host_key "
+EOF
+
 # Regenerate initramfs
 echo "[+] Regenerating initramfs..."
 dracut -f --regenerate-all
@@ -201,6 +257,8 @@ echo "IMPORTANT: The LUKS passphrase is set in install.conf"
 echo "Save it securely for recovery purposes."
 echo ""
 echo "After reboot:"
-echo "- System will unlock automatically if TPM/Tang configured"
-echo "- Or SSH to port 22 for manual unlock"
-echo "- Then SSH as user '${ALMA_USER}'"
\ No newline at end of file
+echo "- SSH to port 2222 to unlock LUKS: ssh -p 2222 root@"
+echo "- Run 'unlock-luks' and enter the LUKS passphrase"
+echo "- Once unlocked, SSH to port 22 as user '${ALMA_USER}'"
+echo ""
+echo "If TPM/Tang is configured, automatic unlock will be attempted first"
\ No newline at end of file
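Review bot: The first `cat > /usr/lib/dracut/modules.d/60dropbear/module-setup.sh` redirect fails unless that directory already exists, and nothing in the hunk creates it (no package in the dnf list is shown to ship a 60dropbear module); add `mkdir -p /usr/lib/dracut/modules.d/60dropbear` before the heredocs. Separately, unlock-luks.sh loops over `/dev/mapper/luks-*`, but those names are the mappings that exist only once a container is open, so before unlock the glob matches nothing and after unlock it tries to re-open an already-active mapping; enumerate the crypto_LUKS block devices instead, as below, or — on a systemd-based initramfs — answer the pending cryptsetup prompt with `systemd-tty-ask-password-agent --query` so the boot continues on its own rather than racing the unit. Note also that `inst /etc/dropbear/dropbear_*_host_key` hands a glob to a helper that takes one source (and optional destination) — `inst_multiple` is the form for several files — and that the host private keys generated at image-build time land in an initramfs on the unencrypted /boot declared in install.conf, which should be a deliberate choice (or the keys regenerated at each boot in dropbear-start.sh, accepting a changing host key).
```shell
echo "Unlocking LUKS devices..."
# Enumerate LUKS containers, not /dev/mapper names (those appear only after unlock).
# Mapping name follows the luks-<UUID> convention the original glob expected — confirm against crypttab.
for device in $(blkid -t TYPE=crypto_LUKS -o device); do
    name="luks-$(blkid -s UUID -o value "$device")"
    [ -e "/dev/mapper/$name" ] && continue
    cryptsetup open "$device" "$name"
done
# … unchanged: final status message …
```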
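Review bot: The new line `echo "- SSH to port 2222 to unlock LUKS: ssh -p 2222 root@"` prints an empty host after `root@`, so the instruction it gives is incomplete; a server-address variable was presumably meant to be interpolated there — confirm which one install.sh makes available and write it as `ssh -p 2222 root@${SERVER_ADDRESS_PLACEHOLDER}` with the real name. The following line tells the user to run `unlock-luks` and type the passphrase, which is the script the earlier hunk installs, so the two messages should be kept in sync if that script's invocation changes.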