fixes (dropbear etc)

install.conf

@@ -8,5 +8,6 @@ FILESYSTEM xfs
 IMAGE /root/images/Alma-9-latest-amd64-base.tar.gz
 CRYPTPASSWORD changeme
 
+PART /boot/efi esp 256M
 PART /boot ext4 2G
 PART / xfs all crypt

install.sh

@@ -236,7 +236,7 @@ fi
 echo -e "\n[+] Starting Hetzner installimage..."
 echo "The installer will now run. Follow any prompts if needed."
 echo ""
-if ! $INSTALLIMAGE_CMD -a -c /root/install.conf -s /root/post-install.sh; then
+if ! $INSTALLIMAGE_CMD -a -c /root/install.conf -x /root/post-install.sh; then
     echo -e "\nERROR: Installation failed!"
     exit 1
 fi

post-install.sh

@@ -104,7 +104,8 @@ dnf config-manager --set-enabled crb
 dnf install -y \
   clevis clevis-luks clevis-tang clevis-tpm2 tpm2-tools tpm2-tss \
   git zsh tmux neovim python3-pip \
-  dracut-clevis dropbear tree curl wget nano
+  dracut-clevis dracut-network \
+  dropbear tree curl wget nano
 
 # Install lsd and bat from GitHub releases (not in repos)
 echo "[+] Installing lsd and bat..."
@@ -174,10 +175,65 @@ systemctl enable clevis-luks-askpass.service
 
 # Configure dropbear for remote unlock
 echo "[+] Configuring dropbear for remote unlock..."
+# Install dropbear-dracut module
+cat > /usr/lib/dracut/modules.d/60dropbear/module-setup.sh << 'EOF'
+#!/bin/bash
+check() {
+    require_binaries dropbear || return 1
+    return 0
+}
+
+depends() {
+    echo network
+    return 0
+}
+
+install() {
+    inst_multiple dropbear dropbearkey
+    mkdir -p "$initdir/etc/dropbear"
+    # Copy authorized keys
+    [ -f /etc/dropbear/authorized_keys ] && inst /etc/dropbear/authorized_keys /etc/dropbear/authorized_keys
+    # Generate host keys if not present
+    [ -f /etc/dropbear/dropbear_rsa_host_key ] || dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
+    [ -f /etc/dropbear/dropbear_ecdsa_host_key ] || dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key
+    [ -f /etc/dropbear/dropbear_ed25519_host_key ] || dropbearkey -t ed25519 -f /etc/dropbear/dropbear_ed25519_host_key
+    inst /etc/dropbear/dropbear_*_host_key
+    inst_hook cmdline 60 "$moddir/dropbear-start.sh"
+    inst_simple "$moddir/unlock-luks.sh" /bin/unlock-luks
+}
+EOF
+
+cat > /usr/lib/dracut/modules.d/60dropbear/dropbear-start.sh << 'EOF'
+#!/bin/bash
+info "Starting dropbear SSH server..."
+[ -d /etc/dropbear ] || mkdir -p /etc/dropbear
+dropbear -E -s -j -k -p 2222 -P /var/run/dropbear.pid
+EOF
+
+cat > /usr/lib/dracut/modules.d/60dropbear/unlock-luks.sh << 'EOF'
+#!/bin/bash
+echo "Unlocking LUKS devices..."
+for device in /dev/mapper/luks-*; do
+    if [ -b "$device" ]; then
+        cryptsetup luksOpen "$device" "${device##*/}"
+    fi
+done
+echo "Devices unlocked. System will continue booting..."
+EOF
+
+chmod +x /usr/lib/dracut/modules.d/60dropbear/*.sh
+
+# Copy SSH key for dropbear
 mkdir -p /etc/dropbear
 echo "${SSH_KEY}" > /etc/dropbear/authorized_keys
 chmod 600 /etc/dropbear/authorized_keys
 
+# Add dracut configuration for network and dropbear
+cat > /etc/dracut.conf.d/99-dropbear.conf << 'EOF'
+add_dracutmodules+=" network dropbear "
+install_items+=" /etc/dropbear/authorized_keys /etc/dropbear/dropbear_*_host_key "
+EOF
+
 # Regenerate initramfs
 echo "[+] Regenerating initramfs..."
 dracut -f --regenerate-all
@@ -201,6 +257,8 @@ echo "IMPORTANT: The LUKS passphrase is set in install.conf"
 echo "Save it securely for recovery purposes."
 echo ""
 echo "After reboot:"
-echo "- System will unlock automatically if TPM/Tang configured"
+echo "- SSH to port 2222 to unlock LUKS: ssh -p 2222 root@<server-ip>"
-echo "- Or SSH to port 22 for manual unlock"
+echo "- Run 'unlock-luks' and enter the LUKS passphrase"
-echo "- Then SSH as user '${ALMA_USER}'"
+echo "- Once unlocked, SSH to port 22 as user '${ALMA_USER}'"
+echo ""
+echo "If TPM/Tang is configured, automatic unlock will be attempted first"