From bf051cba2a43f313d67894e56ba09f171927ff97 Mon Sep 17 00:00:00 2001 From: Dominik Roth Date: Mon, 18 Aug 2025 00:30:35 +0200 Subject: [PATCH] FiXeS --- post-install.sh | 81 ++++++++++++++++++++++++++++++++----------------- 1 file changed, 53 insertions(+), 28 deletions(-) diff --git a/post-install.sh b/post-install.sh index 52f5ca9..e7cfe8d 100755 --- a/post-install.sh +++ b/post-install.sh @@ -82,13 +82,16 @@ chown -R ${ALMA_USER}:${ALMA_USER} /home/${ALMA_USER}/.ssh # Install oh-my-zsh and powerlevel10k echo "[+] Installing oh-my-zsh and powerlevel10k..." -# Download and run oh-my-zsh installer as the user -su - ${ALMA_USER} -c 'sh -c "$(wget -O- https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" "" --unattended' || echo "WARNING: oh-my-zsh installation failed" +# Download and run oh-my-zsh installer as the user with proper environment +export RUNZSH=no +export CHSH=no +su - ${ALMA_USER} -c 'export RUNZSH=no; export CHSH=no; sh -c "$(wget -O- https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"' || echo "WARNING: oh-my-zsh installation failed" # Clone powerlevel10k theme su - ${ALMA_USER} -c 'git clone --depth=1 https://github.com/romkatv/powerlevel10k.git ~/.oh-my-zsh/custom/themes/powerlevel10k' || echo "WARNING: powerlevel10k installation failed" -# Note: Dotfiles need to be copied manually after installation -echo "[!] Dotfiles will need to be configured manually after first boot" +# Install dotfiles from git repo +echo "[+] Installing dotfiles..." +su - ${ALMA_USER} -c 'cd ~ && git clone https://git.dominik-roth.eu/dodox/nullpoint.git /tmp/nullpoint-dotfiles && cp /tmp/nullpoint-dotfiles/dotfiles/.* . 2>/dev/null || true && rm -rf /tmp/nullpoint-dotfiles' || echo "WARNING: dotfiles installation failed" # Set up MOTD if [ "$ENABLE_MOTD" = true ]; then 
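Review bot: The `|| true` inside the dotfiles `su -c` command string (last added line of the hunk) masks every failure of the `git clone` and the `cp`, so the outer `|| echo "WARNING: dotfiles installation failed"` can only fire if the trailing `rm -rf` fails. The `.*` glob also matches `.` and `..`, which `cp` without `-r` rejects, and that error is hidden by `2>/dev/null`; if the repository's `dotfiles` directory holds only dotfiles, `cp -a /tmp/nullpoint-dotfiles/dotfiles/. ~/` copies them (directories included) and lets real failures surface. The clone lands in the fixed path `/tmp/nullpoint-dotfiles` and tracks whatever the remote default branch currently is; a `mktemp -d` directory and a `--branch` or commit pin make the result reproducible and keep a stale `/tmp` entry from breaking the clone. The two top-level `export RUNZSH=no` / `export CHSH=no` lines appear redundant, since `su -` normally starts a login shell with a reset environment and the exports inside the command string already set them.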
@@ -101,10 +104,21 @@ fi # Install additional packages echo "[+] Installing additional packages..." dnf install -y \ - clevis clevis-luks clevis-tang clevis-tpm2 tpm2-tools tpm2-tss \ + clevis clevis-luks tpm2-tools tpm2-tss \ tmux neovim python3-pip \ - dracut-clevis dracut-network \ - dropbear tree nano || exit 1 + tree gcc make zlib-devel autoconf automake || exit 1 + +# Build and install dropbear from source since AlmaLinux doesn't package it +echo "[+] Installing dropbear from source..." +cd /tmp +wget -q https://matt.ucc.asn.au/dropbear/releases/dropbear-2022.83.tar.bz2 +tar xf dropbear-2022.83.tar.bz2 +cd dropbear-2022.83 +./configure --prefix=/usr/local --enable-static +make PROGRAMS="dropbear dropbearkey" MULTI=1 +make install +ln -sf /usr/local/bin/dropbear /usr/bin/dropbear +ln -sf /usr/local/bin/dropbearkey /usr/bin/dropbearkey # Install lsd and bat echo "[+] Installing lsd and bat..." @@ -178,11 +192,14 @@ systemctl enable clevis-luks-askpass.service # Configure dropbear for remote unlock echo "[+] Configuring dropbear for remote unlock..." -# Install dropbear-dracut module + +# Create dropbear dracut module +mkdir -p /usr/lib/dracut/modules.d/60dropbear + cat > /usr/lib/dracut/modules.d/60dropbear/module-setup.sh << 'EOF' #!/bin/bash check() { - require_binaries dropbear || return 1 + require_binaries dropbear dropbearkey || return 1 return 0 } 
@@ -194,44 +211,53 @@ depends() { install() { inst_multiple dropbear dropbearkey mkdir -p "$initdir/etc/dropbear" + # Copy authorized keys [ -f /etc/dropbear/authorized_keys ] && inst /etc/dropbear/authorized_keys /etc/dropbear/authorized_keys - # Generate host keys if not present - [ -f /etc/dropbear/dropbear_rsa_host_key ] || dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key - [ -f /etc/dropbear/dropbear_ecdsa_host_key ] || dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key - [ -f /etc/dropbear/dropbear_ed25519_host_key ] || dropbearkey -t ed25519 -f /etc/dropbear/dropbear_ed25519_host_key - inst /etc/dropbear/dropbear_*_host_key + + # Copy host keys + inst /etc/dropbear/dropbear_*_host_key /etc/dropbear/ 2>/dev/null || true + + # Install startup script inst_hook cmdline 60 "$moddir/dropbear-start.sh" + + # Install unlock script inst_simple "$moddir/unlock-luks.sh" /bin/unlock-luks + chmod +x "$initdir/bin/unlock-luks" } EOF cat > /usr/lib/dracut/modules.d/60dropbear/dropbear-start.sh << 'EOF' #!/bin/bash -info "Starting dropbear SSH server..." +info "Starting dropbear SSH server on port 2222..." [ -d /etc/dropbear ] || mkdir -p /etc/dropbear +[ -f /etc/dropbear/dropbear_rsa_host_key ] || dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key dropbear -E -s -j -k -p 2222 -P /var/run/dropbear.pid EOF cat > /usr/lib/dracut/modules.d/60dropbear/unlock-luks.sh << 'EOF' #!/bin/bash -echo "Unlocking LUKS devices..." -for device in /dev/mapper/luks-*; do - if [ -b "$device" ]; then - cryptsetup luksOpen "$device" "${device##*/}" - fi -done -echo "Devices unlocked. System will continue booting..." 
+echo "Available LUKS devices:" +ls /dev/mapper/luks-* 2>/dev/null +echo "Run: systemctl start systemd-cryptsetup@.service" +echo "Or use: cryptsetup luksOpen /dev/md/ " +echo "Then: exit" +/bin/bash EOF chmod +x /usr/lib/dracut/modules.d/60dropbear/*.sh -# Copy SSH key for dropbear +# Setup dropbear mkdir -p /etc/dropbear echo "${SSH_KEY}" > /etc/dropbear/authorized_keys chmod 600 /etc/dropbear/authorized_keys -# Add dracut configuration for network and dropbear +# Generate host keys +dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key +dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key +dropbearkey -t ed25519 -f /etc/dropbear/dropbear_ed25519_host_key + +# Configure dracut cat > /etc/dracut.conf.d/99-dropbear.conf << 'EOF' add_dracutmodules+=" network dropbear " install_items+=" /etc/dropbear/authorized_keys /etc/dropbear/dropbear_*_host_key " @@ -260,8 +286,7 @@ echo "IMPORTANT: The LUKS passphrase is set in install.conf" echo "Save it securely for recovery purposes." echo "" echo "After reboot:" -echo "- SSH to port 2222 to unlock LUKS: ssh -p 2222 root@" -echo "- Run 'unlock-luks' and enter the LUKS passphrase" +echo "- SSH to port 2222 for remote unlock: ssh -p 2222 root@" +echo "- Run 'unlock-luks' and follow the instructions to unlock LUKS" echo "- Once unlocked, SSH to port 22 as user '${ALMA_USER}'" -echo "" -echo "If TPM/Tang is configured, automatic unlock will be attempted first" \ No newline at end of file +echo "- LUKS passphrase: [see installer output]" \ No newline at end of file
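Review bot: In the `install()` function of `module-setup.sh`, the host-key copy `inst /etc/dropbear/dropbear_*_host_key /etc/dropbear/ 2>/dev/null || true` silences any failure, and the new line in `dropbear-start.sh` then generates a fresh RSA key at boot whenever the key is missing, so a broken copy would make the initramfs present a different host key on every boot — precisely the situation in which an administrator can no longer distinguish a genuine key change from an interposed server on the unlock channel. Prefer failing the image build instead, e.g. `inst_multiple /etc/dropbear/dropbear_*_host_key || return 1` (dracut's `inst` is documented for a single source and destination, so the glob-plus-directory form on that line looks doubtful in itself), and drop or at least loudly log the runtime `dropbearkey` fallback. The rewritten `unlock-luks.sh` no longer runs `cryptsetup luksOpen` but prints hints and hands over an interactive root `/bin/bash`; if that is intended, a comment in the module such as `# unlock-luks only prints instructions and drops to a shell; the operator unlocks manually` would stop the next reader from expecting it to unlock anything. The unconditional `dropbearkey -t rsa/ecdsa/ed25519` calls further down replace the removed `[ -f … ] ||` guards, so a re-run of the script either overwrites or refuses to regenerate existing keys depending on the dropbearkey build — keeping the guard seems safer.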