#!/bin/bash
#
# System installer.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License along with this program. If not, see
# .
# Load.
source $APP_BASE/lib/hydra/functions || exit 1
hydra_config_load
# Create a logical volume.
function hydra_provision_lvcreate {
local volume="$1"
local size="$2"
local space
if [ -z "$volume" ] || [ "$size" == "0" ]; then
return
fi
if ! lvdisplay $vg/$volume &> /dev/null; then
echo "Creating logical volume $volume..."
if [ "$size" == "-1" ]; then
space="-l 100%FREE"
else
space="-L $size"
fi
# See http://forums.funtoo.org/viewtopic.php?id=1206
# https://bbs.archlinux.org/viewtopic.php?id=124615
if [ "$disable_zeroing" == "y" ]; then
hydra_sudo_run lvcreate -Z n $space -n $volume $vg
else
hydra_sudo_run lvcreate $space -n $volume $vg
fi
fi
}
# Cryptsetup wrapper.
function hydra_cryptsetup {
if [ ! -z "$1" ] && [ -b "$1" ]; then
# Run cryptsetup with custom parameters
#hydra_sudo_run cryptsetup --cipher aes-xts-plain64:sha256 --key-size 512 --hash sha512 --iter-time 5000 --use-random -y -q luksFormat $1
# GRUB2 from bookworm (or even older) still does not support LUKS2, which seems
# the default type for luksFormat since bullseye at least
# See https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html
hydra_sudo_run cryptsetup --use-random -y -q luksFormat --type luks1 $1
# Run cryptsetup mostly with defaults
#hydra_sudo_run cryptsetup --use-random -y -q luksFormat $1
fi
}
# Create a physical volume.
function hydra_provision_create_volume {
local volume="$1"
if [ -z "$volume" ] || [ ! -b "/dev/mapper/$vg-$volume" ]; then
return
fi
if [ "$encrypt" == "y" ]; then
echo "Creating encrypted $volume device..."
hydra_cryptsetup /dev/mapper/$vg-$volume
hydra_sudo_run cryptsetup luksOpen /dev/mapper/$vg-$volume provision-$volume
hydra_sudo_run mkfs.ext4 /dev/mapper/provision-$volume
if [ "$volume" == "root" ]; then
install_device="/dev/mapper/provision-root"
fi
else
echo "Creating $volume device..."
hydra_sudo_run mkfs.ext4 /dev/mapper/$vg-$volume
if [ "$volume" == "root" ]; then
install_device="/dev/mapper/$vg-root"
fi
fi
}
# Determine optimal partition start taking into account disk alignment
# This function needs to know where the last partition ends
function partition_sector_start {
local sector_start="$1"
local last_partition_end="$2"
local optimal_sector_size="$3"
while (( $sector_start <= $last_partition_end + 1)); do
sector_start="$(($sector_start + $optimal_sector_size))"
done
echo $sector_start
}
# Make sure there is provision config.
function hydra_provision_config {
local base_arch="`uname -m`"
if [ "$base_arch" == "x86_64" ]; then
base_arch="amd64"
else
base_arch="i386"
fi
hydra_user_config interactive y "Interactive mode? (y/n)"
hydra_user_config device /dev/sdb "Physical device(s) (more than one auto sets RAID mode)"
hydra_user_config swap_size 2000 "Swap size (in MB, 0 to not create it)"
hydra_user_config root_size 40G "Size of root partition (-1 for all free space)"
if [ "$root_size" != "-1" ]; then
hydra_user_config home_size 40G "Size of home partition (0 to not create it, -1 for all free space)"
else
home_size="0"
fi
if [ "$root_size" != "-1" ] && [ "$home_size" != "-1" ]; then
hydra_user_config var_size 40G "Size of var partition (0 to not create it, -1 for all free space)"
else
var_size="0"
fi
hydra_user_config encrypt y "Encrypt volumes? (if RAID, then encryption is default) (y/n)"
if [ "$encrypt" == "y" ]; then
hydra_user_config garbage y "Pre-fill volumes with garbage? (y/n)"
fi
if [ "$swap_size" != "0" ]; then
hydra_user_config random_swap y "Random swap? (y/n)"
fi
hydra_user_config disable_zeroing n "Disable zeroing of LVM volumes? (y/n)"
hydra_user_config discards n "Enable discards on volumes (TRIM etc)? (y/n)"
hydra_user_config hostname machine "Hostname"
hydra_user_config domain example.org "Domain"
hydra_user_config arch $base_arch "System arch"
hydra_user_config version bullseye "Distro version"
hydra_user_config vg $hostname "Install vg"
hydra_user_config grub y "Setup GRUB? (y/n)"
hydra_user_config boot_mode uefi "Boot mode? (UEFI/BIOS)"
# Sanitize boot_mode param
boot_mode="`echo $boot_mode | tr '[:upper:]' '[:lower:]'`"
if [ "$boot_mode" == "uefi" ]; then
hydra_user_config secure_boot y "Use SecureBoot? (y/n)"
hydra_user_config uefi_update_nvram y "Set NVRAM boot variables for GRUB? (y/n)"
fi
hydra_user_config initramfs initramfs-tools "Initramfs manager? (initramfs-tools/dracut)"
hydra_user_config mirror https://deb.debian.org/debian/ "Debian mirror"
hydra_user_config ssh y "Install openssh-server? (y/n)"
# Check arch
if [ "$arch" == "armel" ] || [ "$arch" == "armhf" ]; then
echo "You probably want to run provision-raspi instead of provision"
exit 1
fi
# Set discards config
if [ "$discards" == "y" ]; then
crypttab_discards=",discard"
fi
}
# Load configuration
hydra_provision_config_load $1
# Parameters
WORK="/tmp/debootstrap"
# Set environment
export LC_ALL=C
# Get config parameters.
hydra_provision_config
# Check for requirements.
for req in debootstrap cryptsetup lvm2 parted; do
hydra_install_package $req
done
# Warning.
if [ "$interactive" == "y" ]; then
echo "WARNING: about to create partitions on $device!"
echo "WARNING: make sure you have backups of the important data from this device!"
echo "Press ENTER to continue, Ctrl-C to abort."
read answer
fi
# Check number of devices
num_devices="`echo $device | wc -w`"
# Set partition naming scheme
#
# "Partition device names are a combination of the drive's device name and the
# partition number assigned to them in the partition table, i.e.
# /dev/drivepartition. For drives whose device name ends with a number, the
# drive name and partition number is separated with the letter "p", i.e.
# /dev/driveppartition."
#
# -- https://wiki.archlinux.org/title/Device_file
#
#if echo $device | grep -q -E 'nvme|mmcblk'; then
if echo $device | grep -q -E '[0-9]$'; then
partition_separator="p"
else
partition_separator=""
fi
# RAID: do this instead of regular partitioning.
if [ "$num_devices" != "1" ]; then
# Force encryption and fix device name.
encrypt="y"
physical_devices="$device"
device="/dev/md/$hostname"
for dev in $physical_devices; do
hydra_sudo_run parted -s -- $dev mklabel gpt
hydra_sudo_run parted -s -- $dev mkpart ext4 1M 100%
hydra_sudo_run parted -s -- $dev set 1 raid on
done
hydra_install_package mdadm
mdadm --create --verbose $device --level=1 --raid-devices=$num_devices $physical_devices
# See https://bbs.archlinux.org/viewtopic.php?id=148250
hydra_sudo_run dd if=/dev/zero of=$device bs=1M count=32
boot_device="$device"
syst_device="$device"
else
# Partition alignment
# See https://rainbow.chard.org/2013/01/30/how-to-align-partitions-for-best-performance-using-parted/
# https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-block
# https://people.redhat.com/msnitzer/docs/io-limits.txt
mebibyte="$((1024*1024))"
block="`echo $device | sed -e 's|^/dev/||'`"
optimal_size="`cat /sys/block/$block/queue/optimal_io_size`"
# Use a default of 1 MiB for the optimal size
# See https://access.redhat.com/articles/3911611
# https://blog.hqcodeshop.fi/archives/273-GNU-Parted-Solving-the-dreaded-The-resulting-partition-is-not-properly-aligned-for-best-performance.html
# http://opensource.hqcodeshop.com/Parted%20calculator/parted_mkpart_calc.sh
if [ "$optimal_size" == "0" ]; then
optimal_size="$mebibyte"
fi
alignment_offset="`cat /sys/block/$block/alignment_offset`"
block_size="`cat /sys/block/$block/queue/physical_block_size`"
start="$((($optimal_size + $alignment_offset) / $block_size))"
optimal_sector_size="$(($optimal_size / $block_size))"
if [ "$boot_mode" == "bios" ]; then
# Sector size for a 1MB partition, BIOS mode
grub_size="$(($mebibyte/$block_size))"
grub_end="$(($start + $grub_size - 1))"
else
# Sector size for a 300MB partition, UEFI mode
# See https://wiki.archlinux.org/title/Parted#UEFI/GPT_examples
grub_size="$(($mebibyte/$block_size*300))"
grub_end="$(($start + $grub_size - 1))"
fi
# Regular disk partitioning.
hydra_sudo_run parted -s -- $device mklabel gpt
#hydra_sudo_run parted -s -- $device unit MB mkpart non-fs 2 3
if [ "$boot_mode" == "bios" ]; then
# See https://unix.stackexchange.com/questions/190317/gnu-parted-resizepart-in-script#202872
# https://bugs.launchpad.net/ubuntu/+source/parted/+bug/1270203
# https://techtitbits.com/2018/12/using-parteds-resizepart-non-interactively-on-a-busy-partition/
# https://serverfault.com/questions/870594/resize-partition-to-maximum-using-parted-in-non-interactive-mode
#hydra_sudo_run parted -s ---pretend-input-tty -- $device mkpart non-fs ${start}s ${grub_end}s Yes
#hydra_sudo_run parted $device mkpart non-fs ${start}s ${grub_end}s Yes Ignore quit
#hydra_sudo_run parted -s ---pretend-input-tty $device < /dev/null; then
echo "Creating physical volume..."
hydra_sudo_run pvcreate $syst_device
fi
if ! vgdisplay $vg &> /dev/null; then
echo "Creating volume group..."
hydra_sudo_run vgcreate $vg $syst_device
fi
# Activate volume group
hydra_sudo_run vgchange -a y $vg
# Create swap partition
if [ "$swap_size" != "0" ]; then
hydra_provision_lvcreate swap $swap_size
fi
# Create root partition.
hydra_provision_lvcreate root $root_size
# Create home partition.
if [ "$home_size" != "0" ]; then
hydra_provision_lvcreate home $home_size
fi
# Create var partition.
if [ "$var_size" != "0" ]; then
hydra_provision_lvcreate var $var_size
fi
# Garbage.
if [ "$garbage" == "y" ]; then
echo "Filling volumes with garbage..."
hydra_sudo_run dd if=/dev/urandom of=/dev/mapper/$vg-root
if [ -b "/dev/mapper/$vg-home" ]; then
hydra_sudo_run dd if=/dev/urandom of=/dev/mapper/$vg-home
fi
if [ -b "/dev/mapper/$vg-var" ]; then
hydra_sudo_run dd if=/dev/urandom of=/dev/mapper/$vg-var
fi
if [ "$swap_size" != "0" ]; then
hydra_sudo_run dd if=/dev/urandom of=/dev/mapper/$vg-swap
fi
fi
# Make sure that the mountpoint exists
hydra_sudo_run mkdir -p $WORK
# Setup mountpoint and make sure it's not mounted due to a failed install.
if cat /proc/mounts | cut -d ' ' -f 2 | grep -q "^$WORK$"; then
hydra_sudo_run umount $WORK
for folder in proc dev home var boot sys; do
if cat /proc/mounts | cut -d ' ' -f 2 | grep -q "^$WORK/$folder$"; then
hydra_sudo_run umount $WORK/$folder
fi
done
fi
# Create swap fs.
if [ "$swap_size" != "0" ] && [ "$random_swap" != "y" ]; then
hydra_cryptsetup /dev/mapper/$vg-swap
hydra_sudo_run cryptsetup luksOpen /dev/mapper/$vg-swap provision-swap
hydra_sudo_run mkswap /dev/mapper/provision-swap
fi
# Create root fs
hydra_provision_create_volume root
# Create home fs.
if [ "$home_size" != "0" ]; then
hydra_provision_create_volume home
fi
# Create var fs.
if [ "$var_size" != "0" ]; then
hydra_provision_create_volume var
fi
# Mount root volume.
hydra_sudo_run mount $install_device $WORK/
# Mount additional volumes.
if [ "$home_size" != "0" ]; then
mkdir $WORK/home
if [ "$encrypt" == "y" ]; then
hydra_sudo_run mount /dev/mapper/provision-home $WORK/home
else
hydra_sudo_run mount /dev/mapper/$vg-home $WORK/home
fi
fi
if [ "$var_size" != "0" ]; then
hydra_sudo_run mkdir $WORK/var
if [ "$encrypt" == "y" ]; then
hydra_sudo_run mount /dev/mapper/provision-var $WORK/var
else
hydra_sudo_run mount /dev/mapper/$vg-var $WORK/var
fi
fi
# Non-interactive installation
APT_INSTALL="hydra_sudo_run LC_ALL=C DEBIAN_FRONTEND=noninteractive chroot $WORK/ apt-get install"
# Initial system install.
echo "Installing base system..."
hydra_sudo_run LC_ALL=C DEBIAN_FRONTEND=noninteractive debootstrap --force-check-gpg --arch=$arch $version $WORK/ $mirror
# Initial configuration.
echo "Applying initial configuration..."
hydra_sudo_run mount none -t proc $WORK/proc
hydra_sudo_run mount none -t sysfs $WORK/sys
hydra_sudo_run mount -o bind /run/ $WORK/run
hydra_sudo_run mount -o bind /dev/ $WORK/dev
hydra_sudo_run mount -o bind /dev/pts $WORK/dev/pts
echo LANG=C | $SUDO tee $WORK/etc/default/locale > /dev/null
if [ "$boot_mode" == "uefi" ]; then
hydra_sudo_run mount none -t efivarfs $WORK/sys/firmware/efi/efivars
fi
# Resolver configuration.
echo "domain $domain" | $SUDO tee $WORK/etc/resolv.conf > /dev/null
echo "search $hostname.$domain" | $SUDO tee -a $WORK/etc/resolv.conf > /dev/null
grep nameserver /etc/resolv.conf | $SUDO tee -a $WORK/etc/resolv.conf > /dev/null
# Hostname configuration.
echo $hostname.$domain | $SUDO tee $WORK/etc/hostname > /dev/null
echo "127.0.0.1 localhost" | $SUDO tee -a $WORK/etc/hosts > /dev/null
# This ordering is important for facter correctly guess the domain name
echo "127.0.0.1 $hostname.$domain $hostname" | $SUDO tee -a $WORK/etc/hosts > /dev/null
# Invert hostname contents to avoid http://projects.puppetlabs.com/issues/2533
tac $WORK/etc/hosts | $SUDO tee $WORK/etc/hosts.new > /dev/null
hydra_sudo_run mv $WORK/etc/hosts.new $WORK/etc/hosts
# Apt
if [ "$version" != "sid" ]; then
echo "deb http://security.debian.org/debian-security $version-security main contrib non-free" | $SUDO tee -a $WORK/etc/apt/sources.list
echo "deb-src http://security.debian.org/debian-security $version-security main contrib non-free" | $SUDO tee -a $WORK/etc/apt/sources.list
fi
# Initial upgrade.
echo "Applying initial upgrades..."
hydra_sudo_run chroot $WORK/ apt-get update
hydra_sudo_run chroot $WORK/ apt-get upgrade -y
$APT_INSTALL locales cryptsetup lvm2 -y
# Crypttab.
echo "Configuring crypttab..."
echo "# " | $SUDO tee $WORK/etc/crypttab > /dev/null
if [ "$encrypt" == "y" ]; then
cat <<-EOF | $SUDO tee $WORK/etc/crypttab > /dev/null
root /dev/mapper/$vg-root none luks$crypttab_discards
EOF
fi
if [ "$home_size" != "0" ] && [ "$encrypt" == "y" ]; then
cat <<-EOF | $SUDO tee -a $WORK/etc/crypttab > /dev/null
home /dev/mapper/$vg-home none luks$crypttab_discards
EOF
fi
if [ "$var_size" != "0" ] && [ "$encrypt" == "y" ]; then
cat <<-EOF | $SUDO tee -a $WORK/etc/crypttab > /dev/null
var /dev/mapper/$vg-var none luks$crypttab_discards
EOF
fi
if [ "$swap_size" != "0" ] && [ "$random_swap" == "y" ]; then
cat <<-EOF | $SUDO tee -a $WORK/etc/crypttab > /dev/null
swap /dev/mapper/$vg-swap /dev/random swap,cipher=aes-xts-plain64:sha256
EOF
fi
if [ "$swap_size" != "0" ] && [ "$random_swap" != "y" ]; then
cat <<-EOF | $SUDO tee -a $WORK/etc/crypttab > /dev/null
swap /dev/mapper/$vg-swap none luks,swap
EOF
fi
# Fstab.
echo "Configuring fstab..."
hydra_sudo_run touch $WORK/etc/fstab
#echo "" | $SUDO tee $WORK/etc/fstab > /dev/null
if [ "$swap_size" != "0" ]; then
cat <<-EOF | $SUDO tee -a $WORK/etc/fstab > /dev/null
/dev/mapper/swap none swap sw 0 0
EOF
fi
if [ "$encrypt" == "y" ]; then
cat <<-EOF | $SUDO tee -a $WORK/etc/fstab > /dev/null
/dev/mapper/root / ext4 defaults,errors=remount-ro 0 1
EOF
else
cat <<-EOF | $SUDO tee -a $WORK/etc/fstab > /dev/null
/dev/mapper/$vg-root / ext4 defaults,errors=remount-ro 0 1
EOF
fi
if [ "$home_size" != "0" ]; then
if [ "$encrypt" == "y" ]; then
cat <<-EOF | $SUDO tee -a $WORK/etc/fstab > /dev/null
/dev/mapper/home /home ext4 defaults,errors=remount-ro 0 2
EOF
else
cat <<-EOF | $SUDO tee -a $WORK/etc/fstab > /dev/null
/dev/mapper/$vg-home /home ext4 defaults,errors=remount-ro 0 2
EOF
fi
fi
if [ "$var_size" != "0" ]; then
if [ "$encrypt" == "y" ]; then
cat <<-EOF | $SUDO tee -a $WORK/etc/fstab > /dev/null
/dev/mapper/var /var ext4 defaults,errors=remount-ro 0 2
EOF
else
cat <<-EOF | $SUDO tee -a $WORK/etc/fstab > /dev/null
/dev/mapper/$vg-var /var ext4 defaults,errors=remount-ro 0 2
EOF
fi
fi
if [ "$boot_mode" == "uefi" ]; then
cat <<-EOF | $SUDO tee -a $WORK/etc/fstab > /dev/null
${esp_device} /boot/efi vfat defaults,errors=remount-ro 0 2
EOF
fi
# LVM.
if [ "$discards" == "y" ]; then
$SUDO sed -i -e 's/issue_discards = 0/issue_discards = 1/' $WORK/etc/lvm/lvm.conf
fi
# Boot device must be available before installing kernel and initramfs.
if [ "$grub" == "y" ] && [ "$encrypt" != "y" ]; then
echo "Boot device setup..."
hydra_sudo_run mkfs.ext4 $boot_device
hydra_sudo_run mount $boot_device $WORK/boot
fi
# Kernel.
echo "Installing kernel..."
cat <<-EOF | $SUDO tee $WORK/etc/kernel-img.conf > /dev/null
do_initrd = Yes
EOF
if [ "$arch" == "i386" ]; then
kernel_arch="686"
else
kernel_arch="$arch"
fi
# Kernel.
$APT_INSTALL linux-image-$kernel_arch -y
# Initramfs.
echo "Creating initramfs..."
if [ "$initramfs" == "initramfs-tools" ]; then
$APT_INSTALL initramfs-tools cryptsetup-initramfs -y
cat <<-EOF | $SUDO tee $WORK/etc/initramfs-tools/modules > /dev/null
dm-mod
dm-crypt
dm-raid
aes
sha256
EOF
#if [ -e "$WORK/etc/cryptsetup-initramfs/conf-hook" ]; then
# hydra_sudo_run sed -i -e 's/#CRYPTSETUP=/CRYPTSETUP=y/' $WORK/etc/cryptsetup-initramfs/conf-hook
#fi
cat <<-EOF | $SUDO tee $WORK/etc/initramfs-tools/conf.d/cryptsetup.conf > /dev/null
CRYPTSETUP=y
EOF
hydra_sudo_run chroot $WORK update-initramfs -u
else
$APT_INSTALL dracut -y
# Ensure initramfs-tools is absent
hydra_sudo_run chroot $WORK apt-get autoremove -y
fi
# Grub.
if [ "$grub" == "y" ]; then
echo "Setting up GRUB..."
# Ensure this folder exists
hydra_sudo_run mkdir $WORK/boot/grub
if [ "$boot_mode" == "bios" ]; then
$APT_INSTALL grub-pc -y
else
if [ "$arch" == "amd64" ]; then
grub_arch="x86_64"
else
grub_arch="$arch"
fi
if [ "$uefi_update_nvram" == "n" ]; then
grub_uefi_nvram="--no-nvram"
fi
if [ "$secure_boot" == "y" ]; then
grub_uefi_secure_boot="--uefi-secure-boot"
$APT_INSTALL grub-efi-${arch}-signed -y
else
$APT_INSTALL grub-efi-${arch} -y
fi
# Looks like this is a dependency need for GRUB to be able to
# include this new system as an option in the UEFI NVRAM
$APT_INSTALL efibootmgr -y
# Make UEFI partition available
hydra_sudo_run mkdir $WORK/boot/efi
hydra_sudo_run mount $esp_device $WORK/boot/efi
fi
# Old /etc/default format
#hydra_sudo_run sed -i -e \
# 's/^GRUB_CMDLINE_LINUX_DEFAULT="quiet"$/GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor"/' \
# $WORK/etc/default/grub
cat <<-EOF | $SUDO tee $WORK/etc/default/grub.d/cmdline.cfg > /dev/null
GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor"
EOF
hydra_sudo_run chroot $WORK/ update-grub
if [ "$encrypt" == "y" ]; then
# Old /etc/default format
#echo '' | $SUDO tee -a $WORK/etc/default/grub > /dev/null
#echo '# Full Disk Encryption Support' | $SUDO tee -a $WORK/etc/default/grub > /dev/null
#echo 'GRUB_ENABLE_CRYPTODISK=y' | $SUDO tee -a $WORK/etc/default/grub > /dev/null
#echo 'GRUB_PRELOAD_MODULES="lvm cryptodisk mdraid1x"' | $SUDO tee -a $WORK/etc/default/grub > /dev/null
cat <<-EOF | $SUDO tee $WORK/etc/default/grub.d/fde.cfg > /dev/null
# Full Disk Encryption Support
GRUB_ENABLE_CRYPTODISK="y"
GRUB_PRELOAD_MODULES="lvm crypto cryptodisk luks mdraid1x"
EOF
hydra_sudo_run chroot $WORK/ update-grub
# Fix menu entry
hydra_sudo_run sed -i -e "s|root=/dev/mapper/provision-root|root=/dev/mapper/root|g" $WORK/boot/grub/grub.cfg
hydra_sudo_run sed -i -e "s|root=/dev/mapper/$hostname-unlocked|root=/dev/mapper/root|g" $WORK/boot/grub/grub.cfg
fi
if [ "$boot_mode" == "bios" ]; then
hydra_sudo_run chroot $WORK/ grub-install --recheck --force $device
else
# Bootloader ID currently needs to be "Debian"
# See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925309
grub_opts="$grub_uefi_nvram $grub_uefi_secure_boot --bootloader-id=Debian"
hydra_sudo_run chroot $WORK/ grub-install --target=${grub_arch}-efi \
--efi-directory=/boot/efi \
$grub_opts
fi
fi
# Set boot partition config
if [ "$grub" == "y" ] && [ "$encrypt" != "y" ]; then
# Use UUID
# Reboot device must be calculated after filesystem creation and grub installation
#
# We use lsblk instead of blkid. From blkid(8):
#
# When device is specified, tokens from only this device are displayed. It is
# possible to specify multiple device arguments on the command line. If none
# is given, all devices which appear in /proc/partitions are shown, if they are
# recognized.
#
# Note that blkid reads information directly from devices and for non-root
# users it returns cached unverified information. It is better to use lsblk
# --fs to get a user-friendly overview of filesystems and devices. lsblk(8)
# is also easy to use in scripts. blkid is mostly designed for system services
# and to test libblkid functionality.
#reboot_device="`blkid | grep ^$boot_device: | cut -d ' ' -f 2 | sed -e 's/"//g'`"
#reboot_device="`blkid $boot_device | cut -d ' ' -f 2 | sed -e 's/"//g'`"
reboot_device="`lsblk $boot_device -n -o UUID`"
# Use device name: might lead to wrong results
# During install boot_device might be /dev/sdb2, but on boot be /dev/sda2
#reboot_device="$boot_device"
echo "UUID=$reboot_device /boot ext4 defaults,errors=remount-ro 0 2" | $SUDO tee -a $WORK/etc/fstab > /dev/null
hydra_sudo_run chroot $WORK update-initramfs -u
fi
# Utils.
echo "Installing basic utilities..."
$APT_INSTALL zsh screen cron lsb-release openssl -y
# Networking.
hydra_provision_networking
# SSH.
if [ "$ssh" == "y" ]; then
echo "Installing OpenSSH daemon..."
$APT_INSTALL openssh-server -y
hydra_sudo_run chroot $WORK/ service ssh stop
fi
# Sudo.
echo "Installing sudo..."
$APT_INSTALL sudo -y
echo "%sudo ALL=NOPASSWD: ALL" | $SUDO tee $WORK/etc/sudoers.d/local > /dev/null
$SUDO chmod 440 $WORK/etc/sudoers.d/local
echo "Choose a root password."
hydra_sudo_run chroot $WORK passwd root
# Fingerprints
if [ "$ssh" == "y" ]; then
hydra_provision_fingerprints
fi
echo "Umounting installation device..."
if [ "$boot_mode" == "uefi" ]; then
hydra_sudo_run umount $WORK/boot/efi
hydra_sudo_run umount $WORK/sys/firmware/efi/efivars
fi
if [ "$grub" == "y" ] && [ "$encrypt" != "y" ]; then
hydra_sudo_run umount $WORK/boot
fi
hydra_sudo_run umount $WORK/sys $WORK/proc $WORK/dev/pts $WORK/dev $WORK/run $WORK
if [ "$swap_size" != "0" ]; then
hydra_sudo_run cryptsetup luksClose provision-swap
fi
if [ "$encrypt" == "y" ]; then
hydra_sudo_run cryptsetup luksClose provision-root
fi
hydra_sudo_run vgchange -a n $vg
cat <<-EOF
Now proceeed with final steps:
- Create an user account with sudo privileges.
- Network setup.
- Review fstab, crypttab and optional GRUB configuration.
See https://padrao.fluxo.info/install for more information.
If you know what you're doing, you might test and finish the installation using:
sudo kvm -m 512 -hda $device
EOF