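#!/bin/bash
# Copyright (C) 2022 Ian Kelling
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# Create a per-host encrypted volume on a fixed set of LVM volume groups:
# one LV per VG, a LUKS key file under /mnt2, then either
#   - mdraid mode ($mdraid true): dm-integrity on each LV, a 3-way md mirror
#     over them, one LUKS device on the mirror, ext4 on top; or
#   - default mode: one LUKS device per LV, btrfs raid1c3 across them.
# The m wrapper (and whatever error handling it relies on) comes from
# /usr/local/lib/err.

# todo: put this script and this library into ansible
source /usr/local/lib/err

#### begin arg processing ###
# NOTE(review): this region is garbled in the copy reviewed: the usage()
# heredoc, its closing brace and the option loop that sets $mdraid are
# missing. It is kept verbatim; restore it from the original before running.
usage() { cat <&2 usage 1 fi
read -r disk_type gb hostname <<<"$@"
#### end arg processing ###

# hostname is used as a path component (/mnt2, /mnt) and as a device name;
# reject values that would escape those directories or split into words.
if [[ -z $hostname || $hostname == */* || $hostname == .* || $hostname == *[[:space:]]* ]]; then
  echo "$0: error: invalid hostname: '$hostname'" >&2
  usage 1
fi

# todo add apg to automatically installed packages
if ! type -p apg &>/dev/null; then
  apt install -y apg
fi

# The key file is written under /mnt2, which must be the separately
# encrypted keys mount; without it the LUKS key would land on the plain
# root filesystem, so this is fatal rather than a warning.
if ! mountpoint -q /mnt2; then
  echo "$0: error: expected /mnt2 to be a mountpoint, run /root/open-crypt-luks-keys-loopback" >&2
  exit 1
fi

case $disk_type in
  hdd)
    volgroups=(
      vgata-WDC_WD4004FZWX-00GBGB0_NHG3PK4M
      vgata-ST4000DM000-1F2168_Z3028BKA
      vgata-WDC_WD40EZRX-00SPEB0_WD-WCC4E0304017
    )
    ;;
  sdd)
    volgroups=(
      vgata-Samsung_SSD_850_EVO_1TB_S3PJNB0J902536K
      vgata-Samsung_SSD_850_EVO_1TB_S3PJNF0J909382V
      vgata-Samsung_SSD_850_EVO_1TB_S3PJNF0J909379K
    )
    ;;
  *)
    # without this arm volgroups stays unset and every loop below is silently empty
    echo "$0: error: unknown disk_type: '$disk_type' (expected hdd or sdd)" >&2
    usage 1
    ;;
esac

#######################################
# Append a crypttab line unless an identical one is already present.
# Globals:   crypttab_err (set to true when the device is listed with a
#            different line; the final exit status reports it)
# Arguments: $1 - full crypttab line to add
#            $2 - backing device named in that line
# Outputs:   progress to stdout, diagnostics to stderr
#######################################
append_crypttab() {
  local line=$1 dev=$2
  if grep -Fq -- "$dev" /etc/crypttab; then
    # -x without -q: the matching line is printed, which is what "^" refers to
    if grep -Fx -- "$line" /etc/crypttab; then
      echo "$0: crypttab line already found ^. not adding"
    else
      echo "$0: error: found existing lvdev: $dev in /etc/crypttab that is different than expected:" >&2
      echo "$line" >&2
      echo "saving exit 1 until script completes. manual intervention required" >&2
      crypttab_err=true
    fi
  else
    echo "appending to /etc/crypttab:"
    echo "$line" | tee -a /etc/crypttab
  fi
}

for vg in "${volgroups[@]}"; do
  lvdev=/dev/$vg/$hostname
  if [[ -e $lvdev ]]; then
    echo "$0: skipping creation of existing lv: $lvdev"
  else
    m lvcreate -L "${gb}g" -n "$hostname" "$vg"
  fi
done

keyfile=/mnt2/$hostname
if [[ ! -s $keyfile ]]; then
  # create the file mode 600 from the start (umask in a subshell) instead of
  # chmod after writing; the directory is already 700, just being thorough
  (umask 077; apg -m 25 -x 25 -n1 | tr -d '\n' >"$keyfile")
  # an empty key file would otherwise be used for luksFormat below
  if [[ ! -s $keyfile ]]; then
    echo "$0: error: failed to generate key file: $keyfile" >&2
    exit 1
  fi
  m chmod 600 "$keyfile"
fi

crypttab_err=false
mountdir=/mnt/$hostname
mkdir -p "$mountdir"
integrity_devs=()

if $mdraid; then
  for vg in "${volgroups[@]}"; do
    lvdev=/dev/$vg/$hostname
    integrity_name=integrity-$vg-$hostname
    integrity_dev=/dev/mapper/$integrity_name
    integrity_devs+=("$integrity_dev")
    if [[ -e $integrity_dev ]]; then
      echo "$0: skipping creation of existing integrity dev: $integrity_dev"
    else
      m time integritysetup --batch-mode format "$lvdev"
      m integritysetup open --allow-discards "$lvdev" "$integrity_name"
    fi
  done

  mddev=/dev/md/md$hostname
  if [[ -e $mddev ]]; then
    echo "$0: skipping creation of existing mddev: $mddev"
  else
    # get stable auto-assembled names
    # https://serverfault.com/questions/763870/raid-device-on-rename-appended-with-0
    # NOTE(review): the value after "HOMEHOST " is empty in the copy reviewed
    # (an angle-bracketed token would have been stripped by extraction);
    # confirm the intended value against mdadm.conf(5) before relying on this.
    if ! grep -Fxq "HOMEHOST " /etc/mdadm/mdadm.conf; then
      sed -i '/^ *HOMEHOST/d' /etc/mdadm/mdadm.conf
      echo "HOMEHOST " >>/etc/mdadm/mdadm.conf
      m update-initramfs -u -k all
    fi
    # yes answers the confirmation prompt and dies with SIGPIPE (141) once
    # mdadm stops reading; that status is expected, not a failure
    yes yes | m mdadm --create "$mddev" --level 1 --raid-devices=3 "${integrity_devs[@]}" || [[ $? == 141 ]]
  fi

  luks_name=crypt-$hostname
  luks_dev=/dev/mapper/$luks_name
  if [[ -e $luks_dev ]]; then
    echo "$0: skipping creation of existing luks dev: $luks_dev"
  else
    yes YES | m cryptsetup luksFormat "$mddev" "$keyfile" || [[ $? == 141 ]]
    append_crypttab "$luks_name $mddev $keyfile discard,luks" "$mddev"
    m cryptdisks_start "$luks_name"
  fi
  m mkfs.ext4 "$luks_dev"
else
  luks_devs=()
  for vg in "${volgroups[@]}"; do
    lvdev=/dev/$vg/$hostname
    luks_name=crypt-$vg-$hostname
    # mirror the existence check of the mdraid branch: never luksFormat an LV
    # that already carries a LUKS header, a rerun would otherwise wipe it
    if cryptsetup isLuks "$lvdev"; then
      echo "$0: skipping luksFormat of existing luks device: $lvdev"
    else
      yes YES | m cryptsetup luksFormat "$lvdev" "$keyfile" || [[ $? == 141 ]]
    fi
    append_crypttab "$luks_name $lvdev $keyfile discard,luks,noauto" "$lvdev"
    m cryptdisks_start "$luks_name"
    luks_devs+=("/dev/mapper/$luks_name")
  done
  m mkfs.btrfs -f -m raid1c3 -d raid1c3 "${luks_devs[@]}"
  m mount "${luks_devs[0]}" "$mountdir"
  m btrfs sub create "$mountdir/root"
  m umount "$mountdir"
fi

if $crypttab_err; then
  echo "$0: crypttab error, exiting 1, see above." >&2
  exit 1
fi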