--- /dev/null
+#!/bin/bash
+# Copyright (C) 2022 Ian Kelling
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# todo: put this script and this library into ansible
+source /usr/local/lib/err
+
+#### begin arg processing ###
+usage() {
+ cat <<EOF
+Usage: ${0##*/} [mdraid] hdd|sdd size_in_GB fqdn
+create disk for vm
+
+-h|--help Print help and exit.
+
+EOF
+ exit $1
+}
+m() { printf "%s\n" "$*"; "$@"; }
+
+
+mdraid=false
+case $1 in
+ mdraid)
+ mdraid=true
+ shift
+ ;;
+ --help)
+ usage
+ ;;
+esac
+
+if (( $# != 3 )); then
+ echo "$0: error: expected 3 arguments" >&2
+ usage 1
+fi
+
+read -r disk_type gb hostname <<<"$@"
+#### end arg processing ###
+
+if ! type -p apg &>/dev/null; then
+ apt install -y apg
+fi
+
+if ! mountpoint -q /mnt2; then
+ echo "$0: error: expected /mnt2 to be a mountpoint, run /root/open-crypt-luks-keys-loopback" >&2
+fi
+
+case $disk_type in
+ hdd)
+ volgroups=(
+ vgata-WDC_WD4004FZWX-00GBGB0_NHG3PK4M
+ vgata-ST4000DM000-1F2168_Z3028BKA
+ vgata-WDC_WD40EZRX-00SPEB0_WD-WCC4E0304017
+ )
+ ;;
+ sdd)
+ volgroups=(
+ vgata-Samsung_SSD_850_EVO_1TB_S3PJNB0J902536K
+ vgata-Samsung_SSD_850_EVO_1TB_S3PJNF0J909382V
+ vgata-Samsung_SSD_850_EVO_1TB_S3PJNF0J909379K
+ )
+ ;;
+esac
+
+for vg in ${volgroups[@]}; do
+ lvdev=/dev/$vg/$hostname
+ if [[ -e $lvdev ]]; then
+ echo "$0: skipping creation of existing lv: $lvdev"
+ else
+ m lvcreate -L ${gb}g -n $hostname $vg
+ fi
+done
+
+keyfile=/mnt2/$hostname
+if [[ ! -s $keyfile ]]; then
+ apg -m 25 -x 25 -n1 | tr -d '\n' >$keyfile
+ # directory is already 700, just being thorough
+ m chmod 600 $keyfile
+fi
+
+crypttab_err=false
+
+mountdir=/mnt/$hostname
+mkdir -p $mountdir
+integrity_devs=()
+if $mdraid; then
+ for vg in ${volgroups[@]}; do
+ lvdev=/dev/$vg/$hostname
+ integrity_name=integrity-$vg-$hostname
+ integrity_dev=/dev/mapper/$integrity_name
+ integrity_devs+=($integrity_dev)
+ if [[ -e $integrity_dev ]]; then
+ echo "$0: skipping creation of existing integrity dev: $integrity_dev"
+ else
+ m time integritysetup --batch-mode format $lvdev
+ m integritysetup open --allow-discards $lvdev $integrity_name
+ fi
+ done
+ mddev=/dev/md/md$hostname
+ if [[ -e $mddev ]]; then
+ echo "$0: skipping creation of existing mddev: $mddev"
+ else
+ # get stable auto-assembled names
+ # https://serverfault.com/questions/763870/raid-device-on-rename-appended-with-0
+ if ! grep -Fxq "HOMEHOST <ignore>" /etc/mdadm/mdadm.conf; then
+ sed -i '/^ *HOMEHOST/d' /etc/mdadm/mdadm.conf
+ echo "HOMEHOST <ignore>" >>/etc/mdadm/mdadm.conf
+ m update-initramfs -u -k all
+ fi
+ yes yes | m mdadm --create /dev/md/md$hostname --level 1 --raid-devices=3 ${integrity_devs[@]} || [[ $? == 141 ]]
+ fi
+ luks_name=crypt-$hostname
+ luks_dev=/dev/mapper/$luks_name
+ if [[ -e $luks_dev ]]; then
+ echo "$0: skipping creation of existing luks dev: $luks_dev"
+ else
+ yes YES | m cryptsetup luksFormat $mddev $keyfile || [[ $? == 141 ]]
+ echo appending to /etc/crypttab
+ echo "$luks_name $mddev $keyfile discard,luks" | tee -a /etc/crypttab
+ m cryptdisks_start $luks_name
+ fi
+ m mkfs.ext4 $luks_dev
+else
+
+ luks_devs=()
+ for vg in ${volgroups[@]}; do
+ lvdev=/dev/$vg/$hostname
+ # todo add apg to automatically installed packages
+ yes YES | m cryptsetup luksFormat $lvdev $keyfile || [[ $? == 141 ]]
+ luks_name=crypt-$vg-$hostname
+ echo appending to /etc/crypttab
+ line="$luks_name $lvdev $keyfile discard,luks,noauto"
+ if grep -Fq "$lvdev" /etc/crypttab; then
+ if grep -Fx "$line" /etc/crypttab; then
+ echo "$0: crypttab line already found ^. not adding"
+ else
+ echo "$0: error: found existing lvdev: $lvdev in /etc/crypttab that is different than expected:"
+ echo "$line"
+ echo "saving exit 1 until script completes. manual intervention required"
+ crypttab_err=true
+ fi
+ else
+ echo "appending to /etc/crypttab:"
+ echo "$line" | tee -a /etc/crypttab
+ fi
+ m cryptdisks_start $luks_name
+ luks_devs+=(/dev/mapper/$luks_name)
+ done
+
+ m mkfs.btrfs -f -m raid1c3 -d raid1c3 ${luks_devs[@]}
+ m mount ${luks_devs[0]} $mountdir
+ m btrfs sub create $mountdir/root
+ m umount $mountdir
+fi
+
+if $crypttab_err; then
+ echo "$0: crypttab error, exiting 1, see above."
+ exit 1
+fi
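Review bot: The `if ! mountpoint -q /mnt2` check only prints its error and falls through, so when /mnt2 is not mounted the LUKS keyfile generated by `apg ... >$keyfile` lands on whatever filesystem backs /mnt2 (normally the unencrypted root, rather than the loopback that `/root/open-crypt-luks-keys-loopback` is presumably meant to open) and that plaintext path is then written into /etc/crypttab; add `exit 1` after the echo. The keyfile is also created under the inherited umask before the later `chmod 600`, leaving a window where it can be readable by other users; write it as `(umask 077; apg -m 25 -x 25 -n1 | tr -d '\n' >"$keyfile")` so it is never created with wider permissions. Separately, the non-mdraid branch runs `cryptsetup luksFormat $lvdev $keyfile` unconditionally for every volume group, unlike the mdraid branch which skips an existing `/dev/mapper/$luks_name`, so re-running the script for an existing host re-formats (and destroys) the existing LUKS volumes before the "crypttab line already found" check is reached; guard that call with the same `[[ -e /dev/mapper/$luks_name ]]` skip. Whether the sourced /usr/local/lib/err enables `set -e`/`pipefail` is not visible in this hunk, so the `|| [[ $? == 141 ]]` fallbacks cannot be assessed from here.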