From 81e0e0b826ebffdee7d809ee4dff1338af7692e1 Mon Sep 17 00:00:00 2001
From: Ian Kelling <ian@iankelling.org>
Date: Sun, 8 May 2016 00:28:07 -0700
Subject: [PATCH] fix various arch issues

With 9 disks, the kernel cmdline was
~2100 chars, but it's limited to 2048.
So, modified the encrypt hook to use the kernel
args less. Now it's down to ~800 chars.
---
 arch-init                            |  65 ++-----------
 arch-init-chroot                     |  52 ++++------
 arch-init-remote                     |  18 +++-
 arch-iso-init.sh                     |  18 ++++
 arch-pxe                             |  12 +--
 encrypt                              | 129 +++++++++++++++++++++++++
 encrypt.upstream                     | 139 +++++++++++++++++++++++++++
 fai-redep                            |  34 +++++--
 fai/config/distro-install-common/end |   2 +-
 fai/config/hooks/partition.DEFAULT   |   9 +-
 pxe-server                           |   3 +-
 11 files changed, 368 insertions(+), 113 deletions(-)
 create mode 100644 arch-iso-init.sh
 create mode 100644 encrypt
 create mode 100644 encrypt.upstream

diff --git a/arch-init b/arch-init
index d1c5542..a9e5d68 100755
--- a/arch-init
+++ b/arch-init
@@ -17,7 +17,7 @@ if [[ $hostname == tp ]]; then
     ROOTPW="$TPPASS"
 fi
 
-(( $# >= 2 )) || { echo "error: need 2 arguments"; exit 1; }
+(( $# >= 1 )) || { echo "$0: error: need 1 or 2 arguments"; exit 1; }
 
 mv /root/devbyid /usr/bin
 
@@ -39,7 +39,6 @@ export -f ifclass
 for x in $(bash 50-host-classes); do
     export CLASS_$x=true
 done
-export CLASS_TWO_DISK=true
 export LUKS_DIR=/root/luks
 export HOSTNAME=$hostname
 export DISTRO=arch
@@ -47,6 +46,7 @@ chmod +x partition.DEFAULT
 
 export PARTITION_PROMPT=true
 
+# to be idempotent if we fail after partitioning
 already_partitioned=true
 mount_out=$(mount)
 for dir in /mnt{,/home,/boot,/q}; do
@@ -69,6 +69,7 @@ export rootn=1
 export bootn=3
 export swapn=2
 export BOOT_DEVICE
+export ROOT_PARTITIONS
 sed -ri "/^crypt_dev_\S+$rootn /d" /tmp/fai/crypttab
 
 if ! $already_partitioned; then
@@ -84,64 +85,18 @@ cp /root/luks/host-$hostname /mnt/crypto_keyfile.bin
 chmod 600 /mnt/crypto_keyfile.bin
 
 
-shopt -s extglob
-case $hostname in
-    # todo: these hosts are broken, not updated to new fai hyrbrid scripts.
-    frodo)
-
-        # for this system, no separate /boot, to keep partitions simple,
-        # since we want simpler backup recovery.
-        mount -U $rootid /mnt
-        ;;&
-    treetowl)
-        mount /dev/mapper/vg_treetowl00-lv02 /mnt
-        mount -U $bootid /mnt/boot
-        ;;&
-    frodo|treetowl)
-        rm -rf /mnt/!(a|i|q|f|boot) /mnt/boot/*
-        ;;
-esac
-
-
-
 if [[ $mirror ]]; then
     echo "$0: 404 errors about core.db etc are normal,
 they will succeed using the secodary mirror"
 fi
 pacstrap /mnt base
 cp /tmp/fai/{fstab,crypttab} /mnt/etc
-cp /usr/bin/devbyid /mnt/root
-case $hostname in
-    frodo)
-        # the root .ssh needs to be like this,
-        # because it\'s used to get the key to mount an encrypted filesystem
-        # on top of itself.
-        d=/mnt/q/root/.ssh
-        rm -rf $d # for idempotency
-        mkdir -p $d
-        scp -oStrictHostKeyChecking=no ian@treetowl:/a/c/machine_specific/frodo/subdir_files/.ssh/* $d
-        cp .ssh/* $d
-        ln -s /q/root/.ssh /mnt/root
-        # background: errors=remount-ro is a debian installer thing. seems like
-        # not a bad idea. man mount says: The default is set in the filesystem
-        # superblock, and can be changed using tune2fs(8)
-
-        cat > /mnt/etc/fstab <<'EOF'
-UUID=e9ce7b46-9a21-4e79-b7f7-0b18acb57587  /  ext4  noatime,errors=remount-ro  0  1
-UUID=dd67766f-93c5-4ce3-9877-a1d9841dd4a4  none  swap  sw  0  0
-/dev/sr0  /media/cdrom0  udf,iso9660 user,noauto  0  0
-/dev/mapper/crypta7  /mnt/btrfs_root  btrfs  subvolid=0,noatime,noauto  0  2
-/dev/mapper/crypta7  /a  btrfs  subvol=a,noatime,noauto  0  2
-EOF
-        ;;
-    *)
-        cp -r .ssh /mnt/root
-        cp -r /root/distro-install-common /mnt/root
-        ;;&
-    treetowl)
-        echo "UUID=a9e83bb7-d23d-4de6-ba9f-d88b887f7206  /a  ext4  noatime  0 2" >> /mnt/etc/fstab
-        ;;
-esac
+cp /root/encrypt /mnt/usr/lib/initcpio/hooks
+# not needed anymore
+#cp /usr/bin/devbyid /mnt/root
+
+cp -r .ssh /mnt/root
+cp -r /root/distro-install-common /mnt/root
 
 cp /root/arch-init-chroot /mnt/root
 # for manual commands, arch-chroot /mnt bash
@@ -152,7 +107,7 @@ rm -f /mnt/etc/resolv.conf
 ln -s /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf
 
 # not necsesary, but makes reboot go fast.
-umount -R /mnt; sleep 1
+#umount -R /mnt; sleep 1
 
 # causes 255 exit code, so doing this from the caller script.
 # reboot now
diff --git a/arch-init-chroot b/arch-init-chroot
index 6c9d66b..d2e0f97 100755
--- a/arch-init-chroot
+++ b/arch-init-chroot
@@ -55,50 +55,28 @@ cat /etc/fstab
 # which will be the crypt device name under /dev/mapper/
 # https://wiki.archlinux.org/index.php/GRUB#Additional_arguments
 
-first_boot_dev=${BOOT_DEVICE%% *}
-crypt_dev=${first_boot_dev}$rootn
-crypt_name=$(/root/devbyid $crypt_dev)
-crypt_name=crypt_dev_${crypt_name##*/}
+
+root_devs=( ${ROOT_PARTITIONS} )
+first_root_dev=${root_devs[0]}
 
 
 k_args=(
-    cryptdevice=$crypt_dev:$crypt_name:allow-discards
-    root=/dev/mapper/$crypt_name
-    resume=${crypt_dev%[0-9]}$swapn
+    cryptdevices=${ROOT_PARTITIONS// /,}
+    root=/dev/mapper/crypt_dev_${first_root_dev##*/}
+    resume=${first_root_dev%[0-9]}$swapn
 )
-crypt_mapper_devs=(/dev/mapper/crypt_dev_*$rootn)
-crypt_count=${#crypt_mapper_devs[@]}
-if [[ crypt_count == 0 ]]; then
-    echo "$0: error: expected crypt_mapper_devs length to be > 0"
-    ls -la /dev/mapper
-    exit 1
-fi
-keyfile_vars=()
-dup_keys=()
 extra_encrypt_hooks=()
 
 
 # If we have more than 1 to decrypt, arch wiki lead me onto
 # a sort of hacky way run the encrypt hook multiple times.
-for ((i=1; i < $crypt_count; i++)); do
-    extra_encrypt_hooks+=(encrypt$i)
-    if (( i = 1 )); then dup_keys=(" "); fi # prefix with an empty space
-    cp /crypto_keyfile.bin /crypto_keyfile$i.bin
-    dup_keys+=(/crypto_keyfile$i.bin)
-    base=/usr/lib/initcpio
-    cp $base/hooks/encrypt{,$i}
-    cp $base/install/encrypt{,$i}
-    sed -i "s/cryptdevice/cryptdevice$i/" $base/hooks/encrypt$i
-    sed -i "s/cryptkey/cryptkey$i/" $base/hooks/encrypt$i
-    crypt_name=${crypt_mapper_devs[i]#/dev/mapper/}
-    crypt_dev=/dev/${crypt_name#crypt_dev_}
-    k_args+=(cryptdevice$i=$crypt_dev:$crypt_name:allow-discards
-             cryptkey$i=rootfs:/crypto_keyfile$i.bin)
-done
+
+base=/usr/lib/initcpio
+
 
 # https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Configuring_mkinitcpio_2
 # used to have lvm2 after encrypt for lvm, but not using lvm anymore
-for x in encrypt ${extra_encrypt_hooks[@]} btrfs; do
+for x in encrypt btrfs; do
     sed -ri -f - /etc/mkinitcpio.conf <<EOF
 /^ *HOOKS.*\b$x\b/!s/^( *HOOKS=.*)filesystems/\1$x filesystems/
 EOF
@@ -106,7 +84,7 @@ done
 
 # this is the default file, otherwise you use cryptkey=device:fstype:path
 sed -ri -f - /etc/mkinitcpio.conf <<EOF
-s#^\s*FILES=.*#FILES="/crypto_keyfile.bin${dup_keys[*]}"#
+s#^\s*FILES=.*#FILES="/crypto_keyfile.bin"#
 EOF
 echo "$0: FILES:"
 grep FILES /etc/mkinitcpio.conf
@@ -128,7 +106,11 @@ for dev in $BOOT_DEVICE; do
     grub-install --recheck $dev
 done
 grub-mkconfig -o /boot/grub/grub.cfg
-pacman -S --noconfirm openssh unison
+# gtk2 is an optional dependency of unison.
+# debian's unison binary has it linked in,
+# so i install it so I can use the same binary for syncing
+# the two distros.
+pacman -S --noconfirm openssh unison gtk2 rsync
 
 echo "root:$ROOTPW" | chpasswd -e
 
@@ -151,7 +133,7 @@ systemctl enable sshd
 
 rm -rf /home/ian/.ssh
 cp -r /root/.ssh /home/ian
-chown ian:ian /home/ian/.ssh
+chown -R ian:ian /home/ian/.ssh
 # the groups recommended by
 # https://wiki.archlinux.org/index.php/Users_and_groups#Group_list
 usermod -aG games,rfkill,users,uucp,wheel ian
diff --git a/arch-init-remote b/arch-init-remote
index 3cf222c..4210b5f 100755
--- a/arch-init-remote
+++ b/arch-init-remote
@@ -11,18 +11,22 @@ if [[ ! $1 ]]; then
 fi
 host=$1
 
-[[ $host == frodo ]] && scp /a/c/machine_specific/frodo/subdir_files/.ssh/* frodo:.ssh/
+scp -o StrictHostKeyChecking=false -o UserKnownHostsFile=/dev/null \
+    /p/c/machine_specific/$host/filesystem/etc/ssh/* root@$host:/etc/ssh
+
 if [[ -e  /var/cache/pacman/pkg ]]; then
     darkhttpd /var/cache/pacman/pkg &
-    url=http://$HOSTNAME:8080
+    mirror=http://$HOSTNAME:8080
 fi
 faid=/a/bin/fai
 fai_files=(
     distro-install-common
     hooks/partition.DEFAULT
     class/50-host-classes
+
 )
 sudo scp -r /a/bin/fai/arch-init{,-chroot} \
+     /a/bin/fai/encrypt \
      ${fai_files[@]/#//a/bin/fai/fai/config/} \
      /a/bin/devbyid \
      /q/root/luks /q/root/shadow root@$host:
@@ -30,11 +34,15 @@ sudo scp -r /a/bin/fai/arch-init{,-chroot} \
 # on debian, you can use mkpasswd -m sha-512 to generate a pass.
 # arch doesn't have this program. instead, you can do passwd,
 # and extract it from the shadow file.
-ssh root@$host bash -x ./arch-init $host $url
-ssh root@$host reboot now || [[ $? == 255 ]]
+ssh root@$host bash -x ./arch-init $host $mirror
+
+#ssh root@$host reboot now || [[ $? == 255 ]]
+
 # next up is:
 # ssh $host /a/bin/distro-begin
 
-killall darkhttpd
+if [[ -e  /var/cache/pacman/pkg ]]; then
+    killall darkhttpd
+fi
 # todo: this doesn't work. figure out why.
 #kill $!
diff --git a/arch-iso-init.sh b/arch-iso-init.sh
new file mode 100644
index 0000000..e0118f2
--- /dev/null
+++ b/arch-iso-init.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+echo $(date) > /tmp/myarchinit.log
+if ! ip a | grep '^ *inet ' | grep -vF 127.0.0.1; then
+    cat <<'eof'
+We don't have an ipv4 address. Maybe arch doesn't do that for us,
+or we are probably using an ethernet port
+which is not the 1st one, so we haven't automatically done dhcpcd,
+so let's do it on whatever interface has a carrier
+eof
+    for f in /sys/class/net/*; do
+        if [[ `cat $f/carrier` == 1 ]]; then
+            echo $0: running: dhcpcd ${f##*/}
+            dhcpcd ${f##*/}
+            break
+        fi
+    done
+fi
+systemctl start sshd
diff --git a/arch-pxe b/arch-pxe
index 7252f2d..66a79de 100755
--- a/arch-pxe
+++ b/arch-pxe
@@ -6,6 +6,8 @@
 set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
+x="$(readlink -f "$BASH_SOURCE")"
+script_dir="${x%/*}"
 cd /a/opt
 iso="archlinux-2016.05.01-dual"
 sfs=$iso/arch/x86_64/airootfs.sfs
@@ -14,7 +16,7 @@ ex $iso.iso
 sed -i -f - $iso/arch/boot/syslinux/archiso_pxe64.cfg <<EOF
 1itotaltimeout 1
 /^LABEL arch64_nfs/a menu default
-s/^APPEND .*/\0 script=myarchinit.sh/
+s/^APPEND .*/\0 script=arch-iso-init.sh/
 EOF
 # based on https://blog.chendry.org/2015/02/06/automating-arch-linux-installation.html
 # and https://wiki.archlinux.org/index.php/Remastering_the_Install_ISO
@@ -24,12 +26,8 @@ s unsquashfs $sfs
 s mkdir -p squashfs-root/root/.ssh
 s chmod 755 squashfs-root/root/.ssh
 s cp ~/.ssh/id_rsa.pub squashfs-root/root/.ssh/authorized_keys
-s dd of=squashfs-root/root/myarchinit.sh <<EOF
-#!/bin/bash
-echo $(date) > /tmp/myarchinit.log
-dhcpcd eth0
-systemctl start sshd
-EOF
+
+s cp $script_dir/arch-iso-init.sh squashfs-root/root
 s rm $sfs
 s mksquashfs squashfs-root $sfs -comp xz
 # file transfer to wrt is slow, so remove some useless files
diff --git a/encrypt b/encrypt
new file mode 100644
index 0000000..89cc95f
--- /dev/null
+++ b/encrypt
@@ -0,0 +1,129 @@
+#!/usr/bin/ash
+run_hook() {
+    set -x
+    echo $0
+    modprobe -a -q dm-crypt >/dev/null 2>&1
+    [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
+
+    # Get keyfile if specified
+    ckeyfile="/crypto_keyfile.bin"
+    if [ -n "$cryptkey" ]; then
+        IFS=: read ckdev ckarg1 ckarg2 <<EOF
+$cryptkey
+EOF
+
+        if [ "$ckdev" = "rootfs" ]; then
+            ckeyfile=$ckarg1
+        elif resolved=$(resolve_device "${ckdev}" ${rootdelay}); then
+            case ${ckarg1} in
+                *[!0-9]*)
+                    # Use a file on the device
+                    # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
+                    mkdir /ckey
+                    mount -r -t "$ckarg1" "$resolved" /ckey
+                    dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1
+                    umount /ckey
+                    ;;
+                *)
+                    # Read raw data from the block device
+                    # ckarg1 is numeric: ckarg1=offset, ckarg2=length
+                    dd if="$resolved" of="$ckeyfile" bs=1 skip="$ckarg1" count="$ckarg2" >/dev/null 2>&1
+                    ;;
+            esac
+        fi
+        [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
+    fi
+
+    for cryptdev in ${cryptdevices//,/ }; do
+        cryptname=crypt_dev_${cryptdev##*/}
+
+        if [ -n "${cryptoptions}" ]; then
+            cryptargs="${cryptargs} --allow-discards"
+        fi
+        for cryptopt in ${cryptoptions//,/ }; do
+            case ${cryptopt} in
+                no-allow-discards)
+                    cryptargs=""
+                    ;;
+                *)
+                    echo "Encryption option '${cryptopt}' not known, ignoring." >&2
+                    ;;
+            esac
+        done
+
+        if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then
+            if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then
+                dopassphrase=1
+                # If keyfile exists, try to use that
+                if [ -f ${ckeyfile} ]; then
+                    if eval cryptsetup --key-file ${ckeyfile} open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; then
+                        dopassphrase=0
+                    else
+                        echo "Invalid keyfile. Reverting to passphrase."
+                    fi
+                fi
+                # Ask for a passphrase
+                if [ ${dopassphrase} -gt 0 ]; then
+                    echo ""
+                    echo "A password is required to access the ${cryptname} volume:"
+
+                    #loop until we get a real password
+                    while ! eval cryptsetup open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do
+                        sleep 2;
+                    done
+                fi
+                if [ -e "/dev/mapper/${cryptname}" ]; then
+                    if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
+                        export root="/dev/mapper/root"
+                    fi
+                else
+                    err "Password succeeded, but ${cryptname} creation failed, aborting..."
+                    exit 1
+                fi
+            elif [ -n "${crypto}" ]; then
+                msg "Non-LUKS encrypted device found..."
+                if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then
+                    err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
+                    err "Non-LUKS decryption not attempted..."
+                    return 1
+                fi
+                exe="cryptsetup open --type plain $resolved $cryptname $cryptargs"
+                IFS=: read c_hash c_cipher c_keysize c_offset c_skip <<EOF
+$crypto
+EOF
+                [ -n "$c_hash" ]    && exe="$exe --hash '$c_hash'"
+                [ -n "$c_cipher" ]  && exe="$exe --cipher '$c_cipher'"
+                [ -n "$c_keysize" ] && exe="$exe --key-size '$c_keysize'"
+                [ -n "$c_offset" ]  && exe="$exe --offset '$c_offset'"
+                [ -n "$c_skip" ]    && exe="$exe --skip '$c_skip'"
+                if [ -f "$ckeyfile" ]; then
+                    exe="$exe --key-file $ckeyfile"
+                else
+                    exe="$exe --verify-passphrase"
+                    echo ""
+                    echo "A password is required to access the ${cryptname} volume:"
+                fi
+                eval "$exe $CSQUIET"
+
+                if [ $? -ne 0 ]; then
+                    err "Non-LUKS device decryption failed. verify format: "
+                    err "      crypto=hash:cipher:keysize:offset:skip"
+                    exit 1
+                fi
+                if [ -e "/dev/mapper/${cryptname}" ]; then
+                    if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
+                        export root="/dev/mapper/root"
+                    fi
+                else
+                    err "Password succeeded, but ${cryptname} creation failed, aborting..."
+                    exit 1
+                fi
+            else
+                err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
+            fi
+        fi
+    done
+    rm -f ${ckeyfile}
+}
+
+# vim: set ft=sh ts=4 sw=4 et:
diff --git a/encrypt.upstream b/encrypt.upstream
new file mode 100644
index 0000000..819c4cf
--- /dev/null
+++ b/encrypt.upstream
@@ -0,0 +1,139 @@
+#!/usr/bin/ash
+
+run_hook() {
+    modprobe -a -q dm-crypt >/dev/null 2>&1
+    [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
+
+    # Get keyfile if specified
+    ckeyfile="/crypto_keyfile.bin"
+    if [ -n "$cryptkey" ]; then
+        IFS=: read ckdev ckarg1 ckarg2 <<EOF
+$cryptkey
+EOF
+
+        if [ "$ckdev" = "rootfs" ]; then
+            ckeyfile=$ckarg1
+        elif resolved=$(resolve_device "${ckdev}" ${rootdelay}); then
+            case ${ckarg1} in
+                *[!0-9]*)
+                    # Use a file on the device
+                    # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
+                    mkdir /ckey
+                    mount -r -t "$ckarg1" "$resolved" /ckey
+                    dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1
+                    umount /ckey
+                    ;;
+                *)
+                    # Read raw data from the block device
+                    # ckarg1 is numeric: ckarg1=offset, ckarg2=length
+                    dd if="$resolved" of="$ckeyfile" bs=1 skip="$ckarg1" count="$ckarg2" >/dev/null 2>&1
+                    ;;
+            esac
+        fi
+        [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
+    fi
+
+    if [ -n "${cryptdevice}" ]; then
+        DEPRECATED_CRYPT=0
+        IFS=: read cryptdev cryptname cryptoptions <<EOF
+$cryptdevice
+EOF
+    else
+        DEPRECATED_CRYPT=1
+        cryptdev="${root}"
+        cryptname="root"
+    fi
+
+    warn_deprecated() {
+        echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
+        echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
+    }
+
+    for cryptopt in ${cryptoptions//,/ }; do
+        case ${cryptopt} in
+            allow-discards)
+                cryptargs="${cryptargs} --allow-discards"
+                ;;
+            *)
+                echo "Encryption option '${cryptopt}' not known, ignoring." >&2
+                ;;
+        esac
+    done
+
+    if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then
+        if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then
+            [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
+            dopassphrase=1
+            # If keyfile exists, try to use that
+            if [ -f ${ckeyfile} ]; then
+                if eval cryptsetup --key-file ${ckeyfile} open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; then
+                    dopassphrase=0
+                else
+                    echo "Invalid keyfile. Reverting to passphrase."
+                fi
+            fi
+            # Ask for a passphrase
+            if [ ${dopassphrase} -gt 0 ]; then
+                echo ""
+                echo "A password is required to access the ${cryptname} volume:"
+
+                #loop until we get a real password
+                while ! eval cryptsetup open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do
+                    sleep 2;
+                done
+            fi
+            if [ -e "/dev/mapper/${cryptname}" ]; then
+                if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
+                    export root="/dev/mapper/root"
+                fi
+            else
+                err "Password succeeded, but ${cryptname} creation failed, aborting..."
+                exit 1
+            fi
+        elif [ -n "${crypto}" ]; then
+            [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
+            msg "Non-LUKS encrypted device found..."
+            if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then
+                err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
+                err "Non-LUKS decryption not attempted..."
+                return 1
+            fi
+            exe="cryptsetup open --type plain $resolved $cryptname $cryptargs"
+            IFS=: read c_hash c_cipher c_keysize c_offset c_skip <<EOF
+$crypto
+EOF
+            [ -n "$c_hash" ]    && exe="$exe --hash '$c_hash'"
+            [ -n "$c_cipher" ]  && exe="$exe --cipher '$c_cipher'"
+            [ -n "$c_keysize" ] && exe="$exe --key-size '$c_keysize'"
+            [ -n "$c_offset" ]  && exe="$exe --offset '$c_offset'"
+            [ -n "$c_skip" ]    && exe="$exe --skip '$c_skip'"
+            if [ -f "$ckeyfile" ]; then
+                exe="$exe --key-file $ckeyfile"
+            else
+                exe="$exe --verify-passphrase"
+                echo ""
+                echo "A password is required to access the ${cryptname} volume:"
+            fi
+            eval "$exe $CSQUIET"
+
+            if [ $? -ne 0 ]; then
+                err "Non-LUKS device decryption failed. verify format: "
+                err "      crypto=hash:cipher:keysize:offset:skip"
+                exit 1
+            fi
+            if [ -e "/dev/mapper/${cryptname}" ]; then
+                if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
+                    export root="/dev/mapper/root"
+                fi
+            else
+                err "Password succeeded, but ${cryptname} creation failed, aborting..."
+                exit 1
+            fi
+        else
+            err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
+        fi
+    fi
+    rm -f ${ckeyfile}
+}
+
+# vim: set ft=sh ts=4 sw=4 et:
diff --git a/fai-redep b/fai-redep
index cd08887..29f4d15 100755
--- a/fai-redep
+++ b/fai-redep
@@ -9,8 +9,26 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
 cd $(dirname $(readlink -f "$BASH_SOURCE"))
 
-ssh root@faiserver rm -rf /srv/fai/config
-scp -r fai/config root@faiserver:/srv/fai
+
+faiserver_host=faiserver
+# i use faiserver as a dns alias, but ssh key is associated with
+# a canonical hostname and we will have ssh warning spam unless we
+# use it, so look it up.
+if addr=$(host faiserver); then
+    addr=${addr##* }
+    if h=$(host $addr); then
+        h=${h##* }
+        faiserver_host=${h%%.*}
+    else
+        echo "$0: warning: host \$addr($addr) failed"
+    fi
+else
+    echo "$0: warning: host faiserver failed"
+fi
+
+
+ssh root@$faiserver_host rm -rf /srv/fai/config
+scp -r fai/config root@$faiserver_host:/srv/fai
 # fai example pass: fai
 #ROOTPW='$1$kBnWcO.E$djxB128U7dMkrltJHPf6d1'
 
@@ -22,24 +40,24 @@ scp -r fai/config root@faiserver:/srv/fai
 
 f=/q/root/shadow/standard
 if s test -e $f; then
-    ssh root@faiserver tee -a /srv/fai/config/class/DEFAULT.var <<EOF
+    ssh root@$faiserver_host tee -a /srv/fai/config/class/DEFAULT.var <<EOF
 ROOTPW='$(s cat $f)'
 EOF
 fi
 
 tpvar="$(s cat /q/root/shadow/traci-simple)"
-ssh root@faiserver tee -a /srv/fai/config/class/tp.var <<EOF
+ssh root@$faiserver_host tee -a /srv/fai/config/class/tp.var <<EOF
 ROOTPW='$tpvar'
 EOF
 
 scp ~/.ssh/id_rsa.pub \
-    root@faiserver:/srv/fai/config/files/home/ian/.ssh/authorized_keys/GRUB_PC
+    root@$faiserver_host:/srv/fai/config/files/home/ian/.ssh/authorized_keys/GRUB_PC
 # todo: automatically disable faiserver after a period so
 # these files are not exposed.
 s scp -r /q/root/luks /q/root/shadow/traci{,-simple} \
-  root@faiserver:/srv/fai/config/distro-install-common
-scp /a/bin/devbyid root@faiserver:/srv/fai/nfsroot/usr/local/bin
-ssh root@faiserver bash <<'EOF'
+  root@$faiserver_host:/srv/fai/config/distro-install-common
+scp /a/bin/devbyid root@$faiserver_host:/srv/fai/nfsroot/usr/local/bin
+ssh root@$faiserver_host bash <<'EOF'
 set -eE -o pipefail
 chmod 644 /srv/fai/config/files/home/ian/.ssh/authorized_keys/GRUB_PC
 chmod -R a+rX /srv/fai/config/distro-install-common
diff --git a/fai/config/distro-install-common/end b/fai/config/distro-install-common/end
index 9c194fa..79238a5 100755
--- a/fai/config/distro-install-common/end
+++ b/fai/config/distro-install-common/end
@@ -31,10 +31,10 @@ $ROOTCMD rm -rf /root/.unison
 $ROOTCMD ln -sf $dir /root
 $ROOTCMD ln -sf /q/p /
 
+chown -R 1000:1000 $dir
 while true; do
     $ROOTCMD chown 1000:1000 $dir
     $ROOTCMD chmod 700 $dir
     dir=$(dirname $dir)
     [[ $dir != /q ]] || break
 done
-
diff --git a/fai/config/hooks/partition.DEFAULT b/fai/config/hooks/partition.DEFAULT
index fac3155..e64f92b 100755
--- a/fai/config/hooks/partition.DEFAULT
+++ b/fai/config/hooks/partition.DEFAULT
@@ -168,7 +168,7 @@ bpart() { # btrfs a partition
     esac
 }
 
-first_boot_dev=$(bootdev ${devs[0]})
+first_boot_dev=${boot_devs[0]}
 
 # keyfiles generated like:
 # head -c 2048 /dev/urandom | od | s dd of=/q/root/luks/host-demohost
@@ -197,6 +197,10 @@ swap_mib=$(( $(grep ^MemTotal: /proc/meminfo | \
                    awk '{print $2}') * 3/(${#devs[@]} * 2 ) / 1024 ))
 
 mkdir -p /tmp/fai
+root_devs=()
+for dev in ${devs[@]}; do
+    root_devs+=(`rootdev`)
+done
 shopt -s nullglob
 if $partition; then
     for dev in ${devs[@]}; do
@@ -346,7 +350,10 @@ done
 #BOOT_DEVICE=\${BOOT_DEVICE:-"${devs[0]}"}
 
 # swaplist seems to do nothing.
+
 cat >/tmp/fai/disk_var.sh <<EOF
+# ROOT_PARTITIONS is added by me, used in arch setup.
+ROOT_PARTITIONS="${root_devs[@]}"
 ROOT_PARTITION=\${ROOT_PARTITION:-$first_root_crypt}
 BOOT_PARTITION=\${BOOT_PARTITION:-$first_boot_dev}
 BOOT_DEVICE="${short_devs[@]}"
diff --git a/pxe-server b/pxe-server
index f53bdef..ec299e4 100755
--- a/pxe-server
+++ b/pxe-server
@@ -4,7 +4,8 @@
 # and depending on the type, setup the tftp server.
 
 # usage: $0 TYPE
-# default distro is the base debian/fedora type. others are fai &  arch
+# default distro is the base debian/fedora type. others are fai & arch.
+# for no pxe server, use a no-op like : or true.
 
 set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
-- 
2.30.2