iankelling.org Git - distro-setup/blob - keyscript-on

   1 #!/bin/bash
   2 # I, Ian Kelling, follow the GNU license recommendations at
   3 # https://www.gnu.org/licenses/license-recommendations.en.html. They
   4 # recommend that small programs, < 300 lines, be licensed under the
   5 # Apache License 2.0. This file contains or is part of one or more small
   6 # programs. If a small program grows beyond 300 lines, I plan to switch
   7 # its license to GPL.
   8
   9 # Copyright 2024 Ian Kelling
  10
  11 # Licensed under the Apache License, Version 2.0 (the "License");
  12 # you may not use this file except in compliance with the License.
  13 # You may obtain a copy of the License at
  14
  15 #     http://www.apache.org/licenses/LICENSE-2.0
  16
  17 # Unless required by applicable law or agreed to in writing, software
  18 # distributed under the License is distributed on an "AS IS" BASIS,
  19 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  20 # See the License for the specific language governing permissions and
  21 # limitations under the License.
  22
  23
  24
  25 # setup automatic decryption on boot using host-specific key file.
  26 # When changing a hostname, that key needs updating.
  27
  28 set -eE -o pipefail
  29 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR
  30
  31 [[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
  32 if [[ $- != *i* ]]; then
  33   exec &>>/var/log/keyscript-on.log
  34   echo "$0: starting. $(date)"
  35 fi
  36
  37 sed="sed --follow-symlinks"
  38
  39 # for running under corn, we need this, else, if we call
  40 # /sbin/update-initramfs , it will fail with:
  41 # /sbin/update-initramfs: 157: mkinitramfs: not found
  42 PATH="/sbin:$PATH"
  43
  44 if [[ $INVOCATION_ID ]]; then
  45   if [[ -e /b/bash_unpublished/source-state ]]; then
  46     # this is the canonical one
  47     source /b/bash_unpublished/source-state
  48   elif [[ -e /dev/shm/iank-status ]]; then
  49     # This one gets copied by system-status and is useful because it
  50     # exists when /a is unmounted.
  51     source /dev/shm/iank-status
  52   fi
  53   if [[ $MAIL_HOST && $MAIL_HOST != "$HOSTNAME" ]]; then
  54     echo "$0: exiting early: running under systemd as MAIL_HOST"
  55     exit 0
  56   fi
  57 fi
  58
  59 if [[ ! -e /tmp/keyscript-off ]]; then
  60   if [[ $($sed -rn 's/^ID=(.*)/\1/p' /etc/os-release) == arch ]]; then
  61     if ! grep -q '^\s*FILES=' /etc/mkinitcpio.conf; then
  62       $sed -ri 's/^#(\s*FILES=.*)/\1/' /etc/mkinitcpio.conf # uncomment
  63       mkinitcpio -p linux
  64     fi
  65   else
  66     x=decrypt_keyctl
  67     if grep -q "${x}," /etc/crypttab; then
  68       $sed -i "s#${x},#/root/keyscript,#" /etc/crypttab
  69       update-initramfs -u
  70     fi
  71   fi
  72 fi
  73 # switch to easy or hard login pass which is the same as luks
  74 f=/q/root/shadow/traci-simple
  75 [[ $HOSTNAME != tpnew ]] || usermod -p "$(cat $f)" iank
  76
  77 echo "$0: finished. $(date)"