@nexus166
Last active August 25, 2020 12:49
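#!/usr/bin/env bash
# Interactive installer: partitions a drive, sets up LUKS + LVM, debootstraps
# Debian onto it and enables remote unlock through dropbear in the initramfs.
#
# Usage: script [RSA_PUBKEY] [TARGET_DRIVE] [PART1_SIZE] [PART2_SIZE]
# Optional environment: SWAP_SIZE
#
# WARNING: the partition table of TARGET_DRIVE is replaced without any
# further confirmation.
set -eo pipefail

# Check every external tool up front. The partition table is rewritten early
# on, so discovering a missing tool half-way would leave the drive wiped and
# the install incomplete.
deps=(
  cryptsetup debootstrap fdisk lvcreate mkfs.ext3 mkfs.ext4
  mkswap openssl pvcreate ssh-keygen vgcreate
)
for _d in "${deps[@]}"; do
  if ! command -v "${_d}" >/dev/null; then
    printf 'missing required tool: %s\n' "${_d}" >&2
    exit 1
  fi
done

# Public key that will be authorised for the initramfs dropbear server.
RSA_PUBKEY="${1}"
[[ -z "${RSA_PUBKEY}" ]] && read -rp "Enter path to RSA public key (autogenerated): " RSA_PUBKEY
if [[ -z "${RSA_PUBKEY}" ]]; then
  RSA_PUBKEY=~/.ssh/id_rsa.pub
  # Reuse an existing default key instead of offering to overwrite it.
  # NOTE: a key generated here has an empty passphrase (-N ''), so whoever can
  # read ~/.ssh/id_rsa can reach the pre-boot unlock shell.
  [[ -f "${RSA_PUBKEY}" ]] || ssh-keygen -N '' -f ~/.ssh/id_rsa
fi
export RSA_PUBKEY

# The key file ends up on the unencrypted /boot (inside the initramfs), so
# fail now if it is unreadable, and refuse anything that looks like a private
# key.
if [[ ! -r "${RSA_PUBKEY}" ]]; then
  printf 'cannot read public key: %s\n' "${RSA_PUBKEY}" >&2
  exit 1
fi
if grep -q 'PRIVATE KEY' -- "${RSA_PUBKEY}"; then
  printf '%s looks like a private key; pass the .pub file instead\n' "${RSA_PUBKEY}" >&2
  exit 1
fi

TARGET_DRIVE="${2}"
while [[ -z "${TARGET_DRIVE}" ]]; do
  fdisk -l
  read -rp "Enter target drive: " TARGET_DRIVE
done
# A typo here would otherwise only surface after fdisk has been started.
# NOTE(review): later steps address partitions as "${TARGET_DRIVE}1" and
# "${TARGET_DRIVE}2", which does not match devices whose partitions carry a
# "p" infix (e.g. nvme0n1p1) -- confirm before using on such drives.
if [[ ! -b "${TARGET_DRIVE}" ]]; then
  printf '%s is not a block device\n' "${TARGET_DRIVE}" >&2
  exit 1
fi
export TARGET_DRIVE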
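#
## PARTITIONs
# Sizes come from $3/$4 or from a prompt; /boot defaults to 512M.
PART1_SIZE="${3}"
[[ -z "${PART1_SIZE}" ]] && read -rp "Enter /boot partition size (512M): " PART1_SIZE
PART1_SIZE="${PART1_SIZE:-512M}"
export PART1_SIZE
PART2_SIZE="${4}"
while [[ -z "${PART2_SIZE}" ]]; do
  read -rp "Enter / partition size (e.g. 264G): " PART2_SIZE
done

# The sizes are spliced into a scripted fdisk session below. A malformed value
# makes fdisk re-prompt, after which every following answer is consumed by the
# wrong question, so reject anything that is not <number>[unit] up front.
_size_re='^[0-9]+([KMGTP](iB|B)?)?$'
for _size in "${PART1_SIZE}" "${PART2_SIZE}"; do
  if [[ ! "${_size}" =~ ${_size_re} ]]; then
    printf 'invalid partition size: %s\n' "${_size}" >&2
    exit 1
  fi
done
unset _size _size_re

# Drive fdisk non-interactively: sed keeps only the first token of each line
# (dropping the trailing "# ..." annotations); lines that consist only of an
# annotation become empty, i.e. "accept the default".
# WARNING: this replaces the existing partition table of TARGET_DRIVE.
sed -e 's/\s*\([\+0-9a-zA-Z]*\).*/\1/' << EOF | fdisk "${TARGET_DRIVE}"
p # print
o # create a new empty DOS partition table (drops all existing partitions)
n # NEW /boot /dev/xxx1
p # primary partition
1 # partition number 1
# auto first sector
+${PART1_SIZE} # arg size /boot part
a # make partition bootable
p # print
n # NEW / /dev/xxx2
p # primary partition
2 # partition number 2
# auto first sector
+${PART2_SIZE} # arg size / part
p # print
w # write the partition table
q # and we're done
EOF

# format /boot
# -F answers mke2fs's "Proceed anyway?" question itself. The previous
# `yes | mkfs.ext3 ... || true` also hid genuine mkfs failures, which would
# only have surfaced much later when mounting /boot.
mkfs.ext3 -F "${TARGET_DRIVE}1"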
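#
## LUKS
# Ask for the passphrase twice, format the second partition as LUKS and open
# it under a randomly named mapper device (exported as CRYPTROOT).
LUKS_PASSPHRASE=
while [[ -z "${LUKS_PASSPHRASE}" ]]; do
  # Offers a random passphrase as a suggestion.
  # NOTE: the suggestion is printed in clear text, so it remains in terminal
  # scrollback and in any session log if the operator decides to use it.
  printf 'No key entered, here is one..\t[%s]\n' "$(openssl rand -hex 96)"
  read -rsp "Enter LUKS passphrase: " LUKS_PASSPHRASE
  printf '\n' # read -s does not echo the operator's newline
done
read -rsp "Enter LUKS passphrase again: " _LUKS_PASSPHRASE
printf '\n'
if [[ "${_LUKS_PASSPHRASE}" != "${LUKS_PASSPHRASE}" ]]; then
  printf '\n\nYOU FUCKED UP!\n\n'
  exit 2
fi
unset _LUKS_PASSPHRASE

# Hand the passphrase to cryptsetup on stdin (key file "-").
#  * The earlier `- <(_x)` form passed the process substitution as an extra
#    argument; it never redirected stdin, so the key did not come from the
#    variable.
#  * printf is a shell builtin, so the passphrase does not show up in any
#    process's argv or environment; the variable is deliberately NOT exported.
#  * No trailing newline is written: when the key is read as a key file the
#    newline would become part of the key, and an interactively typed
#    passphrase at boot would then not match -- verify against the installed
#    cryptsetup's documentation.
printf '%s' "${LUKS_PASSPHRASE}" | cryptsetup -q luksFormat "${TARGET_DRIVE}2" -
CRYPTROOT="cryptroot-$(openssl rand -hex 8)"
export CRYPTROOT
printf '%s' "${LUKS_PASSPHRASE}" | cryptsetup luksOpen "${TARGET_DRIVE}2" "${CRYPTROOT}" -d -
unset LUKS_PASSPHRASE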
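#
## LVM2
# One volume group on top of the opened LUKS device, holding swap and root,
# so both are covered by the disk encryption.
# NOTE(review): the volume group name "vg0" is fixed; vgcreate will fail if
# the host already has a volume group with that name.
pvcreate "/dev/mapper/${CRYPTROOT}"
vgcreate vg0 "/dev/mapper/${CRYPTROOT}"

# Swap size: environment, then prompt, then twice the installed RAM.
SWAP_SIZE="${SWAP_SIZE:-}"
[[ -z "${SWAP_SIZE}" ]] && read -rp "Enter swap partition size (RAM *2)M: " SWAP_SIZE
if [[ -z "${SWAP_SIZE}" ]]; then
  # Assign separately from `export`: `export VAR="$(cmd)"` reports the status
  # of export and would hide a failing free/awk pipeline.
  _ram_mib="$(free -m | awk '/^Mem:/ {print $2}')"
  if [[ ! "${_ram_mib}" =~ ^[0-9]+$ ]]; then
    printf 'could not determine the amount of RAM\n' >&2
    exit 1
  fi
  SWAP_SIZE="$((_ram_mib * 2))M"
  unset _ram_mib
fi
export SWAP_SIZE

lvcreate -L "${SWAP_SIZE}" -n swap vg0
mkswap /dev/vg0/swap
# Root takes 99% of what is left, keeping a little free space in the group.
lvcreate -l 99%FREE -n root vg0
mkfs.ext4 /dev/vg0/root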
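#
## debootstrap
# Install a minimal Debian into the new root and create device nodes in it.
mount /dev/vg0/root /mnt
# NOTE(review): the mirror is plain HTTP, so the integrity of the download
# rests entirely on the archive signature check. Make sure the Debian archive
# keyring is present on the host; debootstrap can be told to insist on a
# verified Release file (--force-check-gpg) -- confirm against the installed
# version.
debootstrap --arch amd64 buster /mnt http://deb.debian.org/debian

# Run the first-stage commands inside the new system.
#  * The shell is named explicitly: a bare `chroot /mnt` starts the HOST's
#    $SHELL, which need not exist inside the fresh chroot.
#  * The here-doc delimiter is quoted so nothing is expanded on the host.
#  * Commands are not run under `set -e`; a failing apt-get does not abort the
#    installer here (unchanged from before).
#  * `mount -t proc` inside the chroot leaves proc mounted at /mnt/proc on the
#    host after this step.
LANG=C.UTF-8 TERM=xterm-color DEBIAN_FRONTEND=noninteractive chroot /mnt /bin/sh <<'EOCMDLINE'
apt-get update;
apt-get dist-upgrade -y;
apt-get install -y makedev;
mount -t proc none /proc;
cd /dev;
MAKEDEV generic;
EOCMDLINE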
## TODO by-uuid
# fstab: one tab-separated row per mount. printf re-applies the format to each
# group of six arguments, so every group below becomes one line. tee echoes
# the result to the terminal while writing the file.
printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
  "${TARGET_DRIVE}1" /boot ext3 defaults 0 2 \
  /dev/vg0/root / ext4 defaults 0 1 \
  /dev/vg0/swap none swap sw 0 0 \
  proc /proc proc defaults 0 0 \
  | tee /mnt/etc/fstab

# crypttab: <mapper name> <source device> <key file> <options>
# "none" as key file means the passphrase is asked for at boot.
# NOTE: "discard" lets TRIM requests pass through the encrypted mapping, which
# reveals to anyone inspecting the raw device which blocks are unused. Drop it
# if that leak matters more than SSD trim support.
# (an earlier tab-separated variant without "discard" was:
#  printf '%s\t%s2\tnone\tluks\n' "${CRYPTROOT}" "${TARGET_DRIVE}")
_crypttab_entry="${CRYPTROOT} ${TARGET_DRIVE}2 none luks,discard"
printf '%s\n' "${_crypttab_entry}" | tee /mnt/etc/crypttab
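# Mount /boot and the host's virtual filesystems into the target so package
# installation and grub can see the real devices.
mount "${TARGET_DRIVE}1" /mnt/boot
mount --bind /dev /mnt/dev
mount -t devpts none /mnt/dev/pts
mount --bind /sys /mnt/sys
mount --bind /run /mnt/run
# proc is already mounted at /mnt/proc by the first chroot step; stacking a
# second mount on top leaves one behind when only a single umount is done, so
# bind it only when nothing is mounted there.
mountpoint -q /mnt/proc || mount --bind /proc /mnt/proc

# Remote unlock: authorise the operator's public key for the dropbear server
# that runs inside the initramfs.
# NOTE: the initramfs lives on the unencrypted /boot partition, so this file
# must only ever contain public keys.
# NOTE(review): the key gets a full shell in the initramfs; consider
# restricting it in authorized_keys to the unlock command only.
mkdir -vp /mnt/etc/dropbear-initramfs
cp -av "${RSA_PUBKEY}" /mnt/etc/dropbear-initramfs/authorized_keys
# dropbear flags: -s no password logins, -j / -k no local / remote port
# forwarding, -I 60 drop idle sessions after 60 seconds, -p 60022 listen port.
printf 'DROPBEAR_OPTIONS="-s -j -k -I 60 -p 60022"\n' | tee /mnt/etc/dropbear-initramfs/config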
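# Second chroot stage: kernel, bootloader, LUKS/LVM tooling, SSH and the
# initramfs dropbear.
#  * The shell is named explicitly: a bare `chroot /mnt` starts the HOST's
#    $SHELL, which need not exist inside the chroot.
#  * The here-doc delimiter is quoted and TARGET_DRIVE is passed through the
#    environment, so its value is expanded as data by the inner shell instead
#    of being pasted into the script text by the outer one.
#  * `yes N` declines the prompt raised while installing dropbear-initramfs.
#  * Commands are not run under `set -e`; a failing step does not abort the
#    installer here (unchanged from before).
LANG=C.UTF-8 TERM=xterm-color DEBIAN_FRONTEND=noninteractive \
  TARGET_DRIVE="${TARGET_DRIVE}" chroot /mnt /bin/sh <<'EOCMDLINE'
apt-get update;
apt-get dist-upgrade -y;
apt-get install -y cryptsetup grub-pc linux-image-amd64 locales lvm2 openssh-server;
yes N | apt-get install -y dropbear-initramfs;
apt-get clean;
apt-get autoclean;
update-grub2;
grub-install --force "${TARGET_DRIVE}";
EOCMDLINE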
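# Offer to stop here for manual customisation; otherwise tear everything down
# and reboot into the new system.
read -rp "Do you want to make further customizations (setup /etc/network/interfaces, initramfs dhcp /etc/default/grub, etc..)? Answering no will unmount everything and reboot(Y/n)" ANSWER
case "${ANSWER}" in
  n | N | no | No | NO)
    # Recursive unmount: /mnt/dev still carries /mnt/dev/pts, /mnt/run is
    # mounted as well and /mnt/proc may be mounted twice, so unmounting a
    # fixed list of mount points fails with "target is busy" and leaves the
    # LUKS device open.
    umount -R /mnt
    # Deactivate the volume group before closing the LUKS mapping beneath it.
    vgchange -an vg0
    cryptsetup -q luksClose "${CRYPTROOT}"
    sync
    shutdown -r now
    ;;
esac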
@nexus166

https://gist.github.com/wangruohui/df039f0dc434d6486f5d4d098aa52d07#install-nvidia-graphics-driver-via-apt-get
