hetzner-arch-luks/src/hetzner_arch_luks/resources/setup/dropbear.sh

60 lines
2.0 KiB
Bash

Reorganized hal CLI into subcommand groups + MIT licensed

CLI structure now:
  hal {status,diagnose,unlock,forget} HOST
  hal connect {rescue,chroot,server} HOST [CMD]
  hal setup {image,dropbear,grub,encrypt-root} HOST
  hal fix {boot,network,grub,kernel,static-ip,upgrade,expand-fs} HOST

Added subcommands cover the previously-manual sections of the README:
  setup image — upload autosetup + run installimage
  setup dropbear — install dropbear + mkinitcpio plugins + patch HOOKS
  setup grub — initial grub install for LUKS boot
  setup encrypt-root — full LUKS conversion of installed root
  connect server — SSH to booted Arch (vs rescue/chroot)
  unlock — cryptroot-unlock via dropbear with passphrase from keyring
  fix expand-fs — lvresize + btrfs resize

Renames (breaking):
  upgrade-system -> fix upgrade
  expand-fs -> fix expand-fs
  forget-passphrase -> forget
  reinstall-grub -> fix grub
  downgrade-kernel -> fix kernel
  use-static-ip -> fix static-ip
  fix-{boot,network} -> fix {boot,network}
  install-{image,grub} -> setup {image,grub}
  setup-dropbear -> setup dropbear
  encrypt-root -> setup encrypt-root

Removed downgrade-initramfs (never verified, narrow use case).

README rewritten to reference only hal commands; raw bash blocks for
pacman/cryptsetup/grub-install/mount/chroot are gone. Added
autosetup.example as a template for `hal setup image --autosetup PATH`.

Licensed under MIT (LICENSE file added). Author and homepage shown in
hal --version, hal --help, pyproject.toml, and README.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 18:10:06 +02:00
#!/bin/bash
# Runs on the BOOTED Arch system (post-installimage, pre-encryption).
# Wires up dropbear + encryptssh + netconf for later remote-LUKS-unlock.
#
# Performs sections 3.1–3.5 of the README:
# - install busybox / mkinitcpio-{dropbear,utils,netconf}
# - copy authorized_keys to /etc/dropbear/root_key
# - regenerate OpenSSH host keys in PEM format
# - convert RSA host key to dropbear format
# - replace the HOOKS line in /etc/mkinitcpio.conf
#
# It does NOT rebuild the initramfs: the new HOOKS line only takes effect
# once mkinitcpio runs again in a later step.
#
# Idempotent: re-running is safe. A backup of /etc/mkinitcpio.conf is taken
# at first patch as /etc/mkinitcpio.conf.hal-backup. Note that every run
# rotates the OpenSSH host keys (see below), so clients must re-learn them.
set -euo pipefail
banner() { printf "\n========== %s ==========\n" "$1"; }
banner "installing dropbear + mkinitcpio plugins"
pacman -S --noconfirm --needed \
busybox mkinitcpio-dropbear mkinitcpio-utils mkinitcpio-netconf
banner "copying authorized_keys to /etc/dropbear/root_key"
# root_key is an authorized_keys file (public keys only); it is what the
# initramfs dropbear will accept logins against, so refuse to continue
# without it rather than letting install(1) fail with a terse error.
if [ ! -s /root/.ssh/authorized_keys ]; then
    echo "ERROR: /root/.ssh/authorized_keys is missing or empty" >&2
    exit 1
fi
install -d -m 0755 /etc/dropbear
install -m 0600 /root/.ssh/authorized_keys /etc/dropbear/root_key
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys
banner "enabling sshd"
systemctl enable sshd
banner "regenerating OpenSSH host keys (PEM format)"
# dropbearconvert wants the legacy PEM encoding, while ssh-keygen has written
# its own native key format by default since OpenSSH 7.8. ssh-keygen -A only
# creates keys that are missing, hence the rm first.
# This rotates sshd's host identity: existing known_hosts entries for this
# server will no longer match and have to be replaced on every client.
rm -f /etc/ssh/ssh_host_*
ssh-keygen -A -m PEM
banner "importing RSA host key into dropbear"
dropbearconvert openssh dropbear \
/etc/ssh/ssh_host_rsa_key /etc/dropbear/dropbear_rsa_host_key
banner "patching HOOKS in /etc/mkinitcpio.conf"
[ -f /etc/mkinitcpio.conf.hal-backup ] \
    || cp -a /etc/mkinitcpio.conf /etc/mkinitcpio.conf.hal-backup
# sed silently does nothing when there is no HOOKS line, so check first.
grep -q '^HOOKS=' /etc/mkinitcpio.conf \
    || { echo "ERROR: no HOOKS= line in /etc/mkinitcpio.conf" >&2; exit 1; }
# Replace any existing HOOKS=(...) line with the encryptssh-enabled set.
# Order matters: netconf brings the network up before dropbear listens, both
# run before encryptssh blocks waiting for the passphrase, and lvm2 sits
# before encryptssh so any LV the container lives on is already activated.
sed -i -E \
    's|^HOOKS=.*|HOOKS=(base udev autodetect modconf block mdadm_udev lvm2 netconf dropbear encryptssh filesystems keyboard fsck)|' \
    /etc/mkinitcpio.conf
echo "HOOKS line is now:"
grep '^HOOKS=' /etc/mkinitcpio.conf
banner "done"
cat <<'EOF'
Next steps:
1. Activate Hetzner Rescue in the Robot, then reboot the server.
2. From your client: hal connect rescue <host>
3. With the server in rescue: hal setup encrypt-root <host>
4. After that: hal setup grub <host>
EOF
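The checks below are an added example and not part of hetzner-arch-luks: they verify the state dropbear.sh is meant to leave behind (the HOOKS ordering remote unlock depends on, and the contents and permissions of the dropbear directory) without touching pacman, ssh-keygen or dropbearconvert. Every path is a parameter, so the functions run against constructed sample files here and can then be pointed at the real /etc/mkinitcpio.conf and /etc/dropbear. The function names, the constraint list and the sample HOOKS lines are this example's own; it assumes a GNU or busybox `stat` that understands `-c '%a'`.

```bash
#!/bin/bash
# Added example (not hetzner-arch-luks code): post-run checks for dropbear.sh.
# Paths are parameters so the checks work on constructed sample files too.
# Assumes GNU/busybox stat (-c '%a'); function names are this example's own.

# Print the hooks from the HOOKS=(...) line of a mkinitcpio.conf, one per line.
hooks_of() {
    sed -nE 's/^HOOKS=\((.*)\)[[:space:]]*$/\1/p' "$1" | tr -s ' ' '\n' | sed '/^$/d'
}

# 0-based position of hook $2 in file $1, or -1 when it is absent.
hook_index() {
    hooks_of "$1" | awk -v h="$2" \
        '$0 == h { print NR - 1; found = 1; exit } END { if (!found) print -1 }'
}

# Succeeds when hook $2 is listed before hook $3 in file $1 (both must exist).
hook_before() {
    local a b
    a=$(hook_index "$1" "$2")
    b=$(hook_index "$1" "$3")
    [ "$a" -ge 0 ] && [ "$b" -ge 0 ] && [ "$a" -lt "$b" ]
}

# Ordering constraints a remote-unlock initramfs needs:
#   block, lvm2 before encryptssh  (the LUKS container must exist before the prompt)
#   netconf before dropbear        (network must be up before the SSH listener)
#   dropbear before encryptssh     (listener must be up before waiting for the passphrase)
#   encryptssh before filesystems  (root must be unlocked before it is mounted)
# Prints each violated constraint to stderr; returns the number of violations.
check_hooks() {
    local f="$1" bad=0 pair
    for pair in block:encryptssh lvm2:encryptssh netconf:dropbear \
                dropbear:encryptssh encryptssh:filesystems; do
        if ! hook_before "$f" "${pair%%:*}" "${pair##*:}"; then
            echo "HOOKS: '${pair%%:*}' must precede '${pair##*:}'" >&2
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Checks on the dropbear directory: root_key present, non-empty, mode 0600,
# free of private-key material (it is an authorized_keys file, public keys
# only), and the converted RSA host key present. Returns the violation count.
check_dropbear_dir() {
    local d="$1" bad=0 mode
    if [ ! -s "$d/root_key" ]; then
        echo "$d/root_key missing or empty" >&2; bad=$((bad + 1))
    else
        mode=$(stat -c '%a' "$d/root_key")
        [ "$mode" = "600" ] || { echo "$d/root_key mode is $mode, want 600" >&2; bad=$((bad + 1)); }
        if grep -q 'PRIVATE KEY' "$d/root_key"; then
            echo "$d/root_key contains private-key material" >&2; bad=$((bad + 1))
        fi
    fi
    [ -s "$d/dropbear_rsa_host_key" ] \
        || { echo "$d/dropbear_rsa_host_key missing" >&2; bad=$((bad + 1)); }
    return "$bad"
}

# Demo on constructed input: the HOOKS line dropbear.sh writes, and a broken one.
demo() {
    local tmp good bad f
    tmp=$(mktemp -d)
    good="$tmp/good.conf"; bad="$tmp/bad.conf"
    echo 'HOOKS=(base udev autodetect modconf block mdadm_udev lvm2 netconf dropbear encryptssh filesystems keyboard fsck)' > "$good"
    echo 'HOOKS=(base udev autodetect modconf block filesystems dropbear netconf encryptssh fsck)' > "$bad"
    for f in "$good" "$bad"; do
        if check_hooks "$f"; then
            echo "$(basename "$f"): HOOKS order ok"
        else
            echo "$(basename "$f"): HOOKS order violated"
        fi
    done
    rm -rf "$tmp"
}
demo
```

On the real box, run `check_hooks /etc/mkinitcpio.conf && check_dropbear_dir /etc/dropbear` after dropbear.sh; a third check worth doing by hand is that the public key line printed by `dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key` matches `/etc/ssh/ssh_host_rsa_key.pub`, which confirms the initramfs listener presents the same RSA identity as sshd.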