Reorganized hal CLI into subcommand groups + MIT licensed

CLI structure now: hal {status,diagnose,unlock,forget} HOST hal connect {rescue,chroot,server} HOST [CMD] hal setup {image,dropbear,grub,encrypt-root} HOST hal fix {boot,network,grub,kernel,static-ip,upgrade,expand-fs} HOST Added subcommands cover the previously-manual sections of the README: setup image — upload autosetup + run installimage setup dropbear — install dropbear + mkinitcpio plugins + patch HOOKS setup grub — initial grub install for LUKS boot setup encrypt-root — full LUKS conversion of installed root connect server — SSH to booted Arch (vs rescue/chroot) unlock — cryptroot-unlock via dropbear with passphrase from keyring fix expand-fs — lvresize + btrfs resize Renames (breaking): upgrade-system -> fix upgrade expand-fs -> fix expand-fs forget-passphrase -> forget reinstall-grub -> fix grub downgrade-kernel -> fix kernel use-static-ip -> fix static-ip fix-{boot,network} -> fix {boot,network} install-{image,grub} -> setup {image,grub} setup-dropbear -> setup dropbear encrypt-root -> setup encrypt-root Removed downgrade-initramfs (never verified, narrow use case). README rewritten to reference only hal commands; raw bash blocks for pacman/cryptsetup/grub-install/mount/chroot are gone. Added autosetup.example as a template for `hal setup image --autosetup PATH`. Licensed under MIT (LICENSE file added). Author and homepage shown in hal --version, hal --help, pyproject.toml, and README. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 18:10:06 +02:00
parent 181240eae7
commit 3cf66640b5
10 changed files with 755 additions and 603 deletions
--- a/src/hetzner_arch_luks/resources/setup/dropbear.sh
+++ b/src/hetzner_arch_luks/resources/setup/dropbear.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+# Runs on the BOOTED Arch system (post-installimage, pre-encryption).
+# Wires up dropbear + encryptssh + netconf for later remote-LUKS-unlock.
+#
+# Performs sections 3.1–3.5 of the README:
+#   - install busybox / mkinitcpio-{dropbear,utils,netconf}
+#   - copy authorized_keys to /etc/dropbear/root_key
+#   - regenerate OpenSSH host keys in PEM format
+#   - convert RSA host key to dropbear format
+#   - replace the HOOKS line in /etc/mkinitcpio.conf
+#
+# Idempotent: re-running is safe. A backup of /etc/mkinitcpio.conf is taken
+# at first patch as /etc/mkinitcpio.conf.hal-backup.
+
+set -e
+
+banner() { printf "\n========== %s ==========\n" "$1"; }
+
+banner "installing dropbear + mkinitcpio plugins"
+pacman -S --noconfirm --needed \
+  busybox mkinitcpio-dropbear mkinitcpio-utils mkinitcpio-netconf
+
+banner "copying authorized_keys to /etc/dropbear/root_key"
+install -d -m 0755 /etc/dropbear
+install -m 0600 /root/.ssh/authorized_keys /etc/dropbear/root_key
+chmod 700 /root/.ssh
+chmod 600 /root/.ssh/authorized_keys
+
+banner "enabling sshd"
+systemctl enable sshd
+
+banner "regenerating OpenSSH host keys (PEM format)"
+rm -f /etc/ssh/ssh_host_*
+ssh-keygen -A -m PEM
+
+banner "importing RSA host key into dropbear"
+dropbearconvert openssh dropbear \
+  /etc/ssh/ssh_host_rsa_key /etc/dropbear/dropbear_rsa_host_key
+
+banner "patching HOOKS in /etc/mkinitcpio.conf"
+[ -f /etc/mkinitcpio.conf.hal-backup ] \
+  || cp -a /etc/mkinitcpio.conf /etc/mkinitcpio.conf.hal-backup
+
+# Replace any existing HOOKS=(...) line with the encryptssh-enabled set.
+sed -i -E \
+  's|^HOOKS=.*|HOOKS=(base udev autodetect modconf block mdadm_udev lvm2 netconf dropbear encryptssh filesystems keyboard fsck)|' \
+  /etc/mkinitcpio.conf
+
+echo "HOOKS line is now:"
+grep '^HOOKS=' /etc/mkinitcpio.conf
+
+banner "done"
+cat <<EOF
+Next steps:
+  1. Activate Hetzner Rescue in the Robot, then reboot the server.
+  2. From your client:  hal connect rescue <host>
+  3. Inside rescue:     hal encrypt-root <host>
+  4. After that:        hal install-grub <host>
+EOF