CLI structure now:

  hal {status,diagnose,unlock,forget} HOST
  hal connect {rescue,chroot,server} HOST [CMD]
  hal setup {image,dropbear,grub,encrypt-root} HOST
  hal fix {boot,network,grub,kernel,static-ip,upgrade,expand-fs} HOST

Added subcommands cover the previously-manual sections of the README:

  setup image — upload autosetup + run installimage
  setup dropbear — install dropbear + mkinitcpio plugins + patch HOOKS
  setup grub — initial grub install for LUKS boot
  setup encrypt-root — full LUKS conversion of installed root
  connect server — SSH to booted Arch (vs rescue/chroot)
  unlock — cryptroot-unlock via dropbear with passphrase from keyring
  fix expand-fs — lvresize + btrfs resize

Renames (breaking):

  upgrade-system -> fix upgrade
  expand-fs -> fix expand-fs
  forget-passphrase -> forget
  reinstall-grub -> fix grub
  downgrade-kernel -> fix kernel
  use-static-ip -> fix static-ip
  fix-{boot,network} -> fix {boot,network}
  install-{image,grub} -> setup {image,grub}
  setup-dropbear -> setup dropbear
  encrypt-root -> setup encrypt-root

Removed downgrade-initramfs (never verified, narrow use case).

README rewritten to reference only hal commands; raw bash blocks for
pacman/cryptsetup/grub-install/mount/chroot are gone. Added autosetup.example
as a template for `hal setup image --autosetup PATH`.

Licensed under MIT (LICENSE file added). Author and homepage shown in
hal --version, hal --help, pyproject.toml, and README.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

60 lines
2.0 KiB
Bash
#!/bin/bash
# Runs on the BOOTED Arch system (post-installimage, pre-encryption).
# Wires up dropbear + encryptssh + netconf for later remote-LUKS-unlock.
#
# Performs sections 3.1–3.5 of the README:
# - install busybox / mkinitcpio-{dropbear,utils,netconf}
# - copy authorized_keys to /etc/dropbear/root_key
# - regenerate OpenSSH host keys in PEM format
# - convert RSA host key to dropbear format
# - replace the HOOKS line in /etc/mkinitcpio.conf
#
# Idempotent: re-running is safe. A backup of /etc/mkinitcpio.conf is taken
# at first patch as /etc/mkinitcpio.conf.hal-backup.

set -e

banner() { printf "\n========== %s ==========\n" "$1"; }

banner "installing dropbear + mkinitcpio plugins"
pacman -S --noconfirm --needed \
busybox mkinitcpio-dropbear mkinitcpio-utils mkinitcpio-netconf

banner "copying authorized_keys to /etc/dropbear/root_key"
install -d -m 0755 /etc/dropbear
install -m 0600 /root/.ssh/authorized_keys /etc/dropbear/root_key
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys

banner "enabling sshd"
systemctl enable sshd

banner "regenerating OpenSSH host keys (PEM format)"
rm -f /etc/ssh/ssh_host_*
ssh-keygen -A -m PEM

banner "importing RSA host key into dropbear"
dropbearconvert openssh dropbear \
/etc/ssh/ssh_host_rsa_key /etc/dropbear/dropbear_rsa_host_key

banner "patching HOOKS in /etc/mkinitcpio.conf"
[ -f /etc/mkinitcpio.conf.hal-backup ] \
|| cp -a /etc/mkinitcpio.conf /etc/mkinitcpio.conf.hal-backup

# Replace any existing HOOKS=(...) line with the encryptssh-enabled set.
sed -i -E \
's|^HOOKS=.*|HOOKS=(base udev autodetect modconf block mdadm_udev lvm2 netconf dropbear encryptssh filesystems keyboard fsck)|' \
/etc/mkinitcpio.conf

echo "HOOKS line is now:"
grep '^HOOKS=' /etc/mkinitcpio.conf

banner "done"
cat <<EOF
Next steps:
1. Activate Hetzner Rescue in the Robot, then reboot the server.
2. From your client: hal connect rescue <host>
3. Inside rescue: hal encrypt-root <host>
4. After that: hal install-grub <host>
EOF
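
Review bot: The "Next steps" heredoc at the end of the script still prints the pre-rename commands `hal encrypt-root <host>` and `hal install-grub <host>`. The commit message lists both as breaking renames (`encrypt-root -> setup encrypt-root`, `install-{image,grub} -> setup {image,grub}`), so steps 3 and 4 should read `hal setup encrypt-root <host>` and `hal setup grub <host>`, otherwise the script points the operator at commands that no longer exist. Separately, the header comment claims "Idempotent: re-running is safe", but every run executes `rm -f /etc/ssh/ssh_host_*` followed by `ssh-keygen -A -m PEM`, which replaces all host keys and so changes the server's SSH identity for any client that has already pinned it. Consider regenerating only when the keys are missing or not yet in PEM format, or narrow the idempotency claim in the comment so a host-key-changed warning after a re-run is expected rather than a surprise.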