dtrfs/scripts/install_os.sh


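#!/bin/bash
# SPDX-License-Identifier: Unlicense
# This script is called by dtrfs_api to install an OS.
#
# Required environment:
#   INSTALL_URL   URL of the fsarchiver OS template to download
#   INSTALL_SHA   expected SHA-256 (hex) of the downloaded template
#   VM_HOSTNAME   hostname written into the guest's /etc/hostname
#   ROOT_KEYFILE  path of the LUKS key file used to format and open /dev/vda1
# Optional environment:
#   SNP_KEY_FILE  when the file exists it is enrolled as an extra LUKS key slot
#
# Exit codes: 1 INSTALL_URL missing or template hash mismatch; 2 INSTALL_SHA or
# VM_HOSTNAME missing; 3 ROOT_KEYFILE not found; 4 /dev/vda1 is already LUKS;
# 5 luksFormat failed; 6 luksOpen failed; 7 mkfs failed; 8 mount failed;
# 9 download failed; 10 SNP key enrollment failed; 11 template restore failed.

if [[ -z "$INSTALL_URL" ]]; then
  echo "Did not find INSTALL_URL env variable."
  exit 1
fi
if [[ -z "$INSTALL_SHA" ]]; then
  echo "Did not find INSTALL_SHA env variable."
  exit 2
fi
if [[ -z "$VM_HOSTNAME" ]]; then
  echo "Did not find VM_HOSTNAME env variable."
  exit 2
fi
if [[ ! -f "$ROOT_KEYFILE" ]]; then
  echo "Did not find keyfile at the following location: $ROOT_KEYFILE"
  exit 3
fi

# Refuse to touch a disk whose vda1 already carries a LUKS container.
if blkid | grep vda1 | grep -q LUKS; then
  echo "/dev/vda1 already has a LUKS partition"
  exit 4
fi

echo "=== Creating partition /dev/vda1"
# fdisk answers: new partition, primary, default number / first / last
# sector (three empty lines), then write the table.
fdisk /dev/vda <<'EOF'
n
p



w
EOF

echo "=== Formatting /dev/vda1 using cryptsetup luksFormat and opening as root"
cryptsetup luksFormat --batch-mode -d "$ROOT_KEYFILE" /dev/vda1 || exit 5
if [[ -f "$SNP_KEY_FILE" ]]; then
  echo "Adding LUKS slot via SNP KDF key found at $SNP_KEY_FILE"
  # A failed enrollment must not pass silently: the resulting container could
  # not be unlocked with the SNP-derived key later on.
  cryptsetup luksAddKey \
    --key-file "$ROOT_KEYFILE" \
    --new-keyfile "$SNP_KEY_FILE" /dev/vda1 || exit 10
fi
cryptsetup open -d "$ROOT_KEYFILE" /dev/vda1 root || exit 6

echo "=== Formatting /dev/mapper/root as ext4 and mounting at /mnt"
mkfs.ext4 /dev/mapper/root || exit 7
mount /dev/mapper/root /mnt || exit 8

echo "=== Downloading OS template from $INSTALL_URL and verifying hash"
if ! wget -O /mnt/template.fsa "$INSTALL_URL"; then
  echo "Failed to download $INSTALL_URL"
  exit 9
fi
# Compare the whole digest exactly. Matching INSTALL_SHA with grep would accept
# any archive whose digest merely contains the supplied value as a substring
# or regex, which defeats the integrity check. sha256sum prints lowercase hex,
# so the expected value is lowercased before the comparison.
read -r actual_sha _ < <(sha256sum /mnt/template.fsa)
if [[ "$actual_sha" != "${INSTALL_SHA,,}" ]]; then
  echo "Template hash mismatch: expected $INSTALL_SHA, got $actual_sha"
  exit 1
fi

echo "=== Installing OS template"
# The archive is restored relative to /; the paths stored inside it are
# expected to land under /mnt (presumably the template was saved from a /mnt
# tree — confirm against the template build). A failed restore must not be
# reported as a successful install.
fsarchiver restdir /mnt/template.fsa / || exit 11
rm /mnt/template.fsa
# TODO: decide for UX if maybe we should allow user to inject fstab
echo "" > /mnt/etc/fstab

echo "=== Setting up guest hostname as $VM_HOSTNAME"
printf '%s\n' "$VM_HOSTNAME" > /mnt/etc/hostname

echo "=== Generating SSH public keys"
# NOTE(review): this writes the running environment's /etc/passwd, not the
# guest's /mnt/etc/passwd — looks like it only exists so ssh-keygen can
# resolve uid 0; verify before changing.
echo "root:x:0:0:root:/root:/bin/sh" > /etc/passwd
# Generate each host key type only when the template did not ship one.
for key_type in rsa ecdsa ed25519; do
  key_path="/mnt/etc/ssh/ssh_host_${key_type}_key"
  [[ -f "$key_path" ]] ||
    ssh-keygen -t "$key_type" -f "$key_path" -N '' > /dev/null
done
echo "=== Done! Download keys from /server_pubkeys"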