fic/server
1
0
Fork 0
Code Issues Pull Requests 4 Releases Wiki Activity

fickit: Use dm-crypt key is not changed during updates

Browse Source
This commit is contained in:
nemunaire 2023-10-23 17:32:40 +02:00
parent e8c5b540d1
commit a80dd34d1b
4 changed files with 30 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
configs/gen_metadata.sh
View File

@ -22,10 +22,10 @@ then
FNAME="user-data" FNAME="user-data"
fi fi
export DM_CRYPT=$(jq -r '."dm-crypt".entries.key.content' USER_DAT.\;1) export DM_CRYPT=$(jq -r '."dm-crypt".entries.key.content' "${FNAME}")
export DHPARAM=$(jq -r '."tls_config".entries."dhparams-4096.pem".content' USER_DAT.\;1) export DHPARAM=$(jq -r '."tls_config".entries."dhparams-4096.pem".content' "${FNAME}")
export SYNCRO_PRIVATE_KEY=$(jq -r '.synchro.entries.id_ed25519.content' USER_DAT.\;1) export SYNCRO_PRIVATE_KEY=$(jq -r '.synchro.entries.id_ed25519.content' "${FNAME}")
export SYNCRO_PUBLIC_KEY=$(jq -r '.synchro.entries."id_ed25519.pub".content' USER_DAT.\;1) export SYNCRO_PUBLIC_KEY=$(jq -r '.synchro.entries."id_ed25519.pub".content' "${FNAME}")
fi fi
which vault > /dev/null 2> /dev/null || { echo "Please install vault" >&2; exit 1; } which vault > /dev/null 2> /dev/null || { echo "Please install vault" >&2; exit 1; }

22
configs/update_imgs.sh
View File

@ -2,7 +2,29 @@
mkdir -p /boot/imgs mkdir -p /boot/imgs
# Backup the previous metadata
mv fickit-metadata.iso fickit-metadata.iso.bak
for img in fickit-boot-kernel fickit-metadata.iso fickit-boot-initrd.img fickit-prepare-initrd.img fickit-frontend-squashfs.img fickit-backend-squashfs.img fickit-update-initrd.img for img in fickit-boot-kernel fickit-metadata.iso fickit-boot-initrd.img fickit-prepare-initrd.img fickit-frontend-squashfs.img fickit-backend-squashfs.img fickit-update-initrd.img
do do
wget -O "/boot/imgs/${img}" "$1/${img}" wget -O "/boot/imgs/${img}" "$1/${img}"
done done
# Check dm-crypt key not changed
ISO=$(mktemp -d)
mount /boot/imgs/fickit-metadata.iso "${ISO}"
NEW_KEY=$(sed -rn 's/.*"content": "([^"]+)"$/\1/p' "${ISO}/user-data" | head -n 1)
OLD_KEY=$(cat /run/config/dm-crypt/key)
[ "${NEW_KEY}" != "${OLD_KEY}" ] && {
read -p "DM-CRYPT key changed in metadata, are you sure you want to erase it? (y/N) " V
echo
echo "Metadata drive not erased"
echo
[ "$V" != "n" ] && [ "$V" != "N" ] && while true; do
/bin/ash
done
}
dd if=/boot/imgs/fickit-metadata.iso of="$2"

3
fickit-prepare.yml
View File

@ -141,8 +141,7 @@ files:
do do
/root/install_grub ${DEFAULT_BOOT} "${DISK}" /root/install_grub ${DEFAULT_BOOT} "${DISK}"
done done
/root/update_imgs "$(ip r | grep default | awk '{ print $3 }')" /root/update_imgs "$(ip r | grep default | awk '{ print $3 }')" "${META_PART}"
dd if=/boot/imgs/fickit-metadata.iso of=${META_PART}
} || } ||
/bin/ash /bin/ash

4
fickit-update.yml
View File

@ -34,8 +34,10 @@ files:
mdadm --auto-detect mdadm --auto-detect
mdadm --assemble /dev/md2 /dev/sd*1 mdadm --assemble /dev/md2 /dev/sd*1
BOOT_PART=/dev/md2 BOOT_PART=/dev/md2
META_PART=/dev/md3
else else
BOOT_PART=/dev/sda1 BOOT_PART=/dev/sda1
META_PART=/dev/sda2
fi fi
ip link set eth0 up ip link set eth0 up
@ -59,7 +61,7 @@ files:
done done
mount "${BOOT_PART}" /boot/ && mount "${BOOT_PART}" /boot/ &&
/root/update_imgs "${GW}" || /root/update_imgs "${GW}" "${META_PART}" ||
/bin/ash /bin/ash
umount /boot && umount /boot &&