feat: make bootstrapper more secure (confirm pw)

SwarselSystems.org

@@ -2959,6 +2959,13 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
       red "Swap: X"
   fi
 
+  SECUREBOOT="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSecureBoot)"
+  if [[ $SECUREBOOT == "true" ]]; then
+      green "Secure Boot: ✓"
+  else
+      red "Secure Boot: X"
+  fi
+
   ssh_cmd="ssh -oport=${ssh_port} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -t $target_user@$target_destination"
   # ssh_root_cmd=$(echo "$ssh_cmd" | sed "s|${target_user}@|root@|") # uses @ in the sed switch to avoid it triggering on the $ssh_key value
   ssh_root_cmd=${ssh_cmd/${target_user}@/root@}
@@ -2994,23 +3001,27 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
   # when using luks, disko expects a passphrase on /tmp/disko-password, so we set it for now and will update the passphrase later
   # via the config
   if [ "$disk_encryption" -eq 1 ]; then
-      green "--encryption set: Preparing a temporary password for disko."
-      green "[Optional] Set disk encryption passphrase:"
+      while true; do
+          green "Set disk encryption passphrase:"
           read -rs luks_passphrase
-      if [ -n "$luks_passphrase" ]; then
+          green "Please confirm passphrase:"
+          read -rs luks_passphrase_confirm
+          if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then
               $ssh_root_cmd "/bin/sh -c 'echo $luks_passphrase > /tmp/disko-password'"
+              break
           else
-          $ssh_root_cmd "/bin/sh -c 'echo passphrase > /tmp/disko-password'"
+              red "Passwords do not match"
           fi
-  else
-      green "--encryption not set: Not using disk encryption.."
+      done
   fi
   # ------------------------
   green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config."
   $ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt"
 
+  if [[ $SECUREBOOT == "true" ]]; then
       green "Injecting initialSetup"
       $ssh_root_cmd "sed -i '/  boot.extraModulePackages /a \  swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix"
+  fi
 
   mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname"
   $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
@@ -3034,6 +3045,8 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
   done
 
   # ------------------------
+
+  if [[ $SECUREBOOT == "true" ]]; then
       green "Setting up secure boot keys"
       $ssh_root_cmd "mkdir -p /var/lib/sbctl"
       read -ra scp_call <<< "${scp_cmd}"
@@ -3042,6 +3055,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
       # ------------------------
       green "restoring hardware-configuration"
       sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
+  fi
 
   if [ -n "$persist_dir" ]; then
       $ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true"
@@ -3121,11 +3135,6 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
       echo
   fi
 
-  # # ------------------------
-  # green "Enrolling secure boot keys"
-  # $ssh_root_cmd "sbctl enroll-keys --microsoft"
-  # ------------------------
-
   if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then
       cd "${git_root}"
       deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe

scripts/bootstrap.sh

@@ -151,6 +151,13 @@ else
     red "Swap: X"
 fi
 
+SECUREBOOT="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSecureBoot)"
+if [[ $SECUREBOOT == "true" ]]; then
+    green "Secure Boot: ✓"
+else
+    red "Secure Boot: X"
+fi
+
 ssh_cmd="ssh -oport=${ssh_port} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -t $target_user@$target_destination"
 # ssh_root_cmd=$(echo "$ssh_cmd" | sed "s|${target_user}@|root@|") # uses @ in the sed switch to avoid it triggering on the $ssh_key value
 ssh_root_cmd=${ssh_cmd/${target_user}@/root@}
@@ -186,23 +193,27 @@ ssh-keyscan -p "$ssh_port" "$target_destination" >> ~/.ssh/known_hosts || true
 # when using luks, disko expects a passphrase on /tmp/disko-password, so we set it for now and will update the passphrase later
 # via the config
 if [ "$disk_encryption" -eq 1 ]; then
-    green "--encryption set: Preparing a temporary password for disko."
-    green "[Optional] Set disk encryption passphrase:"
+    while true; do
+        green "Set disk encryption passphrase:"
         read -rs luks_passphrase
-    if [ -n "$luks_passphrase" ]; then
+        green "Please confirm passphrase:"
+        read -rs luks_passphrase_confirm
+        if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then
             $ssh_root_cmd "/bin/sh -c 'echo $luks_passphrase > /tmp/disko-password'"
+            break
         else
-        $ssh_root_cmd "/bin/sh -c 'echo passphrase > /tmp/disko-password'"
+            red "Passwords do not match"
         fi
-else
-    green "--encryption not set: Not using disk encryption.."
+    done
 fi
 # ------------------------
 green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config."
 $ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt"
 
-green "Injecting initialSetup"
-$ssh_root_cmd "sed -i '/  boot.extraModulePackages /a \  swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix"
+if [[ $SECUREBOOT == "true" ]]; then
+    green "Injecting initialSetup"
+    $ssh_root_cmd "sed -i '/  boot.extraModulePackages /a \  swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix"
+fi
 
 mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname"
 $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
@@ -226,14 +237,17 @@ while true; do
 done
 
 # ------------------------
-green "Setting up secure boot keys"
-$ssh_root_cmd "mkdir -p /var/lib/sbctl"
-read -ra scp_call <<< "${scp_cmd}"
-sudo "${scp_call[@]}" -r /var/lib/sbctl root@"$target_destination":/var/lib/
-$ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true"
-# ------------------------
-green "restoring hardware-configuration"
-sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
+
+if [[ $SECUREBOOT == "true" ]]; then
+    green "Setting up secure boot keys"
+    $ssh_root_cmd "mkdir -p /var/lib/sbctl"
+    read -ra scp_call <<< "${scp_cmd}"
+    sudo "${scp_call[@]}" -r /var/lib/sbctl root@"$target_destination":/var/lib/
+    $ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true"
+    # ------------------------
+    green "restoring hardware-configuration"
+    sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
+fi
 
 if [ -n "$persist_dir" ]; then
     $ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true"
@@ -313,11 +327,6 @@ else
     echo
 fi
 
-# # ------------------------
-# green "Enrolling secure boot keys"
-# $ssh_root_cmd "sbctl enroll-keys --microsoft"
-# ------------------------
-
 if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then
     cd "${git_root}"
     deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe