phg/packer
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Configure LUKS and root password via kernel boot options

Browse source
This commit is contained in:
Philip Henning 2026-02-07 10:11:53 +01:00
parent 9d6ce38c8e
commit cea8812dbd
4 changed files with 38 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

14
_scripts/unlock-luks-after-install.py
View file

@ -73,10 +73,18 @@ def main() -> int:
proxmox_skip_tls_verify = ( proxmox_skip_tls_verify = (
get_variable_default(variables_common, "proxmox_skip_tls_verify") or False get_variable_default(variables_common, "proxmox_skip_tls_verify") or False
) )
default_luks_passphrase = get_variable_default(
variables_common, "default_luks_passphrase"
)
proxmox_node = get_variable_default(variables, "proxmox_node") proxmox_node = get_variable_default(variables, "proxmox_node")
template_vm_id = get_variable_default(variables, "template_vm_id") template_vm_id = get_variable_default(variables, "template_vm_id")
_ = proxmox_api_url, proxmox_node, template_vm_id, credentials _ = (
proxmox_api_url,
proxmox_node,
template_vm_id,
credentials,
)
server_event = threading.Event() server_event = threading.Event()
@ -232,7 +240,9 @@ def main() -> int:
) )
if remaining: if remaining:
time.sleep(1) time.sleep(1)
for char in "packer": if not default_luks_passphrase:
raise RuntimeError("default_luks_passphrase not set")
for char in default_luks_passphrase:
send_key(char) send_key(char)
time.sleep(0.1) time.sleep(0.1)
send_key("ret") send_key("ret")

11
debian/13-trixie-luks/debian-trixie.pkr.hcl vendored
View file

@ -74,8 +74,13 @@ source "proxmox-iso" "debian-13-trixie-luks" {
boot_command = [ boot_command = [
"<wait3>c<wait3>", "<wait3>c<wait3>",
"linux /install.amd/vmlinuz auto-install/enable=true priority=critical ", "linux /install.amd/vmlinuz auto-install/enable=true priority=critical ",
"DEBIAN_FRONTEND=text ",
"passwd/root-password='${var.default_root_passphrase}' ",
"passwd/root-password-again='${var.default_root_passphrase}' ",
"partman-crypto/passphrase='${var.default_luks_passphrase}' ",
"partman-crypto/passphrase-again='${var.default_luks_passphrase}' ",
"INSTALL_FINISHED_INFORM_URL='http://{{ .HTTPIP }}:${var.install_finished_inform_port}/install_finished' ", "INSTALL_FINISHED_INFORM_URL='http://{{ .HTTPIP }}:${var.install_finished_inform_port}/install_finished' ",
"DEBIAN_FRONTEND=text preseed/url=http://{{ .HTTPIP }}:{{ .HTTPPort }}/preseed.cfg noprompt<enter>", "preseed/url=http://{{ .HTTPIP }}:{{ .HTTPPort }}/preseed.cfg noprompt<enter>",
"initrd /install.amd/initrd.gz<enter>", "initrd /install.amd/initrd.gz<enter>",
"DEBCONF_DEBUG=5<enter>", "DEBCONF_DEBUG=5<enter>",
"boot<enter>" "boot<enter>"
@ -87,7 +92,7 @@ source "proxmox-iso" "debian-13-trixie-luks" {
# SSH Settings # SSH Settings
ssh_username = "root" ssh_username = "root"
ssh_password = "packer" ssh_password = "${var.default_root_passphrase}"
ssh_timeout = "20m" ssh_timeout = "20m"
ssh_pty = true ssh_pty = true
} }
@ -104,9 +109,9 @@ build {
"apt -y autoremove --purge 2> /dev/null", "apt -y autoremove --purge 2> /dev/null",
"apt -y clean 2> /dev/null", "apt -y clean 2> /dev/null",
"apt -y autoclean 2> /dev/null", "apt -y autoclean 2> /dev/null",
"rm -rf /var/cache/apt/archives /var/lib/apt/lists/*",
"cloud-init clean", "cloud-init clean",
"rm -f /etc/cloud/cloud.cfg.d/subiquity-disable-cloudinit-networking.cfg", "rm -f /etc/cloud/cloud.cfg.d/subiquity-disable-cloudinit-networking.cfg",
"rm -rf /var/cache/apt/archives /var/lib/apt/lists/*",
"sync" "sync"
] ]
} }

10
debian/13-trixie-luks/http/preseed.cfg vendored
View file

@ -18,8 +18,9 @@ d-i netcfg/disable_dhcp boolean false
### Root Password (no user) ### Root Password (no user)
d-i passwd/make-user boolean false d-i passwd/make-user boolean false
d-i passwd/root-password password packer # Root password is set via kernel cmdline in debian-trixie.pkr.hcl; these lines are ignored but left here for reference:
d-i passwd/root-password-again password packer # d-i passwd/root-password password "$PACKER_ROOT_PASS"
# d-i passwd/root-password-again password "$PACKER_ROOT_PASS"
### Mirror / APT ### Mirror / APT
d-i apt-setup/cdrom/set-first boolean false d-i apt-setup/cdrom/set-first boolean false
@ -71,8 +72,9 @@ d-i partman-md/confirm boolean true
d-i partman-md/confirm_nooverwrite boolean true d-i partman-md/confirm_nooverwrite boolean true
# LUKS password # LUKS password
d-i partman-crypto/passphrase password packer # LUKS passphrase is set via kernel cmdline in debian-trixie.pkr.hcl; these lines are ignored but left here for reference:
d-i partman-crypto/passphrase-again password packer # d-i partman-crypto/passphrase password "$PACKER_LUKS_PASS"
# d-i partman-crypto/passphrase-again password "$PACKER_LUKS_PASS"
d-i partman-crypto/weak_passphrase boolean true d-i partman-crypto/weak_passphrase boolean true
d-i partman-crypto/confirm boolean true d-i partman-crypto/confirm boolean true
d-i partman-auto-crypto/erase_disks boolean false d-i partman-auto-crypto/erase_disks boolean false

12
variables-common.pkr.hcl
View file

@ -15,3 +15,15 @@ variable "source_proxmox_http_interface" {
default = "en18" default = "en18"
description = "The network interface to use for the Proxmox HTTP source" description = "The network interface to use for the Proxmox HTTP source"
} }
variable "default_luks_passphrase" {
type = string
default = "packer"
description = "Default passphrase for LUKS encryption (will be removed, when setup is completed via cloudinit)"
}
variable "default_root_passphrase" {
type = string
default = "packer"
description = "Default passphrase for root user (will be removed, when setup is completed via cloudinit)"
}