Configure LUKS and root password via kernel boot options

2026-02-07 10:11:53 +01:00 · 2026-02-07 10:11:53 +01:00 · cea8812dbd
commit cea8812dbd
parent 9d6ce38c8e
4 changed files with 38 additions and 9 deletions
--- a/_scripts/unlock-luks-after-install.py
+++ b/_scripts/unlock-luks-after-install.py
@ -73,10 +73,18 @@ def main() -> int:
    proxmox_skip_tls_verify = (
        get_variable_default(variables_common, "proxmox_skip_tls_verify") or False
    )
+    default_luks_passphrase = get_variable_default(
+        variables_common, "default_luks_passphrase"
+    )
    proxmox_node = get_variable_default(variables, "proxmox_node")
    template_vm_id = get_variable_default(variables, "template_vm_id")

-    _ = proxmox_api_url, proxmox_node, template_vm_id, credentials
+    _ = (
+        proxmox_api_url,
+        proxmox_node,
+        template_vm_id,
+        credentials,
+    )

    server_event = threading.Event()

@ -232,7 +240,9 @@ def main() -> int:
                )
                if remaining:
                    time.sleep(1)
-            for char in "packer":
+            if not default_luks_passphrase:
+                raise RuntimeError("default_luks_passphrase not set")
+            for char in default_luks_passphrase:
                send_key(char)
                time.sleep(0.1)
            send_key("ret")
--- a/debian/13-trixie-luks/debian-trixie.pkr.hcl
+++ b/debian/13-trixie-luks/debian-trixie.pkr.hcl
@ -74,8 +74,13 @@ source "proxmox-iso" "debian-13-trixie-luks" {
  boot_command = [
    "<wait3>c<wait3>",
    "linux /install.amd/vmlinuz auto-install/enable=true priority=critical ",
+    "DEBIAN_FRONTEND=text ",
+    "passwd/root-password='${var.default_root_passphrase}' ",
+    "passwd/root-password-again='${var.default_root_passphrase}' ",
+    "partman-crypto/passphrase='${var.default_luks_passphrase}' ",
+    "partman-crypto/passphrase-again='${var.default_luks_passphrase}' ",
    "INSTALL_FINISHED_INFORM_URL='http://{{ .HTTPIP }}:${var.install_finished_inform_port}/install_finished' ",
-    "DEBIAN_FRONTEND=text preseed/url=http://{{ .HTTPIP }}:{{ .HTTPPort }}/preseed.cfg noprompt<enter>",
+    "preseed/url=http://{{ .HTTPIP }}:{{ .HTTPPort }}/preseed.cfg noprompt<enter>",
    "initrd /install.amd/initrd.gz<enter>",
    "DEBCONF_DEBUG=5<enter>",
    "boot<enter>"
@ -87,7 +92,7 @@ source "proxmox-iso" "debian-13-trixie-luks" {

  # SSH Settings
  ssh_username = "root"
-  ssh_password = "packer"
+  ssh_password = "${var.default_root_passphrase}"
  ssh_timeout  = "20m"
  ssh_pty      = true
 }
@ -104,9 +109,9 @@ build {
      "apt -y autoremove --purge 2> /dev/null",
      "apt -y clean 2> /dev/null",
      "apt -y autoclean 2> /dev/null",
+      "rm -rf /var/cache/apt/archives /var/lib/apt/lists/*",
      "cloud-init clean",
      "rm -f /etc/cloud/cloud.cfg.d/subiquity-disable-cloudinit-networking.cfg",
-      "rm -rf /var/cache/apt/archives /var/lib/apt/lists/*",
      "sync"
    ]
  }
--- a/debian/13-trixie-luks/http/preseed.cfg
+++ b/debian/13-trixie-luks/http/preseed.cfg
@ -18,8 +18,9 @@ d-i netcfg/disable_dhcp boolean false

 ### Root Password (no user)
 d-i passwd/make-user boolean false
-d-i passwd/root-password password packer
-d-i passwd/root-password-again password packer
+# Root password is set via kernel cmdline in debian-trixie.pkr.hcl; these lines are ignored but left here for reference:
+# d-i passwd/root-password password "$PACKER_ROOT_PASS"
+# d-i passwd/root-password-again password "$PACKER_ROOT_PASS"

 ### Mirror / APT
 d-i apt-setup/cdrom/set-first boolean false
@ -71,8 +72,9 @@ d-i partman-md/confirm boolean true
 d-i partman-md/confirm_nooverwrite boolean true

 # LUKS password
-d-i partman-crypto/passphrase password packer
-d-i partman-crypto/passphrase-again password packer
+# LUKS passphrase is set via kernel cmdline in debian-trixie.pkr.hcl; these lines are ignored but left here for reference:
+# d-i partman-crypto/passphrase password "$PACKER_LUKS_PASS"
+# d-i partman-crypto/passphrase-again password "$PACKER_LUKS_PASS"
 d-i partman-crypto/weak_passphrase boolean true
 d-i partman-crypto/confirm boolean true
 d-i partman-auto-crypto/erase_disks boolean false
--- a/variables-common.pkr.hcl
+++ b/variables-common.pkr.hcl
@ -15,3 +15,15 @@ variable "source_proxmox_http_interface" {
  default     = "en18"
  description = "The network interface to use for the Proxmox HTTP source"
 }
+
+variable "default_luks_passphrase" {
+  type        = string
+  default     = "packer"
+  description = "Default passphrase for LUKS encryption (will be removed, when setup is completed via cloudinit)"
+}
+
+variable "default_root_passphrase" {
+  type        = string
+  default     = "packer"
+  description = "Default passphrase for root user (will be removed, when setup is completed via cloudinit)"
+}