From cb4029b04932610e447e831b2158750221e50f1b Mon Sep 17 00:00:00 2001
From: Eric Renfro
Date: Tue, 2 Jul 2024 20:16:20 -0400
Subject: [PATCH] Add Encryption to linuxmint-postsetup
---
 linuxmint-postsetup.sh | 104 +++++++++++++++++++++++++++++++----------
 1 file changed, 80 insertions(+), 24 deletions(-)
diff --git a/linuxmint-postsetup.sh b/linuxmint-postsetup.sh
index 2f5202b..118b072 100755
--- a/linuxmint-postsetup.sh
+++ b/linuxmint-postsetup.sh
@@ -32,6 +32,7 @@ function show_help() {
 echo ""
 echo "Options:"
 echo "-h, --help Help on this tool."
+ echo "-e, --encryption Enable LUKS encryption."
 echo "-s, --swap Enable Swap/Hibernation support."
 echo "-d, --debug Enable DEBUG mode for testing."
 exit 0
@@ -48,7 +49,12 @@ function create_subvolumes() {
 subvols+=("${!SUBVOLS_DEFAULT[@]}")
- ${cmd} mount "$RootPart" /mnt
+ if [[ "$ENCRYPTION" ]]; then
+ ${cmd} cryptsetup luksOpen "$RootPart" luksvol
+ ${cmd} mount -o noatime,space_cache=v2,ssd "/dev/mapper/luksvol" /mnt
+ else
+ ${cmd} mount -o noatime,space_cache=v2,ssd "$RootPart" /mnt
+ fi
 if [[ "$BootPart" == "@boot" ]]; then
 ${cmd} btrfs subvolume create /mnt/@boot
@@ -62,7 +68,7 @@ function create_subvolumes() {
 for subvol in "${subvols[@]}"
 do
 ${cmd} btrfs subvolume create /mnt/"$subvol"
- if [[ -d "/mnt/@/${SUBVOLS_DEFAULT[$subvol]}" || "DEBUG" ]]; then
+ if [[ -d "/mnt/@/${SUBVOLS_DEFAULT[$subvol]}" || "$DEBUG" ]]; then
 ${cmd} rsync -avhHi --delete-after "/mnt/@/${SUBVOLS_DEFAULT[$subvol]}/" "/mnt/$subvol/"
 fi
 done
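Review bot: In create_subvolumes, the added `cryptsetup luksOpen "$RootPart" luksvol` is not checked before the `mount` and `btrfs subvolume create` calls that follow, so a wrong passphrase or a partition that is not a LUKS container leaves /mnt unmounted while the rest of the function keeps writing to it (unless the script enables `set -e` outside the visible lines). I would stop on failure, e.g. `${cmd} cryptsetup luksOpen "$RootPart" luksvol || { echo "Error: cannot open LUKS volume on $RootPart" >&2; exit 1; }`. The mapping name `luksvol` is also hard-coded here and again in the prepare_target and unmount_target hunks; a single `readonly LUKS_NAME=luksvol` near the top would keep the three in step. The function starts and ends outside this hunk.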
@@ -70,6 +76,33 @@ function create_subvolumes() {
 ${cmd} umount /mnt
 }
+function unmount_target() {
+ local subvol
+
+ if [[ "$DEBUG" ]]; then
+ local cmd="echo"
+ else
+ local cmd=""
+ fi
+
+ for subvol in "${!SUBVOLS_DEFAULT[@]}"
+ do
+ ${cmd} umount /target/"${SUBVOLS_DEFAULT[$subvol]}"
+ done
+
+ if [[ "$SWAP" ]]; then
+ ${cmd} umount /target/swap
+ fi
+
+ ${cmd} umount /target/boot/efi
+ ${cmd} umount /target/boot
+ ${cmd} umount /target
+
+ if [[ "$ENCRYPTION" ]]; then
+ ${cmd} cryptsetup luksClose luksvol
+ fi
+}
+
 function get_hibernate_size() {
 free --giga | awk '/^Mem:/{print $2}'
 }
@@ -87,6 +120,9 @@ function prepare_target() {
 ${cmd} mkdir /target
 rootmount="$RootPart"
+ if [[ "$ENCRYPTION" ]]; then
+ rootmount="/dev/mapper/luksvol"
+ fi
 ${cmd} mount -o noatime,space_cache=v2,ssd,subvol=@ "$rootmount" /target
@@ -128,18 +164,29 @@ function prepare_target() {
 ${cmd} arch-chroot /target update-grub2
 fi
- for subvol in "${!SUBVOLS_DEFAULT[@]}"
- do
- ${cmd} umount /target/"${SUBVOLS_DEFAULT[$subvol]}"
- done
+ ${cmd} apt install -y arch-install-scripts
+
+ if [[ "$DEBUG" ]]; then
+ echo "genfstab -U /target > /target/etc/fstab"
+ echo
+ else
+ genfstab -U /target > /target/etc/fstab
+ fi
+
+ if [[ "$SWAP" ]]; then
+ if [[ "$DEBUG" ]]; then
+ echo "echo \"/swap/hibernate.swp none swap defaults 0 0\" >> /target/etc/fstab"
+ else
+ echo "/swap/hibernate.swp none swap defaults 0 0" >> /target/etc/fstab
+ fi
+ SwapUUID=$(grep btrfs /target/etc/fstab | head -n1 | cut -f1)
+ SwapOffset=$(btrfs inspect-internal map-swapfile -r /target/swap/hibernate.swp)
+ ${cmd} sed -i "/^GRUB_CMDLINE_LINUX_DEFAULT=/ s/\(\"[^\"]*\)$/ resume=${SwapUUID} resume_offset=${SwapOffset}&/" /target/etc/default/grub
+ fi
+
+ if [[ "$ENCRYPTION" ]]; then
- if [[ "$SWAP" ]]; then
- ${cmd} umount /target/swap
 fi
-
- ${cmd} umount /target/boot/efi
- ${cmd} umount /target/boot
- ${cmd} umount /target
 }
 function expert_step() {
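Review bot: In unmount_target, `cryptsetup luksClose luksvol` runs only when `$ENCRYPTION` is set, and that variable comes from `-e` on the current command line; a user who follows the install_normal hint and re-runs with just `--unmount` skips the close and goes straight to `reboot` with the mapping still open. Testing for the mapping itself is more robust: `if [[ -e /dev/mapper/luksvol ]]; then ${cmd} cryptsetup luksClose luksvol; fi`. The `umount` calls are also unchecked and walk `"${!SUBVOLS_DEFAULT[@]}"` in whatever order the array yields its keys (it is indexed by name, so presumably associative), so a nested mount can fail and leave luksClose failing on a busy device; `${cmd} umount -R /target` would handle the ordering in one step.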
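Review bot: The added `if [[ "$ENCRYPTION" ]]; then` near the end of prepare_target has no command before the `fi` that closes it, which bash rejects as a syntax error, so as shown the script would not parse past this function. The branch also looks like where the boot-time unlock configuration was meant to go: nothing in this hunk writes /target/etc/crypttab or rebuilds the initramfs, so an install made with `-e` would presumably be unable to open its root volume at boot. Until that is implemented, give the body a placeholder, e.g. `: # TODO: write /target/etc/crypttab and run update-initramfs in the chroot`. Separately, the `sed` that appends `resume=`/`resume_offset=` to /target/etc/default/grub runs after the `update-grub2` call in the context lines above, so the new kernel arguments do not reach grub.cfg unless update-grub2 is run again; prepare_target starts outside this hunk.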
@@ -181,6 +228,12 @@ function show_options() {
 echo "Boot Partition: $BootPart"
 echo "EFI Partition: $EFIPart"
+ if [[ "$ENCRYPTION" ]]; then
+ echo "Encryption: Enabled"
+ else
+ echo "Encryption: Disabled"
+ fi
+
 if [[ "$SWAP" ]]; then
 echo "Swap: Enabled"
 else
@@ -214,16 +267,14 @@ function install_normal() {
 prepare_target
 echo
- echo "Ready for installation! Run a terminal and start the following:"
- echo "sudo live-installer-expert-mode"
- echo
- echo "Once it's at the expert mode step, re-run this command with --expert"
+ echo "Post-Setup Preparations Complete. You can verify things in /target or you can"
+ echo "re-run this script with --unmount to unmount and reboot."
 }
-function install_expert() {
+function install_unmount() {
 show_options
- read -rsn1 -p"Expert-Installation: To proceed, press enter to continue." proceed
+ read -rsn1 -p"Post-Install Unmount and Reboot: To proceed, press enter to continue." proceed
 echo
 if [[ "$proceed" != "" ]]; then
@@ -233,7 +284,8 @@ function install_expert() {
 echo
 echo "Running Expert-Mode Installation Steps..."
- expert_step
+ unmount_target
+ reboot
 }
 function install_cleanup() {
@@ -276,6 +328,10 @@ while [[ $# -gt 0 ]]; do
 -h|--help)
 show_help
 ;;
+ -e|--encryption)
+ ENCRYPTION=true
+ shift
+ ;;
 -s|--swap)
 SWAP=true
 shift
@@ -284,8 +340,8 @@ while [[ $# -gt 0 ]]; do
 DEBUG=true
 shift
 ;;
- --expert)
- INSTALL_MODE=expert
+ --unmount)
+ INSTALL_MODE=unmount
 shift
 ;;
 --clean)
@@ -316,9 +372,9 @@ else
 fi
 case "$INSTALL_MODE" in
- normal) install_normal;;
- expert) install_expert;;
- clean) install_cleanup;;
+ normal) install_normal;;
+ unmount) install_unmount;;
+ clean) install_cleanup;;
 *)
 echo "Error, unknown installation mode detected."
 exit 3
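Review bot: The bare `reboot` added after `unmount_target` ignores `--debug`: unmount_target only echoes its commands when `$DEBUG` is set, but `reboot` is neither behind `${cmd}` nor a `$DEBUG` test, so a dry run with `--debug --unmount` restarts the machine. Guard it, e.g. `if [[ "$DEBUG" ]]; then echo reboot; else reboot; fi`. The context line `echo "Running Expert-Mode Installation Steps..."` is now stale and should say that the target is being unmounted. The function begins in the previous hunk and only its tail is visible here.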
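Review bot: `--unmount` is accepted by the option parser here, but the show_help hunk in this commit adds only `-e, --encryption`, so as far as the visible lines show the new mode is not listed under Options; I would add `echo "--unmount Unmount /target and reboot."` to show_help. With `--expert` gone, `expert_step` (still defined, per the context line after prepare_target) appears to have no remaining caller in the visible hunks and could be removed or marked as unused. The parsing loop starts and ends outside this hunk.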