#!/bin/sh
mdadm --stop /dev/md125
mdadm --stop /dev/md126
mdadm --stop /dev/md127
mdadm --zero-superblock /dev/nvme0n1p1
mdadm --zero-superblock /dev/nvme0n1p2
mdadm --zero-superblock /dev/nvme1n1p1
mdadm --zero-superblock /dev/nvme1n1p2
sgdisk -Z /dev/nvme0n1
sgdisk -n 1::1024MiB /dev/nvme0n1
sgdisk -n 2:: /dev/nvme0n1
sgdisk -Z /dev/nvme1n1
sleep 5
for i in {1..5};do
partprobe /dev/nvme0n1
partprobe /dev/nvme1n1
sleep 1
done
cat << EOF >/etc/yum.repos.d/local.repo
[BaseOS]
name=BaseOS
enabled=1
gpgcheck=0
baseurl=file:///run/install/repo/BaseOS
[AppStream]
enabled=1
gpgcheck=0
baseurl=file:///run/install/repo/AppStream
EOF
dnf install -y clevis clevis-dracut clevis-luks clevis-systemd clevis-udisks2 tpm-tools tpm2-tools >/dev/null 2>&1
mkfs.vfat -i 72D5B376 -n boot /dev/nvme0n1p1
echo "callmedaddy"|cryptsetup -q luksFormat /dev/nvme0n1p2 --uuid=2503da23-fdce-47c1-8f55-d1608edfb532
cryptsetup luksOpen /dev/nvme0n1p2 root <<< 'callmedaddy'
mkfs.xfs -f -m uuid=ced49972-bd15-400b-b130-babc43008ec0 -L rootfs /dev/mapper/root
sleep 5
mkdir /dev/shm/boot
mkdir /dev/shm/root
umount /dev/shm/boot
umount /dev/shm/root
mount -L boot /dev/shm/boot
mount -L rootfs /dev/shm/root
curl http://deploy.kido.idv.tw/encryt_disk/boot.tar.gz|tar zxf - -C /dev/shm/boot
curl http://deploy.kido.idv.tw/encryt_disk/root.tar.gz|tar zxf - -C /dev/shm/root
sync
tpm2_dictionarylockout -c
clevis luks bind -d /dev/nvme0n1p2 tpm2 '{"pcr_bank":"sha1","pcr_ids":"0,7"}' <<< 'callmedaddy'
