RH Linux Clevis/Tang setup script

#!/bin/bash
#####
# This script configures Clevis/Tang binding for network bound disk encryption.
# When properly configured, a LUKS encrypted drive will be decrypted on boot via key exchange with a Tang server.
# The Tang server should be defined below in place of tang.example.com.

#####
# Verify there is an encrypted drive. (Because otherwise what's the point?)
verify_encryption(){
# On a UEFI system there should be a boot/efi partition.  The first 3 letters of the block device indicate if it is NVME or SD drive.
DTYPE=`lsblk -fs|egrep -w boot/efi|awk '{print $1}'|cut -c 1,2,3`

# Find a LUKS encrypted partition on the drive containing the boot/efi partition.
# Of course this assumes the efi partition is not on a separate drive.
CDEVICE=`lsblk --fs|egrep $DTYPE|grep LUKS|awk '{print $1}'|tr -cd "[:alnum:]"`

if [ -z "$CDEVICE" ]
   then
      echo "Found no encrypted device."
      exit 1
   else
      set_requires
fi
}

#####
# RH7 & RH8 have different package requirements for clevis/tang setup.
# This module sets up the list for each version.
set_requires(){
if grep Ootpa /etc/redhat-release &>/dev/null
   then
       #RHEL8
       requires_array=("clevis"
       "clevis-dracut"
       "clevis-luks"
       "clevis-systemd"
       "ipcalc")
   elif grep Maipo /etc/redhat-release &>/dev/null
   then
      #RHEL7
      requires_array=("clevis"
      "clevis-dracut"
      "clevis-luks"
      "dnf"
      "initscripts")
   else
   echo "Unexpected RHEL version.  Exiting."
   exit 1
fi
}

#####
# Use the list of required packages based on the RHEL release major version;
# See if we have them installed.  Install them if we don't.
check_requires(){
if  [ $LOOP -lt 2 ]
   then
      do
         for PKG in "${requires_array[@]}"
            do
                if ! rpm -qa|grep "$PKG" &>/dev/null
                   then
                      echo "Installing required package $PKG."
                      dnf install -y $PKG
                      ((LOOP++))
                      check_requires
                fi
            done
    else
        echo "Too many attempts to install packages.  Exiting."
        exit 1
fi
}

#####
# Make sure our DNS IP address is assigned to some interface on this box.
# Also determine values for various network parameters needed to build a static_ip.conf file.
find_iface(){
DNSIP=`host $HOSTNAME|awk '{print $4}'`
MATCH=`ip -4 -o address|awk '{print $2,$4}'|egrep -v lo|grep $DNSIP`

if [ ! -z "$MATCH" ]
    then
        # Public IP
        MYIP=$DNSIP
        # Interface
        MYIF=`echo $MATCH|awk '{print $1}'`
        # Subnet Mask
        MYSN=`echo $MATH|awk '{print $2}'`
        # Netmask
        MYNM=`ipcalc -m $MYSN|awk -F= '{print $2}'`
        # Gateway
        MYGW=`ip route show dev $MYIF|grep default|awk '{print $3}'`
        # MTU
        MYMTU=ip address show $MYIF|head -1|awk '{print $5}'`
        # Nameserver
        MYNS=`cat /etc/resolv.conf|grep nameserver|sed -s/ /=/'|tr '\n' ' '`
        MYNS=${MYNS%%}
        echo Verified DNS for IF:$MYIF IP:$MYIP NM:$MYNM GW:$MYGW NS:$MYNS
        setup_conf
    else
        echo "Found IP Address Mismatch."
        echo "Please fix."
        exit 1
fi

#####
# Provided that none of the values we found in find_iface are blank, build the static_ip.conf file.
setup_conf(){
if [ -z "$MYIP" ] || [ -z "$MYIF" ] || [ -z "$MYNM" ] || [ -z "$MYGW"] || [ -z "$MYMTU" ] || [ -z "$MYNS" ]
    then
        echo "One or more parameters are empty."
        echo "Exiting."
        exit 1
    else
        echo "Building static_ip.conf file."
        echo "kernel_cmdline=\"ip=${MYIP}::${MYGW}:${MYNM}::${MYIF}:none:${MYMTU}: ${MYNS}\"" > /etc/dracut.conf.d/static_ip.conf
        echo "Starting Clevis Setup"
        LOOP=0
        setup_clevis
fi
}

#####
# Now actually try to bind to the Tang server.
setup_clevis(){
if grep Ootpa /etc/redhat-release &>/dev/null
    then
        if [ $LOOP -lt 2 ]
            then
                clevis luks bind -y -d /dev/$CDEVICE tang '{"url":"http://tang.example.com"}'
                ecode=$?
                    if [ $ecode -eq 0 ]
                        then
                        echo "Success."
                        LOOP=0
                        rebuild_initrd
                    else
                        echo "Fail."
                        ((LOOP++))
                        setup_clevis
                fi
            else
                echo ""
                echo "Error in module setup_clevis for RH8."
                echo "Too many attempts to bind to Tang."
                echo "Exiting."
                exit 1
        fi
elif grep Maipo /etc/redhat-release &>/dev/null
    then
        if [ $LOOP -lt 2 ]
            then
                clevis luks bind -f -d /dev/$CDEVICE tang '{"url":"http://tang.example.com"}'
                ecode=$?
                    if [ $ecode -eq 0 ]
                        then
                        echo "Success."
                        LOOP=0
                        rebuild_initrd
                    else
                        echo "Fail."
                        ((LOOP++))
                        setup_clevis
                fi
            else
                echo ""
                echo "Error in module setup_clevis for RH7."
                echo "Too many attempts to bind to Tang."
                echo "Exiting."
                exit 1
        fi
else
    echo ""
    echo "Error in module setup_clevis."
    echo "Unexpected RHEL version.  Exiting."
    exit 1
fi
}

#####
# rebuild initial ramdisk
rebuild_initrd(){
echo "Rebuilding initial ramdisk."
dracut -fv --regenerate-all
}

#####
# Set LOOP to 0 and launch modules in order.
LOOP=0
verify_encryption
set_requires
check_requires
find_iface

# Once you've pulled out the pin, Mr. Grenade is no longer your friend.