From 03517b77696ea7c2bbebf2782bead470ea5c63f5 Mon Sep 17 00:00:00 2001 From: Leopold Johannes Meinel Date: Mon, 8 May 2023 05:19:05 +0200 Subject: [PATCH 1/5] Use, create & chmod $EFI_KEYS_DIR when not enrolling keys - We are sourcing /etc/cryptboot.conf for EFI_KEYS_DIR so we don't run into trouble when the directory changes there --- post.sh | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/post.sh b/post.sh index b9b10697..60085fc7 100644 --- a/post.sh +++ b/post.sh @@ -215,28 +215,29 @@ YES) doas cryptboot-efikeys create doas cryptboot-efikeys enroll doas cryptboot systemd-boot-sign + source "/etc/cryptboot.conf" doas sh -c "{ - echo "uefi_secureboot_cert=\"/etc/secureboot/keys/db.crt\"" - echo "uefi_secureboot_key=\"/etc/secureboot/keys/db.key\"" + echo "uefi_secureboot_cert=\""$EFI_KEYS_DIR"/keys/db.crt\"" + echo "uefi_secureboot_key=\""$EFI_KEYS_DIR"/keys/db.key\"" } >/etc/dracut.conf.d/secureboot.conf" ;; *) { echo '#!/bin/bash' echo '' - echo 'EFI_KEYS_DIR="/etc/secureboot/keys"' echo 'source "/etc/cryptboot.conf"' echo 'read -rp "Have you transferred your keys to $EFI_KEYS_DIR? (Type '"'"'yes'"'"' in capital letters): " choice' echo 'case "$choice" in' echo 'YES)' + echo 'chmod 000 "$EFI_KEYS_DIR"/*' echo ' if mountpoint -q /efi; then' echo ' doas umount -AR /efi' echo ' fi' echo ' doas mount /efi' echo ' doas cryptboot systemd-boot-sign' echo ' doas sh -c "{' - echo ' echo "uefi_secureboot_cert=\"/etc/secureboot/keys/db.crt\""' - echo ' echo "uefi_secureboot_key=\"/etc/secureboot/keys/db.key\""' + echo ' echo "uefi_secureboot_cert=\""$EFI_KEYS_DIR"/db.crt\""' + echo ' echo "uefi_secureboot_key=\""$EFI_KEYS_DIR"/db.key\""' echo ' } >/etc/dracut.conf.d/secureboot.conf"' echo ' ;;' echo '*)' 
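Review bot: The two dracut snippets written by this hunk now disagree on where the key pair lives: the `YES)` arm emits `"$EFI_KEYS_DIR"/keys/db.crt` while the generated ~/secureboot.sh emits `"$EFI_KEYS_DIR"/db.crt`, and both the default this patch removes (`EFI_KEYS_DIR="/etc/secureboot/keys"`) and the `chmod 700 "$EFI_KEYS_DIR"` in the next hunk treat the variable as the key directory itself, so the `/keys/` infix in the `YES)` arm looks like a leftover from the old literal path and would point dracut at `…/keys/keys/db.crt`. I would drop it so both places agree: `echo "uefi_secureboot_cert=\""$EFI_KEYS_DIR"/db.crt\""` and the same for `db.key`. Separately, the generated script has lost its fallback value before `chmod 000 "$EFI_KEYS_DIR"/*`, so an /etc/cryptboot.conf that does not define the variable turns that line into `chmod 000 /*`; a guard right after the generated `source` line, `echo ': "${EFI_KEYS_DIR:?not set by /etc/cryptboot.conf}"'`, makes it abort instead. The `case` statement this hunk edits begins above the hunk.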
@@ -245,10 +246,10 @@ YES) echo ' ;;' echo 'esac' } >~/secureboot.sh + mkdir -p "$EFI_KEYS_DIR" + chmod 700 "$EFI_KEYS_DIR" chmod 700 ~/secureboot.sh echo "WARNING: User aborted enrolling secureboot keys" - EFI_KEYS_DIR="/etc/secureboot/keys" - source "/etc/cryptboot.conf" echo " Deploy your own keys in $EFI_KEYS_DIR and run ~/secureboot.sh to sign your bootloader" ;; esac From a5f9b893bfb71a377a52c70369de284d4269d4a4 Mon Sep 17 00:00:00 2001 From: Leopold Johannes Meinel Date: Mon, 8 May 2023 05:22:46 +0200 Subject: [PATCH 2/5] Create backups directory - Meant for mounting external drives for backups (either remote backupsover rsync for server or local) --- sysuser.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sysuser.sh b/sysuser.sh index 0ef0774a..14300ab0 100644 --- a/sysuser.sh +++ b/sysuser.sh @@ -21,5 +21,8 @@ cp "$SCRIPT_DIR/post.sh" ~/ cp "$SCRIPT_DIR/install.conf" ~/ chmod +x ~/post.sh +# Create backups directory +mkdir ~/backups + # Remove repo rm -rf ~/git From 2fcbec418a9369b5d72a8c8c23bf95b2b1593909 Mon Sep 17 00:00:00 2001 From: Leopold Johannes Meinel Date: Mon, 8 May 2023 05:24:59 +0200 Subject: [PATCH 3/5] Use mkdir -p (unnecessary but why not) --- sysuser.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sysuser.sh b/sysuser.sh index 14300ab0..b741ee4b 100644 --- a/sysuser.sh +++ b/sysuser.sh @@ -22,7 +22,7 @@ cp "$SCRIPT_DIR/install.conf" ~/ chmod +x ~/post.sh # Create backups directory -mkdir ~/backups +mkdir -p ~/backups # Remove repo rm -rf ~/git From 6e3f176100f7357c098bc9b5c45bfdf59dbc448c Mon Sep 17 00:00:00 2001 From: Leopold Johannes Meinel Date: Mon, 8 May 2023 05:26:23 +0200 Subject: [PATCH 4/5] Use mkdir -p everywhere --- prepare.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/prepare.sh b/prepare.sh index 5037daab..b83fe978 100644 --- a/prepare.sh +++ b/prepare.sh 
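Review bot: `$EFI_KEYS_DIR` is no longer assigned anywhere in this `*)` arm: the hunk removes both the `EFI_KEYS_DIR="/etc/secureboot/keys"` default and the `source "/etc/cryptboot.conf"`, while the `source` added by the first hunk sits inside the `YES)` arm, so unless the config is sourced before the `case` (outside the hunk) the new `mkdir -p "$EFI_KEYS_DIR"` and `chmod 700 "$EFI_KEYS_DIR"` operate on an empty path and the closing message prints an empty directory. I would put `source "/etc/cryptboot.conf"` directly above the `mkdir -p` (or move the single `source` above the `case`) and add `: "${EFI_KEYS_DIR:?not set by /etc/cryptboot.conf}"` so a missing value fails loudly rather than silently. The two new lines also run without `doas`, unlike the other privileged steps in post.sh, so for a directory under /etc they would fail with permission denied for an unprivileged user; either prefix them with `doas` or document that the directory is expected to be user-writable. The `case` this hunk closes with `esac` begins above the first hunk.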
@@ -176,22 +176,22 @@ OPTIONS1="nodev,noatime,space_cache=v2,compress=zstd,ssd,discard=async,subvol=/@ OPTIONS2="nodev,nosuid,noatime,space_cache=v2,compress=zstd,ssd,discard=async,subvol=/@" OPTIONS3="noexec,nodev,nosuid,noatime,space_cache=v2,compress=zstd,ssd,discard=async,subvol=/@" mount_subs0() { - mkdir "/mnt$1" + mkdir -p "/mnt$1" mount -o "$3$2" "$4" "/mnt$1" - mkdir "/mnt$1.snapshots" + mkdir -p "/mnt$1.snapshots" mount -o "$OPTIONS3${2}_snapshots" "$4" "/mnt${SUBVOLUMES[$i]}.snapshots" mount_subs1 "$1" "$3" "$4" } mount_subs1() { for ((a = 0; a < SUBVOLUMES_LENGTH; a++)); do if [[ "${SUBVOLUMES[$a]}" != "$1" ]] && grep -nq "^$1" <<<"${SUBVOLUMES[$a]}"; then - mkdir "/mnt${SUBVOLUMES[$a]}" + mkdir -p "/mnt${SUBVOLUMES[$a]}" if grep -nq "^${1}lib/" <<<"${SUBVOLUMES[$a]}"; then mount -o "$OPTIONS3${CONFIGS[$a]}" "$3" "/mnt${SUBVOLUMES[$a]}" else mount -o "$2${CONFIGS[$a]}" "$3" "/mnt${SUBVOLUMES[$a]}" fi - mkdir "/mnt${SUBVOLUMES[$a]}.snapshots" + mkdir -p "/mnt${SUBVOLUMES[$a]}.snapshots" mount -o "$OPTIONS3${CONFIGS[$a]}_snapshots" "$3" "/mnt${SUBVOLUMES[$a]}.snapshots" fi done @@ -200,7 +200,7 @@ for ((i = 0; i < SUBVOLUMES_LENGTH; i++)); do case "${SUBVOLUMES[$i]}" in "/") mount -o "$OPTIONS0" /dev/mapper/vg0-lv0 "/mnt${SUBVOLUMES[$i]}" - mkdir "/mnt${SUBVOLUMES[$i]}.snapshots" + mkdir -p "/mnt${SUBVOLUMES[$i]}.snapshots" mount -o "${OPTIONS3}snapshots" /dev/mapper/vg0-lv0 "/mnt${SUBVOLUMES[$i]}.snapshots" ;; "/usr/") @@ -216,12 +216,12 @@ for ((i = 0; i < SUBVOLUMES_LENGTH; i++)); do done chmod 775 /mnt/var/games ## /efi -mkdir /mnt/efi +mkdir -p /mnt/efi mount -o noexec,nodev,nosuid "$DISK1P1" /mnt/efi -mkdir /mnt/.efi.bak +mkdir -p /mnt/.efi.bak mount -o noexec,nodev,nosuid "$DISK2P1" /mnt/.efi.bak ## /boot -mkdir /mnt/boot +mkdir -p /mnt/boot # Set SSD state to "frozen" after sleep for link in /dev/disk/by-id/*; do 
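Review bot: In `mount_subs0` the new `mkdir -p "/mnt$1.snapshots"` names the directory from the parameter `$1`, but the `mount` on the very next line targets `"/mnt${SUBVOLUMES[$i]}.snapshots"`, a global loop index; the two agree only while every caller passes `${SUBVOLUMES[$i]}` as `$1`, and on a mismatch the mount target would simply not exist. I would use the parameter in both places: `mount -o "$OPTIONS3${2}_snapshots" "$4" "/mnt$1.snapshots"`. More generally, switching every `mkdir` in this fresh-install mount sequence to `mkdir -p` also stops the script from noticing a re-used or pre-populated /mnt, which the plain `mkdir` used to catch; if re-running is the intent, a comment saying so next to the first `mkdir -p` would help the next reader. The same remark applies to the two later prepare.sh hunks on this line and the one on the next.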
@@ -303,6 +303,6 @@ sed -i "/$STRING0/s/$STRING1/$STRING1,noauto/" "$FILE" ## END sed # Prepare /mnt/git/arch-install -mkdir /mnt/git +mkdir -p /mnt/git mv "$SCRIPT_DIR" /mnt/git/ chmod +x /mnt/git/arch-install/setup.sh From c5f70e5a84fe175a28e3f8f79307d2234f936e5b Mon Sep 17 00:00:00 2001 From: Leopold Johannes Meinel Date: Mon, 8 May 2023 05:29:41 +0200 Subject: [PATCH 5/5] Create /etc/encryption/keys directory - This is a folder where keys to crypt-volumes are meant to be stored - Uses (kind of the) same naming scheme as /etc/secureboot/keys --- setup.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/setup.sh b/setup.sh index 905d1e39..11365e01 100644 --- a/setup.sh +++ b/setup.sh @@ -186,6 +186,9 @@ MD0UUID="$(blkid -s UUID -o value /dev/md/md0)" { echo "md0_crypt UUID=$MD0UUID none luks,key-slot=0" } >/etc/crypttab +## Create /etc/encryption/keys directory +mkdir -p /etc/encryption/keys +chown 700 /etc/encryption/keys ## Configure /etc/localtime /etc/vconsole.conf /etc/hostname /etc/hosts ln -sf /usr/share/zoneinfo/"$TIMEZONE" /etc/localtime hwclock --systohc
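Review bot: `chown 700 /etc/encryption/keys` in the setup.sh hunk does not set permissions: chown takes an owner, so this hands the directory to numeric UID 700 (which may not exist) and leaves the mode at whatever the umask produced, typically world-readable, for a directory the commit message says is meant to hold keys to crypt volumes. It should read `chmod 700 /etc/encryption/keys` (plus `chown root:root /etc/encryption/keys` if ownership needs pinning). Keyfiles created there later do not inherit the directory mode, so an explicit `chmod 600` on each file, or `umask 077` around their creation, is still needed.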