feat(installer): implement deferred disk encryption trigger

This commit introduces an opt-in deferred disk encryption
mechanism for the installer.

The `ghaf-installer.sh` script now includes  `-e` flag, when used,
sets up the system for deferred encryption. It does this by creating
`.ghaf-installer-encrypt` marker file on the ESP partition after the
image is written to the disk.

The `deferred-disk-encryption.nix` module is updated to check
for this marker on boot. The encryption process will only
proceed if the marker is found, preventing encryption on
non-installer boots. Upon completion or failure of the
encryption process, the marker is removed to prevent the
process from running again on subsequent reboots.

Signed-off-by: Vunny Sodhi <[email protected]>

Author: vunnyso

modules/partitioning/deferred-disk-encryption.nix

@@ -50,8 +50,6 @@ let
       pkgs.util-linux
     ];
     text = ''
-      set -euo pipefail
-
       DEVICE="${lvmPartition}"
 
       echo "Checking device $DEVICE for LUKS header..." > /dev/console
@@ -104,8 +102,6 @@ let
       pkgs.kmod
     ];
     text = ''
-      set -euo pipefail
-
       LVM_PV="${lvmPartition}"
 
       # Wait for device to appear
@@ -161,6 +157,32 @@ let
         exit 1
       fi
 
+      # Check for installer/completion markers on the ESP partition.
+        ESP_DEVICE=""
+        for i in {1..10}; do
+            ESP_DEVICE="$(lsblk -pn -o PATH,PARTLABEL | awk 'tolower($2) ~ /esp/ { print $1; exit }')"
+            [ -n "$ESP_DEVICE" ] && break
+            sleep 1
+        done
+
+        if [ -z "$ESP_DEVICE" ]; then
+            echo "ESP partition not found, cannot check for markers. Skipping deferred encryption."
+            exit 0
+        fi
+
+        mkdir -p /mnt/esp
+        if ! mount "$ESP_DEVICE" /mnt/esp; then
+          echo "Failed to mount ESP to check for markers. Skipping deferred encryption."
+          exit 0
+        fi
+
+        # If it's not an installer-based boot, we also do nothing.
+        if [ ! -f "/mnt/esp/.ghaf-installer-encrypt" ]; then
+          echo "Not an installer-based installation (marker not found on ESP). Skipping deferred encryption."
+          umount /mnt/esp
+          exit 0
+        fi
+
       # Stop Plymouth to show encryption progress
       if command -v plymouth >/dev/null 2>&1; then
         plymouth quit || true
@@ -331,6 +353,8 @@ let
         --pbkdf argon2id \
         --pbkdf-memory 1048576 \
         --pbkdf-parallel 4 \
+        --progress-frequency 5 \
+        --verbose \
         "$LVM_PV" \
         --key-file=- || {
           echo "! Encryption failed!"
@@ -560,6 +584,11 @@ let
       echo "The system will reboot to complete the setup."
       echo ""
 
+      # Remove the installer marker so we don't run again if this fails.
+      rm -f /mnt/esp/.ghaf-installer-encrypt
+      umount /mnt/esp
+      rmdir /mnt/esp
+
       ${
         if config.ghaf.profiles.debug.enable then
           ''

packages/pkgs-by-name/ghaf-installer/ghaf-installer.sh

@@ -1,7 +1,6 @@
 #!/usr/bin/env bash
 # SPDX-FileCopyrightText: 2022-2026 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-
 if [ "$EUID" -ne 0 ]; then
   echo "Please run as root"
   exit
@@ -15,18 +14,23 @@ fi
 
 usage() {
   echo " "
-  echo "Usage: $(basename "$0") [-w]"
+  echo "Usage: $(basename "$0") [-w] [-e]"
   echo "  -w  Wipe only"
+  echo "  -e  Install with disk encryption"
   exit 1
 }
 
 WIPE_ONLY=false
+ENCRYPTED_INSTALL=false
 
-while getopts "w" opt; do
+while getopts "we" opt; do
   case $opt in
   w)
     WIPE_ONLY=true
     ;;
+  e)
+    ENCRYPTED_INSTALL=true
+    ;;
   ?)
     usage
     ;;
@@ -152,4 +156,43 @@ raw_file=("$IMG_PATH"/*.raw.zst)
 
 zstdcat "${raw_file[0]}" | dd of="$DEVICE_NAME" bs=32M status=progress
 
+if [ "$ENCRYPTED_INSTALL" = true ]; then
+  echo "Setting up deferred encryption..."
+
+  # Give udev time to process new partitions
+  udevadm settle
+  sleep 2
+
+  ESP_DEVICE=""
+  for i in {1..5}; do
+    echo "Attempt $i: Listing partitions for ${DEVICE_NAME}..."
+
+    # Find ESP partition by its partition label (case-insensitive)
+    ESP_DEVICE="$(lsblk -pn -o PATH,PARTLABEL "${DEVICE_NAME}" | awk 'tolower($2) ~ /esp/ { print $1; exit }')"
+
+    if [ -n "$ESP_DEVICE" ]; then
+      echo "Found ESP partition: $ESP_DEVICE"
+      break
+    fi
+
+    echo "Waiting for partitions to appear..."
+    partprobe "${DEVICE_NAME}"
+    sleep 2
+  done
+
+  if [ -z "$ESP_DEVICE" ]; then
+    echo "Error: Could not find ESP partition by label to create installer marker."
+    exit 1
+  fi
+
+  mkdir -p /mnt/esp
+  mount "$ESP_DEVICE" /mnt/esp || {
+    echo "Failed to mount ESP partition"
+    exit 1
+  }
+  touch /mnt/esp/.ghaf-installer-encrypt
+  umount /mnt/esp
+  echo "Deferred encryption setup complete."
+fi
+
 echo "Installation done. Please remove the installation media and reboot"

packages/pkgs-by-name/ghaf-installer/package.nix

@@ -1,7 +1,6 @@
 # SPDX-FileCopyrightText: 2022-2026 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
 {
-  lib,
   coreutils,
   util-linux,
   hwinfo,
@@ -22,13 +21,7 @@ writeShellApplication {
     lvm2 # Needed for vgchange, pvremove
     parted # Needed for partprobe
   ];
-  text = builtins.readFile (
-    lib.fileset.toSource {
-      root = ./.;
-      fileset = ./ghaf-installer.sh;
-    }
-    + "/ghaf-installer.sh"
-  );
+  text = builtins.readFile ./ghaf-installer.sh;
   meta = {
     description = "Installer script for the Ghaf project";
     platforms = [