From 8e2b8c3079220dbeae8a64d0370004da08a346c2 Mon Sep 17 00:00:00 2001
From: Craig Jennings
Date: Sun, 18 Jan 2026 00:23:49 -0600
Subject: feat(archsetup): add automatic console login for encrypted systems
- Add --autologin and --no-autologin CLI flags
- Add is_encrypted_root() to detect LUKS and ZFS encryption
- Prompt user on encrypted systems (default yes)
- Configure getty@tty1 drop-in for passwordless login after decryption
---
archsetup | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++------
1 file changed, 87 insertions(+), 8 deletions(-)
(limited to 'archsetup')
diff --git a/archsetup b/archsetup
index 5133337..9133dd5 100755
--- a/archsetup
+++ b/archsetup
@@ -33,6 +33,7 @@ skip_slow_packages=false
 fresh_install=false
 show_status_only=false
 skip_gpu_drivers=false
+enable_autologin="" # empty=auto-detect, true=force enable, false=skip
 while [ $# -gt 0 ]; do
 case "$1" in
@@ -52,6 +53,14 @@ while [ $# -gt 0 ]; do
 skip_gpu_drivers=true
 shift
 ;;
+ --autologin)
+ enable_autologin=true
+ shift
+ ;;
+ --no-autologin)
+ enable_autologin=false
+ shift
+ ;;
 --help|-h)
 echo "Usage: $0 [OPTIONS]"
 echo ""
@@ -60,12 +69,14 @@ while [ $# -gt 0 ]; do
 echo " --fresh Start fresh, ignore previous progress"
 echo " --status Show installation progress and exit"
 echo " --no-gpu-drivers Skip GPU driver detection/installation"
+ echo " --autologin Enable automatic console login"
+ echo " --no-autologin Disable automatic console login"
 echo " --help, -h Show this help message"
 exit 0
 ;;
 *)
 echo "Unknown option: $1"
- echo "Usage: $0 [--skip-slow-packages] [--fresh] [--status] [--no-gpu-drivers]"
+ echo "Usage: $0 [--skip-slow-packages] [--fresh] [--status] [--no-gpu-drivers] [--autologin]"
 exit 1
 ;;
 esac
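Review bot: The help text for `--autologin` in the `--help` branch does not say that the flag forces passwordless tty1 login even when the root is not encrypted; the `true` branch of `configure_autologin` never calls `is_encrypted_root`. I would spell that out, e.g. `echo "  --autologin        Force automatic console login (even if root is not encrypted)"`. The unknown-option usage line also lists `[--autologin]` but omits the opt-out, so it should read `[--autologin|--no-autologin]`.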
@@ -347,6 +358,79 @@ is_zfs_root() {
 [ "$(findmnt -n -o FSTYPE /)" = "zfs" ]
 }
+# Encryption Detection
+is_encrypted_root() {
+ # Returns 0 (true) if root filesystem is on an encrypted volume
+ # Detects both LUKS (dm-crypt) and ZFS native encryption
+
+ # Check for LUKS/dm-crypt: root device path contains dm- and backing device is crypt type
+ local root_dev
+ root_dev=$(findmnt -n -o SOURCE /)
+ if lsblk -nlo TYPE "$root_dev" 2>/dev/null | grep -q "crypt"; then
+ return 0
+ fi
+
+ # Check for ZFS native encryption
+ if is_zfs_root; then
+ local root_dataset
+ root_dataset=$(findmnt -n -o SOURCE /)
+ local encryption
+ encryption=$(zfs get -H -o value encryption "$root_dataset" 2>/dev/null)
+ if [ -n "$encryption" ] && [ "$encryption" != "off" ]; then
+ return 0
+ fi
+ fi
+
+ return 1
+}
+
+# Automatic Login Configuration
+configure_autologin() {
+ local do_autologin=false
+
+ # Determine whether to enable autologin
+ if [ "$enable_autologin" = "true" ]; then
+ do_autologin=true
+ elif [ "$enable_autologin" = "false" ]; then
+ do_autologin=false
+ else
+ # Auto-detect: only prompt if root is encrypted
+ if is_encrypted_root; then
+ display "task" "Encrypted root detected"
+ echo ""
+ echo "Since the disk is encrypted, you already authenticate at boot."
+ echo "Automatic login skips the redundant login prompt after decryption."
+ echo ""
+ read -r -p "Enable automatic console login for $username? [Y/n] " response
+ case "$response" in
+ [nN][oO]|[nN])
+ do_autologin=false
+ ;;
+ *)
+ do_autologin=true
+ ;;
+ esac
+ else
+ # Not encrypted, skip autologin silently
+ return 0
+ fi
+ fi
+
+ if [ "$do_autologin" = "true" ]; then
+ action="configuring automatic console login" && display "task" "$action"
+ mkdir -p /etc/systemd/system/getty@tty1.service.d
+ cat << EOF > /etc/systemd/system/getty@tty1.service.d/autologin.conf
+[Service]
+ExecStart=
+ExecStart=-/sbin/agetty -o '-p -f -- \\\\u' --noclear --autologin $username %I \$TERM
+EOF
+ else
+ display "task" "Skipping automatic login configuration"
+ fi
+
+ return 0
+}
+
 # GPU Driver Installation
 install_gpu_drivers() {
 if $skip_gpu_drivers; then
@@ -1488,13 +1572,8 @@ StandardOutput=null
 StandardError=journal+console
 EOF
- # action="removing hostname from login prompt" && display "task" "$action"
- # sed -i "s/--noclear/--nohostname --noclear/g" /usr/lib/systemd/system/getty@.service \
- # || error "error" "$action" "$?"
- # sed -i "s/--noclear/--nohostname --noclear/g" /usr/lib/systemd/system/container-getty@.service \
- # || error "error" "$action" "$?"
- # sed -i "s/--noclear/--nohostname --noclear/g" /usr/lib/systemd/system/console-getty.service \
- # || error "error" "$action" "$?"
+ # Automatic login for encrypted systems (prompts if no CLI flag and root is encrypted)
+ configure_autologin
 action="silencing the unneeded and chatty watchdog module" && display "task" "$action"
 echo "blacklist iTCO_wdt" >/etc/modprobe.d/nowatchdog.conf || error "error" "$action" "$?"
-- cgit v1.2.3
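Review bot: In `configure_autologin` the `case` treats anything other than n/no as consent, including the empty `response` left by a failed `read`, so a run with no terminal on stdin enables passwordless tty1 login on an encrypted root without anyone having answered. The premise printed to the user is also not verified: `is_encrypted_root` only sees a `crypt` device type or a ZFS `encryption` value other than `off`, which does not show that the volume was unlocked interactively rather than by a keyfile or similar. I would treat a failed `read` as "no" and refuse to write the drop-in when `$username` is empty or unknown to `id`. That variable is set outside this hunk, so this may already be guaranteed. The `mkdir` and `cat` steps should report failure through `error` like the neighbouring steps; `error` is defined outside the hunk, so whether it aborts is not visible here.

```shell
            # … unchanged: "Encrypted root detected" banner and explanation …
            # A failed read (EOF, stdin not a terminal) must not count as consent.
            if ! read -r -p "Enable automatic console login for $username? [Y/n] " response; then
                response=n
            fi
            # … unchanged: case "$response" …

    if [ "$do_autologin" = "true" ]; then
        action="configuring automatic console login" && display "task" "$action"
        # Never emit an --autologin line for an empty or nonexistent account.
        if [ -z "$username" ] || ! id -u "$username" >/dev/null 2>&1; then
            error "error" "$action" "1"
            return 1
        fi
        mkdir -p /etc/systemd/system/getty@tty1.service.d || error "error" "$action" "$?"
        cat << EOF > /etc/systemd/system/getty@tty1.service.d/autologin.conf || error "error" "$action" "$?"
        # … unchanged: heredoc body through EOF …
```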