#!/usr/bin/sudo -s 
# Eli Criffield <crytpoeli@criffield.net>
#
# 1164126401
# 
# boot ubuntu-6.06-desktop-i386.iso for dapper
# or ubuntu-6.10-desktop-i386.iso  for edgy
# Applicatioins -> Accessories -> Terminal
# open terminal
# wget http://eli.criffield.net/auto_cr_inst
# chmod 755 ./auto_cr_inst
# ./auto_cr_inst
#
# to rescue
# boot ubuntu-6.06-desktop-i386.iso for dapper
# or ubuntu-6.10-desktop-i386.iso  for edgy
# Applicatioins -> Accessories -> Terminal
# open terminal
# sudo mount -L boot /tmp
# cp /tmp/rescue-script .
# ./rescuse-script
#

# for debug please uncommnet the next line and run like this and mail me
# the log
# ./script 2>&1 |tee log
#set -x

ch='chroot /install sh -c'
DISK=`sfdisk -l 2>/dev/null |grep Disk |awk '{print $2}'|sed 's/://g' |grep -v '/dev/md' |head -1`
MEM=`free -m |grep Mem |awk '{print $2}'`
let MEM=MEM+128

# set if using local packages
local=false

#this sets
#DISTRIB_ID=
#DISTRIB_RELEASE=
#DISTRIB_CODENAME=
#DISTRIB_DESCRIPTION=
. /etc/lsb-release
export DISTRIB_ID DISTRIB_RELEASE DISTRIB_CODENAME DISTRIB_DESCRIPTION

if [ ${DISTRIB_CODENAME} == "edgy" ] ; then
  edgy=true
  dapper=false
elif [ ${DISTRIB_CODENAME} == "dapper" ] ; then
  dapper=true
  edgy=false
else
  echo UNSUPPORTED DISTRIB
  exit 1
fi

function errck {
  if [ $? -ne 0 ] ; then
    echo "SOMETHING WENT WRONG "
    echo
    echo $1
    exit 1;
  fi
}

function umountALL {
 swapoff -a
 umount /install/sys
 umount /install/proc
 umount /install/dev
 for i in `df |awk '{print $NF}' |grep install |sort -r` ; do
   umount $i
   errck
 done
}

function mountALL {
  mkdir /BOOTinstall 2>&1 > /dev/null
  mkdir /install 2>&1 > /dev/null
  
  umount ${DISK}1
  mount ${DISK}1 /BOOTinstall 
  errck
  
  dpkg -i /BOOTinstall/crypt/cryptsetup*.deb
  dpkg -i /BOOTinstall/crypt/mdadm*.deb
  dpkg -i /BOOTinstall/crypt/lvm-common*.deb 
  dpkg -i /BOOTinstall/crypt/lvm2*.deb
  
  depmod -a
  modprobe dm_mod
  modprobe dm_crypt 
  modprobe aes 
  modprobe sha256 
  cryptsetup luksOpen ${DISK}3 pvcrypt
  
  vgscan 
  vgchange -a y
  
  vg=`vgdisplay -s |awk '{print $1}' |sed -s 's/"//g' |head -1`
  
  cd /dev/${vg}/
  swapon /dev/${vg}/swap
  errck
  
  mount /dev/${vg}/root /install
  errck
  cd /install
  errck
  for mnt in home var tmp usr; do
    mount /dev/${vg}/$mnt /install/$mnt
    errck
  done
  
  mount --bind /BOOTinstall /install/boot
  errck
  
  
  for i in var/run var/lock sys proc dev ; do
    mount --bind /${i} /install/${i}
    errck
  done
  cp /etc/lvm/.cache /install/etc/lvm/
}
function chRoot {
   mountALL
cat <<XXXX > /install/etc/mtab
proc /proc proc rw 0 0
/sys /sys sysfs rw 0 0
varrun /var/run tmpfs rw 0 0
varlock /var/lock tmpfs rw 0 0
udev /dev tmpfs rw 0 0
${DISK} /boot reiserfs rw 0 0
/dev/mapper/${vg}-root / reiserfs rw 0 0
/dev/mapper/${vg}-home /home reiserfs rw 0 0
/dev/mapper/${vg}-var /var reiserfs rw 0 0
/dev/mapper/${vg}-tmp /tmp reiserfs rw 0 0
/dev/mapper/${vg}-usr /usr reiserfs rw 0 0
XXXX
  chroot /install
}

###################

function create_sources.list {
   outfile=${1:-/etc/apt/sources.list}
cat <<EOF > $outfile
# Eli Criffield <crytpoeli@criffield.net>
# setup by the cryptolvm install script
deb http://us.archive.ubuntu.com/ubuntu/ ${DISTRIB_CODENAME} main universe multiverse restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ ${DISTRIB_CODENAME} main universe multiverse restricted
deb http://us.archive.ubuntu.com/ubuntu/ ${DISTRIB_CODENAME}-updates main universe multiverse restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ ${DISTRIB_CODENAME}-updates main universe multiverse restricted
deb http://us.archive.ubuntu.com/ubuntu/ ${DISTRIB_CODENAME}-backports main universe multiverse restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ ${DISTRIB_CODENAME}-backports main universe multiverse restricted
deb http://security.ubuntu.com/ubuntu ${DISTRIB_CODENAME}-security main universe multiverse restricted
deb-src http://security.ubuntu.com/ubuntu ${DISTRIB_CODENAME}-security main universe multiverse restricted
EOF

errck "create_source.list"
}
function create_cryptroot {
   # 3 line change in cryptroot, hopefully it will get ptached
   # and this will be unessary
   #outfile=${1:-/usr/share/initramfs-tools/scripts/local-top/cryptroot}
   outfile=${1:-/BOOTinstall/crypt/cryptroot}
cat <<EOF > $outfile
#!/bin/sh

#
# Standard initramfs preamble
#
prereqs()
{
	# run cryptroot after everything but lvm
        # Eli Criffield <launchpad@zendo.net>
	for req in /scripts/local-top/*; do
		script=\$(basename \$req)
		[ \$script != cryptroot -a \$script != lvm ] && echo \$script
	done
}

case \$1 in
prereqs)
	prereqs
	exit 0
	;;
esac


#
# Helper functions
#
get_options()
{
	# Do we have any settings from the /conf/conf.d/cryptroot file?
	[ -r /conf/conf.d/cryptroot ] && . /conf/conf.d/cryptroot
	cryptopts="\${CRYPTOPTS}"

	# Does the kernel boot command line override them?
	for x in \$(cat /proc/cmdline); do
		case \$x in
		cryptopts=*)
			cryptopts=\${x#cryptopts=}
			;;
		esac
	done

	# Sanity check
	if [ -z "\$cryptopts" ]; then
		# Apparently the root partition isn't encrypted
		echo "No cryptroot configured, skipping"
		exit 0
	fi

	# There are two possible scenarios here:
	#
	# 1) The fstype of the root device has been identified as "luks"
	# 2) The fstype is not "luks" but cryptopts has been set
	#
	# The former means that we use the luks functionality of cryptsetup, the
	# latter means that we do it the old-fashioned way.
	#
	# Start by parsing some options, all options are relevant to regular cryptsetup
	# but only crypttarget and cryptsource is relevant to luks which picks up the 
	# rest of the parameters by reading the partition header
	cryptcipher=aes-cbc-essiv:sha256
	cryptsize=256
	crypthash=sha256
	crypttarget=cryptroot
	cryptsource=\$ROOT
	cryptlvm=""

	if [ -n "\$cryptopts" ]; then
		local IFS=" ,"
		for x in \$cryptopts; do
			case \$x in
			hash=*)
				crypthash=\${x#hash=}
				;;
			size=*)
				cryptsize=\${x#size=}
				;;
			cipher=*)
				cryptcipher=\${x#cipher=}
				;;
			target=*)
				crypttarget=\${x#target=}
				;;
			source=*)
				cryptsource=\${x#source=}
				;;
			lvm=*)
				cryptlvm=\${x#lvm=}
				;;
			esac
		done
	fi
}

activate_vg()
{
	local vg
	vg=\$1

	# Sanity checks
	if [ ! -x /sbin/lvm ]; then
		return 1
	fi

	if [ -z "\$vg" ]; then
		return 1
	fi

	# Make sure we're dealing with a lvm device
	vg=\${vg#/dev/mapper/}
	if [ "\$vg" = "\$1" ]; then
		return 1
	fi

	# Make sure that the device contains at least one dash
	if [ "\$(echo -n "\$vg" | tr -d -)" = "\$vg" ]; then
		return 1
	fi

	# Split volume group from logical volume.
	vg=\$(echo \${vg} | sed -e 's#\(.*\)\([^-]\)-[^-].*#\1\2#')
	# Reduce padded --'s to -'s
	vg=\$(echo \${vg} | sed -e 's#--#-#g')

	lvm vgchange -ay \${vg}
	return \$?
}

load_keymap()
{
	if [ -x /bin/loadkeys -a -r /etc/boottime.kmap.gz ]; then
		loadkeys -q /etc/boottime.kmap.gz
	fi
}

#
# Begin real processing
#

# define crypto variables
get_options

# make sure the cryptsource device is available
if [ ! -e \$cryptsource ]; then
	activate_vg \$cryptsource
fi
if [ ! -e \$cryptsource ]; then
	panic "\$0: source device \$cryptsource not found"
fi

# If possible, load the keymap so that the user can input non-en characters
load_keymap

# prepare commands
if /sbin/cryptsetup isLuks \$cryptsource > /dev/null 2>&1; then
	cryptcreate="/sbin/cryptsetup luksOpen \$cryptsource \$crypttarget"
else
	cryptcreate="/sbin/cryptsetup -c \$cryptcipher -s \$cryptsize -h \$crypthash create \$crypttarget \$cryptsource"
fi
cryptremove="/sbin/cryptsetup remove \$crypttarget"
NEWROOT="/dev/mapper/\$crypttarget"

# Loop until we have a satisfactory password
while [ 1 ]; do
	if [ -x "/sbin/cryptgetpw" ]; then
		/sbin/cryptgetpw < /dev/console | \$cryptcreate
	else
		\$cryptcreate < /dev/console
	fi

	FSTYPE=''
	if [ \$? -ne 0 ]; then
		echo "\$0: cryptsetup failed, bad password or options?"
	elif ! fstype < "\$NEWROOT" > /conf/param.conf; then
		echo "\$0: fstype not recognized, bad password or options?"
	else
		. /conf/param.conf

		# See if we need to setup lvm on the crypto device
		if [ "\$FSTYPE" = "lvm" ] || [ "\$FSTYPE" = "lvm2" ]; then
			NEWROOT="/dev/mapper/\$cryptlvm"
			activate_vg "\$NEWROOT" || panic "failed to setup lvm device"
			if ! fstype < "\$NEWROOT" > /conf/param.conf; then
				panic "failed to setup lvm device, fs not recognised"
			fi
			. /conf/param.conf
		fi
	fi

	if [ -n "\$FSTYPE" ] && [ "\$FSTYPE" != "unknown" ]; then
		break
	fi

	if [ -e "\$NEWROOT" ]; then
		\$cryptremove
	fi
	sleep 3
done

# init can now pick up new FSTYPE, FSSIZE and ROOT
echo "ROOT=\"\$NEWROOT\"" >> /conf/param.conf
exit 0
EOF
errck "create_cryptroot"
}
 
function create_crypttab {
   outfile=${1:-/install/etc/crypttab}
cat <<EOF > $outfile
# <target device> <source device> <key file> <options>
# Eli Criffield 
pvcrypt ${DISK}3 none luks
EOF
errck "create_crypttab"
}

function local_create_sources.list {
   outfile=${1:-/etc/apt/sources.list}
cat <<EOF > $outfile
# Eli Criffield <crytpoeli@criffield.net>
# setup by the cryptolvm install script
deb file:///media/cdrom ${DISTRIB_CODENAME} main restricted
EOF
errck "create_source.list"
}

#############
##############
function create_fstab {
   outfile=${1:-/install/etc/fstab}
cat <<EOF > $outfile
# Eli Criffield <crytpoeli@criffield.net>
# use only spaces, tabs work but are messy
# /etc/fstab: static file system information.
# 
# <file system>       <mount point>   <type>   <options>     <dump>  <pass>

proc                      /proc          proc     defaults       0       0
/dev/mapper/vgcrypt-root  /              reiserfs user_xattr     0       1
${DISK}1                 /boot          reiserfs notail         0       2
/dev/mapper/vgcrypt-home  /home          reiserfs user_xattr     0       2
/dev/mapper/vgcrypt-tmp   /tmp           reiserfs defaults       0       2
/dev/mapper/vgcrypt-usr   /usr           reiserfs user_xattr     0       2
/dev/mapper/vgcrypt-var   /var           reiserfs user_xattr     0       2
/dev/mapper/vgcrypt-swap  none           swap     sw             0       0
/dev/cdrom                /media/cdrom0  udf,iso9660 user,noauto 0       0
EOF
errck "create_fstab"
}
#############
function create_interfaces {
   outfile=${1:-/install/etc/network/interfaces}
cat <<EOF > $outfile
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
#
# Eli Criffield <cryptoeli@criffield.net>
#
auto lo eth0
iface lo inet loopback
iface eth0 inet dhcp
EOF
errck "create_interfaces"
}
#############
function create_mtab {
   outfile=${1:-/install/etc/mtab}
cat <<EOF > $outfile
proc /proc proc rw 0 0
/sys /sys sysfs rw 0 0
varrun /var/run tmpfs rw 0 0
varlock /var/lock tmpfs rw 0 0
udev /dev tmpfs rw 0 0
${DISK}1 /boot reiserfs rw 0 0
/dev/mapper/vgcrypt-root / reiserfs rw 0 0
/dev/mapper/vgcrypt-home /home reiserfs rw 0 0
/dev/mapper/vgcrypt-var /var reiserfs rw 0 0
/dev/mapper/vgcrypt-tmp /tmp reiserfs rw 0 0
/dev/mapper/vgcrypt-usr /usr reiserfs rw 0 0
EOF
errck "create_mtab"
}
#############
function create_kernel-img.conf {
   outfile=${1:-/install/etc/kernel-img.conf}
cat <<EOF > $outfile
do_symlinks = yes
relative_links = yes
do_bootloader = no
do_bootfloppy = no
do_initrd = yes
link_in_boot = no
postinst_hook = /sbin/update-grub
postrm_hook   = /sbin/update-grub
EOF
errck "create_kernel-img.conf"
}
###############
function create_sudoers {
   outfile=${1:-/install/etc/sudoers}
cat <<EOF >> $outfile
# Members of the admin group may gain root privileges
%admin  ALL=(ALL) ALL
EOF
errck "create_sudoers"
}
function create_hosts {
   outfile=${1:-/install/etc/hosts}
cat <<EOF > $outfile
# Eli Criffield <cryptoeli@criffield.net>
127.0.0.1 localhost localhost.localdomain ubuntu
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
EOF
errck "create_sudoers"
}
###############
function create_cryptlvm-initramfs_1-1_i386.deb {
 outfile=${1:-/BOOTinstall/crypt/cryptlvm-initramfs_1-1_i386.deb}
 tmpfl=`mktemp`
cat <<EOFXXXXXXXXXXXX > $tmpfl
### cryptlvm-initramfs_1-1_i386.deb, not encrypted just stored
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.5 (GNU/Linux)

owFby6qbJJ9cVFlQklOWq5uZl1lSlJibVhxvqGsYn2lsYaaXkprk6nShWtEmsSg5
w44LyM1MzNNNysxLLKpUUFAwNDQzMjAwNTA3UlAwUAABCGloYGBmYqKgYKIAAwlc
RnoGXMn5eSVF+Tl6JYlFeulVhPUbG1jC9ct3czCAAfPbi47ZhwxE2D/M+6z5ifXK
sShRf76ym4kKHLunfwmVv7ZE5aXZ95ff18SZ3Sgr2vDxv2PlQ9W/k7/1qt88+zQp
cJqz6PzXG8wqLc+ejsxc9vxf0kTxmXqb4y8cD2Fdu/lB7a93d/x/11+pSNrrfXC7
+bz/NWa/i/4d3fPDoj6Za3K61fE/+XnBN523Lp667eGVpd9+WiQd1ww5rrbKN0He
Ym7YrLilS7elCFerp39P4X/z5PzWtVU7Qla5R9dNXrC0as0N1UqNmGTbrXu2Nc5u
W7n2eN+kXdxl5z2Zfiu8L9g4Z7U6V2GHufLidyuVw49nOyy5Un6pW+hS7LsNstMC
ze1eJKtuv/ny9dnSsx8Fvp6eN+fd48rmOxOctk7jD5FkQAMH6j/ytXqkrGTQYGDg
SkksSYQHNxExZm5hhi3Ew2PzbxmIPL25/9G0sNdRnJMYGj2vyi1r3LIvR3e1mu/l
lp7iTJ1JFptlo8K+7j/Pd4Hf6/babO/lPz00Nr63Fb/9fJLMq7inJx9KlxzasEdK
J/707wP80nU3uJj3Jz6zlt0f2bjhE4/GlGVCC5RaL5Q/vSv+3z3we4Dx+9aX8j/W
bnj7pd7u72XD8zummchqvld9cf/L2aMv94v9TVY81n+btX5dvXZGi9//0lfnn5hc
V5q5xH/9/ol2EZf2y/6Yy/XD77/68Wdt5k9mLk9y4vu1t+79h9ytXh56gY/4v1a1
zxGcwRyps2CX6elVk4qdJEI5ohk/5Dje2Hlinn/MJv+dbP+Tdmx3Dwh045A/aH6j
4ZZmxSm9JW+sW3edePhb7oXE5qdCyn4esnucPDdnaV3cnXF3lpjSTNOC3JAUn+KJ
mk6XCo+o5swtrZ7fv+v338+bHs/k7GQJZ/e9Xd3ytMD0svQstgs2R39ZLK38++N5
rqi4TfSRmldpdVt+cbvYyT7QNNJQ9WDpPWYR+vRF1oV3W2xmVSzKZ5nOv3aOguZZ
rlk8GSK8QYKinFoLVmTZ1FyOEzV+foMj3G1RSYCY+pJHAT/15/3v8szb9VJQ9gDz
vf9r/R7c+//6qr1gj9qzibOqz6+v332z7P//+J5/9a9Z33+uP5vg+b/tfo7p3P/R
k/9rK82xOcKcd8gwK/tPVlt4wVHTVe3Sh1X9S6YLKx9b+ySIRzCr3Tk78syMFSyG
7W2mM45funO1ruGU8KqkDz7rNKe5cZ7/0HV8j0lko+lMHUctz52P395VdXj/+Pe/
682L48Tt9rwuX3j7/v9LzXejN8SGzZy66tUM7QSls9y9QlypayPZZky1N+o5EHGL
Q+mkesRc42WLGq5s0Ux5dEQlalak8ZOQlcKJk7Y2cHhbFexVmJkbHaeyKZc3+fSe
Yxs3zvC7cKVF2MrUVMyleofCkrVeks6p081bO7K4vLgzwzSMdmzrlJx8Z8MiT8Ow
+UVnDhjzPj0qmOtkN3PnyfviR18Fiek96zRlWy82ceaxpVHnTlpaoII1x/Stn+26
C8pOAA==
=jZbu
-----END PGP MESSAGE-----
EOFXXXXXXXXXXXX
errck "create_cryptlvm-initramfs_1-1_i386.deb"
rm -f $outfile
gpg --output $outfile $tmpfl
errck "create_cryptlvm-initramfs_1-1_i386.deb"
}
###############
function umountDISK {
   DISK=${1:-$DISK}
   # CATION DOESN't work if there are lvm's mounted or 
   # fs is in use
   for i in `df |awk '{print $1}' |grep $DISK` ; do
    umount $i
    errck "umount $i"
   done
}

function partition_disk {
   DISK=${1:-$DISK}
   umountDISK $DISK
   echo "Are you SURE you want to destroy all data on $DISK"
   echo "type YES now to continue "
   echo
   echo -n "anything else will exit:"
   read an
   if [ $an == "YES" -o $an == "yes" ]; then 
      echo partition disk now
   else
     echo bailing out
     exit
   fi

   echo
   echo "Has this disk ever had any sensitive data on it"
   echo "If so we can securely delete it now (by using shred)"
   echo "type YES will shred, this will take hours "
   echo
   echo -n "anything else will continue without shreding:"
   read an
   if [ $an == "YES" -o $an == "yes" ]; then 
      # 5 times better be enough, if your paraonied make it 25
      shred -n 4 -z -v $DISK
   fi

   #  3 partitions
   #  1 512M for boot
   #  2 MEMSIZE for resume
   #  3 CRYPTED for LVM

sfdisk -uM -L $DISK <<EOF
0,512,L,-
,${MEM},S
,,8e
;
EOF
   errck "sfdisk error: reboot and try again"
}

function cryptDISK {
   DISK=${1:-$DISK}
   for i in 1 2 3 4 5; do  echo; done

   echo You need to chose a password for the disk
   echo 
   echo This password is the only thing needed to access everything on
   echo this computer
   echo 
   echo "I know its a pain but don't use a password "
   echo "you've used somewhere else, and never use this password"
   echo "anywhere else. If you did lose this computer and you use the password"
   echo "somewhere else they could obtain the password via some other method"
   echo '(keyloger, social engineering, ect...) and have access to this computer'
   echo
   depmod -a
   modprobe dm_mod
   modprobe dm_crypt 
   modprobe aes 
   modprobe sha256 
   # This requires a tty, so you can't pipe the script to sh or sudo -s
   cryptsetup -q -y luksFormat ${DISK}3
   errck "couldn't encrypt, did you screw up the password"

   echo
   echo You now need to unlock the disk you just encrypted
   echo please reenter the password you just made
   echo
   cryptsetup luksOpen ${DISK}3 pvcrypt
   errck "couldn't decrypt, did you screw up the password"
}

function install {
   
   # partition disk into 3 parts, /boot, resumedisk, crypted lvm
   partition_disk

   # make and mount the new /boot
   mkreiserfs -q --label boot ${DISK}1
   errck
   rm -rf /BOOTinstall /install
   mkdir /BOOTinstall
   mkdir /install
   mount ${DISK}1 /BOOTinstall 
   errck
   mkdir /BOOTinstall/crypt
   errck
   
   #extract a couple files 
   if $local ; then
      local_create_sources.list
   else
      create_sources.list
   fi
   if $dapper ; then
      create_cryptlvm-initramfs_1-1_i386.deb
   elif $edgy ; then
      create_cryptroot
      chmod 755 /BOOTinstall/crypt/cryptroot
   fi
   
   # get cryptsetup 

   if $local ; then
      if ! [ -r cryptsetup*.deb ] ; then
        wget http://mirrors.kernel.org/ubuntu/pool/universe/c/cryptsetup/cryptsetup_1.0.3-3ubuntu3_i386.deb
        errck "Can't download cryptsetup, get it somehow and place it in this directory and rerun"
      fi
      dpkg -i cryptsetup*.deb
      cp cryptsetup*.deb /BOOTinstall/crypt/
      cp /media/cdrom/pool/main/l/lvm2/lvm2_2.02.06-2ubuntu3_i386.deb /BOOTinstall/crypt/
      cp /media/cdrom/pool/main/l/lvm-common/lvm-common_1.5.20ubuntu7_i386.deb /BOOTinstall/crypt/
      cp /media/cdrom/pool/main/m/mdadm/mdadm_2.4.1-6ubuntu5_i386.deb /BOOTinstall/crypt/
      cp /media/cdrom/pool/main/r/reiserfsprogs/reiserfsprogs_3.6.19-3ubuntu1_i386.deb /BOOTinstall/crypt/
   fi

   apt-get update  
   apt-get -y  install cryptsetup debootstrap lvm2
   # save cryptsetup and rescue-script
   # with this a live cd is all you need for rescue
   cp  /var/cache/apt/archives/cryptsetup* /BOOTinstall/crypt/
   cp  /var/cache/apt/archives/mdadm* /BOOTinstall/crypt/
   cp  /var/cache/apt/archives/lvm-common* /BOOTinstall/crypt/
   cp  /var/cache/apt/archives/lvm2* /BOOTinstall/crypt/
   cp $0 /BOOTinstall/crypt/rescue-script
   cp $0 /BOOTinstall/stage_two
   errck
  
   # do the encryption 
   cryptDISK
  
   #create all the LVM Stuff 
   pvcreate /dev/mapper/pvcrypt
   errck 
   vgcreate vgcrypt /dev/mapper/pvcrypt
   errck 
   lvcreate -L64M -n home vgcrypt
   errck
   lvcreate -L192M -n root vgcrypt
   errck
   lvcreate -L750MB -n var vgcrypt
   errck
   lvcreate -L64M -n tmp vgcrypt
   errck
   lvcreate -L2G -n usr vgcrypt
   errck
   lvcreate -L${MEM}M -n swap vgcrypt
   errck
   
   #format and mount all fs
   cd /dev/vgcrypt/
   errck
   for dev in * ; do
    mkreiserfs --label $dev -q $dev
    errck
   done
   mkswap /dev/vgcrypt/swap
   errck
   swapon /dev/vgcrypt/swap
   errck
   mount /dev/vgcrypt/root /install
   errck
   cd /install
   errck
   for mnt in home var tmp usr; do
     mkdir $mnt
     mount /dev/vgcrypt/$mnt /install/$mnt
     errck
   done
   mkdir boot proc sys initrd
   chmod 1777 tmp
   mount --bind /BOOTinstall /install/boot
   errck
   
   #bind the not real file systems
   for i in var/run var/lock sys proc dev ; do
     mkdir -p $i
     mount --bind /${i} /install/${i}
     errck
   done
  
   if $local ; then
      mkdir -p /install/media/cdrom
      mount --bind /media/cdrom /install/media/cdrom
   fi

   # This is Going to take a long time
   # this installs the minmial packages
   if $local ; then
      debootstrap ${DISTRIB_CODENAME} /install file:///media/cdrom
   else
      debootstrap ${DISTRIB_CODENAME} /install http://archive.ubuntu.com/ubuntu
   fi
   errck 'package installs failed, network time out?'
   
   #these come umounted somehow
   for i in sys proc ; do
     mount --bind /${i} /install/${i}
     errck
   done
   # copy some config files
   cp /etc/resolv.conf /install/etc/resolv.conf
   cp /etc/apt/sources.list /install/etc/apt/
   create_fstab
   create_interfaces
   create_mtab
   if $edgy ; then
     create_crypttab
   fi

   # do some base setup
   $ch '/usr/share/locales/install-language-pack en_US'
   $ch '/usr/share/locales/install-language-pack en_US.UTF-8'
   $ch 'dpkg-reconfigure locales'
   # not on edgy
   if ! $edgy; then 
     $ch 'dpkg-reconfigure console-data'
   fi
   echo
   echo
   $ch 'tzconfig'
   $ch 'apt-get -y  update'
   $ch 'apt-get -y  install grub'
   $ch 'apt-get -y  install lvm2'
   $ch 'apt-get -y  install dmsetup'
   $ch 'dpkg -i /boot/crypt/*.deb'
   errck
   $ch "grub-install $DISK"
   errck
   $ch "/sbin/update-grub -y"
   errck
   if $edgy ; then
     # 3 line change in cryptroot, hopefully it will get ptached
     mkdir -p /install/root/inst_backup/usr/share/initramfs-tools/scripts/local-top/
     cp -a /install/usr/share/initramfs-tools/scripts/local-top/cryptroot /install/root/inst_backup/usr/share/initramfs-tools/scripts/local-top/cryptroot.original
     cp -a /BOOTinstall/crypt/cryptroot /install/usr/share/initramfs-tools/scripts/local-top/cryptroot
    # edgy's usplash doesn't allow any input so we 
    # can't use it with crypted root
    sed --in-place=.withsplash  's/splash//g' /install/boot/grub/menu.lst
   fi
   
   # so the kernel install doesn't ask so many questions
   create_kernel-img.conf
   create_sudoers
   create_hosts
   # get the kernel installed 
   #$ch 'apt-get -y install linux-686'
   $ch 'apt-get -y install linux-image-generic'
   errck
   
   #copy over some sane user files from the live cd
   #this should really check if where on the live cd or not 
   cp -a /etc/passwd /install/etc/
   cp -a /etc/shadow /install/etc/
   cp -a /etc/group /install/etc/
   sed -i '/ubuntu/d' /install/etc/passwd
   sed -i '/ubuntu/d' /install/etc/shadow
   sed -i 's/ubuntu//g' /install/etc/group
   
   # gota login with something when this thing boots 
   echo 
   echo "Please setup a user for the new system"
   echo
   echo -n "Enter user login:"
   read login
   $ch "adduser $login"
   errck
   
   # make sure he can sudo 
   $ch "addgroup --system admin"
   $ch "adduser $login admin"
   
   # make sure he can do desktop stuff
   $ch "adduser $login adm"
   $ch "adduser $login dialout"
   $ch "adduser $login cdrom"
   $ch "adduser $login floppy"
   $ch "adduser $login audio"
   $ch "adduser $login dip"
   $ch "adduser $login video"
   $ch "adduser $login plugdev"
   $ch "adduser $login lpadmin"
   $ch "adduser $login scanner"

   # lock root, you must use sudo
   $ch "passwd -l root"
   echo reboot and run /boot/stage_two
}

function stage_two {
   # install all the desktop stuff , try a couple times before giving up
   setupcon
   apt-get update
   apt-get install reiserfsprogs
   apt-get -y  install ubuntu-desktop
   apt-get -y  install ubuntu-desktop
   apt-get -y  install ubuntu-desktop
   apt-get -y -f  install
   apt-get -y -f  install
   apt-get -y -f  install

   # add dbus to startup
   dpkg-reconfigure dbus

   # sound?
   #dpkg-reconfigure linux-sound-base
   dpkg-reconfigure alsa-base
  
   # try to configure anything left
   dpkg --configure -a
   dpkg --configure -a

   # TODO:
   # install base desktop and compare
   # check if any packages are missing
   # compair startup scripts
  
   echo "SETUP NOW DOWN"
   echo
   echo "you can 'sudo rm /boot/stage_two'  now"
   echo
   echo "Please reboot 'sudo shutdown -r now'"
}

myname=`basename $0`
if [ $myname == "rescue-script" ] ; then
   case "$1" in
     mount)
        mountALL   
        ;;
     chroot)
        chRoot
        ;; 
     umount)
        umountALL
        ;;
     unmount)
        umountALL
        ;;
     reboot)
        umountALL
        reboot -f
        ;;
     halt)
       umountALL
       poweroff -f
       ;;
     *)
       echo "would you like to (mount|chroot|umount|reboot|halt)"
       read doit
       $0 $doit
   esac
   exit
elif [ $myname == "stage_two" ] ; then
   stage_two
else
   case "$1" in
     umount)
        umountALL
        ;;
     unmount)
        umountALL
        ;;
     donothing)
       exit
       ;;
     *)
       # install
       install
       echo
       echo 'Reboot to Disk now'
       echo 'login as the user you just created and run'
       echo
       echo 'sudo /boot/stage_two'
       ;;
   esac
   exit
fi