refactor: speed up fedora system by enabling auto unlock luks with tpm2 and reducing grub timeout to 1 second

Author: pixincreate

unix/fedora/config.json

@@ -61,7 +61,10 @@
       "redis.service",
       "tailscaled.service"
     ],
-    "disable": ["NetworkManager-wait-online.service"]
+    "disable": [
+      "cups.service",
+      "NetworkManager-wait-online.service"
+    ]
   },
   "hardware": {
     "asus": {
@@ -82,7 +85,10 @@
     "zram_size_mb": 24576,
     "disable_cpu_mitigations": false,
     "enable_fstrim": true,
-    "enable_oomd": true
+    "enable_oomd": true,
+    "grub_timeout": 1,
+    "auto_luks": true
+    
   },
   "git": {
     "user_name": "PiX",

unix/fedora/install/config/performance.sh

@@ -70,4 +70,51 @@ if [[ "$disable_mitigations" == "true" ]]; then
     fi
 fi
 
+# Reduce grub timeout
+grub_timeout=$(get_config '.performance.grub_timeout')
+
+# If grub_timeout is a valid integer
+if [[ -v grub_timeout && "$grub_timeout" =~ ^[0-9]+$ ]]; then
+    log_warning "Reducing GRUB timeout to 1 second"
+
+    if confirm "This will reduce GRUB timeout. Continue?"; then
+        if [ -f /etc/default/grub ] && sudo sed -i.bak "s/^GRUB_TIMEOUT=.*/GRUB_TIMEOUT=$grub_timeout/" /etc/default/grub; then
+            grub_cfg=$( [ -d /boot/grub2 ] && echo "/boot/grub2/grub.cfg" || echo "/boot/grub/grub.cfg" )
+
+            if [ -n "$grub_cfg" ] && sudo grub2-mkconfig -o "$grub_cfg"; then
+                log_success "GRUB timeout reduced to 1 second"
+            else
+                log_warning "Failed to update GRUB configuration"
+            fi
+        else
+            log_warning "Failed to modify /etc/default/grub or file not found"
+        fi
+    else
+        log_warning "Operation cancelled by user"
+    fi
+else
+    log_warning "grub_timeout is not set or not a valid integer"
+fi
+
+# Do not ask user to enter the LUKS password
+auto_luks=$(get_config '.performance.auto_luks')
+
+if [[ "$auto_luks" == "true" ]]; then
+    log_warning "Setting up TPM2 auto-unlock for LUKS"
+    
+    if confirm "This will reduce security. Continue?"; then
+        LUKS_DEVICE=$(lsblk -nlo NAME,FSTYPE | grep crypto_LUKS | awk '{print "/dev/"$1}')
+        
+        if [ -n "$LUKS_DEVICE" ]; then
+            log_info "TPM2 device found, enrolling..."
+            
+            sudo systemd-cryptenroll "$LUKS_DEVICE" --tpm2-device=auto --tpm2-pcrs=0+1+7
+            sudo dracut -f
+            
+            log_info "To rollback tpm2 auto-unlock, execute:\nsudo system-cryptenroll $LUKS_DEVICE --wipe-slot=tpm2\nsudo dracut -f"
+        fi
+    
+    fi
+fi
+
 log_success "Performance optimizations applied"

unix/fedora/migrations/1760812842.sh

@@ -0,0 +1,96 @@
+#!/bin/bash
+# Migration: Set up LUKS Auto Unlock and reduce GRUB timeout to 1 second
+
+echo "Running migration: Set up LUKS Auto Unlock and reduce GRUB timeout to 1 second"
+
+confirm() {
+    read -p "$1 [y/N]: " response
+    [[ "$response" =~ ^[Yy]$ ]]
+}
+
+echo ""
+echo "[1/3] Reducing GRUB timeout..."
+
+if [[ -f /etc/default/grub ]]; then
+    if confirm "This will reduce GRUB timeout to 1 second. Continue?"; then
+
+        sudo cp /etc/default/grub /etc/default/grub.bak
+        sudo sed -i 's/^GRUB_TIMEOUT=.*/GRUB_TIMEOUT=1/' /etc/default/grub
+        
+        if [[ -d /boot/grub2 ]]; then
+            grub_cfg="/boot/grub2/grub.cfg"
+        else
+            grub_cfg="/boot/grub/grub.cfg"
+        fi
+        
+        if sudo grub2-mkconfig -o "$grub_cfg"; then
+            echo "GRUB timeout reduced to 1 second"
+        else
+            echo "Failed to update GRUB configuration"
+        fi
+    else
+        echo "Skipped GRUB timeout modification"
+    fi
+else
+    echo "/etc/default/grub not found, skipping"
+fi
+
+echo ""
+echo "[2/3] Setting up TPM2 auto-unlock for LUKS..."
+
+LUKS_DEVICE=$(lsblk -nlo NAME,FSTYPE | grep crypto_LUKS | awk '{print "/dev/"$1}')
+
+if [[ -z "$LUKS_DEVICE" ]]; then
+    echo "No LUKS device found, skipping TPM2 setup"
+elif [[ ! -e /dev/tpm0 ]]; then
+    echo "TPM2 device not found, skipping"
+else
+    echo "Found LUKS device: $LUKS_DEVICE"
+    echo "⚠  WARNING: This reduces security by auto-unlocking your encrypted drive"
+    echo "   The drive will only unlock on this specific hardware with Secure Boot"
+    
+    if confirm "Continue with TPM2 enrollment?"; then
+        echo "You will be asked for your LUKS passphrase..."
+        
+        if sudo systemd-cryptenroll "$LUKS_DEVICE" --tpm2-device=auto --tpm2-pcrs=0+1+7; then
+            echo "TPM2 enrollment successful"
+            
+            echo "Rebuilding initramfs..."
+            if sudo dracut -f; then
+                echo "Initramfs rebuilt"
+            else
+                echo "Failed to rebuild initramfs"
+            fi
+            
+            echo ""
+            echo "To rollback TPM2 auto-unlock, run:"
+            echo "  sudo systemd-cryptenroll $LUKS_DEVICE --wipe-slot=tpm2"
+            echo "  sudo dracut -f"
+        else
+            echo "TPM2 enrollment failed"
+        fi
+    else
+        echo "Skipped TPM2 enrollment"
+    fi
+fi
+
+
+echo ""
+echo "[3/3] Disabling CUPS service..."
+
+service="cups.service"
+if ! systemctl list-unit-files "$service" &>/dev/null; then
+    echo "Service not available: $service"
+    continue
+fi
+
+if systemctl is-enabled "$service" &>/dev/null; then
+    echo "Disabling service: $service"
+    sudo systemctl disable "$service" 2>/dev/null || echo "Failed to disable: $service"
+else
+    echo "Service already disabled: $service"
+fi
+
+echo ""
+echo "Migration completed: LUKS Auto Unlock and GRUB timeout optimization"
+echo "Changes will take effect after reboot"