move luks keyfile config to hook

tsa/howto/new-machine-hetzner-robot.mdwn

@@ -123,38 +123,18 @@ which we'll use below.
             --defaultinterfaces &&
         umount /target/run/udev /target/run
 
- 7. setup dropbear-initramfs to unlock the filesystem on boot. this
-    should already have been done by the `tor-install-luks-setup` hook
-    deployed in the grml-debootstrap stage, but if not:
+ 5. setup dropbear-initramfs to unlock the filesystem on boot. this
+    should already have been done by the `50-tor-install-luks-setup` hook
+    deployed in the grml-debootstrap stage.
 
-        /root/tsa-misc/installer/tor-install-luks-setup /target
-
-    TODO: improve the way that script is deployed.
-
-    TODO: use the FAI keyfiles and set a LUKS passphrase for the first
-    disk. For example:
-
-        LUKS_PASSPHRASE=$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 30) &&
-        echo $LUKS_PASSPHRASE | cryptsetup luksAddKey /dev/md1 --key-file=/tmp/fai/crypt_dev_md1 &&
-        echo $LUKS_PASSPHRASE | cryptsetup luksAddKey /dev/md2 --key-file=/tmp/fai/crypt_dev_md2 &&
-        cryptsetup luksRemoveKey /dev/md1 --key-file=/tmp/fai/crypt_dev_md1 &&
-        cryptsetup luksRemoveKey /dev/md2 --key-file=/tmp/fai/crypt_dev_md2
-
-    ... although that doesn't correctly setup the second disk to use a
-    keyfile. 
-    
-    TODO: Those keyfiles are precious: they could be used to bootstrap
-    mandos configuration. Maybe we don't want to `luksRemoveKey` the
-    darn thing.
-    
     TODO: in an install following the above procedure, a keyfile was
     left unprotected in `/etc`. Make sure we have strong mechanisms to
     avoid that ever happening again. For example:
     
         chmod 0 /etc/luks/
     
-    TODO: in any case, move all of the above in the
-    `tor-install-luks-setup` hook.
+    TODO: the keyfiles deployed there can be used to bootstrap
+    mandos. Document how to do this better.
 
  8. Review the crypto configuration: