diff --git a/ask-secret.go b/ask-secret.go
index 75c271f..a7cc29e 100644
--- a/ask-secret.go
+++ b/ask-secret.go
@@ -3,6 +3,7 @@ package main
 import (
 	"bufio"
 	"bytes"
+	"fmt"
 	"io"
 	"os"
 )
@@ -38,6 +39,8 @@ func askSecret(prompt string) []byte {
 		fatalf("failed to read from stdin: %v", err)
 	}
 
+	fmt.Println()
+
 	s = bytes.TrimRight(s, "\r\n")
 	return s
 }
diff --git a/go.mod b/go.mod
index 4ecb9d2..27f1bff 100644
--- a/go.mod
+++ b/go.mod
@@ -3,26 +3,26 @@ module novit.nc/direktil/initrd
 require (
 	github.com/kr/pty v1.1.8
 	github.com/pkg/term v1.1.0
-	golang.org/x/crypto v0.0.0-20220321153916-2c7772ba3064
-	golang.org/x/sys v0.0.0-20220209214540-3681064d5158
-	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
+	golang.org/x/crypto v0.5.0
+	golang.org/x/sys v0.4.0
+	golang.org/x/term v0.4.0
+	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20221104135756-97bc4ad4a1cb
 	gopkg.in/yaml.v2 v2.4.0
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
-	novit.tech/direktil/pkg v0.0.0-20220331152412-40403eca850f
+	gopkg.in/yaml.v3 v3.0.1
+	novit.tech/direktil/pkg v0.0.0-20230201224712-5e39572dc50e
 )
 
 require (
 	github.com/cavaliergopher/cpio v1.0.1 // indirect
-	github.com/creack/pty v1.1.17 // indirect
-	github.com/google/go-cmp v0.5.7 // indirect
-	github.com/josharian/native v1.0.0 // indirect
-	github.com/mdlayher/genetlink v1.2.0 // indirect
-	github.com/mdlayher/netlink v1.6.0 // indirect
-	github.com/mdlayher/socket v0.1.1 // indirect
-	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
-	golang.zx2c4.com/wireguard v0.0.0-20220202223031-3b95c81cc178 // indirect
-	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20220330030906-9490840b0b01 // indirect
+	github.com/creack/pty v1.1.18 // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/josharian/native v1.1.0 // indirect
+	github.com/mdlayher/genetlink v1.3.1 // indirect
+	github.com/mdlayher/netlink v1.7.1 // indirect
+	github.com/mdlayher/socket v0.4.0 // indirect
+	golang.org/x/net v0.5.0 // indirect
+	golang.org/x/sync v0.1.0 // indirect
+	golang.zx2c4.com/wireguard v0.0.0-20220920152132-bb719d3a6e2c // indirect
 )
 
 go 1.18
diff --git a/go.sum b/go.sum
index b878c8e..3e48c37 100644
--- a/go.sum
+++ b/go.sum
@@ -1,13 +1,12 @@
 github.com/cavaliergopher/cpio v1.0.1 h1:KQFSeKmZhv0cr+kawA3a0xTQCU4QxXF1vhU7P7av2KM=
 github.com/cavaliergopher/cpio v1.0.1/go.mod h1:pBdaqQjnvXxdS/6CvNDwIANIFSP0xRKI16PX4xejRQc=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
-github.com/creack/pty v1.1.17 h1:QeVUsEDNrLBW4tMgZHvxy18sKtr6VI492kBhUfhDJNI=
-github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o=
-github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
-github.com/josharian/native v1.0.0 h1:Ts/E8zCSEsG17dUqv7joXJFybuMLjQfWE04tsBODTxk=
-github.com/josharian/native v1.0.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
+github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
+github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
+github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
@@ -15,73 +14,47 @@ github.com/kr/pty v1.1.8 h1:AkaSdXYQOWeaO3neb8EM634ahkXXe3jYbVh/F9lq+GI=
 github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/mdlayher/genetlink v1.2.0 h1:4yrIkRV5Wfk1WfpWTcoOlGmsWgQj3OtQN9ZsbrE+XtU=
-github.com/mdlayher/genetlink v1.2.0/go.mod h1:ra5LDov2KrUCZJiAtEvXXZBxGMInICMXIwshlJ+qRxQ=
-github.com/mdlayher/netlink v1.6.0 h1:rOHX5yl7qnlpiVkFWoqccueppMtXzeziFjWAjLg6sz0=
-github.com/mdlayher/netlink v1.6.0/go.mod h1:0o3PlBmGst1xve7wQ7j/hwpNaFaH4qCRyWCdcZk8/vA=
-github.com/mdlayher/socket v0.1.1 h1:q3uOGirUPfAV2MUoaC7BavjQ154J7+JOkTWyiV+intI=
-github.com/mdlayher/socket v0.1.1/go.mod h1:mYV5YIZAfHh4dzDVzI8x8tWLWCliuX8Mon5Awbj+qDs=
-github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721/go.mod h1:Ickgr2WtCLZ2MDGd4Gr0geeCH5HybhRJbonOgQpvSxc=
+github.com/mdlayher/genetlink v1.3.1 h1:roBiPnual+eqtRkKX2Jb8UQN5ZPWnhDCGj/wR6Jlz2w=
+github.com/mdlayher/genetlink v1.3.1/go.mod h1:uaIPxkWmGk753VVIzDtROxQ8+T+dkHqOI0vB1NA9S/Q=
+github.com/mdlayher/netlink v1.7.1 h1:FdUaT/e33HjEXagwELR8R3/KL1Fq5x3G5jgHLp/BTmg=
+github.com/mdlayher/netlink v1.7.1/go.mod h1:nKO5CSjE/DJjVhk/TNp6vCE1ktVxEA8VEh8drhZzxsQ=
+github.com/mdlayher/socket v0.4.0 h1:280wsy40IC9M9q1uPGcLBwXpcTQDtoGwVt+BNoITxIw=
+github.com/mdlayher/socket v0.4.0/go.mod h1:xxFqz5GRCUN3UEOm9CZqEJsAbe1C8OwSK46NlmWuVoc=
+github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721 h1:RlZweED6sbSArvlE924+mUcZuXKLBHA35U7LN621Bws=
 github.com/pkg/term v1.1.0 h1:xIAAdCMh3QIAy+5FrE8Ad8XoDhEU4ufwbaSozViP9kk=
 github.com/pkg/term v1.1.0/go.mod h1:E25nymQcrSllhX42Ok8MRm1+hyBdHY0dCeiKZ9jpNGw=
 github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8=
-golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20220208050332-20e1d8d225ab/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220321153916-2c7772ba3064 h1:S25/rfnfsMVgORT4/J61MJ7rdyseOZOyvLIrZEZ7s6s=
 golang.org/x/crypto v0.0.0-20220321153916-2c7772ba3064/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211111083644-e5c967477495/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/crypto v0.5.0 h1:U/0M97KRkSFvyD/3FSmdP5W5swImpNgle/EHFhOsQPE=
+golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd h1:O7DYs+zxREGLKzKoMQrtrEacpb0ZVXA5rIwylE2Xchk=
-golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/net v0.5.0 h1:GyT4nK/YDHSqa1c4753ouYCDajOYKTja9Xb/OHtgvSw=
+golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
+golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211103235746-7861aae1554b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211110154304-99a53858aa08/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220207234003-57398862261d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220209214540-3681064d5158 h1:rm+CHSpPEEW2IsXUib1ThaHIjuBVZjxNgSKmBLFfD4c=
-golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.4.0 h1:Zr2JFtRQNX3BCZ8YtxRE9hNJYC8J6I1MVbMg6owUp18=
+golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/term v0.4.0 h1:O7UWfv5+A2qiuulQk30kVinPoMtoIPeVaKLEgLpVkvg=
+golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.zx2c4.com/go118/netip v0.0.0-20211111135330-a4a02eeacf9d/go.mod h1:5yyfuiqVIJ7t+3MqrpTQ+QqRkMWiESiyDvPNvKYCecg=
-golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
-golang.zx2c4.com/wireguard v0.0.0-20220202223031-3b95c81cc178 h1:Nrf94TOjrvW8nm6N3u2xtbnMZaZudNI9b8nIJH8p8qY=
-golang.zx2c4.com/wireguard v0.0.0-20220202223031-3b95c81cc178/go.mod h1:TjUWrnD5ATh7bFvmm/ALEJZQ4ivKbETb6pmyj1vUoNI=
-golang.zx2c4.com/wireguard/wgctrl v0.0.0-20220330030906-9490840b0b01 h1:G30UzvXRxKoX1KgKOkts6f5qVE9cucifzg46J2s1Cmg=
-golang.zx2c4.com/wireguard/wgctrl v0.0.0-20220330030906-9490840b0b01/go.mod h1:8P32Ilp1kCpwB4ItaHyvSk4xAtnpQ+8gQVfg5WaO1TU=
+golang.zx2c4.com/wireguard v0.0.0-20220920152132-bb719d3a6e2c h1:Okh6a1xpnJslG9Mn84pId1Mn+Q8cvpo4HCeeFWHo0cA=
+golang.zx2c4.com/wireguard v0.0.0-20220920152132-bb719d3a6e2c/go.mod h1:enML0deDxY1ux+B6ANGiwtg0yAJi1rctkTpcHNAVPyg=
+golang.zx2c4.com/wireguard/wgctrl v0.0.0-20221104135756-97bc4ad4a1cb h1:9aqVcYEDHmSNb0uOWukxV5lHV09WqiSiCuhEgWNETLY=
+golang.zx2c4.com/wireguard/wgctrl v0.0.0-20221104135756-97bc4ad4a1cb/go.mod h1:mQqgjkW8GQQcJQsbBvK890TKqUK1DfKWkuBGbOkuMHQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 novit.nc/direktil/pkg v0.0.0-20220221171542-fd3ce3a1491b/go.mod h1:zwTVO6U0tXFEaga73megQIBK7yVIKZJVePaIh/UtdfU=
-novit.tech/direktil/pkg v0.0.0-20220330123644-8a2398667238 h1:al1i3XBlSPaxlcWom0NGMR3gOh90PtPh8z944jAZg5g=
-novit.tech/direktil/pkg v0.0.0-20220330123644-8a2398667238/go.mod h1:2Mir5x1eT/e295WeFGzzXa4siunKX4z+rmNPfVsXS0k=
-novit.tech/direktil/pkg v0.0.0-20220331124929-ba878f31b8e0 h1:QGyQyvC+x9+CJxkFUOR2MqafiaokPSJkrUguocXpS7o=
-novit.tech/direktil/pkg v0.0.0-20220331124929-ba878f31b8e0/go.mod h1:2Mir5x1eT/e295WeFGzzXa4siunKX4z+rmNPfVsXS0k=
-novit.tech/direktil/pkg v0.0.0-20220331125853-8c51e2a555a6 h1:tvdL2ZxdGZP0EUf+a82aAmlhp/Wvngia9JlpJW+XiAA=
-novit.tech/direktil/pkg v0.0.0-20220331125853-8c51e2a555a6/go.mod h1:2Mir5x1eT/e295WeFGzzXa4siunKX4z+rmNPfVsXS0k=
-novit.tech/direktil/pkg v0.0.0-20220331135252-bf8427988ad7 h1:8LNQczE0Y7dRjvmeNgeMexHn1NiixEwqs5TVCdOoYds=
-novit.tech/direktil/pkg v0.0.0-20220331135252-bf8427988ad7/go.mod h1:2Mir5x1eT/e295WeFGzzXa4siunKX4z+rmNPfVsXS0k=
-novit.tech/direktil/pkg v0.0.0-20220331140020-b11c53b36ae8 h1:hWOk8M67kCXr/Er5fmts4OSblk2KdbfqRtKZ3rAtZt0=
-novit.tech/direktil/pkg v0.0.0-20220331140020-b11c53b36ae8/go.mod h1:2Mir5x1eT/e295WeFGzzXa4siunKX4z+rmNPfVsXS0k=
-novit.tech/direktil/pkg v0.0.0-20220331152412-40403eca850f h1:Ka7zFkP01l4TW9JSmQQzaYVOq0i+qf+JIWAfyoreoSk=
-novit.tech/direktil/pkg v0.0.0-20220331152412-40403eca850f/go.mod h1:2Mir5x1eT/e295WeFGzzXa4siunKX4z+rmNPfVsXS0k=
+novit.tech/direktil/pkg v0.0.0-20230201224712-5e39572dc50e h1:eQFbzcuB4wOSrnOhkcN30hFDCIack40VkIoqVRbWnWc=
+novit.tech/direktil/pkg v0.0.0-20230201224712-5e39572dc50e/go.mod h1:2Mir5x1eT/e295WeFGzzXa4siunKX4z+rmNPfVsXS0k=
diff --git a/lvm.go b/lvm.go
index f4db1f0..8f27821 100644
--- a/lvm.go
+++ b/lvm.go
@@ -7,18 +7,32 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"sort"
 	"strconv"
 
 	"novit.nc/direktil/initrd/lvm"
 	config "novit.tech/direktil/pkg/bootstrapconfig"
 )
 
+func sortedKeys[T any](m map[string]T) (keys []string) {
+	keys = make([]string, 0, len(m))
+	for k := range m {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+	return
+}
+
 func setupLVM(cfg *config.Config) {
 	if len(cfg.LVM) == 0 {
 		log.Print("no LVM VG configured.")
 		return
 	}
 
+	// [dev] = filesystem
+	// eg: [/dev/sda1] = ext4
+	createdDevs := map[string]string{}
+
 	run("pvscan")
 	run("vgscan", "--mknodes")
 
@@ -27,17 +41,21 @@ func setupLVM(cfg *config.Config) {
 	}
 
 	for _, vg := range cfg.LVM {
-		setupLVs(vg)
+		setupLVs(vg, createdDevs)
 	}
 
 	run("vgchange", "--sysinit", "-a", "ly")
 
-	for _, vg := range cfg.LVM {
-		setupCrypt(vg)
-	}
+	setupCrypt(cfg.Crypt, createdDevs)
 
-	for _, vg := range cfg.LVM {
-		setupFS(vg)
+	devs := make([]string, 0, len(createdDevs))
+	for k := range createdDevs {
+		devs = append(devs, k)
+	}
+	sort.Strings(devs)
+
+	for _, dev := range devs {
+		setupFS(dev, createdDevs[dev])
 	}
 }
 
@@ -113,7 +131,7 @@ func setupVG(vg config.LvmVG) {
 	}
 }
 
-func setupLVs(vg config.LvmVG) {
+func setupLVs(vg config.LvmVG, createdDevs map[string]string) {
 	lvsRep := lvm.LVSReport{}
 	err := runJSON(&lvsRep, "lvs", "--reportformat", "json")
 	if err != nil {
@@ -171,6 +189,12 @@ func setupLVs(vg config.LvmVG) {
 
 		dev := "/dev/" + vg.VG + "/" + lv.Name
 		zeroDevStart(dev)
+
+		fs := lv.FS
+		if fs == "" {
+			fs = vg.Defaults.FS
+		}
+		createdDevs[dev] = fs
 	}
 }
 
@@ -188,21 +212,52 @@ func zeroDevStart(dev string) {
 	}
 }
 
-func setupCrypt(vg config.LvmVG) {
-	cryptDevs := map[string]bool{}
-
+func setupCrypt(devSpecs []config.CryptDev, createdDevs map[string]string) {
 	var password []byte
 	passwordVerified := false
 
-	for _, lv := range vg.LVs {
-		if lv.Crypt == "" {
+	// flat, expanded devices to open
+	devNames := make([]config.CryptDev, 0, len(devSpecs))
+
+	for _, devSpec := range devSpecs {
+		if devSpec.Dev == "" && devSpec.Prefix == "" {
+			fatalf("crypt: name %q: no dev or match set", devSpec.Name)
+		}
+		if devSpec.Dev != "" && devSpec.Prefix != "" {
+			fatalf("crypt: name %q: both dev (%q) and match (%q) are set", devSpec.Name, devSpec.Dev, devSpec.Prefix)
+		}
+
+		if devSpec.Dev != "" {
+			// already flat
+			devNames = append(devNames, devSpec)
 			continue
 		}
 
-		if cryptDevs[lv.Crypt] {
-			fatalf("duplicate crypt device name: %s", lv.Crypt)
+		matches, err := filepath.Glob(devSpec.Prefix + "*")
+		if err != nil {
+			fatalf("failed to search for device matches: %v", err)
 		}
-		cryptDevs[lv.Crypt] = true
+
+		for _, m := range matches {
+			suffix := m[len(devSpec.Prefix):]
+
+			devNames = append(devNames, config.CryptDev{Dev: m, Name: devSpec.Name + suffix})
+		}
+	}
+
+	cryptDevs := map[string]bool{}
+
+	for _, devName := range devNames {
+		name, dev := devName.Name, devName.Dev
+
+		if name == "" {
+			name = filepath.Base(dev)
+		}
+
+		if cryptDevs[name] {
+			fatalf("duplicate crypt device name: %s", name)
+		}
+		cryptDevs[name] = true
 
 	retryOpen:
 		if len(password) == 0 {
@@ -213,7 +268,10 @@ func setupCrypt(vg config.LvmVG) {
 			}
 		}
 
-		dev := "/dev/" + vg.VG + "/" + lv.Name
+		fs := createdDevs[dev]
+		delete(createdDevs, dev)
+
+		tgtDev := "/dev/mapper/" + name
 
 		needFormat := !devInitialized(dev)
 		if needFormat {
@@ -242,10 +300,20 @@ func setupCrypt(vg config.LvmVG) {
 			if err != nil {
 				fatalf("failed luksFormat: %v", err)
 			}
+
+			createdDevs[tgtDev] = fs
 		}
 
-		log.Print("openning encrypted device ", lv.Crypt, " from ", dev)
-		cmd := exec.Command("cryptsetup", "open", dev, lv.Crypt, "--key-file=-")
+		if len(password) == 0 {
+			password = askSecret("crypt password")
+
+			if len(password) == 0 {
+				fatalf("empty password given")
+			}
+		}
+
+		log.Print("openning encrypted device ", name, " from ", dev)
+		cmd := exec.Command("cryptsetup", "open", dev, name, "--key-file=-")
 		cmd.Stdin = bytes.NewBuffer(password)
 		cmd.Stdout = stdout
 		cmd.Stderr = stderr
@@ -261,7 +329,7 @@ func setupCrypt(vg config.LvmVG) {
 		}
 
 		if needFormat {
-			zeroDevStart("/dev/mapper/" + lv.Crypt)
+			zeroDevStart(tgtDev)
 		}
 
 		passwordVerified = true
@@ -294,33 +362,25 @@ func devInitialized(dev string) bool {
 	return false
 }
 
-func setupFS(vg config.LvmVG) {
-	for _, lv := range vg.LVs {
-		dev := "/dev/" + vg.VG + "/" + lv.Name
-
-		if lv.Crypt != "" {
-			dev = "/dev/mapper/" + lv.Crypt
-		}
-
-		if devInitialized(dev) {
-			log.Print("device ", dev, " already formatted")
-			continue
-		}
-
-		if lv.FS == "" {
-			lv.FS = vg.Defaults.FS
-		}
-
-		log.Print("formatting ", dev, " (", lv.FS, ")")
-		args := make([]string, 0)
-
-		switch lv.FS {
-		case "btrfs":
-			args = append(args, "-f")
-		case "ext4":
-			args = append(args, "-F")
-		}
-
-		run("mkfs."+lv.FS, append(args, dev)...)
+func setupFS(dev, fs string) {
+	if devInitialized(dev) {
+		log.Print("device ", dev, " already formatted")
+		return
 	}
+
+	if fs == "" {
+		fs = "ext4"
+	}
+
+	log.Print("formatting ", dev, " (", fs, ")")
+	args := make([]string, 0)
+
+	switch fs {
+	case "btrfs":
+		args = append(args, "-f")
+	case "ext4":
+		args = append(args, "-F")
+	}
+
+	run("mkfs."+fs, append(args, dev)...)
 }
diff --git a/test-initrd/config.yaml b/test-initrd/config.yaml
index d69fcbb..a579762 100644
--- a/test-initrd/config.yaml
+++ b/test-initrd/config.yaml
@@ -26,8 +26,9 @@ networks:
     - eno.*
     - enp.*
   script: |
+    ip a add 2001:41d0:306:168f::1337:2eed/64 dev $iface
     ip li set $iface up
-    udhcpc $iface
+    #udhcpc $iface
 
 lvm:
 - vg: storage
@@ -52,18 +53,28 @@ lvm:
 
   lvs:
   - name: bootstrap
-    crypt: bootstrap
     size: 2g
 
   - name: varlog
-    crypt: varlog
     extents: 10%FREE
+    # size: 10g
+
+  - name: podman
+    extents: 10%FREE
+    # size: 10g
 
   - name: dls
-    crypt: dls
     extents: 100%FREE
+    # size: 10g
+
+crypt:
+- dev: /dev/storage/bootstrap
+- dev: /dev/storage/dls
 
 bootstrap:
   dev: /dev/mapper/bootstrap
-  #seed: https://direktil.novit.io/bootstraps/dls
+  # TODO seed: https://direktil.novit.io/bootstraps/dls-crypt
+  seed: http://192.168.10.254:7606/hosts/m1/bootstrap.tar
+  # TODO seed_sign_key: "..."
+  # TODO load_and_close: true