Factory reset: Re-deploy last deployed software

I found this old discussion and am wondering if there are any updates in terms of out-of-the-box support for factory reset.

A couple of the hurdles to getting a fully working factory reset feature:

  • Preserving the auth key that has already been accepted. I’ve rolled my own solution by saving /var/lib/mender/mender-agent.pem to a U-Boot env variable and restoring it when booting up in a factory-reset state. Any better way I should be solving this problem?
  • Re-deploying all the same software and config that had been deployed to the device just prior to the factory reset. I don’t have a solution for this. Does Mender provide anything to help?
  • Initiating a factory reset as a result of a config change. We use the Config Module and would like to be able to start the factory reset when a certain config value changes (for example, the org ID that the device is associated with).

Here is my factory-reset.sh for reference:

#!/bin/sh

set -eo pipefail

SSD_DRIVE=/dev/nvme0n1
MENDER_AUTH_KEY_FILE=/var/lib/mender/mender-agent.pem

if [ "$1" != "--force" ]; then
    echo "This script will wipe the SSD drive ${SSD_DRIVE} and reboot the system."
    echo "Please ensure you have backed up any important data before proceeding."
    echo "To proceed, run this script with the --force option."
    exit 1
fi

if [ -e "${MENDER_AUTH_KEY_FILE}" ]; then
    echo "Preserving Mender auth key in U-Boot environment variable"
    fw_setenv -- mender_auth_key "$(cat "${MENDER_AUTH_KEY_FILE}")"
fi

echo "Wiping SSD drive ${SSD_DRIVE}..."
wipefs --force --all "${SSD_DRIVE}"
echo "Rebooting. SSD will be initialized on next boot."
reboot

And restore-mender-auth-key.sh:

#!/bin/sh

set -eo pipefail

MENDER_AUTH_KEY_FILE=/var/lib/mender/mender-agent.pem

if [ -e "${MENDER_AUTH_KEY_FILE}" ]; then
    echo "Mender auth key file already exists."
    exit
fi

mender_auth_key="$(fw_printenv --no-header mender_auth_key || true)"
if [ -z "${mender_auth_key}" ]; then
    echo "WARNING: No Mender auth key found in U-Boot environment. mender-client will generate a new one which must be accepted through the Mender Dashboard." >&2
    exit
fi

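echo "Restoring Mender auth key from U-Boot environment"
# Create the private key file readable by its owner only (default umask would leave it world-readable)
umask 077
printf '%s\n' "${mender_auth_key}" > "${MENDER_AUTH_KEY_FILE}"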

And systemd oneshot service:

[Unit]
Description=Restore Mender Auth Key
Before=mender-client.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/restore-mender-auth-key.sh

[Install]
WantedBy=mender-client.service
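
A hardening of the restore step above, as an added example that is not part of the original post: it checks that the text read back from the U-Boot environment is one complete PEM private-key block before installing it with mode 0600 through a rename. The function names `is_pem_private_key` and `install_key` and the sample key are assumptions made for illustration, and the check assumes an unencrypted key whose stored value may come back truncated or corrupted.

```shell
#!/bin/sh
# Added example, not the poster's script. Function names are hypothetical.

# Succeed only if $1 is one complete, unencrypted PEM private-key block.
is_pem_private_key() {
    key=$1
    first=$(printf '%s\n' "$key" | sed -n '1p')
    last=$(printf '%s\n' "$key" | sed -n '$p')
    case $first in
        "-----BEGIN "*"PRIVATE KEY-----") ;;
        *) return 1 ;;
    esac
    label=${first#"-----BEGIN "}
    label=${label%"-----"}
    # A truncated environment value loses the END line, so require it.
    [ "$last" = "-----END ${label}-----" ] || return 1
    body=$(printf '%s\n' "$key" | sed '1d;$d')
    [ -n "$body" ] || return 1
    # Every body line must be base64; grep -v succeeds if any line is not.
    if printf '%s\n' "$body" | grep -qv '^[A-Za-z0-9+/=]\{1,\}$'; then
        return 1
    fi
    return 0
}

# Validate key text $1, then install it at $2 with mode 0600 via a rename.
install_key() {
    key_text=$1
    dest=$2
    if ! is_pem_private_key "$key_text"; then
        echo "Refusing to install malformed key at ${dest}" >&2
        return 1
    fi
    tmp=$(umask 077 && mktemp "${dest}.XXXXXX") || return 1
    if printf '%s\n' "$key_text" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Constructed placeholder input, not a real key.
SAMPLE_KEY='-----BEGIN PRIVATE KEY-----
QUJDREVGR0g=
-----END PRIVATE KEY-----'
demo_dir=$(mktemp -d)
install_key "$SAMPLE_KEY" "$demo_dir/mender-agent.pem" && ls -l "$demo_dir/mender-agent.pem"
rm -rf "$demo_dir"
```

When the check fails, nothing is written, so the client falls back to generating a new key that has to be accepted again, the same outcome as the WARNING path in restore-mender-auth-key.sh.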