getch 0.1.9 → 0.3.3

data/lib/luks.rb

@@ -0,0 +1,239 @@
+# frozen_string_literal: true
+
+require 'nito'
+require 'getch/log'
+require 'getch/command'
+
+module Luks
+  class Main
+    include Luks
+    include NiTo
+
+    Permission = Class.new(StandardError)
+
+    def initialize(disk, options)
+      @disk = disk
+      @format = options[:fs]
+      @mountpoint = options[:mountpoint]
+      @luks_type = nil
+      @key_dir = nil
+      @key_name = nil
+      @mount = nil
+      @bootloader = false
+      @log = Getch::Log.new
+      @bs = get_bs
+    end
+
+    def encrypt
+      args = @luks_type == 'luks2' ? "#{@command_args} --sector-size #{@bs}" : @command_args
+      @log.info "Encrypting #{@luks_name} > #{@disk}...\n"
+      cmd_crypt 'cryptsetup', 'luksFormat', args, "/dev/#{@disk}"
+    end
+
+    def encrypt_with_key
+      make_key
+      args = @luks_type == 'luks2' ?
+        "#{@command_args} -q --sector-size #{@bs} -d #{@full_key_path}" :
+        "#{@command_args} -q -d #{@full_key_path}"
+      @log.info "Encrypting #{@luks_name} with #{@full_key_path}...\n"
+      cmd_crypt 'cryptsetup', 'luksFormat', args, "/dev/#{@disk}"
+    end
+
+    def open
+      return if File.exist? "/dev/mapper/#{@luks_name}"
+
+      @log.info "Opening #{@luks_name} > #{@disk}...\n"
+      cmd_crypt 'cryptsetup', 'open', @command_args, "/dev/#{@disk}", @luks_name
+      unless File.exist? "/dev/mapper/#{@luks_name}"
+        raise "No dev /dev/mapper/#{@luks_name}, open it first..."
+      end
+    end
+
+    def open_with_key(file = nil)
+      return if File.exist? "/dev/mapper/#{@luks_name}"
+
+      @full_key_path = "#{@mountpoint}#{@key_path}"
+      key = file ? file : @full_key_path
+      @log.info "Opening #{@luks_name} disk #{@disk} with #{key}...\n"
+      cmd_crypt 'cryptsetup', 'open', @command_args, '-d', key, "/dev/#{@disk}", @luks_name
+    end
+
+    def format
+      case @format
+      when 'ext4'
+        format_ext4
+      when 'xfs'
+        format_xfs
+      when 'fat'
+        format_fat
+      else
+        @log.fatal "#{@format} not yet supported."
+      end
+    end
+
+    def external_key
+      make_key
+      @log.info "Adding key for #{@luks_name}...\n"
+      cmd_crypt 'cryptsetup', 'luksAddKey', "/dev/#{@disk}", @full_key_path
+    end
+
+    def write_config
+      config
+      perm
+    end
+
+    def mount
+      mountpoint = @luks_name =~ /^root/ ? @mountpoint : "#{@mountpoint}#{@mount}"
+      NiTo.mount "/dev/mapper/#{@luks_name}", mountpoint
+    end
+
+    def close
+      return unless File.exist? "/dev/mapper/#{@luks_name}"
+
+      @log.info "Closing #{@luks_name}...\n"
+      cmd_crypt 'cryptsetup', 'close', @luks_name
+    end
+
+    def gen_datas
+    end
+
+    protected
+
+    def make_key
+      @key_path = "#{@key_dir}/#{@key_name}"
+      @full_key_path = "#{@mountpoint}#{@key_path}"
+      @log.info "Generating key...\n"
+      mkdir "#{@mountpoint}#{@key_dir}"
+      sh 'dd', 'bs=512', 'count=8', 'iflag=fullblock', 'if=/dev/urandom', "of=#{@full_key_path}"
+    end
+
+    # https://wiki.archlinux.org/title/Advanced_Format#File_systems
+    def format_ext4
+      @log.info "Formating disk with #{@format}...\n"
+      sh 'mkfs.ext4', '-F', '-b', @bs, "/dev/mapper/#{@luks_name}"
+    end
+
+    # https://wiki.archlinux.org/title/Advanced_Format#File_systems
+    def format_xfs
+      @log.info "Formating disk with #{@format}...\n"
+      sh 'mkfs.xfs', '-f', '-s', "size=#{@bs}", "/dev/mapper/#{@luks_name}"
+    end
+
+    def config
+      @key_path = "#{@key_dir}/#{@key_name}"
+      uuid = Getch::Helpers.uuid @disk
+      @log.info "Writing configs for #{@luks_name}...\n"
+
+      @log.info " * Writing #{@mountpoint}/etc/crypttab..."
+      line = "#{@luks_name} UUID=#{uuid} #{@key_path} luks"
+      echo_a "#{@mountpoint}/etc/crypttab", line
+      @log.result_ok
+
+      config_openrc
+      config_grub
+    end
+
+    # https://wiki.gentoo.org/wiki/Dm-crypt#Configuring_dm-crypt
+    def config_openrc
+      Getch::Helpers.openrc? || return
+
+      conf = "#{@mountpoint}/etc/conf.d/dmcrypt"
+      uuid = Getch::Helpers.uuid @disk
+      echo_a conf, "target=#{@luks_name}"
+      echo_a conf, "source=UUID=\"#{uuid}\""
+      echo_a conf, "key=#{@key_path}"
+    end
+
+    def config_grub
+      return unless @bootloader
+
+      if Getch::Helpers.grub?
+        @log.info ' * Writing to /etc/default/grub...'
+        line = 'GRUB_ENABLE_CRYPTODISK=y'
+        echo_a "#{@mountpoint}/etc/default/grub", line
+        @log.result_ok
+      end
+    end
+
+    def perm
+      @key_path = "#{@key_dir}/#{@key_name}"
+      @full_key_path = "#{@mountpoint}#{@key_path}"
+      @log.info "Enforcing permission on #{@full_key_path}..."
+      File.chmod 0400, "#{@mountpoint}#{@key_dir}"
+      File.chmod 0000, @full_key_path
+      File.chown 0, 0, @full_key_path
+      @log.result_ok
+    end
+
+    private
+
+    def get_bs
+      @disk || @log.fatal("No disk for #{@luks_name}.")
+
+      sh 'blockdev', '--getpbsz', "/dev/#{@disk}"
+    end
+
+    def cmd_crypt_raw(*args)
+      system args.join(' ')
+      return if $?.exitstatus == 0
+
+      @log.dbg args.join(' ')
+      @log.dbg $?
+      @log.fatal 'die'
+    end
+
+    def cmd_crypt(*args)
+      cmd_crypt_raw args
+    rescue => e
+      @log.fatal e
+    end
+
+    def sh(*args)
+      Getch::Command.new(args)
+    end
+  end
+
+  # Boot can decrypt the root (/)
+  class Boot < Main
+    def initialize(disk, options)
+      super
+      @luks_type = 'luks1'
+      @key_dir = '/boot'
+      @key_name = 'boot.key'
+      @bootloader = true
+      @mount = '/boot'
+      @luks = options[:luks_name]
+      @luks_name = "boot-#{@luks}"
+      @command_args = "--type #{@luks_type}"
+    end
+  end
+
+  # Root can decrypt the /home or other devs
+  class Root < Main
+    def initialize(disk, options)
+      super
+      @luks_type = 'luks2'
+      @key_dir = '/boot'
+      @key_name = 'root.key'
+      @luks = options[:luks_name]
+      @luks_name = "root-#{@luks}"
+      @mount = '/'
+      @command_args = "--type #{@luks_type}"
+      @bootloader = false
+    end
+  end
+
+  class Home < Main
+    def initialize(disk, options)
+      super
+      @luks_type = 'luks2'
+      @key_dir = '/root/keys'
+      @key_name = 'home.key'
+      @mount = '/home'
+      @command_args = "--type #{@luks_type}"
+      @luks = options[:luks_name]
+      @luks_name = "home-#{@luks}"
+      @bootloader = false
+    end
+  end
+end

data/lib/lvm2.rb

@@ -0,0 +1,112 @@
+# frozen_string_literal: true
+
+require 'getch/command'
+
+module Lvm2
+  class Root
+    def initialize(devs, options)
+      @cache = options[:cache_disk] ||= nil
+      @root = devs[:root] ||= nil
+      @home = options[:home_disk] ||= nil
+      @vg = options[:vg_name] ||= 'vg1'
+    end
+
+    def x
+      load_datas
+      pv_create
+      vg_create
+      lv_setup
+      enable_lvs
+    end
+
+    protected
+
+    def load_datas
+      @path_root = "/dev/#{@root}"
+      @path_cache = "/dev/#{@cache}"
+      @path_home = "/dev/#{@home}"
+    end
+
+    def pv_create
+      devs = [ @path_root ]
+      @cache && devs << @path_cache
+      @home && devs << @path_home
+      devs.each { |d| d && add_pv(d) }
+    end
+
+    def vg_create
+      devs = [ @path_root ]
+      @cache && devs << @path_cache
+      @home && devs << @path_home
+      add_vg devs
+    end
+
+    def lv_setup
+      @cache ? add_swap(@path_cache) : add_swap
+      add_lv_root
+      @home ? add_home(@path_home) : add_home
+    end
+
+    def enable_lvs
+      lvchange_y 'home'
+      lvchange_y 'swap'
+      lvchange_y 'root'
+    end
+
+    private
+
+    def add_pv(dev)
+      File.exist? dev || @log.fatal("add_pv - no #{dev} exist.")
+
+      Getch::Command.new('pvcreate', '-f', dev)
+    end
+
+    def add_vg(*devs)
+      Getch::Command.new('vgcreate', '-f', @vg, devs.join(' '))
+    end
+
+    def add_swap(dev = nil)
+      mem = Getch::Helpers.get_memory
+      lvcreate('-L', mem, '-n', 'swap', @vg, dev)
+    end
+
+    # if home is available, we use the whole space.
+    def add_lv_root
+      @home ?
+        @root.match?(/[0-9]/) ? add_root : add_root(nil, @path_root) :
+        @root.match?(/[0-9]/) ? add_root('16G') : add_root('16G', @path_root)
+    end
+
+    def add_root(size = nil, dev = nil)
+      arg_size = size ? "-L #{size}" : '-l 100%FREE'
+      lvcreate(arg_size, '-n', 'root', @vg, dev)
+    end
+
+    def add_home(dev = nil)
+      lvcreate('-l', '100%FREE', '-n', 'home', @vg, dev)
+    end
+
+    def lvcreate(*args)
+      Getch::Command.new('lvcreate', '-y', '-Wy', '-Zy', args)
+    end
+
+    def lvchange_y(name)
+      return if File.exist? "/dev/#{@vg}/#{name}"
+
+      Getch::Command.new('lvchange', '-ay', "/dev/#{@vg}/#{name}")
+    end
+  end
+
+  class Hybrid < Root
+    def initialize(devs, options)
+      super
+      @luks = options[:luks_name]
+    end
+
+    def load_datas
+      @path_root = "/dev/mapper/root-#{@luks}"
+      @path_cache = "/dev/mapper/cache-#{@luks}"
+      @path_home = "/dev/mapper/home-#{@luks}"
+    end
+  end
+end

data/lib/mkfs/zfs.rb

@@ -0,0 +1,167 @@
+require 'getch/log'
+
+module Mkfs
+  class Zfs < Root
+    def initialize(devs, options)
+      @mountpoint = options[:mountpoint]
+      @zfs = options[:zfs_name] ||= 'pool'
+      @os = options[:os]
+      @encrypt = options[:encrypt]
+      @zlog = devs[:zlog] ||= nil
+      @zcache = devs[:zcache] ||= nil
+      @rpool = "r#{@zfs}"
+      @bpool = "b#{@zfs}"
+      @hpool = "h#{@zfs}"
+      @log = Getch::Log.new
+      super
+    end
+
+    # reorder process, root should be formatted first
+    def x
+      format_efi
+      format_root
+      format_boot
+      format_swap
+      format_home
+      add_dataset
+    end
+
+    # https://openzfs.github.io/openzfs-docs/Getting%20Started/Ubuntu/Ubuntu%2020.04%20Root%20on%20ZFS.html#id13
+    def format_boot
+      @boot || return
+
+      id = Getch::Helpers.get_id(@boot)
+      ashift = get_ashift @boot
+      args = "-f -o ashift=#{ashift} -o autotrim=on"
+      args << ' -o feature@async_destroy=enabled'
+      args << ' -o feature@bookmarks=enabled'
+      args << ' -o feature@embedded_data=enabled'
+      args << ' -o feature@empty_bpobj=enabled'
+      args << ' -o feature@enabled_txg=enabled'
+      args << ' -o feature@extensible_dataset=enabled'
+      args << ' -o feature@filesystem_limits=enabled'
+      args << ' -o feature@hole_birth=enabled'
+      args << ' -o feature@large_blocks=enabled'
+      args << ' -o feature@lz4_compress=enabled'
+      args << ' -o feature@spacemap_histogram=enabled'
+      args << ' -O acltype=posixacl -O canmount=off -O compression=lz4'
+      args << ' -O devices=off -O normalization=formD -O atime=off -O xattr=sa'
+      args << ' -O mountpoint=/boot'
+      args << " -R #{@mountpoint} #{@bpool} #{id}"
+      sh 'zpool', 'create', args
+    end
+
+    def format_swap
+      mk_swap "/dev/#{@swap}"
+      add_zlog
+      add_zcache
+    end
+
+    def add_zlog
+      @zlog || return
+
+      id = Getch::Helpers.get_id(@zlog)
+      sh 'zpool', 'add', @rpool, 'log', id
+    end
+
+    def add_zcache
+      @zcache || return
+
+      id = Getch::Helpers.get_id(@zcache)
+      sh 'zpool', 'add', @rpool, 'cache', id
+    end
+
+    def format_root
+      id = Getch::Helpers.get_id(@root)
+      ashift = get_ashift @root
+      args = "-f -o ashift=#{ashift} -o autotrim=on"
+      @encrypt && args << ' -O encryption=aes-256-gcm'
+      @encrypt && args << ' -O keylocation=prompt -O keyformat=passphrase'
+      args << ' -O acltype=posixacl -O canmount=off -O compression=lz4'
+      args << ' -O xattr=sa -O mountpoint=/'
+      args << " -R #{@mountpoint} #{@rpool} #{id}"
+      sh 'zpool', 'create', args
+    end
+
+    def format_home
+      @home || return
+
+      id = Getch::Helpers.get_id(@home)
+      ashift = get_ashift @home
+      args = "-f -o ashift=#{ashift} -o autotrim=on"
+      @encrypt && args << ' -O encryption=aes-256-gcm'
+      @encrypt && args << ' -O keylocation=prompt -O keyformat=passphrase'
+      args << ' -O acltype=posixacl -O canmount=off -O compression=lz4'
+      args << ' -O xattr=sa -O mountpoint=/home'
+      args << " -R #{@mountpoint} #{@hpool} #{id}"
+      sh 'zpool', 'create', args
+    end
+
+    def add_dataset
+      zfs_create "-o canmount=off -o mountpoint=none #{@rpool}/ROOT"
+      zfs_create "-o canmount=noauto -o mountpoint=/ #{@rpool}/ROOT/#{@os}"
+      Getch::Command.new("zfs mount #{@rpool}/ROOT/#{@os}")
+
+      zfs_create "-o canmount=off #{@rpool}/ROOT/#{@os}/usr"
+      zfs_create "#{@rpool}/ROOT/#{@os}/usr/src"
+
+      zfs_create "-o canmount=off #{@rpool}/ROOT/#{@os}/var"
+      zfs_create "#{@rpool}/ROOT/#{@os}/var/log"
+      zfs_create "#{@rpool}/ROOT/#{@os}/var/db"
+      zfs_create "#{@rpool}/ROOT/#{@os}/var/tmp"
+      zfs_create "#{@rpool}/ROOT/#{@os}/var/lib"
+      zfs_create "#{@rpool}/ROOT/#{@os}/var/lib/docker"
+
+      boot_dataset
+      user_dataset
+    end
+
+    def boot_dataset
+      @boot || return
+
+      zfs_create "-o canmount=off -o mountpoint=none #{@bpool}/BOOT"
+      zfs_create "-o canmount=noauto -o mountpoint=/boot #{@bpool}/BOOT/#{@os}"
+    end
+
+    def user_dataset
+      if @home
+        zfs_create "-o canmount=off -o mountpoint=/ #{@hpool}/USERDATA"
+        zfs_create "-o canmount=on -o mountpoint=/root #{@hpool}/USERDATA/root"
+        zfs_create "-o canmount=on -o mountpoint=/home #{@hpool}/USERDATA/home"
+      else
+        zfs_create "-o canmount=off -o mountpoint=/ #{@rpool}/USERDATA"
+        zfs_create "-o canmount=on -o mountpoint=/root #{@rpool}/USERDATA/root"
+        zfs_create "-o canmount=on -o mountpoint=/home #{@rpool}/USERDATA/home"
+      end
+    end
+
+    private
+
+    def get_ashift(dev)
+      bs = Getch::Helpers.get_bs("/dev/#{dev}")
+      case bs
+      when /8096/ then 13
+      when /4096/ then 12
+      else 9
+      end
+    end
+
+    def zfs_create(*args)
+      Getch::Command.new('zfs', 'create', args)
+    end
+
+    def sh(*args)
+      @encrypt ?
+        cmd_crypt(args) :
+        Getch::Command.new(args)
+    end
+
+    def cmd_crypt(*args)
+      system args.join(' ')
+      return if $?.exitstatus == 0
+
+      @log.dbg $?
+      @log.fatal 'die'
+    end
+  end
+end

data/lib/mkfs.rb

@@ -0,0 +1,144 @@
+# frozen_string_literal: true
+
+require 'getch/command'
+require 'getch/helpers'
+
+module Mkfs
+  class Root
+    def initialize(devs, options)
+      @efi = devs[:efi] ||= nil
+      @boot = devs[:boot] ||= nil
+      @swap = devs[:swap] ||= nil
+      @root = devs[:root] ||= nil
+      @home = devs[:home] ||= nil
+      @fs = options[:fs]
+      x
+    end
+
+    protected
+
+    def x
+      format_efi
+      format_boot
+      format_swap
+      format_root
+      format_home
+    end
+
+    def format_efi
+      @efi || return
+
+      mkfs_vfat "/dev/#{@efi}"
+    end
+
+    def format_boot
+      @boot || return
+
+      mkfs "/dev/#{@boot}"
+    end
+
+    def format_swap
+      @swap || return
+
+      mk_swap "/dev/#{@swap}"
+    end
+
+    def format_root
+      @root || return
+
+      mkfs "/dev/#{@root}"
+    end
+
+    def format_home
+      @home || return
+
+      mkfs "/dev/#{@home}"
+    end
+
+    private
+
+    def mkfs(path)
+      case @fs
+      when 'ext4' then mkfs_ext4 path
+      when 'xfs' then mkfs_xfs path
+      end
+    end
+
+    def mkfs_vfat(path)
+      Getch::Command.new('mkfs.fat', '-F32', path)
+    end
+
+    def mk_swap(path)
+      Getch::Command.new('mkswap', '-f', path)
+    end
+
+    def mkfs_ext4(path)
+      bs = Getch::Helpers.get_bs(path)
+      if bs == '512'
+        Getch::Command.new('mkfs.ext4', '-F', path)
+      else
+        Getch::Command.new('mkfs.ext4', '-F', '-b', bs, path)
+      end
+    end
+
+    def mkfs_xfs(path)
+      bs = Getch::Helpers.get_bs(path)
+      Getch::Command.new('mkfs.xfs', '-f', '-s', "size=#{bs}", path)
+    end
+  end
+
+  class Lvm < Root
+    def initialize(devs, options)
+      @vg = options[:vg_name]
+      super
+    end
+
+    def format_swap
+      mk_swap "/dev/#{@vg}/swap"
+    end
+
+    def format_root
+      mkfs "/dev/#{@vg}/root"
+    end
+
+    def format_home
+      mkfs "/dev/#{@vg}/home"
+    end
+  end
+
+  class Encrypt < Root
+    def initialize(devs, options)
+      @luks = options[:luks_name]
+      super
+    end
+
+    # Boot is alrealy formatted
+    def format_boot
+    end
+
+    # Swap will be encrypted after the reboot
+    def format_swap
+    end
+
+    def format_root
+      File.exist? "/dev/mapper/root-#{@luks}" || abort("No root-#{@luks} found")
+
+      mkfs "/dev/mapper/root-#{@luks}"
+    end
+
+    def format_home
+      @home || return
+
+      mkfs "/dev/mapper/home-#{@luks}"
+    end
+  end
+
+  class Hybrid < Lvm
+
+    # Boot is alrealy formatted
+    def format_boot
+    end
+  end
+end
+
+require_relative 'mkfs/zfs'