penguins-eggs 25.10.28 → 25.10.30

package/dist/classes/ovary.d/luks-helpers.d.ts

@@ -0,0 +1,19 @@
+/**
+ * ./src/classes/ovary.d/luks-helpers.ts
+ * penguins-eggs v.25.10.x / ecmascript 2020
+ * author: Piero Proietti
+ * email: piero.proietti@gmail.com
+ * license: MIT
+ */
+import Ovary from '../ovary.js';
+import { type CryptoConfig } from './luks-interactive-crypto-config.js';
+/**
+ * Funzione helper per eseguire comandi esterni in modo asincrono,
+ * gestendo lo standard input per passare le password.
+ * Restituisce una Promise che si risolve al successo o si rigetta in caso di errore.
+ */
+export declare function luksExecuteCommand(this: Ovary, command: string, args: string[], stdinData?: string): Promise<void>;
+/**
+ * buildLuksFormatArgs
+ */
+export declare function buildLuksFormatArgs(this: Ovary, config: CryptoConfig, luksFile: string): string[];

package/dist/classes/ovary.d/luks-helpers.js

@@ -0,0 +1,73 @@
+/**
+ * ./src/classes/ovary.d/luks-helpers.ts
+ * penguins-eggs v.25.10.x / ecmascript 2020
+ * author: Piero Proietti
+ * email: piero.proietti@gmail.com
+ * license: MIT
+ */
+import { spawn } from 'node:child_process';
+import Utils from '../utils.js';
+const noop = () => { };
+/**
+ * Funzione helper per eseguire comandi esterni in modo asincrono,
+ * gestendo lo standard input per passare le password.
+ * Restituisce una Promise che si risolve al successo o si rigetta in caso di errore.
+ */
+export function luksExecuteCommand(command, args, stdinData) {
+    if (!this.hidden) {
+        Utils.info(`${command} ${args.join(' ')}`);
+    }
+    return new Promise((resolve, reject) => {
+        // Se passiamo dati a stdin, dobbiamo usare 'pipe'. Altrimenti, 'inherit'.
+        const stdioConfig = stdinData ? ['pipe', 'inherit', 'inherit'] : 'inherit';
+        const process = spawn(command, args, { stdio: stdioConfig });
+        // Se fornito, scriviamo i dati (es. la password) nello stdin del processo.
+        if (stdinData && process.stdin) {
+            process.stdin.write(stdinData);
+            process.stdin.end();
+        }
+        process.on('error', (err) => {
+            reject(new Error(`Error starting command "${command}": ${err.message}`));
+        });
+        process.on('close', (code) => {
+            if (code === 0) {
+                resolve(); // Success
+            }
+            else {
+                reject(new Error(`Command "${command} ${args.join(' ')}" ended with error code ${code}`));
+            }
+        });
+    });
+}
+/**
+ * buildLuksFormatArgs
+ */
+export function buildLuksFormatArgs(config, luksFile) {
+    const args = [
+        '--batch-mode', // Per saltare la conferma "YES"
+        'luksFormat',
+        '--type', 'luks2',
+        // Parametri base
+        '--cipher', config.cipher,
+        '--key-size', config['key-size'].toString(),
+        '--hash', config.hash,
+        '--sector-size', config['sector-size'].toString(),
+        '--pbkdf', config.pbkdf,
+    ];
+    // Aggiungi i parametri condizionali del PBKDF
+    switch (config.pbkdf) {
+        case 'argon2id':
+        case 'argon2i':
+            const argonConfig = config;
+            args.push('--pbkdf-memory', argonConfig['pbkdf-memory (KiB)'].toString());
+            args.push('--pbkdf-parallel', argonConfig['pbkdf-parallel (threads)'].toString());
+            break;
+        case 'pbkdf2':
+            const pbkdf2Config = config;
+            args.push('--iter-time', pbkdf2Config['iter-time (ms)'].toString());
+            break;
+    }
+    // Aggiungi il file di destinazione
+    args.push(luksFile);
+    return args;
+}

package/dist/classes/ovary.d/luks-home-support.d.ts

@@ -0,0 +1,12 @@
+/**
+ * ./src/classes/ovary.d/luks-home-support.ts
+ * penguins-eggs v.25.10.x / ecmascript 2020
+ * author: Piero Proietti
+ * email: piero.proietti@gmail.com
+ * license: MIT
+ */
+import Ovary from '../ovary.js';
+/**
+ * Installa i file necessari per sbloccare home.img LUKS durante il boot
+ */
+export declare function installHomecryptSupport(this: Ovary, squashfsRoot: string, homeImgPath: string): void;

package/dist/classes/ovary.d/luks-home-support.js

@@ -0,0 +1,70 @@
+/**
+ * ./src/classes/ovary.d/luks-home-support.ts
+ * penguins-eggs v.25.10.x / ecmascript 2020
+ * author: Piero Proietti
+ * email: piero.proietti@gmail.com
+ * license: MIT
+ */
+// packages
+import fs from 'fs';
+import path from 'path';
+import { fileURLToPath } from 'url';
+import { dirname } from 'path';
+import Utils from '../utils.js';
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+/**
+ * Installa i file necessari per sbloccare home.img LUKS durante il boot
+ */
+export function installHomecryptSupport(squashfsRoot, homeImgPath) {
+    Utils.warning('installing encrypted home support...');
+    // console.log("squashfsRoot:", squashfsRoot)
+    // console.log("homeImgPath:", homeImgPath)
+    // Leggi il template bash
+    const templatePath = path.join(__dirname, '../../../scripts/mount-encrypted-home.sh');
+    let bashScript = fs.readFileSync(templatePath, 'utf8');
+    // Sostituisci il placeholder con il path reale
+    bashScript = bashScript.replace('__HOME_IMG_PATH__', homeImgPath);
+    // Systemd service
+    const systemdService = `[Unit]
+Description=Unlock and mount encrypted home.img
+DefaultDependencies=no
+After=systemd-udev-settle.service local-fs-pre.target
+Before=local-fs.target display-manager.service
+ConditionPathExists=${homeImgPath}
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+StandardInput=tty
+StandardOutput=journal+console
+StandardError=journal+console
+TTYPath=/dev/console
+TTYReset=yes
+TTYVHangup=yes
+ExecStart=/usr/local/bin/mount-encrypted-home.sh
+ExecStop=/bin/bash -c 'umount /home && cryptsetup close live-home'
+
+[Install]
+WantedBy=local-fs.target
+`;
+    // Percorsi di destinazione
+    const scriptPath = path.join(squashfsRoot, 'usr/local/bin/mount-encrypted-home.sh');
+    const servicePath = path.join(squashfsRoot, 'etc/systemd/system/mount-encrypted-home.service');
+    const symlinkDir = path.join(squashfsRoot, 'etc/systemd/system/local-fs.target.wants');
+    const symlinkPath = path.join(symlinkDir, 'mount-encrypted-home.service');
+    // Create dirs
+    fs.mkdirSync(path.dirname(scriptPath), { recursive: true });
+    fs.mkdirSync(path.dirname(servicePath), { recursive: true });
+    fs.mkdirSync(symlinkDir, { recursive: true });
+    // Scrivi lo script
+    fs.writeFileSync(scriptPath, bashScript);
+    fs.chmodSync(scriptPath, 0o755);
+    // Scrivi il service
+    fs.writeFileSync(servicePath, systemdService);
+    // Crea il symlink per abilitare il service
+    if (fs.existsSync(symlinkPath)) {
+        fs.unlinkSync(symlinkPath);
+    }
+    fs.symlinkSync('../mount-encrypted-home.service', symlinkPath);
+}

package/dist/classes/ovary.d/luks-home.d.ts

@@ -0,0 +1,15 @@
+/**
+ * ./src/classes/ovary.d/luks-home.ts
+ * penguins-eggs v.25.10.x / ecmascript 2020
+ * author: Piero Proietti
+ * email: piero.proietti@gmail.com
+ * license: MIT
+ */
+import Ovary from '../ovary.js';
+/**
+ * luksHome()
+ *
+ * create a container LUKS with the entire
+ * filesystem.squashfs
+ */
+export declare function luksHome(this: Ovary, clone?: boolean, homecrypt?: boolean): Promise<void>;

package/dist/classes/ovary.d/luks-home.js

@@ -0,0 +1,132 @@
+/**
+ * ./src/classes/ovary.d/luks-home.ts
+ * penguins-eggs v.25.10.x / ecmascript 2020
+ * author: Piero Proietti
+ * email: piero.proietti@gmail.com
+ * license: MIT
+ */
+// packages
+import fs from 'fs';
+import Utils from '../utils.js';
+import { exec } from '../../lib/utils.js';
+const noop = () => { };
+/**
+ * luksHome()
+ *
+ * create a container LUKS with the entire
+ * filesystem.squashfs
+ */
+export async function luksHome(clone = false, homecrypt = false) {
+    const loggers = {
+        log: this.hidden ? noop : console.log,
+        warning: this.hidden ? noop : Utils.warning,
+        success: this.hidden ? noop : Utils.success,
+        info: this.hidden ? noop : Utils.info,
+    };
+    const { log, warning, success, info } = loggers;
+    try {
+        /**
+         * this.luksMappedName = 'home.img';
+         * this.luksFile = `/tmp/${luksMappedName}`
+         * this.luksDevice = `/dev/mapper/${luksMappedName}`
+         * this.luksMountpoint = `/tmp/mnt/${luksMappedName}`
+         * this.luksPassword = '0'
+         */
+        if (this.hidden) {
+            Utils.warning("intentionally blank. System is working, please wait");
+        }
+        log();
+        log('====================================');
+        log(` Creating ${this.luksMappedName}`);
+        log('====================================');
+        // Utils.warning('1. Calculation of space requirements...')
+        let sizeString = (await exec('du -sb --exclude=/home/eggs /home', { capture: true })).data.trim().split(/\s+/)[0];
+        let size = Number.parseInt(sizeString, 10);
+        const luksSize = Math.ceil(size * 2);
+        /**
+         * E' più precisa ma equivalente grazie
+         * al truncate
+         */
+        // const fsOverhead = Math.max(size * 0.1, 100 * 1024 * 1024)
+        // const luksSize = size * 1.25 + fsOverhead // +25% 
+        warning(`homes size: ${bytesToGB(size)}`);
+        warning(`partition LUKS ${this.luksFile} size: ${bytesToGB(luksSize)}`);
+        warning(`creating partition LUKS: ${this.luksFile}`);
+        await this.luksExecuteCommand('truncate', ['--size', `${luksSize}`, this.luksFile]);
+        warning(`formatting ${this.luksFile} as a LUKS volume...`);
+        //await this.luksExecuteCommand('cryptsetup', ['--batch-mode', 'luksFormat', this.luksFile], `${this.luksPassword}\n`);
+        const luksFormatArgs = this.buildLuksFormatArgs(this.luksConfig, this.luksFile);
+        await this.luksExecuteCommand('cryptsetup', luksFormatArgs, `${this.luksPassword}\n`);
+        warning(`opening the LUKS volume. It will be mapped to ${this.luksDevice}`);
+        await this.luksExecuteCommand('cryptsetup', ['luksOpen', this.luksFile, this.luksMappedName], `${this.luksPassword}\n`);
+        warning(`formatting c ext4 `);
+        await exec(`mkfs.ext4 -L live-home ${this.luksDevice}`, this.echo);
+        warning(`mounting ${this.luksDevice} on ${this.luksMountpoint}`);
+        if (fs.existsSync(this.luksMountpoint)) {
+            if (!Utils.isMountpoint(this.luksMountpoint)) {
+                await exec(`rm -rf ${this.luksMountpoint}`, this.echo);
+            }
+            else {
+                throw new Error(`${this.luksMountpoint} is already mounted, process will abort!`);
+            }
+        }
+        await exec(`mkdir -p ${this.luksMountpoint}`, this.echo);
+        await exec(`mount /dev/mapper/${this.luksMappedName} ${this.luksMountpoint}`, this.echo);
+        warning(`copying /home on  ${this.luksMountpoint}`);
+        await exec(`rsync -ah --exclude='eggs' /home/ ${this.luksMountpoint}`, this.echo);
+        warning(`saving user accounts info...`);
+        // Crea directory per backup system files
+        await exec(`mkdir -p ${this.luksMountpoint}/.system-backup`, this.echo);
+        // Filtra solo utenti con UID >= 1000
+        await exec(`awk -F: '$3 >= 1000 {print}' /etc/passwd > ${this.luksMountpoint}/.system-backup/passwd`, this.echo);
+        await exec(`awk -F: '$3 >= 1000 {print}' /etc/shadow > ${this.luksMountpoint}/.system-backup/shadow`, this.echo);
+        // Per i gruppi: salva TUTTI (non filtrare per GID)
+        // Gli utenti possono appartenere a gruppi di sistema (sudo, audio, video, etc.)
+        await exec(`cp /etc/group ${this.luksMountpoint}/.system-backup/group`, this.echo);
+        await exec(`cp /etc/gshadow ${this.luksMountpoint}/.system-backup/gshadow`, this.echo);
+        // saving display manager (autologin) configs...
+        warning(`saving display manager configuration...`);
+        // GDM (gdm3 è comune su Debian/Ubuntu)
+        await exec(`[ -e /etc/gdm3 ] && cp -a /etc/gdm3 ${this.luksMountpoint}/.system-backup/`, this.echo);
+        // GDM (altre distro)
+        await exec(`[ -e /etc/gdm ] && cp -a /etc/gdm ${this.luksMountpoint}/.system-backup/`, this.echo);
+        // LightDM
+        await exec(`[ -e /etc/lightdm ] && cp -a /etc/lightdm ${this.luksMountpoint}/.system-backup/`, this.echo);
+        // SDDM (sia file .conf che directory .conf.d)
+        await exec(`[ -e /etc/sddm.conf ] && cp -a /etc/sddm.conf ${this.luksMountpoint}/.system-backup/`, this.echo);
+        await exec(`[ -e /etc/sddm.conf.d ] && cp -a /etc/sddm.conf.d ${this.luksMountpoint}/.system-backup/`, this.echo);
+        warning(`unmount ${this.luksDevice}`);
+        await exec(`umount ${this.luksMountpoint}`, this.echo);
+        warning(`closing LUKS volume ${this.luksMappedName}.`);
+        await this.luksExecuteCommand('cryptsetup', ['close', this.luksMappedName]);
+        warning(`moving ${this.luksMappedName}  to (ISO)/live/.`);
+        await exec(`mv ${this.luksFile} ${this.settings.iso_work}/live`, this.echo);
+        warning('encryption process successfully completed!');
+    }
+    catch (error) {
+        if (error instanceof Error) {
+            Utils.error(`ERROR: ${error.message}`);
+        }
+        else {
+            Utils.error(`An unknown error has occurred.`);
+        }
+        Utils.warning('Cleaning performed following the error...');
+        if (fs.existsSync(this.luksMountpoint)) {
+            await exec(`umount -lf ${this.luksMountpoint}`).catch(() => { });
+        }
+        if (fs.existsSync(this.luksDevice)) {
+            await this.luksExecuteCommand('cryptsetup', ['close', this.luksMappedName]).catch(() => { });
+        }
+        await Utils.pressKeyToExit();
+        process.exit(1);
+    }
+}
+/**
+ * Converte bytes in gigabytes per la visualizzazione.
+ */
+function bytesToGB(bytes) {
+    if (bytes === 0)
+        return '0.00 GB';
+    const gigabytes = bytes / (1024 * 1024 * 1024);
+    return gigabytes.toFixed(2) + ' GB';
+}

package/dist/classes/ovary.d/luks-interactive-crypto-config.d.ts

@@ -0,0 +1,47 @@
+/**
+ * ./src/classe/ovary.d/luks-interactive-crypto-config.ts
+ * penguins-eggs v.25.10.x / ecmascript 2020
+ * author: Piero Proietti
+ * email: piero.proietti@gmail.com
+ * license: MIT
+ */
+import Ovary from '../ovary.js';
+declare const CIPHER_OPTIONS: readonly ["aes-xts-plain64", "serpent-xts-plain64", "twofish-xts-plain64"];
+declare const KEY_SIZE_OPTIONS: readonly [512, 256];
+declare const HASH_OPTIONS: readonly ["sha512", "sha256"];
+declare const SECTOR_SIZE_OPTIONS: readonly [4096, 512];
+declare const ARGON_MEMORY_OPTIONS: readonly [524288, 1048576, 2097152];
+declare const ARGON_PARALLEL_OPTIONS: readonly [1, 2, 4, 8];
+declare const PBKDF2_ITER_TIME_OPTIONS: readonly [2000, 5000, 10000];
+type Cipher = typeof CIPHER_OPTIONS[number];
+type KeySize = typeof KEY_SIZE_OPTIONS[number];
+type Hash = typeof HASH_OPTIONS[number];
+type SectorSize = typeof SECTOR_SIZE_OPTIONS[number];
+type ArgonPbkdf = "argon2id" | "argon2i";
+type Pbkdf2Pbkdf = "pbkdf2";
+type ArgonMemory = typeof ARGON_MEMORY_OPTIONS[number];
+type ArgonParallel = typeof ARGON_PARALLEL_OPTIONS[number];
+type Pbkdf2IterTime = typeof PBKDF2_ITER_TIME_OPTIONS[number];
+export interface BaseCryptoConfig {
+    cipher: Cipher;
+    'key-size': KeySize;
+    hash: Hash;
+    'sector-size': SectorSize;
+    pbkdf: ArgonPbkdf | Pbkdf2Pbkdf;
+}
+export interface ArgonCryptoConfig extends BaseCryptoConfig {
+    pbkdf: ArgonPbkdf;
+    'pbkdf-memory (KiB)': ArgonMemory;
+    'pbkdf-parallel (threads)': ArgonParallel;
+}
+export interface Pbkdf2CryptoConfig extends BaseCryptoConfig {
+    pbkdf: Pbkdf2Pbkdf;
+    'iter-time (ms)': Pbkdf2IterTime;
+}
+export type CryptoConfig = ArgonCryptoConfig | Pbkdf2CryptoConfig;
+/**
+ * Runs the interactive prompt to configure LUKS encryption settings.
+ * @returns A Promise that resolves to the CryptoConfig object.
+ */
+export declare function interactiveCryptoConfig(this: Ovary): Promise<CryptoConfig>;
+export {};

package/dist/classes/ovary.d/luks-interactive-crypto-config.js

@@ -0,0 +1,139 @@
+/**
+ * ./src/classe/ovary.d/luks-interactive-crypto-config.ts
+ * penguins-eggs v.25.10.x / ecmascript 2020
+ * author: Piero Proietti
+ * email: piero.proietti@gmail.com
+ * license: MIT
+ */
+import Utils from '../utils.js';
+// --- 1. CONSTANT VALUES ---
+const CIPHER_OPTIONS = [
+    "aes-xts-plain64",
+    "serpent-xts-plain64",
+    "twofish-xts-plain64",
+];
+const KEY_SIZE_OPTIONS = [512, 256];
+const HASH_OPTIONS = ["sha512", "sha256"];
+const SECTOR_SIZE_OPTIONS = [4096, 512];
+const ARGON_MEMORY_OPTIONS = [524288, 1048576, 2097152];
+const ARGON_PARALLEL_OPTIONS = [1, 2, 4, 8];
+const PBKDF2_ITER_TIME_OPTIONS = [2000, 5000, 10000];
+// --- 4. INTERACTIVE QUESTIONS (Internal) ---
+// This array is not exported.
+const questions = [
+    {
+        type: 'list',
+        name: 'cipher',
+        message: 'Choose the cipher algorithm:',
+        choices: CIPHER_OPTIONS,
+        default: 'aes-xts-plain64',
+    },
+    {
+        type: 'list',
+        name: 'key-size',
+        message: 'Choose the key size:',
+        choices: KEY_SIZE_OPTIONS.map(size => ({
+            name: `${size} bits ${size === 512 ? '(Standard for AES-256/XTS)' : '(Standard for AES-128/XTS)'}`,
+            value: size,
+        })),
+        default: 512,
+    },
+    {
+        type: 'list',
+        name: 'hash',
+        message: 'Choose the hash algorithm:',
+        choices: HASH_OPTIONS,
+        default: 'sha256',
+    },
+    {
+        type: 'list',
+        name: 'sector-size',
+        message: 'Choose the sector size:',
+        choices: SECTOR_SIZE_OPTIONS.map(size => ({
+            name: `${size} bytes ${size === 4096 ? '(Modern SSDs/NVMe)' : '(Legacy default/Loop devices'}`,
+            value: size,
+        })),
+        default: 512,
+    },
+    {
+        type: 'list',
+        name: 'pbkdf',
+        message: 'Choose the key derivation function (PBKDF):',
+        choices: [
+            { name: 'argon2id (Recommended, LUKS2 default)', value: 'argon2id' },
+            { name: 'argon2i', value: 'argon2i' },
+            { name: 'pbkdf2 (LUKS1 standard)', value: 'pbkdf2' },
+        ],
+        default: 'argon2id',
+    },
+    {
+        type: 'list',
+        name: 'pbkdf-memory (KiB)',
+        message: 'Choose the memory cost for Argon2 (KiB):',
+        choices: ARGON_MEMORY_OPTIONS.map(mem => ({
+            name: `${mem / 1024 / 1024} GiB (${mem} KiB)`,
+            value: mem,
+        })),
+        default: 524288,
+        when: (answers) => answers.pbkdf === 'argon2id' || answers.pbkdf === 'argon2i',
+    },
+    {
+        type: 'list',
+        name: 'pbkdf-parallel (threads)',
+        message: 'Choose parallel threads for Argon2:',
+        choices: ARGON_PARALLEL_OPTIONS.map(threads => ({
+            name: `${threads} threads`,
+            value: threads,
+        })),
+        default: 4,
+        when: (answers) => answers.pbkdf === 'argon2id' || answers.pbkdf === 'argon2i',
+    },
+    {
+        type: 'list',
+        name: 'iter-time (ms)',
+        message: 'Choose the iteration time for PBKDF2 (ms):',
+        choices: PBKDF2_ITER_TIME_OPTIONS.map(time => ({
+            name: `${time / 1000} seconds (${time} ms)`,
+            value: time,
+        })),
+        default: 2000,
+        when: (answers) => answers.pbkdf === 'pbkdf2',
+    },
+];
+// --- 5. EXPORTED MAIN FUNCTION ---
+/**
+ * Runs the interactive prompt to configure LUKS encryption settings.
+ * @returns A Promise that resolves to the CryptoConfig object.
+ */
+export async function interactiveCryptoConfig() {
+    // Default luksConfig
+    const defaultLuksConfig = {
+        'cipher': 'aes-xts-plain64',
+        'key-size': 512,
+        'hash': 'sha256',
+        'sector-size': 512,
+        'pbkdf': 'argon2id',
+        'pbkdf-memory (KiB)': 524288,
+        'pbkdf-parallel (threads)': 4
+    };
+    const inquirer = (await import('inquirer')).default;
+    // Chiedi se usare la configurazione LUKS di default
+    const useDefault = await inquirer.prompt([{
+            type: 'confirm',
+            name: 'useDefault',
+            message: `Use default LUKS configuration`,
+            default: true
+        }]);
+    if (useDefault.useDefault) {
+        Utils.warning(`Using default LUKS configuration`);
+        return defaultLuksConfig;
+    }
+    const answers = await inquirer.prompt(questions);
+    // Use the double-cast fix to satisfy TypeScript
+    const finalConfig = answers;
+    if (finalConfig['sector-size'] === 4096) {
+        Utils.warning(`in a loop device - regardless of the hardware - the sector_size will be set to 512`);
+        finalConfig['sector-size'] = 512;
+    }
+    return finalConfig;
+}

package/dist/classes/ovary.d/luks-root-initrd.d.ts

@@ -0,0 +1,17 @@
+/**
+ * ./src/classes/ovary.d/luks-root-initrd.ts
+ * penguins-eggs v.25.10.x / ecmascript 2020
+ * author: Piero Proietti
+ * email: piero.proietti@gmail.com
+ * license: MIT
+ */
+import Ovary from '../ovary.js';
+/**
+ * Creates a streamlined initrd image for Debian/Ubuntu with LUKS support using mkinitramfs within a temporary chroot.
+ * Copies the necessary unlock script, ensures losetup is included via a hook, and wraps /scripts/live for debugging.
+ * Assumes live-boot and cryptsetup packages are installed in the chroot.
+ * No cleanup of /etc modifications is performed as the chroot is temporary.
+ * @param this - Ovary instance context
+ * @param verbose - Whether to show verbose output
+ */
+export declare function luksRootInitrd(this: Ovary, verbose?: boolean): Promise<void>;