penguins-eggs 25.11.29 → 25.12.7

package/dist/classes/ovary.d/edit-live-fs.js

@@ -1,6 +1,6 @@
 /**
  * ./src/classes/ovary.d/edit-live-fs.ts
- * penguins-eggs v.25.11.x / ecmascript 2020
+ * penguins-eggs v.25.12.5 / ecmascript 2020
  * author: Piero Proietti
  * email: piero.proietti@gmail.com
  * license: MIT
@@ -9,76 +9,45 @@
 import fs from 'fs';
 import os from 'os';
 import path from 'node:path';
-import shx from 'shelljs';
+import { shx } from '../../lib/utils.js';
 import Utils from '../utils.js';
 import Pacman from '../pacman.js';
 import Systemctl from '../systemctl.js';
 import { exec } from '../../lib/utils.js';
 // _dirname
 const __dirname = path.dirname(new URL(import.meta.url).pathname);
-/**
- * editLiveFs
- * - Mark if is_clone or is_clone_crypted
- * - Truncate logs, remove archived log
- * - Allow all fixed drives to be mounted with pmount
- * - Enable or disable password login trhough ssh for users (not root)
- * - Create an empty /etc/fstab
- * - Blanck /etc/machine-id
- * - Add some basic files to /dev
- * - Clear configs from /etc/network/interfaces, wicd and NetworkManager and netman
- */
 export async function editLiveFs(clone = false) {
-    if (this.verbose) {
+    if (this.verbose)
         console.log('Ovary: editLiveFs');
-    }
     const workDir = this.settings.work_dir.merged;
-    /**
-     * /etc/penguins-eggs.d/is_clone file created on live
-     */
     if (clone) {
         await exec(`touch ${workDir}/etc/penguins-eggs.d/is_clone`, this.echo);
     }
-    /**
-     * /etc/default/epoptes-client created on live
-     */
     if (Pacman.packageIsInstalled('epoptes')) {
         const file = `${workDir}/etc/default/epoptes-client`;
         const text = `SERVER=${os.hostname}.local\n`;
         fs.writeFileSync(file, text);
     }
     if (this.familyId === 'debian') {
-        // Aggiungo UMASK=0077 in /etc/initramfs-tools/conf.d/calamares-safe-initramfs.conf
         const text = 'UMASK=0077\n';
         const file = '/etc/initramfs-tools/conf.d/eggs-safe-initramfs.conf';
         Utils.write(file, text);
     }
-    // Truncate logs, remove archived logs.
+    // Truncate logs
     let cmd = `find ${workDir}/var/log -name "*gz" -print0 | xargs -0r rm -f`;
     await exec(cmd, this.echo);
     cmd = `find ${workDir}/var/log/ -type f -exec truncate -s 0 {} \\;`;
     await exec(cmd, this.echo);
     // =========================================================================
-    // FIX STRUTTURALE PER DEVUAN/DEBIAN (/var folders)
+    // FIX DEFINITIVO PER DEVUAN/SYSVINIT (Init Script Hardening)
     // =========================================================================
-    // Ricrea le directory essenziali che potrebbero essere state rimosse
-    // o che devono esistere vuote per il corretto avvio dei servizi.
-    const dirsToCreate = [
-        `${workDir}/var/lib/dbus`, // Fondamentale per dbus
-        `${workDir}/var/spool/rsyslog`, // Fondamentale per rsyslog
-        `${workDir}/var/spool/cron/crontabs` // Fondamentale per cron
-    ];
-    for (const dir of dirsToCreate) {
-        if (!fs.existsSync(dir)) {
-            await exec(`mkdir -p ${dir}`, this.echo);
-            // Assicuriamo permessi corretti (dbus vuole 755 root:root di base)
-            await exec(`chmod 755 ${dir}`, this.echo);
-        }
+    if (Utils.isSysvinit()) {
+        if (this.verbose)
+            console.log('SysVinit detected: Hardening init scripts...');
+        await patchInitScripts(workDir, this.verbose);
     }
     // =========================================================================
-    // FIX CRITICO PER /var/run e /var/lock
-    // =========================================================================
-    // Su Debian/Devuan moderni, /var/run DEVE essere un symlink a /run.
-    // Se rsync lo ha copiato come directory, D-Bus e altri servizi falliscono.
+    // Fix Symlinks /var/run e /var/lock
     const varRun = `${workDir}/var/run`;
     if (fs.existsSync(varRun) && !fs.lstatSync(varRun).isSymbolicLink()) {
         if (this.verbose)
@@ -93,20 +62,14 @@ export async function editLiveFs(clone = false) {
         await exec(`rm -rf ${varLock}`, this.echo);
         await exec(`ln -s /run/lock ${varLock}`, this.echo);
     }
-    // =========================================================================
-    // Allow all fixed drives to be mounted with pmount
+    // Altri fix standard
     if (this.settings.config.pmount_fixed && fs.existsSync(`${workDir}/etc/pmount.allow`)) {
-        // MX aggiunto /etc
         await exec(`sed -i 's:#/dev/sd\[a-z\]:/dev/sd\[a-z\]:' ${workDir}/etc/pmount.allow`, this.echo);
     }
-    // Remove obsolete live-config file
     if (fs.existsSync(`${workDir}lib/live/config/1161-openssh-server`)) {
         await exec(`rm -f ${workDir}/lib/live/config/1161-openssh-server`, this.echo);
     }
     if (fs.existsSync(`${workDir}/etc/ssh/sshd_config`)) {
-        /**
-         * enable/disable SSH root/users password login
-         */
         await exec(`sed -i '/PermitRootLogin/d' ${workDir}/etc/ssh/sshd_config`);
         await exec(`sed -i '/PasswordAuthentication/d' ${workDir}/etc/ssh/sshd_config`);
         if (this.settings.config.ssh_pass) {
@@ -117,111 +80,53 @@ export async function editLiveFs(clone = false) {
             await exec(`echo 'PasswordAuthentication no' | tee -a ${workDir}/etc/ssh/sshd_config`, this.echo);
         }
     }
-    /**
-     * /etc/fstab should exist, even if it's empty,
-     * to prevent error messages at boot
-     */
     await exec(`rm ${workDir}/etc/fstab`, this.echo);
     await exec(`touch ${workDir}/etc/fstab`, this.echo);
-    /**
-     * Remove crypttab if exists
-     * this is crucial for tpm systems.
-     */
     if (fs.existsSync(`${workDir}/etc/crypttab`)) {
         await exec(`rm ${workDir}/etc/crypttab`, this.echo);
     }
-    // =========================================================================
-    // FIX MACHINE-ID (Il colpevole del blocco SysVinit)
-    // =========================================================================
-    /**
-     * Blank out systemd machine id.
-     * SU SYSTEMD: File vuoto = rigenerazione.
-     * SU SYSVINIT (Devuan): File NON deve esistere o deve essere 0 bytes.
-     */
-    // 1. Pulisci /etc/machine-id
+    // 🔧 [MODIFICA 1] Machine ID cleanup
+    // Cancelliamo SEMPRE il machine-id, anche su SysVinit.
+    // Questo garantisce che lo script patchato (dbus) trovi il file mancante e lo rigeneri.
     if (fs.existsSync(`${workDir}/etc/machine-id`)) {
         await exec(`rm ${workDir}/etc/machine-id`, this.echo);
-        // Per Systemd serve il file vuoto per fare il bind mount
-        // Per Devuan va bene vuoto (lo riempie dbus-uuidgen)
-        await exec(`touch ${workDir}/etc/machine-id`, this.echo);
+        await exec(`touch ${workDir}/etc/machine-id`, this.echo); // Lo ricreiamo vuoto
     }
-    // 2. Rimuovi /var/lib/dbus/machine-id
-    // Questo è il file "vero" per dbus su sistemi non-systemd.
-    // Deve sparire per essere rigenerato al boot.
+    // Rimuoviamo anche quello in /var/lib/dbus per forzare la rigenerazione
     if (fs.existsSync(`${workDir}/var/lib/dbus/machine-id`)) {
         await exec(`rm ${workDir}/var/lib/dbus/machine-id`, this.echo);
     }
-    // =========================================================================
-    /**
-     * LMDE4: utilizza UbuntuMono16.pf2
-     * aggiungo un link a /boot/grub/fonts/UbuntuMono16.pf2
-     */
     if (fs.existsSync(`${workDir}/boot/grub/fonts/unicode.pf2`)) {
         shx.cp(`${workDir}/boot/grub/fonts/unicode.pf2`, `${workDir}/boot/grub/fonts/UbuntuMono16.pf2`);
     }
-    /**
-     * cleaning /etc/resolv.conf
-     */
-    const resolvFile = `${workDir}/etc/resolv.conf`;
-    shx.rm(resolvFile);
-    /**
-     * Per tutte le distro systemd
-     */
+    shx.rm(`${workDir}/etc/resolv.conf`);
+    // Systemd cleanup
     if (Utils.isSystemd()) {
         const systemdctl = new Systemctl(this.verbose);
-        /*
-        * Arch: /ci/minimal/arch-minimal.sh:
-        * systemctl set-default multi-user.target
-        * systemctl enable getty@tty1.service
-        * systemctl enable systemd-networkd.service
-        * systemctl enable 'systemd-resolved.service
-        */
-        if (await systemdctl.isEnabled('remote-cryptsetup.target')) {
+        if (await systemdctl.isEnabled('remote-cryptsetup.target'))
             await systemdctl.disable('remote-cryptsetup.target', workDir, true);
-        }
-        if (await systemdctl.isEnabled('speech-dispatcherd.service')) {
+        if (await systemdctl.isEnabled('speech-dispatcherd.service'))
             await systemdctl.disable('speech-dispatcherd.service', workDir, true);
-        }
-        if (await systemdctl.isEnabled('wpa_supplicant-nl80211@.service')) {
+        if (await systemdctl.isEnabled('wpa_supplicant-nl80211@.service'))
             await systemdctl.disable('wpa_supplicant-nl80211@.service', workDir, true);
-        }
-        if (await systemdctl.isEnabled('wpa_supplicant@.service')) {
+        if (await systemdctl.isEnabled('wpa_supplicant@.service'))
             await systemdctl.disable('wpa_supplicant@.service', workDir, true);
-        }
-        if (await systemdctl.isEnabled('wpa_supplicant-wired@.service')) {
+        if (await systemdctl.isEnabled('wpa_supplicant-wired@.service'))
             await systemdctl.disable('wpa_supplicant-wired@.service', workDir, true);
-        }
-        /**
-         * All systemd distros
-         */
         await exec(`rm -f ${workDir}/var/lib/wicd/configurations/*`, this.echo);
         await exec(`rm -f ${workDir}/etc/wicd/wireless-settings.conf`, this.echo);
         await exec(`rm -f ${workDir}/etc/NetworkManager/system-connections/*`, this.echo);
         await exec(`rm -f ${workDir}/etc/network/wifi/*`, this.echo);
-        /**
-         * removing from /etc/network/:
-         * if-down.d if-post-down.d if-pre-up.d if-up.d interfaces interfaces.d
-         */
         const cleanDirs = ['if-down.d', 'if-post-down.d', 'if-pre-up.d', 'if-up.d', 'interfaces.d'];
-        let cleanDir = '';
-        for (cleanDir of cleanDirs) {
+        for (const cleanDir of cleanDirs) {
             await exec(`rm -f ${workDir}/etc/network/${cleanDir}/wpasupplicant`, this.echo);
         }
     }
-    /**
-     * Clear configs from /etc/network/interfaces, wicd and NetworkManager
-     * and netman, so they aren't stealthily included in the snapshot.
-     */
     if (this.familyId === 'debian') {
         if (fs.existsSync(`${workDir}/etc/network/interfaces`)) {
             await exec(`rm -f ${workDir}/etc/network/interfaces`, this.echo);
             Utils.write(`${workDir}/etc/network/interfaces`, 'auto lo\niface lo inet loopback');
         }
-        /**
-         * add some basic files to /dev
-         */
-        // Ho condensato i controlli ripetitivi su mknod per leggibilità
-        // Nota: Questo è safe da eseguire, anche se devtmpfs solitamente gestisce tutto.
         const devNodes = [
             { path: 'console', m: '622', type: 'c', major: 5, minor: 1 },
             { path: 'null', m: '666', type: 'c', major: 1, minor: 3 },
@@ -236,10 +141,9 @@ export async function editLiveFs(clone = false) {
                 await exec(`mknod -m ${node.m} ${workDir}/dev/${node.path} ${node.type} ${node.major} ${node.minor}`, this.echo);
             }
         }
-        if (!fs.existsSync(`${workDir}/dev/{console,ptmx,tty}`)) {
+        if (!fs.existsSync(`${workDir}/dev/console`)) {
             await exec(`chown -v root:tty ${workDir}/dev/{console,ptmx,tty}`, this.echo);
         }
-        // Link simbolici standard
         const links = [
             { src: '/proc/self/fd', dest: 'fd' },
             { src: '/proc/self/fd/0', dest: 'stdin' },
@@ -252,24 +156,114 @@ export async function editLiveFs(clone = false) {
                 await exec(`ln -sv ${link.src} ${workDir}/dev/${link.dest}`, this.echo);
             }
         }
-        if (!fs.existsSync(`${workDir}/dev/shm`)) {
+        if (!fs.existsSync(`${workDir}/dev/shm`))
             await exec(`mkdir -v ${workDir}/dev/shm`, this.echo);
-        }
-        if (!fs.existsSync(`${workDir}/dev/pts`)) {
+        if (!fs.existsSync(`${workDir}/dev/pts`))
             await exec(`mkdir -v ${workDir}/dev/pts`, this.echo);
+        await exec(`chmod 1777 ${workDir}/dev/shm`, this.echo);
+        if (!fs.existsSync(`${workDir}/tmp`))
+            await exec(`mkdir ${workDir}/tmp`, this.echo);
+        await exec(`chmod 1777 ${workDir}/tmp`, this.echo);
+    }
+}
+/**
+ * Patcha direttamente gli script di init in /etc/init.d/
+ */
+async function patchInitScripts(workDir, verbose) {
+    // 1. PATCH DBUS (Il più importante)
+    const dbusScript = `${workDir}/etc/init.d/dbus`;
+    if (fs.existsSync(dbusScript)) {
+        if (verbose)
+            console.log(`Patching ${dbusScript} to fix missing directories and RO fs...`);
+        let content = fs.readFileSync(dbusScript, 'utf8');
+        let modified = false;
+        // PATCH A: Header con gestione Ramdisk Fallback e Mount Proc
+        // Questa intestazione viene inserita all'inizio e prova a montare tmpfs se non può scrivere
+        const dbusFix = `
+### EGGS-FIX-START
+# 1. Assicuriamoci che /proc sia montato (necessario per leggere uuid kernel)
+if ! mountpoint -q /proc/; then
+  mount -t proc proc /proc
+fi
+
+# 2. Gestione Filesystem Read-Only (RO)
+# Se non possiamo scrivere in /var/lib/dbus, montiamo un tmpfs (RAM) sopra.
+# Questo bypassa il blocco dell'overlayfs non ancora pronto tipico delle build AppImage.
+if ! mkdir -p /var/lib/dbus 2>/dev/null || ! touch /var/lib/dbus/.rw_check 2>/dev/null; then
+  echo "EGGS-DEBUG: Filesystem Read-Only detected! Mounting tmpfs on /var/lib/dbus" > /dev/console
+  mount -t tmpfs -o size=1m tmpfs /var/lib/dbus
+fi
+rm -f /var/lib/dbus/.rw_check
+
+# 3. Creazione Directory Runtime
+mkdir -p /var/run/dbus /var/lib/dbus
+chmod 755 /var/run/dbus /var/lib/dbus
+
+# 4. Generazione Machine ID (Non-Blocking Strategy)
+# Se il file non esiste (o è vuoto), lo creiamo.
+if [ ! -s /var/lib/dbus/machine-id ]; then
+  # Prova A: Usa UUID del kernel (Istantaneo, non blocca)
+  if [ -f /proc/sys/kernel/random/uuid ]; then
+    cat /proc/sys/kernel/random/uuid | tr -d '-' > /var/lib/dbus/machine-id
+  # Prova B: Fallback statico
+  else
+    echo "00000000000000000000000000000001" > /var/lib/dbus/machine-id
+  fi
+  chmod 644 /var/lib/dbus/machine-id
+fi
+
+# 5. Sync /etc/machine-id (Best effort, ignora errori se /etc è RO)
+if [ ! -s /etc/machine-id ] && [ -s /var/lib/dbus/machine-id ]; then
+  cp /var/lib/dbus/machine-id /etc/machine-id 2>/dev/null || true
+fi
+### EGGS-FIX-END
+`;
+        if (!content.includes('EGGS-FIX-START')) {
+            content = content.replace('#!/bin/sh', `#!/bin/sh\n${dbusFix}`);
+            modified = true;
         }
-        if (!fs.existsSync(`${workDir}/dev/shm`)) {
-            await exec(`chmod 1777 ${workDir}/dev/shm`, this.echo);
+        // PATCH B: SABOTAGE PREVENTION (Questa è quella che mancava!)
+        // Impediamo che create_machineid cancelli il file che abbiamo appena creato
+        // perché l'uptime è basso. 
+        if (content.includes('rm -f "${MACHINEID}"')) {
+            if (verbose)
+                console.log('Patching dbus: disabling auto-delete of machine-id on boot');
+            content = content.replace('rm -f "${MACHINEID}"', ': # EGGS-PATCH: Prevent deletion of valid machine-id');
+            modified = true;
         }
-        /**
-         * creo /tmp
-         */
-        if (!fs.existsSync(`${workDir}/tmp`)) {
-            await exec(`mkdir ${workDir}/tmp`, this.echo);
+        if (modified) {
+            fs.writeFileSync(dbusScript, content, 'utf8');
+        }
+    }
+    // 2. PATCH RSYSLOG
+    const rsyslogScript = `${workDir}/etc/init.d/rsyslog`;
+    if (fs.existsSync(rsyslogScript)) {
+        let content = fs.readFileSync(rsyslogScript, 'utf8');
+        const fix = `
+### EGGS-FIX-START
+mkdir -p /var/spool/rsyslog
+chmod 755 /var/spool/rsyslog
+### EGGS-FIX-END
+`;
+        if (!content.includes('EGGS-FIX-START')) {
+            content = content.replace('#!/bin/sh', `#!/bin/sh\n${fix}`);
+            fs.writeFileSync(rsyslogScript, content, 'utf8');
+        }
+    }
+    // 3. PATCH CRON
+    const cronScript = `${workDir}/etc/init.d/cron`;
+    if (fs.existsSync(cronScript)) {
+        let content = fs.readFileSync(cronScript, 'utf8');
+        const fix = `
+### EGGS-FIX-START
+mkdir -p /var/spool/cron/crontabs
+chmod 1730 /var/spool/cron/crontabs
+chown root:crontab /var/spool/cron/crontabs 2>/dev/null || true
+### EGGS-FIX-END
+`;
+        if (!content.includes('EGGS-FIX-START')) {
+            content = content.replace('#!/bin/sh', `#!/bin/sh\n${fix}`);
+            fs.writeFileSync(cronScript, content, 'utf8');
         }
-        /**
-         * Assegno 1777 a /tmp creava problemi con MXLINUX
-         */
-        await exec(`chmod 1777 ${workDir}/tmp`, this.echo);
     }
 }

package/dist/classes/ovary.d/make-dot-disk.js

@@ -7,7 +7,7 @@
  */
 // packages
 import fs from 'node:fs';
-import shx from 'shelljs';
+import { shx } from '../../lib/utils.js';
 import path from 'path';
 // interfaces
 // libraries

package/dist/classes/ovary.d/produce.js

@@ -9,7 +9,7 @@ import chalk from 'chalk';
 import mustache from 'mustache';
 // packages
 import fs from 'node:fs';
-import shx from 'shelljs';
+import { shx } from '../../lib/utils.js';
 import path from 'path';
 // libraries
 import { exec } from '../../lib/utils.js';

package/dist/classes/ovary.d/user-create-live.d.ts

@@ -1,14 +1,8 @@
 /**
- * ./src/classes/ovary.d/create-user-live.ts
+ * src/classes/ovary.d/user-create-live.ts
  * penguins-eggs v.25.7.x / ecmascript 2020
- * author: Piero Proietti
- * email: piero.proietti@gmail.com
- * license: MIT
+ * * REFACTORED: Uses "The SysUser Master" class.
+ * Creates the live user directly in the merged filesystem safely.
  */
 import Ovary from '../ovary.js';
-/**
-   * list degli utenti: grep -E 1[0-9]{3}  /etc/passwd | sed s/:/\ / | awk '{print $1}'
-   * create la home per user_opt
-   * @param verbose
-   */
-export declare function userCreateLive(this: Ovary): Promise<void>;
+export default function userCreateLive(this: Ovary): Promise<void>;

package/dist/classes/ovary.d/user-create-live.js

@@ -1,97 +1,95 @@
 /**
- * ./src/classes/ovary.d/create-user-live.ts
+ * src/classes/ovary.d/user-create-live.ts
  * penguins-eggs v.25.7.x / ecmascript 2020
- * author: Piero Proietti
- * email: piero.proietti@gmail.com
- * license: MIT
+ * * REFACTORED: Uses "The SysUser Master" class.
+ * Creates the live user directly in the merged filesystem safely.
  */
-// packages
 import fs from 'fs';
-import path from 'node:path';
-import yaml from 'js-yaml';
-// functions
+import path from 'path';
 import { exec } from '../../lib/utils.js';
-import rexec from './rexec.js';
-import Utils from '../utils.js';
-// _dirname
-const __dirname = path.dirname(new URL(import.meta.url).pathname);
-/**
-   * list degli utenti: grep -E 1[0-9]{3}  /etc/passwd | sed s/:/\ / | awk '{print $1}'
-   * create la home per user_opt
-   * @param verbose
-   */
-export async function userCreateLive() {
-    if (this.verbose) {
-        console.log('Ovary: userCreateLive');
+import SysUsers from '../sys-users.js';
+export default async function userCreateLive() {
+    // Target: la directory "merged" dell'overlayfs
+    let target = this.settings.work_dir.merged;
+    if (!target || !fs.existsSync(target)) {
+        console.error(`SysUsers Error: Target directory not found at: ${target}`);
+        return;
     }
-    const cmds = [];
-    cmds.push(await rexec('chroot ' + this.settings.work_dir.merged + ' rm /home/' + this.settings.config.user_opt + ' -rf', this.verbose));
-    cmds.push(await rexec('chroot ' + this.settings.work_dir.merged + ' mkdir /home/' + this.settings.config.user_opt, this.verbose));
-    // Create user using useradd
-    cmds.push(await rexec('chroot ' + this.settings.work_dir.merged + ' useradd ' + this.settings.config.user_opt + ' --home-dir /home/' + this.settings.config.user_opt + ' --shell /bin/bash ', this.verbose));
-    // live password 
-    cmds.push(await rexec('echo ' + this.settings.config.user_opt + ':' + this.settings.config.user_opt_passwd + ' | chroot ' + this.settings.work_dir.merged + ' /usr/sbin/chpasswd', this.verbose));
-    // root password
-    cmds.push(await rexec(' echo root:' + this.settings.config.root_passwd + ' | chroot ' + this.settings.work_dir.merged + ' /usr/sbin/chpasswd', this.verbose));
-    // Alpine naked don't have /etc/skel
-    if (fs.existsSync('/etc/skel')) {
-        cmds.push(await rexec('chroot  ' + this.settings.work_dir.merged + ' cp /etc/skel/. /home/' + this.settings.config.user_opt + ' -R', this.verbose));
+    const familyId = this.distro?.familyId || this.familyId;
+    console.log(`Creating LIVE user in snapshot at ${target} (Family: ${familyId})...`);
+    // 1. CARICAMENTO CONFIGURAZIONE ESISTENTE
+    const sysUsers = new SysUsers(target, familyId);
+    sysUsers.load();
+    // 2. DEFINIZIONE UTENTE LIVE
+    const username = this.settings.config.user_opt || 'live';
+    const password = 'evolution'; // Password default live
+    // Shell detection
+    let shell = '/bin/bash';
+    if (!fs.existsSync(path.join(target, 'bin/bash')) && fs.existsSync(path.join(target, 'bin/ash'))) {
+        shell = '/bin/ash';
     }
-    // da problemi con il mount sshfs
-    cmds.push(await rexec('chroot  ' + this.settings.work_dir.merged + ' chown ' + this.settings.config.user_opt + ':users' + ' /home/' + this.settings.config.user_opt + ' -R', this.verbose));
-    /**
-     *
-     */
-    switch (this.familyId) {
-        case 'alpine': {
-            cmds.push(await rexec(`chroot ${this.settings.work_dir.merged} usermod -aG wheel ${this.settings.config.user_opt}`, this.verbose));
-            break;
-        }
-        case 'archlinux': {
-            cmds.push(await rexec(`chroot ${this.settings.work_dir.merged} gpasswd -a ${this.settings.config.user_opt} wheel`, this.verbose));
-            // check or create group: autologin
-            cmds.push(await rexec(`chroot ${this.settings.work_dir.merged} getent group autologin || chroot ${this.settings.work_dir.merged} groupadd autologin`, this.verbose));
-            cmds.push(await rexec(`chroot ${this.settings.work_dir.merged} gpasswd -a ${this.settings.config.user_opt} autologin`, this.verbose));
-            break;
-        }
-        case 'debian': {
-            cmds.push(await rexec(`chroot ${this.settings.work_dir.merged} usermod -aG sudo ${this.settings.config.user_opt}`, this.verbose));
-            break;
-        }
-        case 'fedora': {
-            cmds.push(await rexec(`chroot ${this.settings.work_dir.merged} usermod -aG wheel ${this.settings.config.user_opt}`, this.verbose));
-            break;
-        }
-        case 'openmamba': {
-            cmds.push(await rexec(`chroot ${this.settings.work_dir.merged} usermod -aG sysadmin ${this.settings.config.user_opt}`, this.verbose));
-            cmds.push(await rexec(`chroot ${this.settings.work_dir.merged} usermod -aG autologin ${this.settings.config.user_opt}`, this.verbose));
-            break;
-        }
-        case 'opensuse': {
-            cmds.push(await rexec(`chroot ${this.settings.work_dir.merged} usermod -aG wheel ${this.settings.config.user_opt}`, this.verbose));
-            break;
-        }
-        // No default
+    const liveUser = {
+        username: username,
+        password: 'x',
+        uid: '1000', // Live user è sempre 1000
+        gid: '1000',
+        gecos: 'Live User,,,',
+        home: `/home/${username}`,
+        shell: shell
+    };
+    // 3. CREAZIONE LOGICA (IN MEMORIA)
+    // Rimuove eventuali residui precedenti e aggiunge il nuovo
+    sysUsers.addUser(liveUser, password);
+    // Aggiungi ai gruppi amministrativi
+    let adminGroup = 'wheel';
+    if (['debian', 'ubuntu', 'linuxmint', 'pop', 'neon'].includes(familyId)) {
+        adminGroup = 'sudo';
     }
-    /**
-     * look to calamares/modules/users.conf for groups
-     */
-    let usersConf = '/etc/calamares/modules/users.conf';
-    if (!fs.existsSync(usersConf)) {
-        usersConf = '/etc/penguins-eggs.d/krill/modules/users.conf';
+    else if (familyId === 'openmamba') {
+        adminGroup = 'sysadmin';
     }
-    if (fs.existsSync(usersConf)) {
-        const o = yaml.load(fs.readFileSync(usersConf, 'utf8'));
-        for (const group of o.defaultGroups) {
-            const groupExists = await exec(`chroot ${this.settings.work_dir.merged} getent group ${group}`, { ignore: true });
-            if (groupExists.code == 0) {
-                cmds.push(await rexec(`chroot ${this.settings.work_dir.merged} usermod -aG ${group} ${this.settings.config.user_opt} ${this.toNull}`, this.verbose));
-                Utils.warning(`added ${this.settings.config.user_opt} to group ${group}`);
-            }
-        }
+    sysUsers.addUserToGroup(username, adminGroup);
+    // GRUPPO AUTOLOGIN (Fondamentale per la live!)
+    // Creiamo il gruppo se non esiste (logica semplificata: lo aggiungiamo a sysUsers se manca?)
+    // SysUsers.addUserToGroup fallisce silenziosamente se il gruppo non c'è. 
+    // Per sicurezza su Fedora/Arch, autologin di solito esiste o va creato.
+    // Proviamo ad aggiungerlo:
+    sysUsers.addUserToGroup(username, 'autologin'); // <--- PUNTO E VIRGOLA FONDAMENTALE QUI!
+    // Aggiungiamo anche ai gruppi standard audio/video/network se esistono
+    ['video', 'audio', 'network', 'input', 'lp', 'storage', 'optical'].forEach(grp => {
+        sysUsers.addUserToGroup(username, grp);
+    });
+    // 4. SALVATAGGIO ATOMICO SU DISCO
+    await sysUsers.save();
+    // 5. CREAZIONE FISICA HOME DIRECTORY
+    const homeDir = path.join(target, 'home', username);
+    // Cleanup
+    if (fs.existsSync(homeDir))
+        await exec(`rm -rf ${homeDir}`, this.echo);
+    // Scheletro (/etc/skel)
+    const skelPath = path.join(target, 'etc', 'skel');
+    if (fs.existsSync(skelPath)) {
+        await exec(`mkdir -p ${homeDir}`, this.echo);
+        await exec(`cp -rT ${skelPath} ${homeDir}`, this.echo);
     }
     else {
-        console.log(`il file ${usersConf} non esiste!`);
-        await Utils.pressKeyToExit();
+        await exec(`mkdir -p ${homeDir}`, this.echo);
+    }
+    // Permessi
+    await exec(`chown -R 1000:1000 ${homeDir}`, this.echo);
+    // Per la live va bene anche 755, ma 700 è più sicuro. Lasciamo standard.
+    await exec(`chmod 755 ${homeDir}`, this.echo);
+    // 6. FIX SELINUX SPECIFICO PER HOME LIVE
+    if (['fedora', 'rhel', 'centos', 'almalinux', 'rocky'].includes(familyId)) {
+        try {
+            await exec(`chcon -R -t user_home_t ${homeDir}`, { echo: false }).catch(() => { });
+            // Nota: .autorelabel nella root della live potrebbe rallentare il boot, 
+            // ma è meglio averlo se i contesti sono dubbi.
+            // await exec(`touch ${target}/.autorelabel`, { echo: false }) 
+        }
+        catch (e) {
+            console.error('SELinux home fix warning:', e);
+        }
     }
+    console.log(`Live user '${username}' created successfully via SysUser Master.`);
 }

package/dist/classes/ovary.d/users-remove.d.ts

@@ -1,9 +1,8 @@
 /**
- * ./src/classes/ovary.d/users-remove.ts
+ * src/classes/ovary.d/users-remove.ts
  * penguins-eggs v.25.7.x / ecmascript 2020
- * author: Piero Proietti
- * email: piero.proietti@gmail.com
- * license: MIT
+ * * REFACTORED: Uses "The SysUser Master" class.
+ * Cleans up host users from the ISO filesystem safely.
  */
-import Ovary from './../ovary.js';
-export declare function usersRemove(this: Ovary): Promise<void>;
+import Ovary from '../ovary.js';
+export default function usersRemove(this: Ovary): Promise<void>;