penguins-eggs 25.11.8 → 25.11.21

package/scripts/boot-encrypted-root.sh

@@ -1,220 +0,0 @@
-#!/bin/sh
-# /scripts/live-premount/boot-encrypted-root.sh
-#
-# This script is designed to Boot Encrypted Linux Live (BELL).
-#
-# Its main purpose is to find an encrypted root image file (root.img) 
-# on a live USB/DVD, ask the user for a passphrase to unlock it, 
-# and then copy the main system filesystem (filesystem.squashfs) 
-# from inside the encrypted image into RAM.
-# 
-# the process continue with standard live-boot 
-
-# enable echo
-# set -e
-
-echo "BELL: Boot Encrypted Linux Live"
-
-#################################################
-# 1. Setup and Find Media
-
-# 1.1 load modules
-echo "BELL: loading modules..."
-modprobe loop 2>/dev/null || true
-modprobe dm_mod 2>/dev/null || true
-modprobe dm_crypt 2>/dev/null || true
-modprobe overlay 2>/dev/null || true
-modprobe ext4 2>/dev/null || true
-modprobe squashfs 2>/dev/null || true
-sleep 2
-
-
-# 1.2 find BELL media drive
-echo "BELL: find BELL media drive..."
-mkdir -p /mnt/live-media /mnt/ext4
-BELL_MEDIA_MNT="/mnt/live-media"
-LIVE_DEV=""
-
-# find to max 20 devices
-MAX_WAIT_DEV=20; COUNT_DEV=0
-while [ -z "$LIVE_DEV" ] && [ $COUNT_DEV -lt $MAX_WAIT_DEV ]; do
-    ls /dev > /dev/null
-    for dev in /dev/sr* /dev/sd* /dev/vd* /dev/nvme*n*; do
-        if [ ! -b "$dev" ]; then continue; fi
-        if mount -o ro "$dev" "$BELL_MEDIA_MNT" 2>/dev/null; then
-            if [ -f "${BELL_MEDIA_MNT}/live/root.img" ]; then
-                echo "BELL: Found BELL media on $dev"
-                LIVE_DEV=$dev
-                break 2
-            else
-                umount "$BELL_MEDIA_MNT" 2>/dev/null || true
-            fi
-        fi
-    done
-    sleep 1
-    COUNT_DEV=$((COUNT_DEV+1))
-done
-
-if [ -z "$LIVE_DEV" ]; then
-    echo "BELL: Error: no live BELL drive found!"
-    ls /dev
-    exit 1
-fi
-
-ROOT_IMG_RO="${BELL_MEDIA_MNT}/live/root.img"
-RAM_MEDIA_MNT="/run/live/medium" # final destination in RAM
-
-
-#################################################
-# 2. Prepare Encrypted Image
-
-# 2.1 loop device
-echo "BELL: loop device association for $ROOT_IMG_RO..."
-LOOP_DEV_OUTPUT=$(/sbin/losetup -f --show "$ROOT_IMG_RO" 2>/dev/null); LOSETUP_EXIT_STATUS=$?
-if [ $LOSETUP_EXIT_STATUS -ne 0 ] || [ -z "$LOOP_DEV_OUTPUT" ] || ! [ -b "$LOOP_DEV_OUTPUT" ]; then
-    echo "BELL: Error: loop association failed!"
-    exit 1
-fi
-LOOP_DEV="$LOOP_DEV_OUTPUT"
-echo "BELL: loop device $ROOT_IMG_RO associated to: $LOOP_DEV"
-
-
-
-#################################################
-# 3. Unlock LUKS (User Interaction)
-
-# disable 'set -e' to let 3 tempts 
-#set +e
-MAX_ATTEMPTS=3
-ATTEMPT=1
-UNLOCKED=0
-
-while [ $ATTEMPT -le $MAX_ATTEMPTS ]; do
-
-    # check if plymouth is active
-    if plymouth --ping 2>/dev/null; then
-
-        # request the password in plymouth and pass it to cryptsetup via stdin (--key-file -)
-        if plymouth ask-for-password --prompt="Enter passphrase ($ATTEMPT/$MAX_ATTEMPTS)" | cryptsetup open --readonly --key-file - "$LOOP_DEV" live-root; then
-            UNLOCKED=1
-            break
-        else
-            if [ $ATTEMPT -lt $MAX_ATTEMPTS ]; then
-                plymouth display-message --text="Incorrect passphrase. Try again..."
-                sleep 2 # wait 2 seconds to read message
-            fi
-        fi
-    else
-        # Fallback: Plymouth not active
-        echo "Please enter passphrase for $LOOP_DEV ($ATTEMPT/$MAX_ATTEMPTS):"
-
-        if cryptsetup open --readonly "$LOOP_DEV" live-root; then
-            UNLOCKED=1
-            break
-        else
-            if [ $ATTEMPT -lt $MAX_ATTEMPTS ]; then
-                echo "Incorrect passphrase. Please try again."
-            fi
-        fi
-    fi
-
-    ATTEMPT=$((ATTEMPT + 1))
-    sleep 1
-done
-
-# Enable echo
-# set -e
-
-# check if all attempts have failed
-if [ $UNLOCKED -eq 0 ]; then
-    if plymouth --ping 2>/dev/null; then
-        plymouth display-message --text="LUKS Unlock Failed: Max attempts reached"
-        sleep 5
-    fi
-    /sbin/losetup -d "$LOOP_DEV" || true
-    exit 1
-fi
-
-echo "BELL: LUKS unlocked ($LOOP_DEV -> live-root) [readonly]. Waiting for mapper..."
-
-
-#################################################
-# 4. copy System to RAM
-
-# 4.1 waiting mapper
-MAX_WAIT_MAP=10; COUNT_MAP=0
-while [ ! -b /dev/mapper/live-root ] && [ $COUNT_MAP -lt $MAX_WAIT_MAP ]; do
-    sleep 1
-    COUNT_MAP=$((COUNT_MAP+1))
-done
-
-if [ ! -b /dev/mapper/live-root ]; then
-    echo "BELL: Error: mapper did not appear."
-    cryptsetup close live-root || true
-    /sbin/losetup -d "$LOOP_DEV" || true
-    exit 1
-fi
-
-# 4.2 mount ext4 filesystem
-echo "BELL: mounting ext4 filesystem..."
-mount -t ext4 -o ro /dev/mapper/live-root /mnt/ext4
-
-SQFS_SRC="/mnt/ext4/filesystem.squashfs"
-if [ ! -f "$SQFS_SRC" ]; then
-    echo "BELL: error: $SQFS_SRC not found!"
-    exit 1
-fi
-
-
-# 4.3. Prepare RAM destination /run
-echo "BELL: preparing RAM disk ${RAM_MEDIA_MNT}..."
-SQFS_SIZE_BYTES=$(stat -c%s "$SQFS_SRC")
-NEEDED_SIZE_MB=$(( $SQFS_SIZE_BYTES / 1024 / 1024 + 500 )) # add 500MB buffer
-echo "BELL: Estimated space required in /run: ${NEEDED_SIZE_MB} MB"
-echo "BELL: increase size /run (tmpfs)..."
-if ! mount -o remount,size=${NEEDED_SIZE_MB}M /run; then
-    echo "BELL: WARN: Remount /run failed, space may be insufficient."
-    df -h /run
-fi
-mkdir -p "${RAM_MEDIA_MNT}/live"
-
-# 4.4 copy ONLY filesystem.squashfs to RAM
-SQFS_DEST="${RAM_MEDIA_MNT}/live/filesystem.squashfs"
-echo "BELL: copying $SQFS_SRC -> $SQFS_DEST..."
-if command -v rsync >/dev/null; then
-    rsync -a --info=progress2 "$SQFS_SRC" "$SQFS_DEST"
-else
-    cp "$SQFS_SRC" "$SQFS_DEST"
-fi
-SQFS_SIZE=$(du -h "$SQFS_DEST" | cut -f1)
-echo "BELL: filesystem.squashfs ($SQFS_SIZE) copied to RAM."
-
-# 4.5 copy .disk
-if [ -d "${BELL_MEDIA_MNT}/.disk" ]; then
-    cp -a "${BELL_MEDIA_MNT}/.disk" "${RAM_MEDIA_MNT}/"
-    echo "BELL: .disk copied."
-else
-    echo "BELL: Warning: .disk not found."
-fi
-
-# 4.6 Copy vmlinuz and initrd (we need to install the system)
-cp -a "${BELL_MEDIA_MNT}/live/vmlinuz"* "${RAM_MEDIA_MNT}/live/" 2>/dev/null || true
-cp -a "${BELL_MEDIA_MNT}/live/initrd"* "${RAM_MEDIA_MNT}/live/" 2>/dev/null || true
-echo "BELL: Attempted kernel/initrd copy (any errors ignored)."
-
-
-#################################################
-# 6. Cleanup and Hand-off
-echo "BELL: cleaning used mounts and devices..."
-umount /mnt/ext4 || echo "BELL: WARN: umount /mnt/ext4 failed ($?)"
-cryptsetup close live-root || echo "BELL: WARN: cryptsetup close live-root failed ($?)"
-/sbin/losetup -d "$LOOP_DEV" || echo "BELL: WARN: losetup -d $LOOP_DEV failed ($?)"
-umount "$BELL_MEDIA_MNT" || echo "BELL: WARN: umount ${BELL_MEDIA_MNT} failed ($?)"
-echo "BELL: cleaning complete."
-
-
-# 6.1 switching to live boot
-echo "BELL: live ISO image built in RAM on ${RAM_MEDIA_MNT}"
-# ls -l "$RAM_MEDIA_MNT"
-# ls -l "${RAM_MEDIA_MNT}/live"
-exit 0

package/scripts/mount-encrypted-home.sh

@@ -1,324 +0,0 @@
-#!/bin/bash
-# This Bash script is used to unlock and mount a LUKS-encrypted home.img
-# file for use as a /home directory, typically in a “live”
-# operating system environment (booted from USB or DVD).
-# v1.4 - Fixed 3-attempt loop by checking PIPESTATUS instead of pipe exit code.
-#      - Replaced non-breaking spaces with regular spaces.
-
-# enable echo
-set -e
-
-# configuration
-HOME_IMG="__HOME_IMG_PATH__"
-LUKS_NAME="live-home"
-MOUNT_POINT="/home"
-
-# define path OverlayFS
-# we will use /run che è un tmpfs (in RAM)
-LOWER_DIR="/run/live-home-lower"
-UPPER_DIR="/run/live-home-upper"
-WORK_DIR="/run/live-home-work"
-
-LOG_FILE="/var/log/mount-encrypted-home.log"
-
-# logging
-log() {
-    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
-}
-
-log_error() {
-    echo "[$(date '+%Y-%m-%d %H:%M:%S')] ERROR: $1" | tee -a "$LOG_FILE" >&2
-}
-
-# Cleanup in caso di errore
-cleanup() {
-    log "Cleanup in progress..."
-    if mountpoint -q "$MOUNT_POINT" 2>/dev/null; then
-        umount "$MOUNT_POINT" 2>/dev/null || true
-    fi
-    if mountpoint -q "$LOWER_DIR" 2>/dev/null; then
-        umount "$LOWER_DIR" 2>/dev/null || true
-    fi
-    if [ -e "/dev/mapper/$LUKS_NAME" ]; then
-        cryptsetup close "$LUKS_NAME" 2>/dev/null || true
-    fi
-    rmdir "$LOWER_DIR" "$UPPER_DIR" "$WORK_DIR" 2>/dev/null || true
-}
-
-trap cleanup EXIT
-
-log "=== Starting encrypted home mount process (v1.4) ==="
-
-# Check available memory
-AVAILABLE_MEM=$(free -m | awk '/^Mem:/{print $7}')
-log "Available memory: ${AVAILABLE_MEM}MB"
-
-if [ "$AVAILABLE_MEM" -lt 1024 ]; then
-    log_error "Low memory warning: only ${AVAILABLE_MEM}MB available"
-    log "This might cause issues with LUKS operations"
-fi
-
-# Wait for the media to become available (max 30 seconds)
-log "Waiting for live media to be available..."
-COUNTER=0
-while [ ! -f "$HOME_IMG" ] && [ $COUNTER -lt 30 ]; do
-    sleep 1
-    COUNTER=$((COUNTER + 1))
-done
-
-if [ ! -f "$HOME_IMG" ]; then
-    log_error "home.img not found at $HOME_IMG after 30 seconds"
-    log "Available mounts:"
-    mount | grep live | tee -a "$LOG_FILE"
-    exit 0
-fi
-
-log "Found home.img at $HOME_IMG"
-
-# Check file size
-IMG_SIZE=$(stat -c %s "$HOME_IMG")
-log "home.img size: $((IMG_SIZE / 1024 / 1024))MB"
-
-# Check if it is a LUKS volume
-if ! cryptsetup isLuks "$HOME_IMG" 2>&1 | tee -a "$LOG_FILE"; then
-    log_error "$HOME_IMG is not a valid LUKS volume"
-    exit 1
-fi
-
-log "Verified: home.img is a valid LUKS volume"
-
-# Wait until the TTY is fully initialized
-sleep 2
-
-# Clean up any previous device mappers
-if [ -e "/dev/mapper/$LUKS_NAME" ]; then
-    log "LUKS device already exists, closing it first..."
-    cryptsetup close "$LUKS_NAME" 2>&1 | tee -a "$LOG_FILE" || true
-fi
-
-# PASSWORD REQUEST
-# disable 'set -e' to let 3 tempts
-set +e
-
-MAX_ATTEMPTS=3
-ATTEMPT=1
-UNLOCKED=0 # Flag per sapere se abbiamo sbloccato
-
-while [ $ATTEMPT -le $MAX_ATTEMPTS ]; do
-    log "Unlock attempt $ATTEMPT of $MAX_ATTEMPTS"
-    
-    # Check if Plymouth is active
-    if plymouth --ping 2>/dev/null; then
-        log "Plymouth active. Asking for password via Plymouth..."
-        
-        # Execute the command and check PIPESTATUS.
-        plymouth ask-for-password --prompt="Enter passphrase for /home ($ATTEMPT/$MAX_ATTEMPTS)" | cryptsetup open "$HOME_IMG" "$LUKS_NAME" --key-file - 2>&1 | tee -a "$LOG_FILE"
-        
-        # Check the status of cryptsetup (index 1), not tee (index 2)
-        # PIPESTATUS[0] = plymouth, [1] = cryptsetup, [2] = tee
-        if [ ${PIPESTATUS[1]} -eq 0 ]; then
-            log "LUKS volume unlocked successfully via Plymouth"
-            UNLOCKED=1
-            break
-        else
-            log_error "Failed to unlock LUKS volume via Plymouth (attempt $ATTEMPT)"
-            if [ $ATTEMPT -lt $MAX_ATTEMPTS ]; then
-                plymouth display-message --text="Incorrect passphrase. Try again..."
-                sleep 2 # Gives time to read the message
-            fi
-        fi
-    else
-        # Fallback: Plymouth not active. asking for password via console
-        log "Plymouth not active. Asking for password via console..."
-        
-        echo ""
-        echo "╔════════════════════════════════════════╗"
-        echo "║  Encrypted Home Directory Detected     ║"
-        echo "╚════════════════════════════════════════╝"
-        echo ""
-        echo "Please enter your passphrase to unlock your data ($ATTEMPT/$MAX_ATTEMPTS)"
-        echo "(Press Ctrl+C to skip and continue with temporary home)"
-        echo ""
-
-        # Run the command and check PIPESTATUS
-        cryptsetup open "$HOME_IMG" "$LUKS_NAME" 2>&1 | tee -a "$LOG_FILE"
-        
-        # Check the status of cryptsetup (index 0), not tee (index 1).
-        # PIPESTATUS[0] = cryptsetup, [1] = tee
-        if [ ${PIPESTATUS[0]} -eq 0 ]; then
-            log "LUKS volume unlocked successfully via console"
-            UNLOCKED=1
-            break
-        else
-            log_error "Failed to unlock LUKS volume (attempt $ATTEMPT)"
-            if [ $ATTEMPT -lt $MAX_ATTEMPTS ]; then
-                echo "Incorrect passphrase. Please try again."
-            fi
-        fi
-    fi
-
-    ATTEMPT=$((ATTEMPT + 1))
-done
-
-
-# Check if unlocking failed after all attempts
-# Enable echo
-set -e
-
-if [ $UNLOCKED -eq 0 ]; then
-    log_error "Maximum attempts reached. Continuing without encrypted home."
-    echo ""
-    echo "╔════════════════════════════════════════╗"
-    echo "║  Failed to unlock encrypted home       ║"
-    echo "║  System will continue with default     ║"
-    echo "╚════════════════════════════════════════╝"
-    echo ""
-    
-    if plymouth --ping 2>/dev/null; then
-        plymouth display-message --text="Failed to unlock. Continuing with temporary home..."
-        sleep 3
-        plymouth quit
-    fi
-    
-    sleep 3
-    exit 0 # Exits without error, allowing the system to continue
-fi
-
-
-# Verify that the device mapper exists
-if [ ! -e "/dev/mapper/$LUKS_NAME" ]; then
-    log_error "Device /dev/mapper/$LUKS_NAME not found after unlock"
-    exit 1
-fi
-
-log "LUKS device available at /dev/mapper/$LUKS_NAME"
-
-# Implementing OverlayFS
-# 1. Create all necessary mount points and directories
-log "Creating overlay directories..."
-mkdir -p "$LOWER_DIR" "$UPPER_DIR" "$WORK_DIR" "$MOUNT_POINT"
-
-# 2. Mount the decrypted volume as read-only as 'lowerdir'
-log "Mounting decrypted volume to $LOWER_DIR (read-only base)"
-if ! mount -o ro "/dev/mapper/$LUKS_NAME" "$LOWER_DIR" 2>&1 | tee -a "$LOG_FILE"; then
-    log_error "Failed to mount decrypted volume (read-only) to $LOWER_DIR"
-    exit 1
-fi
-log "Read-only base mounted successfully."
-
-# 3. create overlay read-write for /home
-log "Mounting overlay filesystem to $MOUNT_POINT"
-OVERLAY_OPTS="lowerdir=$LOWER_DIR,upperdir=$UPPER_DIR,workdir=$WORK_DIR"
-# Add “index=off” and “metacopy=off” for compatibility
-OVERLAY_OPTS="$OVERLAY_OPTS,index=off,metacopy=off"
-
-if ! mount -t overlay -o "$OVERLAY_OPTS" overlay "$MOUNT_POINT" 2>&1 | tee -a "$LOG_FILE"; then
-    log_error "Failed to mount overlay filesystem to $MOUNT_POINT"
-    # Try without extra options if it fails
-    OVERLAY_OPTS="lowerdir=$LOWER_DIR,upperdir=$UPPER_DIR,workdir=$WORK_DIR"
-    log "Retrying overlay mount with basic options..."
-    if ! mount -t overlay -o "$OVERLAY_OPTS" overlay "$MOUNT_POINT" 2>&1 | tee -a "$LOG_FILE"; then
-         log_error "Failed to mount overlay filesystem to $MOUNT_POINT (retry failed)"
-         exit 1
-    fi
-fi
-log "Writable overlay for /home mounted successfully."
-
-
-# Restore users if they exists
-if [ -d "$MOUNT_POINT/.system-backup" ]; then
-    log "Restoring user accounts..."
-    
-    # Remove temporary live user
-    if id live >/dev/null 2>&1; then
-        log "Removing temporary 'live' user"
-        userdel -r live 2>&1 | tee -a "$LOG_FILE" || true
-    fi
-    
-    # Restore users
-    if [ -f "$MOUNT_POINT/.system-backup/passwd" ]; then
-        cat "$MOUNT_POINT/.system-backup/passwd" >> /etc/passwd
-        log "Restored $(wc -l < "$MOUNT_POINT/.system-backup/passwd") user entries"
-    fi
-    
-    if [ -f "$MOUNT_POINT/.system-backup/shadow" ]; then
-        cat "$MOUNT_POINT/.system-backup/shadow" >> /etc/shadow
-    fi
-
-    # Restore groups (replace completely)
-    if [ -f "$MOUNT_POINT/.system-backup/group" ]; then
-        cp "$MOUNT_POINT/.system-backup/group" /etc/group
-        log "Restored group memberships"
-    fi
-
-    if [ -f "$MOUNT_POINT/.system-backup/gshadow" ]; then
-        cp "$MOUNT_POINT/.system-backup/gshadow" /etc/gshadow
-    fi
-
-    # Restore Display Manager configs for autologin
-    log "Restoring display manager configurations (for autologin)..."
-    
-    # GDM (gdm3)
-    if [ -d "$MOUNT_POINT/.system-backup/gdm3" ]; then
-        log "Restoring GDM3 config..."
-        # Remove the default live configuration before copying
-        rm -rf /etc/gdm3 2>/dev/null
-        cp -a "$MOUNT_POINT/.system-backup/gdm3" /etc/
-    fi
-
-    # GDM (gdm)
-    if [ -d "$MOUNT_POINT/.system-backup/gdm" ]; then
-        log "Restoring GDM config..."
-        rm -rf /etc/gdm 2>/dev/null
-        cp -a "$MOUNT_POINT/.system-backup/gdm" /etc/
-    fi
-
-    # LightDM
-    if [ -d "$MOUNT_POINT/.system-backup/lightdm" ]; then
-        log "Restoring LightDM config..."
-        rm -rf /etc/lightdm 2>/dev/null
-        cp -a "$MOUNT_POINT/.system-backup/lightdm" /etc/
-    fi
-
-    # SDDM
-    if [ -f "$MOUNT_POINT/.system-backup/sddm.conf" ]; then
-        log "Restoring SDDM config (sddm.conf)..."
-        cp -a "$MOUNT_POINT/.system-backup/sddm.conf" /etc/
-    fi
-    if [ -d "$MOUNT_POINT/.system-backup/sddm.conf.d" ]; then
-        log "Restoring SDDM config (sddm.conf.d)..."
-        rm -rf /etc/sddm.conf.d 2>/dev/null
-        cp -a "$MOUNT_POINT/.system-backup/sddm.conf.d" /etc/
-    fi
-    
-    log "User accounts and DM configs restored successfully"
-    
-    # Restart the display manager to reload users
-    log "Restarting display manager..."
-    if systemctl is-active --quiet gdm; then
-        systemctl restart gdm 2>&1 | tee -a "$LOG_FILE"
-        log "GDM restarted"
-    elif systemctl is-active --quiet lightdm; then
-        systemctl restart lightdm 2>&1 | tee -a "$LOG_FILE"
-        log "LightDM restarted"
-    elif systemctl is-active --quiet sddm; then
-        systemctl restart sddm 2>&1 | tee -a "$LOG_FILE"
-        log "SDDM restarted"
-    else
-        log "No active display manager found to restart"
-    fi
-else
-    log "No .system-backup directory found. Assuming /home is just data."
-fi
-
-log "=== Encrypted home mount completed successfully ==="
-
-# Notify Plymouth (if active) that we are done
-if plymouth --ping 2>/dev/null; then
-    plymouth quit
-fi
-
-# Don't clean up success
-trap - EXIT
-
-exit 0