penguins-eggs 25.12.7 → 25.12.15

package/dist/classes/ovary.d/edit-live-fs.js

@@ -5,7 +5,6 @@
  * email: piero.proietti@gmail.com
  * license: MIT
  */
-// packages
 import fs from 'fs';
 import os from 'os';
 import path from 'node:path';
@@ -16,11 +15,11 @@ import Systemctl from '../systemctl.js';
 import { exec } from '../../lib/utils.js';
 // _dirname
 const __dirname = path.dirname(new URL(import.meta.url).pathname);
-export async function editLiveFs(clone = false) {
+export async function editLiveFs() {
     if (this.verbose)
         console.log('Ovary: editLiveFs');
     const workDir = this.settings.work_dir.merged;
-    if (clone) {
+    if (this.clone || this.homecrypt || this.fullcrypt) {
         await exec(`touch ${workDir}/etc/penguins-eggs.d/is_clone`, this.echo);
     }
     if (Pacman.packageIsInstalled('epoptes')) {
@@ -38,15 +37,6 @@ export async function editLiveFs(clone = false) {
     await exec(cmd, this.echo);
     cmd = `find ${workDir}/var/log/ -type f -exec truncate -s 0 {} \\;`;
     await exec(cmd, this.echo);
-    // =========================================================================
-    // FIX DEFINITIVO PER DEVUAN/SYSVINIT (Init Script Hardening)
-    // =========================================================================
-    if (Utils.isSysvinit()) {
-        if (this.verbose)
-            console.log('SysVinit detected: Hardening init scripts...');
-        await patchInitScripts(workDir, this.verbose);
-    }
-    // =========================================================================
     // Fix Symlinks /var/run e /var/lock
     const varRun = `${workDir}/var/run`;
     if (fs.existsSync(varRun) && !fs.lstatSync(varRun).isSymbolicLink()) {
@@ -85,16 +75,20 @@ export async function editLiveFs(clone = false) {
     if (fs.existsSync(`${workDir}/etc/crypttab`)) {
         await exec(`rm ${workDir}/etc/crypttab`, this.echo);
     }
-    // 🔧 [MODIFICA 1] Machine ID cleanup
-    // Cancelliamo SEMPRE il machine-id, anche su SysVinit.
-    // Questo garantisce che lo script patchato (dbus) trovi il file mancante e lo rigeneri.
-    if (fs.existsSync(`${workDir}/etc/machine-id`)) {
-        await exec(`rm ${workDir}/etc/machine-id`, this.echo);
-        await exec(`touch ${workDir}/etc/machine-id`, this.echo); // Lo ricreiamo vuoto
+    /**
+     * machine-id
+     */
+    await exec(`rm -f ${workDir}/etc/machine-id`);
+    await exec(`rm -f ${workDir}/var/lib/dbus/machine-id`);
+    if (Utils.isSysvinit()) {
+        await exec(`chroot ${workDir} dbus-uuidgen --ensure=/etc/machine-id`);
+        await exec(`ln -sf /etc/machine-id ${workDir}/var/lib/dbus/machine-id`);
+        // const machineId = crypto.randomBytes(16).toString('hex')
+        // fs.writeFileSync(`${workDir}/etc/machine-id`, machineId + '\n')
+        // fs.writeFileSync(`${workDir}/var/lib/dbus/machine-id`, machineId + '\n')
     }
-    // Rimuoviamo anche quello in /var/lib/dbus per forzare la rigenerazione
-    if (fs.existsSync(`${workDir}/var/lib/dbus/machine-id`)) {
-        await exec(`rm ${workDir}/var/lib/dbus/machine-id`, this.echo);
+    else if (Utils.isSystemd()) {
+        await exec(`touch ${workDir}/etc/machine-id`);
     }
     if (fs.existsSync(`${workDir}/boot/grub/fonts/unicode.pf2`)) {
         shx.cp(`${workDir}/boot/grub/fonts/unicode.pf2`, `${workDir}/boot/grub/fonts/UbuntuMono16.pf2`);
@@ -166,104 +160,3 @@ export async function editLiveFs(clone = false) {
         await exec(`chmod 1777 ${workDir}/tmp`, this.echo);
     }
 }
-/**
- * Patcha direttamente gli script di init in /etc/init.d/
- */
-async function patchInitScripts(workDir, verbose) {
-    // 1. PATCH DBUS (Il più importante)
-    const dbusScript = `${workDir}/etc/init.d/dbus`;
-    if (fs.existsSync(dbusScript)) {
-        if (verbose)
-            console.log(`Patching ${dbusScript} to fix missing directories and RO fs...`);
-        let content = fs.readFileSync(dbusScript, 'utf8');
-        let modified = false;
-        // PATCH A: Header con gestione Ramdisk Fallback e Mount Proc
-        // Questa intestazione viene inserita all'inizio e prova a montare tmpfs se non può scrivere
-        const dbusFix = `
-### EGGS-FIX-START
-# 1. Assicuriamoci che /proc sia montato (necessario per leggere uuid kernel)
-if ! mountpoint -q /proc/; then
-  mount -t proc proc /proc
-fi
-
-# 2. Gestione Filesystem Read-Only (RO)
-# Se non possiamo scrivere in /var/lib/dbus, montiamo un tmpfs (RAM) sopra.
-# Questo bypassa il blocco dell'overlayfs non ancora pronto tipico delle build AppImage.
-if ! mkdir -p /var/lib/dbus 2>/dev/null || ! touch /var/lib/dbus/.rw_check 2>/dev/null; then
-  echo "EGGS-DEBUG: Filesystem Read-Only detected! Mounting tmpfs on /var/lib/dbus" > /dev/console
-  mount -t tmpfs -o size=1m tmpfs /var/lib/dbus
-fi
-rm -f /var/lib/dbus/.rw_check
-
-# 3. Creazione Directory Runtime
-mkdir -p /var/run/dbus /var/lib/dbus
-chmod 755 /var/run/dbus /var/lib/dbus
-
-# 4. Generazione Machine ID (Non-Blocking Strategy)
-# Se il file non esiste (o è vuoto), lo creiamo.
-if [ ! -s /var/lib/dbus/machine-id ]; then
-  # Prova A: Usa UUID del kernel (Istantaneo, non blocca)
-  if [ -f /proc/sys/kernel/random/uuid ]; then
-    cat /proc/sys/kernel/random/uuid | tr -d '-' > /var/lib/dbus/machine-id
-  # Prova B: Fallback statico
-  else
-    echo "00000000000000000000000000000001" > /var/lib/dbus/machine-id
-  fi
-  chmod 644 /var/lib/dbus/machine-id
-fi
-
-# 5. Sync /etc/machine-id (Best effort, ignora errori se /etc è RO)
-if [ ! -s /etc/machine-id ] && [ -s /var/lib/dbus/machine-id ]; then
-  cp /var/lib/dbus/machine-id /etc/machine-id 2>/dev/null || true
-fi
-### EGGS-FIX-END
-`;
-        if (!content.includes('EGGS-FIX-START')) {
-            content = content.replace('#!/bin/sh', `#!/bin/sh\n${dbusFix}`);
-            modified = true;
-        }
-        // PATCH B: SABOTAGE PREVENTION (Questa è quella che mancava!)
-        // Impediamo che create_machineid cancelli il file che abbiamo appena creato
-        // perché l'uptime è basso. 
-        if (content.includes('rm -f "${MACHINEID}"')) {
-            if (verbose)
-                console.log('Patching dbus: disabling auto-delete of machine-id on boot');
-            content = content.replace('rm -f "${MACHINEID}"', ': # EGGS-PATCH: Prevent deletion of valid machine-id');
-            modified = true;
-        }
-        if (modified) {
-            fs.writeFileSync(dbusScript, content, 'utf8');
-        }
-    }
-    // 2. PATCH RSYSLOG
-    const rsyslogScript = `${workDir}/etc/init.d/rsyslog`;
-    if (fs.existsSync(rsyslogScript)) {
-        let content = fs.readFileSync(rsyslogScript, 'utf8');
-        const fix = `
-### EGGS-FIX-START
-mkdir -p /var/spool/rsyslog
-chmod 755 /var/spool/rsyslog
-### EGGS-FIX-END
-`;
-        if (!content.includes('EGGS-FIX-START')) {
-            content = content.replace('#!/bin/sh', `#!/bin/sh\n${fix}`);
-            fs.writeFileSync(rsyslogScript, content, 'utf8');
-        }
-    }
-    // 3. PATCH CRON
-    const cronScript = `${workDir}/etc/init.d/cron`;
-    if (fs.existsSync(cronScript)) {
-        let content = fs.readFileSync(cronScript, 'utf8');
-        const fix = `
-### EGGS-FIX-START
-mkdir -p /var/spool/cron/crontabs
-chmod 1730 /var/spool/cron/crontabs
-chown root:crontab /var/spool/cron/crontabs 2>/dev/null || true
-### EGGS-FIX-END
-`;
-        if (!content.includes('EGGS-FIX-START')) {
-            content = content.replace('#!/bin/sh', `#!/bin/sh\n${fix}`);
-            fs.writeFileSync(cronScript, content, 'utf8');
-        }
-    }
-}

package/dist/classes/ovary.d/fertilization.js

@@ -21,7 +21,7 @@ export async function fertilization(snapshot_prefix = '', snapshot_basename = ''
     this.familyId = distro.familyId;
     this.distroId = distro.distroId;
     this.distroLike = distro.distroLike;
-    this.distroLliveMediumPath = distro.liveMediumPath;
+    this.distroLiveMediumPath = distro.liveMediumPath;
     this.settings = new Settings();
     if (await this.settings.load()) {
         await this.settings.loadRemix(this.theme);

package/dist/classes/ovary.d/luks-home.js

@@ -27,7 +27,7 @@ export async function luksHome(clone = false, homecrypt = false) {
     try {
         /**
          * this.luksMappedName = 'home.img';
-         * this.luksFile = `/tmp/${luksMappedName}`
+         * this.luksFile = `/var/tmp/${luksMappedName}`
          * this.luksDevice = `/dev/mapper/${luksMappedName}`
          * this.luksMountpoint = `/tmp/mnt/${luksMappedName}`
          * this.luksPassword = '0'
@@ -42,15 +42,21 @@ export async function luksHome(clone = false, homecrypt = false) {
         // Utils.warning('1. Calculation of space requirements...')
         let sizeString = (await exec('du -sb --exclude=/home/eggs /home', { capture: true })).data.trim().split(/\s+/)[0];
         let size = Number.parseInt(sizeString, 10);
-        const luksSize = Math.ceil(size * 2);
-        /**
-         * E' più precisa ma equivalente grazie
-         * al truncate
-         */
-        // const fsOverhead = Math.max(size * 0.1, 100 * 1024 * 1024)
-        // const luksSize = size * 1.25 + fsOverhead // +25% 
-        warning(`homes size: ${bytesToGB(size)}`);
-        warning(`partition LUKS ${this.luksFile} size: ${bytesToGB(luksSize)}`);
+        const fsOverhead = Math.ceil(size * 0.05);
+        const luksHeader = 32 * 1024 * 1024;
+        const safetyBuffer = 100 * 1024 * 1024;
+        let calculatedSize = size + fsOverhead + luksHeader + safetyBuffer;
+        const minSize = 64 * 1024 * 1024;
+        if (calculatedSize < minSize)
+            calculatedSize = minSize;
+        const alignment = 4 * 1024 * 1024;
+        const luksSize = Math.ceil(calculatedSize / alignment) * alignment;
+        warning(`------------------------------------------`);
+        warning(`HOME CRYPT CALCULATION (Read-Only):`);
+        warning(`  Data Payload:   ${bytesToGB(size)}`);
+        warning(`  Overhead+Buf:   ${bytesToGB(luksSize - size)}`);
+        warning(`  TOTAL SIZE:     ${bytesToGB(luksSize)}`);
+        warning(`------------------------------------------`);
         warning(`creating partition LUKS: ${this.luksFile}`);
         await this.luksExecuteCommand('truncate', ['--size', `${luksSize}`, this.luksFile]);
         warning(`formatting ${this.luksFile} as a LUKS volume...`);
@@ -59,7 +65,7 @@ export async function luksHome(clone = false, homecrypt = false) {
         await this.luksExecuteCommand('cryptsetup', luksFormatArgs, `${this.luksPassword}\n`);
         warning(`opening the LUKS volume. It will be mapped to ${this.luksDevice}`);
         await this.luksExecuteCommand('cryptsetup', ['luksOpen', this.luksFile, this.luksMappedName], `${this.luksPassword}\n`);
-        warning(`formatting c ext4 `);
+        warning(`formatting ext4 `);
         await exec(`mkfs.ext4 -L live-home ${this.luksDevice}`, this.echo);
         warning(`mounting ${this.luksDevice} on ${this.luksMountpoint}`);
         if (fs.existsSync(this.luksMountpoint)) {
@@ -74,17 +80,21 @@ export async function luksHome(clone = false, homecrypt = false) {
         await exec(`mount /dev/mapper/${this.luksMappedName} ${this.luksMountpoint}`, this.echo);
         warning(`copying /home on  ${this.luksMountpoint}`);
         await exec(`rsync -ah --exclude='eggs' /home/ ${this.luksMountpoint}`, this.echo);
+        /**
+         * utenti e gruppi in .system-backup
+         */
         warning(`saving user accounts info...`);
-        // Crea directory per backup system files
         await exec(`mkdir -p ${this.luksMountpoint}/.system-backup`, this.echo);
-        // Filtra solo utenti con UID >= 1000
+        // passwd/shadow: solo utenti con UID >= 1000
         await exec(`awk -F: '$3 >= 1000 {print}' /etc/passwd > ${this.luksMountpoint}/.system-backup/passwd`, this.echo);
         await exec(`awk -F: '$3 >= 1000 {print}' /etc/shadow > ${this.luksMountpoint}/.system-backup/shadow`, this.echo);
-        // Per i gruppi: salva TUTTI (non filtrare per GID)
+        // group/gshadow TUTTI
         // Gli utenti possono appartenere a gruppi di sistema (sudo, audio, video, etc.)
         await exec(`cp /etc/group ${this.luksMountpoint}/.system-backup/group`, this.echo);
         await exec(`cp /etc/gshadow ${this.luksMountpoint}/.system-backup/gshadow`, this.echo);
-        // saving display manager (autologin) configs...
+        /**
+         * saving display manager (autologin) configs...
+         */
         warning(`saving display manager configuration...`);
         // GDM (gdm3 è comune su Debian/Ubuntu)
         await exec(`[ -e /etc/gdm3 ] && cp -a /etc/gdm3 ${this.luksMountpoint}/.system-backup/`, this.echo);
@@ -95,10 +105,10 @@ export async function luksHome(clone = false, homecrypt = false) {
         // SDDM (sia file .conf che directory .conf.d)
         await exec(`[ -e /etc/sddm.conf ] && cp -a /etc/sddm.conf ${this.luksMountpoint}/.system-backup/`, this.echo);
         await exec(`[ -e /etc/sddm.conf.d ] && cp -a /etc/sddm.conf.d ${this.luksMountpoint}/.system-backup/`, this.echo);
-        warning(`unmount ${this.luksDevice}`);
-        await exec(`umount ${this.luksMountpoint}`, this.echo);
-        warning(`closing LUKS volume ${this.luksMappedName}.`);
-        await this.luksExecuteCommand('cryptsetup', ['close', this.luksMappedName]);
+        warning(`Syncing filesystem on ${this.luksMountpoint}...`);
+        await exec('sync', this.echo); // Forza scrittura dati su disco
+        // Shrink()
+        await this.luksShrink();
         warning(`moving ${this.luksMappedName}  to (ISO)/live/.`);
         await exec(`mv ${this.luksFile} ${this.settings.iso_work}/live`, this.echo);
         warning('encryption process successfully completed!');
@@ -117,6 +127,10 @@ export async function luksHome(clone = false, homecrypt = false) {
         if (fs.existsSync(this.luksDevice)) {
             await this.luksExecuteCommand('cryptsetup', ['close', this.luksMappedName]).catch(() => { });
         }
+        if (fs.existsSync(this.luksFile)) {
+            Utils.warning(`Removing temporary container: ${this.luksFile}`);
+            fs.unlinkSync(this.luksFile);
+        }
         await Utils.pressKeyToExit();
         process.exit(1);
     }

package/dist/classes/ovary.d/luks-root.d.ts

@@ -8,8 +8,7 @@
 import Ovary from '../ovary.js';
 /**
  * luksRoot()
- *
- * create a container LUKS with the entire
+ * * create a container LUKS with the entire
  * filesystem.squashfs
  */
 export declare function luksRoot(this: Ovary): Promise<void>;

package/dist/classes/ovary.d/luks-root.js

@@ -12,8 +12,7 @@ import { exec } from '../../lib/utils.js';
 const noop = () => { };
 /**
  * luksRoot()
- *
- * create a container LUKS with the entire
+ * * create a container LUKS with the entire
  * filesystem.squashfs
  */
 export async function luksRoot() {
@@ -29,7 +28,7 @@ export async function luksRoot() {
     try {
         /**
          * this.luksMappedName = 'root.img';
-         * this.luksFile = `/tmp/${luksMappedName}`
+         * this.luksFile = `/var/tmp/${luksMappedName}`
          * this.luksDevice = `/dev/mapper/${luksMappedName}`
          * this.luksMountpoint = `/tmp/mnt/${luksMappedName}`
          * this.luksPassword = '0'
@@ -45,11 +44,29 @@ export async function luksRoot() {
             throw new Error(`filesystem.squashfs not found at: ${live_fs}`);
         }
         const stats = fs.statSync(live_fs);
-        let size = stats.size; // Dimensione REALE del file in Byte
-        // Add overhead * 1.25 per più sicurezza con file grandi
-        const luksSize = Math.ceil(size * 1.25);
-        warning(`filesystem.squashfs size: ${bytesToGB(size)}`);
-        warning(`partition LUKS ${this.luksFile} size: ${bytesToGB(luksSize)}`);
+        const size = stats.size; // Dimensione REALE del file in Byte
+        // -------------------------------------------------------------
+        // CALCOLO DIMENSIONE OTTIMIZZATA (No shrink, safe allocation)
+        // -------------------------------------------------------------
+        // 1. Overhead Ext4: Inode, bitmap, superblocchi. ~3-4% è standard senza journal.
+        const fsOverhead = Math.ceil(size * 0.04);
+        // 2. Header LUKS: Solitamente 16MB per LUKS2, usiamo 32MB per sicurezza.
+        const luksHeader = 32 * 1024 * 1024;
+        // 3. Margine di sicurezza (Buffer): 120MB fissi.
+        // Questo spazio evita errori di "Disk full" durante la copia dei metadati.
+        // Viene compensato dall'uso di "-m 0" nella formattazione.
+        const safetyBuffer = 120 * 1024 * 1024;
+        // 4. Somma totale
+        let calculatedSize = size + fsOverhead + luksHeader + safetyBuffer;
+        // 5. Allineamento a 4MB (Performance storage)
+        const alignment = 4 * 1024 * 1024;
+        const luksSize = Math.ceil(calculatedSize / alignment) * alignment;
+        warning(`------------------------------------------`);
+        warning(`SAFE SIZE CALCULATION (No Shrink):`);
+        warning(`  Payload (SquashFS): ${bytesToGB(size)}`);
+        warning(`  Calc. Overhead:     ${bytesToGB(luksSize - size)}`);
+        warning(`  TOTAL CONTAINER:    ${bytesToGB(luksSize)}`);
+        warning(`------------------------------------------`);
         warning(`creating partition LUKS: ${this.luksFile}`);
         await this.luksExecuteCommand('truncate', ['--size', `${luksSize}`, this.luksFile]);
         warning(`formatting ${this.luksFile} as a LUKS volume...`);
@@ -57,8 +74,13 @@ export async function luksRoot() {
         await this.luksExecuteCommand('cryptsetup', luksFormatArgs, `${this.luksPassword}\n`);
         warning(`opening the LUKS volume. It will be mapped to ${this.luksDevice}`);
         await this.luksExecuteCommand('cryptsetup', ['luksOpen', this.luksFile, this.luksMappedName], `${this.luksPassword}\n`);
-        warning(`formatting ext4 (without journal)...`);
-        await exec(`mkfs.ext4 -O ^has_journal -L live-root ${this.luksDevice}`, this.echo);
+        // -------------------------------------------------------------
+        // FORMATTAZIONE EXT4
+        // -m 0 : Imposta i blocchi riservati a 0% (recupera spazio)
+        // -O ^has_journal : Disabilita il journal (risparmia spazio e scritture)
+        // -------------------------------------------------------------
+        warning(`formatting ext4 (without journal, 0% reserved)...`);
+        await exec(`mkfs.ext4 -m 0 -O ^has_journal -L live-root ${this.luksDevice}`, this.echo);
         warning(`mounting ${this.luksDevice} on ${this.luksMountpoint}`);
         if (fs.existsSync(this.luksMountpoint)) {
             if (!Utils.isMountpoint(this.luksMountpoint)) {
@@ -74,25 +96,18 @@ export async function luksRoot() {
         await exec(`mv ${live_fs} ${this.luksMountpoint}/filesystem.squashfs`, this.echo);
         warning(`Syncing filesystem on ${this.luksMountpoint}...`);
         await exec('sync', this.echo); // Forza scrittura dati su disco
-        warning(`Attempting unmount ${this.luksMountpoint}...`);
-        try {
-            await exec(`umount ${this.luksMountpoint}`, this.echo);
-            success(`Unmounted ${this.luksMountpoint} successfully.`);
-        }
-        catch (umountError) {
-            Utils.error(`Failed to unmount ${this.luksMountpoint}! Trying force unmount...`);
-            // Tenta un unmount forzato/lazy come ultima risorsa
-            await exec(`umount -lf ${this.luksMountpoint}`).catch((forceError) => {
-                Utils.error(`Force unmount also failed: ${forceError}`);
-                // Considera se lanciare un errore qui per fermare il processo
-            });
-            // Lancia comunque l'errore originale per segnalare il problema
-            throw umountError;
-        }
-        warning(`closing LUKS volume ${this.luksFile}.`);
+        /**
+         * SHRINK DISABILITATO
+         * Non eseguiamo this.luksShrink() per evitare corruzione dati.
+         * Abbiamo calcolato la dimensione corretta all'inizio.
+         */
+        // Procedura di chiusura manuale (sostituisce quella dentro shrink)
+        warning(`Unmounting ${this.luksMountpoint}...`);
+        await exec(`umount ${this.luksMountpoint}`, this.echo);
+        warning(`Closing LUKS volume ${this.luksMappedName}...`);
         await this.luksExecuteCommand('cryptsetup', ['close', this.luksMappedName]);
         warning(`moving ${this.luksMappedName} on (ISO)/live.`);
-        await exec(`mv ${this.luksFile} ${this.settings.iso_work}/live`, this.echo);
+        await exec(`mv ${this.luksFile} ${this.settings.iso_work}/live/root.img`, this.echo);
     }
     catch (error) {
         if (error instanceof Error) {
@@ -108,6 +123,10 @@ export async function luksRoot() {
         if (fs.existsSync(this.luksDevice)) {
             await this.luksExecuteCommand('cryptsetup', ['close', this.luksMappedName]).catch(() => { });
         }
+        if (fs.existsSync(this.luksFile)) {
+            Utils.warning(`Removing temporary container: ${this.luksFile}`);
+            fs.unlinkSync(this.luksFile);
+        }
         await Utils.pressKeyToExit();
         process.exit(1);
     }

package/dist/classes/ovary.d/luks-shrink.d.ts

@@ -0,0 +1,14 @@
+/**
+ * ./src/classes/ovary.d/luks-shrink.ts
+ * penguins-eggs v.25.10.x / ecmascript 2020
+ * author: Piero Proietti
+ * email: piero.proietti@gmail.com
+ * license: MIT
+ */
+import Ovary from '../ovary.js';
+/**
+ * luksShrink
+ * Riduce in sicurezza un volume LUKS (root o home) minimizzando lo spazio
+ * ma garantendo l'integrità dei dati e l'allineamento dei blocchi.
+ */
+export declare function luksShrink(this: Ovary): Promise<void>;

package/dist/classes/ovary.d/luks-shrink.js

@@ -0,0 +1,86 @@
+/**
+ * ./src/classes/ovary.d/luks-shrink.ts
+ * penguins-eggs v.25.10.x / ecmascript 2020
+ * author: Piero Proietti
+ * email: piero.proietti@gmail.com
+ * license: MIT
+ */
+import Utils from '../utils.js';
+import { exec } from '../../lib/utils.js';
+const noop = () => { };
+/**
+ * luksShrink
+ * Riduce in sicurezza un volume LUKS (root o home) minimizzando lo spazio
+ * ma garantendo l'integrità dei dati e l'allineamento dei blocchi.
+ */
+export async function luksShrink() {
+    const loggers = {
+        log: this.hidden ? noop : console.log,
+        warning: this.hidden ? noop : Utils.warning,
+        success: this.hidden ? noop : Utils.success,
+        info: this.hidden ? noop : Utils.info,
+    };
+    const { log, warning, success, info } = loggers;
+    warning(`Unmounting ${this.luksMountpoint} to perform shrinking...`);
+    // Usa -l (lazy) se necessario, ma meglio umount pulito
+    await exec(`umount ${this.luksMountpoint}`, this.echo);
+    // 1. Controllo integrità (CRUCIALE per homecrypt: ripara eventuali errori prima di ridimensionare)
+    warning(`Checking filesystem integrity...`);
+    await exec(`e2fsck -f -y ${this.luksDevice}`, this.echo);
+    // 2. Riduzione del filesystem al minimo
+    warning(`Shrinking filesystem to minimum size...`);
+    // resize2fs -M è sicuro se poi lasciamo margine nel contenitore
+    await exec(`resize2fs -M ${this.luksDevice}`, this.echo);
+    // 3. Calcolo della nuova dimensione del filesystem
+    warning(`Calculating new sizes...`);
+    const tuneOutput = (await exec(`tune2fs -l ${this.luksDevice}`, { capture: true })).data;
+    const blockSizeMatch = tuneOutput.match(/Block size:\s+(\d+)/);
+    const blockCountMatch = tuneOutput.match(/Block count:\s+(\d+)/);
+    if (!blockSizeMatch || !blockCountMatch) {
+        throw new Error("Could not determine filesystem size from tune2fs");
+    }
+    const blockSize = parseInt(blockSizeMatch[1], 10);
+    const blockCount = parseInt(blockCountMatch[1], 10);
+    const fsSizeBytes = blockSize * blockCount;
+    warning(`Actual Ext4 payload size: ${bytesToGB(fsSizeBytes)}`);
+    // 4. Calcolo dell'offset LUKS (Header size)
+    const statusOutput = (await exec(`cryptsetup status ${this.luksMappedName}`, { capture: true })).data;
+    const offsetMatch = statusOutput.match(/offset:\s+(\d+)\s+sectors/);
+    let luksHeaderBytes = 0;
+    if (offsetMatch && offsetMatch[1]) {
+        luksHeaderBytes = parseInt(offsetMatch[1], 10) * 512;
+        warning(`Detected LUKS header: ${bytesToGB(luksHeaderBytes)}`);
+    }
+    else {
+        luksHeaderBytes = 32 * 1024 * 1024; // Fallback 32MB
+        warning(`Could not detect LUKS offset, using safe fallback: 32MB`);
+    }
+    // 5. Calcolo dimensione finale SICURA
+    // Usiamo 200MB di margine. Su una ISO da 4GB è il 5%, un prezzo onesto per la stabilità.
+    // Questo spazio extra protegge sia lo squashfs (root) che i metadati sparsi (home).
+    const safetyMargin = 200 * 1024 * 1024;
+    let rawFinalSize = fsSizeBytes + luksHeaderBytes + safetyMargin;
+    // ALLINEAMENTO A 1MB: Fondamentale per evitare errori di I/O su device fisici o loop
+    const alignBlock = 1024 * 1024;
+    const finalFileSize = Math.ceil(rawFinalSize / alignBlock) * alignBlock;
+    warning(`------------------------------------------------`);
+    warning(`SAFE SHRINK CALCULATION:`);
+    warning(`  FS Payload:   ${bytesToGB(fsSizeBytes)}`);
+    warning(`  LUKS Header:  ${bytesToGB(luksHeaderBytes)}`);
+    warning(`  SafetyMargin: ${bytesToGB(safetyMargin)}`);
+    warning(`  Alignment:    1 MB`);
+    warning(`  FINAL SIZE:   ${bytesToGB(finalFileSize)}`);
+    warning(`------------------------------------------------`);
+    // 6. Chiusura volume
+    warning(`Closing LUKS volume ${this.luksMappedName}...`);
+    await this.luksExecuteCommand('cryptsetup', ['close', this.luksMappedName]);
+    // 7. Truncate finale
+    warning(`Truncating ${this.luksFile} to release unused space...`);
+    await exec(`truncate -s ${finalFileSize} ${this.luksFile}`, this.echo);
+}
+function bytesToGB(bytes) {
+    if (bytes === 0)
+        return '0.00 GB';
+    const gigabytes = bytes / (1024 * 1024 * 1024);
+    return gigabytes.toFixed(2) + ' GB';
+}

package/dist/classes/ovary.d/produce.js

@@ -58,7 +58,7 @@ export async function produce(kernel = '', clone = false, homecrypt = false, ful
         else if (this.fullcrypt) {
             this.luksMappedName = 'root.img';
         }
-        this.luksFile = `/tmp/${this.luksMappedName}`;
+        this.luksFile = `/var/tmp/${this.luksMappedName}`;
         this.luksMappedName = this.luksMappedName;
         this.luksMountpoint = `/tmp/mnt/${this.luksMappedName}`;
         this.luksDevice = `/dev/mapper/${this.luksMappedName}`;
@@ -131,8 +131,6 @@ export async function produce(kernel = '', clone = false, homecrypt = false, ful
          * homecrypt/fullcrypt/clone/standard
          */
         if (this.homecrypt) {
-            this.settings.config.user_opt = 'live'; // patch for humans
-            this.settings.config.user_opt_passwd = 'evolution';
             Utils.warning("eggs will SAVE users and users' data ENCRYPTED on the live (ISO)/live/home.img");
         }
         else if (this.fullcrypt) {
@@ -195,10 +193,10 @@ export async function produce(kernel = '', clone = false, homecrypt = false, ful
             /**
              * installer
              */
-            this.incubator = new Incubator(this.settings.remix, this.settings.distro, this.settings.config.user_opt, this.theme, this.clone || this.fullcrypt, verbose);
+            this.incubator = new Incubator(this.settings.remix, this.settings.distro, this.settings.config.user_opt, this.theme, this.clone || this.fullcrypt || this.homecrypt, verbose);
             await this.incubator.config(release);
-            // Qua inseriamo uno sleep di un minuto
-            await Utils.sleep(5000); // 5 secondo
+            // 5 secondi di sleep
+            await Utils.sleep(5000);
             await this.bindLiveFs();
             await this.bindVfs();
             /**
@@ -228,36 +226,80 @@ export async function produce(kernel = '', clone = false, homecrypt = false, ful
                     await this.initrdDracut();
                 }
             }
-            // We dont' need more
+            // We don't need more
             await this.ubindVfs();
-            const cleanSystem = !(this.clone || this.fullcrypt);
-            if (cleanSystem) {
-                /**
-                 * SOLO per homecrypt e standard
-                 */
+            // mistero della Fede
+            await this.editLiveFs();
+            /**
+             * Autologin solse per non clone
+             */
+            if (!(this.clone || this.homecrypt || this.fullcrypt)) {
                 await this.usersRemove();
                 await this.userCreateLive();
                 if (Pacman.isInstalledGui()) {
+                    // add GUI autologin
                     await this.createXdgAutostart(this.settings.config.theme, myAddons, myLinks, noicons);
-                    /**
-                     * GUI installed but NOT Desktop Manager: just create motd and issue
-                     */
-                    // if (displaymanager().length > 0) {
-                    //     this.cliAutologin.addIssue(this.settings.distro.distroId, this.settings.distro.codenameId, this.settings.config.user_opt, this.settings.config.user_opt_passwd, this.settings.config.root_passwd, this.settings.work_dir.merged)
-                    //     this.cliAutologin.addMotd(this.settings.distro.distroId, this.settings.distro.codenameId, this.settings.config.user_opt, this.settings.config.user_opt_passwd, this.settings.config.root_passwd, this.settings.work_dir.merged)
-                    // }
                 }
                 else {
+                    // add cli-autologin
                     this.cliAutologin.add(this.settings.distro.distroId, this.settings.distro.codenameId, this.settings.config.user_opt, this.settings.config.user_opt_passwd, this.settings.config.root_passwd, this.settings.work_dir.merged);
                 }
             }
-            await this.editLiveFs(clone);
+            /**
+             * configurazione homecrytp
+             */
             if (this.homecrypt) {
+                // Occorre forzare il login CLI
+                if (Utils.isSystemd()) {
+                    const systemdDir = `${this.settings.work_dir.merged}/etc/systemd/system`;
+                    // remove eventuali autologin
+                    if (fs.existsSync(`${systemdDir}/getty@tty1.service.d`)) {
+                        await exec(`rm -rf ${systemdDir}/getty@tty1.service.d/*`);
+                    }
+                    else {
+                        await exec(`mkdir -p ${systemdDir}/getty@tty1.service.d`);
+                    }
+                    let content = ``;
+                    content += `[Service]\n`;
+                    content += `ExecStart=\n`;
+                    content += `ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear %I \$TERM\n`;
+                    fs.writeFileSync(`${systemdDir}/getty@tty1.service.d/no-autologin.conf`, content);
+                }
+                else if (Utils.isSysvinit()) {
+                    const inittabPath = `${this.settings.work_dir.merged}/etc/inittab`;
+                    if (fs.existsSync(inittabPath)) {
+                        // Non funziona per Devuan
+                        let content = fs.readFileSync(inittabPath, 'utf-8');
+                        // La riga standard per Devuan/Debian SysVinit.
+                        // 1: ID
+                        // 2345: Runlevels in cui attivarlo (Nota che il tuo boot è in runlevel 2)
+                        // respawn: Riavvia getty se muore
+                        // /sbin/getty 38400 tty1: Il comando
+                        const tty1Line = '1:2345:respawn:/sbin/agetty --noclear tty1 linux';
+                        // Rimuoviamo vecchie definizioni di tty1 (anche se commentate o diverse)
+                        // Cerca righe che iniziano con "1:"
+                        const regex = /^1:.*$/gm;
+                        if (regex.test(content)) {
+                            // Sostituisce la riga esistente
+                            content = content.replace(regex, tty1Line);
+                            console.log('Fixed tty1 in inittab (replaced)');
+                        }
+                        else {
+                            // Se non c'è, la aggiunge in fondo (dopo i commenti iniziali)
+                            content += `\n${tty1Line}\n`;
+                            console.log('Fixed tty1 in inittab (appended)');
+                        }
+                        // FIX CRITICO PER --cryptedhome / LIVE:
+                        // A volte le live commentano tutte le tty per usare i propri hook.
+                        // Assicurati che non ci siano altre righe strane che confliggono.
+                        fs.writeFileSync(inittabPath, content);
+                    }
+                }
                 /**
                  * homecrypt: installa il supporto
                  */
                 const squashfsRoot = this.settings.work_dir.merged;
-                const homeImgPath = this.distroLliveMediumPath + 'live/home.img';
+                const homeImgPath = this.distroLiveMediumPath + 'live/home.img';
                 this.installHomecryptSupport(squashfsRoot, homeImgPath);
             }
             mksquashfsCmd = await this.makeSquashfs(scriptOnly, includeRootHome);