penguins-eggs 25.12.7 → 25.12.16

package/dist/classes/incubation/fisherman-helper/initcpio.js

@@ -8,31 +8,40 @@
 import { exec } from '../../../lib/utils.js';
 import { access } from 'fs/promises';
 /**
- *
- * @returns
+ * Cerca il file .preset per mkinitcpio appropriato per il kernel corrente.
+ * @returns Il percorso del file .preset trovato.
+ * @throws {Error} Se non è possibile trovare un file .preset valido.
  */
 export async function initcpio() {
     try {
-        const result = await exec('uname -r');
-        const kernelVersion = result.data;
+        const kernelVersion = (await exec('uname -r', { capture: true })).data;
         const version = kernelVersion.trim();
-        // Manjaro
+        // Logica Manjaro
         if (version.includes('MANJARO')) {
             try {
-                // Estrai major e minor version. Es: da "6.12.48-1-MANJARO" -> ["6", "12", "48-1-MANJARO"]
                 const parts = version.split('.');
-                // Costruisci il nome del preset come "linux" + "6" + "12" -> "linux612"
                 const kernelName = `linux${parts[0]}${parts[1]}`;
+                // Tentativo 1: Major/Minor (es. /etc/mkinitcpio.d/linux61.preset)
                 const manjaroPreset = `/etc/mkinitcpio.d/${kernelName}.preset`;
-                await access(manjaroPreset); // Verifica se esiste /etc/mkinitcpio.d/linux612.preset
-                return manjaroPreset; // Se esiste, lo restituisce e la funzione termina
+                await access(manjaroPreset);
+                return manjaroPreset;
             }
-            catch {
-                // Se anche questa logica fallisce, lascia che proceda al fallback per Arch
-                // console.warn('Logica Manjaro fallita, si tenta il fallback per Arch...');
+            catch (e) {
+                try {
+                    const parts = version.split('.');
+                    const kernelName = `linux${parts[0]}${parts[1]}`;
+                    // Tentativo 2: Major/Minor con Architettura (es. /etc/mkinitcpio.d/linux61-x86_64.preset)
+                    const manjaroPresetArch = `/etc/mkinitcpio.d/${kernelName}-x86_64.preset`;
+                    await access(manjaroPresetArch);
+                    return manjaroPresetArch;
+                }
+                catch (e) {
+                    // Fallito, si procede al FALLBACK ARCH
+                }
             }
         }
         else if (version.includes('cachyos')) {
+            // Logica CachyOS
             try {
                 let kernelType = 'linux-cachyos'; // default
                 if (version.includes('lts')) {
@@ -49,14 +58,10 @@ export async function initcpio() {
                 return cachyPreset;
             }
             catch {
-                // Se anche questa logica fallisce, lascia che proceda al fallback per Arch
-                // console.warn('Logica Manjaro fallita, si tenta il fallback per Arch...');
+                // Fallito, si procede al fallback Arch
             }
         }
-        /**
-         * FALLBACK ARCH
-         */
-        // Determina il tipo di kernel
+        // FALLBACK ARCH
         let kernelType = 'linux'; // default
         if (version.includes('lts')) {
             kernelType = 'linux-lts';
@@ -73,7 +78,7 @@ export async function initcpio() {
         return archPreset;
     }
     catch (error) {
-        // Rimuoviamo l'errore originale dalla stringa per un messaggio più pulito
-        throw new Error(`Impossibile trovare un file .preset valido in /etc/mkinitcpio.d/`);
+        // Lancia un errore se tutti i tentativi falliscono.
+        throw new Error(`Impossibile trovare un file .preset valido in /etc/mkinitcpio.d/.`);
     }
 }

package/dist/classes/incubation/incubator.d/manjaro.js

@@ -78,5 +78,6 @@ export class Manjaro {
         }
         await fisherman.buildModule('umount');
         await fisherman.buildModuleFinished();
+        console.log('manjaro created');
     }
 }

package/dist/classes/ovary.d/edit-live-fs.d.ts

@@ -6,4 +6,4 @@
  * license: MIT
  */
 import Ovary from '../ovary.js';
-export declare function editLiveFs(this: Ovary, clone?: boolean): Promise<void>;
+export declare function editLiveFs(this: Ovary): Promise<void>;

package/dist/classes/ovary.d/edit-live-fs.js

@@ -5,7 +5,6 @@
  * email: piero.proietti@gmail.com
  * license: MIT
  */
-// packages
 import fs from 'fs';
 import os from 'os';
 import path from 'node:path';
@@ -16,11 +15,11 @@ import Systemctl from '../systemctl.js';
 import { exec } from '../../lib/utils.js';
 // _dirname
 const __dirname = path.dirname(new URL(import.meta.url).pathname);
-export async function editLiveFs(clone = false) {
+export async function editLiveFs() {
     if (this.verbose)
         console.log('Ovary: editLiveFs');
     const workDir = this.settings.work_dir.merged;
-    if (clone) {
+    if (this.clone || this.homecrypt || this.fullcrypt) {
         await exec(`touch ${workDir}/etc/penguins-eggs.d/is_clone`, this.echo);
     }
     if (Pacman.packageIsInstalled('epoptes')) {
@@ -38,15 +37,6 @@ export async function editLiveFs(clone = false) {
     await exec(cmd, this.echo);
     cmd = `find ${workDir}/var/log/ -type f -exec truncate -s 0 {} \\;`;
     await exec(cmd, this.echo);
-    // =========================================================================
-    // FIX DEFINITIVO PER DEVUAN/SYSVINIT (Init Script Hardening)
-    // =========================================================================
-    if (Utils.isSysvinit()) {
-        if (this.verbose)
-            console.log('SysVinit detected: Hardening init scripts...');
-        await patchInitScripts(workDir, this.verbose);
-    }
-    // =========================================================================
     // Fix Symlinks /var/run e /var/lock
     const varRun = `${workDir}/var/run`;
     if (fs.existsSync(varRun) && !fs.lstatSync(varRun).isSymbolicLink()) {
@@ -85,16 +75,20 @@ export async function editLiveFs(clone = false) {
     if (fs.existsSync(`${workDir}/etc/crypttab`)) {
         await exec(`rm ${workDir}/etc/crypttab`, this.echo);
     }
-    // 🔧 [MODIFICA 1] Machine ID cleanup
-    // Cancelliamo SEMPRE il machine-id, anche su SysVinit.
-    // Questo garantisce che lo script patchato (dbus) trovi il file mancante e lo rigeneri.
-    if (fs.existsSync(`${workDir}/etc/machine-id`)) {
-        await exec(`rm ${workDir}/etc/machine-id`, this.echo);
-        await exec(`touch ${workDir}/etc/machine-id`, this.echo); // Lo ricreiamo vuoto
+    /**
+     * machine-id
+     */
+    await exec(`rm -f ${workDir}/etc/machine-id`);
+    await exec(`rm -f ${workDir}/var/lib/dbus/machine-id`);
+    if (Utils.isSysvinit()) {
+        await exec(`chroot ${workDir} dbus-uuidgen --ensure=/etc/machine-id`);
+        await exec(`ln -sf /etc/machine-id ${workDir}/var/lib/dbus/machine-id`);
+        // const machineId = crypto.randomBytes(16).toString('hex')
+        // fs.writeFileSync(`${workDir}/etc/machine-id`, machineId + '\n')
+        // fs.writeFileSync(`${workDir}/var/lib/dbus/machine-id`, machineId + '\n')
     }
-    // Rimuoviamo anche quello in /var/lib/dbus per forzare la rigenerazione
-    if (fs.existsSync(`${workDir}/var/lib/dbus/machine-id`)) {
-        await exec(`rm ${workDir}/var/lib/dbus/machine-id`, this.echo);
+    else if (Utils.isSystemd()) {
+        await exec(`touch ${workDir}/etc/machine-id`);
     }
     if (fs.existsSync(`${workDir}/boot/grub/fonts/unicode.pf2`)) {
         shx.cp(`${workDir}/boot/grub/fonts/unicode.pf2`, `${workDir}/boot/grub/fonts/UbuntuMono16.pf2`);
@@ -166,104 +160,3 @@ export async function editLiveFs(clone = false) {
         await exec(`chmod 1777 ${workDir}/tmp`, this.echo);
     }
 }
-/**
- * Patcha direttamente gli script di init in /etc/init.d/
- */
-async function patchInitScripts(workDir, verbose) {
-    // 1. PATCH DBUS (Il più importante)
-    const dbusScript = `${workDir}/etc/init.d/dbus`;
-    if (fs.existsSync(dbusScript)) {
-        if (verbose)
-            console.log(`Patching ${dbusScript} to fix missing directories and RO fs...`);
-        let content = fs.readFileSync(dbusScript, 'utf8');
-        let modified = false;
-        // PATCH A: Header con gestione Ramdisk Fallback e Mount Proc
-        // Questa intestazione viene inserita all'inizio e prova a montare tmpfs se non può scrivere
-        const dbusFix = `
-### EGGS-FIX-START
-# 1. Assicuriamoci che /proc sia montato (necessario per leggere uuid kernel)
-if ! mountpoint -q /proc/; then
-  mount -t proc proc /proc
-fi
-
-# 2. Gestione Filesystem Read-Only (RO)
-# Se non possiamo scrivere in /var/lib/dbus, montiamo un tmpfs (RAM) sopra.
-# Questo bypassa il blocco dell'overlayfs non ancora pronto tipico delle build AppImage.
-if ! mkdir -p /var/lib/dbus 2>/dev/null || ! touch /var/lib/dbus/.rw_check 2>/dev/null; then
-  echo "EGGS-DEBUG: Filesystem Read-Only detected! Mounting tmpfs on /var/lib/dbus" > /dev/console
-  mount -t tmpfs -o size=1m tmpfs /var/lib/dbus
-fi
-rm -f /var/lib/dbus/.rw_check
-
-# 3. Creazione Directory Runtime
-mkdir -p /var/run/dbus /var/lib/dbus
-chmod 755 /var/run/dbus /var/lib/dbus
-
-# 4. Generazione Machine ID (Non-Blocking Strategy)
-# Se il file non esiste (o è vuoto), lo creiamo.
-if [ ! -s /var/lib/dbus/machine-id ]; then
-  # Prova A: Usa UUID del kernel (Istantaneo, non blocca)
-  if [ -f /proc/sys/kernel/random/uuid ]; then
-    cat /proc/sys/kernel/random/uuid | tr -d '-' > /var/lib/dbus/machine-id
-  # Prova B: Fallback statico
-  else
-    echo "00000000000000000000000000000001" > /var/lib/dbus/machine-id
-  fi
-  chmod 644 /var/lib/dbus/machine-id
-fi
-
-# 5. Sync /etc/machine-id (Best effort, ignora errori se /etc è RO)
-if [ ! -s /etc/machine-id ] && [ -s /var/lib/dbus/machine-id ]; then
-  cp /var/lib/dbus/machine-id /etc/machine-id 2>/dev/null || true
-fi
-### EGGS-FIX-END
-`;
-        if (!content.includes('EGGS-FIX-START')) {
-            content = content.replace('#!/bin/sh', `#!/bin/sh\n${dbusFix}`);
-            modified = true;
-        }
-        // PATCH B: SABOTAGE PREVENTION (Questa è quella che mancava!)
-        // Impediamo che create_machineid cancelli il file che abbiamo appena creato
-        // perché l'uptime è basso. 
-        if (content.includes('rm -f "${MACHINEID}"')) {
-            if (verbose)
-                console.log('Patching dbus: disabling auto-delete of machine-id on boot');
-            content = content.replace('rm -f "${MACHINEID}"', ': # EGGS-PATCH: Prevent deletion of valid machine-id');
-            modified = true;
-        }
-        if (modified) {
-            fs.writeFileSync(dbusScript, content, 'utf8');
-        }
-    }
-    // 2. PATCH RSYSLOG
-    const rsyslogScript = `${workDir}/etc/init.d/rsyslog`;
-    if (fs.existsSync(rsyslogScript)) {
-        let content = fs.readFileSync(rsyslogScript, 'utf8');
-        const fix = `
-### EGGS-FIX-START
-mkdir -p /var/spool/rsyslog
-chmod 755 /var/spool/rsyslog
-### EGGS-FIX-END
-`;
-        if (!content.includes('EGGS-FIX-START')) {
-            content = content.replace('#!/bin/sh', `#!/bin/sh\n${fix}`);
-            fs.writeFileSync(rsyslogScript, content, 'utf8');
-        }
-    }
-    // 3. PATCH CRON
-    const cronScript = `${workDir}/etc/init.d/cron`;
-    if (fs.existsSync(cronScript)) {
-        let content = fs.readFileSync(cronScript, 'utf8');
-        const fix = `
-### EGGS-FIX-START
-mkdir -p /var/spool/cron/crontabs
-chmod 1730 /var/spool/cron/crontabs
-chown root:crontab /var/spool/cron/crontabs 2>/dev/null || true
-### EGGS-FIX-END
-`;
-        if (!content.includes('EGGS-FIX-START')) {
-            content = content.replace('#!/bin/sh', `#!/bin/sh\n${fix}`);
-            fs.writeFileSync(cronScript, content, 'utf8');
-        }
-    }
-}

package/dist/classes/ovary.d/fertilization.js

@@ -21,7 +21,7 @@ export async function fertilization(snapshot_prefix = '', snapshot_basename = ''
     this.familyId = distro.familyId;
     this.distroId = distro.distroId;
     this.distroLike = distro.distroLike;
-    this.distroLliveMediumPath = distro.liveMediumPath;
+    this.distroLiveMediumPath = distro.liveMediumPath;
     this.settings = new Settings();
     if (await this.settings.load()) {
         await this.settings.loadRemix(this.theme);

package/dist/classes/ovary.d/luks-home-support-systemd.d.ts

@@ -0,0 +1,12 @@
+/**
+ * ./src/classes/ovary.d/luks-home-support.ts
+ * penguins-eggs v.25.10.x / ecmascript 2020
+ * author: Piero Proietti
+ * email: piero.proietti@gmail.com
+ * license: MIT
+ */
+import Ovary from '../ovary.js';
+/**
+ * Installa i file necessari per sbloccare home.img LUKS durante il boot
+ */
+export declare function installHomecryptSupport(this: Ovary, squashfsRoot: string, homeImgPath: string): void;

package/dist/classes/ovary.d/luks-home-support-systemd.js

@@ -0,0 +1,70 @@
+/**
+ * ./src/classes/ovary.d/luks-home-support.ts
+ * penguins-eggs v.25.10.x / ecmascript 2020
+ * author: Piero Proietti
+ * email: piero.proietti@gmail.com
+ * license: MIT
+ */
+// packages
+import fs from 'fs';
+import path from 'path';
+import { fileURLToPath } from 'url';
+import { dirname } from 'path';
+import Utils from '../utils.js';
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+/**
+ * Installa i file necessari per sbloccare home.img LUKS durante il boot
+ */
+export function installHomecryptSupport(squashfsRoot, homeImgPath) {
+    Utils.warning('installing encrypted home support...');
+    // console.log("squashfsRoot:", squashfsRoot)
+    // console.log("homeImgPath:", homeImgPath)
+    // Leggi il template bash
+    const templatePath = path.join(__dirname, '../../../scripts/mount-encrypted-home.sh');
+    let bashScript = fs.readFileSync(templatePath, 'utf8');
+    // Sostituisci il placeholder con il path reale
+    bashScript = bashScript.replace('__HOME_IMG_PATH__', homeImgPath);
+    // Systemd service
+    const systemdService = `[Unit]
+Description=Unlock and mount encrypted home.img
+DefaultDependencies=no
+After=systemd-udev-settle.service local-fs-pre.target
+Before=local-fs.target display-manager.service
+ConditionPathExists=${homeImgPath}
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+StandardInput=tty
+StandardOutput=journal+console
+StandardError=journal+console
+TTYPath=/dev/console
+TTYReset=yes
+TTYVHangup=yes
+ExecStart=/usr/local/bin/mount-encrypted-home.sh
+ExecStop=/bin/bash -c 'umount /home && cryptsetup close live-home'
+
+[Install]
+WantedBy=local-fs.target
+`;
+    // Percorsi di destinazione
+    const scriptPath = path.join(squashfsRoot, 'usr/local/bin/mount-encrypted-home.sh');
+    const servicePath = path.join(squashfsRoot, 'etc/systemd/system/mount-encrypted-home.service');
+    const symlinkDir = path.join(squashfsRoot, 'etc/systemd/system/local-fs.target.wants');
+    const symlinkPath = path.join(symlinkDir, 'mount-encrypted-home.service');
+    // Create dirs
+    fs.mkdirSync(path.dirname(scriptPath), { recursive: true });
+    fs.mkdirSync(path.dirname(servicePath), { recursive: true });
+    fs.mkdirSync(symlinkDir, { recursive: true });
+    // Scrivi lo script
+    fs.writeFileSync(scriptPath, bashScript);
+    fs.chmodSync(scriptPath, 0o755);
+    // Scrivi il service
+    fs.writeFileSync(servicePath, systemdService);
+    // Crea il symlink per abilitare il service
+    if (fs.existsSync(symlinkPath)) {
+        fs.unlinkSync(symlinkPath);
+    }
+    fs.symlinkSync('../mount-encrypted-home.service', symlinkPath);
+}

package/dist/classes/ovary.d/luks-home-support.d.ts

@@ -8,5 +8,6 @@
 import Ovary from '../ovary.js';
 /**
  * Installa i file necessari per sbloccare home.img LUKS durante il boot
+ * Supporta sia Systemd (Debian/Ubuntu) che SysVinit (Devuan)
  */
 export declare function installHomecryptSupport(this: Ovary, squashfsRoot: string, homeImgPath: string): void;

package/dist/classes/ovary.d/luks-home-support.js

@@ -15,18 +15,23 @@ const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 /**
  * Installa i file necessari per sbloccare home.img LUKS durante il boot
+ * Supporta sia Systemd (Debian/Ubuntu) che SysVinit (Devuan)
  */
 export function installHomecryptSupport(squashfsRoot, homeImgPath) {
     Utils.warning('installing encrypted home support...');
-    // console.log("squashfsRoot:", squashfsRoot)
-    // console.log("homeImgPath:", homeImgPath)
-    // Leggi il template bash
+    // 1. PREPARAZIONE SCRIPT DI MONTAGGIO (Il "Motore")
     const templatePath = path.join(__dirname, '../../../scripts/mount-encrypted-home.sh');
     let bashScript = fs.readFileSync(templatePath, 'utf8');
-    // Sostituisci il placeholder con il path reale
     bashScript = bashScript.replace('__HOME_IMG_PATH__', homeImgPath);
-    // Systemd service
-    const systemdService = `[Unit]
+    const mountScriptPath = path.join(squashfsRoot, 'usr/local/bin/mount-encrypted-home.sh');
+    fs.mkdirSync(path.dirname(mountScriptPath), { recursive: true });
+    fs.writeFileSync(mountScriptPath, bashScript);
+    fs.chmodSync(mountScriptPath, 0o755);
+    // ---------------------------------------------------------
+    // RAMO SYSTEMD (Invariato - funziona bene con i .service)
+    // ---------------------------------------------------------
+    if (Utils.isSystemd()) {
+        const systemdService = `[Unit]
 Description=Unlock and mount encrypted home.img
 DefaultDependencies=no
 After=systemd-udev-settle.service local-fs-pre.target
@@ -48,23 +53,95 @@ ExecStop=/bin/bash -c 'umount /home && cryptsetup close live-home'
 [Install]
 WantedBy=local-fs.target
 `;
-    // Percorsi di destinazione
-    const scriptPath = path.join(squashfsRoot, 'usr/local/bin/mount-encrypted-home.sh');
-    const servicePath = path.join(squashfsRoot, 'etc/systemd/system/mount-encrypted-home.service');
-    const symlinkDir = path.join(squashfsRoot, 'etc/systemd/system/local-fs.target.wants');
-    const symlinkPath = path.join(symlinkDir, 'mount-encrypted-home.service');
-    // Create dirs
-    fs.mkdirSync(path.dirname(scriptPath), { recursive: true });
-    fs.mkdirSync(path.dirname(servicePath), { recursive: true });
-    fs.mkdirSync(symlinkDir, { recursive: true });
-    // Scrivi lo script
-    fs.writeFileSync(scriptPath, bashScript);
-    fs.chmodSync(scriptPath, 0o755);
-    // Scrivi il service
-    fs.writeFileSync(servicePath, systemdService);
-    // Crea il symlink per abilitare il service
-    if (fs.existsSync(symlinkPath)) {
-        fs.unlinkSync(symlinkPath);
+        const servicePath = path.join(squashfsRoot, 'etc/systemd/system/mount-encrypted-home.service');
+        const symlinkDir = path.join(squashfsRoot, 'etc/systemd/system/local-fs.target.wants');
+        const symlinkPath = path.join(symlinkDir, 'mount-encrypted-home.service');
+        fs.mkdirSync(path.dirname(servicePath), { recursive: true });
+        fs.mkdirSync(symlinkDir, { recursive: true });
+        fs.writeFileSync(servicePath, systemdService);
+        if (fs.existsSync(symlinkPath))
+            fs.unlinkSync(symlinkPath);
+        fs.symlinkSync('../mount-encrypted-home.service', symlinkPath);
+    }
+    // ---------------------------------------------------------
+    // RAMO SYSVINIT (DEVUAN) - METODO INITTAB HIJACK
+    // ---------------------------------------------------------
+    else if (Utils.isSysvinit()) {
+        Utils.warning('Configuring SysVinit via /etc/inittab hijacking (Persistent Method)...');
+        // A. Creiamo un Wrapper Script che fa: Sblocco -> Poi lancia Login
+        // Questo script prenderà il posto di 'agetty' su tty1
+        const wrapperScript = `#!/bin/sh
+# Wrapper per sbloccare la home prima del login su TTY1
+
+# 1. Setup ambiente minimale
+export TERM=linux
+export PATH=/sbin:/usr/sbin:/bin:/usr/bin
+
+# 2. Pulizia schermo e stop Plymouth
+clear
+if [ -x /bin/plymouth ] && /bin/plymouth --ping; then
+    /bin/plymouth quit
+fi
+
+# 3. Attesa dispositivi (importante per USB)
+echo "Waiting for devices..."
+/sbin/udevadm settle
+
+# 4. Esecuzione script di sblocco
+echo "------------------------------------------------"
+echo " CHECKING ENCRYPTED HOME STORAGE"
+echo "------------------------------------------------"
+/usr/local/bin/mount-encrypted-home.sh
+
+# 5. Controllo esito (visivo)
+if mountpoint -q /home; then
+    echo ">> Home mounted successfully."
+    sleep 1
+else
+    echo ">> Home NOT mounted. Continuing unencrypted..."
+    sleep 2
+fi
+
+# 6. LANCIO DEL VERO LOGIN (Sostituisce questo processo)
+# Nota: --noclear evita di cancellare i messaggi di errore precedenti
+exec /sbin/agetty --noclear tty1 linux
+`;
+        const wrapperPath = path.join(squashfsRoot, 'usr/local/bin/tty1-unlock-wrapper.sh');
+        fs.writeFileSync(wrapperPath, wrapperScript);
+        fs.chmodSync(wrapperPath, 0o755);
+        // B. Modifichiamo /etc/inittab per usare il nostro wrapper
+        const inittabPath = path.join(squashfsRoot, 'etc/inittab');
+        if (fs.existsSync(inittabPath)) {
+            let content = fs.readFileSync(inittabPath, 'utf8');
+            // La riga standard è solitamente: 1:2345:respawn:/sbin/getty 38400 tty1
+            // Oppure su Devuan: 1:2345:respawn:/sbin/agetty --noclear tty1 linux
+            // Cerchiamo qualsiasi riga che inizia con "1:" (tty1)
+            const regexTTY1 = /^1:.*$/m;
+            // La nuova riga che lancia il nostro wrapper invece di agetty diretto
+            const newLine = `1:2345:respawn:/usr/local/bin/tty1-unlock-wrapper.sh`;
+            if (regexTTY1.test(content)) {
+                content = content.replace(regexTTY1, newLine);
+                Utils.warning('Patched /etc/inittab to run home unlock on TTY1');
+            }
+            else {
+                // Se non la trova, la aggiungiamo in fondo (caso raro ma possibile)
+                content += `\n${newLine}\n`;
+            }
+            fs.writeFileSync(inittabPath, content);
+        }
+        // C. Pulizia vecchi tentativi (Rimuoviamo script init.d se presenti per evitare conflitti)
+        const badSymlinks = [
+            path.join(squashfsRoot, 'etc/rcS.d/S05mount-encrypted-home'),
+            path.join(squashfsRoot, 'etc/rcS.d/S20mount-encrypted-home'),
+            path.join(squashfsRoot, 'etc/rc2.d/S02mount-encrypted-home')
+        ];
+        badSymlinks.forEach(link => {
+            if (fs.existsSync(link))
+                fs.unlinkSync(link);
+        });
+        // Rimuoviamo anche lo script init.d stesso se esiste, non serve più
+        const initdFile = path.join(squashfsRoot, 'etc/init.d/mount-encrypted-home');
+        if (fs.existsSync(initdFile))
+            fs.unlinkSync(initdFile);
     }
-    fs.symlinkSync('../mount-encrypted-home.service', symlinkPath);
 }

package/dist/classes/ovary.d/luks-home.js

@@ -27,7 +27,7 @@ export async function luksHome(clone = false, homecrypt = false) {
     try {
         /**
          * this.luksMappedName = 'home.img';
-         * this.luksFile = `/tmp/${luksMappedName}`
+         * this.luksFile = `/var/tmp/${luksMappedName}`
          * this.luksDevice = `/dev/mapper/${luksMappedName}`
          * this.luksMountpoint = `/tmp/mnt/${luksMappedName}`
          * this.luksPassword = '0'
@@ -42,15 +42,21 @@ export async function luksHome(clone = false, homecrypt = false) {
         // Utils.warning('1. Calculation of space requirements...')
         let sizeString = (await exec('du -sb --exclude=/home/eggs /home', { capture: true })).data.trim().split(/\s+/)[0];
         let size = Number.parseInt(sizeString, 10);
-        const luksSize = Math.ceil(size * 2);
-        /**
-         * E' più precisa ma equivalente grazie
-         * al truncate
-         */
-        // const fsOverhead = Math.max(size * 0.1, 100 * 1024 * 1024)
-        // const luksSize = size * 1.25 + fsOverhead // +25% 
-        warning(`homes size: ${bytesToGB(size)}`);
-        warning(`partition LUKS ${this.luksFile} size: ${bytesToGB(luksSize)}`);
+        const fsOverhead = Math.ceil(size * 0.05);
+        const luksHeader = 32 * 1024 * 1024;
+        const safetyBuffer = 100 * 1024 * 1024;
+        let calculatedSize = size + fsOverhead + luksHeader + safetyBuffer;
+        const minSize = 64 * 1024 * 1024;
+        if (calculatedSize < minSize)
+            calculatedSize = minSize;
+        const alignment = 4 * 1024 * 1024;
+        const luksSize = Math.ceil(calculatedSize / alignment) * alignment;
+        warning(`------------------------------------------`);
+        warning(`HOME CRYPT CALCULATION (Read-Only):`);
+        warning(`  Data Payload:   ${bytesToGB(size)}`);
+        warning(`  Overhead+Buf:   ${bytesToGB(luksSize - size)}`);
+        warning(`  TOTAL SIZE:     ${bytesToGB(luksSize)}`);
+        warning(`------------------------------------------`);
         warning(`creating partition LUKS: ${this.luksFile}`);
         await this.luksExecuteCommand('truncate', ['--size', `${luksSize}`, this.luksFile]);
         warning(`formatting ${this.luksFile} as a LUKS volume...`);
@@ -59,7 +65,7 @@ export async function luksHome(clone = false, homecrypt = false) {
         await this.luksExecuteCommand('cryptsetup', luksFormatArgs, `${this.luksPassword}\n`);
         warning(`opening the LUKS volume. It will be mapped to ${this.luksDevice}`);
         await this.luksExecuteCommand('cryptsetup', ['luksOpen', this.luksFile, this.luksMappedName], `${this.luksPassword}\n`);
-        warning(`formatting c ext4 `);
+        warning(`formatting ext4 `);
         await exec(`mkfs.ext4 -L live-home ${this.luksDevice}`, this.echo);
         warning(`mounting ${this.luksDevice} on ${this.luksMountpoint}`);
         if (fs.existsSync(this.luksMountpoint)) {
@@ -74,17 +80,21 @@ export async function luksHome(clone = false, homecrypt = false) {
         await exec(`mount /dev/mapper/${this.luksMappedName} ${this.luksMountpoint}`, this.echo);
         warning(`copying /home on  ${this.luksMountpoint}`);
         await exec(`rsync -ah --exclude='eggs' /home/ ${this.luksMountpoint}`, this.echo);
+        /**
+         * utenti e gruppi in .system-backup
+         */
         warning(`saving user accounts info...`);
-        // Crea directory per backup system files
         await exec(`mkdir -p ${this.luksMountpoint}/.system-backup`, this.echo);
-        // Filtra solo utenti con UID >= 1000
+        // passwd/shadow: solo utenti con UID >= 1000
         await exec(`awk -F: '$3 >= 1000 {print}' /etc/passwd > ${this.luksMountpoint}/.system-backup/passwd`, this.echo);
         await exec(`awk -F: '$3 >= 1000 {print}' /etc/shadow > ${this.luksMountpoint}/.system-backup/shadow`, this.echo);
-        // Per i gruppi: salva TUTTI (non filtrare per GID)
+        // group/gshadow TUTTI
         // Gli utenti possono appartenere a gruppi di sistema (sudo, audio, video, etc.)
         await exec(`cp /etc/group ${this.luksMountpoint}/.system-backup/group`, this.echo);
         await exec(`cp /etc/gshadow ${this.luksMountpoint}/.system-backup/gshadow`, this.echo);
-        // saving display manager (autologin) configs...
+        /**
+         * saving display manager (autologin) configs...
+         */
         warning(`saving display manager configuration...`);
         // GDM (gdm3 è comune su Debian/Ubuntu)
         await exec(`[ -e /etc/gdm3 ] && cp -a /etc/gdm3 ${this.luksMountpoint}/.system-backup/`, this.echo);
@@ -95,10 +105,10 @@ export async function luksHome(clone = false, homecrypt = false) {
         // SDDM (sia file .conf che directory .conf.d)
         await exec(`[ -e /etc/sddm.conf ] && cp -a /etc/sddm.conf ${this.luksMountpoint}/.system-backup/`, this.echo);
         await exec(`[ -e /etc/sddm.conf.d ] && cp -a /etc/sddm.conf.d ${this.luksMountpoint}/.system-backup/`, this.echo);
-        warning(`unmount ${this.luksDevice}`);
-        await exec(`umount ${this.luksMountpoint}`, this.echo);
-        warning(`closing LUKS volume ${this.luksMappedName}.`);
-        await this.luksExecuteCommand('cryptsetup', ['close', this.luksMappedName]);
+        warning(`Syncing filesystem on ${this.luksMountpoint}...`);
+        await exec('sync', this.echo); // Forza scrittura dati su disco
+        // Shrink()
+        await this.luksShrink();
         warning(`moving ${this.luksMappedName}  to (ISO)/live/.`);
         await exec(`mv ${this.luksFile} ${this.settings.iso_work}/live`, this.echo);
         warning('encryption process successfully completed!');
@@ -117,6 +127,10 @@ export async function luksHome(clone = false, homecrypt = false) {
         if (fs.existsSync(this.luksDevice)) {
             await this.luksExecuteCommand('cryptsetup', ['close', this.luksMappedName]).catch(() => { });
         }
+        if (fs.existsSync(this.luksFile)) {
+            Utils.warning(`Removing temporary container: ${this.luksFile}`);
+            fs.unlinkSync(this.luksFile);
+        }
         await Utils.pressKeyToExit();
         process.exit(1);
     }

package/dist/classes/ovary.d/luks-root.d.ts

@@ -8,8 +8,7 @@
 import Ovary from '../ovary.js';
 /**
  * luksRoot()
- *
- * create a container LUKS with the entire
+ * * create a container LUKS with the entire
  * filesystem.squashfs
  */
 export declare function luksRoot(this: Ovary): Promise<void>;