├── LICENSE
├── README.md
├── build
├── install
├── modules.d
├── 10_bond
│ ├── configVars
│ ├── hook
│ ├── hook.vlans
│ ├── packageDependencies
│ └── setup
├── 10_iphone
│ ├── configVars
│ ├── hook
│ ├── packageDependencies
│ └── setup
├── 10_wifi
│ ├── configVars
│ ├── hook
│ ├── packageDependencies
│ └── setup
├── 15_dhcp
│ ├── configVars
│ ├── hook
│ ├── packageDependencies
│ └── setup
├── 19_keyfile
│ ├── configVars
│ ├── hook
│ ├── packageDependencies
│ └── setup
├── 19_serial
│ ├── configVars
│ ├── hook
│ ├── packageDependencies
│ └── setup
├── 20_vault
│ ├── configVars
│ ├── hook
│ ├── packageDependencies
│ └── setup
├── 21_ssh
│ ├── configVars
│ ├── hook
│ ├── packageDependencies
│ └── setup
└── 5_configuration
│ └── configVars
├── zfsUnlocker.hook
└── zfsUnlocker.install
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU GENERAL PUBLIC LICENSE
2 | Version 3, 29 June 2007
3 |
4 | Copyright (C) 2007 Free Software Foundation, Inc.
5 | Everyone is permitted to copy and distribute verbatim copies
6 | of this license document, but changing it is not allowed.
7 |
8 | Preamble
9 |
10 | The GNU General Public License is a free, copyleft license for
11 | software and other kinds of works.
12 |
13 | The licenses for most software and other practical works are designed
14 | to take away your freedom to share and change the works. By contrast,
15 | the GNU General Public License is intended to guarantee your freedom to
16 | share and change all versions of a program--to make sure it remains free
17 | software for all its users. We, the Free Software Foundation, use the
18 | GNU General Public License for most of our software; it applies also to
19 | any other work released this way by its authors. You can apply it to
20 | your programs, too.
21 |
22 | When we speak of free software, we are referring to freedom, not
23 | price. Our General Public Licenses are designed to make sure that you
24 | have the freedom to distribute copies of free software (and charge for
25 | them if you wish), that you receive source code or can get it if you
26 | want it, that you can change the software or use pieces of it in new
27 | free programs, and that you know you can do these things.
28 |
29 | To protect your rights, we need to prevent others from denying you
30 | these rights or asking you to surrender the rights. Therefore, you have
31 | certain responsibilities if you distribute copies of the software, or if
32 | you modify it: responsibilities to respect the freedom of others.
33 |
34 | For example, if you distribute copies of such a program, whether
35 | gratis or for a fee, you must pass on to the recipients the same
36 | freedoms that you received. You must make sure that they, too, receive
37 | or can get the source code. And you must show them these terms so they
38 | know their rights.
39 |
40 | Developers that use the GNU GPL protect your rights with two steps:
41 | (1) assert copyright on the software, and (2) offer you this License
42 | giving you legal permission to copy, distribute and/or modify it.
43 |
44 | For the developers' and authors' protection, the GPL clearly explains
45 | that there is no warranty for this free software. For both users' and
46 | authors' sake, the GPL requires that modified versions be marked as
47 | changed, so that their problems will not be attributed erroneously to
48 | authors of previous versions.
49 |
50 | Some devices are designed to deny users access to install or run
51 | modified versions of the software inside them, although the manufacturer
52 | can do so. This is fundamentally incompatible with the aim of
53 | protecting users' freedom to change the software. The systematic
54 | pattern of such abuse occurs in the area of products for individuals to
55 | use, which is precisely where it is most unacceptable. Therefore, we
56 | have designed this version of the GPL to prohibit the practice for those
57 | products. If such problems arise substantially in other domains, we
58 | stand ready to extend this provision to those domains in future versions
59 | of the GPL, as needed to protect the freedom of users.
60 |
61 | Finally, every program is threatened constantly by software patents.
62 | States should not allow patents to restrict development and use of
63 | software on general-purpose computers, but in those that do, we wish to
64 | avoid the special danger that patents applied to a free program could
65 | make it effectively proprietary. To prevent this, the GPL assures that
66 | patents cannot be used to render the program non-free.
67 |
68 | The precise terms and conditions for copying, distribution and
69 | modification follow.
70 |
71 | TERMS AND CONDITIONS
72 |
73 | 0. Definitions.
74 |
75 | "This License" refers to version 3 of the GNU General Public License.
76 |
77 | "Copyright" also means copyright-like laws that apply to other kinds of
78 | works, such as semiconductor masks.
79 |
80 | "The Program" refers to any copyrightable work licensed under this
81 | License. Each licensee is addressed as "you". "Licensees" and
82 | "recipients" may be individuals or organizations.
83 |
84 | To "modify" a work means to copy from or adapt all or part of the work
85 | in a fashion requiring copyright permission, other than the making of an
86 | exact copy. The resulting work is called a "modified version" of the
87 | earlier work or a work "based on" the earlier work.
88 |
89 | A "covered work" means either the unmodified Program or a work based
90 | on the Program.
91 |
92 | To "propagate" a work means to do anything with it that, without
93 | permission, would make you directly or secondarily liable for
94 | infringement under applicable copyright law, except executing it on a
95 | computer or modifying a private copy. Propagation includes copying,
96 | distribution (with or without modification), making available to the
97 | public, and in some countries other activities as well.
98 |
99 | To "convey" a work means any kind of propagation that enables other
100 | parties to make or receive copies. Mere interaction with a user through
101 | a computer network, with no transfer of a copy, is not conveying.
102 |
103 | An interactive user interface displays "Appropriate Legal Notices"
104 | to the extent that it includes a convenient and prominently visible
105 | feature that (1) displays an appropriate copyright notice, and (2)
106 | tells the user that there is no warranty for the work (except to the
107 | extent that warranties are provided), that licensees may convey the
108 | work under this License, and how to view a copy of this License. If
109 | the interface presents a list of user commands or options, such as a
110 | menu, a prominent item in the list meets this criterion.
111 |
112 | 1. Source Code.
113 |
114 | The "source code" for a work means the preferred form of the work
115 | for making modifications to it. "Object code" means any non-source
116 | form of a work.
117 |
118 | A "Standard Interface" means an interface that either is an official
119 | standard defined by a recognized standards body, or, in the case of
120 | interfaces specified for a particular programming language, one that
121 | is widely used among developers working in that language.
122 |
123 | The "System Libraries" of an executable work include anything, other
124 | than the work as a whole, that (a) is included in the normal form of
125 | packaging a Major Component, but which is not part of that Major
126 | Component, and (b) serves only to enable use of the work with that
127 | Major Component, or to implement a Standard Interface for which an
128 | implementation is available to the public in source code form. A
129 | "Major Component", in this context, means a major essential component
130 | (kernel, window system, and so on) of the specific operating system
131 | (if any) on which the executable work runs, or a compiler used to
132 | produce the work, or an object code interpreter used to run it.
133 |
134 | The "Corresponding Source" for a work in object code form means all
135 | the source code needed to generate, install, and (for an executable
136 | work) run the object code and to modify the work, including scripts to
137 | control those activities. However, it does not include the work's
138 | System Libraries, or general-purpose tools or generally available free
139 | programs which are used unmodified in performing those activities but
140 | which are not part of the work. For example, Corresponding Source
141 | includes interface definition files associated with source files for
142 | the work, and the source code for shared libraries and dynamically
143 | linked subprograms that the work is specifically designed to require,
144 | such as by intimate data communication or control flow between those
145 | subprograms and other parts of the work.
146 |
147 | The Corresponding Source need not include anything that users
148 | can regenerate automatically from other parts of the Corresponding
149 | Source.
150 |
151 | The Corresponding Source for a work in source code form is that
152 | same work.
153 |
154 | 2. Basic Permissions.
155 |
156 | All rights granted under this License are granted for the term of
157 | copyright on the Program, and are irrevocable provided the stated
158 | conditions are met. This License explicitly affirms your unlimited
159 | permission to run the unmodified Program. The output from running a
160 | covered work is covered by this License only if the output, given its
161 | content, constitutes a covered work. This License acknowledges your
162 | rights of fair use or other equivalent, as provided by copyright law.
163 |
164 | You may make, run and propagate covered works that you do not
165 | convey, without conditions so long as your license otherwise remains
166 | in force. You may convey covered works to others for the sole purpose
167 | of having them make modifications exclusively for you, or provide you
168 | with facilities for running those works, provided that you comply with
169 | the terms of this License in conveying all material for which you do
170 | not control copyright. Those thus making or running the covered works
171 | for you must do so exclusively on your behalf, under your direction
172 | and control, on terms that prohibit them from making any copies of
173 | your copyrighted material outside their relationship with you.
174 |
175 | Conveying under any other circumstances is permitted solely under
176 | the conditions stated below. Sublicensing is not allowed; section 10
177 | makes it unnecessary.
178 |
179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
180 |
181 | No covered work shall be deemed part of an effective technological
182 | measure under any applicable law fulfilling obligations under article
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
184 | similar laws prohibiting or restricting circumvention of such
185 | measures.
186 |
187 | When you convey a covered work, you waive any legal power to forbid
188 | circumvention of technological measures to the extent such circumvention
189 | is effected by exercising rights under this License with respect to
190 | the covered work, and you disclaim any intention to limit operation or
191 | modification of the work as a means of enforcing, against the work's
192 | users, your or third parties' legal rights to forbid circumvention of
193 | technological measures.
194 |
195 | 4. Conveying Verbatim Copies.
196 |
197 | You may convey verbatim copies of the Program's source code as you
198 | receive it, in any medium, provided that you conspicuously and
199 | appropriately publish on each copy an appropriate copyright notice;
200 | keep intact all notices stating that this License and any
201 | non-permissive terms added in accord with section 7 apply to the code;
202 | keep intact all notices of the absence of any warranty; and give all
203 | recipients a copy of this License along with the Program.
204 |
205 | You may charge any price or no price for each copy that you convey,
206 | and you may offer support or warranty protection for a fee.
207 |
208 | 5. Conveying Modified Source Versions.
209 |
210 | You may convey a work based on the Program, or the modifications to
211 | produce it from the Program, in the form of source code under the
212 | terms of section 4, provided that you also meet all of these conditions:
213 |
214 | a) The work must carry prominent notices stating that you modified
215 | it, and giving a relevant date.
216 |
217 | b) The work must carry prominent notices stating that it is
218 | released under this License and any conditions added under section
219 | 7. This requirement modifies the requirement in section 4 to
220 | "keep intact all notices".
221 |
222 | c) You must license the entire work, as a whole, under this
223 | License to anyone who comes into possession of a copy. This
224 | License will therefore apply, along with any applicable section 7
225 | additional terms, to the whole of the work, and all its parts,
226 | regardless of how they are packaged. This License gives no
227 | permission to license the work in any other way, but it does not
228 | invalidate such permission if you have separately received it.
229 |
230 | d) If the work has interactive user interfaces, each must display
231 | Appropriate Legal Notices; however, if the Program has interactive
232 | interfaces that do not display Appropriate Legal Notices, your
233 | work need not make them do so.
234 |
235 | A compilation of a covered work with other separate and independent
236 | works, which are not by their nature extensions of the covered work,
237 | and which are not combined with it such as to form a larger program,
238 | in or on a volume of a storage or distribution medium, is called an
239 | "aggregate" if the compilation and its resulting copyright are not
240 | used to limit the access or legal rights of the compilation's users
241 | beyond what the individual works permit. Inclusion of a covered work
242 | in an aggregate does not cause this License to apply to the other
243 | parts of the aggregate.
244 |
245 | 6. Conveying Non-Source Forms.
246 |
247 | You may convey a covered work in object code form under the terms
248 | of sections 4 and 5, provided that you also convey the
249 | machine-readable Corresponding Source under the terms of this License,
250 | in one of these ways:
251 |
252 | a) Convey the object code in, or embodied in, a physical product
253 | (including a physical distribution medium), accompanied by the
254 | Corresponding Source fixed on a durable physical medium
255 | customarily used for software interchange.
256 |
257 | b) Convey the object code in, or embodied in, a physical product
258 | (including a physical distribution medium), accompanied by a
259 | written offer, valid for at least three years and valid for as
260 | long as you offer spare parts or customer support for that product
261 | model, to give anyone who possesses the object code either (1) a
262 | copy of the Corresponding Source for all the software in the
263 | product that is covered by this License, on a durable physical
264 | medium customarily used for software interchange, for a price no
265 | more than your reasonable cost of physically performing this
266 | conveying of source, or (2) access to copy the
267 | Corresponding Source from a network server at no charge.
268 |
269 | c) Convey individual copies of the object code with a copy of the
270 | written offer to provide the Corresponding Source. This
271 | alternative is allowed only occasionally and noncommercially, and
272 | only if you received the object code with such an offer, in accord
273 | with subsection 6b.
274 |
275 | d) Convey the object code by offering access from a designated
276 | place (gratis or for a charge), and offer equivalent access to the
277 | Corresponding Source in the same way through the same place at no
278 | further charge. You need not require recipients to copy the
279 | Corresponding Source along with the object code. If the place to
280 | copy the object code is a network server, the Corresponding Source
281 | may be on a different server (operated by you or a third party)
282 | that supports equivalent copying facilities, provided you maintain
283 | clear directions next to the object code saying where to find the
284 | Corresponding Source. Regardless of what server hosts the
285 | Corresponding Source, you remain obligated to ensure that it is
286 | available for as long as needed to satisfy these requirements.
287 |
288 | e) Convey the object code using peer-to-peer transmission, provided
289 | you inform other peers where the object code and Corresponding
290 | Source of the work are being offered to the general public at no
291 | charge under subsection 6d.
292 |
293 | A separable portion of the object code, whose source code is excluded
294 | from the Corresponding Source as a System Library, need not be
295 | included in conveying the object code work.
296 |
297 | A "User Product" is either (1) a "consumer product", which means any
298 | tangible personal property which is normally used for personal, family,
299 | or household purposes, or (2) anything designed or sold for incorporation
300 | into a dwelling. In determining whether a product is a consumer product,
301 | doubtful cases shall be resolved in favor of coverage. For a particular
302 | product received by a particular user, "normally used" refers to a
303 | typical or common use of that class of product, regardless of the status
304 | of the particular user or of the way in which the particular user
305 | actually uses, or expects or is expected to use, the product. A product
306 | is a consumer product regardless of whether the product has substantial
307 | commercial, industrial or non-consumer uses, unless such uses represent
308 | the only significant mode of use of the product.
309 |
310 | "Installation Information" for a User Product means any methods,
311 | procedures, authorization keys, or other information required to install
312 | and execute modified versions of a covered work in that User Product from
313 | a modified version of its Corresponding Source. The information must
314 | suffice to ensure that the continued functioning of the modified object
315 | code is in no case prevented or interfered with solely because
316 | modification has been made.
317 |
318 | If you convey an object code work under this section in, or with, or
319 | specifically for use in, a User Product, and the conveying occurs as
320 | part of a transaction in which the right of possession and use of the
321 | User Product is transferred to the recipient in perpetuity or for a
322 | fixed term (regardless of how the transaction is characterized), the
323 | Corresponding Source conveyed under this section must be accompanied
324 | by the Installation Information. But this requirement does not apply
325 | if neither you nor any third party retains the ability to install
326 | modified object code on the User Product (for example, the work has
327 | been installed in ROM).
328 |
329 | The requirement to provide Installation Information does not include a
330 | requirement to continue to provide support service, warranty, or updates
331 | for a work that has been modified or installed by the recipient, or for
332 | the User Product in which it has been modified or installed. Access to a
333 | network may be denied when the modification itself materially and
334 | adversely affects the operation of the network or violates the rules and
335 | protocols for communication across the network.
336 |
337 | Corresponding Source conveyed, and Installation Information provided,
338 | in accord with this section must be in a format that is publicly
339 | documented (and with an implementation available to the public in
340 | source code form), and must require no special password or key for
341 | unpacking, reading or copying.
342 |
343 | 7. Additional Terms.
344 |
345 | "Additional permissions" are terms that supplement the terms of this
346 | License by making exceptions from one or more of its conditions.
347 | Additional permissions that are applicable to the entire Program shall
348 | be treated as though they were included in this License, to the extent
349 | that they are valid under applicable law. If additional permissions
350 | apply only to part of the Program, that part may be used separately
351 | under those permissions, but the entire Program remains governed by
352 | this License without regard to the additional permissions.
353 |
354 | When you convey a copy of a covered work, you may at your option
355 | remove any additional permissions from that copy, or from any part of
356 | it. (Additional permissions may be written to require their own
357 | removal in certain cases when you modify the work.) You may place
358 | additional permissions on material, added by you to a covered work,
359 | for which you have or can give appropriate copyright permission.
360 |
361 | Notwithstanding any other provision of this License, for material you
362 | add to a covered work, you may (if authorized by the copyright holders of
363 | that material) supplement the terms of this License with terms:
364 |
365 | a) Disclaiming warranty or limiting liability differently from the
366 | terms of sections 15 and 16 of this License; or
367 |
368 | b) Requiring preservation of specified reasonable legal notices or
369 | author attributions in that material or in the Appropriate Legal
370 | Notices displayed by works containing it; or
371 |
372 | c) Prohibiting misrepresentation of the origin of that material, or
373 | requiring that modified versions of such material be marked in
374 | reasonable ways as different from the original version; or
375 |
376 | d) Limiting the use for publicity purposes of names of licensors or
377 | authors of the material; or
378 |
379 | e) Declining to grant rights under trademark law for use of some
380 | trade names, trademarks, or service marks; or
381 |
382 | f) Requiring indemnification of licensors and authors of that
383 | material by anyone who conveys the material (or modified versions of
384 | it) with contractual assumptions of liability to the recipient, for
385 | any liability that these contractual assumptions directly impose on
386 | those licensors and authors.
387 |
388 | All other non-permissive additional terms are considered "further
389 | restrictions" within the meaning of section 10. If the Program as you
390 | received it, or any part of it, contains a notice stating that it is
391 | governed by this License along with a term that is a further
392 | restriction, you may remove that term. If a license document contains
393 | a further restriction but permits relicensing or conveying under this
394 | License, you may add to a covered work material governed by the terms
395 | of that license document, provided that the further restriction does
396 | not survive such relicensing or conveying.
397 |
398 | If you add terms to a covered work in accord with this section, you
399 | must place, in the relevant source files, a statement of the
400 | additional terms that apply to those files, or a notice indicating
401 | where to find the applicable terms.
402 |
403 | Additional terms, permissive or non-permissive, may be stated in the
404 | form of a separately written license, or stated as exceptions;
405 | the above requirements apply either way.
406 |
407 | 8. Termination.
408 |
409 | You may not propagate or modify a covered work except as expressly
410 | provided under this License. Any attempt otherwise to propagate or
411 | modify it is void, and will automatically terminate your rights under
412 | this License (including any patent licenses granted under the third
413 | paragraph of section 11).
414 |
415 | However, if you cease all violation of this License, then your
416 | license from a particular copyright holder is reinstated (a)
417 | provisionally, unless and until the copyright holder explicitly and
418 | finally terminates your license, and (b) permanently, if the copyright
419 | holder fails to notify you of the violation by some reasonable means
420 | prior to 60 days after the cessation.
421 |
422 | Moreover, your license from a particular copyright holder is
423 | reinstated permanently if the copyright holder notifies you of the
424 | violation by some reasonable means, this is the first time you have
425 | received notice of violation of this License (for any work) from that
426 | copyright holder, and you cure the violation prior to 30 days after
427 | your receipt of the notice.
428 |
429 | Termination of your rights under this section does not terminate the
430 | licenses of parties who have received copies or rights from you under
431 | this License. If your rights have been terminated and not permanently
432 | reinstated, you do not qualify to receive new licenses for the same
433 | material under section 10.
434 |
435 | 9. Acceptance Not Required for Having Copies.
436 |
437 | You are not required to accept this License in order to receive or
438 | run a copy of the Program. Ancillary propagation of a covered work
439 | occurring solely as a consequence of using peer-to-peer transmission
440 | to receive a copy likewise does not require acceptance. However,
441 | nothing other than this License grants you permission to propagate or
442 | modify any covered work. These actions infringe copyright if you do
443 | not accept this License. Therefore, by modifying or propagating a
444 | covered work, you indicate your acceptance of this License to do so.
445 |
446 | 10. Automatic Licensing of Downstream Recipients.
447 |
448 | Each time you convey a covered work, the recipient automatically
449 | receives a license from the original licensors, to run, modify and
450 | propagate that work, subject to this License. You are not responsible
451 | for enforcing compliance by third parties with this License.
452 |
453 | An "entity transaction" is a transaction transferring control of an
454 | organization, or substantially all assets of one, or subdividing an
455 | organization, or merging organizations. If propagation of a covered
456 | work results from an entity transaction, each party to that
457 | transaction who receives a copy of the work also receives whatever
458 | licenses to the work the party's predecessor in interest had or could
459 | give under the previous paragraph, plus a right to possession of the
460 | Corresponding Source of the work from the predecessor in interest, if
461 | the predecessor has it or can get it with reasonable efforts.
462 |
463 | You may not impose any further restrictions on the exercise of the
464 | rights granted or affirmed under this License. For example, you may
465 | not impose a license fee, royalty, or other charge for exercise of
466 | rights granted under this License, and you may not initiate litigation
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that
468 | any patent claim is infringed by making, using, selling, offering for
469 | sale, or importing the Program or any portion of it.
470 |
471 | 11. Patents.
472 |
473 | A "contributor" is a copyright holder who authorizes use under this
474 | License of the Program or a work on which the Program is based. The
475 | work thus licensed is called the contributor's "contributor version".
476 |
477 | A contributor's "essential patent claims" are all patent claims
478 | owned or controlled by the contributor, whether already acquired or
479 | hereafter acquired, that would be infringed by some manner, permitted
480 | by this License, of making, using, or selling its contributor version,
481 | but do not include claims that would be infringed only as a
482 | consequence of further modification of the contributor version. For
483 | purposes of this definition, "control" includes the right to grant
484 | patent sublicenses in a manner consistent with the requirements of
485 | this License.
486 |
487 | Each contributor grants you a non-exclusive, worldwide, royalty-free
488 | patent license under the contributor's essential patent claims, to
489 | make, use, sell, offer for sale, import and otherwise run, modify and
490 | propagate the contents of its contributor version.
491 |
492 | In the following three paragraphs, a "patent license" is any express
493 | agreement or commitment, however denominated, not to enforce a patent
494 | (such as an express permission to practice a patent or covenant not to
495 | sue for patent infringement). To "grant" such a patent license to a
496 | party means to make such an agreement or commitment not to enforce a
497 | patent against the party.
498 |
499 | If you convey a covered work, knowingly relying on a patent license,
500 | and the Corresponding Source of the work is not available for anyone
501 | to copy, free of charge and under the terms of this License, through a
502 | publicly available network server or other readily accessible means,
503 | then you must either (1) cause the Corresponding Source to be so
504 | available, or (2) arrange to deprive yourself of the benefit of the
505 | patent license for this particular work, or (3) arrange, in a manner
506 | consistent with the requirements of this License, to extend the patent
507 | license to downstream recipients. "Knowingly relying" means you have
508 | actual knowledge that, but for the patent license, your conveying the
509 | covered work in a country, or your recipient's use of the covered work
510 | in a country, would infringe one or more identifiable patents in that
511 | country that you have reason to believe are valid.
512 |
513 | If, pursuant to or in connection with a single transaction or
514 | arrangement, you convey, or propagate by procuring conveyance of, a
515 | covered work, and grant a patent license to some of the parties
516 | receiving the covered work authorizing them to use, propagate, modify
517 | or convey a specific copy of the covered work, then the patent license
518 | you grant is automatically extended to all recipients of the covered
519 | work and works based on it.
520 |
521 | A patent license is "discriminatory" if it does not include within
522 | the scope of its coverage, prohibits the exercise of, or is
523 | conditioned on the non-exercise of one or more of the rights that are
524 | specifically granted under this License. You may not convey a covered
525 | work if you are a party to an arrangement with a third party that is
526 | in the business of distributing software, under which you make payment
527 | to the third party based on the extent of your activity of conveying
528 | the work, and under which the third party grants, to any of the
529 | parties who would receive the covered work from you, a discriminatory
530 | patent license (a) in connection with copies of the covered work
531 | conveyed by you (or copies made from those copies), or (b) primarily
532 | for and in connection with specific products or compilations that
533 | contain the covered work, unless you entered into that arrangement,
534 | or that patent license was granted, prior to 28 March 2007.
535 |
536 | Nothing in this License shall be construed as excluding or limiting
537 | any implied license or other defenses to infringement that may
538 | otherwise be available to you under applicable patent law.
539 |
540 | 12. No Surrender of Others' Freedom.
541 |
542 | If conditions are imposed on you (whether by court order, agreement or
543 | otherwise) that contradict the conditions of this License, they do not
544 | excuse you from the conditions of this License. If you cannot convey a
545 | covered work so as to satisfy simultaneously your obligations under this
546 | License and any other pertinent obligations, then as a consequence you may
547 | not convey it at all. For example, if you agree to terms that obligate you
548 | to collect a royalty for further conveying from those to whom you convey
549 | the Program, the only way you could satisfy both those terms and this
550 | License would be to refrain entirely from conveying the Program.
551 |
552 | 13. Use with the GNU Affero General Public License.
553 |
554 | Notwithstanding any other provision of this License, you have
555 | permission to link or combine any covered work with a work licensed
556 | under version 3 of the GNU Affero General Public License into a single
557 | combined work, and to convey the resulting work. The terms of this
558 | License will continue to apply to the part which is the covered work,
559 | but the special requirements of the GNU Affero General Public License,
560 | section 13, concerning interaction through a network will apply to the
561 | combination as such.
562 |
563 | 14. Revised Versions of this License.
564 |
565 | The Free Software Foundation may publish revised and/or new versions of
566 | the GNU General Public License from time to time. Such new versions will
567 | be similar in spirit to the present version, but may differ in detail to
568 | address new problems or concerns.
569 |
570 | Each version is given a distinguishing version number. If the
571 | Program specifies that a certain numbered version of the GNU General
572 | Public License "or any later version" applies to it, you have the
573 | option of following the terms and conditions either of that numbered
574 | version or of any later version published by the Free Software
575 | Foundation. If the Program does not specify a version number of the
576 | GNU General Public License, you may choose any version ever published
577 | by the Free Software Foundation.
578 |
579 | If the Program specifies that a proxy can decide which future
580 | versions of the GNU General Public License can be used, that proxy's
581 | public statement of acceptance of a version permanently authorizes you
582 | to choose that version for the Program.
583 |
584 | Later license versions may give you additional or different
585 | permissions. However, no additional obligations are imposed on any
586 | author or copyright holder as a result of your choosing to follow a
587 | later version.
588 |
589 | 15. Disclaimer of Warranty.
590 |
591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
599 |
600 | 16. Limitation of Liability.
601 |
602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
610 | SUCH DAMAGES.
611 |
612 | 17. Interpretation of Sections 15 and 16.
613 |
614 | If the disclaimer of warranty and limitation of liability provided
615 | above cannot be given local legal effect according to their terms,
616 | reviewing courts shall apply local law that most closely approximates
617 | an absolute waiver of all civil liability in connection with the
618 | Program, unless a warranty or assumption of liability accompanies a
619 | copy of the Program in return for a fee.
620 |
621 | END OF TERMS AND CONDITIONS
622 |
623 | How to Apply These Terms to Your New Programs
624 |
625 | If you develop a new program, and you want it to be of the greatest
626 | possible use to the public, the best way to achieve this is to make it
627 | free software which everyone can redistribute and change under these terms.
628 |
629 | To do so, attach the following notices to the program. It is safest
630 | to attach them to the start of each source file to most effectively
631 | state the exclusion of warranty; and each file should have at least
632 | the "copyright" line and a pointer to where the full notice is found.
633 |
634 |
635 | Copyright (C)
636 |
637 | This program is free software: you can redistribute it and/or modify
638 | it under the terms of the GNU General Public License as published by
639 | the Free Software Foundation, either version 3 of the License, or
640 | (at your option) any later version.
641 |
642 | This program is distributed in the hope that it will be useful,
643 | but WITHOUT ANY WARRANTY; without even the implied warranty of
644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
645 | GNU General Public License for more details.
646 |
647 | You should have received a copy of the GNU General Public License
648 | along with this program. If not, see .
649 |
650 | Also add information on how to contact you by electronic and paper mail.
651 |
652 | If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 |
655 | Copyright (C)
656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 | This is free software, and you are welcome to redistribute it
658 | under certain conditions; type `show c' for details.
659 |
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License. Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 |
664 | You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | .
668 |
669 | The GNU General Public License does not permit incorporating your program
670 | into proprietary programs. If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library. If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License. But first, please read
674 | .
675 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # zfsUnlocker
2 |
3 | ## About
4 |
5 | A port/rewrite of my local git server's zfsvault project which is a heavy modification of the Archlinux zfs boot hook. Rewritten a bit more modular.
6 |
7 | Designed to unlock the root dataset at boot time (but also others if seen) by reaching out to a Hashicorp Vault server.
8 |
9 | ## Notes
10 |
11 | At the current time this is only designed for mkinitcpio hook use
12 |
13 |
14 | ## How to use it
15 |
16 | 1. Clone the repository or grab the latest stable release
17 | 2. run zfsUnlocker/install.
18 |
19 | This will copy itself into a new directory `/etc/zfsUnlocker` with a config file `/etc/zfsUnlocker/zfsUnlocker.conf`.
20 |
21 | The script also places a hook and install file for mkinitcpio to reference.
22 |
23 | 3. Edit `/etc/mkinitcpio.conf` and add `zfsUnlocker` to your hooks. I put it at the end.
24 | 4. Optionally edit `/etc/zfsUnlocker/zfsUnlocker.conf` adding your vault server's fqdn and either a vault token or approle role_id/secret_id pair. These can also be passed in kernel arguments if desired. Among other features.
25 | 5. Run `mkinitcpio -P` to build an initramfs with this hook, its modules and config inside.
26 |
27 | If you're using a kv secret engine which is named something other than `kv` you can modify the vaultKvEngineName variable to match.
28 |
29 | If you also aren't storing the secrets directly under kvEngineName/zfs/zpoolNames/datasetNames you can also change `vaultRootSearchPath` to match your secret paths.
30 |
31 | If you also aren't using the key `passphrase` to store the passphrase value there's `vaultKeyName` too.
32 |
33 |
34 | ## Notes and other features
35 |
36 | Configuring the conf file is optional for the most part but has some potentially nifty configuration options among other bits and pieces:
37 |
38 | * Network bond creation
39 | * Designed for servers which can't just DHCP directly on an interface
40 | * iPhone tethering (Enabled by default)
41 | * For Internet access via idevicepair, ipheth & usbmuxd
42 | * variable `wirelessNetworks`
43 | * For defining one or more SSID:PSK combos for wpa_supplicant to try joining during the DHCP section of the script.
44 | * variable `forceInterface`
45 | * to override the DHCP interface
46 | * ssh passphrase generation and pubkey installation
47 | * For rare scenarios where a token may have expired for unlocking the machine remotely
48 |
49 | The script tries stored vault tokens first and if unsuccessful looks to the kernel arguments for another token or approle role_id/secret_id combo to try.
50 |
51 | If kernel arguments are used the script attempts to protect them by changing the permissions on `/proc/cmdline`.
52 |
53 | ## Hashicorp Vault setup example
54 |
55 | Examples assuming a ZFS rootfs system consisting of a zpool named after its shortname and a natively encrypted dataset 'root' (computer-name/root)
56 |
57 | ### kv configuration
58 |
59 | 1. `vault secrets enable -version=2 kv`
60 |
61 | 2. `vault kv put kv/zfs/computer-name/root passphrase='testPa5sphraseH3re'`
62 |
63 | ### Policy
64 | An example policy which allows reading all of a zpool's dataset keys, if defined.
65 |
66 | echo 'path "kv/data/zfs/computer-name/*" {capabilities = ["read"]}
67 | path "auth/token/lookup-self" {capabilities = ["read"]}' | \
68 | vault policy write zfs/computer-name -
69 |
70 |
71 | ### Token based access
72 |
73 | vault token create -policy=zfs/computer-name -ttl=30d -display-name=computer-name
74 |
75 | Specify the resulting string as VAULT_TOKEN=xxx in either `/etc/zfsUnlocker/zfsUnlocker.conf` or in your kernel arguments.
76 |
77 | ### Approle based access
78 |
79 | An example approle granting read access to the above strict single-zpool policy.
80 |
81 | Successful auth for this example generates a token valid for one minute or two uses. Exactly enough for the hook to look its own token up (-1) and read exactly one kv secret afterwards (-1) before expiring - or 60 seconds. With the secret_id being reusable infinitely until it expires after 7 days.
82 |
83 | In an example where there are more datasets to unlock in the early boot stage with unique passphrases, it may be a better idea to set `token_num_uses=0` for infinite uses until the minute is up and the token expires.
84 |
85 | Aptly named after the computer the approle's being made for.
86 |
87 | 1. `vault auth enable approle`
88 | 2. `vault write auth/approle/role/zfs_computer-name secret_id_ttl=7d token_num_uses=2 token_ttl=60s token_max_ttl=60s secret_id_num_uses=0 policies=zfs/computer-name`
89 | 3. `vault read auth/approle/role/zfs_computer-name/role-id # Get the role_id`
90 | 4. `vault write -f auth/approle/role/zfs_computer-name/secret-id # Create a secret_id`
91 |
92 | Note down the returned role and secret IDs. They can be specified as `role_id=xxx` and `secret_id=xxx` in `/etc/zfsUnlocker/zfsUnlocker.conf` or in your kernel arguments.
93 |
94 | ### Hook > Vault Testing
95 |
96 | Once the script is installed and your VAULT_ADDR,and either a VAULT_TOKEN or role_id&secret_id are added to /etc/zfsUnlocker/zfsUnlocker.conf` the vault hook has a test function we can check with:
97 |
98 | $ sudo /etc/zfsUnlocker/modules.d/20_vault/hook test computer-name/root
99 | Entering test mode.
100 |
101 | Testing config approle...
102 | Got a vault token successfully...
103 | Attempting unlock of: computer-name/root
104 | Passphrase found for computer-name/root
105 | cannot open 'computer-name/root': dataset does not exist
106 |
107 | My machine here doesn't actually have a zpool named `computer-name` with a dataset named `root` in it. But the example read was a success and wanted to unlock something!
108 |
109 | The script will also consider kernel arguments which can be activated and also tested with a reboot - Otherwise the Vault module of this script can be temporarily modified to include additional arguments on the fly.
110 |
111 | Testing 'proposed' kernel args on the fly may be added in a later commit if I find myself testing them frequently enough without wanting to hack the script apart for each try or reboot for each test.
--------------------------------------------------------------------------------
/build:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | # Prepares the hook installation based on requirements of extensions in modules.d (Such as Vault)
4 |
--------------------------------------------------------------------------------
/install:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | if [ -t 1 ]
4 | then
5 | # Some colors
6 | declare -A colors
7 | colors[none]="\e[0m"
8 | colors[red]="\e[31m"
9 | colors[green]="\e[32m"
10 | colors[yellow]="\e[33m"
11 | colors[blue]="\e[34m"
12 | colors[magenta]="\e[35m"
13 | colors[cyan]="\e[36m"
14 | colors[lightgray]="\e[37m"
15 | colors[white]="\e[97m"
16 | fi
17 | _scriptRoot="$(dirname $(realpath $0))"
18 |
19 | # Used for updating the conf file
20 |
21 | conf="/etc/zfsUnlocker/zfsUnlocker.conf"
22 | head="#$(git -C "$_scriptRoot" rev-parse HEAD)"
23 | DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
24 |
25 |
26 | # Check if we need sudo
27 | [[ $UID != 0 ]] && SUDO=`which sudo`
28 |
29 | $SUDO mkdir -p /etc/zfsUnlocker
30 | $SUDO rsync -r --delete $DIR/modules.d /etc/zfsUnlocker/
31 |
32 |
33 | if [ -f "$conf" ]
34 | then
35 | if [ "$head" != "$($SUDO head -n1 "$conf")" ] || [[ "$@" == *"force"* ]] # If different commit/version of the script detected, rebuild the conf.
36 | then
37 | writeConf=1
38 | echo "Installing new version, existing conf will be renamed and replaced."
39 | confBak="${conf}_$(date +%s).bak"
40 | $SUDO mv -v "$conf" "$confBak"
41 | fi
42 | else
43 | writeConf=1
44 | echo -e "\nBefore using this make sure you setup $conf."
45 | fi
46 |
47 | if [ -n "$writeConf" ]
48 | then
49 | echo "${head}" | $SUDO tee -a "${conf}" > /dev/null
50 | $SUDO chown root:root $conf ; $SUDO chmod 600 $conf
51 | fi
52 |
53 |
54 | echo "Evaluating module package dependencies"
55 | moduleBasedir="/etc/zfsUnlocker/modules.d"
56 | modules="$(ls -1v $moduleBasedir| grep -v disabled)"
57 |
58 | # We need 'which'
59 | which -v >/dev/null 2>&1 || yes | sudo pacman -S which
60 |
61 | for module in $modules
62 | do
63 |
64 | if [ -f ${moduleBasedir}/${module}/packageDependencies ]
65 | then
66 | echo "${module}:"
67 | while read packageDependency
68 | do
69 | echo -ne '\t'
70 | pacman -Q $packageDependency || yes | sudo pacman --noconfirm -S "$packageDependency"
71 | done < ${moduleBasedir}/${module}/packageDependencies
72 | fi
73 |
74 | if [ -n "$writeConf" ]
75 | then
76 | echo "#${module}" | $SUDO tee -a "${conf}" > /dev/null
77 | cat ${moduleBasedir}/${module}/configVars | $SUDO tee -a "${conf}" > /dev/null
78 | echo "" | $SUDO tee -a "${conf}" # spacer
79 | fi
80 |
81 | done
82 |
83 |
84 |
85 |
86 | $SUDO cp $DIR/zfsUnlocker.hook /usr/lib/initcpio/hooks/zfsUnlocker
87 | $SUDO cp $DIR/zfsUnlocker.install /usr/lib/initcpio/install/zfsUnlocker
88 |
89 |
90 | find /etc/zfsUnlocker -type f -name 'hook' -exec $SUDO chmod 740 "{}" \;
91 |
92 |
93 | # Append custom variables from previous file.
94 | if [ -n "${confBak}" ]
95 | then
96 | variableDifferences="$(comm -23 <($SUDO grep -v '^#' "${confBak}" | sort -u) <($SUDO grep -v '^#' "${conf}" | sort -u))"
97 | if [ -n "${variableDifferences}" ]
98 | then
99 | echo -e "${colors[red]}Old ${colors[none]}${conf}${colors[red]} moved to ${colors[none]}${confBak}${colors[red]}.${colors[none]}"
100 | echo -e "${colors[red]}The script will attempt to append previously used variables to this new config. Please review the content before continuing.${colors[none]}"
101 |
102 | echo -e "Appending previous config..."
103 | echo "# Configuration copied from previous version [$($SUDO head -n1 ${confBak})] [${confBak}]:" | $SUDO tee -a "${conf}"
104 | echo "${variableDifferences}" | $SUDO tee -a "${conf}"
105 | fi
106 | fi
107 |
--------------------------------------------------------------------------------
/modules.d/10_bond/configVars:
--------------------------------------------------------------------------------
1 | # Search for bond traffic on links and try to create bond interfaces before DHCPing?
2 | createBonds=0
3 | # LACP PDUs are sent every 30 seconds as most.
4 | tcpdumpTimeout=35
5 |
--------------------------------------------------------------------------------
/modules.d/10_bond/hook:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | function hook {
4 |
5 | if [ -f /etc/zfsUnlocker/zfsUnlocker.conf ]
6 | then
7 | . /etc/zfsUnlocker/zfsUnlocker.conf
8 | else
9 | echo -e "\t\t/etc/zfsUnlocker/zfsUnlocker.conf missing, skipping module."
10 | return 1
11 | fi
12 |
13 | # Track our bond peers so we don't accidentally bond two different interface pairs together.
14 | declare -A -g peers
15 |
16 | function testBonding {
17 | declare -A -g peers
18 | ip link set $1 up
19 | result=$(timeout ${tcpdumpTimeout} tcpdump -i ${1} -nnevvvv --immediate-mode -l ether proto 0x8809 2>/dev/null |grep 'Actor Information TLV' -A1 --line-buffered | grep -m1 -oE '([a-f0-9]|:){17}' --line-buffered) ; exitCode=$?
20 | ip link set $1 down
21 |
22 | if [ ${exitCode} -eq 0 ]
23 | then
24 | echo -e "\t\tLACP detected on ${1}. Added to bond group ${result}."
25 | result=$(tr -d ':' <<< ${result})
26 | echo "${result} ${intbasename}" >> /tmp/10_bond_results
27 | else
28 | echo -e "\t\tNo LACPs seen on ${1}"
29 | fi
30 | }
31 |
32 | if [ "$createBonds" == 1 ]
33 | then
34 | echo -en "\t\tChecking interfaces for LACP..."
35 |
36 | for interface in /sys/class/net/*
37 | do
38 | unset path
39 | unset intbasename
40 | intbasename=$(basename $interface)
41 | path=$(readlink $interface)
42 | [ ! -h ${interface} ] && continue # Ignore non-symlinks
43 | [[ "$path" =~ "virtual" ]] && continue # Ignore virtual links
44 | [[ "$intbasename" =~ ^w ]] && continue # Ignore wireless links
45 | echo -ne "[${intbasename}] "
46 | testBonding $intbasename &
47 | done
48 | echo ""
49 |
50 | # Wait for the tcpdump threads to wrap up before continuing.
51 | # This asynchronous packet capturing lets multiple interfaces receive an LACP packet at the same time.
52 | sleep 1
53 | until ! ps | grep -qs [t]cpdump
54 | do
55 | sleep 1
56 | done
57 |
58 | # Load the results from tmp into the array.
59 | # Background processes can't update global arrays. This is a workaround.
60 | while read peerInts
61 | do
62 | array=(${peerInts})
63 | peers[${array[0]}]+="${array[1]} "
64 | done < /tmp/10_bond_results
65 |
66 | for peer in ${!peers[@]}
67 | do
68 | bondInc=0
69 | while [ -h /sys/class/net/bond${bondInc} ]; do (((bondInc++))); done # Be courteous of any other early bond interfaces
70 | ourBondInterfaces+=(bond${bondInc})
71 | ip link add bond${bondInc} type bond miimon 100 mode 802.3ad
72 | ip link set bond${bondInc} up
73 | echo -e "\t\t${link} bonded."
74 |
75 | for link in ${peers[${peer}]}
76 | do
77 | ip link set ${link} master bond${bondInc}
78 | echo -e "\t\t${link} bonded and ready"
79 | done
80 |
81 |
82 | # If VLANs are configured, create them per bond interface.
83 | # This might be better as a standalone hook applicable to all interfaces.
84 | if [ -n "${Vlans}" ]
85 | then
86 | sleep 1 # Wait for bond interface creation.
87 | for vlan in ${Vlans[*]}
88 | do
89 | ip link add link bond${bondInc} name bond${bondInc}.${vlan} type vlan id ${vlan}
90 | ip link set bond${bondInc}.${vlan} up
91 | done
92 | fi
93 | done
94 | fi
95 |
96 | ourBondInterfaces+=(testBondInterface)
97 | #export ourBondInterfaces
98 | }
99 |
100 | function cleanup {
101 | # We cannot access ${ourBondInterfaces} here set by the main hook.
102 | # Lazily remove all numbered bond interfaces (This may not be a good idea for certain configurations)
103 | for bondInterface in $(find /sys/class/net -mindepth 1 -maxdepth 1 -name bond[0-9] -printf '%f\n')
104 | do
105 | bondInterfaceBasename="$(basename ${bondInterface})"
106 | echo "Removing bond link: ${bondInterfaceBasename}"
107 | ip link del ${bondInterfaceBasename}
108 | done
109 | }
110 |
111 | $1
112 |
113 |
--------------------------------------------------------------------------------
/modules.d/10_bond/hook.vlans:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | function hook {
4 |
5 | if [ -f /etc/zfsUnlocker/zfsUnlocker.conf ]
6 | then
7 | . /etc/zfsUnlocker/zfsUnlocker.conf
8 | else
9 | echo -e "\t\t/etc/zfsUnlocker/zfsUnlocker.conf missing, skipping module."
10 | return 1
11 | fi
12 |
13 | # Track our bond peers so we don't accidentally bond two different interface pairs together.
14 | declare -A -g peers
15 |
16 | function testBonding {
17 | declare -A -g peers
18 | ip link set $1 up
19 | result=$(timeout ${tcpdumpTimeout} tcpdump -i ${1} -nnevvvv --immediate-mode -l ether proto 0x8809 2>/dev/null |grep 'Actor Information TLV' -A1 --line-buffered | grep -m1 -oE '([a-f0-9]|:){17}' --line-buffered) ; exitCode=$?
20 | ip link set $1 down
21 |
22 | if [ ${exitCode} -eq 0 ]
23 | then
24 | echo -e "\t\tLACP detected on ${1}. Added to bond group ${result}."
25 | result=$(tr -d ':' <<< ${result})
26 | echo "${result} ${intbasename}" >> /tmp/10_bond_results
27 | else
28 | echo -e "\t\tNo LACPs seen on ${1}"
29 | fi
30 | }
31 |
32 | if [ "$createBonds" == 1 ]
33 | then
34 | echo -en "\t\tChecking interfaces for LACP..."
35 |
36 | for interface in /sys/class/net/*
37 | do
38 | unset path
39 | unset intbasename
40 | intbasename=$(basename $interface)
41 | path=$(readlink $interface)
42 | [ ! -h ${interface} ] && continue # Ignore non-symlinks
43 | [[ "$path" =~ "virtual" ]] && continue # Ignore virtual links
44 | [[ "$intbasename" =~ ^w ]] && continue # Ignore wireless links
45 | echo -ne "[${intbasename}] "
46 | testBonding $intbasename &
47 | done
48 | echo ""
49 |
50 | # Wait for the tcpdump threads to wrap up before continuing.
51 | # This asynchronous packet capturing lets multiple interfaces receive an LACP packet at the same time.
52 | sleep 1
53 | until ! ps | grep -qs [t]cpdump
54 | do
55 | sleep 1
56 | done
57 |
58 | # Load the results from tmp into the array.
59 | # Background processes can't update global arrays. This is a workaround.
60 | while read peerInts
61 | do
62 | array=(${peerInts})
63 | peers[${array[0]}]+="${array[1]} "
64 | done < /tmp/10_bond_results
65 |
66 | for peer in ${!peers[@]}
67 | do
68 | bondInc=0
69 | while [ -h /sys/class/net/bond${bondInc} ]; do (((bondInc++))); done # Be courteous of any other early bond interfaces
70 | ourBondInterfaces+=(bond${bondInc})
71 | ip link add bond${bondInc} type bond miimon 100 mode 802.3ad
72 | ip link set bond${bondInc} up
73 | echo "Sleeping before adding vid 10..."
74 | sleep 5
75 | ip link add link bond${bondInc} name bond${bondInc}.10 type vlan id 10
76 | ip link set bond${bondInc}.10 up
77 | for link in ${peers[${peer}]}
78 | do
79 | ip link set ${link} master bond${bondInc}
80 | echo -e "\t\t${link} bonded and ready"
81 | done
82 | done
83 |
84 | fi
85 | }
86 |
87 | function cleanup {
88 | for bond in ${ourBondInterfaces[*]}
89 | do
90 | ip link del ${bond}
91 | done
92 | }
93 |
94 | $1
95 |
96 |
--------------------------------------------------------------------------------
/modules.d/10_bond/packageDependencies:
--------------------------------------------------------------------------------
1 | tcpdump
2 | grep
3 | coreutils
4 |
--------------------------------------------------------------------------------
/modules.d/10_bond/setup:
--------------------------------------------------------------------------------
1 | map add_binary grep \
2 | tr \
3 | timeout \
4 | tcpdump \
5 | ip
6 |
7 | map add_module bonding \
8 | tls \
9 | 8021q
10 |
--------------------------------------------------------------------------------
/modules.d/10_iphone/configVars:
--------------------------------------------------------------------------------
1 | # Check for an iphone hotspot over USB?
2 | TryiPhoneUSB=1
3 |
--------------------------------------------------------------------------------
/modules.d/10_iphone/hook:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | function hook {
4 |
5 | if [ -f /etc/zfsUnlocker/zfsUnlocker.conf ]
6 | then
7 | . /etc/zfsUnlocker/zfsUnlocker.conf
8 | else
9 | echo "/etc/zfsUnlocker/zfsUnlocker.conf missing, skipping module."
10 | return 1
11 | fi
12 |
13 | if [ "$TryiPhoneUSB" == 1 ]
14 | then
15 |
16 | usbmuxd >/dev/null 2>&1 && sleep 1
17 |
18 | validateResult="$(idevicepair validate)"
19 | if grep -qs 'No device found.' <<< "$validateResult"
20 | then
21 | echo -e "\t\tNo phone found."
22 | return 0
23 | elif grep -Eqs '^SUCCESS' <<< "$validateResult"
24 | then
25 | echo -e "\t\tPhone detected and ready."
26 | return 0
27 | fi
28 |
29 | pairResult="$(idevicepair pair)"
30 | if grep -qs 'Please enter the passcode' <<< "$pairResult"
31 | then
32 | headsup=1
33 | echo -e "\t\tUnlock phone to trust this PC"
34 | elif grep -qs 'Please accept the trust' <<< "$pairResult"
35 | then
36 | headsup=1
37 | echo -e "\t\tPhone is asking to trust this PC"
38 | elif grep -qs 'user denied the trust' <<< "$pairResult"
39 | then
40 | headsup=1
41 | echo -e "\t\tPhone does not trust this PC. Replug o try again next boot."
42 | else
43 | echo -e "\t\tIt seems something else went wrong trying to talk with the phone:\n$pairResult"
44 | fi
45 | else
46 | echo -e "\t\tModule not in use"
47 | fi
48 | }
49 |
50 | function cleanup {
51 | pkill usbmuxd
52 | }
53 |
54 | $1
55 |
56 |
--------------------------------------------------------------------------------
/modules.d/10_iphone/packageDependencies:
--------------------------------------------------------------------------------
1 | libimobiledevice
2 | usbmuxd
3 | usbutils
4 | procps-ng
5 |
--------------------------------------------------------------------------------
/modules.d/10_iphone/setup:
--------------------------------------------------------------------------------
1 | map add_binary grep \
2 | idevicepair \
3 | lsusb \
4 | pkill \
5 | usbmuxd \
6 |
7 | map add_module ipheth
8 |
9 | map add_full_dir /var/lib/lockdown
10 |
11 | iDevices=($(idevicepair list))
12 |
13 | if [ -z "${iDevices[0]}" ]
14 | then
15 | echo -e "\t10_iphone module: For best results, pair your phone with 'idevicepair pair' and"
16 | echo -e "\tconfirm with 'idevicepair validate' before generating your initramfs."
17 |
18 | echo -e "\tYou can pair on the fly in initramfs if you're quick enough, but it's an extra step that way."
19 | echo -e ""
20 | else
21 | echo -e "\tAdded iDevices: ${iDevices[*]}"
22 | fi
23 |
24 | echo -e "" # Spacer
25 |
--------------------------------------------------------------------------------
/modules.d/10_wifi/configVars:
--------------------------------------------------------------------------------
1 | # List of wireless networks to connect to as colon-delimited SSID:PSK combinations.
2 | # If var empty/unset, module skips.
3 | # You can generate network PSKs with the wpa_passphrase command
4 | # SSID priority is set by the below ordering with the first SSID in the list being
5 | # the most preferred to connect with.
6 |
7 | #wirelessNetworks=("My AP:pskpskpsk" "Another SSID:pskpskpsk")
8 |
--------------------------------------------------------------------------------
/modules.d/10_wifi/hook:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | function hook {
4 |
5 | if [ -f /etc/zfsUnlocker/zfsUnlocker.conf ]
6 | then
7 | . /etc/zfsUnlocker/zfsUnlocker.conf
8 | else
9 | echo "/etc/zfsUnlocker/zfsUnlocker.conf missing, skipping module."
10 | return 1
11 | fi
12 |
13 | if [ -z "$wirelessNetworks" ]
14 | then
15 | echo -e "\t\tNo SSID set in zfsUnlocker.conf, skipping module."
16 | return 1
17 | else
18 | echo -e "\t\tTrying to join a wireless network..."
19 |
20 | [ ! -h /dev/fd ] && ln -s /proc/self/fd /dev/fd >/dev/null 2>&1
21 |
22 | interfaces="$(find /sys/class/net -mindepth 1)"
23 | for interface in $interfaces # Look for wireless interfaces
24 | do
25 | if [ -d $interface/wireless ]
26 | then
27 | interfaceShort="$(basename $interface)"
28 | echo -e "\t\tDetected: $interfaceShort"
29 | wirelessInterfaces+="$interfaceShort "
30 | fi
31 | done
32 | fi
33 |
34 | if [ -z "$wirelessInterfaces" ] ; then echo -e "\t\tNo wireless interfaces seen. Did the drivers add correctly?" ; exit 1 ; fi
35 |
36 | # Build configuration
37 |
38 | priorityCounter=0 # Assign priorities to SSIDs where the first specified is the highest priority.
39 | for wirelessInterface in $wirelessInterfaces ; do interfaceArgs+="-i $wirelessInterface " ; done
40 | for network in ${!wirelessNetworks[@]}
41 | do
42 | SSID="$( cut -f1 -d':' <<< ${wirelessNetworks[${network}]})"
43 | PSK="$( cut -f2 -d':' <<< ${wirelessNetworks[${network}]})"
44 | wpa_supplicant_configuration+="$(echo -e "\nnetwork={\n ssid=\"${SSID}\"\n psk=${PSK}\n priority=${priorityCounter}\n}")"
45 | ((priorityCounter++))
46 | done
47 | echo -ne '\t\t'; wpa_supplicant -B ${interfaceArgs} -c <(echo "${wpa_supplicant_configuration}")
48 | }
49 |
50 | function cleanup {
51 | killall -q wpa_supplicant
52 | }
53 |
54 | $1
55 |
--------------------------------------------------------------------------------
/modules.d/10_wifi/packageDependencies:
--------------------------------------------------------------------------------
1 | wpa_supplicant
2 |
--------------------------------------------------------------------------------
/modules.d/10_wifi/setup:
--------------------------------------------------------------------------------
1 | map add_binary wpa_supplicant \
2 | find \
3 | killall
4 |
5 | map add_module ccm
6 |
7 | function add_wificard {
8 |
9 | map add_module $driver mac80211 # Always add the core driver plus mac80211
10 |
11 | # Special cases for certain drivers
12 | if [ "$driver" == "iwlwifi" ]
13 | then
14 | echo -e "\t$busPath is an iwlwifi card, also adding iwlmvm"
15 | map add_module iwlmvm
16 |
17 | echo -e "\tScanning journalctl for modules iwlwifi has used this boot..."
18 |
19 | activeFirmwareList=$(journalctl --boot|grep -o 'iwlwifi.*loaded firmware version.*ucode' | awk -F' ' '{print $NF}' | sort -u | tr '\n' ' ')
20 |
21 | for iwlwifi_firmware_file in $activeFirmwareList
22 | do
23 | echo -e "\tDetected ${iwlwifi_firmware_file} in use, adding to initramfs for next boot."
24 | map add_file /usr/lib/firmware/iwlwifi-${iwlwifi_firmware_file}*
25 | done
26 |
27 | pnvmFiles="/usr/lib/firmware/*pnvm*"
28 | if [ -n "${pnvmFiles}" ]
29 | then
30 | echo -e "\tAdding all available PNVM files (Programmable Non-Volatile Memory):"
31 |
32 | for pnvmFile in ${pnvmFiles}
33 | do
34 | map add_file ${pnvmFile}
35 | echo -e "\t\t${pnvmFile}"
36 | done
37 | fi
38 | fi
39 | }
40 |
41 | # Main loop to search for wifi devices
42 | while read pci_wireless_controller
43 | do
44 | if [ -n "$pci_wireless_controller" ]
45 | then
46 | busPath="$(cut -f1 -d' ' <<< $pci_wireless_controller)"
47 | busPathEscaped="$(sed 's/:/\\:/g' <<< $busPath)"
48 | vendorClass="$(grep -Eo '[0-9a-z]{4}:[0-9a-z]{4}' <<< $pci_wireless_controller)"
49 | vendor="$(cut -f1 -d : <<< $vendorClass)" ; class="$(cut -f2 -d : <<< $vendorClass)"
50 | driver="$(basename $(readlink /sys/bus/pci/devices/${busPath}/driver))"
51 |
52 | echo -e "\tFound $vendorClass at path $busPath using driver $driver"
53 | add_wificard
54 |
55 | fi
56 |
57 |
58 |
59 | done <<< "$(grep -Ei '(Wi(-)?Fi|Wireless)' <<< $(lspci -D -nn))"
60 |
61 | echo -e ""
62 |
--------------------------------------------------------------------------------
/modules.d/15_dhcp/configVars:
--------------------------------------------------------------------------------
1 | dhcpHostname=$(cat /etc/hostname)
2 | forceInterface=''
3 |
--------------------------------------------------------------------------------
/modules.d/15_dhcp/hook:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # Read the global Vlans variable
3 | if [ -f /etc/zfsUnlocker/zfsUnlocker.conf ]
4 | then
5 | . /etc/zfsUnlocker/zfsUnlocker.conf
6 | fi
7 |
8 | function hook {
9 | # Figure out if there are any interfaces with a master who shouldn't be directly DHCP'd on.
10 |
11 | for interface in $(find /sys/class/net/ -type l -not -name '*.*' -not -name lo)
12 | do
13 | intbasename=$(basename $interface)
14 | [ ! -h ${interface} ] && continue # Ignore non-symlinks
15 | [ -h ${interface}/master ] && continue # Ignore non-master links
16 |
17 | echo -e "\t\tAdded to dhclient interface list: ${intbasename}"
18 | echo "interface\"${intbasename}\" {}" >> /etc/dhclient.conf
19 |
20 | if [ -n "${Vlans[*]}" ]
21 | then
22 | for vlan in ${Vlans[*]}
23 | do
24 | vlanIntName="${intbasename}.${vlan}"
25 | ip link add link ${intbasename} ${vlanIntName} type vlan id ${vlan} && \
26 | echo -e "\t\t\tCreated and added vlan interface: ${vlanIntName}"
27 | echo "interface\"${vlanIntName}\" {}" >> /etc/dhclient.conf
28 | done
29 | fi
30 |
31 | done
32 | echo ""
33 |
34 | if dhclient $forceInterface -v >/dev/null 2>&1
35 | then
36 | if [ -f '/var/lib/dhclient/dhclient.leases' ]
37 | then
38 | myAddress="$(grep -m1 -o 'fixed-address.*' /var/lib/dhclient/dhclient.leases |grep -Eo '([0-9]+|\.)+')"
39 | [ -n "$myAddress" ] && echo -e "\t\tGot address $myAddress"
40 | fi
41 | else
42 | echo -e "\t\tCouldn't get an IP, manual unlock may be required."
43 | fi
44 |
45 | }
46 |
47 | function cleanup {
48 | # Release the lease
49 | dhclient -r >/dev/null 2>&1
50 |
51 |
52 | if [ -n "${Vlans[*]}" ]
53 | then
54 | for interface in $(find /sys/class/net/ -type l -not -name '*.*' -not -name lo)
55 | do
56 | intbasename=$(basename $interface)
57 | for vlan in ${Vlans[*]}
58 | do
59 | vlanIntName="${intbasename}.${vlan}"
60 | ip link del ${vlanIntName} && echo "Deleting Vlan interface: ${vlanIntName}"
61 | done
62 | done
63 | fi
64 | }
65 |
66 | $1
67 |
--------------------------------------------------------------------------------
/modules.d/15_dhcp/packageDependencies:
--------------------------------------------------------------------------------
1 | dhclient
2 |
--------------------------------------------------------------------------------
/modules.d/15_dhcp/setup:
--------------------------------------------------------------------------------
1 | function mapEthernetDrivers {
2 | declare -a drivers
3 | ethernetCards=($(lspci -D |grep -i eth | cut -f1 -d' '))
4 |
5 | for pciDevice in ${ethernetCards[*]}
6 | do
7 | unset driver
8 | driver="$(basename $(readlink -f "/sys/bus/pci/devices/${pciDevice}/driver"))"
9 | if ! [[ " ${drivers[*]} " =~ " ${driver} " ]]
10 | then
11 | echo -e "\t15_dhcp module: Detected active Ethernet driver ${driver}, added to initramfs."
12 | drivers+=(${driver})
13 | map add_module ${driver}
14 | fi
15 | done
16 |
17 | for usbNetworkDevice in $(find /sys/bus/usb/devices/*/net -mindepth 1 -maxdepth 1 2>/dev/null)
18 | do
19 | usbNetworkingDetected=1
20 |
21 | # Try to determine the driver in use.
22 | [ -h "${usbNetworkDevice}/device/driver" ] && driver=$(basename $(readlink ${usbNetworkDevice}/device/driver))
23 |
24 | if [ -z "${driver}" ]
25 | then
26 | echo "Failed to discover its driver..."
27 | continue
28 | fi
29 |
30 | echo driver is :${driver}:
31 | echo -e "\t15_dhcp module: Detected active USB Ethernet driver ${driver}, added to initramfs."
32 | map add_module ${driver}
33 | . /etc/mkinitcpio.conf
34 | [[ ! ${MODULES[@]} =~ ${driver} ]] && usbHint=1
35 | done
36 |
37 | if [ -n "${usbNetworkingDetected}" ] && [ -n "${usbHint}" ]
38 | then
39 | echo -e "\tIf these USB network devices won't always be present for each initramfs regeneration"
40 | echo -e "\tyou may wish to consider adding their modules directly to /etc/mkinitcpio.conf for persistence"
41 | fi
42 | }
43 |
44 | mapEthernetDrivers
45 |
46 | map add_binary dhclient \
47 | grep
48 |
49 | map add_module 8021q
50 |
51 | map add_file /sbin/dhclient-script
52 |
53 | # Use the machine's hostname if available for dhclient.
54 | if [ -f "/etc/hostname" ]
55 | then
56 | echo "send host-name \"$(cat /etc/hostname)\";" > "${BUILDROOT}/etc/dhclient.conf"
57 | map add_file /etc/hostname
58 | fi
59 |
60 | mkdir -p "${BUILDROOT}/var/lib/dhclient"
61 |
--------------------------------------------------------------------------------
/modules.d/19_keyfile/configVars:
--------------------------------------------------------------------------------
1 | # A UUID of a partition we can mount and a passphrase text file path on said mount
2 | # For reading out one or more passphrase lines from external storage.
3 | # Currently adds only the fat and vfat kernel modules.
4 | # More can be supported by adding their modules to your initramfs.
5 | PART_UUID=''
6 | PASSPHRASE_FILE_PATH='passphrase.txt'
7 |
--------------------------------------------------------------------------------
/modules.d/19_keyfile/hook:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | function hook {
4 |
5 | if [ -f /etc/zfsUnlocker/zfsUnlocker.conf ]
6 | then
7 | . /etc/zfsUnlocker/zfsUnlocker.conf
8 | else
9 | echo "\t\t/etc/zfsUnlocker/zfsUnlocker.conf missing, skipping module."
10 | return 1
11 | fi
12 |
13 | if [ -z "${PART_UUID}" ] || [ -z "${PASSPHRASE_FILE_PATH}" ]
14 | then
15 | echo -e "\t\tPART_UUID or PASSPHRASE_FILE_PATH not set. Skipping module."
16 | return 1
17 | fi
18 |
19 | mkdir -p /keyFileMount
20 | set -o pipefail
21 | if ! mount /dev/disk/by-partuuid/${PART_UUID} /keyFileMount 2>&1 | sed -E -e 's/^/\t\t/g'
22 | then
23 | echo -e "\t\tFailed to mount the desired partition UUID."
24 | return 1
25 | fi
26 | set +o pipefail
27 |
28 | if ! [ -f "/keyFileMount/${PASSPHRASE_FILE_PATH}" ]
29 | then
30 | echo -e "\t\tKeyfile ${PASSPHRASE_FILE_PATH} not found on the mounted filesystem."
31 | return 1
32 | fi
33 |
34 | # Try all passphrase lines in the text file
35 | while read line
36 | do
37 | yes "${line}" | zfs load-key -a 2>&1 | sed -E -e 's/^/\t\t/g'
38 | done <<< "$(cat "/keyFileMount/${PASSPHRASE_FILE_PATH}")"
39 | }
40 |
41 | function cleanup {
42 | if grep -qs keyFileMount /proc/mounts
43 | then
44 | umount /keyFileMount
45 | rmdir -p /keyFileMount
46 | fi
47 | }
48 |
49 | ${1}
50 |
--------------------------------------------------------------------------------
/modules.d/19_keyfile/packageDependencies:
--------------------------------------------------------------------------------
1 | dosfstools
2 |
--------------------------------------------------------------------------------
/modules.d/19_keyfile/setup:
--------------------------------------------------------------------------------
1 | map add_binary mount \
2 | umount \
3 | cat \
4 | yes
5 |
6 | map add_module fat \
7 | vfat
8 |
--------------------------------------------------------------------------------
/modules.d/19_serial/configVars:
--------------------------------------------------------------------------------
1 | # Whether or not we should listen to serial interfaces to receive a potentially valid passphrase
2 | askPassphraseOnSerial=1
3 |
--------------------------------------------------------------------------------
/modules.d/19_serial/hook:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | function hook {
4 | . /etc/zfsUnlocker/zfsUnlocker.conf
5 |
6 | if [ ${askPassphraseOnSerial} -eq 1 ]
7 | then
8 | echo -e "\t\tListening to serial interfaces for a passphrase..."
9 | validSerialInterfaceIndex=$(awk -F':' '/uart:[0-9]/{ print $1 }' /proc/tty/driver/serial)
10 |
11 | if [ -n "${validSerialInterfaceIndex}" ]
12 | then
13 |
14 | # Print out to each serial interface that we are accepting input
15 | for serialIndex in ${validSerialInterfaceIndex}
16 | do
17 | echo -e "[zfsUnlocker]" >/dev/ttyS${serialIndex}
18 | echo -e "Listening on all ttyS* interfaces for an unlock passphrase." > /dev/ttyS${serialIndex}
19 | echo -e "Type a passphrase on serial and press Enter to submit:" > /dev/ttyS${serialIndex}
20 | done
21 |
22 | # Enter main loop of pestering serial interfaces for a passphrase
23 | # This could be implemented better.
24 | cat /dev/ttyS* | \
25 | while read passphraseLine
26 | do
27 | echo "${passphraseLine}" | zfs load-key -a
28 | done &
29 | fi
30 |
31 | else
32 | echo -e "\t\tIgnoring serial interfaces..."
33 | fi
34 |
35 | }
36 |
37 | function cleanup {
38 | pkill -HUP cat
39 | }
40 |
41 | $1
42 |
--------------------------------------------------------------------------------
/modules.d/19_serial/packageDependencies:
--------------------------------------------------------------------------------
1 | awk
2 | coreutils
3 |
--------------------------------------------------------------------------------
/modules.d/19_serial/setup:
--------------------------------------------------------------------------------
1 | map add_binary awk \
2 | cat
3 |
--------------------------------------------------------------------------------
/modules.d/20_vault/configVars:
--------------------------------------------------------------------------------
1 | VAULT_ADDR='' # Vault server FQDN
2 | VAULT_TOKEN='' # Pre-issued token for this host.
3 | role_id='' # An approle ID for token generation
4 | secret_id='' # An approle Secret for token generation
5 | vaultKvEngineName='kv' # default when enabling a kv engine.
6 | vaultRootSearchPath=data/zfs # path in KvEngine to find keys.
7 | vaultKeyName=passphrase # What field you're after in a kv result
8 | vaultPromptForMissingInfo=0 # Prompt on the command line if missing a token or URL from other sources?
9 |
10 | # [Example] For an encrypted root dataset named 'root' on zpool 'myPool'
11 | # as 'myPool/root'
12 | #
13 | # 'kv/data/zfs/myPool/root' with the key value name "passphrase"
14 | #
15 | # ( You'll want an active kv engine on your Vault named 'kv'
16 | # in this example.
17 | # You may name your kv engine something else like 'secret' ).
18 |
19 | #
20 | # If it fails [connectivity, SSL, Missing secret, token permission / policy]
21 | # You'll be prompted as a last resort.
22 |
23 | # Make sure this computer trusts the certificate/CA for your Vault.
24 | # You can usually test this with a cURL to the https vault URL.
25 | # Trusts will be copied to initramfs if hook used.
26 |
--------------------------------------------------------------------------------
/modules.d/20_vault/hook:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | sealedError='{"errors":["Vault is sealed"]}'
4 | badTokenError='{"errors":["permission denied"]}'
5 | validTokenPermissionDeniedError='{"errors":["1 error occurred:\n\t* permission denied\n\n"]}'
6 | blankResponseError='{"errors":[]}'
7 | curlErrorRegex='^curl:.*$'
8 |
9 | function evalCmdline {
10 |
11 | for entry in $(cat /proc/cmdline | sed -e 's/VAULTHOSTOVERRIDE/VAULT_ADDR/g' -e 's/VAULTTOKENOVERRIDE/VAULT_TOKEN/g')
12 | do
13 | param=${entry/=*/}
14 | value=${entry/*=/}
15 |
16 | if [[ ! "${entry}" =~ '=' ]] || [[ "${param}" =~ '.' ]] || [[ "${value}" =~ ',' ]]
17 | then
18 | continue # Ignore args with a literal dot (module params) or without a param=value format
19 | fi
20 |
21 | case "$(tr '[:upper:]' '[:lower:]' <<< ${param})" in
22 |
23 | vault_addr)
24 | export VAULT_ADDR="${value}"
25 | setFromCmdline+=(VAULT_ADDR)
26 | lockdownCmdline
27 | ;;
28 |
29 | vault_token)
30 | export VAULT_TOKEN="${value}"
31 | setFromCmdline+=(VAULT_TOKEN)
32 | lockdownCmdline
33 | ;;
34 |
35 | role_id)
36 | export role_id="${value}"
37 | setFromCmdline+=(role_id)
38 | lockdownCmdline
39 | ;;
40 |
41 | secret_id)
42 | export secret_id="${value}"
43 | setFromCmdline+=(secret_id)
44 | lockdownCmdline
45 | ;;
46 | esac
47 | done
48 |
49 | [[ -n "${setFromCmdline[@]}" ]] && echo -e "\n\t\tSet from kernel cmdline: ${setFromCmdline[@]}"
50 | }
51 |
52 | function kernelArgumentSpiel {
53 | echo -e "\t\tConfig can be overridden with kernel arguments VAULT_ADDR=, VAULT_TOKEN=, role_id=, secret_id="
54 | echo -e "\t\t(non-case sensitive)"
55 | }
56 |
57 | function curlErrorHandler {
58 |
59 | if [ ${curlReturnCode} -eq 0 ] && jq -e .request_id <<< ${response} >/dev/null 2>&1
60 | then
61 | [ -n "${successText}" ] && echo -e "${successText}"
62 | return ${curlReturnCode}
63 | elif [ "${response}" == "${blankResponseError}" ]
64 | then
65 | echo -e "\t\tVault returned a blank response for ${lockedDataset}."
66 | echo -e "\t\tYou have access to read this secret path but it may not exist."
67 | return 1
68 | elif [ "${response}" == "${validTokenPermissionDeniedError}" ]
69 | then
70 | echo -e "\t\tVault claims our token doesn't have permission to read the secret for ${lockedDataset}."
71 | echo -e "\t\tPlease consult your policies."
72 | return 1
73 | elif [ "${response}" == "${sealedError}" ]
74 | then
75 | echo -e "\t\tThe vault address provided claims to be sealed."
76 | echo -e "\t\tCannot continue until its unsealed."
77 | return 1
78 | elif [ "${response}" == "${badTokenError}" ]
79 | then
80 | echo -e "\t\t\tVault server reachable but trying to lookup own token resulted in a permission error."
81 | echo -e "\t\t\tToken may be invalid. If valid, policies may be too tight."
82 | return 1
83 | elif [[ "$(head -n1 <<< ${response})" =~ ${curlErrorRegex} ]] # If we're dealing with a cURL error
84 | then
85 | echo -e "\t\tcURL threw an error trying to ${goalText} against ${VAULT_ADDR}"
86 | echo
87 | sed -E -e 's/^/\t\t\t/g' <<< "${response}" # Share cURL's output
88 | elif [[ "${response}" =~ \[0-9]{3} ]] # If a general upstream error occured
89 | then
90 | echo -e "\t\tA HTTP error was thrown by the remote trying to ${goalText} against ${VAULT_ADDR}"
91 | echo
92 | sed -E -e 's/^/\t\t\t/g' <<< "${response}" # Share cURL's output
93 | else # If we don't know what we're looking at
94 | echo -e "\t\tSomething else went wrong trying to ${goalText} against ${VAULT_ADDR} [cURL exit code ${curlReturnCode}]"
95 | sed -E -e 's/^/\t\t\t/g' <<< "${response}" # Share cURL's output
96 | echo ${response}
97 | fi
98 |
99 |
100 | }
101 |
102 | function curler {
103 | # Further URL preparation and multiple attempts in case a cluster member is sealed.
104 | # '--retry' and Co don't establish new connections - preventing RRDNS from rerolling.
105 |
106 | unset goalText successText METHOD postdata
107 | while [ $# -gt 0 ]
108 | do
109 | case "$(tr '[:upper:]' '[:lower:]'<<<$1)" in
110 | -goalText)
111 | goalText="$2"
112 | shift
113 | ;;
114 | -successText)
115 | successText="$2"
116 | shift
117 | ;;
118 | -method)
119 | METHOD="-X${2}"
120 | shift
121 | ;;
122 | -postdata)
123 | postdata=("-d" "$2")
124 | shift
125 | ;;
126 | esac
127 | shift
128 | done
129 |
130 | if [ -n "${VAULT_TOKEN}" ]
131 | then
132 | TokenHeader="X-Vault-Token: ${VAULT_TOKEN}"
133 | else
134 | unset TokenHeader
135 | fi
136 |
137 | # Prepend the https protocol if omitted from VAULT_ADDR
138 | [[ ! "${URL}" =~ ^[a-z]+:// ]] && URL="https://${URL}"
139 |
140 | retryAttempts=10 attemptNumber=0
141 |
142 | while [[ ${attemptNumber} -lt ${retryAttempts} ]]
143 | do
144 | (((attemptNumber++)))
145 | response="$(curl -q -sS ${METHOD} -H "${TokenHeader}" "${URL}" "${postdata[@]}" 2>&1)" ; curlReturnCode=$?
146 | if [ "${response}" == "${sealedError}" ]
147 | then
148 | # Only print this text once.
149 | [ ${attemptNumber} -eq 1 ] && echo -e "\t\tHit sealed vault... retrying" >&2
150 | else
151 | break
152 | fi
153 | done
154 |
155 | curlErrorHandler "${goalText}" "${successText}" # Check for problems before continuing
156 | return ${?}
157 | }
158 |
159 | function attemptTokenSelfLookup {
160 | # Do a self-lookup API call before waiting any time
161 | URL="${VAULT_ADDR}/v1/auth/token/lookup-self"
162 | curler -method GET -goalText "validate the token" -successText "\t\tAccessing vault [${VAULT_ADDR}] successful, Token valid."
163 | return ${?}
164 | }
165 |
166 | function attemptVaultRead {
167 | URL="${VAULT_ADDR}/v1/${vaultKvEngineName}/${vaultRootSearchPath}/${lockedDataset}"
168 | curler -goalText "read the kv secret" -successText "\t\t\tSuccessfully read secret data"
169 | return ${?}
170 | }
171 |
172 | function getTokenFromApprole {
173 | URL="${VAULT_ADDR}/v1/auth/approle/login"
174 | curler -goalText "get token from approle" -successText "\t\t\tSuccessfully got token from approle" -postdata "{\"role_id\": \"${role_id}\", \"secret_id\":\"${secret_id}\"}"
175 |
176 | if VAULT_TOKEN=$(jq -e -r .auth.client_token <<< "${response}")
177 | then
178 | echo -e "\t\tGot a vault token successfully..."
179 | else
180 | echo -e "\t\tFailed to get a vault token, check approle"
181 | exit 1
182 | fi
183 | }
184 |
185 | function lockdownCmdline {
186 | desiredPermissions=440
187 | currentPermissions=$(stat -c '%a' /proc/cmdline)
188 | if [ ${desiredPermissions} -ne ${currentPermissions} ]
189 | then
190 | chmod 440 /proc/cmdline # Best effort protection from regular processes
191 | echo -e "\t\t/proc/cmdline permissions switched to 440 to help protect sensitive data."
192 | fi
193 | }
194 |
195 | function tryToken {
196 | if [ -n "${VAULT_ADDR}" ] && [ -n "${VAULT_TOKEN}" ]
197 | then
198 | attemptTokenSelfLookup
199 | checkReturn=$?
200 | if [ ${checkReturn} -eq 0 ]
201 | then
202 | echo -e "\t\tToken valid"
203 | else
204 | unset VAULT_TOKEN
205 | fi
206 |
207 | return ${checkReturn}
208 | fi
209 | }
210 |
211 | function tryApprole {
212 | # Check for an approle role_id and secret_id in kernel arguments to try.
213 | if [ -n "${role_id}" ] && [ -n "${secret_id}" ]
214 | then
215 | getTokenFromApprole
216 | if [ -n "${VAULT_TOKEN}" ] && attemptTokenSelfLookup
217 | then
218 | lockdownCmdline
219 | return
220 | else
221 | echo -e "\t\tApprole valid"
222 | unset role_id secret_id
223 | fi
224 | fi
225 | }
226 |
227 | function prepare {
228 |
229 | if [ -n "${VAULT_ADDR}" ] && [ -n "${VAULT_TOKEN}" ]
230 | then
231 | echo -e "\n\t\tTesting config token..."
232 | tryToken
233 | return $?
234 | fi
235 |
236 | if [ -n "${role_id}" ] && [ -n "${secret_id}" ]
237 | then
238 | echo -e "\n\t\tTesting config approle..."
239 | tryApprole
240 | return $?
241 | fi
242 |
243 | evalCmdline # Set variables from /proc/cmdline
244 |
245 | if [ -n "${VAULT_ADDR}" ] && [ -n "${VAULT_TOKEN}" ]
246 | then
247 | echo -e "\n\t\tTesting cmdline token..."
248 | tryToken
249 | return $?
250 | fi
251 |
252 | if [ -n "${role_id}" ] && [ -n "${secret_id}" ]
253 | then
254 | echo -e "\n\t\tTesting cmdline approle..."
255 | tryApprole
256 | return $?
257 | fi
258 |
259 | kernelArgumentSpiel
260 | }
261 |
262 | function hook {
263 |
264 | if [ -f /etc/zfsUnlocker/zfsUnlocker.conf ]
265 | then
266 | . /etc/zfsUnlocker/zfsUnlocker.conf
267 | else
268 | echo "\t\t/etc/zfsUnlocker/zfsUnlocker.conf missing, skipping module."
269 | return 1
270 | fi
271 |
272 | prepare # Enumerate options and cmdline looking for a valid token.
273 |
274 | if [ ${vaultPromptForMissingInfo} -eq 1 ] && [ -z "${VAULT_ADDR}" -o -z "${VAULT_TOKEN}" ]
275 | then
276 | echo -e "\t\tUnable to determine Vault details and prompting is enabled."
277 | [ -z "${VAULT_ADDR}" ] && read -sp "Vault Host:" VAULT_ADDR
278 | [ -z "${VAULT_ADDR}" ] && read -sp "Vault Token:" VAULT_TOKEN
279 | fi
280 |
281 | if [ -z "${VAULT_ADDR}" ] || [ -z "${VAULT_TOKEN}" ]
282 | then
283 | echo -e "\t\tNot enough info to run vault hook"
284 | [ -z "${VAULT_ADDR}" ] && echo -e "\t\tVault host missing"
285 | [ -z "${VAULT_TOKEN}" ] && echo -e "\t\tVault token missing"
286 | return 1
287 | fi
288 |
289 | # Try unlocking all datasets with an 'unavailable' keystatus, but root first.
290 |
291 | if [ -n "${testDataset}" ]
292 | then
293 | lockedDatasets="${testDataset}"
294 | else
295 | lockedDatasets="${dataset} $(zfs get -H -o name,value keystatus 2>/dev/null | grep unavailable | grep -v '@' | cut -f1)"
296 | fi
297 |
298 | for lockedDataset in ${lockedDatasets}
299 | do
300 |
301 | # If unlocked and not a test run, skip
302 | grep -qsP '\tavailable' <<< $(zfs get -H -o name,value keystatus ${lockedDataset} 2>/dev/null) && [ -z "${testDataset}" ] && continue
303 |
304 | echo -e "\t\tAttempting unlock of: ${lockedDataset}"
305 | attemptVaultRead
306 | vaultPassphraseResult="$(jq -e -r '.data.data.passphrase' <<< ${response})" ; jqParseExitCode=$?
307 | [ ${jqParseExitCode} -gt 0 ] && { echo -e "\t\tFailed to read a passphrase from the result" ; exit 1 ;}
308 |
309 | echo -e "\t\t\tPassphrase found for ${lockedDataset}"
310 |
311 | if result=$(yes "${vaultPassphraseResult}" | zfs load-key ${lockedDataset} 2>&1)
312 | then
313 | echo -e "\t\t\tSuccessfully unlocked ${lockedDataset}"
314 | else
315 | sed 's/^/\t\t\t/g' <<<${result}
316 | fi
317 |
318 | # Quietly try the passphrase on other datasets too
319 | yes "${vaultPassphraseResult}" | zfs load-key -a >/dev/null 2>&1
320 | done
321 | }
322 |
323 |
324 | function test { # For someone to test the hook with before rebooting
325 | echo "This is a test function to try reading a vault dataset secret before rebooting."
326 |
327 | }
328 |
329 | function cleanup {
330 | :
331 | }
332 |
333 | if [ "${1}" == 'test' ]
334 | then
335 | echo "Entering test mode."
336 |
337 | if [ "${2}" ]
338 | then
339 | testDataset=${2}
340 | hook
341 | else
342 | echo "Please provide a dataset name as an argument."
343 | fi
344 | else
345 | ${1}
346 | fi
347 |
--------------------------------------------------------------------------------
/modules.d/20_vault/packageDependencies:
--------------------------------------------------------------------------------
1 | jq
2 | curl
3 |
--------------------------------------------------------------------------------
/modules.d/20_vault/setup:
--------------------------------------------------------------------------------
1 | map add_binary curl \
2 | jq
3 |
4 | map add_file /usr/lib/libresolv.so.2 \
5 | /usr/lib/libnss_resolve.so.2
6 |
7 | # Certificates for cURL>vault using host's existing trust store
8 | map add_full_dir /etc/ssl/certs \
9 | /etc/ca-certificates
10 |
11 | # Needed for DNS to work for cURL
12 | add_file "/usr/lib/libnss_dns.so.2" "/usr/lib/libnss_dns.so.2" "$(stat -Lc %a /usr/lib/libnss_dns.so.2)"
13 | add_file "/usr/lib/libnss_files.so.2" "/usr/lib/libnss_files.so.2" "$(stat -Lc %a /usr/lib/libnss_files.so.2)"
14 |
15 | #[[ -f `which jq` ]] && cp "`which jq`" "${BUILDROOT}/bin/jq"
16 |
--------------------------------------------------------------------------------
/modules.d/21_ssh/configVars:
--------------------------------------------------------------------------------
1 | # Any accounts on this system who's public keys are important enough to allow root passphrase entry?
2 | #authorizedUsers='root operator'
3 |
4 | # What should we use as a format for the root ssh passphrase?
5 | # passphraseMode=base64
6 | passphraseMode=hex
7 |
8 | # How long (roughly) should the temporary root ssh passphrase be?
9 | passphraseLength=12
10 |
11 | # How long should the timeout be before ssh stops listening?
12 | sshTimeout=1h
13 |
--------------------------------------------------------------------------------
/modules.d/21_ssh/hook:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | function hook {
4 | . /etc/zfsUnlocker/zfsUnlocker.conf
5 | if [ "$passphraseMode" == "hex" ] ; then passphraseLength=$((($passphraseLength / 2))) ; fi
6 | transientPassword="$(openssl rand -${passphraseMode} ${passphraseLength})"
7 | echo -e "\t\tTransient password set, refer to the module documentation or note it below. Prompt is open for 5 minutes."
8 | echo -e "\t\t$transientPassword"
9 | rootShadow="$(openssl passwd -6 "$transientPassword")"
10 | [ ! -f '/etc/passwd' ] && echo 'root:x:0:0::/root:/bin/bash' > /etc/passwd
11 | [ ! -f '/etc/shadow' ] && echo "root:${rootShadow}:1::::::" > /etc/shadow
12 | mkdir /dev/pts ; mount -t devpts devpts /dev/pts
13 | timeout ${sshTimeout} dropbear -E -F -R -c '. /etc/zfsUnlocker/modules.d/21_ssh/hook' &
14 | }
15 |
16 | function tryPassword {
17 | while [ "$(zfs get -H -o value keystatus "$(/dev/null
28 | }
29 |
30 |
31 | [ -z "$1" ] && tryPassword # Assume no argument is here to unlock something.
32 | $1
33 |
--------------------------------------------------------------------------------
/modules.d/21_ssh/packageDependencies:
--------------------------------------------------------------------------------
1 | coreutils
2 | openssh
3 | procps-ng
4 | mkinitcpio-dropbear
5 |
--------------------------------------------------------------------------------
/modules.d/21_ssh/setup:
--------------------------------------------------------------------------------
1 | map add_binary sshd \
2 | base64 \
3 | cut \
4 | date \
5 | dropbear \
6 | passwd \
7 | sha1sum \
8 | pkill \
9 | timeout \
10 | openssl
11 |
12 | map add_file /etc/ld.so.cache \
13 | /usr/lib/libssl.so \
14 | /usr/lib/libcrypto.so \
15 | /usr/lib/libc.so \
16 | /etc/ssl/openssl.cnf \
17 | /etc/shells
18 |
19 | mkdir "${BUILDROOT}/etc/dropbear"
20 |
21 | . /etc/zfsUnlocker/zfsUnlocker.conf
22 | if [ -n "$authorizedUsers" ]
23 | then
24 | for user in $authorizedUsers
25 | do
26 | if grep -q $user /etc/passwd
27 | then
28 | homedir="$(getent passwd $user | cut -d: -f6)"
29 | mkdir -p ${BUILDROOT}/root/.ssh
30 | if [ -f "${homedir}/.ssh/authorized_keys" ]
31 | then
32 | cat "${homedir}/.ssh/authorized_keys" >> "${BUILDROOT}/root/.ssh/authorized_keys"
33 | else
34 | echo "$user authorized_keys file not found?"
35 | fi
36 | fi
37 | done
38 | fi
39 |
--------------------------------------------------------------------------------
/modules.d/5_configuration/configVars:
--------------------------------------------------------------------------------
1 | # If we need to access one or more VLAN interfaces to access the world
2 | # they can be defined here.
3 | #Vlans=(2 4 6 8)
4 |
--------------------------------------------------------------------------------
/zfsUnlocker.hook:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | #
4 | # Goal: Find and unlock datasets, particularly the root.
5 | #
6 |
7 | zfs_get_bootfs () {
8 | for zfs_dataset in $(zpool list -H -o bootfs); do
9 | case ${zfs_dataset} in
10 | "" | "-")
11 | # skip if unset
12 | ;;
13 | "no pools available")
14 | return 1
15 | ;;
16 | *)
17 | ZFS_DATASET=${zfs_dataset}
18 | return 0
19 | ;;
20 | esac
21 | done
22 | return 1
23 | }
24 |
25 | zfs_decrypt_fs() {
26 | export dataset=$1
27 |
28 | # check if 'zfs load-key' is available
29 | zfs 2>&1 | grep load-key > /dev/null || return 0
30 |
31 | # check if dataset is encrypted
32 | [ "$(zfs get -H -o value encryption "${dataset}")" != "off" ] || return 0
33 |
34 | # check if key is already loaded
35 | [ "$(zfs get -H -o value keystatus "${dataset}")" != "available" ] || return 0
36 |
37 | # get the encryption root
38 | encryptionroot=$(zfs get -H -o value encryptionroot "${dataset}")
39 | echo $encryptionroot > /tmp/encryptionroot # For any other modules to have a crack at it
40 |
41 | echo -e "\tTrying modules..."
42 |
43 | # Try zfsUnlocker's modules.d hooks in order
44 | moduleBasepath="/etc/zfsUnlocker/modules.d"
45 | moduleList="$(ls -1 ${moduleBasepath} | grep -v disabled)"
46 |
47 | for module in $moduleList
48 | do
49 | [ "$(zfs get -H -o value keystatus "${encryptionroot}")" = "available" ] && break
50 | echo "" # spacer
51 | echo -e "\t[${module}]"
52 | if [ -f ${moduleBasepath}/${module}/hook ]
53 | then
54 | ${moduleBasepath}/${module}/hook hook
55 | fi
56 | done
57 |
58 | # When out of options, loop indefinitely on a password prompt.
59 | [ "$(zfs get -H -o value keystatus "${encryptionroot}")" != "available" ] && echo "Out of options, prompting indefinitely."
60 | while [ "$(zfs get -H -o value keystatus "${encryptionroot}")" != "available" ]
61 | do
62 | read -t 30 -s -p "Enter unlock passphrase: " userinput
63 |
64 | if [ -n "$userinput" ]
65 | then
66 | yes "${userinput}" | zfs load-key -a
67 | unset userinput
68 | sleep 2
69 | fi
70 | done
71 |
72 | # If we make it to a mountable root, run the cleanup functions of our hook modules before we get there.
73 | for module in $moduleList
74 | do
75 | if [ -f ${moduleBasepath}/${module}/hook ]
76 | then
77 | ${moduleBasepath}/${module}/hook cleanup
78 | fi
79 | done
80 |
81 |
82 |
83 | }
84 |
85 | zfs_mount_handler () {
86 |
87 | if [ "${ZFS_DATASET}" = "bootfs" ] ; then
88 | if ! zfs_get_bootfs ; then
89 | # Lets import everything and try again
90 | zpool import ${ZPOOL_IMPORT_FLAGS} -N -a ${ZPOOL_FORCE}
91 | if ! zfs_get_bootfs ; then
92 | err "zfsUnlocker: Cannot find a dataset marked as bootfs."
93 | exit 1
94 | fi
95 | fi
96 | fi
97 |
98 | local pool="${ZFS_DATASET%%/*}"
99 | local rwopt_exp="${rwopt:-ro}"
100 |
101 | if ! zpool list -H "${pool}" 2>1 > /dev/null ; then
102 | if [ ! "${rwopt_exp}" = "rw" ]; then
103 | msg "ZFS: Importing pool ${pool} readonly."
104 | ZPOOL_IMPORT_FLAGS="${ZPOOL_IMPORT_FLAGS} -o readonly=on"
105 | else
106 | msg "ZFS: Importing pool ${pool}."
107 | fi
108 |
109 | if ! zpool import ${ZPOOL_IMPORT_FLAGS} -N "${pool}" ${ZPOOL_FORCE} ; then
110 | err "ZFS: Unable to import pool ${pool}."
111 | exit 1
112 | fi
113 | fi
114 |
115 | local newrootDir="$1" # Work off desired mountdir as advised by /init to $mount_handler function.
116 | local rootmnt=$(zfs get -H -o value mountpoint "${ZFS_DATASET}")
117 | local zfs_datasets="$(zfs list -H -o name -t filesystem -r ${ZFS_DATASET})"
118 |
119 | # Handle unlocking the root and any child datasets, but only mount the root now.
120 | for dataset in ${zfs_datasets}; do
121 | mountpoint=$(zfs get -H -o value mountpoint "${dataset}")
122 | canmount=$(zfs get -H -o value canmount "${dataset}")
123 |
124 | # Skip datasets where canmount=off and mountpoint=none or unset.
125 | [ ${canmount} = "off" -o ${mountpoint} = "none" -o ${mountpoint} = "-" ] && continue
126 |
127 | # Check for encryption on the dataset and fire the modules if so.
128 | zfs_decrypt_fs "${dataset}"
129 |
130 | # At this point stop processing datasets we don't intend to mount as the rootfs.
131 |
132 | if [ ${mountpoint} = "legacy" ]
133 | then
134 | mountOpts="${opt}"
135 | else
136 | mountOpts="zfsutil,${rwopt_exp}"
137 | fi
138 |
139 | if [ "${dataset}" == "${ZFS_DATASET}" ] # If this is the root to be
140 | then
141 | mount -t zfs -o "${mountOpts}" "${dataset}" "${newrootDir}"
142 | elif [ ${mountpoint} = "legacy" ]
143 | then
144 | [ ${mountpoint} = "legacy" ] && echo "Leaving legacy mount for host fstab to handle: ${dataset}"
145 | continue
146 | else
147 | echo "Mounting $dataset under rootfs"
148 | mount -t zfs -o "${mountOpts}" "${dataset}" "${newrootDir}${mountpoint}"
149 | fi
150 | done
151 | }
152 |
153 | run_hook() {
154 |
155 | echo "[zfsUnlocker]"
156 | [ ! -h /dev/fd ] && ln -s /proc/self/fd /dev/fd >/dev/null 2>&1
157 | until grep -q zfs <(lsmod)
158 | do
159 | echo -ne "Modprobing ZFS..."
160 | modprobe zfs
161 | echo -ne '.'
162 | count=$(( $count + 1 ))
163 | [ $count -eq 5 ] && echo -ne "\rStuck trying to modprobe zfs... being patient"
164 | [ $count -ge 60 ] && { echo -e "\nCouldn't modprobe ZFS. Waited too long for this to be a slow host. Missing zfs module in initramfs?" ; break ;}
165 | sleep 1
166 | done
167 |
168 | case ${root} in
169 | # root=zfs
170 | "zfs")
171 | ZFS_DATASET="${root}"
172 | mount_handler="zfs_mount_handler"
173 | ;;
174 | # root=ZFS=xxx
175 | "ZFS="*)
176 | ZFS_DATASET="${root#*[=]}"
177 | mount_handler="zfs_mount_handler"
178 | ;;
179 | esac
180 |
181 | case ${zfs} in
182 | "")
183 | # skip if empty/unset
184 | ;;
185 | auto|bootfs)
186 | ZFS_DATASET="bootfs"
187 | mount_handler="zfs_mount_handler"
188 | local pool="[a-zA-Z][^ ]*"
189 | ;;
190 | *)
191 | ZFS_DATASET="${zfs}"
192 | mount_handler="zfs_mount_handler"
193 | local pool="${ZFS_DATASET%%/*}"
194 | ;;
195 | esac
196 |
197 | }
198 |
--------------------------------------------------------------------------------
/zfsUnlocker.install:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | build() {
4 |
5 |
6 | # Grab the general dependencies we're going to always need.
7 | map add_module zavl znvpair zunicode zcommon zfs spl
8 | map add_binary bash \
9 | fsck.zfs \
10 | mount.zfs \
11 | seq \
12 | zdb \
13 | zed \
14 | zfs \
15 | zhack \
16 | zinject \
17 | zpool \
18 | zstreamdump \
19 | /lib/udev/vdev_id \
20 | /lib/udev/zvol_id findmnt
21 |
22 | map add_file /lib/udev/rules.d/60-zvol.rules \
23 | /lib/udev/rules.d/69-vdev.rules \
24 | /lib/udev/rules.d/90-zfs.rules \
25 | /lib/libgcc_s.so.1
26 |
27 | map add_dir /etc/zfs/zed.d
28 | map add_file /etc/zfsUnlocker/zfsUnlocker.conf
29 | map add_full_dir /etc/zfsUnlocker/modules.d
30 |
31 | # Primarily for interface naming
32 | map add_full_dir /usr/lib/udev/rules.d
33 |
34 | # Also append everything our zfsUnlocker modules claim they need.
35 | # And let them run their own checks/copies.
36 | for hookSetup in /etc/zfsUnlocker/modules.d/*/setup
37 | do
38 | . $hookSetup
39 | done
40 |
41 |
42 | add_runscript
43 |
44 | # allow mount(8) to "autodetect" ZFS
45 | echo 'zfs' >>"${BUILDROOT}/etc/filesystems"
46 |
47 | [[ -f /etc/zfs/zpool.cache ]] && cp "/etc/zfs/zpool.cache" "${BUILDROOT}/etc/zfs/zpool.cache.org"
48 | [[ -f /etc/modprobe.d/zfs.conf ]] && add_file "/etc/modprobe.d/zfs.conf"
49 | }
50 |
51 | help() {
52 | cat<