Merge pull request 'install.sh bug fixes, autostart cgroup detachment, vault key security' (#20) from unbrot/fedora-OEMDRV:main into main

Reviewed-on: #20

client_software/0010_kwallet/user_run.sh

@@ -11,7 +11,7 @@ if [[ -z $(wmctrl -m | grep "KWin") ]]; then
 fi
 
 #Restart the service
-/usr/bin/setsid kwalletd6 >${TEMPDIR}/kwalletd6.log 2>&1 &
+systemd-run --user --scope --unit=kwalletd6-logon kwalletd6 >${TEMPDIR}/kwalletd6.log 2>&1 &
 sleep 1
 
 #Check if kwalletd is enabled now

client_software/0050_nextcloud_desktopclient/user_run.sh

@@ -151,7 +151,7 @@ done
 #fi
 # Now start Nextcloud
 echo "Starting Nextcloud Client in Background"
-/usr/bin/setsid ${BASECMD} >${TEMPDIR}/nc_desktop_client.log 2>&1 &
+systemd-run --user --no-block --unit=nextcloud-client.service ${BASECMD} >>${TEMPDIR}/nc_desktop_client.log 2>&1
 sleep 2
 echo "Done Setup of Nextcloud."
 exit 0

client_software/0110_nextcloud_talk_app/user_run.sh

@@ -8,6 +8,7 @@ fi
 # Start Nextcloud Talk in Background
 #Current Version of Talk is dumping Core
 echo "Starting Nextcloud Talk in Background."
-/usr/bin/setsid -f /usr/bin/flatpak run --branch=stable --arch=x86_64 --command=electron-wrapper --file-forwarding com.nextcloud.talk --background >${TEMPDIR}/talk.log 2>&1
+systemd-run --user --no-block --unit=nextcloud-talk.service --property=Delegate=yes \
+    /usr/bin/flatpak run --branch=stable --arch=x86_64 --command=electron-wrapper --file-forwarding com.nextcloud.talk --background >>${TEMPDIR}/talk.log 2>&1
 
 exit 0

install.md

@@ -1,4 +1,4 @@
-# OEMDRV Bootstrap — install.sh + install_from_repo.sh
+# OEMDRV Bootstrap — install.sh
 
 the script `./system_setup/install.sh` prepares a target machine for automated Fedora deployment. It shrinks an existing partition to carve out a dedicated **OEMDRV** partition, which Anaconda/Kickstart will detect automatically during installation.
 
@@ -37,7 +37,7 @@ curl -fsSL ${REPO_URL%.git}/raw/branch/${REPO_BRANCH:-main}/system_setup/install
 sudo -E bash /tmp/install.sh
 ```
 
-That way, install.sh should know what to pull.
+Both are optional. That way, install.sh should know what to pull.
 
 ## After the script completes
 

system_setup/install.sh

@@ -196,9 +196,12 @@ collect_free_space() {
                 $1+0 > 0 {
                     for (i = 1; i <= NF; i++) {
                         if ($i == "free") {
-                            start=$2; end=$3; size=$4;
-                            gsub(/MiB/,"",start); gsub(/MiB/,"",end); gsub(/MiB/,"",size);
-                            s=int(start+0); e=int(end+0); sz=int(size+0);
+                            gsub(/MiB/,"",$2); gsub(/MiB/,"",$3);
+                            e=int($3+0);
+                            raw_s=$2+0;
+                            s=int(raw_s)+(raw_s>int(raw_s)?1:0);
+                            if (s < 1) s = 1;
+                            sz=e-s;
                             if (sz >= min) print s " " e " " sz;
                             break
                         }
@@ -332,12 +335,12 @@ SEL=-1
 while true; do
     echo
     if [[ $FS_IDX -gt 0 && $shrink_count -gt 0 ]]; then
-        read -r -p "Enter  f<n>  to use free space,  s<n>  to shrink a partition, or  q  to quit: " INPUT
+        read -r -p "Enter  f<n>  to use free space,  s<n>  to shrink a partition, or  q  to quit: " INPUT || { echo; echo "Aborted."; exit 0; }
     elif [[ $FS_IDX -gt 0 ]]; then
-        read -r -p "Enter number of free space region to use, or  q  to quit: " INPUT
+        read -r -p "Enter number of free space region to use, or  q  to quit: " INPUT || { echo; echo "Aborted."; exit 0; }
         [[ "$INPUT" =~ ^[0-9]+$ ]] && INPUT="f${INPUT}"
     else
-        read -r -p "Enter number of partition to shrink, or  q  to quit: " INPUT
+        read -r -p "Enter number of partition to shrink, or  q  to quit: " INPUT || { echo; echo "Aborted."; exit 0; }
         [[ "$INPUT" =~ ^[0-9]+$ ]] && INPUT="s${INPUT}"
     fi
 
@@ -458,15 +461,16 @@ fi
 # ── Create OEMDRV partition ───────────────────────────────────────────────────
 
 info "Creating new OEMDRV partition (${OEMDRV_START}–${OEMDRV_END} MiB) on $WORK_DISK..."
-printf 'Yes\n' | parted "$WORK_DISK" mkpart anacondainstall btrfs "${OEMDRV_START}MiB" "${OEMDRV_END}MiB" \
+parted -s "$WORK_DISK" mkpart anacondainstall btrfs "${OEMDRV_START}MiB" "${OEMDRV_END}MiB" \
     || die "parted mkpart failed. Check that the target area is free space on $WORK_DISK."
 
 partprobe "$WORK_DISK"
 sleep 1
 
-# Determine new partition number (highest on the disk after partprobe)
+# Find the partition whose start matches OEMDRV_START (±1 MiB for alignment)
 NEW_PNUM=$(parted -s "$WORK_DISK" -m unit MiB print 2>/dev/null \
-    | awk -F: '/^[0-9]/{n=$1} END{print n}')
+    | awk -F: -v s="$OEMDRV_START" '
+        /^[0-9]/ { gsub(/MiB/,"",$2); if (int($2+0) >= s-1 && int($2+0) <= s+1) { print $1; exit } }')
 [[ -n "$NEW_PNUM" ]] || die "Could not determine new partition number on $WORK_DISK."
 
 OEMDRV_DEV=$(new_part_device "$WORK_DISK" "$NEW_PNUM")

system_setup/mount_ecrypt_home.sh

@@ -42,7 +42,7 @@ if [ $? -ne 0 ]; then
     if [ -d "${ENCRYPTEDDATADIR}" ]; then
         echo "The encrypted Directory ${ENCRYPTEDDATADIR} exists."
         read -p "To mount it with your Key, that you noticed when installing that PC, enter the Key now or press CTRL+C to abort: " ENCKEY
-        echo ${ENCKEY} > /var/tmp/IPAVAULTKEY.txt
+        echo ${ENCKEY} > ${XDG_RUNTIME_DIR}/IPAVAULTKEY
     else
         echo "The Server ${SERVERFQDN_IPA} is offline and no Directory ${ENCRYPTEDDATADIR} exists. Cannot continue."
         echo "Please check your Connection/Server and retry."
@@ -52,12 +52,12 @@ else
     # Server is online
     #Get the Token from IPA
     echo Getting the Vault ${IPAVAULTNAME}
-    ipa vault-retrieve ${IPAVAULTNAME} --out /var/tmp/IPAVAULTKEY.txt >/dev/null #TODO: Instead of /var/tmp use tmpfs for more security
+    ipa vault-retrieve ${IPAVAULTNAME} --out ${XDG_RUNTIME_DIR}/IPAVAULTKEY >/dev/null
     if [ $? -ne 0 ]; then
         echo "No Key found. Will try to Setup a new one."
         ENCKEY=$( openssl rand -base64 24 )
-        echo ${ENCKEY} > /var/tmp/IPAVAULTKEY.txt
-        ipa vault-add "${IPAVAULTNAME}" --desc "Key for Fileencrytption of ${HOSTNM}" --type=standard && ipa vault-archive "${IPAVAULTNAME}" --in /var/tmp/IPAVAULTKEY.txt
+        echo ${ENCKEY} > ${XDG_RUNTIME_DIR}/IPAVAULTKEY
+        ipa vault-add "${IPAVAULTNAME}" --desc "Key for Fileencrytption of ${HOSTNM}" --type=standard && ipa vault-archive "${IPAVAULTNAME}" --in ${XDG_RUNTIME_DIR}/IPAVAULTKEY
         if [ $? -eq 0 ]; then
             echo
             echo "Your Key has been sucessfully stored to the Vault ${IPAVAULTNAME}"
@@ -75,13 +75,13 @@ else
             ENCKEY=""
         fi
     else
-        ENCKEY=$( cat /var/tmp/IPAVAULTKEY.txt )
+        ENCKEY=$( cat ${XDG_RUNTIME_DIR}/IPAVAULTKEY )
 #        echo "The Key is: ${ENCKEY}"
     fi
 fi
 if [ "${ENCKEY}." == "." ]; then
     echo "Some Error while fetching your IPA Vault Key. This should not happen. Quit."
-    rm /var/tmp/IPAVAULTKEY.txt
+    rm ${XDG_RUNTIME_DIR}/IPAVAULTKEY
     exit 2
 fi
 echo "Sucessfuly obtained IPA vault fileencryption key."
@@ -91,11 +91,12 @@ if [ ! -d "${DECRYPTEDDATADIR}" ] || [ ! -f "${HOME}/.config/gocryptfs/gocryptfs
     #Key has been obtained, but no Directory was created till know
     echo "First Setup of encryption: Creating new Directories now"
     mkdir -p ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} ${HOME}/.config/gocryptfs
-    gocryptfs -init -allow_other -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} >/dev/null
+    gocryptfs -init -allow_other -passfile ${XDG_RUNTIME_DIR}/IPAVAULTKEY -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} >/dev/null
 fi
-gocryptfs -noprealloc -allow_other -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} >/dev/null
+systemd-run --user --scope --unit=gocryptfs-home \
+    gocryptfs -noprealloc -allow_other -passfile ${XDG_RUNTIME_DIR}/IPAVAULTKEY -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} >/dev/null
 RETVAL=$?
-rm /var/tmp/IPAVAULTKEY.txt
+rm ${XDG_RUNTIME_DIR}/IPAVAULTKEY
 cd ${EXECDIR}
 if [ ${RETVAL} -eq 0 ]; then
     echo "Sucessfully mounted encrypted private Directory ${DECRYPTEDDATADIR}"

system_setup/setup_system_full.sh

@@ -127,7 +127,7 @@ install_sw()
   ( sed 's/^UMASK.*022$/UMASK\t077/' /etc/login.defs | sudo tee /etc/login.defs ) >/dev/null
 
   #Append OEMDRV mount to SYSCONFIGPATH in fstab
-  echo "LABEL=OEMDRV ${SYSCONFIGPATH} btrfs noatime,nodiratime,nofail 0 0" >> /etc/fstab
+  echo "LABEL=OEMDRV ${SYSCONFIGPATH} btrfs noatime,nodiratime,nofail,compress=zstd:6 0 0" >> /etc/fstab
 
   #Make KDE single click
   echo -e "[KDE]\nSingleClick=true" | tee -a /etc/xdg/kdeglobals