install.sh bug fixes, autostart cgroup detachment, vault key security #20

Merged
obel1x merged 9 commits from unbrot/fedora-OEMDRV:main into main 2026-05-01 17:59:24 +02:00
7 changed files with 30 additions and 24 deletions
+1 -1
@@ -11,7 +11,7 @@ if [[ -z $(wmctrl -m | grep "KWin") ]]; then
fi fi
#Restart the service #Restart the service
/usr/bin/setsid kwalletd6 >${TEMPDIR}/kwalletd6.log 2>&1 & systemd-run --user --scope --unit=kwalletd6-logon kwalletd6 >${TEMPDIR}/kwalletd6.log 2>&1 &
sleep 1 sleep 1
#Check if kwalletd is enabled now #Check if kwalletd is enabled now
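Review bot: The scope name on the new `systemd-run --user --scope --unit=kwalletd6-logon kwalletd6` line is fixed, so if a kwalletd6 launched by an earlier run of this script is still alive inside that scope, systemd-run refuses to create a second unit of the same name and the restart does not happen; because the command ends in `&`, the failure only lands in the log file and the "#Check if kwalletd is enabled now" step below is what would notice it. Whether the earlier instance is stopped before this point is outside the hunk, so this may already be covered; if not, a per-run name such as `--unit="kwalletd6-logon-$$"` avoids the collision. The redirect itself stays correct here, since with `--scope` kwalletd6 remains a child of systemd-run. `${TEMPDIR}` is unquoted in the redirect; `>"${TEMPDIR}/kwalletd6.log"` is safer if that path can contain spaces.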
@@ -151,7 +151,7 @@ done
#fi #fi
# Now start Nextcloud # Now start Nextcloud
echo "Starting Nextcloud Client in Background" echo "Starting Nextcloud Client in Background"
/usr/bin/setsid ${BASECMD} >${TEMPDIR}/nc_desktop_client.log 2>&1 & systemd-run --user --no-block --unit=nextcloud-client.service ${BASECMD} >>${TEMPDIR}/nc_desktop_client.log 2>&1
sleep 2 sleep 2
echo "Done Setup of Nextcloud." echo "Done Setup of Nextcloud."
exit 0 exit 0
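Review bot: The `>>${TEMPDIR}/nc_desktop_client.log 2>&1` on the new systemd-run line redirects the output of systemd-run itself, not of the client: with `--no-block` and no `--scope` the client is started by the user manager as a transient service, so its stdout/stderr go to the journal by default and the log file will only ever hold systemd-run's own messages. The Nextcloud Talk hunk below has the same shape. To keep the per-client log, pass it as unit properties instead, e.g. `--property=StandardOutput=append:${TEMPDIR}/nc_desktop_client.log --property=StandardError=inherit`, and drop the shell redirect. `${BASECMD}` is left unquoted; if that is deliberate so it splits into command and arguments, a comment saying so would help, otherwise an array is the safer form.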
@@ -8,6 +8,7 @@ fi
# Start Nextcloud Talk in Background # Start Nextcloud Talk in Background
#Current Version of Talk is dumping Core #Current Version of Talk is dumping Core
echo "Starting Nextcloud Talk in Background." echo "Starting Nextcloud Talk in Background."
/usr/bin/setsid -f /usr/bin/flatpak run --branch=stable --arch=x86_64 --command=electron-wrapper --file-forwarding com.nextcloud.talk --background >${TEMPDIR}/talk.log 2>&1 systemd-run --user --no-block --unit=nextcloud-talk.service --property=Delegate=yes \
/usr/bin/flatpak run --branch=stable --arch=x86_64 --command=electron-wrapper --file-forwarding com.nextcloud.talk --background >>${TEMPDIR}/talk.log 2>&1
exit 0 exit 0
+2 -2
@@ -1,4 +1,4 @@
# OEMDRV Bootstrap — install.sh + install_from_repo.sh # OEMDRV Bootstrap — install.sh
the script `./system_setup/install.sh` prepares a target machine for automated Fedora deployment. It shrinks an existing partition to carve out a dedicated **OEMDRV** partition, which Anaconda/Kickstart will detect automatically during installation. the script `./system_setup/install.sh` prepares a target machine for automated Fedora deployment. It shrinks an existing partition to carve out a dedicated **OEMDRV** partition, which Anaconda/Kickstart will detect automatically during installation.
@@ -37,7 +37,7 @@ curl -fsSL ${REPO_URL%.git}/raw/branch/${REPO_BRANCH:-main}/system_setup/install
sudo -E bash /tmp/install.sh sudo -E bash /tmp/install.sh
``` ```
That way, install.sh should know what to pull. Both are optional. That way, install.sh should know what to pull.
## After the script completes ## After the script completes
+13 -9
@@ -196,9 +196,12 @@ collect_free_space() {
$1+0 > 0 { $1+0 > 0 {
for (i = 1; i <= NF; i++) { for (i = 1; i <= NF; i++) {
if ($i == "free") { if ($i == "free") {
start=$2; end=$3; size=$4; gsub(/MiB/,"",$2); gsub(/MiB/,"",$3);
gsub(/MiB/,"",start); gsub(/MiB/,"",end); gsub(/MiB/,"",size); e=int($3+0);
s=int(start+0); e=int(end+0); sz=int(size+0); raw_s=$2+0;
s=int(raw_s)+(raw_s>int(raw_s)?1:0);
if (s < 1) s = 1;
sz=e-s;
if (sz >= min) print s " " e " " sz; if (sz >= min) print s " " e " " sz;
break break
} }
@@ -332,12 +335,12 @@ SEL=-1
while true; do while true; do
echo echo
if [[ $FS_IDX -gt 0 && $shrink_count -gt 0 ]]; then if [[ $FS_IDX -gt 0 && $shrink_count -gt 0 ]]; then
read -r -p "Enter f<n> to use free space, s<n> to shrink a partition, or q to quit: " INPUT read -r -p "Enter f<n> to use free space, s<n> to shrink a partition, or q to quit: " INPUT || { echo; echo "Aborted."; exit 0; }
elif [[ $FS_IDX -gt 0 ]]; then elif [[ $FS_IDX -gt 0 ]]; then
read -r -p "Enter number of free space region to use, or q to quit: " INPUT read -r -p "Enter number of free space region to use, or q to quit: " INPUT || { echo; echo "Aborted."; exit 0; }
[[ "$INPUT" =~ ^[0-9]+$ ]] && INPUT="f${INPUT}" [[ "$INPUT" =~ ^[0-9]+$ ]] && INPUT="f${INPUT}"
else else
read -r -p "Enter number of partition to shrink, or q to quit: " INPUT read -r -p "Enter number of partition to shrink, or q to quit: " INPUT || { echo; echo "Aborted."; exit 0; }
[[ "$INPUT" =~ ^[0-9]+$ ]] && INPUT="s${INPUT}" [[ "$INPUT" =~ ^[0-9]+$ ]] && INPUT="s${INPUT}"
fi fi
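Review bot: The `|| { echo; echo "Aborted."; exit 0; }` handler is duplicated verbatim on all three `read` lines of this hunk; a small helper keeps the message and exit status in one place, e.g. `prompt_abort() { echo; echo "Aborted."; exit 0; }` and then `read -r -p "..." INPUT || prompt_abort`. Exiting with status 0 on EOF is defensible for an interactive abort, but it is the same status the script returns after a successful run, so a one-line comment such as `# EOF on the prompt (Ctrl-D) is a clean abort: nothing has been written to disk yet` would save the next reader from wondering whether it was intentional. The `while true` loop enclosing these lines continues past the end of the hunk.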
@@ -458,15 +461,16 @@ fi
# ── Create OEMDRV partition ─────────────────────────────────────────────────── # ── Create OEMDRV partition ───────────────────────────────────────────────────
info "Creating new OEMDRV partition (${OEMDRV_START}${OEMDRV_END} MiB) on $WORK_DISK..." info "Creating new OEMDRV partition (${OEMDRV_START}${OEMDRV_END} MiB) on $WORK_DISK..."
printf 'Yes\n' | parted "$WORK_DISK" mkpart anacondainstall btrfs "${OEMDRV_START}MiB" "${OEMDRV_END}MiB" \ parted -s "$WORK_DISK" mkpart anacondainstall btrfs "${OEMDRV_START}MiB" "${OEMDRV_END}MiB" \
|| die "parted mkpart failed. Check that the target area is free space on $WORK_DISK." || die "parted mkpart failed. Check that the target area is free space on $WORK_DISK."
partprobe "$WORK_DISK" partprobe "$WORK_DISK"
sleep 1 sleep 1
# Determine new partition number (highest on the disk after partprobe) # Find the partition whose start matches OEMDRV_START (±1 MiB for alignment)
NEW_PNUM=$(parted -s "$WORK_DISK" -m unit MiB print 2>/dev/null \ NEW_PNUM=$(parted -s "$WORK_DISK" -m unit MiB print 2>/dev/null \
| awk -F: '/^[0-9]/{n=$1} END{print n}') | awk -F: -v s="$OEMDRV_START" '
/^[0-9]/ { gsub(/MiB/,"",$2); if (int($2+0) >= s-1 && int($2+0) <= s+1) { print $1; exit } }')
[[ -n "$NEW_PNUM" ]] || die "Could not determine new partition number on $WORK_DISK." [[ -n "$NEW_PNUM" ]] || die "Could not determine new partition number on $WORK_DISK."
OEMDRV_DEV=$(new_part_device "$WORK_DISK" "$NEW_PNUM") OEMDRV_DEV=$(new_part_device "$WORK_DISK" "$NEW_PNUM")
+10 -9
@@ -42,7 +42,7 @@ if [ $? -ne 0 ]; then
if [ -d "${ENCRYPTEDDATADIR}" ]; then if [ -d "${ENCRYPTEDDATADIR}" ]; then
echo "The encrypted Directory ${ENCRYPTEDDATADIR} exists." echo "The encrypted Directory ${ENCRYPTEDDATADIR} exists."
read -p "To mount it with your Key, that you noticed when installing that PC, enter the Key now or press CTRL+C to abort: " ENCKEY read -p "To mount it with your Key, that you noticed when installing that PC, enter the Key now or press CTRL+C to abort: " ENCKEY
echo ${ENCKEY} > /var/tmp/IPAVAULTKEY.txt echo ${ENCKEY} > ${XDG_RUNTIME_DIR}/IPAVAULTKEY
else else
echo "The Server ${SERVERFQDN_IPA} is offline and no Directory ${ENCRYPTEDDATADIR} exists. Cannot continue." echo "The Server ${SERVERFQDN_IPA} is offline and no Directory ${ENCRYPTEDDATADIR} exists. Cannot continue."
echo "Please check your Connection/Server and retry." echo "Please check your Connection/Server and retry."
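Review bot: `${XDG_RUNTIME_DIR}/IPAVAULTKEY` is used unquoted and unguarded on the changed line here and in every later hunk of this file; if XDG_RUNTIME_DIR is unset (for example when the script is run through sudo or from a non-session context) the key is written to `/IPAVAULTKEY` at the filesystem root, and `ipa vault-retrieve --out`, `ipa vault-archive --in` and `gocryptfs -passfile` all follow it there. Add `: "${XDG_RUNTIME_DIR:?XDG_RUNTIME_DIR must be set}"` before the first use (the top of the script is outside the hunk) and quote the path everywhere as `"${XDG_RUNTIME_DIR}/IPAVAULTKEY"`. The file is created with the caller's umask; the runtime directory is normally mode 0700 so that is probably sufficient, but `(umask 077; printf '%s\n' "${ENCKEY}" > "${XDG_RUNTIME_DIR}/IPAVAULTKEY")` also protects against a permissive umask and replaces the unquoted `echo ${ENCKEY}`. The gocryptfs call in the last hunk now runs under a fixed `--unit=gocryptfs-home` scope; if the daemon from a previous mount is still inside that scope, systemd-run will presumably refuse the duplicate name where the old direct invocation would have succeeded, which is worth checking before merge.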
@@ -52,12 +52,12 @@ else
# Server is online # Server is online
#Get the Token from IPA #Get the Token from IPA
echo Getting the Vault ${IPAVAULTNAME} echo Getting the Vault ${IPAVAULTNAME}
ipa vault-retrieve ${IPAVAULTNAME} --out /var/tmp/IPAVAULTKEY.txt >/dev/null #TODO: Instead of /var/tmp use tmpfs for more security ipa vault-retrieve ${IPAVAULTNAME} --out ${XDG_RUNTIME_DIR}/IPAVAULTKEY >/dev/null
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "No Key found. Will try to Setup a new one." echo "No Key found. Will try to Setup a new one."
ENCKEY=$( openssl rand -base64 24 ) ENCKEY=$( openssl rand -base64 24 )
echo ${ENCKEY} > /var/tmp/IPAVAULTKEY.txt echo ${ENCKEY} > ${XDG_RUNTIME_DIR}/IPAVAULTKEY
ipa vault-add "${IPAVAULTNAME}" --desc "Key for Fileencrytption of ${HOSTNM}" --type=standard && ipa vault-archive "${IPAVAULTNAME}" --in /var/tmp/IPAVAULTKEY.txt ipa vault-add "${IPAVAULTNAME}" --desc "Key for Fileencrytption of ${HOSTNM}" --type=standard && ipa vault-archive "${IPAVAULTNAME}" --in ${XDG_RUNTIME_DIR}/IPAVAULTKEY
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
echo echo
echo "Your Key has been sucessfully stored to the Vault ${IPAVAULTNAME}" echo "Your Key has been sucessfully stored to the Vault ${IPAVAULTNAME}"
@@ -75,13 +75,13 @@ else
ENCKEY="" ENCKEY=""
fi fi
else else
ENCKEY=$( cat /var/tmp/IPAVAULTKEY.txt ) ENCKEY=$( cat ${XDG_RUNTIME_DIR}/IPAVAULTKEY )
# echo "The Key is: ${ENCKEY}" # echo "The Key is: ${ENCKEY}"
fi fi
fi fi
if [ "${ENCKEY}." == "." ]; then if [ "${ENCKEY}." == "." ]; then
echo "Some Error while fetching your IPA Vault Key. This should not happen. Quit." echo "Some Error while fetching your IPA Vault Key. This should not happen. Quit."
rm /var/tmp/IPAVAULTKEY.txt rm ${XDG_RUNTIME_DIR}/IPAVAULTKEY
exit 2 exit 2
fi fi
echo "Sucessfuly obtained IPA vault fileencryption key." echo "Sucessfuly obtained IPA vault fileencryption key."
@@ -91,11 +91,12 @@ if [ ! -d "${DECRYPTEDDATADIR}" ] || [ ! -f "${HOME}/.config/gocryptfs/gocryptfs
#Key has been obtained, but no Directory was created till know #Key has been obtained, but no Directory was created till know
echo "First Setup of encryption: Creating new Directories now" echo "First Setup of encryption: Creating new Directories now"
mkdir -p ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} ${HOME}/.config/gocryptfs mkdir -p ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} ${HOME}/.config/gocryptfs
gocryptfs -init -allow_other -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} >/dev/null gocryptfs -init -allow_other -passfile ${XDG_RUNTIME_DIR}/IPAVAULTKEY -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} >/dev/null
fi fi
gocryptfs -noprealloc -allow_other -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} >/dev/null systemd-run --user --scope --unit=gocryptfs-home \
gocryptfs -noprealloc -allow_other -passfile ${XDG_RUNTIME_DIR}/IPAVAULTKEY -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} >/dev/null
RETVAL=$? RETVAL=$?
rm /var/tmp/IPAVAULTKEY.txt rm ${XDG_RUNTIME_DIR}/IPAVAULTKEY
cd ${EXECDIR} cd ${EXECDIR}
if [ ${RETVAL} -eq 0 ]; then if [ ${RETVAL} -eq 0 ]; then
echo "Sucessfully mounted encrypted private Directory ${DECRYPTEDDATADIR}" echo "Sucessfully mounted encrypted private Directory ${DECRYPTEDDATADIR}"
+1 -1
@@ -127,7 +127,7 @@ install_sw()
( sed 's/^UMASK.*022$/UMASK\t077/' /etc/login.defs | sudo tee /etc/login.defs ) >/dev/null ( sed 's/^UMASK.*022$/UMASK\t077/' /etc/login.defs | sudo tee /etc/login.defs ) >/dev/null
#Append OEMDRV mount to SYSCONFIGPATH in fstab #Append OEMDRV mount to SYSCONFIGPATH in fstab
echo "LABEL=OEMDRV ${SYSCONFIGPATH} btrfs noatime,nodiratime,nofail 0 0" >> /etc/fstab echo "LABEL=OEMDRV ${SYSCONFIGPATH} btrfs noatime,nodiratime,nofail,compress=zstd:6 0 0" >> /etc/fstab
#Make KDE single click #Make KDE single click
echo -e "[KDE]\nSingleClick=true" | tee -a /etc/xdg/kdeglobals echo -e "[KDE]\nSingleClick=true" | tee -a /etc/xdg/kdeglobals