chore: copy config from upstream and remove dep (#593)

This commit is contained in:
RoyalOughtness
2024-11-21 17:23:06 -08:00
committed by GitHub
parent 5172baa133
commit 261936654f
59 changed files with 2753 additions and 1161 deletions

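--- a/files/system/usr/bin/ugum
+++ b/files/system/usr/bin/ugum
@@ -0,0 +1,204 @@
+#!/usr/bin/bash
+# Copyright 2024 Universal Blue
+#
+# This file includes code that is licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and limitations under the License.
+##################################################################
+# This is a helper script to provide a basic fallback replacement
+# for just commands and bash scripts that want to use gum in uBlue
+##################################################################
+# Supported menu handlers
+SUPPORTED_HANDLERS=(
+"fzf"
+)
+# Check if gum is present
+GUM=$(which gum 2>/dev/null)
+# Check if fzf is installed and set it as the handler
+FALLBACK_HANDLER=$(which fzf 2>/dev/null)
+HANDLER=""
+if [[ -n $FALLBACK_HANDLER ]]; then
+HANDLER="fzf"
+fi
+# If $MENU is set
+if [[ -n $MENU ]]; then
+for BIN in "${SUPPORTED_HANDLERS[@]}"
+do
+if [[ "$BIN" == "$MENU" ]]; then
+HANDLER=$BIN
+fi
+done
+fi
+# Logic for what to do if gum is not installed
+function noGum () {
+if [[ -z "$1" ]]; then
+# If no arguments are provided then error with
+echo "ugum supports only choose or confirm as the first argument!"
+echo "Usage:"
+echo ' ugum choose option1 option2 \"option 3\"'
+echo ' Returns: selected string'
+echo ' ugum confirm "this is an optional question'
+echo ' Returns: exit code in $? will be 0 for YES and 1 for NO'
+exit 5
+elif [[ "$1" == "choose" ]]; then
+# If choose is the verb then run the choose function and pass all remaining args to an appropriate handler
+if [[ "$HANDLER" == "fzf" ]]; then
+# Use fzf for choice selector
+choose_Fzf "${@:2}"
+else
+# Use generic bash selector
+choose_Generic "${@:2}"
+fi
+elif [[ "$1" == "confirm" ]]; then
+# If confirm is the verb then run the confirm function and pass all remaining args to an appropriate handler
+if [[ "$HANDLER" == "fzf" ]]; then
+# Use fzf as a confirm dialog
+confirm_Fzf "${@:2}"
+else
+# Use a generic bash dialog
+confirm_Generic "${@:2}"
+fi
+fi
+}
+# Implements a generic bash choice dialog
+function choose_Generic () {
+# Change PS3 to our select prompt
+PS3='Please enter your choice: '
+# Make an array to contain all options in
+OPTIONS=()
+# Parse the arguments for the ones we support and care about
+for arg in "$@"
+do
+# If the argument does not start with -
+if [[ ! $arg =~ ^- ]]; then
+OPTIONS+=("$arg")
+fi
+done
+# Make a select prompt in bash
+select opt in "${OPTIONS[@]}"
+do
+case $opt in
+"")
+# Invalid options print to STDERR and then loops back for the user to select again
+echo "Invalid option $REPLY" >&2
+;;
+"$opt")
+echo "$opt"
+break
+;;
+esac
+done
+}
+# Implements a choice dialog using fzf
+function choose_Fzf () {
+# Change our select prompt
+PROMPT='Please select your choice: '
+# Make an array to contain all options in
+local OPTIONS
+# Parse the arguments for the ones we support and care about
+for arg in "$@"
+do
+# If the argument does not start with -
+if [[ ! $arg =~ ^- ]]; then
+if [[ "$OPTIONS" == "" ]]; then
+OPTIONS="${arg}"
+continue
+fi
+OPTIONS="${OPTIONS}\n${arg}"
+fi
+done
+# Make a select prompt using fzf
+echo -e "$OPTIONS" | fzf --layout=reverse --height="~20%" --prompt="$PROMPT"
+}
+# Implements a generic bash confirm dialog
+function confirm_Generic () {
+# Set default prompt
+PROMPT="Are you sure?"
+# Parse the arguments for the ones we support and care about
+for arg in "$@"
+do
+if [[ ! $arg =~ ^- ]]; then
+PROMPT="$arg"
+fi
+done
+# Print the prompt and read input
+read -r -p "$PROMPT [Y/n]: " YESNO
+confirm_Parse "$YESNO"
+}
+# Implements a confirm dialog in fzf
+function confirm_Fzf () {
+PROMPT=$(confirm_getPrompt "$@")
+# Make the confirm prompt using fzf and read response
+YESNO=$(echo -e "Yes\nNo" | fzf --layout=reverse --height="~20%" --prompt="$PROMPT ")
+confirm_Parse "$YESNO"
+}
+# Gets the prompt for the confirm dialog, with a fallback to "Are you sure?"
+function confirm_getPrompt () {
+# Set default prompt
+PROMPT="Are you sure?"
+# Parse the arguments for the ones we support and care about
+for arg in "$@"
+do
+if [[ ! $arg =~ ^- ]]; then
+PROMPT="$arg"
+fi
+done
+# Return the prompt
+echo "$PROMPT"
+}
+# Parse the confirm response and translate it the same exit codes gum uses
+function confirm_Parse () {
+case "$@" in
+[Yy]*)
+# Use exit code 0 for yes, just like gum
+exit 0
+;;
+[Nn]*)
+# Use exit code 1 for no, just like gum
+exit 1
+;;
+*)
+# Default exit code is 0
+exit 0
+;;
+esac
+}
+# If gum is not present
+if [[ -z "$GUM" ]]; then
+noGum "$@"
+else
+# If gum is present just pass args to gum
+$GUM "$@"
+fi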
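Review bot: `confirm_Fzf` fails open: when the user presses Esc or Ctrl-C in fzf, `YESNO` is empty and the `*)` arm of `confirm_Parse` exits 0, which every caller reads as "Yes" — the opposite of what a confirm guarding a destructive action should do (empty-means-yes is only appropriate in `confirm_Generic`, whose prompt advertises `[Y/n]`). I would add `[[ -z "$YESNO" ]] && exit 1` right after the fzf call in `confirm_Fzf` so an aborted dialog counts as No. Two smaller points: `GUM=$(which gum ...)` and `FALLBACK_HANDLER=$(which fzf ...)` should use `command -v`, and the final dispatch should quote the path, `"$GUM" "$@"`, so an install path containing spaces or glob characters is not re-split. `noGum` also silently does nothing for any first argument other than `choose`/`confirm`; falling through to the usage text and `exit 5` would surface typos in callers.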

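--- a/files/system/usr/bin/ujust
+++ b/files/system/usr/bin/ujust
@@ -0,0 +1,15 @@
+#!/usr/bin/bash
+# Copyright 2024 Universal Blue
+#
+# This file includes code that is licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and limitations under the License.
+/usr/bin/just --justfile /usr/share/ublue-os/justfile "${@}"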


@@ -0,0 +1 @@
add_dracutmodules+=" fido2 tpm2-tss pkcs11 pcsc "


@@ -0,0 +1 @@
enable flatpak-system-update.service
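Review bot: `enable flatpak-system-update.service` targets the service unit, but the `flatpak-system-update.service` added in this same commit has no `[Install]` section, so `systemctl preset` has nothing to enable for it and the scheduled update would never be armed; the `[Install]`/`WantedBy=timers.target` lives on the timer unit. Unless the service gains an `[Install]` section elsewhere, this line should read `enable flatpak-system-update.timer`.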


@@ -0,0 +1,10 @@
[Unit]
Description=Flatpak Automatic Update
Documentation=man:flatpak(1)
Wants=network-online.target
After=network-online.target
[Service]
Type=oneshot
ExecCondition=/bin/bash -c '[[ "$(busctl get-property org.freedesktop.NetworkManager /org/freedesktop/NetworkManager org.freedesktop.NetworkManager Metered | cut -c 3-)" == @(2|4) ]]'
ExecStart=/usr/bin/flatpak --system uninstall --unused -y --noninteractive ; /usr/bin/flatpak --system update -y --noninteractive ; /usr/bin/flatpak --system repair
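Review bot: The three commands in `ExecStart` are chained with `;`, which systemd runs as separate command lines that stop at the first non-zero exit unless that command is prefixed with `-`; a failed `update` therefore skips `repair`, and a failed `uninstall --unused` skips both and marks the unit failed. If the intent is best-effort maintenance, prefix the first two commands with `-` (`ExecStart=-/usr/bin/flatpak --system uninstall --unused -y --noninteractive ; -/usr/bin/flatpak --system update -y --noninteractive ; /usr/bin/flatpak --system repair`), or split them into separate `ExecStart=` lines so the failing step is attributable in the journal. The `ExecCondition` also presumes NetworkManager is present on the system bus; on a host without it the condition fails and updates silently never run — a reasonable fail-closed default, but worth a one-line comment in the unit.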


@@ -0,0 +1,12 @@
[Unit]
Description=Flatpak Automatic Update Trigger
Documentation=man:flatpak(1)
[Timer]
RandomizedDelaySec=10m
OnBootSec=2m
OnCalendar=*-*-* 4:00:00
Persistent=true
[Install]
WantedBy=timers.target


@@ -0,0 +1 @@
enable flatpak-user-update.service
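Review bot: `enable flatpak-user-update.service` names the service, but the `flatpak-user-update.service` in this commit has no `[Install]` section, so the user preset would not actually enable anything; only the companion timer carries `WantedBy=timers.target`. Unless the service is given an `[Install]` section elsewhere, this should be `enable flatpak-user-update.timer`.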


@@ -0,0 +1,10 @@
[Unit]
Description=Flatpak Automatic Update
Documentation=man:flatpak(1)
Wants=network-online.target
After=network-online.target
[Service]
Type=oneshot
ExecCondition=/bin/bash -c '[[ "$(busctl get-property org.freedesktop.NetworkManager /org/freedesktop/NetworkManager org.freedesktop.NetworkManager Metered | cut -c 3-)" == @(2|4) ]]'
ExecStart=/usr/bin/flatpak --user uninstall --unused -y --noninteractive ; /usr/bin/flatpak --user update -y --noninteractive ; /usr/bin/flatpak --user repair
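Review bot: In `ExecStart`, `;`-separated commands stop at the first failure unless prefixed with `-`, so a failing `flatpak --user update` means `flatpak --user repair` never runs, and a failing `uninstall --unused` skips both. Prefix the first two with `-` (`ExecStart=-/usr/bin/flatpak --user uninstall --unused -y --noninteractive ; -/usr/bin/flatpak --user update -y --noninteractive ; /usr/bin/flatpak --user repair`) or use separate `ExecStart=` lines so each step's result is visible in the journal.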


@@ -0,0 +1,12 @@
[Unit]
Description=Flatpak Automatic Update Trigger
Documentation=man:flatpak(1)
[Timer]
RandomizedDelaySec=10m
OnBootSec=2m
OnCalendar=*-*-* 4:00:00
Persistent=true
[Install]
WantedBy=timers.target


@@ -0,0 +1,11 @@
Copyright 2024 Universal Blue
The files in this directory contain code that is licensed under the Apache License, Version 2.0 (the "License");
you may not use these files except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is
distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and limitations under the License.


@@ -0,0 +1,50 @@
#!/usr/bin/bash
# Disable shellchecks for things that do not matter for
# a sourceable file
# shellcheck disable=SC2034,SC2155
########
### Basic Colors
### the bg function allows flipping these to background colors
### using the 90-97 colors is not supported by the bg function
### add them as extended colors instead which uses
### option 38 (foreground) which can be flipped to 48 (background)
########
declare -r black=$'\033[30m'
declare -r red=$'\033[31m'
declare -r green=$'\033[32m'
declare -r yellow=$'\033[33m'
declare -r blue=$'\033[34m'
declare -r magenta=$'\033[35m'
declare -r purple="$magenta"
declare -r cyan=$'\033[36m'
declare -r lightgrey=$'\033[37m'
declare -r lightgray="$lightgrey"
########
### Extended Colors
### You can use cpick from https://github.com/ethanbaker/cpick to get the colors
### cpick bash varname | sed -E 's/readonly/declare/'
########
declare -r darkgrey=$'\033[38;2;168;168;168m'
declare -r darkgray="$darkgrey"
declare -r lightred=$'\033[38;2;255;114;118m'
declare -r lightgreen=$'\033[38;2;146;240;146m'
declare -r lightyellow=$'\033[38;2;255;255;224m'
declare -r lightblue=$'\033[38;2;172;215;230m'
declare -r pink=$'\033[38;2;255;20;146m'
declare -r lightmagenta="$pink"
declare -r lightcyan=$'\033[38;2;224;255;255m'
declare -r white=$'\033[38;2;250;235;215m'
declare -r lightpink=$'\033[38;2;255;181;192m'
declare -r darkorange=$'\033[38;2;255;129;3m'
## Function to generate background color from foreground color
## NOTE: doublequote the color or future calls to bg will error out!
# bgblue=$(Bg "$blue")
# echo "${bgblue}text now has blue background${normal} this text has no background color"
function Bg (){
COLOR="$1"
# Flip foreground to background
echo "$COLOR" | sed -E 's/\[3([0-8]{1,1})/\[4\1/'
}
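Review bot: `Bg` assigns its argument to the global `COLOR` even though this file is meant to be `source`d into other scripts, so any caller variable of the same name is clobbered on every call; `local COLOR="$1"` keeps it function-scoped. The `echo "$COLOR" | sed ...` pipeline would also read more plainly as `printf '%s' "$1" | sed -E 's/\[3([0-8]{1,1})/\[4\1/'`, which avoids `echo`'s escape and option handling and matches the `printf` style used in libformatting.sh from the same commit.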


@@ -0,0 +1,138 @@
#!/usr/bin/bash
# shellcheck disable=SC2154
########
## Function to create a distrobox with standardized args
########
## Create a distrobox using default fedora:latest, name the box "my-fedora-box" and give it a custom homedir
# Distrobox "fedora:latest" "my-fedora-box" "$HOME/.var/containers/fedora-box"
## Create a debian toolbox distrobox named debian-unstable
# Distrobox "quay.io/toolbx-images/debian-toolbox:unstable" "debian-unstable"
## Create an ubuntu distrobox named someubuntubox with no custom homedir and unshare network namespace
## ($3 is required if supplying extra args, using "" makes the function skip it)
# Distrobox "ubuntu:latest" "someubuntubox" "" --unshare-ns
function Distrobox (){
IMAGE="$1"
NAME="$2"
HOMEDIR=""
# If custom home directory is supplied
if [ -n "$3" ]; then
HOMEDIR="$3"
fi
# If a custom home directory is not specified
if [ -z "$HOMEDIR" ]; then
distrobox create --nvidia -Y --image "$IMAGE" -n "$NAME" "${@:3}"
else
# Make the custom homedir path if it does not exist
if [ ! -d "$HOMEDIR" ]; then
mkdir -p "$HOMEDIR"
fi
# Create distrobox with custom home path
distrobox create --nvidia -Y --image "$IMAGE" -n "$NAME" -H "$HOMEDIR" "${@:4}"
fi
}
########
## Function to assemble pre-defined distrobox containers from manifest files
########
## Assemble all containers defined in an ini file without confirmation
# Assemble noconfirmcreate "/etc/distrobox/distrobox.ini"
# Assemble noconfirmcreate "" ALL
## Assemble ubuntu from default ini manifest, with confirmation
# Assemble confirm "" ubuntu
## Remove a container defined in the default ini manifest
# Assemble rm "" ubuntu
function Assemble(){
# Set defaults
ACTION="create"
FILE="/etc/distrobox/distrobox.ini"
NAME=""
# If an action is provided
if [ -n "$1" ]; then
# Set ACTION to the action specified
# and remove "noconfirm" from $1 when assigning it to ACTION
ACTION="${1/noconfirm/}"
fi
# If a filename is provided
if [ -n "$2" ]; then
# Set FILE to the provided filename
FILE="$2"
fi
# If container name is ALL
if [ "$3" == "ALL" ] || [ -z "$3" ]; then
if [[ ! "$1" =~ ^noconfirm ]]; then
# Ask user if they REALLY want to assemble all the containers
echo -e "${b}WARNING${n}: This will assemble and ${u}replace${n}\nALL containers defined in ${b}$FILE${n}."
CONFIRM=$(Confirm "Are you sure you want to do this?")
if [ "$CONFIRM" == "1" ]; then
echo "Aborting..."
return 1
fi
fi
# Run the distrobox assemble command
distrobox assemble "$ACTION" --file "$FILE" --replace
return $?
else
# Set distrobox name to provided name
NAME="$3"
fi
# If we do not want confirmations
if [[ ! "$1" =~ ^noconfirm ]]; then
# Ask the user if they really want to replace $NAME container
echo -e "${b}WARNING${n}: This will assemble and ${u}replace${n} the container ${b}$NAME${n}\nwith the one defined in ${b}$FILE${n}."
CONFIRM=$(Confirm "Are you sure you want to do this?")
if [ "$CONFIRM" == "1" ]; then
echo "Aborting..."
return 1
fi
fi
# Run the distrobox assemble command
distrobox assemble "$ACTION" --file "$FILE" --name "$NAME" --replace
}
########
## Function to parse a distrobox.ini file and make a selectable list from it
########
## Parse a distrobox.ini manifest and let user select which container to setup
# AssembleList "$HOME/distrobox.ini" create
## Parse a distrobox.ini manifest and create ubuntu container without confirmation
# AssembleList "$HOME/distrobox.ini" noconfirmcreate ubuntu
function AssembleList (){
# Set defaults
FILE="$1"
ACTION="create"
CHOICE="prompt"
# If an ACTION is supplied
if [ -n "$2" ]; then
# Replace default action
ACTION="$2"
fi
# If a CHOICE is predefined
if [ -n "$3" ]; then
# Replace default choice
CHOICE="$3"
fi
# If the choice is "prompt" then ask user what container they want
if [ "$CHOICE" == "prompt" ]; then
CONTAINERS=$(grep -P "\[.+\]" "$FILE" | sed -E 's/\[(.+)\]/\1/')
echo "${b}Pre-defined Containers${n}"
echo "Please select a container to create"
# Disable an irrelevant shellscheck for next line as we want word splitting
# shellcheck disable=SC2086
CHOICE=$(Choose ALL $CONTAINERS)
fi
# If choice is not empty by now (will be empty if escaped from Choice function)
if [ -n "$CHOICE" ]; then
# Assemble the selected container
Assemble "$ACTION" "$FILE" "$CHOICE"
fi
}
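Review bot: `Distrobox` forwards `"${@:3}"` in the no-homedir branch, so the documented call `Distrobox "ubuntu:latest" "someubuntubox" "" --unshare-ns` hands the empty placeholder `""` to `distrobox create` as a stray positional argument; both branches should forward `"${@:4}"`, since `$3` is consumed as the homedir slot whether or not it is empty. Separately, `Assemble` aborts only when `Confirm` echoes exactly `1`, so any other non-zero status — presumably 130 from an interrupted prompt, or 127 if `ugum` is not installed — falls through to `distrobox assemble ... --replace`; testing `if [ "$CONFIRM" != "0" ]; then` at both confirmation sites closes that fail-open. The functions here also write to globals (`IMAGE`, `NAME`, `HOMEDIR`, `FILE`, `ACTION`, `CHOICE`) where libtoolbox.sh in the same commit declares the equivalents `local`; matching that convention avoids leaking state into the sourcing script.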


@@ -0,0 +1,42 @@
#!/usr/bin/bash
# Disable shellchecks for things that do not matter for
# a sourceable file
# shellcheck disable=SC2034,SC2155
########
### Text Formating
########
declare -r bold=$'\033[1m'
declare -r b="$bold"
declare -r dim=$'\033[2m'
declare -r underline=$'\033[4m'
declare -r u="$underline"
declare -r blink=$'\033[5m'
declare -r invert=$'\033[7m'
declare -r highlight="$invert"
declare -r hidden=$'\033[8m'
########
### Remove Text Formating
########
declare -r normal=$'\033[0m'
declare -r n="$normal"
declare -r unbold=$'\033[21m'
declare -r undim=$'\033[22m'
declare -r nounderline=$'\033[24m'
declare -r unblink=$'\033[25m'
declare -r uninvert=$'\033[27m'
declare -r unhide=$'\033[28m'
########
### Special text formating
########
## Function to generate a clickable link, you can call this using
# url=$(Urllink "https://ublue.it" "Visit the ublue website")
# echo "${url}"
function Urllink (){
URL=$1
TEXT=$2
# Generate a clickable hyperlink
printf "\e]8;;%s\e\\%s\e]8;;\e\\" "$URL" "$TEXT${n}"
}
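Review bot: `declare -r unbold=$'\033[21m'` is not "bold off" in ECMA-48: SGR 21 is doubly-underlined, and a number of terminal emulators render it that way, whereas SGR 22 — already defined here as `undim` — is the code that resets intensity (both bold and dim). Unless the target console is known to treat 21 as bold-off, define `unbold` as `$'\033[22m'` and note in the comment that it also clears dim. In `Urllink`, `URL` and `TEXT` should be `local` since the file is sourced, and because both are emitted unescaped into the OSC 8 sequence a value containing an ESC or `;` can break or forge the hyperlink — a comment that callers must pass only trusted strings is warranted.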


@@ -0,0 +1,31 @@
#!/usr/bin/bash
# shellcheck disable=SC2154
########
## Useful functions we use a lot, if you want to use them, source libjust.sh
## As it depends on libformatting.sh and libcolors.sh
## They are not imported here to avoid attempting to redeclare readonly vars.
########
########
## Function to generate a choice selection and return the selected choice
########
# CHOICE=$(Choice option1 option2 "option 3")
# *user selects "option 3"*
# echo "$CHOICE" will return "option 3"
function Choose (){
CHOICE=$(ugum choose "$@")
echo "$CHOICE"
}
########
## Function to generate a confirm dialog and return the selected choice
########
# CHOICE=$(Confirm "Are you sure you want to do this?")
# *user selects "No"*
# echo "$CHOICE" will return "1"
# 0 = Yes
# 1 = No
function Confirm (){
ugum confirm "$@"
echo $?
}
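Review bot: `Confirm` echoes the raw exit status of `ugum confirm`, but its documented contract — and every caller in this commit, which tests `"$CONFIRM" == "1"` — is strictly 0 = Yes / 1 = No; any other status (`ugum` absent, the dialog interrupted, the usage-error path) is therefore treated as Yes by callers gating a `--replace`. Normalise inside `Confirm` so a non-zero status always reads as No: `if ugum confirm "$@"; then echo 0; else echo 1; fi`. The usage comment above `Choose` names the function `Choice`; it should read `CHOICE=$(Choose option1 option2 "option 3")`. `CHOICE` inside `Choose` should also be `local`, since this file is sourced into callers that use the same variable name.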


@@ -0,0 +1,171 @@
#!/usr/bin/bash
# shellcheck disable=SC2154
########
## Function to create a toolbox with standardized args
########
## Create a debian toolbox toolbox named debian-unstable
# Toolbox create "quay.io/toolbx-images/debian-toolbox:unstable" "debian-unstable"
## Create an ubuntu toolbox and provide an authfile to authenticate with the registry
# Toolbox create "ubuntu:22.04" --authfile "/path/to/file"
function Toolbox (){
# Get the action we want to do
local ACTION="$1"
# Get the "image" argument, we use this as an abstraction layer
# To decide if it is an image registry or a distro+release image argument
local IMAGE="$2"
# Define local variables
local DISTRORELEASE
# If the ACTION is "replace"
if [ "$1" == "replace" ]; then
# Set ACTION to create
ACTION="create"
# Remove old image before continuing
toolbox rm --force "${@:3}"
fi
# Check if $IMAGE is an image registry url
if [[ "$IMAGE" =~ / ]]; then
# Create toolbox based on image from registry
toolbox "$ACTION" --image "$IMAGE" "${@:3}"
else
# Split IMAGE string into an array
# shellcheck disable=SC2206
DISTRORELEASE=(${IMAGE//:/ })
# Create toolbox with distro and release args
toolbox "$ACTION" --distro "${DISTRORELEASE[0]}" --release "${DISTRORELEASE[1]}" "${@:3}"
fi
}
########
## Function to assemble pre-defined toolbox containers from manifest files
########
## Assemble all containers defined in an ini file without confirmation
# ToolboxAssemble noconfirmcreate "/etc/toolbox/toolbox.ini"
# ToolboxAssemble noconfirmcreate "/etc/toolbox/toolbox.ini" ALL
## Assemble ubuntu from default ini manifest, with confirmation
# ToolboxAssemble confirm "/etc/toolbox/toolbox.ini" ubuntu-toolbox-22.04
## Remove a container defined in the default ini manifest
# ToolboxAssemble rm "/etc/toolbox/toolbox.ini" ubuntu-toolbox-22.04
function ToolboxAssemble (){
# Set defaults
local ACTION="create"
local FILE="/etc/toolbox/toolbox.ini"
local NAME=""
# Define local variables
local CONTAINERS
local IMAGE
local CONFIRM
# If an action is provided
if [ -n "$1" ]; then
# Set ACTION to the action specified
# and remove "noconfirm" from $1 when assigning it to ACTION
ACTION="${1/noconfirm/}"
fi
# If a filename is provided
if [ -n "$2" ]; then
# Set FILE to the provided filename
FILE="$2"
fi
# If container name is ALL
if [ "$3" == "ALL" ] || [ -z "$3" ]; then
if [[ ! "$1" =~ ^noconfirm ]]; then
# Ask user if they REALLY want to assemble all the containers
echo -e "${b}WARNING${n}: This will assemble and ${u}replace${n}\nALL containers defined in ${b}$FILE${n}."
CONFIRM=$(Confirm "Are you sure you want to do this?")
if [ "$CONFIRM" == "1" ]; then
echo "Aborting..."
return 1
fi
fi
# Get all the containers
CONTAINERS=$(grep -P "\[.+\]" "$FILE" | sed -E 's/\[(.+)\]/\1/')
# Run the toolbox assemble command
#toolbox assemble "$ACTION" --file "$FILE" --replace
for CONTAINER in $CONTAINERS
do
# Get the image for the container
IMAGE=$(grep -A1 -P "\[$CONTAINER\]" "$FILE" | grep "image" | sed 's/image=//')
# Replace the container
Toolbox replace "$IMAGE" "$CONTAINER"
done
return $?
else
# Set toolbox name to provided name
NAME="$3"
fi
# If we do not want confirmations
if [[ ! "$1" =~ ^noconfirm ]]; then
# Ask the user if they really want to replace $NAME container
echo -e "${b}WARNING${n}: This will assemble and ${u}replace${n} the container ${b}$NAME${n}\nwith the one defined in ${b}$FILE${n}."
CONFIRM=$(Confirm "Are you sure you want to do this?")
if [ "$CONFIRM" == "1" ]; then
echo "Aborting..."
return 1
fi
fi
# Get the image for the container
IMAGE=$(grep -A1 -P "\[$NAME\]" "$FILE" | grep "image" | sed 's/image=//')
# Replace the toolbox container
Toolbox replace "$IMAGE" "$NAME"
}
########
## Function to parse a toolbox.ini file and make a selectable list from it
########
## Parse a toolbox.ini manifest and let user select which container to setup
# ToolboxAssembleList "$HOME/toolbox.ini" create
## Parse a toolbox.ini manifest and create ubuntu container without confirmation
# ToolboxAssembleList "$HOME/toolbox.ini" noconfirmcreate ubuntu-toolbox-22.04
function ToolboxAssembleList (){
# Set defaults
local FILE="$1"
local ACTION="create"
local CHOICE="prompt"
# Define local variables
local CONTAINERS
# If an ACTION is supplied
if [ -n "$2" ]; then
# Replace default action
ACTION="$2"
fi
# If a CHOICE is predefined
if [ -n "$3" ]; then
# Replace default choice
CHOICE="$3"
fi
# If the choice is "prompt" then ask user what container they want
if [ "$CHOICE" == "prompt" ]; then
CONTAINERS=$(grep -P "\[.+\]" "$FILE" | sed -E 's/\[(.+)\]/\1/')
echo "${b}Pre-defined Containers${n}"
echo "Please select a container to create"
# Disable an irrelevant shellscheck for next line as we want word splitting
# shellcheck disable=SC2086
CHOICE=$(Choose ALL $CONTAINERS)
fi
# If choice is not empty by now (will be empty if escaped from Choice function)
if [ -n "$CHOICE" ]; then
# If ACTION is create
if [ "$ACTION" == "create" ]; then
ACTION="replace"
fi
# Assemble the selected container
ToolboxAssemble "$ACTION" "$FILE" "$CHOICE"
fi
}
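Review bot: `IMAGE=$(grep -A1 -P "\[$CONTAINER\]" "$FILE" | grep "image" | sed 's/image=//')` interpolates the container name into a PCRE pattern and assumes `image=` is the very next line after the section header; a name containing `.`, `+` or other metacharacters matches the wrong section or nothing, and an `image=` key placed second in its section is missed, leaving `IMAGE` empty so `Toolbox replace "" "$CONTAINER"` removes the container and recreates it with `--distro "" --release ""`. Match the header as a fixed string and read the key within the section instead, e.g. `awk -v s="[$NAME]" '$0==s{f=1;next} /^\[/{f=0} f && sub(/^image=/,"")' "$FILE"`, and hoist it into a helper since the same lookup appears twice. `ToolboxAssemble` also proceeds unless `Confirm` echoes exactly `1`, so an interrupted or failed prompt falls through to the destructive `toolbox rm --force`; `[ "$CONFIRM" != "0" ]` is the safer test. Finally, `Toolbox replace` passes `"${@:3}"` to `toolbox rm --force`, so create-time flags such as the `--authfile` in the header example are handed to `rm` as well.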


@@ -0,0 +1,12 @@
#!/usr/bin/bash
# shellcheck source=/dev/null
# Import color formatting
source /usr/lib/ujust/libcolors.sh
# Import text formatting
source /usr/lib/ujust/libformatting.sh
# Import functionality for just
source /usr/lib/ujust/libfunctions.sh
# Import functionality related to distrobox
source /usr/lib/ujust/libdistrobox.sh
# Import functionality related to toolbox
source /usr/lib/ujust/libtoolbox.sh


@@ -0,0 +1,95 @@
#!/bin/bash
# Copyright 2024 Universal Blue
#
# This file includes code that is licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is
# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and limitations under the License.
## disable auto-unlock LUKS2 encrypted root on Fedora/Silverblue/maybe others
set -euo pipefail
[ "$UID" -eq 0 ] || { echo "This script must be run as root."; exit 1;}
echo "This script utilizes systemd-cryptenroll for removing tpm2 auto-unlock."
echo "You can review systemd-cryptenroll's manpage for more information."
echo "This will modify your system and disable TPM2 auto-unlock of your LUKS partition!"
read -p "Are you sure are good with this and want to disable TPM2 auto-unlock? (y/N): " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1 # handle exits from shell or function but don't exit interactive shell
fi
## Inspect Kernel Cmdline for rd.luks.uuid
RD_LUKS_UUID="$(xargs -n1 -a /proc/cmdline | grep rd.luks.uuid | cut -d = -f 2)"
# Check to make sure cmdline rd.luks.uuid exists
if [[ -z ${RD_LUKS_UUID:-} ]]; then
printf "LUKS device not defined on Kernel Commandline.\n"
printf "This is not supported by this script.\n"
printf "Exiting...\n"
exit 1
fi
# Check to make sure that the specified cmdline uuid exists.
if ! grep -q "${RD_LUKS_UUID}" <<< "$(lsblk)" ; then
printf "LUKS device not listed in block devices.\n"
printf "Exiting...\n"
exit 1
fi
# Cut off the luks-
LUKS_PREFIX="luks-"
if grep -q ^${LUKS_PREFIX} <<< "${RD_LUKS_UUID}"; then
DISK_UUID=${RD_LUKS_UUID#"$LUKS_PREFIX"}
else
echo "LUKS UUID format mismatch."
echo "Exiting..."
exit 1
fi
# Specify Crypt Disk by-uuid
CRYPT_DISK="/dev/disk/by-uuid/$DISK_UUID"
# Check to make sure crypt disk exists
if [[ ! -L "$CRYPT_DISK" ]]; then
printf "LUKS device not listed in block devices.\n"
printf "Exiting...\n"
exit 1
fi
## Restore the crypttab
cp -a /etc/crypttab /etc/crypttab.working-before-disable-tpm2
if [ -f /etc/crypttab.known-good ]; then
echo "Restoring /etc/crypttab.known-good to original /etc/crypttab"
mv /etc/crypttab.known-good /etc/crypttab
fi
## Wipe luks slot
if cryptsetup luksDump "$CRYPT_DISK" | grep systemd-tpm2 > /dev/null; then
echo "Wiping systemd-tpm2 from LUKS on $CRYPT_DISK"
systemd-cryptenroll --wipe-slot=tpm2 "$CRYPT_DISK"
else
echo "No systemd-tpm2 found in LUKS to wipe"
fi
## Disable initramfs
if rpm-ostree initramfs | grep tpm2 > /dev/null; then
echo "WARNING: if you configured initramfs for anything other than TPM2, this wipes that too..."
echo "here's a printout:"
rpm-ostree initramfs
echo
echo "Disabling rpm-ostree initramfs..."
rpm-ostree initramfs --disable
else
echo "TPM2 is not configured in 'rpm-ostree initramfs'..."
fi
echo "TPM2 auto-unlock disabled..."
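Review bot: With `set -euo pipefail`, the assignment `RD_LUKS_UUID="$(xargs -n1 -a /proc/cmdline | grep rd.luks.uuid | cut -d = -f 2)"` aborts the script as soon as `grep` finds no match (a failing command substitution fails the assignment), so the friendly "LUKS device not defined on Kernel Commandline" diagnostic that follows is unreachable. Append `|| true` inside the substitution — `... | cut -d = -f 2 || true)"` — so the `-z` check actually runs. If more than one `rd.luks.uuid=` is present the variable holds several lines and the later `-L "$CRYPT_DISK"` test fails with the misleading "not listed in block devices" message; either take the first entry or error out explicitly on multiple volumes. The `mv /etc/crypttab.known-good /etc/crypttab` restore presumes a `.known-good` copy that nothing in this commit creates (the enable script does not touch crypttab); if it comes from an older enable script, a comment saying so would save the next reader a search.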


@@ -0,0 +1,123 @@
#!/bin/bash
# Copyright 2024 Universal Blue
#
# This file includes code that is licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is
# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and limitations under the License.
## setup auto-unlock LUKS2 encrypted root on Fedora/Silverblue/maybe others
set -eou pipefail
[ "$UID" -eq 0 ] || { echo "This script must be run as root."; exit 1;}
echo "WARNING: Do NOT use this if your CPU is vulnerable to faulTPM!"
echo "All AMD Zen2 and Zen3 Processors are known to be affected!"
echo "All AMD Zen1 processors are also likely affected, with Zen4 unknown!"
echo "If you have an AMD CPU, you likely shouldn't use this!"
echo "----------------------------------------------------------------------------"
echo "This script uses systemd-cryptenroll to enable TPM2 auto-unlock."
echo "You can review systemd-cryptenroll's manpage for more information."
echo "This script will modify your system."
echo "It will enable TPM2 auto-unlock of your LUKS partition for your root device!"
echo "It will bind to PCR 7 and 14 which is tied to your secureboot and moklist state."
read -p "Are you sure are good with this and want to enable TPM2 auto-unlock? (y/N): " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1 # handle exits from shell or function but don't exit interactive shell
fi
## Inspect Kernel Cmdline for rd.luks.uuid
RD_LUKS_UUID="$(xargs -n1 -a /proc/cmdline | grep rd.luks.uuid | cut -d = -f 2)"
# Check to make sure cmdline rd.luks.uuid exists
if [[ -z ${RD_LUKS_UUID:-} ]]; then
printf "LUKS device not defined on Kernel Commandline.\n"
printf "This is not supported by this script.\n"
printf "Exiting...\n"
exit 1
fi
# Check to make sure that the specified cmdline uuid exists.
if ! grep -q "${RD_LUKS_UUID}" <<< "$(lsblk)" ; then
printf "LUKS device not listed in block devices.\n"
printf "Exiting...\n"
exit 1
fi
# Cut off the luks-
LUKS_PREFIX="luks-"
if grep -q ^${LUKS_PREFIX} <<< "${RD_LUKS_UUID}"; then
DISK_UUID=${RD_LUKS_UUID#"$LUKS_PREFIX"}
else
echo "LUKS UUID format mismatch."
echo "Exiting..."
exit 1
fi
SET_PIN_ARG=""
read -p "Would you like to set a PIN? (y/N): " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
SET_PIN_ARG=" --tpm2-with-pin=yes "
fi
# Specify Crypt Disk by-uuid
CRYPT_DISK="/dev/disk/by-uuid/$DISK_UUID"
# Check to make sure crypt disk exists
if [[ ! -L "$CRYPT_DISK" ]]; then
printf "LUKS device not listed in block devices.\n"
printf "Exiting...\n"
exit 1
fi
if cryptsetup luksDump "$CRYPT_DISK" | grep systemd-tpm2 > /dev/null; then
KEYSLOT=$(cryptsetup luksDump "$CRYPT_DISK"|grep -A29 systemd-tpm2|grep Keyslot|awk '{print $2}')
echo "TPM2 already present in LUKS keyslot $KEYSLOT of $CRYPT_DISK."
read -p "Wipe it and re-enroll? (y/N): " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
systemd-cryptenroll --wipe-slot=tpm2 "$CRYPT_DISK"
else
echo
echo "Either clear the existing TPM2 keyslot before retrying, else choose 'y' next time."
echo "Exiting..."
[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
fi
fi
## Run crypt enroll
echo "Enrolling TPM2 unlock requires your existing LUKS2 unlock password"
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+14 $SET_PIN_ARG "$CRYPT_DISK"
if lsinitrd 2>&1 | grep -q tpm2-tss > /dev/null; then
## add tpm2-tss to initramfs
if rpm-ostree initramfs | grep tpm2 > /dev/null; then
echo "TPM2 already present in rpm-ostree initramfs config."
rpm-ostree initramfs
echo "Re-running initramfs to pickup changes above."
fi
rpm-ostree initramfs --enable --arg=--force-add --arg=tpm2-tss
else
## initramfs already containts tpm2-tss
echo "TPM2 already present in initramfs."
fi
## Now reboot
echo
echo "TPM2 LUKS auto-unlock configured. Reboot now."
# References:
# https://www.reddit.com/r/Fedora/comments/uo4ufq/any_way_to_get_systemdcryptenroll_working_on/
# https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
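Review bot: The initramfs check `if lsinitrd 2>&1 | grep -q tpm2-tss > /dev/null; then` looks inverted: when `tpm2-tss` is already in the initramfs the script runs `rpm-ostree initramfs --enable --arg=--force-add --arg=tpm2-tss` (the comment even says "add tpm2-tss"), and when it is absent it prints "TPM2 already present in initramfs" and does nothing — which on a host lacking the module leaves a TPM2 keyslot the initrd cannot use, so boot falls back to the passphrase prompt. Negating the condition, `if ! lsinitrd 2>&1 | grep -q tpm2-tss; then`, makes the code agree with its own comments and messages. On the policy itself, `--tpm2-pcrs=7+14` binds only to Secure Boot and MOK state; on a typical shim/GRUB setup the kernel command line and initrd are not measured into those PCRs, so a boot whose cmdline was edited at the bootloader (e.g. `init=/bin/sh`) still unseals the key — the warning text should state this and recommend answering yes to the PIN prompt where that matters. The `RD_LUKS_UUID=` assignment has the same `set -e`/`pipefail` problem as the disable script: a missing `rd.luks.uuid=` kills the script before its own error message, so add `|| true` inside the substitution.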


@@ -0,0 +1,2 @@
# vim: set ft=make :
# This file can be modified downstream to add custom just commands


@@ -0,0 +1,10 @@
set allow-duplicate-recipes := true
set ignore-comments := true
_default:
#!/usr/bin/bash
source /usr/lib/ujust/libformatting.sh
/usr/bin/ujust --list --list-heading $'Available commands:\n' --list-prefix $' - '
# Imports
import "/usr/share/ublue-os/just/60-custom.just"