v1.1-2

Sometimes we need to change the sources, but only for minor external
dependencies diff (e.g. adding/removing upstream source), in which
case we wish to only bump pkgrel.

ChangeLog

@@ -1,75 +1,107 @@
+2025-11-15 Julien Coloos <julien.coloos [at] gmail [dot] com>
+
+        * v1.1-2
+        Removed 11-dm-initramfs.rules, which was added to 10-dm.rules.
+        See: https://gitlab.archlinux.org/archlinux/mkinitcpio/mkinitcpio/-/commit/589e0397ea55e61a08fdbcab52ad4639d382f08e
+
+        Use full version (pkgver and pkgrel) for source archive name.
+        Sometimes we need to change the sources, but only for minor external
+        dependencies diff (e.g. adding/removing upstream source), in which
+        case we wish to only bump pkgrel.
+
+
+2022-03-24 Julien Coloos <julien.coloos [at] gmail [dot] com>
+
+        * v1.1-1
+        Refactored install script to more easily spot code coming from other
+        nominal hooks.
+        Updated install script message with latest available options.
+
+        Removed dependency to '/lib/libnss_files.so', as it does not exist and
+        should not be needed anymore.
+        Prevents unwanted warning when building initcpio
+          ==> ERROR: file not found: `/lib/libnss_files.so'
+        See: https://bugs.archlinux.org/task/73702
+
+
 2021-11-13 Julien Coloos <julien.coloos [at] gmail [dot] com>
 
         * v1.0-1
-        Option to use login shell instead of cryptsetup unlocking script
-        Option to re-enable Wake-on-LAN on network device
+        Option to use login shell instead of cryptsetup unlocking script.
+        Option to re-enable Wake-on-LAN on network device.
 
 
 2021-11-12 Julien Coloos <julien.coloos [at] gmail [dot] com>
 
         * v0.9-2
-        Use SHA256 checksums instead of MD5
+        Use SHA256 checksums instead of MD5.
 
 
 2021-10-24 Julien Coloos <julien.coloos [at] gmail [dot] com>
 
         * v0.9-1
-        Try to print network devices information when interface setup fails
+        Try to print network devices information when interface setup fails.
 
 
 2021-08-15 Julien Coloos <julien.coloos [at] gmail [dot] com>
 
         * v0.8-1
-        Include 'libgcc_s.so.1' which is necessary for (at least) proper LUKS v2 handling
+        Include 'libgcc_s.so.1' which is necessary for (at least) proper LUKS
+        v2 handling.
 
 
 2020-07-14 Julien Coloos <julien.coloos [at] gmail [dot] com>
 
         * v0.7-1
-        Dropped 'dsa' private key support; added 'ed25519' private key support
+        Dropped 'dsa' private key support; added 'ed25519' private key support.
 
 
 2018-03-13 Julien Coloos <julien.coloos [at] gmail [dot] com>
 
         * v0.6-1
-        Dropped '-m' option when calling dropbear (latest ArchLinux version does not handle it)
+        Dropped '-m' option when calling dropbear (latest ArchLinux version
+        does not handle it).
 
 
 2017-06-25 Julien Coloos <julien.coloos [at] gmail [dot] com>
 
         * v0.5-1
-        Fixed cryptsetup additional arguments handling: were not properly passed
+        Fixed cryptsetup additional arguments handling: were not properly
+        passed.
 
 
 2017-06-25 Julien Coloos <julien.coloos [at] gmail [dot] com>
 
         * v0.4-1
-        Fixed TRIM option handling in /etc/crypttab: 'discard' ('allow-discards' being the switch name to use in cryptsetup)
+        Fixed TRIM option handling in /etc/crypttab: 'discard'
+        ('allow-discards' being the switch name to use in cryptsetup).
 
 
 2015-11-22 Julien Coloos <julien.coloos [at] gmail [dot] com>
 
         * v0.3-1
-        Added configurable timeout for ipconfig
-        Moved configuration file from /etc/dropbear/initrd.env to /etc/initcpio/sshcs_env
+        Added configurable timeout for ipconfig.
+        Moved configuration file from /etc/dropbear/initrd.env to
+        /etc/initcpio/sshcs_env.
 
 
 2014-05-20 Julien Coloos <julien.coloos [at] gmail [dot] com>
 
         * v0.2-1
-        Removed unnecessary dependency: psmisc
-        Added configurable timeout to unlock devices before automatic poweroff
+        Removed unnecessary dependency: psmisc.
+        Added configurable timeout to unlock devices before automatic poweroff.
 
 
 2014-05-19 Julien Coloos <julien.coloos [at] gmail [dot] com>
 
         * v0.1-1
 
-        * Code adapted from dropbear_initrd_encrypt (https://aur.archlinux.org/packages/dropbear_initrd_encrypt/)
-        Reworked code
-        Dropped non-LUKS support
-        Rely on /etc/crypttab
-        Handle multiple devices to unlock
-        Merged dropbear and encryptssh hooks
-        Better resources cleanup
+        Code adapted from dropbear_initrd_encrypt.
+        See: https://aur.archlinux.org/packages/dropbear_initrd_encrypt/
 
+        Reworked code.
+        Dropped non-LUKS support.
+        Rely on /etc/crypttab.
+        Handle multiple devices to unlock.
+        Merged dropbear and encryptssh hooks.
+        Better resources cleanup.

PKGBUILD

@@ -1,7 +1,7 @@
 # Maintainer: Julien Coloos <julien.coloos [at] gmail [dot] com>
 pkgname=initrd-ssh-cryptsetup
-pkgver=1.0
-pkgrel=1
+pkgver=1.1
+pkgrel=2
 pkgdesc="Allows to remotely unlock LUKS-encrypted devices over SSH"
 arch=('any')
 url="https://github.com/suiryc/archlinux-$pkgname"
@@ -9,8 +9,8 @@ license=('GPL3')
 depends=('dropbear' 'cryptsetup' 'mkinitcpio-nfs-utils' 'iproute2' 'ethtool')
 install=$pkgname.install
 changelog='ChangeLog'
-source=("http://julien.coloos.free.fr/archlinux/$pkgname-$pkgver.tar.xz" "$pkgname.install")
-sha256sums=('de6ef287ecfd57614835fec1fcaa01eb3a7f999d42a749e20b6747671320508f'
+source=("http://julien.coloos.free.fr/archlinux/$pkgname-$pkgver-$pkgrel.tar.xz" "$pkgname.install")
+sha256sums=('bfd3e55ef8d3dd9e0b24f5b6b708a41520ee426ed980366f7ffbd12e30b5230b'
             'b84978b3c2ef32208c2b104ee2d3ce8aaec26da0bd4e9e1c83942f373bbf6285')
 
 package() {

README.md

@@ -68,8 +68,8 @@ For example:
 ## Building notes
 1. Modify the sources (features in `src`, and/or package building files)
 2. If `src` was modified
-   * bump `pkgver` in `PKGBUILD`
-   * archive the `src` folder in `$pkgname-$pkgver.tar.xz` file; e.g.: `tar -cJf initrd-ssh-cryptsetup-$(grep "^pkgver=" PKGBUILD | cut -d'=' -f2).tar.xz src`
+   * bump `pkgver`, or `pkgrel`, in `PKGBUILD`
+   * archive the `src` folder in `$pkgname-$pkgver-$pkgrel.tar.xz` file; e.g.: `tar -cJf initrd-ssh-cryptsetup-$(grep "^pkgver=" PKGBUILD | cut -d'=' -f2)-$(grep "^pkgrel=" PKGBUILD | cut -d'=' -f2).tar.xz src`
    * upload the archive on the online repository (pointed by `PKGBUILD`)
 3. Update ChangeLog
 4. Update `PKGBUILD`

src/install/ssh-cryptsetup

@@ -52,56 +52,70 @@ build() {
 
   sshcs_check_keys
 
-  add_checked_modules "/drivers/net/"
-  # Note: parts of this script (modules/binaries added) are the same than the
-  # 'encrypt' install script (/usr/lib/initcpio/install/encrypt) which is the
-  # nominal one to deal with encrypted volumes at boot time.
-  add_module dm-crypt
-  # Note: crypto modules are necessary
-  if [ -n "${CRYPTO_MODULES}" ]; then
+  # Note: parts of this script (modules/binaries/files added) are the same than
+  # other install scripts (/usr/lib/initcpio/install/):
+  #   - 'encryp': nominal support of encrypted volumes at boot time
+  #   - 'net': network tools
+
+  ## Modules
+  # (from 'encrypt')
+  add_module 'dm-crypt'
+  add_module 'dm-integrity'
+  if [[ $CRYPTO_MODULES ]]; then
     local mod
-    for mod in ${CRYPTO_MODULES}; do
-      add_module "${mod}"
+    for mod in $CRYPTO_MODULES; do
+      add_module "$mod"
     done
   else
-    add_all_modules "/crypto/"
+    add_all_modules '/crypto/'
   fi
 
-  # Note: dmsetup is necessary for device mapper features
-  add_binary "cryptsetup"
-  add_binary "dmsetup"
-  add_binary "dropbear"
-  add_binary "ip"
-  add_binary "/usr/lib/initcpio/ipconfig" "/bin/ipconfig"
-  add_binary "ethtool"
+  # (from 'net')
+  add_checked_modules '/drivers/net/'
 
-  # Our hook files
+
+  ## Binaries
+  # (from 'encrypt')
+  add_binary 'cryptsetup'
+  # cryptsetup calls pthread_create(), which dlopen()s libgcc_s.so.1
+  # Note: at least necessary for LUKS v2 volumes.
+  # Also see similar/related bug reports (e.g. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950254).
+  add_binary '/usr/lib/libgcc_s.so.1'
+
+  # (from 'net')
+  add_binary '/usr/lib/initcpio/ipconfig' '/bin/ipconfig'
+
+  # (ours)
+  # Note: dmsetup is necessary for device mapper features
+  add_binary 'dmsetup'
+  add_binary 'dropbear'
+  add_binary 'ip'
+  add_binary 'ethtool'
+
+
+  ## Other files
+  # (from 'encrypt')
+  # cryptsetup-related files
+  map add_udev_rule \
+      '10-dm.rules' \
+      '13-dm-disk.rules' \
+      '95-dm-notify.rules'
+
+  # (ours)
+  # Our script and options
   [ -e "${sshcs_env}" ] && add_file "${sshcs_env}"
   # Note: use /usr/local/bin, even though everything actually points to /usr/bin
   # in initramfs.
-  add_file "/usr/lib/initcpio/hooks/ssh-cryptsetup-tools" "/usr/local/bin/ssh-cryptsetup-tools"
-
-  # auth-related files
-  add_file "/lib/libnss_files.so"
+  add_file '/usr/lib/initcpio/hooks/ssh-cryptsetup-tools' '/usr/local/bin/ssh-cryptsetup-tools'
 
   # SSH-related files
-  add_file "${dropbear_authorized_keys}" "/root/.ssh/authorized_keys"
+  add_file "${dropbear_authorized_keys}" '/root/.ssh/authorized_keys'
   for keytype in "${dropbear_key_types[@]}"; do
     add_file "${dropbear_keyfile_prefix}${keytype}${dropbear_keyfile_suffix}"
   done
 
-  # cryptsetup-related files
+  # crypt partitions
   add_file "${etc_crypttab}"
-  add_file "/usr/lib/udev/rules.d/10-dm.rules"
-  add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
-  add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
-  add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
-
-  # At least with LUKS v2 volumes, cryptsetup calls pthread_cancel(), which
-  # dlopen()s libgcc_s.so.1.
-  # See the nominal 'encrypt' module, and similar/related bug reports (e.g.
-  # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950254).
-  add_binary "/usr/lib/libgcc_s.so.1"
 
   add_runscript
 }
@@ -117,13 +131,25 @@ LUKS encrypted devices to unlock are derived from '/etc/crypttab', which must
 be present.
 Some options can be set in '/etc/initcpio/sshcs_env' (file is sourced in
 initrd shell):
- * 'sshcs_opt_timeout_ipconfig': time (s) to configure IP
-   - default: 10 seconds
- * 'sshcs_opt_listen': listening port (22 by default)
- * 'sshcs_opt_timeout_poweroff': time (s) to unlock devices before automatic
-   powering off
-   - default (and minimum value): 2 minutes
+ * 'sshcs_opt_debug': whether to be more verbose about ongoing actions
+   - default: '0'
+   - any non-zero value to enable
+ * 'sshcs_opt_net_wol': Wake-on-LAN option to set on network device
+   - default: 'g' (MagicPacket™)
+   - usually WOL is disabled once in initramfs shell
+   - set empty to not change network device WOL setting
+ * 'sshcs_opt_timeout_ipconfig': time (in seconds) to configure IP
+   - default: '10'
+ * 'sshcs_opt_listen': SSH listening port
+   - default: '22'
+ * 'sshcs_opt_timeout_poweroff': time (in seconds) to unlock devices before
+   automatic powering off
+   - default (and minimum value): '120' (2 minutes)
    - negative value to deactivate
+ * 'sshcs_opt_use_shell': whether to start a full 'ash' shell
+   - default: '0'
+   - '1' to enable
+   - when disabled (the default), a script to unlock devices is executed instead
 
 Each SSH server key ('dropbear_rsa_host_key', 'dropbear_ecdsa_host_key' and
 'dropbear_ed25519_host_key' in '/etc/dropbear' folder) is imported from OpenSSH