summarylogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Harrigan2019-10-22 09:15:33 +0100
committerDavid Harrigan2019-10-22 09:19:35 +0100
commit20b2b7af017ea381fd217592c29abf63e835083d (patch)
treeedeb68db1a245e24f9e53b5305a9859bf80dcf5a
downloadaur-20b2b7af017ea381fd217592c29abf63e835083d.tar.gz
addpkg: mkinitcpio-wireguard 0.1.0-1
Initial Commit
-rw-r--r--.SRCINFO20
-rw-r--r--.gitignore5
-rw-r--r--PKGBUILD27
-rw-r--r--README.adoc139
-rw-r--r--UNLICENSED24
-rw-r--r--mkinitcpio-wireguard.install15
-rw-r--r--wireguard_config60
-rw-r--r--wireguard_hook90
-rw-r--r--wireguard_install52
9 files changed, 432 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 00000000000..c579ddbfcf2
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,20 @@
+pkgbase = mkinitcpio-wireguard
+ pkgdesc = mkinitcpio hook that initialises Wireguard to assist in the remote unlocking of encrypted partitions.
+ pkgver = 0.1.0
+ pkgrel = 1
+ url = https://github.com/dharrigan/mkinitcpio-wireguard
+ install = mkinitcpio-wireguard.install
+ arch = x86_64
+ license = Unlicense
+ depends = mkinitcpio>=0.9.0
+ depends = wireguard-tools
+ backup = etc/wireguard/remote-unlock
+ source = wireguard_hook
+ source = wireguard_install
+ source = wireguard_config
+ sha256sums = baa64d53adf5a60092c5df59c6ccf9e8253be4b7c947f89a9afd2cf0a84eea97
+ sha256sums = edf47fa52c1e5e802a5920b8fc3dea281d33c243e79364717c64588f384befaf
+ sha256sums = 9385ec468589f0621d2a90839ebe4b38d37824ea706c2b2edf8f41b0f239f7e8
+
+pkgname = mkinitcpio-wireguard
+
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000000..ab42fdb9f0a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+/*.pkg.tar.*
+/*.src.tar.*
+tags
+pkg/
+src/
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 00000000000..77fe8f2d3af
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,27 @@
+# Maintainer: David Harrigan <dharrigan [@] gmail [dot] com>
+
+pkgname=mkinitcpio-wireguard
+pkgver=0.1.0
+pkgrel=1
+pkgdesc='mkinitcpio hook that initialises Wireguard to assist in the remote unlocking of encrypted partitions.'
+url='https://github.com/dharrigan/mkinitcpio-wireguard'
+arch=('x86_64')
+license=('Unlicense')
+install="${pkgname}.install"
+depends=('mkinitcpio>=0.9.0' 'wireguard-tools')
+backup=('etc/wireguard/remote-unlock')
+source=('wireguard_hook' 'wireguard_install' 'wireguard_config')
+
+package() {
+ install -o root -g root -D ${srcdir}/wireguard_hook ${pkgdir}/usr/lib/initcpio/hooks/wireguard
+ install -o root -g root -D ${srcdir}/wireguard_install ${pkgdir}/usr/lib/initcpio/install/wireguard
+ install -o root -g root -D ${srcdir}/wireguard_config ${pkgdir}/etc/wireguard/remote-unlock
+}
+
+sha256sums=(
+'baa64d53adf5a60092c5df59c6ccf9e8253be4b7c947f89a9afd2cf0a84eea97'
+'edf47fa52c1e5e802a5920b8fc3dea281d33c243e79364717c64588f384befaf'
+'9385ec468589f0621d2a90839ebe4b38d37824ea706c2b2edf8f41b0f239f7e8'
+)
+
+# vim:set syntax=sh tw=78:
diff --git a/README.adoc b/README.adoc
new file mode 100644
index 00000000000..aa2c441da46
--- /dev/null
+++ b/README.adoc
@@ -0,0 +1,139 @@
+= mkinitcpio Wireguard hook
+:author: David Harrigan
+:email: <dharrigan [@] gmail [dot] com>
+:docinfo: true
+:doctype: book
+:icons: font
+:numbered:
+:sectlinks:
+:sectnums:
+:setanchors:
+:source-highlighter: highlightjs
+:toc:
+:toclevels: 5
+
+== Rationale
+
+Firstly, encryption. Encrypt all the things.
+
+Secondly, I think https://www.wireguard.io[Wireguard] is pretty awesome. It's
+really easy to setup and use and works flawlessly (at least for me 😄).
+
+Thirdly, the ability to remotely unlock encrypted partitions is extremely
+useful. However, a limitation is that in order to remotely unlock the
+partition via SSH, you normally need to be on the same network (or at least
+routeable) to the computer that needs unlocking.
+
+As far as I could tell, there was nothing available in
+https://aur.archlinux.org[AUR] that provided a Wireguard hook for
+`mkinitcpio`. Creating a hook should allow a basic Wireguard interface to be
+established so that - via a secure network - you could gain access to the
+remote machine. This is my small attempt to achieve that aim.
+
+IMPORTANT: I developed this little hook for myself and I'm releasing it into
+the general community in the (probably misguided) hope that others may find it
+useful too. As usual, no warranty implied or otherwise is given towards the
+fitness of this software in meeting *YOUR* needs. Please refer to the included
+https://unlicense.org[Unlicense] license file for more information. That said,
+I find this little hook useful - perhaps you may too - so please enjoy! Oh,
+and please be be awesome to each other!
+
+WARNING: Ensure you have read the Arch wiki section on
+https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Remote_unlocking_of_the_root_(or_other)_partition[remote
+unlocking]. It's a *very* good idea to get remote unlocking working *first* on
+your local network - proving that it works for you (this includes using either
+*tinyssh* or *dropbear* to authenticate and unlock successfully)
+- *before* attempting to setup this mkinitcpio Wireguard hook for remote
+unlocking.
+
+IMPORTANT: It is also *strongly* recommend that a *separate* Wireguard network
+is setup and configured *just* for unlocking. You see, a private key (and a
+public key) and a configuration file are written to the ramdisk (which
+typically lives in an unencrypted boot partition). It's super trivially easy
+for anyone to copy this ramdisk, extract out the contents and use the private
+key and Wireguard configuration found therein to connect to your Wireguard
+network. As a minimum, you could disable (on the remote peer *nominally called
+the `server`*) the ability for the target machine (the `client` - the one on
+which you are remotely unlocking partitions) to connect and authenticate -
+only enabling connection *when* and *if* required. Please be careful and think
+this through! Safety first!
+
+== OS Installation
+
+Standard installation rules apply. Here's an example using the
+https://github.com/Jguer/yay[yay] package manager to install the utility.
+
+`yay -S mkinitcpio-wireguard`
+
+Please refer to your favourite package manager's documentation in learn how to
+install it for you 😄
+
+NOTE: Obviously, you must also install Wireguard! Choose either manual
+installation (using git and compiling it yourself), or using `wireguard-arch`
+or `wireguard-dkms`. Life is short, so personally I just roll with
+`wireguard-arch`. Seems to work OOTB for me, but YMMV...
+
+== Configuration
+
+IMPORTANT: The setup and running of `mkinitcpio-wireguard` is *very* basic and
+makes *lots* of assumptions. *This is intentional!* This hook is simple
+because it is designed to get a minimal Wireguard up and running so that you
+can remotely unlock encrypted partitions. The script does not attempt to do
+anything else. This script will never be super fancy or clever.
+
+WARNING: Please read and familiarise yourself with how Wireguard works. In
+particular, please refer to the *numerous* examples online of how to setup and
+configure Wireguard. It is *strongly* suggested you get Wireguard up and
+running first. A few examples of where to find documentation are listed below:
+
+* https://wiki.archlinux.org/index.php/WireGuard
+* https://www.wireguard.com/quickstart/
+* https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8
+
+After installing `mkinitcpio-wireguard`, a configuration file will be written
+to `/etc/wireguard/remote-unlock`. You *MUST* edit this file to suit your
+particular Wireguard requirements. The file is really simple and therefore
+should be pretty self-explanatory.
+
+NOTE: If you have an existing `wg0.conf` in your `/etc/wireguard` directory,
+you can use the contents of that file as a reference. Please be aware of the
+warning above concerning the recommended use of a separate network for remote
+unlocking.
+
+== Hook Installation
+
+After you have edited the `/etc/wireguard/remote-unlock` file to suit your
+needs, ensure that you've added the `wireguard` hook to the *HOOKS* array of
+`/etc/mkinitcpio.conf`. Shown below is an example that also includes the use
+of `netconf`, `tinyssh` and `encryptssh`.
+
+----
+HOOKS=(base udev autodetect keyboard keymap modconf block netconf wireguard tinyssh encryptssh filesystems fsck)
+----
+
+== Final Steps
+
+Lastly, run (as root):
+
+----
+mkinitcpio -P
+----
+
+This will regenerate the ramdisk with your Wireguard configuration.
+
+You should now be able to reboot your machine and after the interface has come
+up be able to ping it via your Wireguard network! You should now also be able
+to SSH to the machine (you did remember to set that all up before doing this,
+right?) and unlock any encrypted partitions and thus enable the continuation
+of your boot process! FTW!
+
+== Unlicensed
+
+Find the full unlicense in the UNLICENSE file, but here's a snippet.
+This is free and unencumbered software released into the public domain.
+
+----
+Anyone is free to copy, modify, publish, use, compile, sell, or distribute
+this software, either in source code form or as a compiled binary, for any
+purpose, commercial or non-commercial, and by any means.
+----
diff --git a/UNLICENSED b/UNLICENSED
new file mode 100644
index 00000000000..cf1ab25da03
--- /dev/null
+++ b/UNLICENSED
@@ -0,0 +1,24 @@
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to <http://unlicense.org>
diff --git a/mkinitcpio-wireguard.install b/mkinitcpio-wireguard.install
new file mode 100644
index 00000000000..aedd9a6616f
--- /dev/null
+++ b/mkinitcpio-wireguard.install
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+post_install() {
+ echo ">"
+ echo "> Now add 'wireguard' to your HOOKS array in your '/etc/mkinitcpio.conf' and rebuild the ramdisk."
+ echo "> e.g., HOOKS=(base udev autodetect keyboard keymap modconf block netconf wireguard tinyssh encryptssh filesystems fsck)"
+ echo "> don't forget to configure the '/etc/wireguard/remote-unlock' file then rerun mkinitcpio..."
+ echo ">"
+}
+
+post_remove() {
+ sed -i "/^HOOKS=/s/wireguard//" /etc/mkinitcpio.conf
+}
+
+# vim:set syntax=sh tw=78:
diff --git a/wireguard_config b/wireguard_config
new file mode 100644
index 00000000000..ec0907cc1d0
--- /dev/null
+++ b/wireguard_config
@@ -0,0 +1,60 @@
+#
+# This is free and unencumbered software released into the public domain.
+#
+# Anyone is free to copy, modify, publish, use, compile, sell, or
+# distribute this software, either in source code form or as a compiled
+# binary, for any purpose, commercial or non-commercial, and by any
+# means.
+#
+# In jurisdictions that recognize copyright laws, the author or authors
+# of this software dedicate any and all copyright interest in the
+# software to the public domain. We make this dedication for the benefit
+# of the public at large and to the detriment of our heirs and
+# successors. We intend this dedication to be an overt act of
+# relinquishment in perpetuity of all present and future rights to this
+# software under copyright law.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+# IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+# OTHER DEALINGS IN THE SOFTWARE.
+#
+# For more information, please refer to <http://unlicense.org/>
+#
+
+# Information pertaining to the Wireguard mkinitcpio hook
+#
+# Please ensure you've read the documentation on how to setup and configure
+# Wireguard for your needs. It's vital that you ensure that you can connect
+# successfully before working on enabling remote unlocking functionality.
+
+# All the values below are just examples. You must change them to suit
+# your Wireguard network setup.
+
+# Specifies the name of the Wireguard interface (usually wg0)
+INTERFACE=wg0
+
+# Specifies the address that the Wireguard interface will use.
+# Please ensure you specify the address in CIDR format.
+INTERFACE_ADDR=10.0.200.21/24
+
+# This is the public key of the peer.
+PEER_PUBLIC_KEY=abcdefg
+
+# This is the IP address and port of the peer.
+# Usually this is the external public-facing IP, but it may also be internal!
+PEER_ENDPOINT=192.168.80.1:12912
+
+# This is your private key previously setup to establish connection to the peer.
+PRIVATE_KEY_FILE=/etc/wireguard/privatekey
+
+# If you're behind a NAT, a ping of 25 seconds is useful!
+PERSISTENT_KEEPALIVES=25
+
+# The IP range that will be allowed.
+ALLOWED_IPS=10.0.200.0/24
+
+# vim:set syntax=sh tw=78:
diff --git a/wireguard_hook b/wireguard_hook
new file mode 100644
index 00000000000..f914e7cf50b
--- /dev/null
+++ b/wireguard_hook
@@ -0,0 +1,90 @@
+#!/bin/ash
+#
+# This is free and unencumbered software released into the public domain.
+#
+# Anyone is free to copy, modify, publish, use, compile, sell, or
+# distribute this software, either in source code form or as a compiled
+# binary, for any purpose, commercial or non-commercial, and by any
+# means.
+#
+# In jurisdictions that recognize copyright laws, the author or authors
+# of this software dedicate any and all copyright interest in the
+# software to the public domain. We make this dedication for the benefit
+# of the public at large and to the detriment of our heirs and
+# successors. We intend this dedication to be an overt act of
+# relinquishment in perpetuity of all present and future rights to this
+# software under copyright law.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+# IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+# OTHER DEALINGS IN THE SOFTWARE.
+#
+# For more information, please refer to <http://unlicense.org/>
+#
+
+_fatal () { echo ":: wireguard [FATAL]: ${@}. Cannot initialise Wireguard\!"; break=y; }
+
+if [ -f /etc/wireguard/remote-unlock ]; then
+ . /etc/wireguard/remote-unlock
+fi
+
+run_hook()
+{
+ if [ -z $INTERFACE ]; then
+ _fatal 'Interface name is not defined!'
+ return 1
+ fi
+
+ if [ -z $INTERFACE_ADDR ]; then
+ _fatal 'Interface address is not defined!'
+ return 1
+ fi
+
+ if [ -z $PEER_PUBLIC_KEY ]; then
+ _fatal 'Peer Public Key is not defined!'
+ return 1
+ fi
+
+ if [ -z $PRIVATE_KEY_FILE -a -f $PRIVATE_KEY_FILE ]; then
+ _fatal 'Private key file is not defined!'
+ return 1
+ fi
+
+ if [ -z $PEER_ENDPOINT ]; then
+ _fatal 'Peer endpoint is not defined!'
+ return 1
+ fi
+
+ if [ -z $PERSISTENT_KEEPALIVES ]; then
+ _fatal 'Persistent Keep Alives is not defined!'
+ return 1
+ fi
+
+ if [ -z $ALLOWED_IPS ]; then
+ _fatal 'Allowed IPs is not defined!'
+ return 1
+ fi
+
+ echo "Starting Wireguard Remote Unlock."
+
+ ip link add dev $INTERFACE type wireguard
+ wg set $INTERFACE \
+ private-key $PRIVATE_KEY_FILE \
+ peer $PEER_PUBLIC_KEY \
+ endpoint $PEER_ENDPOINT \
+ persistent-keepalive $PERSISTENT_KEEPALIVES \
+ allowed-ips $ALLOWED_IPS
+ ip addr add $INTERFACE_ADDR dev $INTERFACE
+ ip link set $INTERFACE up
+}
+
+run_cleanuphook() {
+
+ ip link delete dev $INTERFACE
+
+}
+# vim:set syntax=sh tw=78:
diff --git a/wireguard_install b/wireguard_install
new file mode 100644
index 00000000000..d681830892d
--- /dev/null
+++ b/wireguard_install
@@ -0,0 +1,52 @@
+#!/bin/bash
+#
+# This is free and unencumbered software released into the public domain.
+#
+# Anyone is free to copy, modify, publish, use, compile, sell, or
+# distribute this software, either in source code form or as a compiled
+# binary, for any purpose, commercial or non-commercial, and by any
+# means.
+#
+# In jurisdictions that recognize copyright laws, the author or authors
+# of this software dedicate any and all copyright interest in the
+# software to the public domain. We make this dedication for the benefit
+# of the public at large and to the detriment of our heirs and
+# successors. We intend this dedication to be an overt act of
+# relinquishment in perpetuity of all present and future rights to this
+# software under copyright law.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+# IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+# OTHER DEALINGS IN THE SOFTWARE.
+#
+# For more information, please refer to <http://unlicense.org/>
+#
+
+build()
+{
+ add_binary wg
+ add_module wireguard
+
+ add_full_dir /etc/wireguard
+
+ add_runscript
+}
+
+help() {
+ cat <<HELPME
+This hook provides basic Wireguard support to assist in the remote unlocking
+of encrypted partitions. There are various parameters that are to be
+configured via the "/etc/wireguard/remote-unlock" file. This must be done!
+
+In addition to this hook, you will require something like tinyssh or dropbear
+appropriately configured in order to gain remote access. Please refer to the
+Arch Wiki for further details with regards to remote unlocking of encrypted
+partitions.
+HELPME
+}
+
+# vim:set syntax=sh tw=78: