author | David Harrigan | 2021-01-25 15:53:50 +0000 |
---|---|---|
committer | David Harrigan | 2021-01-25 15:53:50 +0000 |
commit | 9114e75a97cf792d2c3767a43c765bfb882497ea (patch) | |
tree | b464059dbfb284ede90a5ec94aadb8c4b9953fbc | |
parent | 702fcdea6db270c65118b439fd5a586b8e08ab68 (diff) | |
download | aur-9114e75a97cf792d2c3767a43c765bfb882497ea.tar.gz |
upgpkg: mkinitcpio-wireguard 0.4.1-3
Split out source from packaging.
-=david=-
-rw-r--r-- | .SRCINFO | 12 | ||||
-rw-r--r-- | PKGBUILD | 23 | ||||
-rw-r--r-- | README.adoc | 180 | ||||
-rw-r--r-- | UNLICENSED | 24 | ||||
-rw-r--r-- | wireguard_config | 34 | ||||
-rw-r--r-- | wireguard_hook | 65 | ||||
-rw-r--r-- | wireguard_install | 40 |
7 files changed, 13 insertions, 365 deletions
@@ -1,7 +1,7 @@ pkgbase = mkinitcpio-wireguard pkgdesc = mkinitcpio hook that initialises Wireguard to assist in the remote unlocking of encrypted partitions. pkgver = 0.4.1 - pkgrel = 1 + pkgrel = 3 url = https://github.com/dharrigan/mkinitcpio-wireguard install = mkinitcpio-wireguard.install arch = x86_64 @@ -9,14 +9,8 @@ pkgbase = mkinitcpio-wireguard depends = mkinitcpio>=0.9.0 depends = wireguard-tools backup = etc/wireguard/initcpio/unlock - source = wireguard_hook - source = wireguard_install - source = wireguard_config - source = UNLICENSED - sha256sums = 4d406d605297cdf11cc4de93616808063c255e4b54f27731d850acc71bf28b3b - sha256sums = 67e56a6d5b3cab8cf1ae475f7728a9c0a148447da9d1246e53683f75fb1b6091 - sha256sums = 0dee9306a558623fc3c7bf22348f3049189e69be7c66bc7530fee0748fb9ad93 - sha256sums = 88d9b4eb60579c191ec391ca04c16130572d7eedc4a86daa58bf28c6e14c9bcd + source = https://github.com/dharrigan/mkinitcpio-wireguard/archive/0.4.1.tar.gz + sha256sums = a46582e0220ed7e000ee85d6ef03be6c44ce181b7f1a281352d0986688129da2 pkgname = mkinitcpio-wireguard 
@@ -2,28 +2,25 @@ pkgname=mkinitcpio-wireguard pkgver=0.4.1 -pkgrel=1 +pkgrel=3 pkgdesc='mkinitcpio hook that initialises Wireguard to assist in the remote unlocking of encrypted partitions.' -url='https://github.com/dharrigan/mkinitcpio-wireguard' arch=('x86_64') +url='https://github.com/dharrigan/mkinitcpio-wireguard' license=('Unlicense') install="${pkgname}.install" depends=('mkinitcpio>=0.9.0' 'wireguard-tools') backup=('etc/wireguard/initcpio/unlock') -source=('wireguard_hook' 'wireguard_install' 'wireguard_config' 'UNLICENSED') + +source=("${url}/archive/${pkgver}.tar.gz") + +sha256sums=('a46582e0220ed7e000ee85d6ef03be6c44ce181b7f1a281352d0986688129da2') package() { - install -Dm644 ${srcdir}/wireguard_hook ${pkgdir}/usr/lib/initcpio/hooks/wireguard - install -Dm644 ${srcdir}/wireguard_install ${pkgdir}/usr/lib/initcpio/install/wireguard - install -Dm644 ${srcdir}/wireguard_config ${pkgdir}/etc/wireguard/initcpio/unlock - install -Dm644 ${srcdir}/UNLICENSED ${pkgdir}/usr/share/licenses/${pkgname}/UNLICENSED + install -Dm644 ${srcdir}/${pkgname}-${pkgver}/wireguard_hook ${pkgdir}/usr/lib/initcpio/hooks/wireguard + install -Dm644 ${srcdir}/${pkgname}-${pkgver}/wireguard_install ${pkgdir}/usr/lib/initcpio/install/wireguard + install -Dm644 ${srcdir}/${pkgname}-${pkgver}/wireguard_config ${pkgdir}/etc/wireguard/initcpio/unlock + install -Dm644 ${srcdir}/${pkgname}-${pkgver}/UNLICENSED ${pkgdir}/usr/share/licenses/${pkgname}/UNLICENSED } -sha256sums=( -'4d406d605297cdf11cc4de93616808063c255e4b54f27731d850acc71bf28b3b' -'67e56a6d5b3cab8cf1ae475f7728a9c0a148447da9d1246e53683f75fb1b6091' -'0dee9306a558623fc3c7bf22348f3049189e69be7c66bc7530fee0748fb9ad93' -'88d9b4eb60579c191ec391ca04c16130572d7eedc4a86daa58bf28c6e14c9bcd' -) # vim:set syntax=sh tw=78: diff --git a/README.adoc b/README.adoc deleted file mode 100644 index 5ecc8bb8f967..000000000000 --- a/README.adoc +++ /dev/null 
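Review bot: The new `source=("${url}/archive/${pkgver}.tar.gz")` line makes makepkg store the download as `0.4.1.tar.gz`, a name that identifies neither the project nor the package and collides with any other PKGBUILD fetching a same-numbered GitHub archive into a shared SRCDEST; name it explicitly with `source=("${pkgname}-${pkgver}.tar.gz::${url}/archive/${pkgver}.tar.gz")`. With the hook and install scripts now fetched over the network instead of shipped in the AUR repository, the single `sha256sums` entry is the only integrity control on files that end up in the initramfs, and the hunk carries no `validpgpkeys`, so a signed upstream tag checked by makepkg would be the next step if a stronger pin is wanted. GitHub-generated archives are also not guaranteed to stay byte-identical over time, so a later checksum failure may be a regenerated archive rather than tampering and should be re-verified against the tagged tree, not waved through with `SKIP`. Separately, the rewritten `install` lines leave `${srcdir}` and `${pkgdir}` unquoted; quoting them, as in `install -Dm644 "${srcdir}/${pkgname}-${pkgver}/wireguard_hook" "${pkgdir}/usr/lib/initcpio/hooks/wireguard"`, keeps the build working when either path contains whitespace.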
@@ -1,180 +0,0 @@ -= mkinitcpio Wireguard hook -:author: David Harrigan -:email: <dharrigan [@] gmail [dot] com> -:docinfo: true -:doctype: book -:icons: font -:numbered: -:sectlinks: -:sectnums: -:setanchors: -:source-highlighter: highlightjs -:toc: -:toclevels: 5 - -== ChangeLog - -IMPORTANT: Until this package has stabilised and until it has reached a 1.0.0 -release, *please be very careful* to examine the version changes listed below -as the package requirements and instructions can change to reflect a better -understanding of the problem domain. *DO NOT ASSUME THAT ANYTHING UNTIL AT -LEAST A 1.0.0 RELEASE* - -WARNING: Read the warning above. - -|=== -|Version | Note - -| *0.4.1* -a| -* Remove unnecessary license headers and simply copy UNLICENSED to appropriate place -* Minor bugfixes - thanks @undiabler! - -| *0.4.0* -a| -* Add a route based upon the ALLOWED_IPS. - -| *0.3.0* -a| -* Various tidy ups and script improvements. -* Rename PRIVATE_KEY_FILE to PRIVATE_KEYFILE - BREAKING CHANGE! - -| *0.2.0* -a| -* Don't include the entire `/etc/wireguard` directory, instead use a subdirectory, namely `/etc/wireguard/initcpio` to keep things separate. - -| *0.1.0* -a| -* Initial Release. - -|=== - -== Rationale - -Firstly, encryption. Encrypt all the things. - -Secondly, I think https://www.wireguard.io[Wireguard] is pretty awesome. It's -really easy to setup and use and works flawlessly (at least for me 😄). - -Thirdly, the ability to remotely unlock encrypted partitions is extremely -useful. However, a limitation is that in order to remotely unlock the -partition via SSH, you normally need to be on the same network (or at least -routeable) to the computer that needs unlocking. - -As far as I could tell, there was nothing available in -https://aur.archlinux.org[AUR] that provided a Wireguard hook for -`mkinitcpio`. Creating a hook should allow a basic Wireguard interface to be -established so that - via a secure network - you could gain access to the -remote machine. 
This is my small attempt to achieve that aim. - -IMPORTANT: I developed this little hook for myself and I'm releasing it into -the general community in the (probably misguided) hope that others may find it -useful too. As usual, no warranty implied or otherwise is given towards the -fitness of this software in meeting *YOUR* needs. Please refer to the included -https://unlicense.org[Unlicense] license file for more information. That said, -I find this little hook useful - perhaps you may too - so please enjoy! Oh, -and please be be awesome to each other! - -WARNING: Ensure you have read the Arch wiki section on -https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Remote_unlocking_of_the_root_(or_other)_partition[remote -unlocking]. It's a *very* good idea to get remote unlocking working *first* on -your local network - proving that it works for you (this includes using either -*tinyssh* or *dropbear* to authenticate and unlock successfully) -- *before* attempting to setup this mkinitcpio Wireguard hook for remote -unlocking. - -IMPORTANT: It is also *strongly* recommend that a *separate* Wireguard network -is setup and configured *just* for unlocking. You see, a private key (and a -public key) and a configuration file are written to the ramdisk (which -typically lives in an unencrypted boot partition). It's super trivially easy -for anyone to copy this ramdisk, extract out the contents and use the private -key and Wireguard configuration found therein to connect to your Wireguard -network. As a minimum, you could disable (on the remote peer *nominally called -the `server`*) the ability for the target machine (the `client` - the one on -which you are remotely unlocking partitions) to connect and authenticate - -only enabling connection *when* and *if* required. Please be careful and think -this through! Safety first! - -== OS Installation - -Standard installation rules apply. 
Here's an example using the -https://github.com/Jguer/yay[yay] package manager to install the utility. - -`yay -S mkinitcpio-wireguard` - -Please refer to your favourite package manager's documentation in learn how to -install it for you 😄 - -NOTE: Obviously, you must also install Wireguard! Choose either manual -installation (using git and compiling it yourself), or using `wireguard-arch` -or `wireguard-dkms`. Life is short, so personally I just roll with -`wireguard-arch`. Seems to work OOTB for me, but YMMV... - -== Configuration - -IMPORTANT: The setup and running of `mkinitcpio-wireguard` is *very* basic and -makes *lots* of assumptions. *This is intentional!* This hook is simple -because it is designed to get a minimal Wireguard up and running so that you -can remotely unlock encrypted partitions. The script does not attempt to do -anything else. This script will never be super fancy or clever. - -WARNING: Please read and familiarise yourself with how Wireguard works. In -particular, please refer to the *numerous* examples online of how to setup and -configure Wireguard. It is *strongly* suggested you get Wireguard up and -running first. A few examples of where to find documentation are listed below: - -* https://wiki.archlinux.org/index.php/WireGuard -* https://www.wireguard.com/quickstart/ -* https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8 - -After installing `mkinitcpio-wireguard`, an example configuration file will be -written to `/etc/wireguard/initcpio/unlock`. You *MUST* edit this file to suit -your particular Wireguard requirements. The file is really simple and -therefore should be pretty self-explanatory. - -NOTE: If you have an existing `wg0.conf` in your `/etc/wireguard` directory, -you can use the contents of that file as a reference. Please be aware of the -warning above concerning the recommended use of a separate network for remote -unlocking. 
- -== Hook Installation - -After you have edited the `/etc/wireguard/initcpio/unlock` file to suit your -needs, ensure that you've added the `wireguard` hook to the *HOOKS* array of -`/etc/mkinitcpio.conf`. Shown below is an example that also includes the use -of `netconf`, `tinyssh` and `encryptssh`. - ----- -HOOKS=(base udev autodetect keyboard keymap modconf block netconf wireguard tinyssh encryptssh filesystems fsck) ----- - -== Final Steps - -Lastly, run (still as root): - ----- -mkinitcpio -P ----- - -This will regenerate the ramdisk with your Wireguard configuration. - -You should now be able to reboot your machine and after the interface has come -up be able to ping it via your Wireguard network! You should now also be able -to SSH to the machine (you did remember to set that all up before doing this, -right?) and unlock any encrypted partitions and thus enable the continuation -of your boot process! FTW! - -NOTE: It could take a minute or two for your Wireguard interface to -authenticate and be recognised by the remote peer. Please be patient and hang -on in there! - -== Unlicensed - -Find the full unlicense in the UNLICENSE file, but here's a snippet. -This is free and unencumbered software released into the public domain. - ----- -Anyone is free to copy, modify, publish, use, compile, sell, or distribute -this software, either in source code form or as a compiled binary, for any -purpose, commercial or non-commercial, and by any means. ----- diff --git a/UNLICENSED b/UNLICENSED deleted file mode 100644 index cf1ab25da034..000000000000 --- a/UNLICENSED +++ /dev/null 
@@ -1,24 +0,0 @@ -This is free and unencumbered software released into the public domain. - -Anyone is free to copy, modify, publish, use, compile, sell, or -distribute this software, either in source code form or as a compiled -binary, for any purpose, commercial or non-commercial, and by any -means. - -In jurisdictions that recognize copyright laws, the author or authors -of this software dedicate any and all copyright interest in the -software to the public domain. We make this dedication for the benefit -of the public at large and to the detriment of our heirs and -successors. We intend this dedication to be an overt act of -relinquishment in perpetuity of all present and future rights to this -software under copyright law. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. -IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR -OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -OTHER DEALINGS IN THE SOFTWARE. - -For more information, please refer to <http://unlicense.org> diff --git a/wireguard_config b/wireguard_config deleted file mode 100644 index 758a108d2d9d..000000000000 --- a/wireguard_config +++ /dev/null 
@@ -1,34 +0,0 @@ -# -# Information pertaining to the Wireguard mkinitcpio hook -# -# Please ensure you've read the documentation on how to setup and configure -# Wireguard for your needs. It's vital that you ensure that you can connect -# successfully before working on enabling remote unlocking functionality. - -# All the values below are just examples. You must change them to suit -# your Wireguard network setup. - -# Specifies the name of the Wireguard interface (usually wg0) -INTERFACE=wg0 - -# Specifies the address that the Wireguard interface will use. -# Please ensure you specify the address in CIDR format. -INTERFACE_ADDR=10.0.200.21/32 - -# This is the public key of the peer. -PEER_PUBLIC_KEY=abcdefg - -# This is the IP address and port of the peer. -# Usually this is the external public-facing IP, but it may also be internal! -PEER_ENDPOINT=192.168.80.1:12912 - -# This is your private key previously setup to establish connection to the peer. -PRIVATE_KEYFILE=/etc/wireguard/initcpio/privatekey - -# If you're behind a NAT, a ping of 25 seconds is useful! -PERSISTENT_KEEPALIVES=25 - -# The IP range that will be allowed. -ALLOWED_IPS=10.0.200.0/24 - -# vim:set syntax=sh tw=78: diff --git a/wireguard_hook b/wireguard_hook deleted file mode 100644 index da8c0d232171..000000000000 --- a/wireguard_hook +++ /dev/null 
@@ -1,65 +0,0 @@ -#!/bin/bash - -_fatal () { echo ":: wireguard [FATAL]: ${@}. Cannot initialise Wireguard!"; break=y; } - -if [ -s /etc/wireguard/initcpio/unlock ]; then - . /etc/wireguard/initcpio/unlock -fi - -run_hook() -{ - if [ -z $INTERFACE ]; then - _fatal 'Interface name is not defined!' - return 1 - fi - - if [ -z $INTERFACE_ADDR ]; then - _fatal 'Interface address is not defined!' - return 1 - fi - - if [ -z $PEER_PUBLIC_KEY ]; then - _fatal 'Peer Public Key is not defined!' - return 1 - fi - - if [ ! -s $PRIVATE_KEYFILE ]; then - _fatal 'Private keyfile is not defined!' - return 1 - fi - - if [ -z $PEER_ENDPOINT ]; then - _fatal 'Peer endpoint is not defined!' - return 1 - fi - - if [ -z $PERSISTENT_KEEPALIVES ]; then - _fatal 'Persistent Keep Alives is not defined!' - return 1 - fi - - if [ -z $ALLOWED_IPS ]; then - _fatal 'Allowed IPs is not defined!' - return 1 - fi - - echo "Starting Wireguard." - - ip link add dev $INTERFACE type wireguard - wg set $INTERFACE \ - private-key $PRIVATE_KEYFILE \ - peer $PEER_PUBLIC_KEY \ - endpoint $PEER_ENDPOINT \ - persistent-keepalive $PERSISTENT_KEEPALIVES \ - allowed-ips $ALLOWED_IPS - ip addr add $INTERFACE_ADDR dev $INTERFACE - ip link set $INTERFACE up - ip route add $ALLOWED_IPS dev $INTERFACE -} - -run_cleanuphook() { - - ip link delete dev $INTERFACE - -} -# vim:set syntax=sh tw=78: diff --git a/wireguard_install b/wireguard_install deleted file mode 100644 index 4438f4654182..000000000000 --- a/wireguard_install +++ /dev/null 
@@ -1,40 +0,0 @@ -#!/bin/bash - -build() -{ - if [ ! -s /etc/wireguard/initcpio/unlock ]; then - error "Missing Wireguard initcpio hook unlock configuration file! Exiting!" - return 1 - else - . /etc/wireguard/initcpio/unlock - if [ ! -s $PRIVATE_KEYFILE ]; then - error "Missing Wireguard initcpio hook Private Keyfile! Exiting!" - return 1 - fi - fi - - add_binary wg - add_module wireguard - - add_dir /etc/wireguard/initcpio - - add_file $PRIVATE_KEYFILE - add_file /etc/wireguard/initcpio/unlock - - add_runscript -} - -help() { - cat <<HELPME -This hook provides basic Wireguard support to assist in the remote unlocking -of encrypted partitions. There are various parameters that are to be -configured via the "/etc/wireguard/initcpio/unlock" file. This must be done! - -In addition to this hook, you will require something like tinyssh or dropbear -appropriately configured in order to gain remote access. Please refer to the -Arch Wiki for further details with regards to remote unlocking of encrypted -partitions. -HELPME -} - -# vim:set syntax=sh tw=78: |