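#######################################
# Create (when a separate config partition is used) and populate the
# configuration filesystem with defaults and initial values.
# Globals:   USE_SEPERATE_CONFIG_PARTITION, ROOT_PERM_SCRIPT,
#            CONFIG_DEFAULTS_DIR, CONFIG_DIR, CONFIG_MARKER (all read)
# Arguments: $1 - block device that holds the config filesystem
#######################################
function create_config() {
  local device=$1

  unload_config

  # create the new configuration filesystem if it is not static
  if [ "$USE_SEPERATE_CONFIG_PARTITION" != "1" ]; then
    log_msg "Using static configuration ..."
  else
    log_msg "Creating config filesystem ..."
    "$ROOT_PERM_SCRIPT" create_config "$device"
    log_msg "Mounting config partition ..."
    "$ROOT_PERM_SCRIPT" mount_config "$device"
    "$ROOT_PERM_SCRIPT" remount_config rw
  fi

  log_msg "Copying configuration defaults ..."
  cp -a -- "$CONFIG_DEFAULTS_DIR/." "$CONFIG_DIR"

  # NOTE(review): this message is logged, but no certificate copy follows it
  # in this function - confirm whether the copy step is done elsewhere.
  log_msg "Copying temporary certificate file to config filesystem ..."

  log_msg "Setting inital values ..."
  # beware: config_set_value remounts the config partition read-only
  config_set_value "ip" "$(get_current_ip)"
  # create database of readable names
  config_set_value "names.db" ""
  # create a marker to recognize a cryptobox partition
  # this should be the last step, to prevent a half-initialized state
  config_set_value "$CONFIG_MARKER" "$(date -I)"
}

#######################################
# Look for the harddisk to be partitioned.
# Globals:   LOG_FILE (appended to when no disk is found)
# Outputs:   the first entry reported by get_available_disks, without a
#            trailing newline; an empty string if there is none
# Returns:   never an error on purpose - the caller has to handle an empty
#            result
#######################################
function find_harddisk() {
  local device
  # a failure here shows up as an empty result, which is handled below
  device=$(get_available_disks | head -n 1) || true

  if [ -z "$device" ]; then
    log_msg "no valid harddisk for initialisation found!"
    cat /proc/partitions >>"$LOG_FILE"
    # do not return with an error, to avoid a failing of the script
    # ('break on error') - the caller of this function should handle an
    # empty return string
  fi

  printf '%s' "$device"
}

#######################################
# Mount the configuration partition, if one is used and can be found.
# Globals:   USE_SEPERATE_CONFIG_PARTITION, ROOT_PERM_SCRIPT (read)
# Returns:   0 if a configuration is active afterwards, 1 otherwise
#######################################
function load_config() {
  local part

  unload_config

  # look for a configuration partition
  if [ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ]; then
    list_partitions_of_type config | while read -r part; do
      log_msg "configuraton found on $part"
      # error check?
      "$ROOT_PERM_SCRIPT" mount_config "/dev/$part"
      # only the first candidate is tried, whether or not the mount worked
      break
    done
  fi

  if is_config_active; then
    return 0
  fi
  log_msg "failed to locate config partition"
  return 1
}

#######################################
# Unmount the configuration partition if it is active and not static.
# Globals:   USE_SEPERATE_CONFIG_PARTITION, ROOT_PERM_SCRIPT (read)
# Returns:   0 if there was nothing to unmount, otherwise the status of
#            the umount_config call
#######################################
function unload_config() {
  # "nothing to unload" is a success, like the static case below; a bare
  # 'return' would hand the failed test on to callers that run under
  # 'break on error'
  is_config_active || return 0

  # only try to unmount, if it is not static (the config of a live-cd is
  # always dynamic)
  if [ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ]; then
    "$ROOT_PERM_SCRIPT" umount_config
  else
    return 0
  fi
}

#######################################
# First part of the initialisation that takes no time - good for a smooth
# web interface. Repartitions the first available disk, so ALL data on
# that disk is lost.
# TODO: rename to "prepare_cryptobox"
# Globals:   ROOT_PERM_SCRIPT (read)
# Returns:   1 if no usable harddisk was found
#######################################
function init_cryptobox() {
  local device
  device=$(find_harddisk)

  if [ -z "$device" ]; then
    log_msg 'No valid harddisk found!'
    return 1
  fi

  turn_off_all_crypto
  unload_config || true

  log_msg "Partitioning the device ($device) ..."
  "$ROOT_PERM_SCRIPT" partition_disk "$device" "0,1,L \n,,L\n"

  log_msg "Initializing config partition on ${device}1 ..."
  # TODO: this should not be hard-coded
  # NOTE(review): appending "1" only yields the first partition for names
  # like /dev/hda or /dev/sda; devices whose partitions carry a "p" infix
  # would need different handling.
  create_config "${device}1"
}

# Dispatch on the requested action.
case "$ACTION" in
  network-up)
    if [ "$SKIP_NETWORK_CONFIG" != 1 ]; then
      # NOTE(review): conf_ip comes from the config storage and is handed to
      # the interface tool as it is; quoting keeps it a single argument, but
      # its content is not checked here.
      conf_ip=$(config_get_value "ip")
      log_msg "Configuring $NET_IFACE for $conf_ip ..."
      echo "Configuring network interface for $NET_IFACE: $conf_ip"
      "$IFCONFIG" "$NET_IFACE" "$conf_ip"
    fi

    if [ "$EXEC_FIREWALL_RULES" = 1 ]; then
      log_msg "Starting the firewall ..."
      "$FIREWALL_SCRIPT" start
    fi

    if [ "$USE_STUNNEL" = 1 ]; then
      # start stunnel
      if [ -f "$CERT_FILE" ]; then
        USE_CERT=$CERT_FILE
      else
        USE_CERT=$CERT_TEMP
        "$MAKE_CERT_SCRIPT" "$CERT_TEMP" >>"$LOG_FILE" 2>&1
        # TODO: this could be dangerous - right?
        # this is necessary, to allow www-data to copy the certificate
        # NOTE(review): the file given to stunnel via -p normally carries the
        # private key next to the certificate, so after this chown the web
        # user can read that key. Check the file mode, and whether handing
        # over only the certificate would be enough.
        chown "$WEB_USER" "$CERT_TEMP"
      fi
      log_msg "Starting stunnel ..."
      # NOTE(review): the fallback message is printed for every stunnel
      # failure, not only for a missing certificate file.
      stunnel -p "$USE_CERT" -r localhost:80 -d 443 \
        || echo "$USE_CERT not found - not starting stunnel"
    fi
    ;;

  network-down)
    if [ "$EXEC_FIREWALL_RULES" = 1 ]; then
      log_msg "Stopping the firewall ..."
      "$FIREWALL_SCRIPT" stop
    fi

    if [ "$USE_STUNNEL" = 1 ]; then
      log_msg "Stopping stunnel ..."
      # TODO: what about a pid?
      # killall ends every process named stunnel, not only the one started
      # by network-up; a missing process is not an error
      killall stunnel 2>/dev/null || true
    fi

    if [ "$SKIP_NETWORK_CONFIG" != 1 ]; then
      log_msg "Shutting the network interface down ..."
      "$IFCONFIG" "$NET_IFACE" down
    fi
    ;;

  services-up)
    # the mount point has to be writeable
    # this action is called as root - so we are allowed to mount
    # TODO: do this only for ro-filesystem
    # TODO: this way of mounting is evil
    # NOTE(review): the tmpfs is mounted with default options; consider
    # whether nosuid/nodev fit this mount point.
    if ! mountpoint -q "$MNT_PARENT"; then
      mount -t tmpfs tmpfs "$MNT_PARENT"
    fi
    true
    ;;

  services-down)
    # this action is called as root - so we are allowed to umount
    mountpoint -q "$MNT_PARENT" && umount "$MNT_PARENT"
    # TODO: we should not depend on samba and thttpd
    # /etc/init.d/samba stop || true
    # /etc/init.d/thttpd stop || true
    true
    ;;

  is_harddisk_available)
    if [ -z "$(find_harddisk)" ]; then
      exit 1
    fi
    exit 0
    ;;

  update_ip_address)
    # reconfigure the network interface to a new IP address
    # wait for 5 seconds to finish present http requests
    if [ "$SKIP_NETWORK_CONFIG" != 1 ]; then
      # the job text is run later by the shell of 'at'; ROOT_PERM_SCRIPT is
      # put into it between double quotes, so it has to be a trusted path
      # without quote or expansion characters
      printf '%s' "sleep 5; \"$ROOT_PERM_SCRIPT\" update_network" | at now
    fi
    ;;

  poweroff)
    log_msg "Turning off the CryptoBox ..."
    turn_off_all_crypto
    echo "poweroff" | at now
    ;;

  reboot)
    log_msg "Rebooting the CryptoBox ..."
    turn_off_all_crypto
    echo "reboot" | at now
    ;;

  *)
    # NOTE(review): the help text lists config-up, config-down,
    # is_config_mounted, box-init, box-init-fg and box-init-bg, but this
    # case statement has no branch for them, so they end up here as well.
    echo "Syntax: $(basename "$0") ACTION"
    echo " config-up - scan for configuration partition and mount it"
    echo " config-down - unmount configuration partition"
    echo " network-up - enable network interface"
    echo " network-down - disable network interface"
    echo " services-up - run some cryptobox specific daemons"
    echo " services-down - stop some cryptobox specific daemons"
    echo " update_ip_address - update the network interface after reconfiguration"
    echo " is_config_mounted - check, if configuration partition is mounted"
    echo " box-init - initialize cryptobox (ALL data is LOST)"
    echo " box-init-fg - the first part of initialization"
    echo " box-init-bg - the last part of initialization (background)"
    echo " is_harddisk_available - check, if there is a usable harddisk"
    echo " poweroff - shutdown the cryptobox"
    echo " reboot - reboot the cryptobox"
    echo
    ;;
esac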