From d8a4f9d0635cdfda2f56b675a8a2e1d69fc4e252 Mon Sep 17 00:00:00 2001
From: Christian Kellner
Date: Mon, 8 Nov 2021 16:15:46 +0100
Subject: [PATCH] stages: add new org.osbuild.crypttab stage New stage to configure /etc/crypttab to setup encrypted block devices. See the documentation of the stage for more information.
---
stages/org.osbuild.crypttab | 91 +++++++++++++++++++++++++++++++++++++
1 file changed, 91 insertions(+)
create mode 100755 stages/org.osbuild.crypttab
diff --git a/stages/org.osbuild.crypttab b/stages/org.osbuild.crypttab
new file mode 100755
index 00000000..f12beecd
--- /dev/null
+++ b/stages/org.osbuild.crypttab
@@ -0,0 +1,91 @@
+#!/usr/bin/python3
+"""
+Create /etc/crypttab entries for encrypted block devices
+
+See crypttab(5) for a detailed description of the format but in brief:
+each item in the list of `volumes` describes an encrypted block device
+and how it should it should be setup. The block device is identified
+either by `uuid` or by `path` (device node path). The volume will be
+named as `volume`, i.e. made available as `/dev/mapper/$volume`.
+Additionally, a keyfile can (optionally) be specified via `keyfile`.
+Specific device options can be specified via `options`.
+
+This stage replaces /etc/crypttab, removing any existing entries.
+"""
+
+
+import sys
+
+import osbuild.api
+
+
+SCHEMA = """
+"additionalProperties": false,
+"required": ["volumes"],
+"properties": {
+ "volumes": {
+ "type": "array",
+ "description": "array of volume objects",
+ "items": {
+ "type": "object",
+ "oneOf": [{
+ "required": ["uuid", "volume"]
+ }, {
+ "required": ["path", "volume"]
+ }],
+ "properties": {
+ "volume": {
+ "description": "volume mountpoint",
+ "type": "string"
+ },
+ "uuid": {
+ "description": "device UUID",
+ "type": "string"
+ },
+ "path": {
+ "description": "device path",
+ "type": "string"
+ },
+ "keyfile": {
+ "description": "",
+ "type": "string",
+ "default": "none"
+ },
+ "options": {
+ "description": "options (comma-separated)",
+ "type": "string",
+ "default": ""
+ }
+ }
+ }
+ }
+}
+"""
+
+
+def main(tree, options):
+ volumes = options["volumes"]
+
+ with open(f"{tree}/etc/crypttab", "w") as f:
+ for volume in volumes:
+ name = volume["volume"]
+ uuid = volume.get("uuid")
+ path = volume.get("path")
+ options = volume.get("options", "")
+ keyfile = volume.get("keyfile", "none")
+
+ if uuid:
+ device = f"UUID={uuid}"
+ elif path:
+ device = path
+ else:
+ raise ValueError("Need 'uuid' or 'label'")
+
+ f.write(
+ f"{name}\t{device}\t{keyfile}\t{options}\n")
+
+
+if __name__ == '__main__':
+ args = osbuild.api.arguments()
+ r = main(args["tree"], args["options"])
+ sys.exit(r)
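Review bot: In `main`, `name`, `uuid`/`path`, `keyfile` and `options` are interpolated into the `f.write(...)` line exactly as given, and the schema constrains them only to `"type": "string"`, so a value containing a space, tab or newline shifts fields or adds an extra entry to /etc/crypttab, whose fields are whitespace-delimited. If manifest values can be derived from less-trusted input (not visible in this patch), the written file would then no longer match what the manifest appears to declare for keyfile and options. Reject such values before writing, e.g. `if any(ch.isspace() for field in (name, device, keyfile, options) for ch in field): raise ValueError("crypttab fields must not contain whitespace")`, or add a `"pattern"` to each schema property. Separately, the `else` branch's message names 'label' although the accepted keys are `uuid` and `path`, and the loop rebinds the `options` parameter; `raise ValueError("Need 'uuid' or 'path'")` and a distinct local name such as `opts` would read more clearly.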