/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
// Package systemd configures systemd units for encrypted volumes.
package systemd
import (
"bytes"
"errors"
"fmt"
"os"
"path/filepath"
"strings"
"text/template"
"github.com/spf13/afero"
)
const (
systemdRuntimeUnitPath = "/run/systemd/system"
systemdUnitName = "systemd-cryptsetup@state.service"
systemdDeviceRequires = "dev-mapper-state.device.requires"
systemdCryptsetupTargetRequires = "cryptsetup.target.requires"
)
// CryptsetupUnitGenerator generates systemd-cryptsetup@.service unit files.
type CryptsetupUnitGenerator struct {
fs afero.Afero
}
// New returns a new CryptsetupUnitGenerator.
func New(fs afero.Afero) CryptsetupUnitGenerator {
return CryptsetupUnitGenerator{fs: fs}
}
// Generate generates a systemd-cryptsetup@.service unit file and its dependencies.
func (g CryptsetupUnitGenerator) Generate(volumeName, encryptedDevice, keyFile, options string) error {
unitContents, err := g.configureUnit(volumeName, encryptedDevice, keyFile, options)
if err != nil {
return err
}
return g.writeUnits(unitContents)
}
// configureUnit generates the systemd-cryptsetup@.service unit file contents.
func (g CryptsetupUnitGenerator) configureUnit(volumeName, encryptedDevice, keyFile, options string) (string, error) {
deviceUnit := strings.ReplaceAll(encryptedDevice, "/", "-") + ".device"
deviceUnit = strings.TrimPrefix(deviceUnit, "-")
templ, err := template.New("").Parse(`[Unit]
Description=Cryptography Setup for %I
Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)
DefaultDependencies=no
IgnoreOnIsolate=true
After=cryptsetup-pre.target systemd-udevd-kernel.socket
Before=blockdev@dev-mapper-%i.target
Wants=blockdev@dev-mapper-%i.target
Conflicts=umount.target
Before=cryptsetup.target
RequiresMountsFor={{.keyFile}}
BindsTo={{.deviceUnit}}
After={{.deviceUnit}}
Before=umount.target
[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=0
KeyringMode=shared
OOMScoreAdjust=500
ExecStart=/usr/lib/systemd/systemd-cryptsetup attach '{{.volumeName}}' '{{.encryptedDevice}}' '{{.keyFile}}' '{{.options}}'
ExecStop=/usr/lib/systemd/systemd-cryptsetup detach '{{.volumeName}}'
`)
if err != nil {
return "", err
}
var buf bytes.Buffer
err = templ.Execute(&buf, map[string]string{
"volumeName": volumeName,
"encryptedDevice": encryptedDevice,
"deviceUnit": deviceUnit,
"keyFile": keyFile,
"options": options,
})
if err != nil {
return "", err
}
return buf.String(), nil
}
// writeUnits writes the unit file and its dependencies to the filesystem.
func (g CryptsetupUnitGenerator) writeUnits(unitContents string) error {
if err := g.fs.MkdirAll(systemdRuntimeUnitPath, os.ModePerm); err != nil {
return err
}
if err := g.fs.Mkdir(filepath.Join(systemdRuntimeUnitPath, systemdDeviceRequires), os.ModePerm); err != nil {
return err
}
if err := g.fs.Mkdir(filepath.Join(systemdRuntimeUnitPath, systemdCryptsetupTargetRequires), os.ModePerm); err != nil {
return err
}
unitPath := filepath.Join(systemdRuntimeUnitPath, systemdUnitName)
if err := g.fs.WriteFile(unitPath, []byte(unitContents), 0o444); err != nil {
return err
}
if symlinker, ok := g.fs.Fs.(afero.Symlinker); ok {
if err := symlinker.SymlinkIfPossible(unitPath, filepath.Join(systemdRuntimeUnitPath, systemdDeviceRequires, systemdUnitName)); err != nil {
return fmt.Errorf("creating device symlink: %w", err)
}
if err := symlinker.SymlinkIfPossible(unitPath, filepath.Join(systemdRuntimeUnitPath, systemdCryptsetupTargetRequires, systemdUnitName)); err != nil {
return fmt.Errorf("creating cryptsetup target symlink: %w", err)
}
} else {
return errors.New("fs does not support symlinks")
}
return nil
}