From d18cdafa5ba5a2c0e2558ea1861a66576f816802 Mon Sep 17 00:00:00 2001 From: Harald Hoyer Date: Mon, 10 Sep 2018 15:50:31 +0200 Subject: [PATCH] update --- clonedisk.sh | 35 ++++++++++++++++++++++++++--------- pkglist.txt | 1 + prepare-root.sh | 3 +++ quirks/nss.sh | 7 ++++++- update.sh | 6 +----- 5 files changed, 37 insertions(+), 15 deletions(-) diff --git a/clonedisk.sh b/clonedisk.sh index 5fd822c..9274ef1 100755 --- a/clonedisk.sh +++ b/clonedisk.sh @@ -37,6 +37,7 @@ while true; do shift 1; continue ;; '--crypttpm2') + USE_CRYPT="y" USE_TPM="y" shift 1; continue ;; @@ -139,14 +140,30 @@ for i in 1 2 3; do done if ! [[ $UPDATE ]]; then - swapoff ${OUT}6 || : - # ------------------------------------------------------------------------------ - # swap - echo -n "zero key" \ - | cryptsetup luksFormat --type luks2 ${OUT}6 /dev/stdin + swapoff -a : - # ------------------------------------------------------------------------------ - # data - echo -n "zero key" \ - | cryptsetup luksFormat --type luks2 ${OUT}7 /dev/stdin + if [[ $USE_CRYPT ]]; then + # ------------------------------------------------------------------------------ + # swap + echo -n "zero key" \ + | cryptsetup luksFormat --type luks2 ${OUT}6 /dev/stdin + + # ------------------------------------------------------------------------------ + # data + echo -n "zero key" \ + | cryptsetup luksFormat --type luks2 ${OUT}7 /dev/stdin + else + mkswap ${OUT}6 + mkfs.xfs -L data ${OUT}7 + fi +fi + +efibootmgr -C -b FED1 -d ${OUT_DEV} -p 1 -L "FedoraBook 1" -l '\efi\fedorabook\1.efi' +efibootmgr -C -b FED2 -d ${OUT_DEV} -p 1 -L "FedoraBook 2" -l '\efi\fedorabook\2.efi' +efibootmgr -C -b FED3 -d ${OUT_DEV} -p 1 -L "FedoraBook Old 1" -l '\efi\fedorabook\_1.efi' +efibootmgr -C -b FED4 -d ${OUT_DEV} -p 1 -L "FedoraBook Old 2" -l '\efi\fedorabook\_2.efi' + +BOOT_ORDER=$(efibootmgr | grep BootOrder: | { read _ a; echo "$a"; }) +if ! [[ $BOOT_ORDER == *FED1* ]]; then + efibootmgr -o "FED1,FED2,FED3,FED4,$BOOT_ORDER" fi 
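Review bot: In clonedisk.sh (hunk at -139), the new `else` branch creates plaintext swap and data with `mkswap ${OUT}6` and `mkfs.xfs -L data ${OUT}7` whenever USE_CRYPT is empty, where the removed code always ran luksFormat. A forgotten flag therefore provisions an unencrypted disk with no message, so I would at least print one, e.g. `echo "clonedisk: USE_CRYPT not set, swap and data will NOT be encrypted" >&2`. The LUKS branch still formats both volumes with the fixed passphrase `zero key`; presumably a later step outside this hunk replaces that keyslot, and a comment saying where would help. Separately, `efibootmgr -o "FED1,FED2,FED3,FED4,$BOOT_ORDER"` ends in a trailing comma when BootOrder is absent or empty, which efibootmgr may reject; `"FED1,FED2,FED3,FED4${BOOT_ORDER:+,$BOOT_ORDER}"` avoids that.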
diff --git a/pkglist.txt b/pkglist.txt index 8afd386..39e6524 100644 --- a/pkglist.txt +++ b/pkglist.txt @@ -77,3 +77,4 @@ libvirt-daemon-kvm squashfs-tools mc veritysetup +rsync diff --git a/prepare-root.sh b/prepare-root.sh index 6ac38b2..e388e76 100755 --- a/prepare-root.sh +++ b/prepare-root.sh @@ -163,6 +163,7 @@ for i in passwd shadow group gshadow subuid subgid; do done chown -R +0.+0 "$sysroot" +chmod 0000 "$sysroot"/etc/{shadow,gshadow} mkdir -p "$sysroot"/{dev,proc,sys,run} mount --bind /proc "$sysroot/proc" @@ -235,6 +236,8 @@ find "$sysroot" -name '*.rpmnew' -print0 | xargs -0 rm -fv mkdir -p ${BASEDIR}/${NAME} for i in passwd shadow group gshadow subuid subgid; do cp "$sysroot"/etc/"$i" ${BASEDIR}/${NAME} + chown "$USER" "${BASEDIR}/${NAME}/$i" + chmod u+r "${BASEDIR}/${NAME}/$i" done cp "$CURDIR/clonedisk.sh" "$sysroot"/usr/bin/clonedisk diff --git a/quirks/nss.sh b/quirks/nss.sh index 3bac2aa..4740020 100644 --- a/quirks/nss.sh +++ b/quirks/nss.sh @@ -1,9 +1,10 @@ +chroot "$sysroot" bash -c 'useradd -G wheel admin' + sed -i -e 's#^\(passwd:.*\) files#\1 files db altfile#g;s#^\(shadow:.*\) files#\1 files altfiles db#g;s#^\(group:.*\) files#\1 files altfiles db#g' \ "$sysroot"/etc/nsswitch.conf mkdir -p "$sysroot"/usr/db sed -i -e 's#/var/db#/usr/db#g' "$sysroot"/lib64/libnss_db-2*.so "$sysroot"/var/db/Makefile -chroot "$sysroot" bash -c 'useradd -G wheel admin' egrep -e '^(adm|wheel):.*' "$sysroot"/etc/group > "$sysroot"/etc/group.admin egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.admin 
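Review bot: In prepare-root.sh (hunk at -235), the added `chown "$USER"` and `chmod u+r` apply to every file in the loop, including `shadow` and `gshadow`, so the image's password hashes end up owned by and readable to the build account under `${BASEDIR}/${NAME}`. If only the non-secret files need to be readable there, skip the two hash files, e.g. `[[ $i == *shadow ]] || chown "$USER" "${BASEDIR}/${NAME}/$i"`. If a later step really needs them, a comment naming that step and a 0700 mode on the directory would make the exposure deliberate. Under sudo with a reset environment `$USER` is usually root, which would make the chown a no-op, so it is worth confirming which account is meant. Only the loop is visible here; the rest of the script is outside the hunk.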
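Review bot: In quirks/nss.sh (hunk at -1), the unchanged sed line that `useradd` is moved above rewrites the passwd entry to `files db altfile`, while shadow and group get `files altfiles db`. `altfile` looks like a typo for the `altfiles` NSS service, and glibc treats a service it cannot load as unavailable and moves on rather than reporting it. If the different order is not intended either, the first expression would read `s#^\(passwd:.*\) files#\1 files altfiles db#g`. This line is context rather than part of the change, so it may be better fixed in its own commit.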
@@ -16,12 +17,16 @@ chroot "$sysroot" bash -c 'make -C /var/db /usr/db/passwd.db /usr/db/shadow.db / mv "$sysroot"/etc/group.admin "$sysroot"/etc/group mv "$sysroot"/etc/gshadow.admin "$sysroot"/etc/gshadow +chmod 0000 "$sysroot"/etc/gshadow + chroot "$sysroot" bash -c 'useradd admin; usermod -a -G wheel admin; echo -n admin | passwd --stdin admin' chroot "$sysroot" bash -c 'passwd -e admin' mkdir -p "$sysroot"/usr/share/factory/var mv "$sysroot"/etc/passwd "$sysroot"/etc/sub{u,g}id "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow "$sysroot"/usr/share/factory/var +rm -f "$sysroot"/etc/shadow- "$sysroot"/etc/gshadow- + sed -i -e 's!^# directory = /etc!directory = /var!g' "$sysroot"/etc/libuser.conf for i in passwd shadow group gshadow .pwd.lock subuid subgid; do diff --git a/update.sh b/update.sh index a2bb4e9..1a6d00f 100755 --- a/update.sh +++ b/update.sh @@ -79,9 +79,5 @@ sfdisk --part-uuid ${ROOT_DEV} ${ROOT_PARTNO} ${ROOT_UUID} mkdir -p /efi/EFI/${NAME} cp bootx64.efi /efi/EFI/${NAME}/${NEW_ROOT_NUM}.efi -# better swap prio with efibootmgr mv /efi/EFI/${NAME}/${OLD_ROOT_NUM}.efi /efi/EFI/${NAME}/_${OLD_ROOT_NUM}.efi - -## unless proper boot entries set, just force copy to default boot loader -cp bootx64.efi /efi/EFI/Boot/new_bootx64.efi -mv --backup=simple /efi/EFI/Boot/new_bootx64.efi /efi/EFI/Boot/bootx64.efi +rm /efi/EFI/${NAME}/_${NEW_ROOT_NUM}.efi
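Review bot: In quirks/nss.sh (hunk at -16), the added `chmod 0000` and the removal of `shadow-`/`gshadow-` tighten the hash files, but the context line between them still sets the wheel account's password to the literal `admin` via `passwd --stdin`. Only `passwd -e` forces a change at first login, so every image built from this script carries the same initial credential until someone logs in. If that is the intended first-boot flow, a comment such as `# initial password is expired below; must be changed at first console login` would record it. It is also worth confirming that no remote login service accepts passwords before that change.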
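Review bot: In update.sh (hunk at -79), the new `rm /efi/EFI/${NAME}/_${NEW_ROOT_NUM}.efi` has no `-f` and is unquoted, so it returns an error when no backup of that slot exists yet (presumably the first update after cloning). By then the `mv` has already renamed the old loader; `rm -f -- "/efi/EFI/${NAME}/_${NEW_ROOT_NUM}.efi"` handles that case. With the copy to `/efi/EFI/Boot/bootx64.efi` removed, booting the new image relies on the firmware boot entries, which are created in clonedisk.sh and not visible here. A short comment stating that dependency would help whoever debugs a machine whose NVRAM entries were lost. The top of the script, including whether `set -e` is active, is outside this hunk.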