From 26fcc787ee8ed61f9cff52d4e805c97c85eddccd Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Fri, 27 Feb 2026 13:34:38 +1100 Subject: [PATCH 01/13] Retab turnkey-init-fence executable --- bin/turnkey-init-fence | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/bin/turnkey-init-fence b/bin/turnkey-init-fence index b001f21..a123969 100755 --- a/bin/turnkey-init-fence +++ b/bin/turnkey-init-fence @@ -66,15 +66,15 @@ iptables_redirect() { case "$1" in start) - echo "Starting turnkey-init-fence" + echo "Starting turnkey-init-fence" iptables_redirect start - ;; + ;; stop) - echo "Stopping turnkey-init-fence" + echo "Stopping turnkey-init-fence" iptables_redirect stop - ;; - *) - echo "Unknown command: $1" >&2 + ;; + *) + echo "Unknown command: $1" >&2 exit 1 - ;; + ;; esac From 3ad04586fd6b461412d5311fae7f6104b517b607 Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Fri, 27 Feb 2026 14:25:08 +1100 Subject: [PATCH 02/13] Bugfix init-fence - although still not working properly... --- bin/turnkey-init-fence | 2 ++ turnkey-init-fence/turnkey-init-fence.service | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/bin/turnkey-init-fence b/bin/turnkey-init-fence index a123969..2244e95 100755 --- a/bin/turnkey-init-fence +++ b/bin/turnkey-init-fence @@ -3,6 +3,8 @@ # TurnKey web interface fence - blocks access to web app until system is # initialized (admin password configure, etc) +source /etc/default/turnkey-init-fence + iptables_delete_redirect() { local dport=$1 local to_port=$2 diff --git a/turnkey-init-fence/turnkey-init-fence.service b/turnkey-init-fence/turnkey-init-fence.service index a038d77..6b80e7a 100644 --- a/turnkey-init-fence/turnkey-init-fence.service +++ b/turnkey-init-fence/turnkey-init-fence.service 
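Review bot: In the `bin/turnkey-init-fence` hunk of PATCH 02, the added `source /etc/default/turnkey-init-fence` executes that file as shell code with the script's privileges and has no guard for a missing or unreadable file. The `EnvironmentFile=` line that the same commit removes from the unit only parsed `KEY=VALUE` assignments. Since this script puts the fence in front of the web app before the admin password is set, a failed source should stop it with a clear error instead of continuing with empty settings, e.g. `[[ -r /etc/default/turnkey-init-fence ]] || { echo "cannot read /etc/default/turnkey-init-fence" >&2; exit 1; }` ahead of the `source` line. A comment that the file must stay root-owned and not group- or world-writable is also worth adding, now that its contents are executed. The rest of the script lies outside the hunk, so whether it already runs under `-e` is not visible here.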
@@ -6,7 +6,7 @@ Before=apache2.service nginx.service lighttpd.service [Service] Type=oneshot -EnvironmentFile=/etc/default/turnkey-init-fence +RemainAfterExit=true ExecStart=/usr/lib/inithooks/bin/turnkey-init-fence start ExecStop=/usr/lib/inithooks/bin/turnkey-init-fence stop From ca822eee116be1df50391548ddbbfe4df4e78301 Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Thu, 26 Mar 2026 16:02:15 +1100 Subject: [PATCH 03/13] Refactor package building - trying to leverage Debian pkg build tools --- debian/control | 12 ++++++------ .../inithooks.inithooks-restart-getty.service | 0 {systemd/system => debian}/inithooks.service | 0 .../inithooks.turnkey-init-fence.service | 0 debian/rules | 5 +++++ 5 files changed, 11 insertions(+), 6 deletions(-) rename systemd/system/inithooks-restart-getty.service => debian/inithooks.inithooks-restart-getty.service (100%) rename {systemd/system => debian}/inithooks.service (100%) rename turnkey-init-fence/turnkey-init-fence.service => debian/inithooks.turnkey-init-fence.service (100%) diff --git a/debian/control b/debian/control index 7f33cb7..226cfd0 100644 --- a/debian/control +++ b/debian/control @@ -3,11 +3,11 @@ Section: admin Priority: optional Maintainer: Stefan Davis Build-Depends: - debhelper (>= 10), + debhelper-compat (= 13), dh-python, - python3-all (>= 3.5~), -Standards-Version: 4.0.0 -X-Python-Version: >= 3.5 + python3 (>= 3.13~), + python3-dialog (>= 3.5.3~), +Standards-Version: 4.7.2 Package: inithooks Architecture: all @@ -16,8 +16,8 @@ Depends: ${misc:Depends}, ${python3:Depends}, turnkey-ssl, - python3-dialog (>= 3.4.0~), + python3-dialog (>= 3.5.3~), dialog (>= 1.3~), Recommends: - confconsole (>= 1.1.0~) + confconsole (>= 2.1.0~) Description: Executes firstboot and everyboot scripts 
diff --git a/systemd/system/inithooks-restart-getty.service b/debian/inithooks.inithooks-restart-getty.service similarity index 100% rename from systemd/system/inithooks-restart-getty.service rename to debian/inithooks.inithooks-restart-getty.service diff --git a/systemd/system/inithooks.service b/debian/inithooks.service similarity index 100% rename from systemd/system/inithooks.service rename to debian/inithooks.service diff --git a/turnkey-init-fence/turnkey-init-fence.service b/debian/inithooks.turnkey-init-fence.service similarity index 100% rename from turnkey-init-fence/turnkey-init-fence.service rename to debian/inithooks.turnkey-init-fence.service diff --git a/debian/rules b/debian/rules index dbbb8b8..61a7afd 100755 --- a/debian/rules +++ b/debian/rules @@ -9,3 +9,8 @@ export PYTHONDONTWRITEBYTECODE=1 %: dh $@ --with=python3 --buildsystem=pybuild + +override_dh_installsystemd: + dh_installsystemd --name=inithooks + dh_installsystemd --name=inithooks-restart-getty + dh_installsystemd --name=turnkey-init-fence From 96163f45a03b837a676736fe483fc3c7aa3d3f95 Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Fri, 27 Mar 2026 08:08:15 +1100 Subject: [PATCH 04/13] Resolve conflict between compat & control (rm deprecated debian/compat) A separate debian/compat file noting the "compatability" version is deprecated (although still supported). It is replaced by a build depends on 'debhelper-compat' - e.g. 'debhelper-compat (= 13)' is the same as the text '13' in a debian/compat file. --- debian/compat | 1 - 1 file changed, 1 deletion(-) delete mode 100644 debian/compat diff --git a/debian/compat b/debian/compat deleted file mode 100644 index f599e28..0000000 --- a/debian/compat +++ /dev/null @@ -1 +0,0 @@ -10 From 006ef980b8dbf2c404157d2e292664e58ab9f55b Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Fri, 27 Mar 2026 08:08:15 +1100 Subject: [PATCH 05/13] Fix packaging issues... --- debian/inithooks.install | 3 --- 1 file changed, 3 deletions(-) 
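Review bot: The added `override_dh_installsystemd` target in `debian/rules` runs `dh_installsystemd --name=turnkey-init-fence` with default options, which, if the unit has an `[Install]` section, enables it and starts it from the generated maintainer scripts on install or upgrade. For a unit whose `ExecStart` puts the init fence in place, that could turn the redirect on for a system that is already initialized. If the fence is meant to be switched on only by the firstboot hooks, use `dh_installsystemd --no-enable --no-start --name=turnkey-init-fence`. A one-line comment above the target saying which of the three units are meant to be enabled at install time would make that intent reviewable.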
diff --git a/debian/inithooks.install b/debian/inithooks.install index 2e83fde..df98d01 100644 --- a/debian/inithooks.install +++ b/debian/inithooks.install @@ -5,11 +5,8 @@ everyboot.d/* /usr/lib/inithooks/everyboot.d run /usr/lib/inithooks rsyslog.d/* /etc/rsyslog.d -turnkey-init-fence/turnkey-init-fence.service /usr/lib/systemd/system turnkey-init-fence/htdocs /usr/lib/inithooks/turnkey-init-fence turnkey-init /usr/sbin turnkey-sudoadmin /usr/sbin turnkey-install-security-updates /usr/sbin - -systemd /etc From 10c1efd7fef430dd1e67e2648eca863badf26b68 Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Fri, 27 Mar 2026 10:47:43 +1100 Subject: [PATCH 06/13] fixing & refactoring of 01ipconfig (issues noted by lintian; passes shellcheck) --- firstboot.d/01ipconfig | 62 ++++++++++++++++++++++++++++-------------- 1 file changed, 42 insertions(+), 20 deletions(-) diff --git a/firstboot.d/01ipconfig b/firstboot.d/01ipconfig index 9861b14..8f3b3ab 100755 --- a/firstboot.d/01ipconfig +++ b/firstboot.d/01ipconfig 
@@ -1,30 +1,51 @@ #!/bin/bash -e -# set ipconfig -. /etc/default/inithooks +# firstboot network interfaces file generation - runs non-interactively. +# - config can be customized via inithooks conf file (i.e. preseed) -fatal() { echo "fatal $@" >&2; exit 1; } +# shellcheck source=default/inithooks +source /etc/default/inithooks -[[ -e $INITHOOKS_CONF ]] && . $INITHOOKS_CONF -[[ -z "$IP_CONFIG" ]] && exit 0 -[[ "$IP_CONFIG" != "manual" ]] \ - && [[ "$IP_CONFIG" != "static" ]] \ - && [[ "$IP_CONFIG" != "dhcp" ]] \ - && fatal "IP_CONFIG set incorrectly" -[[ ! -e /etc/network/interfaces ]] && fatal "intefaces file not found" +fatal() { echo "fatal $*" >&2; exit 1; } -APP=$(turnkey-version -n) +if [[ -e $INITHOOKS_CONF ]]; then + source $INITHOOKS_CONF +fi -IP_IFACE="eth0" -[[ "$APP" == "lxc" ]] && IP_IFACE="br0" +if [[ -z "$IP_CONFIG" ]]; then + # exit cleanly if env var not set + exit 0 +fi -# if IP_CONFIG is not changed skip this script and avoid a interface -# reconfiguration -grep "iface $IP_IFACE inet $IP_CONFIG" /etc/network/interfaces >/dev/null \ - && exit 0 +case "$IP_CONFIG" in + manual|static|dhcp) + : # known/valid value, do nothing + ;; + *) + fatal "Invalid: IP_CONFIG='$IP_CONFIG' - valid values: manual|static|dhcp" + ;; +esac -# since debian 8 (systemd) ifdown no longer takes the interface down if we -# change between manual, static or dhcp so using 'ip' instead +if ! [[ -e /etc/network/interfaces ]]; then + fatal "/etc/network/interfaces file not found" +fi + + +if [[ "$(turnkey-version -n)" == "lxc" ]]; then + # LXC app not currently being built, but leaving for now... 
+ IP_IFACE="br0" +else + IP_IFACE="eth0" +fi + +# if IP_CONFIG is not changed avoid a interface redundant reconfiguration +if grep --quiet --no-messages "iface $IP_IFACE inet $IP_CONFIG" \ + /etc/network/interfaces; then + exit 0 +fi + +# under systemd, ifdown no longer takes the interface down when changing +# between manual, static or dhcp so use 'ip' instead ip link set $IP_IFACE down cat > /etc/network/interfaces < Date: Fri, 27 Mar 2026 10:48:10 +1100 Subject: [PATCH 07/13] lintian fixes and overrides --- debian/control | 5 +++++ debian/copyright | 4 ++-- debian/inithooks.links | 1 + debian/postinst | 2 +- debian/source.lintian-overrides | 29 +++++++++++++++++++++++++++++ 5 files changed, 38 insertions(+), 3 deletions(-) create mode 100644 debian/inithooks.links create mode 100644 debian/source.lintian-overrides diff --git a/debian/control b/debian/control index 226cfd0..4a65b14 100644 --- a/debian/control +++ b/debian/control @@ -21,3 +21,8 @@ Depends: Recommends: confconsole (>= 2.1.0~) Description: Executes firstboot and everyboot scripts + Inithooks provides facility to run scripts at boot time. It's + primary use is for firstboot system configuration/setup. Scripts in + firstboot.d (or everboot.d) are run in alphanumeric order. TurnKey + default firstboot script helpers (generally interactive python scripts) + are contained in a separate bin/ directory. diff --git a/debian/copyright b/debian/copyright index dbde083..e1d2158 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,4 +1,5 @@ Copyright (C) 2009 Alon Swartz +Copyright (C) 2010-2026 TurnKey Linux maintainers This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
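Review bot: Two expansions in the new `firstboot.d/01ipconfig` lines are still unquoted although the commit message says the script passes shellcheck: `source $INITHOOKS_CONF` and `ip link set $IP_IFACE down`. Quote them as `source "$INITHOOKS_CONF"` and `ip link set "$IP_IFACE" down`, so a path or value containing spaces or glob characters is not split before a command that runs as part of firstboot. The `grep` pattern `"iface $IP_IFACE inet $IP_CONFIG"` is unanchored, so a commented-out stanza also counts as "already configured" and skips the rewrite; `"^[[:space:]]*iface $IP_IFACE inet $IP_CONFIG"` avoids that. The end of this hunk, from the here-document onward, is not intact on the page, so the generated interfaces content is not covered here.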
@@ -11,8 +12,7 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License -along with this program; if not, write to the Free Software -Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +along with this program; If not, see . On Debian and Ubuntu systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL file. diff --git a/debian/inithooks.links b/debian/inithooks.links new file mode 100644 index 0000000..a09c042 --- /dev/null +++ b/debian/inithooks.links @@ -0,0 +1 @@ +usr/lib/python3/dist-packages/libinithooks/inithooks_cache.py usr/lib/inithooks/bin/inithooks_cache.py diff --git a/debian/postinst b/debian/postinst index 8d77142..6f12836 100755 --- a/debian/postinst +++ b/debian/postinst @@ -6,7 +6,7 @@ mkdir -p /var/run/turnkey-init-fence if [ -f /etc/default/turnkey-init-fence ]; then RUNAS=$(sed -n 's/^RUNAS=//p' /etc/default/turnkey-init-fence) if [ -n "$RUNAS" ]; then - chown -R $RUNAS /var/run/turnkey-init-fence + chown -R "$RUNAS" /var/run/turnkey-init-fence fi fi diff --git a/debian/source.lintian-overrides b/debian/source.lintian-overrides new file mode 100644 index 0000000..23af0e0 --- /dev/null +++ b/debian/source.lintian-overrides 
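Review bot: In the `debian/postinst` hunk, quoting `"$RUNAS"` stops word splitting, but the value is still taken verbatim from `/etc/default/turnkey-init-fence` and handed to a recursive `chown` that runs as root. A value starting with `-` would be read as an option. Also, PATCH 02 now makes `bin/turnkey-init-fence` `source` the same file as shell, so a shell-quoted assignment such as `RUNAS="name"` (constructed example) would be fine for the script but would reach `chown` here with the quote characters included. Consider `chown -R -- "$RUNAS" /var/run/turnkey-init-fence`, and either strip surrounding quotes in the `sed` expression or document in the defaults file that the value must be unquoted. The recursive ownership change itself is what lintian's `recursive-privilege-change` tag reports, and this series overrides that tag instead of changing the code.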
@@ -0,0 +1,29 @@ +# TODO (feature): +# - avoid use of Google's CDN for jquery - advantages are two-fold: +# - increases user privacy +# - increases performance +# - improves offline support + +inithooks source: privacy-breach-uses-embedded-file [usr/lib/inithooks/turnkey-init-fence/htdocs/index.html] + +# TODO (wishlist): +# - set ownership of inithooks cache dir at buildtime and/or runtime as +# appropriate; rather than at install time. +# - OTOH it works "as is" and is a "best practice" issue, rather than a +# functional problem - thus low priority + +inithooks source: recursive-privilege-change "chown -R" [postinst:9] + +# TODO (wishlist): +# - man files... + +inithooks source: no-manual-page [usr/sbin/turnkey-init] +inithooks source: no-manual-page [usr/sbin/turnkey-install-security-updates] +inithooks source: no-manual-page [usr/sbin/turnkey-sudoadmin] + +# these files are intentionally not executable as it is not always desireable +# to execute them - they will be updated if/when required. +# +inithooks source: script-not-executable [usr/lib/inithooks/firstboot.d/30turnkey-init-fence] +inithooks source: script-not-executable [usr/lib/inithooks/firstboot.d/97turnkey-init-fence-disable] +inithooks source: script-not-executable [usr/lib/inithooks/firstboot.d/99reboot] From 1aaefcb3f2e9973b8e1595a1c1b12acdc369a30c Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Fri, 27 Mar 2026 11:36:22 +1100 Subject: [PATCH 08/13] update gitignore to ommit deb package build local assets --- .gitignore | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.gitignore b/.gitignore index a295864..cfd4193 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,5 @@ *.pyc __pycache__ +.pybuild/ +inithooks.egg-info/ +debian/debhelper-build-stamp From 1f6003eb108ad99e21b6eaab9873b12c925fd6f0 Mon Sep 17 00:00:00 2001 
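Review bot: The `privacy-breach-uses-embedded-file` override in the new `debian/source.lintian-overrides` accepts that the fence page `htdocs/index.html` pulls jQuery from a third-party host, and the TODO above it lists only privacy, performance and offline support as reasons to change that. The stronger reason is integrity: the page is served while the appliance is still uninitialized, and script fetched from an external host runs in it. I would add a TODO line such as `# - removes a third-party script dependency from the pre-initialization page`, and prefer shipping the file in the package (or at least a Subresource Integrity attribute on the tag) over a permanent override. `index.html` is not part of this diff, so how the script is referenced is inferred from the lintian tag and the comment. The `[postinst:9]` pointer in the `recursive-privilege-change` override will also go stale whenever `postinst` is edited.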
From: Jeremy Davis Date: Fri, 27 Mar 2026 11:37:52 +1100 Subject: [PATCH 09/13] fix lintian overrides filename --- ...n-overrides => inithooks.lintian-overrides} | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) rename debian/{source.lintian-overrides => inithooks.lintian-overrides} (59%) diff --git a/debian/source.lintian-overrides b/debian/inithooks.lintian-overrides similarity index 59% rename from debian/source.lintian-overrides rename to debian/inithooks.lintian-overrides index 23af0e0..1f8f00b 100644 --- a/debian/source.lintian-overrides +++ b/debian/inithooks.lintian-overrides @@ -4,7 +4,7 @@ # - increases performance # - improves offline support -inithooks source: privacy-breach-uses-embedded-file [usr/lib/inithooks/turnkey-init-fence/htdocs/index.html] +inithooks binary: privacy-breach-uses-embedded-file [usr/lib/inithooks/turnkey-init-fence/htdocs/index.html] # TODO (wishlist): # - set ownership of inithooks cache dir at buildtime and/or runtime as 
@@ -12,18 +12,18 @@ inithooks source: privacy-breach-uses-embedded-file [usr/lib/inithooks/turnkey-i # - OTOH it works "as is" and is a "best practice" issue, rather than a # functional problem - thus low priority -inithooks source: recursive-privilege-change "chown -R" [postinst:9] +inithooks binary: recursive-privilege-change "chown -R" [postinst:9] # TODO (wishlist): # - man files... -inithooks source: no-manual-page [usr/sbin/turnkey-init] -inithooks source: no-manual-page [usr/sbin/turnkey-install-security-updates] -inithooks source: no-manual-page [usr/sbin/turnkey-sudoadmin] +inithooks binary: no-manual-page [usr/sbin/turnkey-init] +inithooks binary: no-manual-page [usr/sbin/turnkey-install-security-updates] +inithooks binary: no-manual-page [usr/sbin/turnkey-sudoadmin] # these files are intentionally not executable as it is not always desireable # to execute them - they will be updated if/when required. -# -inithooks source: script-not-executable [usr/lib/inithooks/firstboot.d/30turnkey-init-fence] -inithooks source: script-not-executable [usr/lib/inithooks/firstboot.d/97turnkey-init-fence-disable] -inithooks source: script-not-executable [usr/lib/inithooks/firstboot.d/99reboot] + +inithooks binary: script-not-executable [usr/lib/inithooks/firstboot.d/30turnkey-init-fence] +inithooks binary: script-not-executable [usr/lib/inithooks/firstboot.d/97turnkey-init-fence-disable] +inithooks binary: script-not-executable [usr/lib/inithooks/firstboot.d/99reboot] From caf73e1d8c709aad38415206b06e1a7b84125a88 Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Mon, 30 Mar 2026 03:53:00 +0000 Subject: [PATCH 10/13] rename inithooks-restart-getty1.service (previously ommited '1') --- ...t-getty.service => inithooks.inithooks-restart-getty1.service} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename debian/{inithooks.inithooks-restart-getty.service => inithooks.inithooks-restart-getty1.service} (100%) 
diff --git a/debian/inithooks.inithooks-restart-getty.service b/debian/inithooks.inithooks-restart-getty1.service similarity index 100% rename from debian/inithooks.inithooks-restart-getty.service rename to debian/inithooks.inithooks-restart-getty1.service From b446ba7fb9ae2c02d62e3e22a0942d1829814f5a Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Mon, 30 Mar 2026 15:06:32 +1100 Subject: [PATCH 11/13] update debian/rules for renamed (fixed) inithooks-restart-getty1.service --- debian/rules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/rules b/debian/rules index 61a7afd..43f8788 100755 --- a/debian/rules +++ b/debian/rules @@ -12,5 +12,5 @@ export PYTHONDONTWRITEBYTECODE=1 override_dh_installsystemd: dh_installsystemd --name=inithooks - dh_installsystemd --name=inithooks-restart-getty + dh_installsystemd --name=inithooks-restart-getty1 dh_installsystemd --name=turnkey-init-fence From 53d7f0a262ed509221d336ce59618eee931dd47a Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Mon, 30 Mar 2026 17:31:43 +1100 Subject: [PATCH 12/13] use syslog-style priority prefixes in restart-getty script (honored by systemd) --- bin/restart-getty | 40 +++++++++++++++++++++++++++------------- 1 file changed, 27 insertions(+), 13 deletions(-) diff --git a/bin/restart-getty b/bin/restart-getty index 29db5cc..035f6c2 100755 --- a/bin/restart-getty +++ b/bin/restart-getty @@ -1,7 +1,7 @@ #!/bin/bash -e # This script is intended to be automatically triggered by -# inithooks-restart-getty.service, which in turn is intended to be started +# inithooks-restart-getty1.service, which in turn is intended to be started # when inithooks.service exits (regardless of exit status) # # Assuming this script _was_ triggered by inithooks.service exit, on most 
@@ -9,24 +9,33 @@ # only loop 1 additional times. However to ensure that it is as robust as # possible, it will wait up to 10 secs for inithooks.service to stop. -fatal() { echo "$*" >&2; exit 1; } +# systemd honors syslog-style priority prefixes on stdout/stderr +# supports journalctl log level filtering - and colors the messages +warn() { echo "<4>$*" >&2; } +fatal() { + echo "<3>$*" >&2 + echo "<3>Please report to support@turnkeylinux.org" + exit 1 +} +# only run this script if started by systemd if [[ "$_STARTED_BY_SYSTEMD" == yes ]]; then - echo "$(basename "$0") running" + echo "$(basename "$0") script running" else - fatal "$(basename "$0") not started by systemd - exiting" + echo "$(basename "$0") script not started by systemd - exiting" >&2 + exit 0 fi getty1_services=(getty@tty1.service container-getty@1.service) getty_target=/etc/systemd/system/getty.target.wants -getty1_service= +getty1_service="" for _getty1 in "${getty1_services[@]}"; do _getty_target="$getty_target/$_getty1" if [[ -L "$_getty_target" ]]; then if [[ -f "$_getty_target" ]]; then getty1_service="$_getty1" - echo "system getty service is '$getty1_service'" + echo "Found default system getty service: '$getty1_service'" break fi fi 
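Review bot: The new `fatal()` in `bin/restart-getty` sends its first line to stderr, but the added `echo "<3>Please report to support@turnkeylinux.org"` has no redirect, so the two halves of one error go to different streams. Make it `echo "<3>Please report to support@turnkeylinux.org" >&2` to match the line above it and `warn()`. The `_STARTED_BY_SYSTEMD` test is an environment variable that any caller can set, so the comment `# only run this script if started by systemd` would be more accurate as `# convenience guard only - the variable is not an access check`.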
@@ -35,23 +44,28 @@ if [[ -z "$getty1_service" ]]; then fatal "Could not find valid getty1 service (tried ${getty1_services[*]})" fi +echo "Starting $getty1_service" for i in {10..0}; do if systemctl is-active -q inithooks.service; then msg="inithooks.service running" if [[ $1 -gt 0 ]]; then - echo "$msg - waiting $i more seconds for it to stop" >&2 + msg="inithooks.service running" + warn "$msg - waiting $i more seconds for it to stop" >&2 else - fatal "$msg - giving up..." + warn "Failed to stop inithooks.service - giving up..." + fatal "$getty1_service could not be started" fi sleep 1 else - echo "inithooks service is not running" + echo "inithooks.service is not running" if systemctl is-active -q "$getty1_service"; then - echo "$getty1_service already running, nothing to do" + warn "$getty1_service already running, nothing to do" else - echo "starting $getty1_service" - if ! systemctl start ; then - fatal "failed to start $getty1_service" + echo "Starting $getty1_service..." + if ! systemctl start "$getty1_service"; then + fatal "Failed to start $getty1_service" + else + echo "$getty1_service started..." fi fi exit 0 From a81b1e8f027d5e807aa42634f3b2d1640e17b503 Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Mon, 30 Mar 2026 17:58:23 +1100 Subject: [PATCH 13/13] Double check that getty has started --- bin/restart-getty | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/bin/restart-getty b/bin/restart-getty index 035f6c2..90d1306 100755 --- a/bin/restart-getty +++ b/bin/restart-getty @@ -65,7 +65,13 @@ for i in {10..0}; do if ! systemctl start "$getty1_service"; then fatal "Failed to start $getty1_service" else - echo "$getty1_service started..." + # because getty@.service is 'Type=idle' systemctl start may + # exit zero even if it fails, so double check to be sure + if ! systemctl is-active -q "$getty1_service"; then + fatal "$getty1_service failed" + else + echo "$getty1_service started..." + fi fi fi exit 0
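Review bot: The wait loop in `bin/restart-getty` tests `[[ $1 -gt 0 ]]` where the loop variable is `i`; the line is context in this hunk and the commit leaves it unchanged. Unless the unit passes a numeric argument (not visible here), `$1` is empty, the test evaluates as false on the first pass, and the script goes straight to `Failed to stop inithooks.service - giving up...` without waiting at all. It should read `if [[ $i -gt 0 ]]; then`. In the added lines, `msg="inithooks.service running"` is now assigned twice and `warn "$msg - waiting $i more seconds for it to stop" >&2` repeats the redirect that `warn` already performs, so the second assignment and the trailing `>&2` can be dropped. The loop closes outside this hunk.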