Re: unlocking encfs during boot (Re: systemd now appears to be only possible init system in testing)

Mon, 28 Jul 2014 09:37:46 -0700

El lun, 28 de jul 2014 a las 8:21 , Michael Biebl <bi...@debian.org> escribió: 
Am 28.07.2014 16:53, schrieb Michael Biebl:

 ------8<-----------
 [Unit]
 Description=Unlock EncFS
 DefaultDependencies=no
 After=local-fs.target
 Before=display-manager.service getty@tty1.service
[Service] 
 Type=oneshot
 RemainAfterExit=true
 Environment=RootDir=/home/.encfs/crypt
 Environment=MountPoint=/home/crypt
ExecStart=/bin/sh -c "systemd-ask-password --no-tty --timeout=30 'Unlock 
 EncFS' | encfs --stdinpass $RootDir $MountPoint"
 ExecStop=/bin/umount $MountPoint
[Install] 
 WantedBy=sysinit.target
 ------>8-----------



To show you some additional cool systemd features, I'm going a step
further and make this unit file a completely generic template unit, so

it can easily be re-used, say if you have multiple encfs file systems 
to

unlock and you don't want to copy that file over and over again.

Only 3 small modifications are necessary:
- Rename the file unlock@.service
- Update Description: Description=Unlock %I EncFS
- Use EnvironmentFile=/etc/encfs/%I

The %I is the instance name specfier and denotes the part between
unlock@<instance name>.service. See man systemd.unit(5)

The resulting template unit looks like this and is completely generic:

------8<-----------
[Unit]
Description=Unlock %I EncFS
DefaultDependencies=no
After=local-fs.target
Before=display-manager.service getty@tty1.service

[Service]
Type=oneshot
RemainAfterExit=true
EnvironmentFile=/etc/encfs/%I

ExecStart=/bin/sh -c "systemd-ask-password --no-tty --timeout=30 
'Unlock

EncFS' | encfs --stdinpass $RootDir $MountPoint"
ExecStop=/bin/umount $MountPoint

[Install]
WantedBy=sysinit.target
------>8-----------

So how do we create a new encfs unit now?

- mkdir /etc/encfs/
- echo -e "RootDir=/home/.encfs/crypt/\nMountPoint=/home/crypt" >
/etc/encfs/home
- systemctl enable unlock@home.service
Note how the file name and the instance name match.



Maybe you could use BindsTo=/etc/encfs/%I.path (I think that would 
work, right?) so that you do not have to explicitly enable it. Although 
that would cause the MTPT to be unmounted if the file is deleted 
(unless the ExecStop= is removed)... Anyway, pretty cool.


Thanks for sharing,
--
Cameron Norman























					Reply via email to