Add zfs-mount-generator integration

Funny moment: https://twitter.com/nabijaczleweli/status/1472986504272261124

.gitignore

@@ -18,3 +18,5 @@
 !contrib/**
 !initrd
 !initrd/**
+!init.d
+!init.d/**

Makefile

@@ -43,14 +43,14 @@ else
 DEF_TPH_MAN ?= .
 endif
 
-.PHONY : all clean build shellcheck i-t dracut manpages htmlpages
+.PHONY : all clean build shellcheck i-t dracut init.d-systemd manpages htmlpages
 .SECONDARY:
 
 
-all : build manpages htmlpages shellcheck i-t dracut
+all : build manpages htmlpages shellcheck i-t init.d-systemd dracut
 
 shellcheck : i-t dracut
-	find $(OUTDIR)initramfs-tools/ $(OUTDIR)dracut -name '*.sh' -exec echo $(SHELLCHECK) --exclude SC1091 {} + | sh -x
+	find $(OUTDIR)initramfs-tools/ $(OUTDIR)dracut/ init.d/ -name '*.sh' -exec echo $(SHELLCHECK) --exclude SC1091,SC2093 {} + | sh -x
 
 clean :
 	rm -rf $(OUTDIR)
@@ -60,6 +60,7 @@ manpages : $(patsubst $(MANDIR)%.pp,$(OUTDIR)man/%,$(MANPAGE_SOURCES))
 htmlpages : $(patsubst $(MANDIR)%.pp,$(OUTDIR)man/%.html,$(MANPAGE_SOURCES)) $(OUTDIR)man/style.css
 i-t : $(OUTDIR)initramfs-tools/usr/share/initramfs-tools/hooks/tzpfms $(OUTDIR)initramfs-tools/usr/share/tzpfms/initramfs-tools-zfs-patch.sh
 dracut : $(patsubst $(INITRDDIR)dracut/%,$(OUTDIR)dracut/usr/lib/dracut/modules.d/91tzpfms/%,$(sort $(wildcard $(INITRDDIR)dracut/*.sh)))
+init.d-systemd : $(OUTDIR)systemd/$(SYSTEMD_SYSTEM_UNITDIR)/zfs-load-key@.service.d/tzpfms.conf $(OUTDIR)systemd/usr/libexec/tzpfms-zfs-load-key@
 
 
 $(OUTDIR)initramfs-tools/usr/share/initramfs-tools/hooks/tzpfms: $(INITRDDIR)initramfs-tools/hook $(INITRD_HEADERS)
@@ -72,6 +73,14 @@ $(OUTDIR)initramfs-tools/usr/share/tzpfms/initramfs-tools-zfs-patch.sh: $(INITRD
 	$(AWK) -f pp.awk $< > $@
 	chmod --reference $< $@
 
+$(OUTDIR)systemd/$(SYSTEMD_SYSTEM_UNITDIR)/zfs-load-key@.service.d/tzpfms.conf : init.d/systemd/zfs-load-key@.service.d-tzpfms.conf
+	@mkdir -p $(dir $@)
+	ln -f $< $@ || cp $< $@
+
+$(OUTDIR)systemd/usr/libexec/tzpfms-zfs-load-key@ : init.d/systemd/libexec-tzpfms-zfs-load-key@.sh
+	@mkdir -p $(dir $@)
+	ln -f $< $@ || cp $< $@
+
 # The d-v-o-s string starts at "BSD" (hence the "BSD General Commands Manual" default); we're not BSD, so hide it
 # Can't put it at the very top, since man(1) only loads mdoc *after* the first mdoc macro (.Dd in our case)
 $(OUTDIR)man/% : $(MANDIR)%.pp $(MANPAGE_HEADERS)

README.md

@@ -45,6 +45,9 @@ For initrd support, copy the content of either `out/dracut/` or `out/initramfs-t
 these need `zfs-tpm-list` but will work with any combination of back-end `*-load-key` binaries
 (local TPM1.X initrds need to be updated when the system state changes (e.g. the TPM is taken ownership of)).
 
+To integrate with [zfs-mount-generator(8)](//manpages.debian.org/bookworm/zfsutils-linux/zfs-mount-generator.8.html)
+[copy](//twitter.com/nabijaczleweli/status/1472986504272261124) `out/systemd/` over `/`.
+
 #### From Debian repository
 
 The following line in `/etc/apt/sources.list` or equivalent:
@@ -55,7 +58,7 @@ deb https://debian.nabijaczleweli.xyz sid main
 With [my PGP key](//nabijaczleweli.xyz/pgp.txt) (the two URLs are interchangeable):
 ```sh
 sudo wget -O/etc/apt/trusted.gpg.d/nabijaczleweli.asc https://debian.nabijaczleweli.xyz/nabijaczleweli.gpg.key
-sudo wget -O/etc/apt/trusted.gpg.d/nabijaczleweli.asc https://keybase.io/nabijaczleweli/pgp_keys.asc
+sudo wget -O/etc/apt/trusted.gpg.d/nabijaczleweli.asc https://nabijaczleweli.xyz/pgp.txt
 ```
 
 Then the usual

configMakefile

@@ -48,6 +48,8 @@ endif
 TZPFMS_VERSION := "$(patsubst v%,%,$(shell git describe))"
 TZPFMS_DATE := $(shell date -d@$$(git log --no-show-signature -1 --pretty=%at) '+%B %e, %Y')
 
+SYSTEMD_SYSTEM_UNITDIR := $(shell ssud="$$(pkg-config --variable=systemd_system_unit_dir systemd 2>/dev/null)"; echo "$${ssud:-/usr/lib/systemd/system}")
+
 INCCMAKEAR := CXXFLAGS="$(INCCXXAR)"
 LNCMAKEAR := LDFLAGS="$(LNCXXAR)"
 

init.d/systemd/libexec-tzpfms-zfs-load-key@.sh

@@ -0,0 +1,34 @@
+#!/bin/sh
+# SPDX-License-Identifier: MIT
+
+DSET="$1"
+exec 2>>/dev/kmsg
+
+zfs-tpm-list -H "$DSET" | while read -r _ backend keystatus coherent; do
+	[ "$keystatus" = 'available' ] && exit
+
+	[ "$coherent" = 'yes' ] || {
+		printf "%s\n" "${0##*/}[$$]: $DSET: incoherent tzpfms back-end $backend." "You might need to restore from back-up!" >&2
+		exit 1
+	}
+
+	case "$backend" in
+		TPM1.X) unlock='zfs-tpm1x-load-key'; deps='trousers.service' ;;
+		TPM2)   unlock='zfs-tpm2-load-key';  deps=                   ;;
+		*)      unlock=;                     deps=                   ;;
+	esac
+
+	command -v "$unlock" >/dev/null || {
+		printf "%s\n" "${0##*/}[$$]: $DSET: unknown tzpfms back-end $backend." >&2
+		exit # fall through, maybe there's another handler
+	}
+
+	# shellcheck disable=2086
+	[ -n "$deps" ] && systemctl start $deps
+
+	# shellcheck disable=2016
+	[ -z "$TZPFMS_PASSPHRASE_HELPER" ] && export TZPFMS_PASSPHRASE_HELPER='exec systemd-ask-password --id="tzpfms:$2" "$1:"'
+	exec "$unlock" "$DSET"
+done
+
+# Dataset doesn't exist, fall through

init.d/systemd/zfs-load-key@.service.d-tzpfms.conf

@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: MIT
+
+[Service]
+ExecStartPre=/usr/libexec/tzpfms-zfs-load-key@ %I

tzpfms.sublime-project

@@ -35,6 +35,11 @@
 			"name": "Initrd plug-ins",
 			"path": "initrd"
 		},
+		{
+			"follow_symlinks": true,
+			"name": "Init system plug-ins",
+			"path": "init.d"
+		},
 		{
 			"follow_symlinks": true,
 			"name": "Manpages",