boot v2 progress: disks, ssh, success...

2022-03-08 11:45:56 +01:00 · 2022-03-08 11:45:56 +01:00 · 8506f8807d
commit 8506f8807d
parent 8e86579004
38 changed files with 1767 additions and 113 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,3 +2,4 @@
 /dist
 /qemu.pid
 /test-initrd.cpio
+/tmp
--- a/alpine/Dockerfile
+++ b/alpine/Dockerfile
@ -1,18 +1,12 @@
 # ------------------------------------------------------------------------
 from alpine:3.15

-add alpine/alpine-minirootfs-3.15.0-x86_64.tar.gz /layer/
-
-run apk update
-run apk add -p /layer lvm2-static
+add alpine-minirootfs-3.15.0-x86_64.tar.gz /layer/

 workdir /layer

+run apk update
+run apk add -p . musl lvm2 lvm2-dmeventd udev cryptsetup e2fsprogs btrfs-progs
 run rm -rf usr/share/apk var/cache/apk

-#add build-layer /
-#run /build-layer
-
-copy dist/init /layer/init
-
 entrypoint ["sh","-c","find |cpio -H newc -o |base64"]
--- a/ask-secret.go
+++ b/ask-secret.go
@ -0,0 +1,43 @@
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"io"
+	"os"
+)
+
+func askSecret(prompt string) []byte {
+	stdinTTY.EchoOff()
+
+	var (
+		in  io.Reader = stdin
+		out io.Writer = stdout
+	)
+
+	if stdin == nil {
+		in = os.Stdin
+		out = os.Stdout
+	}
+
+	out.Write([]byte(prompt + ": "))
+
+	if stdin != nil {
+		stdout.HideInput()
+	}
+
+	s, err := bufio.NewReader(in).ReadBytes('\n')
+
+	if stdin != nil {
+		stdout.ShowInput()
+	}
+
+	stdinTTY.Restore()
+
+	if err != nil {
+		fatalf("failed to read from stdin: %v", err)
+	}
+
+	s = bytes.TrimRight(s, "\r\n")
+	return s
+}
--- a/auth.go
+++ b/auth.go
@ -0,0 +1,58 @@
+package main
+
+import (
+	"bytes"
+	"errors"
+	"log"
+
+	"golang.org/x/crypto/ssh"
+	"novit.nc/direktil/initrd/config"
+)
+
+var (
+	auths []config.Auth
+)
+
+func localAuth() bool {
+	sec := askSecret("password")
+
+	for _, auth := range auths {
+		if auth.Password == "" {
+			continue
+		}
+
+		if config.CheckPassword(auth.Password, sec) {
+			log.Printf("login with auth %q", auth.Name)
+			return true
+		}
+	}
+
+	return false
+}
+
+func sshCheckPubkey(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
+	keyBytes := key.Marshal()
+
+	for _, auth := range auths {
+		if auth.SSHKey == "" {
+			continue
+		}
+
+		allowedKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(auth.SSHKey))
+		if err != nil {
+			log.Printf("SSH pubkey for %q invalid: %v", auth.Name, auth.SSHKey)
+			return nil, err
+		}
+
+		if bytes.Equal(allowedKey.Marshal(), keyBytes) {
+			log.Print("ssh: accepting public key for ", auth.Name)
+			return &ssh.Permissions{
+				Extensions: map[string]string{
+					"pubkey-fp": ssh.FingerprintSHA256(key),
+				},
+			}, nil
+		}
+	}
+
+	return nil, errors.New("no matching public key")
+}
--- a/boot-v1.go
+++ b/boot-v1.go
@ -14,7 +14,11 @@ import (
 	"novit.nc/direktil/pkg/sysfs"
 )

+var loopOffset = 0
+
 func bootV1() {
+	log.Print("-- boot v1 --")
+
 	// find and mount /boot
 	bootMatch := param("boot", "")
 	bootMounted := false
@ -47,12 +51,19 @@ func bootV1() {
 	// load config
 	cfgPath := param("config", "/boot/config.yaml")

+	layersDir = filepath.Join("/boot", bootVersion, "layers")
+	applyConfig(cfgPath, bootMounted)
+
+	finalizeBoot()
+}
+
+func applyConfig(cfgPath string, bootMounted bool) (cfg *configV1) {
 	cfgBytes, err := ioutil.ReadFile(cfgPath)
 	if err != nil {
 		fatalf("failed to read %s: %v", cfgPath, err)
 	}

-	cfg := &config{}
+	cfg = &configV1{}
 	if err := yaml.Unmarshal(cfgBytes, cfg); err != nil {
 		fatal("failed to load config: ", err)
 	}
@ -94,7 +105,7 @@ func bootV1() {

 		lowers[i] = dir

-		loopDev := fmt.Sprintf("/dev/loop%d", i)
+		loopDev := fmt.Sprintf("/dev/loop%d", i+loopOffset)
 		losetup(loopDev, path)

 		mount(loopDev, dir, "squashfs", layerMountFlags, "")
@ -136,12 +147,16 @@ func bootV1() {
 		ioutil.WriteFile(filePath, []byte(fileDef.Content), fileDef.Mode)
 	}

+	return
+}
+
+func finalizeBoot() {
 	// clean zombies
 	cleanZombies()

 	// switch root
 	log.Print("switching root")
-	err = syscall.Exec("/sbin/switch_root", []string{"switch_root",
+	err := syscall.Exec("/sbin/switch_root", []string{"switch_root",
 		"-c", "/dev/console", "/system", "/sbin/init"}, os.Environ())
 	fatal("switch_root failed: ", err)
 }
--- a/boot-v2.go
+++ b/boot-v2.go
@ -1,5 +1,88 @@
 package main

+import (
+	"log"
+	"os"
+	"os/exec"
+
+	"gopkg.in/yaml.v3"
+
+	"novit.nc/direktil/initrd/config"
+)
+
 func bootV2() {
-	fatal("boot v2 not finished")
+	log.Print("-- boot v2 --")
+
+	cfg := &config.Config{}
+
+	{
+		f, err := os.Open("/config.yaml")
+		if err != nil {
+			fatal("failed to open /config.yaml: ", err)
+		}
+
+		err = yaml.NewDecoder(f).Decode(cfg)
+		f.Close()
+
+		if err != nil {
+			fatal("failed to parse /config.yaml: ", err)
+		}
+	}
+
+	log.Print("config loaded")
+	log.Printf("anti-phishing code: %q", cfg.AntiPhishingCode)
+
+	auths = cfg.Auths
+
+	// mount kernel modules
+	if cfg.Modules != "" {
+		log.Print("mount modules from ", cfg.Modules)
+
+		err := os.MkdirAll("/modules", 0755)
+		if err != nil {
+			fatal("failed to create /modules: ", err)
+		}
+
+		run("mount", cfg.Modules, "/modules")
+		loopOffset++
+
+		err = os.Symlink("/modules/lib/modules", "/lib/modules")
+		if err != nil {
+			fatal("failed to symlink modules: ", err)
+		}
+	}
+
+	// load basic modules
+	run("modprobe", "unix")
+
+	// devices init
+	err := exec.Command("udevd").Start()
+	if err != nil {
+		fatal("failed to start udevd: ", err)
+	}
+
+	log.Print("udevadm triggers")
+	run("udevadm", "trigger", "-c", "add", "-t", "devices")
+	run("udevadm", "trigger", "-c", "add", "-t", "subsystems")
+
+	log.Print("udevadm settle")
+	run("udevadm", "settle")
+
+	// networks
+	setupNetworks(cfg)
+
+	// Wireguard VPN
+	// TODO startVPN()
+
+	// SSH service
+	startSSH(cfg)
+
+	// LVM
+	setupLVM(cfg)
+
+	// bootstrap the system
+	bootstrap(cfg)
+
+	// finalize
+	finalizeBoot()
 }
--- a/bootstrap.go
+++ b/bootstrap.go
@ -0,0 +1,123 @@
+package main
+
+import (
+	"bytes"
+	"io/ioutil"
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"novit.nc/direktil/initrd/config"
+)
+
+func bootstrap(cfg *config.Config) {
+	if cfg.Bootstrap.Dev == "" {
+		fatalf("bootstrap device not defined!")
+	}
+
+	const bsDir = "/bootstrap"
+	os.MkdirAll(bsDir, 0700)
+
+	run("mount", cfg.Bootstrap.Dev, bsDir)
+
+	baseDir := filepath.Join(bsDir, bootVersion)
+	sysCfgPath := filepath.Join(baseDir, "config.yaml")
+
+	if _, err := os.Stat(sysCfgPath); os.IsNotExist(err) {
+		log.Printf("bootstrap %q does not exist", bootVersion)
+
+		seed := cfg.Bootstrap.Seed
+		if seed == "" {
+			fatalf("boostrap seed not defined, admin required")
+		}
+
+		log.Printf("seeding bootstrap from %s", seed)
+
+		// TODO
+	}
+
+	layersDir = baseDir
+	layersOverride["modules"] = "/modules.sqfs"
+	sysCfg := applyConfig(sysCfgPath, false)
+
+	// mounts are v2 only
+	for _, mount := range sysCfg.Mounts {
+		log.Print("mount ", mount.Dev, " to system's ", mount.Path)
+
+		path := filepath.Join("/system", mount.Path)
+
+		os.MkdirAll(path, 0755)
+
+		args := []string{mount.Dev, path}
+		if mount.Type != "" {
+			args = append(args, "-t", mount.Type)
+		}
+		if mount.Options != "" {
+			args = append(args, "-o", mount.Options)
+		}
+
+		run("mount", args...)
+	}
+
+	// setup root user
+	if ph := sysCfg.RootUser.PasswordHash; ph != "" {
+		log.Print("setting root's password")
+		setUserPass("root", ph)
+	}
+	if ak := sysCfg.RootUser.AuthorizedKeys; len(ak) != 0 {
+		log.Print("setting root's authorized keys")
+		setAuthorizedKeys(ak)
+	}
+}
+
+func setUserPass(user, passwordHash string) {
+	const fpath = "/system/etc/shadow"
+
+	ba, err := ioutil.ReadFile(fpath)
+	if err != nil {
+		fatalf("failed to read shadow: %v", err)
+	}
+
+	lines := bytes.Split(ba, []byte{'\n'})
+
+	buf := new(bytes.Buffer)
+	for _, line := range lines {
+		line := string(line)
+		p := strings.Split(line, ":")
+		if len(p) < 2 || p[0] != user {
+			buf.WriteString(line)
+			continue
+		}
+
+		p[1] = passwordHash
+		line = strings.Join(p, ":")
+
+		buf.WriteString(line)
+		buf.WriteByte('\n')
+	}
+
+	err = ioutil.WriteFile(fpath, buf.Bytes(), 0600)
+	if err != nil {
+		fatalf("failed to write shadow: %v", err)
+	}
+}
+
+func setAuthorizedKeys(ak []string) {
+	buf := new(bytes.Buffer)
+	for _, k := range ak {
+		buf.WriteString(k)
+		buf.WriteByte('\n')
+	}
+
+	const sshDir = "/system/root/.ssh"
+	err := os.MkdirAll(sshDir, 0700)
+	if err != nil {
+		fatalf("failed to create %s: %v", sshDir, err)
+	}
+
+	err = ioutil.WriteFile(filepath.Join(sshDir, "authorized_keys"), buf.Bytes(), 0600)
+	if err != nil {
+		fatalf("failed to write authorized keys: %v", err)
+	}
+}
--- a/buildenv/Dockerfile
+++ b/buildenv/Dockerfile
@ -0,0 +1,5 @@
+from golang:1.18beta2-alpine3.15
+
+run apk add --update musl-dev git
+
+workdir /src
--- a/colorio/colorio.go
+++ b/colorio/colorio.go
@ -0,0 +1,45 @@
+package colorio
+
+import "io"
+
+var (
+	Reset      = []byte("\033[0m")
+	Bold       = []byte("\033[1m")
+	Dim        = []byte("\033[2m")
+	Underlined = []byte("\033[4m")
+	Blink      = []byte("\033[5m")
+	Reverse    = []byte("\033[7m")
+	Hidden     = []byte("\033[8m")
+)
+
+type writer struct {
+	before []byte
+	after  []byte
+	w      io.Writer
+}
+
+func NewWriter(color []byte, w io.Writer) io.Writer {
+	return writer{
+		before: color,
+		after:  Reset,
+		w:      w,
+	}
+}
+
+func (w writer) Write(ba []byte) (n int, err error) {
+	b := make([]byte, len(w.before)+len(ba)+len(w.after))
+	copy(b, w.before)
+	copy(b[len(w.before):], ba)
+	copy(b[len(w.before)+len(ba):], w.after)
+
+	n, err = w.w.Write(b)
+
+	n -= len(w.before)
+	if n < 0 {
+		n = 0
+	} else if n > len(ba) {
+		n = len(ba)
+	}
+
+	return
+}
--- a/colorio/colorio_test.go
+++ b/colorio/colorio_test.go
@ -0,0 +1,21 @@
+package colorio
+
+import (
+	"bytes"
+	"fmt"
+	"testing"
+)
+
+func TestWriter(t *testing.T) {
+	buf := new(bytes.Buffer)
+
+	w := NewWriter(Bold, buf)
+
+	buf.WriteByte('{')
+	fmt.Fprintln(w, "hello")
+	buf.WriteByte('}')
+
+	if s, exp := buf.String(), "{"+string(Bold)+"hello\n"+string(Reset)+"}"; s != exp {
+		t.Errorf("%q != %q", s, exp)
+	}
+}
--- a/config.go
+++ b/config.go
@ -4,7 +4,23 @@ import (
 	nconfig "novit.nc/direktil/pkg/config"
 )

-type config struct {
+type configV1 struct {
 	Layers []string          `yaml:"layers"`
 	Files  []nconfig.FileDef `yaml:"files"`
+
+	// v2 handles more
+
+	RootUser struct {
+		PasswordHash   string   `yaml:"password_hash"`
+		AuthorizedKeys []string `yaml:"authorized_keys"`
+	} `yaml:"root_user"`
+
+	Mounts []MountDef `yaml:"mounts"`
+}
+
+type MountDef struct {
+	Dev     string
+	Path    string
+	Options string
+	Type    string
 }
--- a/config/config.go
+++ b/config/config.go
@ -0,0 +1,61 @@
+package config
+
+type Config struct {
+	AntiPhishingCode string `json:"anti_phishing_code"`
+
+	Keymap  string
+	Modules string
+
+	Auths []Auth
+
+	Networks []struct {
+		Name       string
+		Interfaces []struct {
+			Var     string
+			N       int
+			Regexps []string
+		}
+		Script string
+	}
+
+	LVM       []LvmVG
+	Bootstrap Bootstrap
+}
+
+type Auth struct {
+	Name     string
+	SSHKey   string `yaml:"sshKey"`
+	Password string `yaml:"password"`
+}
+
+type LvmVG struct {
+	VG  string
+	PVs struct {
+		N       int
+		Regexps []string
+	}
+
+	Defaults struct {
+		FS   string
+		Raid *RaidConfig
+	}
+
+	LVs []struct {
+		Name    string
+		Crypt   string
+		FS      string
+		Raid    *RaidConfig
+		Size    string
+		Extents string
+	}
+}
+
+type RaidConfig struct {
+	Mirrors int
+	Stripes int
+}
+
+type Bootstrap struct {
+	Dev  string
+	Seed string
+}
--- a/config/password.go
+++ b/config/password.go
@ -0,0 +1,46 @@
+package config
+
+import (
+	"crypto/rand"
+	"crypto/sha512"
+	"encoding/base64"
+	"strings"
+
+	"golang.org/x/crypto/pbkdf2"
+)
+
+var (
+	encoding = base64.RawStdEncoding
+)
+
+func PasswordHashFromSeed(seed, pass []byte) string {
+	h := pbkdf2.Key(pass, seed, 2048, 32, sha512.New)
+	return encoding.EncodeToString(h)
+}
+
+func PasswordHash(pass []byte) (hashedPassWithSeed string) {
+	seed := make([]byte, 10) // 8 bytes min by the RFC recommendation
+	_, err := rand.Read(seed)
+	if err != nil {
+		panic(err) // we do not expect this to fail...
+	}
+	return JoinSeedAndHash(seed, PasswordHashFromSeed(seed, pass))
+}
+
+func JoinSeedAndHash(seed []byte, hash string) string {
+	return encoding.EncodeToString(seed) + ":" + hash
+}
+
+func CheckPassword(hashedPassWithSeed string, pass []byte) (ok bool) {
+	parts := strings.SplitN(hashedPassWithSeed, ":", 2)
+
+	encodedSeed := parts[0]
+	encodedHash := parts[1]
+
+	seed, err := encoding.DecodeString(encodedSeed)
+	if err != nil {
+		return false
+	}
+
+	return encodedHash == PasswordHashFromSeed(seed, pass)
+}
--- a/config/password_test.go
+++ b/config/password_test.go
@ -0,0 +1,12 @@
+package config
+
+import "fmt"
+
+func ExamplePasswordHash() {
+	seed := []byte("myseed")
+	hash := PasswordHashFromSeed(seed, []byte("mypass"))
+	fmt.Println(JoinSeedAndHash(seed, hash))
+
+	// Output:
+	// bXlzZWVk:HMSxrg1cYphaPuUYUbtbl/htep/tVYYIQAuvkNMVpw0
+}
--- a/cpiocat/cpiocat.go
+++ b/cpiocat/cpiocat.go
@ -22,12 +22,25 @@ func Append(out io.Writer, in io.Reader, filesToAppend []string) (err error) {
 			return
 		}

+		mode := hdr.FileInfo().Mode()
+
+		if mode&os.ModeSymlink != 0 {
+			// symlink target must be written after
+			hdr.Size = int64(len(hdr.Linkname))
+		}
+
 		err = cout.WriteHeader(hdr)
 		if err != nil {
 			return
 		}

-		_, err = io.Copy(cout, cin)
+		if mode.IsRegular() {
+			_, err = io.Copy(cout, cin)
+
+		} else if mode&os.ModeSymlink != 0 {
+			_, err = cout.Write([]byte(hdr.Linkname))
+		}
+
 		if err != nil {
 			return
 		}
@ -35,26 +48,41 @@ func Append(out io.Writer, in io.Reader, filesToAppend []string) (err error) {

 	for _, file := range filesToAppend {
 		err = func() (err error) {
-			stat, err := os.Stat(file)
+			stat, err := os.Lstat(file)
 			if err != nil {
 				return
 			}

-			hdr := &cpio.Header{
-				Name: file,
-				Size: stat.Size(),
-				Mode: cpio.FileMode(stat.Mode()),
+			link := ""
+			if stat.Mode()&os.ModeSymlink != 0 {
+				link, err = os.Readlink(file)
+				if err != nil {
+					return
+				}
 			}

+			hdr, err := cpio.FileInfoHeader(stat, link)
+			if err != nil {
+				return
+			}
+
+			hdr.Name = file
+
 			cout.WriteHeader(hdr)

-			f, err := os.Open(file)
-			if err != nil {
-				return
-			}
-			defer f.Close()
+			if stat.Mode().IsRegular() {
+				var f *os.File
+				f, err = os.Open(file)
+				if err != nil {
+					return
+				}
+				defer f.Close()

-			_, err = io.Copy(cout, f)
+				_, err = io.Copy(cout, f)
+
+			} else if stat.Mode()&os.ModeSymlink != 0 {
+				_, err = cout.Write([]byte(link))
+			}
 			return
 		}()
 		if err != nil {
--- a/filter.go
+++ b/filter.go
@ -0,0 +1,22 @@
+package main
+
+func filter[T any](values []T, accept func(T) bool) []T {
+	r := make([]T, 0, len(values))
+
+	for _, v := range values {
+		if accept(v) {
+			r = append(r, v)
+		}
+	}
+
+	return r
+}
+
+func contains[T any](values []T, accept func(T) bool) bool {
+	for _, v := range values {
+		if accept(v) {
+			return true
+		}
+	}
+	return false
+}
--- a/filter_test.go
+++ b/filter_test.go
@ -0,0 +1,13 @@
+package main
+
+import (
+    "fmt"
+    "testing"
+)
+
+func TestFilter(t*testing.T) {
+    a := filter([]string{"a","b","c"}, func(v string) bool { return v != "b" })
+    if fmt.Sprint(a) != "[a c]" {
+        t.Errorf("bad result: %v", a)
+    }
+}
--- a/go.mod
+++ b/go.mod
@ -2,23 +2,16 @@ module novit.nc/direktil/initrd

 require (
 	github.com/cavaliergopher/cpio v1.0.1
+	github.com/kr/pty v1.1.8
+	github.com/pkg/term v1.1.0
+	golang.org/x/crypto v0.0.0-20220214200702-86341886e292
+	golang.org/x/sys v0.0.0-20220209214540-3681064d5158
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
 	gopkg.in/yaml.v2 v2.4.0
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
 	novit.nc/direktil/pkg v0.0.0-20191211161950-96b0448b84c2
 )

-require (
-	github.com/charmbracelet/bubbletea v0.19.3 // indirect
-	github.com/containerd/console v1.0.2 // indirect
-	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
-	github.com/mattn/go-isatty v0.0.13 // indirect
-	github.com/mattn/go-runewidth v0.0.13 // indirect
-	github.com/muesli/ansi v0.0.0-20211018074035-2e021307bc4b // indirect
-	github.com/muesli/reflow v0.3.0 // indirect
-	github.com/muesli/termenv v0.9.0 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
-	github.com/rivo/uniseg v0.2.0 // indirect
-	golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27 // indirect
-)
+require github.com/creack/pty v1.1.17 // indirect

 go 1.18
--- a/go.sum
+++ b/go.sum
@ -1,56 +1,32 @@
 github.com/cavaliergopher/cpio v1.0.1 h1:KQFSeKmZhv0cr+kawA3a0xTQCU4QxXF1vhU7P7av2KM=
 github.com/cavaliergopher/cpio v1.0.1/go.mod h1:pBdaqQjnvXxdS/6CvNDwIANIFSP0xRKI16PX4xejRQc=
-github.com/charmbracelet/bubbletea v0.19.3 h1:OKeO/Y13rQQqt4snX+lePB0QrnW80UdrMNolnCcmoAw=
-github.com/charmbracelet/bubbletea v0.19.3/go.mod h1:VuXF2pToRxDUHcBUcPmCRUHRvFATM4Ckb/ql1rBl3KA=
-github.com/containerd/console v1.0.2 h1:Pi6D+aZXM+oUw1czuKgH5IJ+y0jhYcwBJfx5/Ghn9dE=
-github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ=
+github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
+github.com/creack/pty v1.1.17 h1:QeVUsEDNrLBW4tMgZHvxy18sKtr6VI492kBhUfhDJNI=
+github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/pty v1.1.8 h1:AkaSdXYQOWeaO3neb8EM634ahkXXe3jYbVh/F9lq+GI=
+github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
-github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
-github.com/mattn/go-isatty v0.0.13 h1:qdl+GuBjcsKKDco5BsxPJlId98mSWNKqYA+Co0SC1yA=
-github.com/mattn/go-isatty v0.0.13/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
-github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk=
-github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4OSgU=
-github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
-github.com/muesli/ansi v0.0.0-20211018074035-2e021307bc4b h1:1XF24mVaiu7u+CFywTdcDo2ie1pzzhwjt6RHqzpMU34=
-github.com/muesli/ansi v0.0.0-20211018074035-2e021307bc4b/go.mod h1:fQuZ0gauxyBcmsdE3ZT4NasjaRdxmbCS0jRHsrWu3Ho=
-github.com/muesli/reflow v0.3.0 h1:IFsN6K9NfGtjeggFP+68I4chLZV2yIKsXJFNZ+eWh6s=
-github.com/muesli/reflow v0.3.0/go.mod h1:pbwTDkVPibjO2kyvBQRBxTWEEGDGq0FlB1BIKtnHY/8=
-github.com/muesli/termenv v0.9.0 h1:wnbOaGz+LUR3jNT0zOzinPnyDaCZUQRZj9GxK8eRVl8=
-github.com/muesli/termenv v0.9.0/go.mod h1:R/LzAKf+suGs4IsO95y7+7DpFHO0KABgnZqtlyx2mBw=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
-github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
-github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/pkg/term v1.1.0 h1:xIAAdCMh3QIAy+5FrE8Ad8XoDhEU4ufwbaSozViP9kk=
+github.com/pkg/term v1.1.0/go.mod h1:E25nymQcrSllhX42Ok8MRm1+hyBdHY0dCeiKZ9jpNGw=
 github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8=
-golang.org/x/sys v0.0.0-20191026070338-33540a1f6037 h1:YyJpGZS1sBuBCzLAR1VEpK193GlqGZbnPFnPV/5Rsb4=
-golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68 h1:nxC68pudNYkKU6jWhgrqdreuFiOQWj1Fs7T3VrH4Pjw=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c h1:VwygUrnw9jn88c4u8GD3rZQbqrP/tgas88tPUbBxQrk=
-golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27 h1:XDXtA5hveEEV8JB2l7nhMTp3t3cHp9ZpwcdjqyEWLlo=
-golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.0.0-20201117132131-f5c789dd3221 h1:/ZHdbVpdR/jk3g30/d4yUL0JU9kksj8+F/bnQUVLGDM=
-golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
-golang.org/x/term v0.0.0-20210422114643-f5beecf764ed h1:Ei4bQjjpYUsS4efOUz+5Nz++IVkHk87n2zBA0NxBWc0=
-golang.org/x/term v0.0.0-20210422114643-f5beecf764ed/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/crypto v0.0.0-20220214200702-86341886e292 h1:f+lwQ+GtmgoY+A2YaQxlSOnDjXcQ7ZRLWOHbC6HtRqE=
+golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20220209214540-3681064d5158 h1:rm+CHSpPEEW2IsXUib1ThaHIjuBVZjxNgSKmBLFfD4c=
+golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
-gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 novit.nc/direktil/pkg v0.0.0-20191211161950-96b0448b84c2 h1:LN3K19gAJ1GamJXkzXAQmjbl8xCV7utqdxTTrM89MMc=
 novit.nc/direktil/pkg v0.0.0-20191211161950-96b0448b84c2/go.mod h1:zwTVO6U0tXFEaga73megQIBK7yVIKZJVePaIh/UtdfU=
--- a/lvm.go
+++ b/lvm.go
@ -0,0 +1,326 @@
+package main
+
+import (
+	"bytes"
+	"io/fs"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strconv"
+
+	"novit.nc/direktil/initrd/config"
+	"novit.nc/direktil/initrd/lvm"
+)
+
+func setupLVM(cfg *config.Config) {
+	if len(cfg.LVM) == 0 {
+		log.Print("no LVM VG configured.")
+		return
+	}
+
+	run("pvscan")
+	run("vgscan", "--mknodes")
+
+	for _, vg := range cfg.LVM {
+		setupVG(vg)
+	}
+
+	for _, vg := range cfg.LVM {
+		setupLVs(vg)
+	}
+
+	run("vgchange", "--sysinit", "-a", "ly")
+
+	for _, vg := range cfg.LVM {
+		setupCrypt(vg)
+	}
+
+	for _, vg := range cfg.LVM {
+		setupFS(vg)
+	}
+}
+
+func setupVG(vg config.LvmVG) {
+	pvs := lvm.PVSReport{}
+	err := runJSON(&pvs, "pvs", "--reportformat", "json")
+	if err != nil {
+		fatalf("failed to list LVM PVs: %v", err)
+	}
+
+	vgExists := false
+	devNeeded := vg.PVs.N
+	for _, pv := range pvs.PVs() {
+		if pv.VGName == vg.VG {
+			vgExists = true
+			devNeeded--
+		}
+	}
+
+	if devNeeded <= 0 {
+		log.Print("LVM VG ", vg.VG, " has all its devices")
+		return
+	}
+
+	if vgExists {
+		log.Printf("LVM VG %s misses %d devices", vg.VG, devNeeded)
+	} else {
+		log.Printf("LVM VG %s does not exists, creating", vg.VG)
+	}
+
+	devNames := make([]string, 0)
+	err = filepath.Walk("/dev", func(n string, fi fs.FileInfo, err error) error {
+		if fi.Mode().Type() == os.ModeDevice {
+			devNames = append(devNames, n)
+		}
+		return err
+	})
+	if err != nil {
+		fatalf("failed to walk /dev: %v", err)
+	}
+
+	devNames = filter(devNames, func(v string) bool {
+		for _, pv := range pvs.PVs() {
+			if v == pv.Name {
+				return false
+			}
+		}
+		return true
+	})
+
+	m := regexpSelectN(vg.PVs.N, vg.PVs.Regexps, devNames)
+	if len(m) == 0 {
+		log.Printf("no devices match the regexps %v", vg.PVs.Regexps)
+		for _, d := range devNames {
+			log.Print("- ", d)
+		}
+
+		fatalf("failed to setup VG %s", vg.VG)
+	}
+
+	if vgExists {
+		log.Print("- extending vg to ", m)
+		run("vgextend", append([]string{vg.VG}, m...)...)
+		devNeeded -= len(m)
+	} else {
+		log.Print("- creating vg with devices ", m)
+		run("vgcreate", append([]string{vg.VG}, m...)...)
+		devNeeded -= len(m)
+	}
+
+	if devNeeded > 0 {
+		fatalf("VG %s does not have enough devices (%d missing)", vg.VG, devNeeded)
+	}
+}
+
+func setupLVs(vg config.LvmVG) {
+	lvsRep := lvm.LVSReport{}
+	err := runJSON(&lvsRep, "lvs", "--reportformat", "json")
+	if err != nil {
+		fatalf("lvs failed: %v", err)
+	}
+
+	lvs := lvsRep.LVs()
+
+	defaults := vg.Defaults
+
+	for _, lv := range vg.LVs {
+		lvKey := vg.VG + "/" + lv.Name
+
+		if contains(lvs, func(v lvm.LV) bool {
+			return v.VGName == vg.VG && v.Name == lv.Name
+		}) {
+			log.Printf("LV %s exists", lvKey)
+			continue
+		}
+
+		log.Printf("creating LV %s", lvKey)
+
+		if lv.Raid == nil {
+			lv.Raid = defaults.Raid
+		}
+
+		args := make([]string, 0)
+
+		if lv.Name == "" {
+			fatalf("LV has no name")
+		}
+		args = append(args, vg.VG, "--name", lv.Name)
+
+		if lv.Size != "" && lv.Extents != "" {
+			fatalf("LV has both size and extents defined!")
+		} else if lv.Size == "" && lv.Extents == "" {
+			fatalf("LV does not have size or extents defined!")
+		} else if lv.Size != "" {
+			args = append(args, "-L", lv.Size)
+		} else /* if lv.Extents != "" */ {
+			args = append(args, "-l", lv.Extents)
+		}
+
+		if raid := lv.Raid; raid != nil {
+			if raid.Mirrors != 0 {
+				args = append(args, "--mirrors", strconv.Itoa(raid.Mirrors))
+			}
+			if raid.Stripes != 0 {
+				args = append(args, "--stripes", strconv.Itoa(raid.Stripes))
+			}
+		}
+
+		log.Print("lvcreate args: ", args)
+		run("lvcreate", args...)
+
+		dev := "/dev/" + vg.VG + "/" + lv.Name
+		zeroDevStart(dev)
+	}
+}
+
+func zeroDevStart(dev string) {
+	f, err := os.OpenFile(dev, os.O_WRONLY, 0600)
+	if err != nil {
+		fatalf("failed to open %s: %v", dev, err)
+	}
+
+	defer f.Close()
+
+	_, err = f.Write(make([]byte, 8192))
+	if err != nil {
+		fatalf("failed to zero the beginning of %s: %v", dev, err)
+	}
+}
+
+func setupCrypt(vg config.LvmVG) {
+	cryptDevs := map[string]bool{}
+
+	var password []byte
+	passwordVerified := false
+
+	for _, lv := range vg.LVs {
+		if lv.Crypt == "" {
+			continue
+		}
+
+		if cryptDevs[lv.Crypt] {
+			fatalf("duplicate crypt device name: %s", lv.Crypt)
+		}
+		cryptDevs[lv.Crypt] = true
+
+	retryOpen:
+		if len(password) == 0 {
+			password = askSecret("crypt password")
+
+			if len(password) == 0 {
+				fatalf("empty password given")
+			}
+		}
+
+		dev := "/dev/" + vg.VG + "/" + lv.Name
+
+		needFormat := !devInitialized(dev)
+		if needFormat {
+			if !passwordVerified {
+			retry:
+				p2 := askSecret("verify crypt password")
+
+				eq := bytes.Equal(password, p2)
+
+				for i := range p2 {
+					p2[i] = 0
+				}
+
+				if !eq {
+					log.Print("passwords don't match")
+					goto retry
+				}
+			}
+
+			log.Print("formatting encrypted device ", dev)
+			cmd := exec.Command("cryptsetup", "luksFormat", dev, "--key-file=-")
+			cmd.Stdin = bytes.NewBuffer(password)
+			cmd.Stdout = stdout
+			cmd.Stderr = stderr
+			err := cmd.Run()
+			if err != nil {
+				fatalf("failed luksFormat: %v", err)
+			}
+		}
+
+		log.Print("openning encrypted device ", lv.Crypt, " from ", dev)
+		cmd := exec.Command("cryptsetup", "open", dev, lv.Crypt, "--key-file=-")
+		cmd.Stdin = bytes.NewBuffer(password)
+		cmd.Stdout = stdout
+		cmd.Stderr = stderr
+		err := cmd.Run()
+		if err != nil {
+			// maybe the password is wrong
+			for i := range password {
+				password[i] = 0
+			}
+			password = password[:0]
+			passwordVerified = false
+			goto retryOpen
+		}
+
+		if needFormat {
+			zeroDevStart("/dev/mapper/" + lv.Crypt)
+		}
+
+		passwordVerified = true
+	}
+
+	for i := range password {
+		password[i] = 0
+	}
+}
+
+func devInitialized(dev string) bool {
+	f, err := os.Open(dev)
+	if err != nil {
+		fatalf("failed to open %s: %v", dev, err)
+	}
+
+	defer f.Close()
+
+	ba := make([]byte, 8192)
+	_, err = f.Read(ba)
+	if err != nil {
+		fatalf("failed to read %s: %v", dev, err)
+	}
+
+	for _, b := range ba {
+		if b != 0 {
+			return true
+		}
+	}
+	return false
+}
+
+func setupFS(vg config.LvmVG) {
+	for _, lv := range vg.LVs {
+		dev := "/dev/" + vg.VG + "/" + lv.Name
+
+		if lv.Crypt != "" {
+			dev = "/dev/mapper/" + lv.Crypt
+		}
+
+		if devInitialized(dev) {
+			log.Print("device ", dev, " already formatted")
+			continue
+		}
+
+		if lv.FS == "" {
+			lv.FS = vg.Defaults.FS
+		}
+
+		log.Print("formatting ", dev, " (", lv.FS, ")")
+		args := make([]string, 0)
+
+		switch lv.FS {
+		case "btrfs":
+			args = append(args, "-f")
+		case "ext4":
+			args = append(args, "-F")
+		}
+
+		run("mkfs."+lv.FS, append(args, dev)...)
+	}
+}
--- a/lvm/lv.go
+++ b/lvm/lv.go
@ -0,0 +1,19 @@
+package lvm
+
+type LVSReport struct {
+	Report []struct {
+		LV []LV `json:"lv"`
+	} `json:"report"`
+}
+
+type LV struct {
+	Name   string `json:"lv_name"`
+	VGName string `json:"vg_name"`
+}
+
+func (r LVSReport) LVs() (ret []LV) {
+	for _, rep := range r.Report {
+		ret = append(ret, rep.LV...)
+	}
+	return
+}
--- a/lvm/pv.go
+++ b/lvm/pv.go
@ -0,0 +1,19 @@
+package lvm
+
+type PVSReport struct {
+	Report []struct {
+		PV []PV `json:"pv"`
+	} `json:"report"`
+}
+
+type PV struct {
+	Name   string `json:"pv_name"`
+	VGName string `json:"vg_name"`
+}
+
+func (r PVSReport) PVs() (ret []PV) {
+	for _, rep := range r.Report {
+		ret = append(ret, rep.PV...)
+	}
+	return
+}
--- a/main.go
+++ b/main.go
@ -6,11 +6,16 @@ import (
 	"log"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"runtime"
 	"syscall"
 	"time"

+	"github.com/pkg/term/termios"
 	"golang.org/x/term"
+
+	"novit.nc/direktil/initrd/colorio"
+	"novit.nc/direktil/initrd/shio"
 )

 const (
@ -24,22 +29,41 @@ const (

 var (
 	bootVersion string
+
+	stdin,
+	stdinPipe = newPipe()
+	stdout = shio.New()
+	stderr = colorio.NewWriter(colorio.Bold, stdout)
 )

+func newPipe() (io.ReadCloser, io.WriteCloser) {
+	return io.Pipe()
+}
+
 func main() {
 	runtime.LockOSThread()

+	// move log to shio
+	go io.Copy(os.Stdout, stdout.NewReader())
+	log.SetOutput(stderr)
+
+	// copy os.Stdin to my stdin pipe
+	go io.Copy(stdinPipe, os.Stdin)
+
 	log.Print("Welcome to ", VERSION)

 	// essential mounts
 	mount("none", "/proc", "proc", 0, "")
 	mount("none", "/sys", "sysfs", 0, "")
 	mount("none", "/dev", "devtmpfs", 0, "")
+	mount("none", "/dev/pts", "devpts", 0, "gid=5,mode=620")

 	// get the "boot version"
 	bootVersion = param("version", "current")
 	log.Printf("booting system %q", bootVersion)

+	os.Setenv("PATH", "/usr/bin:/bin:/usr/sbin:/sbin")
+
 	_, err := os.Stat("/config.yaml")
 	if err != nil {
 		if os.IsNotExist(err) {
@ -52,8 +76,16 @@ func main() {
 	bootV2()
 }

+var (
+	layersDir      = "/boot/current/layers/"
+	layersOverride = map[string]string{}
+)
+
 func layerPath(name string) string {
-	return fmt.Sprintf("/boot/%s/layers/%s.fs", bootVersion, name)
+	if override, ok := layersOverride[name]; ok {
+		return override
+	}
+	return filepath.Join(layersDir, name+".fs")
 }

 func fatal(v ...interface{}) {
@ -69,21 +101,36 @@ func fatalf(pattern string, v ...interface{}) {
 }

 func die() {
-	fmt.Println("\nwill reboot in 1 minute; press r to reboot now, o to power off, s to get a shell")
+	log.SetOutput(os.Stderr)
+	stdout.Close()
+	stdin.Close()
+	stdinPipe.Close()

-	deadline := time.Now().Add(time.Minute)
+	stdin = nil

-	term.MakeRaw(int(os.Stdin.Fd())) // disable line buffering
-	os.Stdin.SetReadDeadline(deadline)
-
-	b := []byte{0}
+mainLoop:
 	for {
+		termios.Tcdrain(os.Stdin.Fd())
+		termios.Tcdrain(os.Stdout.Fd())
+		termios.Tcdrain(os.Stderr.Fd())
+
+		fmt.Print("\nr to reboot, o to power off, s to get a shell: ")
+
+		// TODO flush stdin (first char lost here?)
+		deadline := time.Now().Add(time.Minute)
+		os.Stdin.SetReadDeadline(deadline)
+
+		termios.Tcflush(os.Stdin.Fd(), termios.TCIFLUSH)
+		term.MakeRaw(int(os.Stdin.Fd()))
+
+		b := make([]byte, 1)
 		_, err := os.Stdin.Read(b)
 		if err != nil {
-			break
+			log.Print("failed to read from stdin: ", err)
+			time.Sleep(5 * time.Second)
+			syscall.Reboot(syscall.LINUX_REBOOT_CMD_RESTART)
 		}
-
-		fmt.Println(string(b))
+		fmt.Println()

 		switch b[0] {
 		case 'o':
@ -91,18 +138,42 @@ func die() {
 		case 'r':
 			syscall.Reboot(syscall.LINUX_REBOOT_CMD_RESTART)
 		case 's':
-			err = syscall.Exec("/bin/ash", []string{"/bin/ash"}, os.Environ())
-			if err != nil {
-				fmt.Println("failed to start the shell:", err)
+			for _, sh := range []string{"bash", "ash", "sh", "busybox"} {
+				fullPath, err := exec.LookPath(sh)
+				if err != nil {
+					continue
+				}
+
+				args := make([]string, 0)
+				if sh == "busybox" {
+					args = append(args, "sh")
+				}
+
+				if !localAuth() {
+					continue mainLoop
+				}
+
+				cmd := exec.Command(fullPath, args...)
+				cmd.Env = os.Environ()
+				cmd.Stdin = os.Stdin
+				cmd.Stdout = os.Stdout
+				cmd.Stderr = os.Stderr
+				err = cmd.Run()
+				if err != nil {
+					fmt.Println("shell failed:", err)
+				}
+				continue mainLoop
 			}
+			log.Print("failed to find a shell!")
+
+		default:
+			log.Printf("unknown choice: %q", string(b))
 		}
 	}
-
-	syscall.Reboot(syscall.LINUX_REBOOT_CMD_RESTART)
 }

 func losetup(dev, file string) {
-	run("/sbin/losetup", dev, file)
+	run("/sbin/losetup", "-r", dev, file)
 }

 func run(cmd string, args ...string) {
--- a/modd.conf
+++ b/modd.conf
@ -1,13 +1,24 @@
 modd.conf {}

+alpine/Dockerfile {
+  prep: docker build -t dkl-initrd alpine
+  prep: docker run --rm dkl-initrd | base64 -d >dist/base-initrd
+}
+
+buildenv/Dockerfile {
+  prep: docker build -t dkl-initrd-build buildenv
+}
+
 go.??? **/*.go {
  prep: go test ./...
  prep: mkdir -p dist
-  prep: go build -o dist/init -trimpath -ldflags "-extldflags '-static -pthread'" .
  prep: go build -o dist/ ./tools/...
+
+  prep: mkdir -p tmp/go tmp/.cache
+  prep: docker run --rm -v novit-go:/go -e GOCACHE=/go/.cache -v $PWD:/src -u $(id -u):$(id -g) dkl-initrd-build go build -o dist/init .
 }

-dist/init Dockerfile {
-  prep: docker build -t dkl-initrd .
-  prep: docker run dkl-initrd | base64 -d >dist/initrd
+dist/init dist/base-initrd {
+  prep: cd dist && ../dist/cpiocat init <base-initrd >initrd.new
+  prep: mv dist/initrd.new dist/initrd
 }
--- a/modd.test.conf
+++ b/modd.test.conf
@ -1,6 +1,6 @@
 modd.test.conf {}

-dist/initrd test-initrd/* {
+dist/initrd dist/cpiocat test-initrd/* {
    prep: cp -f dist/initrd test-initrd.cpio
    prep: cd test-initrd && ../dist/cpiocat <../dist/initrd >../test-initrd.cpio *
    prep: if cpio -t -F test-initrd.cpio 2>&1 |grep bytes.of.junk; then echo "bad cpio archive"; exit 1; fi
--- a/network.go
+++ b/network.go
@ -0,0 +1,75 @@
+package main
+
+import (
+	"log"
+	"net"
+	"os/exec"
+	"strings"
+
+	"novit.nc/direktil/initrd/config"
+)
+
+func setupNetworks(cfg *config.Config) {
+	if len(cfg.Networks) == 0 {
+		log.Print("no networks configured.")
+		return
+	}
+
+	ifNames := make([]string, 0)
+	{
+		ifaces, err := net.Interfaces()
+		if err != nil {
+			fatal("failed")
+		}
+		for _, iface := range ifaces {
+			ifNames = append(ifNames, iface.Name)
+		}
+	}
+
+	assigned := map[string]bool{}
+
+	for _, network := range cfg.Networks {
+		log.Print("setting up network ", network.Name)
+
+		// compute available names
+		if len(assigned) != 0 {
+			newNames := make([]string, 0, len(ifNames))
+			for _, n := range ifNames {
+				if assigned[n] {
+					continue
+				}
+				newNames = append(newNames, n)
+			}
+			ifNames = newNames
+		}
+
+		// assign envvars
+		envvars := make([]string, 0, 1+len(network.Interfaces))
+		envvars = append(envvars, "PATH=/bin:/sbin:/usr/bin:/usr/sbin")
+
+		for _, match := range network.Interfaces {
+			envvar := new(strings.Builder)
+			envvar.WriteString(match.Var)
+			envvar.WriteByte('=')
+
+			for i, m := range regexpSelectN(match.N, match.Regexps, ifNames) {
+				if i != 0 {
+					envvar.WriteByte(' ')
+				}
+				envvar.WriteString(m)
+				assigned[m] = true
+			}
+
+			log.Print("- ", envvar)
+			envvars = append(envvars, envvar.String())
+		}
+
+		cmd := exec.Command("/bin/sh", "-c", network.Script)
+		cmd.Env = envvars
+		cmd.Stdout = stdout
+		cmd.Stderr = stderr
+		if err := cmd.Run(); err != nil {
+			fatal("failed to setup network: ", err)
+		}
+	}
+}
--- a/regexp.go
+++ b/regexp.go
@ -0,0 +1,39 @@
+package main
+
+import (
+	"log"
+	"regexp"
+)
+
+func regexpSelectN(n int, regexps []string, names []string) (matches []string) {
+	if n <= 0 {
+		matches = make([]string, 0)
+	} else {
+		matches = make([]string, 0, n)
+	}
+
+	res := make([]*regexp.Regexp, 0, len(regexps))
+	for _, reStr := range regexps {
+		re, err := regexp.Compile(reStr)
+		if err != nil {
+			log.Printf("warning: invalid regexp ignored: %q: %v", reStr, err)
+			continue
+		}
+		res = append(res, re)
+	}
+
+namesLoop:
+	for _, name := range names {
+		if len(matches) == n {
+			break
+		}
+		for _, re := range res {
+			if re.MatchString(name) {
+				matches = append(matches, name)
+				continue namesLoop
+			}
+		}
+	}
+
+	return
+}
--- a/run-test.sh
+++ b/run-test.sh
@ -1,6 +1,19 @@
 #! /bin/sh

+disk1=tmp/test-vda.qcow2
+disk2=tmp/test-vdb.qcow2
+
+if ! [ -e $disk1 ]; then
+    qemu-img create -f qcow2 $disk1 10G
+fi
+if ! [ -e $disk2 ]; then
+    qemu-img create -f qcow2 $disk2 10G
+fi
+
 exec qemu-system-x86_64 -pidfile qemu.pid -kernel test-kernel -initrd test-initrd.cpio \
    -smp 2 -m 2048 \
+    -netdev bridge,br=novit,id=eth0 -device virtio-net-pci,netdev=eth0 \
+    -drive file=$disk1,if=virtio \
+    -drive file=$disk2,if=virtio \
    -nographic -serial mon:stdio -append 'console=ttyS0'
 #    -display curses
--- a/run.go
+++ b/run.go
@ -0,0 +1,18 @@
+package main
+
+import (
+	"encoding/json"
+	"os/exec"
+)
+
+func runJSON(v interface{}, cmd string, args ...string) (err error) {
+	c := exec.Command(cmd, args...)
+	c.Stderr = stderr
+	ba, err := c.Output()
+	if err != nil {
+		return
+	}
+
+	err = json.Unmarshal(ba, v)
+	return
+}
--- a/shio/shio.go
+++ b/shio/shio.go
@ -0,0 +1,118 @@
+// Shared IO
+package shio
+
+import (
+	"io"
+	"sync"
+
+	"novit.nc/direktil/initrd/colorio"
+)
+
+type ShIO struct {
+	buf       []byte
+	closed    bool
+	cond      *sync.Cond
+	hideInput bool
+}
+
+func New() *ShIO {
+	return NewWithCap(1024)
+}
+func NewWithCap(capacity int) *ShIO {
+	return NewWithBytes(make([]byte, 0, capacity))
+}
+func NewWithBytes(content []byte) *ShIO {
+	return &ShIO{
+		buf:  content,
+		cond: sync.NewCond(&sync.Mutex{}),
+	}
+}
+
+var (
+	_ io.WriteCloser = New()
+)
+
+func (s *ShIO) Write(data []byte) (n int, err error) {
+	s.cond.L.Lock()
+	defer s.cond.L.Unlock()
+
+	if s.closed {
+		err = io.EOF
+		return
+	}
+
+	if s.hideInput {
+		s.buf = append(s.buf, colorio.Reset...)
+	}
+
+	s.buf = append(s.buf, data...)
+	n = len(data)
+
+	if s.hideInput {
+		s.buf = append(s.buf, colorio.Hidden...)
+	}
+
+	s.cond.Broadcast()
+	return
+}
+
+func (s *ShIO) HideInput() {
+	s.cond.L.Lock()
+	defer s.cond.L.Unlock()
+
+	if s.closed {
+		return
+	}
+
+	s.buf = append(s.buf, colorio.Hidden...)
+	s.hideInput = true
+}
+func (s *ShIO) ShowInput() {
+	s.cond.L.Lock()
+	defer s.cond.L.Unlock()
+
+	if s.closed {
+		return
+	}
+
+	s.buf = append(s.buf, colorio.Reset...)
+	s.hideInput = false
+}
+
+func (s *ShIO) Close() (err error) {
+	s.cond.L.Lock()
+	defer s.cond.L.Unlock()
+
+	s.closed = true
+
+	s.cond.Broadcast()
+	return
+}
+
+func (s *ShIO) NewReader() io.Reader {
+	return &shioReader{s, 0}
+}
+
+type shioReader struct {
+	in  *ShIO
+	pos int
+}
+
+func (r *shioReader) Read(ba []byte) (n int, err error) {
+	r.in.cond.L.Lock()
+	defer r.in.cond.L.Unlock()
+
+	for r.pos == len(r.in.buf) && !r.in.closed {
+		r.in.cond.Wait()
+	}
+
+	if r.pos == len(r.in.buf) && r.in.closed {
+		err = io.EOF
+		return
+	}
+
+	n = copy(ba, r.in.buf[r.pos:])
+	r.pos += n
+
+	return
+}
--- a/shio/shio_test.go
+++ b/shio/shio_test.go
@ -0,0 +1,52 @@
+package shio
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"sync"
+	"time"
+)
+
+func ExampleOutput() {
+	done := false
+	defer func() { done = true }()
+	go func() {
+		time.Sleep(time.Second)
+		if !done {
+			panic("timeout")
+		}
+	}()
+
+	shio := NewWithCap(3)
+
+	r1 := shio.NewReader()
+
+	// read as you write
+	wg := new(sync.WaitGroup)
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		io.Copy(os.Stdout, r1)
+		fmt.Println("-- r1 done --")
+	}()
+
+	fmt.Fprintln(shio, "hello1")
+	fmt.Fprintln(shio, "hello2")
+	shio.Close()
+
+	wg.Wait()
+
+	// read after close
+	r2 := shio.NewReader()
+	io.Copy(os.Stdout, r2)
+	fmt.Println("-- r2 done --")
+
+	// Output:
+	// hello1
+	// hello2
+	// -- r1 done --
+	// hello1
+	// hello2
+	// -- r2 done --
+}
--- a/ssh.go
+++ b/ssh.go
@ -0,0 +1,229 @@
+package main
+
+import (
+	"encoding/binary"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"log"
+	"net"
+	"os"
+	"os/exec"
+	"sync"
+	"syscall"
+	"unsafe"
+
+	"github.com/kr/pty"
+	"golang.org/x/crypto/ssh"
+
+	"novit.nc/direktil/initrd/config"
+)
+
+func startSSH(cfg *config.Config) {
+	sshConfig := &ssh.ServerConfig{
+		PublicKeyCallback: sshCheckPubkey,
+	}
+
+	pkBytes, err := ioutil.ReadFile("/id_rsa") // TODO configurable
+	if err != nil {
+		fatalf("ssh: failed to load private key: %v", err)
+	}
+
+	pk, err := ssh.ParsePrivateKey(pkBytes)
+	if err != nil {
+		fatalf("ssh: failed to parse private key: %v", err)
+	}
+
+	sshConfig.AddHostKey(pk)
+
+	sshBind := ":22" // TODO configurable
+	listener, err := net.Listen("tcp", sshBind)
+	if err != nil {
+		fatalf("ssh: failed to listen on %s: %v", sshBind, err)
+	}
+
+	log.Print("SSH server listening on ", sshBind)
+
+	go func() {
+		for {
+			conn, err := listener.Accept()
+			if err != nil {
+				log.Print("ssh: accept conn failed: ", err)
+				continue
+			}
+
+			go sshHandleConn(conn, sshConfig)
+		}
+	}()
+}
+
+func sshHandleConn(conn net.Conn, sshConfig *ssh.ServerConfig) {
+	sshConn, chans, reqs, err := ssh.NewServerConn(conn, sshConfig)
+
+	if err != nil {
+		log.Print("ssh: handshake failed: ", err)
+		return
+	}
+
+	remoteAddr := sshConn.User() + "@" + sshConn.RemoteAddr().String()
+	log.Print("ssh: new connection from ", remoteAddr)
+
+	go sshHandleReqs(reqs)
+	go sshHandleChannels(remoteAddr, chans)
+}
+
+func sshHandleReqs(reqs <-chan *ssh.Request) {
+	for req := range reqs {
+		switch req.Type {
+		case "keepalive@openssh.com":
+			req.Reply(true, nil)
+
+		default:
+			log.Printf("ssh: discarding req: %+v", req)
+			req.Reply(false, nil)
+		}
+	}
+}
+
+func sshHandleChannels(remoteAddr string, chans <-chan ssh.NewChannel) {
+	for newChannel := range chans {
+		if t := newChannel.ChannelType(); t != "session" {
+			newChannel.Reject(ssh.UnknownChannelType, fmt.Sprintf("unknown channel type: %s", t))
+			continue
+		}
+
+		channel, requests, err := newChannel.Accept()
+		if err != nil {
+			log.Print("ssh: failed to accept channel: ", err)
+			continue
+		}
+
+		go sshHandleChannel(remoteAddr, channel, requests)
+	}
+}
+
+func sshHandleChannel(remoteAddr string, channel ssh.Channel, requests <-chan *ssh.Request) {
+	var (
+		ptyF, ttyF *os.File
+		termEnv    string
+	)
+
+	defer func() {
+		if ptyF != nil {
+			ptyF.Close()
+		}
+		if ttyF != nil {
+			ttyF.Close()
+		}
+	}()
+
+	var once sync.Once
+	close := func() {
+		channel.Close()
+	}
+
+	for req := range requests {
+		switch req.Type {
+		case "exec":
+			command := string(req.Payload[4 : req.Payload[3]+4])
+			switch command {
+			case "init":
+				go func() {
+					io.Copy(channel, stdout.NewReader())
+					once.Do(close)
+				}()
+				go func() {
+					io.Copy(stdinPipe, channel)
+					once.Do(close)
+				}()
+
+				req.Reply(true, nil)
+
+			default:
+				req.Reply(false, nil)
+			}
+
+		case "shell":
+			cmd := exec.Command("/bin/ash")
+			cmd.Env = []string{"TERM=" + termEnv}
+			cmd.Stdin = ttyF
+			cmd.Stdout = ttyF
+			cmd.Stderr = ttyF
+			cmd.SysProcAttr = &syscall.SysProcAttr{
+				Setctty:   true,
+				Setsid:    true,
+				Pdeathsig: syscall.SIGKILL,
+			}
+
+			cmd.Start()
+
+			go func() {
+				cmd.Wait()
+				ptyF.Close()
+				ptyF = nil
+				ttyF.Close()
+				ttyF = nil
+			}()
+
+			go func() {
+				io.Copy(channel, ptyF)
+				once.Do(close)
+			}()
+			go func() {
+				io.Copy(ptyF, channel)
+				once.Do(close)
+			}()
+
+			req.Reply(true, nil)
+
+		case "pty-req":
+			if ptyF != nil || ttyF != nil {
+				req.Reply(false, nil)
+				continue
+			}
+
+			var err error
+			ptyF, ttyF, err = pty.Open()
+			if err != nil {
+				log.Print("PTY err: ", err)
+				req.Reply(false, nil)
+				continue
+			}
+
+			termLen := req.Payload[3]
+			termEnv = string(req.Payload[4 : termLen+4])
+			w, h := sshParseDims(req.Payload[termLen+4:])
+			sshSetWinsize(ptyF.Fd(), w, h)
+
+			req.Reply(true, nil)
+
+		case "window-change":
+			w, h := sshParseDims(req.Payload)
+			sshSetWinsize(ptyF.Fd(), w, h)
+			// no response
+
+		default:
+			req.Reply(false, nil)
+		}
+	}
+}
+
+func sshParseDims(b []byte) (uint32, uint32) {
+	w := binary.BigEndian.Uint32(b)
+	h := binary.BigEndian.Uint32(b[4:])
+	return w, h
+}
+
+// SetWinsize sets the size of the given pty.
+func sshSetWinsize(fd uintptr, w, h uint32) {
+	// Winsize stores the Height and Width of a terminal.
+	type Winsize struct {
+		Height uint16
+		Width  uint16
+		x      uint16 // unused
+		y      uint16 // unused
+	}
+
+	ws := &Winsize{Width: uint16(w), Height: uint16(h)}
+	syscall.Syscall(syscall.SYS_IOCTL, fd, uintptr(syscall.TIOCSWINSZ), uintptr(unsafe.Pointer(ws)))
+}
--- a/test-initrd/config.yaml
+++ b/test-initrd/config.yaml
@ -1,11 +1,23 @@
 ---
 # early system configuration
+anti_phishing_code: "direktil<3"

 modules: /modules.sqfs

+auths:
+  - name:     novit
+    sshKey:   ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICkpbU6sf4t0f6XAv9DuW3XH5iLM0AI5rc8PT2jwea1N
+    password: bXlzZWVk:HMSxrg1cYphaPuUYUbtbl/htep/tVYYIQAuvkNMVpw0 # mypass
+
 networks:
+- name: loopback
+  interfaces: [ { var: iface, n: 1, regexps: [ "^lo$" ] } ]
+  script: |
+    ip a add 127.0.0.1/8 dev lo
+    ip a add ::1/128 dev lo
+    ip li set lo up
 - name: main
-  ifaces:
+  interfaces:
  - var: iface
    n: 1
    regexps:
@ -14,30 +26,44 @@ networks:
    - eno.*
    - enp.*
  script: |
-    # hello
-    . /env
-    ip a add $address dev $iface
-    ip route add default via $gateway
    ip li set $iface up
+    udhcpc $iface

 lvm:
+- vg: storage
  pvs:
-    n: 1
+    n: 2
    regexps:
-    - /dev/nvme[0-9]+n[0-9]+p[0-9]+
-    - /dev/vd[a-z]+[0-9]+
-    - /dev/sd[a-z]+[0-9]+
+    # to match full disks
+    - /dev/nvme[0-9]+n[0-9]+
+    - /dev/vd[a-z]+
+    - /dev/sd[a-z]+
+    - /dev/hd[a-z]+
+    # to match partitions:
+    #- /dev/nvme[0-9]+n[0-9]+p[0-9]+
+    #- /dev/vd[a-z]+[0-9]+
+    #- /dev/sd[a-z]+[0-9]+
+    #- /dev/hd[a-z]+[0-9]+

  defaults:
    fs: ext4
-    tags: [ encrypt ]
+    raid:
+      mirrors: 1

  lvs:
  - name: bootstrap
-    tags: [ bootstrap, -encrypt ]
+    crypt: bootstrap
    size: 2g

-  - name: dls
-    mountPoint: /var/lib/direktil
-    size: 100%FREE
+  - name: varlog
+    crypt: varlog
+    extents: 10%FREE
+
+  - name: dls
+    crypt: dls
+    extents: 100%FREE
+
+bootstrap:
+  dev: /dev/mapper/bootstrap
+  #seed: https://direktil.novit.io/bootstraps/dls

--- a/test-initrd/id_rsa
+++ b/test-initrd/id_rsa
@ -0,0 +1,38 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEAy6Ppr/tBiVYsBYiteGwMPI+B2BSBn+CP36ZiKsx6IX+9E0/nGKgC
+khwWFfrmIzS2EIm+iIv7YT3sXsqcO96au2ewh77m5xUFIrqie5c13leNeOn+Xhy++v0705
+irYUuBVRbWukpQjhOrp0eqvBzOdlUoo2r7aF95rrMboAsIWh5gTTnVCXDSEQiHsvEGjs7T
+ytOXQ6zmYTECYEkk/wUWja7WNP8UZiaPuU20Hso8g7kHSthKEudUDFs7E/yx+na0AYCnfE
+UR6oxIbHH2ldgpnX7lTv5YhHVvNnqTIBQhmLTHrT/67N2z5AvdFC8T2UsrWs+3ebsdXb0o
+Kzx81+N9OpPxj93ehLznncuCCgAedye5Xm760SOaU1T2b3f0bEhhsVCMI39mPExeZ2wtnd
+g+Tmrqn3r59vb3iEYfJqvgLCTJ5L1BcFUTfulg7GfhfNvgBmgiiRTUC2G0SrV1tM84vsE7
+JyyTcJaXr0X+tUgsXoUqnlX53OEw7ABskWvZ0m0fAAAFiBu7krYbu5K2AAAAB3NzaC1yc2
+EAAAGBAMuj6a/7QYlWLAWIrXhsDDyPgdgUgZ/gj9+mYirMeiF/vRNP5xioApIcFhX65iM0
+thCJvoiL+2E97F7KnDvemrtnsIe+5ucVBSK6onuXNd5XjXjp/l4cvvr9O9OYq2FLgVUW1r
+pKUI4Tq6dHqrwcznZVKKNq+2hfea6zG6ALCFoeYE051Qlw0hEIh7LxBo7O08rTl0Os5mEx
+AmBJJP8FFo2u1jT/FGYmj7lNtB7KPIO5B0rYShLnVAxbOxP8sfp2tAGAp3xFEeqMSGxx9p
+XYKZ1+5U7+WIR1bzZ6kyAUIZi0x60/+uzds+QL3RQvE9lLK1rPt3m7HV29KCs8fNfjfTqT
+8Y/d3oS8553LggoAHncnuV5u+tEjmlNU9m939GxIYbFQjCN/ZjxMXmdsLZ3YPk5q6p96+f
+b294hGHyar4CwkyeS9QXBVE37pYOxn4Xzb4AZoIokU1AthtEq1dbTPOL7BOycsk3CWl69F
+/rVILF6FKp5V+dzhMOwAbJFr2dJtHwAAAAMBAAEAAAGBAJ0rDBBjtkgd9unqfCAmHCedht
+RTt1vCgKhXjQqFOHmkUjSWhcD04s8L2EvskjR32VDYTvKqP0Dk/wqGC6D1hKzBMXEDeMi+
+43DTZNZIdS3+mtTInCbcvtWOHt+HxDXahZ47e0zaUGPncKMx3+dBwGN6BFxkFFeQ4KRh3h
+9ehHqxWRghW3fm2GqHD9yew7XykWnIdsWnq0M2BSR1L5WXwrllSDQs7vyMJH8bJrpg0eXE
+J4mvdzQx0B+dRfJ+JIsvkwvieAPb6sPmSgY47moP0xhbvs7/1UxPEY0Q2FpjQALQ0CnIC2
+LRHvGb7NJEX/ASDy/s1CNlk5ro/iht28wh0Iq8iqqpRkgKyhYsr8+QChs6oxcbx2xPRVy4
+NOBMLW6ppjIQO3rE79zPrp9tTmew5iQ4V58+DqhAZxeI4A6YZE98rAvRREqnT6HVmqtfHl
+gPMlrSDw1I8ZN8QT1dD1sMbi4Ud0eHdg1xLUpJ3dStgN45yhBiWuR2x4Jbn8ayeZwJmQAA
+AMA971gUyqrb7D6oFerzx3prijJoZOLE1Zluo3Q9Ise4KgDZ66QDE7mQRzSEniZcy77mSt
+VOhjVmI5CXREbpdGU6LxJujIAm4pKwyVEV8XVAzII6s4He5QUBxiLYWHDro3bOSmOZ50tk
+WBTO7llCR5FGbi7iJ1CP0C+CXRSaH8ug8Xqd0HBzTB2nXTGJNyx9lBwLY837VcdUIRrr+7
+QzVD/BQ/v+Ch21Ck0kMtLCv+lrXAeowsK89ExDp4HqMnOHnT0AAADBAObxbkJeoXfkmV7e
+0nAyQ/IDTs3Zlm3517mTzvc7j2o0qJQty+9pLD60S5s0VUpQpgeT3LzXRZ2eZlq3FcWsRa
+HyiovF6L5OUik1gVc/QiP+x6QSLdFi/ROHRT7DZFQ+1/bquGgVsoEVZJPDz7NJvBPLYwmj
+EGRZeKWVjIcDLSGq6fek9aTFUe7bcDCHx+QuovxeFWncmTNYC7jaYMff6DtHjokLgsyOzF
+FjYEC9wFVrEz+9oegDxatiJpWJN1zTWwAAAMEA4bwhyUDs0oyQ+16xpdd4f8PYfQ0HoLow
+ckvWCNS2Xmpnbe+dYqqRw7mchnYj4uXvhi391LwWTea5bQ78Hj+DnMugOLmmcHuFAbkxeL
+9x97iCIUrli5wawGfJgwPiGJlATUVz9Y3BOcg+uBmQ9qGR6wdI6N+zuu/54gGzW2gVanYs
+Gs0JH+C+afZ2yitUuGXDIVlYdgjESIszdK0wNGzZ4HDleFVhK3jFiK1CHHBb89Tbmd6fMZ
+NWpcpue2AYSUyNAAAADXRlc3RAbm92aXQuaW8BAgMEBQ==
+-----END OPENSSH PRIVATE KEY-----
--- a/test-initrd/id_rsa.pub
+++ b/test-initrd/id_rsa.pub
@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDLo+mv+0GJViwFiK14bAw8j4HYFIGf4I/fpmIqzHohf70TT+cYqAKSHBYV+uYjNLYQib6Ii/thPexeypw73pq7Z7CHvubnFQUiuqJ7lzXeV4146f5eHL76/TvTmKthS4FVFta6SlCOE6unR6q8HM52VSijavtoX3musxugCwhaHmBNOdUJcNIRCIey8QaOztPK05dDrOZhMQJgSST/BRaNrtY0/xRmJo+5TbQeyjyDuQdK2EoS51QMWzsT/LH6drQBgKd8RRHqjEhscfaV2CmdfuVO/liEdW82epMgFCGYtMetP/rs3bPkC90ULxPZSytaz7d5ux1dvSgrPHzX4306k/GP3d6EvOedy4IKAB53J7lebvrRI5pTVPZvd/RsSGGxUIwjf2Y8TF5nbC2d2D5Oauqfevn29veIRh8mq+AsJMnkvUFwVRN+6WDsZ+F82+AGaCKJFNQLYbRKtXW0zzi+wTsnLJNwlpevRf61SCxehSqeVfnc4TDsAGyRa9nSbR8= test@novit.io
--- a/tools/cpiocat/main.go
+++ b/tools/cpiocat/main.go
@ -2,6 +2,7 @@ package main

 import (
 	"flag"
+	"log"
 	"os"

 	"novit.nc/direktil/initrd/cpiocat"
@ -10,5 +11,8 @@ import (
 func main() {
 	flag.Parse()

-	cpiocat.Append(os.Stdout, os.Stdin, flag.Args())
+	err := cpiocat.Append(os.Stdout, os.Stdin, flag.Args())
+	if err != nil {
+		log.Fatal(err)
+	}
 }
--- a/tty.go
+++ b/tty.go
@ -0,0 +1,38 @@
+package main
+
+import (
+	"os"
+
+	"golang.org/x/sys/unix"
+)
+
+var (
+	stdinTTY = &tty{int(os.Stdin.Fd()), nil}
+)
+
+type tty struct {
+	fd      int
+	termios *unix.Termios
+}
+
+func (t *tty) EchoOff() {
+	termios, err := unix.IoctlGetTermios(t.fd, unix.TCGETS)
+	if err != nil {
+		return
+	}
+
+	t.termios = termios
+
+	newState := *termios
+	newState.Lflag &^= unix.ECHO
+	newState.Lflag |= unix.ICANON | unix.ISIG
+	newState.Iflag |= unix.ICRNL
+	unix.IoctlSetTermios(t.fd, unix.TCSETS, &newState)
+}
+
+func (t *tty) Restore() {
+	if t.termios != nil {
+		unix.IoctlSetTermios(t.fd, unix.TCSETS, t.termios)
+		t.termios = nil
+	}
+}
--- a/zombies.go
+++ b/zombies.go
@ -6,6 +6,8 @@ import (
 )

 func cleanZombies() {
+	return // FIXME noop... udhcpc is a daemon staying alive so we never finish
+
 	var wstatus syscall.WaitStatus

 	for {
				`@ -0,0 +1 @@`
				ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDLo+mv+0GJViwFiK14bAw8j4HYFIGf4I/fpmIqzHohf70TT+cYqAKSHBYV+uYjNLYQib6Ii/thPexeypw73pq7Z7CHvubnFQUiuqJ7lzXeV4146f5eHL76/TvTmKthS4FVFta6SlCOE6unR6q8HM52VSijavtoX3musxugCwhaHmBNOdUJcNIRCIey8QaOztPK05dDrOZhMQJgSST/BRaNrtY0/xRmJo+5TbQeyjyDuQdK2EoS51QMWzsT/LH6drQBgKd8RRHqjEhscfaV2CmdfuVO/liEdW82epMgFCGYtMetP/rs3bPkC90ULxPZSytaz7d5ux1dvSgrPHzX4306k/GP3d6EvOedy4IKAB53J7lebvrRI5pTVPZvd/RsSGGxUIwjf2Y8TF5nbC2d2D5Oauqfevn29veIRh8mq+AsJMnkvUFwVRN+6WDsZ+F82+AGaCKJFNQLYbRKtXW0zzi+wTsnLJNwlpevRf61SCxehSqeVfnc4TDsAGyRa9nSbR8= test@novit.io