diff --git a/.gitignore b/.gitignore
index 7f36549..ee4133c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -84,3 +84,4 @@ pishrink.sh
 # Temp file storage
 frontends/web/temp_files/
+rpi/config.json
diff --git a/PLAN-4.1.4.md b/PLAN-4.1.4.md
index 808efae..e4ac973 100644
--- a/PLAN-4.1.4.md
+++ b/PLAN-4.1.4.md
@@ -2,9 +2,9 @@
 ## Build / Deploy
 - [ ] Pre-built Python 3.12 venv tarball for Pi (skip 20+ min compile)
-- [ ] Fixed partition sizing in flash script (8-16GB rootfs for faster imaging)
-- [ ] Rename `flash-pi.sh` → `flash-stock-img.sh` for clarity
-- [ ] pip-audit integration in release validation
+- [x] Fixed partition sizing in flash script (16GB rootfs for faster imaging)
+- [x] Rename `flash-pi.sh` → `flash-stock-img.sh` for clarity
+- [x] pip-audit integration in release validation
 ## Features
 - [ ] QR channel key sharing (needs UI thought - avoid crowding encode/decode pages)
diff --git a/rpi/config.json.example b/rpi/config.json.example
new file mode 100644
index 0000000..02b9de9
--- /dev/null
+++ b/rpi/config.json.example
@@ -0,0 +1,12 @@
+{
+ "hostname": "stegasoo",
+ "username": "admin",
+ "password": "stegasoo",
+ "wifiSSID": "YourNetworkName",
+ "wifiPassword": "YourWiFiPassword",
+ "wifiCountry": "US",
+ "locale": "en_US.UTF-8",
+ "keyboardLayout": "us",
+ "timezone": "America/New_York",
+ "enableSSH": true
+}
diff --git a/rpi/flash-pi.sh b/rpi/flash-stock-img.sh
similarity index 79%
rename from rpi/flash-pi.sh
rename to rpi/flash-stock-img.sh
index 8b9026f..3f5fce8 100755
--- a/rpi/flash-pi.sh
+++ b/rpi/flash-stock-img.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # Flash Raspberry Pi image with headless config (Trixie/Bookworm compatible)
-# Usage: ./flash-pi.sh
+# Usage: ./flash-stock-img.sh
 # Reads settings from config.json in same directory
 #
 # Uses the same firstrun.sh approach as rpi-imager for compatibility
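Review bot: The example pairs `"enableSSH": true` with a fixed `"password": "stegasoo"` that is identical to the hostname, so a user who copies this file to `config.json` (now gitignored, so this example is the only committed reference) without editing it ends up with a device reachable over SSH under a credential published in the repository. Use a non-working placeholder instead, e.g. `"password": "CHANGE_ME"`, in the same spirit as the existing `"wifiSSID": "YourNetworkName"` / `"wifiPassword": "YourWiFiPassword"` entries. Since the flash script already reads these values from `config.json` (per its header comment), it could refuse to proceed while `password` still equals the placeholder.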
@@ -103,13 +103,66 @@ sleep 1
 # ============================================================================
 if [ -b "${DEVICE}1" ]; then
 BOOT_PART="${DEVICE}1"
+ ROOT_PART="${DEVICE}2"
 elif [ -b "${DEVICE}p1" ]; then
 BOOT_PART="${DEVICE}p1"
+ ROOT_PART="${DEVICE}p2"
 else
 echo "Error: Could not find boot partition"
 exit 1
 fi
+# ============================================================================
+# Resize rootfs to 16GB (faster imaging)
+# ============================================================================
+echo
+read -p "Resize rootfs to 16GB for faster imaging? [Y/n] " resize_confirm
+if [[ ! "$resize_confirm" =~ ^[Nn]$ ]]; then
+ echo "Resizing rootfs partition to 16GB..."
+
+ # Get boot partition end
+ BOOT_END=$(sudo parted -s "$DEVICE" unit s print | grep "^ 1" | awk '{print $3}' | tr -d 's')
+
+ # Calculate 16GB in sectors (512 byte sectors)
+ # 16GB = 16 * 1024 * 1024 * 1024 / 512 = 33554432 sectors
+ ROOT_SIZE_SECTORS=33554432
+ ROOT_END=$((BOOT_END + ROOT_SIZE_SECTORS))
+
+ # Delete and recreate partition 2 with fixed size
+ sudo parted -s "$DEVICE" rm 2
+ sudo parted -s "$DEVICE" mkpart primary ext4 $((BOOT_END + 1))s ${ROOT_END}s
+
+ # Refresh partition table
+ sudo partprobe "$DEVICE"
+ sleep 1
+
+ # Check and resize filesystem
+ echo "Checking filesystem..."
+ sudo e2fsck -f -y "$ROOT_PART" 2>/dev/null || true
+
+ echo "Resizing filesystem to fit partition..."
+ sudo resize2fs "$ROOT_PART"
+
+ # Disable Pi OS auto-expand on first boot
+ echo "Disabling auto-expand..."
+ TEMP_ROOT=$(mktemp -d)
+ sudo mount "$ROOT_PART" "$TEMP_ROOT"
+
+ # Remove resize2fs_once service if it exists
+ sudo rm -f "$TEMP_ROOT/etc/init.d/resize2fs_once"
+ sudo rm -f "$TEMP_ROOT/etc/rc3.d/S01resize2fs_once"
+
+ # Disable the systemd resize service
+ sudo rm -f "$TEMP_ROOT/etc/systemd/system/multi-user.target.wants/rpi-resizerootfs.service"
+
+ # Remove init= parameter from cmdline.txt on boot partition (handled later)
+
+ sudo umount "$TEMP_ROOT"
+ rmdir "$TEMP_ROOT"
+
+ echo " Rootfs resized to 16GB (auto-expand disabled)"
+fi
+
 MOUNT_DIR=$(mktemp -d)
 # ============================================================================
@@ -213,8 +266,8 @@ sudo chmod +x "$MOUNT_DIR/firstrun.sh"
 echo "Updating cmdline.txt..."
 CMDLINE="$MOUNT_DIR/cmdline.txt"
 if [ -f "$CMDLINE" ]; then
- # Read current cmdline, strip any existing systemd.run, append new one
- CURRENT=$(cat "$CMDLINE" | tr -d '\n' | sed 's| systemd.run.*||g')
+ # Read current cmdline, strip existing systemd.run and init= (auto-expand)
+ CURRENT=$(cat "$CMDLINE" | tr -d '\n' | sed 's| systemd.run.*||g' | sed 's| init=[^ ]*||g')
 echo "$CURRENT systemd.run=/boot/firmware/firstrun.sh systemd.run_success_action=reboot systemd.unit=kernel-command-line.target" | sudo tee "$CMDLINE" > /dev/null
 echo " cmdline.txt updated"
 fi
diff --git a/scripts/validate-release.sh b/scripts/validate-release.sh
index d0eebde..8827ba1 100755
--- a/scripts/validate-release.sh
+++ b/scripts/validate-release.sh
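Review bot: `BOOT_END` is used unvalidated in the resize block: if the `parted ... | grep "^ 1" | awk` pipeline yields nothing (parted failing or a different output layout), `$((BOOT_END + 1))` silently evaluates to `1`, and by that point `parted rm 2` has already deleted the root partition, leaving the device with a broken table or a partition overlapping the boot partition. Add a guard before the destructive step, e.g. `[[ "$BOOT_END" =~ ^[0-9]+$ ]] || { echo "Error: could not read boot partition end" >&2; exit 1; }`. The new partition also starts at `BOOT_END + 1`, which assumes the stock partition 2 began immediately after partition 1; reading partition 2's existing start sector from the same `parted print` output and reusing it would keep the filesystem where `e2fsck`/`resize2fs` expect it. Finally, `e2fsck -f -y ... 2>/dev/null || true` hides any fsck failure right before `resize2fs`, which would then fail without the cause being visible — leave stderr attached there.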
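Review bot: The `init=` strip on the new `CURRENT=` line runs unconditionally, while the partition resize earlier in the script is behind a `[Y/n]` prompt; if `init=` is indeed what triggers the stock first-boot expansion (as the new comment says), a user who answers `n` gets a rootfs that never grows. Gate the second `sed` on the same answer, e.g. only append `| sed 's| init=[^ ]*||g'` when `[[ ! "$resize_confirm" =~ ^[Nn]$ ]]`, or state in the comment that auto-expand is always disabled regardless of the prompt. The `cat | tr | sed | sed` chain could also be a single `sed -e 's| systemd.run.*||g' -e 's| init=[^ ]*||g' "$CMDLINE" | tr -d '\n'`.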
@@ -120,7 +120,34 @@ else
 fi
 # =============================================================================
-# 2. Unit Tests (if they exist)
+# 2. Security Audit
+# =============================================================================
+section "Security Audit"
+
+# pip-audit for known vulnerabilities
+if command -v ./venv/bin/pip-audit &> /dev/null; then
+ echo -n "Running pip-audit... "
+ if ./venv/bin/pip-audit --quiet 2>/dev/null; then
+ pass "No known vulnerabilities"
+ else
+ fail "pip-audit found vulnerabilities (run: ./venv/bin/pip-audit)"
+ fi
+else
+ echo -n "Installing pip-audit... "
+ if ./venv/bin/pip install pip-audit --quiet 2>/dev/null; then
+ echo -n "Running pip-audit... "
+ if ./venv/bin/pip-audit --quiet 2>/dev/null; then
+ pass "No known vulnerabilities"
+ else
+ fail "pip-audit found vulnerabilities (run: ./venv/bin/pip-audit)"
+ fi
+ else
+ skip "Could not install pip-audit"
+ fi
+fi
+
+# =============================================================================
+# 3. Unit Tests (if they exist)
 # =============================================================================
 section "Unit Tests"
@@ -136,7 +163,7 @@ else
 fi
 # =============================================================================
-# 3. Import Tests
+# 4. Import Tests
 # =============================================================================
 section "Import Tests"
@@ -165,7 +192,7 @@ else
 fi
 # =============================================================================
-# 4. Encode/Decode Sanity Test
+# 5. Encode/Decode Sanity Test
 # =============================================================================
 section "Encode/Decode Test"
@@ -205,7 +232,7 @@ else
 fi
 # =============================================================================
-# 5. Docker Build & Test (optional)
+# 6. Docker Build & Test (optional)
 # =============================================================================
 if $INCLUDE_DOCKER; then
 section "Docker"
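Review bot: The two `pip-audit` runs in the Security Audit hunk are duplicated verbatim in both branches of the `if command -v` block, and both discard stderr with `2>/dev/null`, so a failure to reach the advisory database is reported as `fail "pip-audit found vulnerabilities ..."` with no visible cause — pip-audit exits non-zero for errors as well as for findings, as far as I recall. Factoring the run into a helper and keeping stderr attached fixes both, and `[ -x ./venv/bin/pip-audit ]` states the intent more directly than `command -v` on a path. Separately, the fallback `./venv/bin/pip install pip-audit` adds an unpinned package and its dependencies to the very venv the release gate is validating; consider pinning the version, or installing the tool outside `./venv` so the artifact under test stays unchanged. The fence shows the deduplicated shape.
```shell
# Runs pip-audit once and reports; stderr is left visible so a database/network
# failure is distinguishable from actual findings.
run_pip_audit() {
  echo -n "Running pip-audit... "
  if ./venv/bin/pip-audit --quiet; then
    pass "No known vulnerabilities"
  else
    fail "pip-audit reported findings or failed (run: ./venv/bin/pip-audit)"
  fi
}

if [ -x ./venv/bin/pip-audit ]; then
  run_pip_audit
else
  echo -n "Installing pip-audit... "
  if ./venv/bin/pip install pip-audit --quiet 2>/dev/null; then
    run_pip_audit
  else
    skip "Could not install pip-audit"
  fi
fi
# … unchanged: renumbered "3. Unit Tests" section header …
```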
@@ -248,7 +275,7 @@ else
 fi
 # =============================================================================
-# 6. Pi Smoke Test (optional)
+# 7. Pi Smoke Test (optional)
 # =============================================================================
 if $INCLUDE_PI; then
 section "Pi Smoke Test"