{"id":18760997,"url":"https://github.com/atweiden/voidvault","last_synced_at":"2025-10-09T18:18:56.416Z","repository":{"id":44400969,"uuid":"143912430","full_name":"atweiden/voidvault","owner":"atweiden","description":"Bootstrap Void with FDE","archived":false,"fork":false,"pushed_at":"2025-04-01T06:02:21.000Z","size":994,"stargazers_count":68,"open_issues_count":2,"forks_count":7,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-04-02T12:24:42.106Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Raku","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"unlicense","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/atweiden.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGES.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-08-07T18:31:30.000Z","updated_at":"2025-04-01T06:02:12.000Z","dependencies_parsed_at":"2024-05-08T00:37:27.325Z","dependency_job_id":"35870f32-98f7-40e1-87fc-203181aa779c","html_url":"https://github.com/atweiden/voidvault","commit_stats":null,"previous_names":[],"tags_count":32,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atweiden%2Fvoidvault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atweiden%2Fvoidvault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atweiden%2Fvoidvault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atweiden%2Fvoidvault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/atweiden","download_url":"https://codeload.github.com/atweiden/voidvault/tar.gz/
refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248085411,"owners_count":21045159,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-07T18:14:39.235Z","updated_at":"2025-10-09T18:18:51.395Z","avatar_url":"https://github.com/atweiden.png","language":"Raku","funding_links":[],"categories":["Minimal rootfs"],"sub_categories":[],"readme":"Voidvault\n=========\n\nLast tested | ISO                                                                                | Result\n----------- | ---------------------------------------------------------------------------------- | ------\n2023-07-11  | [void-live-x86_64-20230628-base.iso][void-live-x86_64-20230628-base.iso]           | PASS\n2023-07-11  | [void-live-x86_64-musl-20230628-base.iso][void-live-x86_64-musl-20230628-base.iso] | PASS\n2023-07-11  | [void-live-i686-20230628-base.iso][void-live-i686-20230628-base.iso]               | PASS\n\nBootstrap Void with FDE\n\n\nDescription\n-----------\n\n### Overview\n\nVoidvault bootstraps Void with whole system Btrfs on LUKS.\n\nVoidvault works on Void with Intel or AMD x86 CPU. 
It assumes you are\ncomfortable working on the cmdline, and that you have no need for booting\nany other operating systems on the target block device.\n\n**WARNING**: failure to give appropriate values during Voidvault setup\ncould cause catastrophic data loss and system instability.\n\n### Features\n\n- whole system Btrfs on LUKS, including encrypted `/boot`\n- [runit][runit] PID 1\n- [GPT][GPT] partitioning\n- no swap partition, uses [zram][zram] via [zramen][zramen]\n- [GRUB][GRUB] bootloader with both legacy BIOS and UEFI support\n- custom GRUB command line username and password\n- custom root, admin, guest, and SFTP user account passwords\n- custom repository selection for `xbps-install` (optional)\n- adds randomized key to LUKS volume for [double password entry\n  avoidance][double password entry avoidance] on boot\n- configures [OpenSSH][OpenSSH]\n  - SFTP-only user enforced with OpenSSH\n    `ChrootDirectory` and `ForceCommand internal-sftp` (see:\n    [resources/etc/ssh/sshd_config](resources/etc/ssh/sshd_config))\n- uses [nftables][nftables] instead of iptables (see:\n  [resources/etc/nftables.conf](resources/etc/nftables.conf))\n- configures kernel parameters with [Sysctl][Sysctl] (see:\n  [resources/etc/sysctl.d/99-sysctl.conf](resources/etc/sysctl.d/99-sysctl.conf))\n- blacklists kernel modules for floppy drives, beeping speakers, Intel\n  ME, firewire, bluetooth and thunderbolt (see:\n  [resources/etc/modprobe.d/modprobe.conf](resources/etc/modprobe.d/modprobe.conf))\n- configures [dnscrypt-proxy][dnscrypt-proxy]\n  - server must support DNS security extensions (DNSSEC)\n  - always use TCP to connect to upstream servers\n  - create new, unique key for each DNS query\n  - disable TLS session tickets\n  - unconditionally use fallback resolver\n  - wait up to 7 minutes for network connectivity at startup\n  - disable DNS cache\n  - modify `/etc/resolv.conf` (see:\n    [resources/etc/resolvconf.conf](resources/etc/resolvconf.conf))\n  - skip resolvers 
incompatible with anonymization\n- forces password entry with every `sudo`\n  - passwordless `sudo reboot` and `sudo shutdown`\n- ten minute shell timeout, your current shell or user\n  session will end after ten minutes of inactivity (see:\n  [resources/etc/profile.d/shell-timeout.sh](resources/etc/profile.d/shell-timeout.sh))\n- [hides process information][hidepid] from all other users besides admin\n- [denies console login as root][denies console login as root]\n- disables GRUB recovery mode\n- enables runit service for dnscrypt-proxy, nftables and socklog\n- configures [Xorg][Xorg], but does not install any Xorg packages (see:\n  [resources/etc/X11](resources/etc/X11))\n- optionally disables IPv6, and makes IPv4-only adjustments to dhcpcd,\n  dnscrypt-proxy, openresolv, OpenSSH\n- optionally enables classic (pre-[systemd][predictable network interface\n  names]) naming scheme for network interfaces, e.g. `eth0`, `wlan0`\n\n### Filesystem\n\n- `/dev/sdX1` is the BIOS boot sector (size: 2M)\n- `/dev/sdX2` is the EFI system partition (size: [550M][550M])\n- `/dev/sdX3` is the root Btrfs filesystem on LUKS (size: remainder)\n\nVoidvault creates the following Btrfs subvolumes with a [flat layout][flat\nlayout]:\n\nSubvolume name    | Mounting point    | Mount options\n---               | ---               | ---\n`@`               | `/`               |\n`@home`           | `/home`           | `nodev,nosuid`\n`@opt`            | `/opt`            | `nodev`\n`@srv`            | `/srv`            | `nodev,noexec,nosuid` + [nodatacow][nodatacow]²\n`@var`            | `/var`            | `nodev,noexec,nosuid`\n`@var-cache-xbps` | `/var/cache/xbps` | `nodev,noexec,nosuid`\n`@var-lib-ex`     | `/var/lib/ex`     | `nodev,noexec,nosuid` + nodatacow\n`@var-log`        | `/var/log`        | `nodev,noexec,nosuid` + nodatacow\n`@var-opt`        | `/var/opt`        | `nodev,noexec,nosuid`\n`@var-spool`      | `/var/spool`      | `nodev,noexec,nosuid` + nodatacow\n`@var-tmp`        
| `/var/tmp`        | `nodev,noexec,nosuid` + nodatacow\n\n²: via `chattr -R +C`, not mount options\n\nAdditionally, Voidvault mounts the following directories with [protective\nmount options][protective mount options]:\n\nDirectory    | Mount options\n---          | ---\n`/boot`      | `nodev,noexec,nosuid`\n`/boot/efi`  | `nodev,nosuid`\n`/etc`       | `nodev,nosuid`\n`/mnt`       | `nodev`\n`/proc`      | `nodev,noexec,nosuid` + [hidepid][hidepid]\n`/root`      | `nodev`\n`/tmp`       | `nodev,noexec,nosuid`\n`/usr`       | `nodev`\n`/usr/lib`   | `nodev,nosuid`\n`/usr/lib32` | `nodev,nosuid`\n\n\nSynopsis\n--------\n\n### `voidvault new`\n\nBootstrap Voidvault. Must be run as root.\n\n**Supply options interactively (recommended)**:\n\n```sh\nvoidvault new\n```\n\n**Supply options via environment variables**:\n\n```sh\nexport VOIDVAULT_ADMIN_NAME=\"live\"\nexport VOIDVAULT_ADMIN_PASS=\"your admin user's password\"\nvoidvault new\n```\n\nVoidvault recognizes the following environment variables:\n\n```sh\nVOIDVAULT_ADMIN_NAME=\"live\"\nVOIDVAULT_ADMIN_PASS=\"your admin user's password\"\nVOIDVAULT_ADMIN_PASS_HASH='$6$rounds=700000$sleJxKNAgRnG7E8s$Fjg0/vuRz.GgF0FwDE04gP2i6oMq/Y4kodb1RLTbR3SpABVDKGdhCVfLpC5LwCOXDMEU.ylyV40..jrGmI.4N0'\nVOIDVAULT_GUEST_NAME=\"guest\"\nVOIDVAULT_GUEST_PASS=\"your guest user's password\"\nVOIDVAULT_GUEST_PASS_HASH='$6$rounds=700000$H0WWMRVAqKMmJVUx$X9NiHaL.cvZ1/nQzUL5fcRP12wvOyrZ/0YV57cFddcTEkVZKbtIBv48EEd4SVu.1D5RWVX43dfTuyudYem0gf0'\nVOIDVAULT_SFTP_NAME=\"variable\"\nVOIDVAULT_SFTP_PASS=\"your sftp user's password\"\nVOIDVAULT_SFTP_PASS_HASH='$6$rounds=700000$H0WWMRVAqKMmJVUx$X9NiHaL.cvZ1/nQzUL5fcRP12wvOyrZ/0YV57cFddcTEkVZKbtIBv48EEd4SVu.1D5RWVX43dfTuyudYem0gf0'\nVOIDVAULT_GRUB_NAME=\"grub\"\nVOIDVAULT_GRUB_PASS=\"your grub user's 
password\"\nVOIDVAULT_GRUB_PASS_HASH='grub.pbkdf2.sha512.25000.4A7BC4FE022FA7E7D32B0B132B4AA5A61A63C8076FF6A8AF38C718FF334772E499F45D186C9EECF3622E7BA24B02C24F283261AE2D18163D54FD2CAF7FF3F7B7610F85AAB2BB7BAF806EF381B73730D5032E9CF75548C8BA1813B62121DC29A75E677ED6.5C1B9525BDE9F79A90221DC423AA66D1108731C8F2F5B0A9DC74279562242F05A8CCA4522706A2A74308B272EC05D0ACC1DCDA7263B09BF2F4C006623B3CEC842AC061B6D73B09A0067B23E9BF8560F053F940D5061F413C23C9F4544FDFC3F9BD026FB7'\nVOIDVAULT_ROOT_PASS=\"your root password\"\nVOIDVAULT_ROOT_PASS_HASH='$6$rounds=700000$xDn3UJKNvfOxJ1Ds$YEaaBAvQQgVdtV7jFfVnwmh57Do1awMh8vTBtI1higrZMAXUisX2XKuYbdTcxgQMleWZvK3zkSJQ4F3Jyd5Ln1'\nVOIDVAULT_VAULT_NAME=\"vault\"\nVOIDVAULT_VAULT_PASS=\"your LUKS encrypted volume's password\"\nVOIDVAULT_DEVICE=\"/dev/sda\"\nVOIDVAULT_HOSTNAME=\"vault\"\nVOIDVAULT_PROCESSOR=\"other\"\nVOIDVAULT_GRAPHICS=\"intel\"\nVOIDVAULT_DISK_TYPE=\"usb\"\nVOIDVAULT_LOCALE=\"en_US\"\nVOIDVAULT_KEYMAP=\"us\"\nVOIDVAULT_TIMEZONE=\"America/Los_Angeles\"\nVOIDVAULT_REPOSITORY=\"/path/to/void/repository\"\nVOIDVAULT_IGNORE_CONF_REPOS=1\nVOIDVAULT_KERNEL=\"linux\"\nVOIDVAULT_PACKAGES=\"space separated list of packages\"\nVOIDVAULT_AUGMENT=1\nVOIDVAULT_CHROOT_DIR=\"/mnt\"\nVOIDVAULT_DISABLE_IPV6=1\nVOIDVAULT_ENABLE_CLASSIC_IFNAMES=1\nVOIDVAULT_ENABLE_SERIAL_CONSOLE=1\n```\n\n**Supply options via cmdline flags**:\n\n```sh\nvoidvault --admin-name=\"live\"                                  \\\n          --admin-pass=\"your admin user's password\"            \\\n          --guest-name=\"guest\"                                 \\\n          --guest-pass=\"your guest user's password\"            \\\n          --sftp-name=\"variable\"                               \\\n          --sftp-pass=\"your sftp user's password\"              \\\n          --grub-name=\"grub\"                                   \\\n          --grub-pass=\"your grub user's password\"              \\\n          --root-pass=\"your root password\"                     \\\n    
      --vault-name=\"vault\"                                 \\\n          --vault-pass=\"your LUKS encrypted volume's password\" \\\n          --device=\"/dev/sda\"                                  \\\n          --hostname=\"vault\"                                   \\\n          --processor=\"other\"                                  \\\n          --graphics=\"intel\"                                   \\\n          --disk-type=\"usb\"                                    \\\n          --locale=\"en_US\"                                     \\\n          --keymap=\"us\"                                        \\\n          --timezone=\"America/Los_Angeles\"                     \\\n          --repository=\"/path/to/void/repository\"              \\\n          --ignore-conf-repos                                  \\\n          --augment                                            \\\n          new\n```\n\n### `voidvault gen-pass-hash`\n\nGenerate a password hash suitable for creating Linux user accounts or\npassword-protecting the GRUB command line.\n\n```sh\nvoidvault gen-pass-hash\nEnter new password:\nRetype new password:\n$6$rounds=700000$sleJxKNAgRnG7E8s$Fjg0/vuRz.GgF0FwDE04gP2i6oMq/Y4kodb1RLTbR3SpABVDKGdhCVfLpC5LwCOXDMEU.ylyV40..jrGmI.4N0\n```\n\nAn example of using the generated hash with Voidvault:\n\n```sh\nvoidvault                                                                                                                                      \\\n  --admin-name='live'                                                                                                                          \\\n  --admin-pass-hash='$6$rounds=700000$sleJxKNAgRnG7E8s$Fjg0/vuRz.GgF0FwDE04gP2i6oMq/Y4kodb1RLTbR3SpABVDKGdhCVfLpC5LwCOXDMEU.ylyV40..jrGmI.4N0' \\\n  new\n```\n\n### `voidvault ls`\n\nList system information including devices, keymaps, locales, and\ntimezones.\n\nIt's recommended to run `voidvault ls \u003ckeymaps|locales|timezones\u003e`\nbefore running `voidvault new` to 
ensure Voidvault types\n`Keymap`, `Locale`, `Timezone` are working properly (see:\n[doc/TROUBLESHOOTING.md](doc/TROUBLESHOOTING.md#voidvault-type-errors)).\n\n**List devices**:\n\n```sh\nvoidvault ls devices\n```\n\n**List keymaps**:\n\n```sh\nvoidvault ls keymaps\n```\n\n**List locales**:\n\n```sh\nvoidvault ls locales\n```\n\n**List timezones**:\n\n```sh\nvoidvault ls timezones\n```\n\n### `voidvault disable-cow`\n\nDisable the Copy-on-Write attribute for Btrfs directories.\n\n```sh\nvoidvault -r disable-cow dest/\n```\n\n\nInstallation\n------------\n\nSee: [INSTALL.md](INSTALL.md).\n\n\nDependencies\n------------\n\nName        | Provides                                                                    | Included in Void ISO³?\n---         | ---                                                                         | ---\nbtrfs-progs | Btrfs support                                                               | Y\ncoreutils   | `chmod`, `chown`, `chroot`, `cp`, `rm`                                      | Y\ncryptsetup  | FDE with LUKS                                                               | Y\ndosfstools  | create VFAT filesystem for UEFI with `mkfs.vfat`                            | Y\ne2fsprogs   | `chattr`                                                                    | Y\nefibootmgr  | UEFI support                                                                | Y\neudev⁴      | `udevadm`                                                                   | Y\nexpect      | interactive command prompt automation                                       | N\nglibc⁵      | libcrypt, locale data in `/usr/share/i18n/locales`                          | Y\ngrub        | FDE on `/boot`, `grub-mkpasswd-pbkdf2`                                      | Y\nkbd         | keymap data in `/usr/share/kbd/keymaps`, `setfont`                          | Y\nkmod        | `modprobe`                                                                  | Y\nmusl⁵       | 
libcrypt                                                                    | Y\nopenssl     | user password salts                                                         | Y\nprocps-ng   | `pkill`                                                                     | Y\nrakudo      | `voidvault` Raku runtime                                                    | N\ntzdata      | timezone data in `/usr/share/zoneinfo/zone1970.tab`                         | Y\nutil-linux  | `blkid`, `hwclock`, `lsblk`, `mkfs`, `mount`, `sfdisk`, `umount`, `unshare` | Y\nxbps        | `xbps-install`, `xbps-query`, `xbps-reconfigure`                            | Y\n\n³: the [official installation medium](https://voidlinux.org/download/)\n\n⁴: 2FA mode only\n\n⁵: glibc or musl\n\n\nOptional Dependencies\n---------------------\n\nName      | Provides                | Included in Void ISO?\n---       | ---                     | ---\ndialog    | ncurses user input menu | Y\n\n`dialog` is needed if you do not provide by cmdline flag or environment\nvariable values for all configuration options aside from:\n\n- `--admin-name`\n- `--admin-pass-hash`\n- `--admin-pass`\n- `--augment`\n- `--chroot-dir`\n- `--disable-ipv6`\n- `--enable-classic-ifnames`\n- `--enable-serial-console`\n- `--grub-name`\n- `--grub-pass-hash`\n- `--grub-pass`\n- `--guest-name`\n- `--guest-pass-hash`\n- `--guest-pass`\n- `--hostname`\n- `--ignore-conf-repos`\n- `--kernel`\n- `--packages`\n- `--repository`\n- `--root-pass-hash`\n- `--root-pass`\n- `--sftp-name`\n- `--sftp-pass-hash`\n- `--sftp-pass`\n- `--vault-name`\n- `--vault-pass`\n- `--vault-key-file`\n- `--vault-cipher`\n- `--vault-hash`\n- `--vault-iter-time`\n- `--vault-key-size`\n- `--vault-offset`\n- `--vault-sector-size`\n\nFor these options, console input is read with either `cryptsetup` or\nthe built-in Raku subroutine `prompt()`.\n\nNo console input is read for configuration options:\n\n- `--admin-pass-hash`\n- `--augment`\n- `--chroot-dir`\n- 
`--disable-ipv6`\n- `--enable-classic-ifnames`\n- `--enable-serial-console`\n- `--grub-pass-hash`\n- `--guest-pass-hash`\n- `--ignore-conf-repos`\n- `--kernel`\n- `--packages`\n- `--repository`\n- `--root-pass-hash`\n- `--sftp-pass-hash`\n- `--vault-key-file`\n- `--vault-cipher`\n- `--vault-hash`\n- `--vault-iter-time`\n- `--vault-key-size`\n- `--vault-offset`\n- `--vault-sector-size`\n\nFor user input of all other options, the `dialog` program is used.\n\n\nLicensing\n---------\n\nThis is free and unencumbered public domain software. For more\ninformation, see http://unlicense.org/ or the accompanying UNLICENSE file.\n\n[550M]: https://wiki.archlinux.org/index.php/EFI_system_partition#Create_the_partition\n[denies console login as root]: https://wiki.archlinux.org/index.php/Security#Denying_console_login_as_root\n[dnscrypt-proxy]: https://wiki.archlinux.org/index.php/DNSCrypt\n[double password entry avoidance]: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Avoiding_having_to_enter_the_passphrase_twice\n[flat layout]: https://btrfs.wiki.kernel.org/index.php/SysadminGuide#Layout\n[GPT]: https://wiki.archlinux.org/index.php/Partitioning#GUID_Partition_Table\n[GRUB]: https://wiki.archlinux.org/index.php/GRUB\n[hidepid]: https://wiki.archlinux.org/index.php/Security#hidepid\n[nftables]: https://wiki.archlinux.org/index.php/nftables\n[nodatacow]: https://wiki.archlinux.org/index.php/Btrfs#Disabling_CoW\n[OpenSSH]: https://wiki.archlinux.org/index.php/Secure_Shell\n[predictable network interface names]: https://systemd.io/PREDICTABLE_INTERFACE_NAMES/\n[protective mount options]: https://www.softpanorama.org/Commercial_linuxes/Security/protective_partitioning_of_the_system.shtml\n[runit]: http://smarden.org/runit\n[Sysctl]: https://wiki.archlinux.org/index.php/Sysctl\n[void-live-i686-20230628-base.iso]: https://repo-default.voidlinux.org/live/current/void-live-i686-20230628-base.iso\n[void-live-x86_64-20230628-base.iso]: 
https://repo-default.voidlinux.org/live/current/void-live-x86_64-20230628-base.iso\n[void-live-x86_64-musl-20230628-base.iso]: https://repo-default.voidlinux.org/live/current/void-live-x86_64-musl-20230628-base.iso\n[Xorg]: https://wiki.archlinux.org/index.php/Xorg\n[zram]: https://www.kernel.org/doc/Documentation/blockdev/zram.txt\n[zramen]: https://github.com/atweiden/zramen\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fatweiden%2Fvoidvault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fatweiden%2Fvoidvault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fatweiden%2Fvoidvault/lists"}