path: root/config/chroot_local-hooks/52-update-rc.d
#!/bin/sh

# Abort the hook as soon as any command below fails, so a unit or
# initscript that could not be configured stops the build instead of
# producing an image with a half-configured boot sequence.
set -e

# Initscripts whose runlevel settings we patch. One name per line; the
# list is word-split when it is handed to insserv below.
PATCHED_INITSCRIPTS="
alsa-utils
gdomap
haveged
hdparm
hwclock.sh
i2p
kexec-load
laptop-mode
memlockd
saned
spice-vdagent
tor
ttdnsd
"

# Initscripts of our own that need registering (currently none).
CUSTOM_INITSCRIPTS="
"

printf '%s\n' "Configuring boot sequence"

# The runlevel patches reach the chroot only after the packages have been
# installed, so the registrations made at install time predate them.
# Drop those registrations first; they are re-created just below with
# our settings.
# The variable is left unquoted on purpose: insserv needs one argument
# per script name.
# shellcheck disable=SC2086
insserv -r $PATCHED_INITSCRIPTS

# Register the overridden initscripts again, together with our custom ones.
# shellcheck disable=SC2086
insserv $PATCHED_INITSCRIPTS $CUSTOM_INITSCRIPTS

### Tweak systemd unit files

# memlockd has to be enabled by hand: workaround for
# https://bugs.debian.org/714957
systemctl enable memlockd.service

# Enable our own system-level unit files. Each unit gets its own
# systemctl call, so with `set -e` in effect the build stops at the
# first unit that cannot be enabled.
# NOTE(review): tails-autotest-remote-shell.service is enabled in every
# image built with this hook; nothing here restricts it to test builds,
# so any gating has to live in the unit or the program it starts --
# confirm when auditing.
for unit in \
   tails-autotest-remote-shell.service \
   tails-reconfigure-kexec.service \
   tails-reconfigure-memlockd.service \
   tails-sdmem-on-media-removal.service \
   tails-set-wireless-devices-state.service \
   tails-tor-has-bootstrapped.target \
   tails-wait-until-tor-has-bootstrapped.service \
   tails-tor-has-bootstrapped-flag-file.service \
   tor-controlport-filter.service
do
   systemctl enable "$unit"
done

# Enable our own user-level unit files. `--global` writes the enablement
# to the global user configuration, i.e. for every user's session.
# tails-wait-until-tor-has-bootstrapped.service is listed here as well as
# above: the system unit and the user unit share the same name.
for unit in \
   tails-add-GNOME-bookmarks.service \
   tails-configure-keyboard.service \
   tails-create-tor-browser-directories.service \
   tails-security-check.service \
   tails-upgrade-frontend.service \
   tails-virt-notify-user.service \
   tails-wait-until-tor-has-bootstrapped.service
do
   systemctl --global enable "$unit"
done

# cupsd is reached through socket activation only, which delays its
# startup. In practice, on Jessie, cupsd then starts while the GNOME
# session initializes, and that is late enough: the persistent /etc/cups
# has been mounted by then.
# XXX: make sure it's the case on Stretch, adjust if not.
systemctl disable cups.service
systemctl enable cups.socket

# NetworkManager, Tor and ttdnsd are started by us, not by the boot
# sequence.
# tor.service is disabled rather than tor@default.service because it is
# an important goal that Tor never starts before the user has had a
# chance to choose to start it in an obfuscated way: should some other
# package enable tor@whatever.service someday, disabling tor.service
# disables that instance too, whereas disabling tor@default.service
# would not.
# NOTE(review): `disable` only removes the boot-time enablement. The
# units can still be started explicitly, which is what we rely on here,
# but also as a dependency of another unit -- keep that in mind when
# adding units that reference them.
for unit in \
   tor.service \
   NetworkManager.service \
   NetworkManager-wait-online.service \
   ttdnsd.service
do
   systemctl disable "$unit"
done

# Services we do not run by default.
for unit in gdomap.service hdparm.service i2p.service ; do
   systemctl disable "$unit"
done

# Mask the plymouth units tied to shutdown-type actions, so that an
# empty splash screen does not hide tails-kexec's shutdown messages.
for action in halt kexec poweroff reboot shutdown ; do
   systemctl mask "plymouth-${action}.service"
done

# systemd-networkd falls back to Google's nameservers when the network
# configuration provides no other nameserver. In Jessie the service is
# disabled by default, but making that explicit feels safer. Besides,
# the ordering of systemd-networkd vs. the firewall setup might be
# suboptimal in this respect, so masking the unit avoids any risk of DNS
# leaks: a masked unit cannot be started at all, whether by hand or as a
# dependency.
systemctl mask systemd-networkd.service

# The system clock must not be written back to the hardware clock on
# shutdown.
systemctl mask hwclock-save.service

# timesyncd must not run: we have our own time synchronization mechanism.
systemctl mask systemd-timesyncd.service

# Unmute and sanitize mixer levels at boot time, using the legacy
# alsa-utils initscript. On Jessie `systemctl unmask` does not support
# initscripts, so the unmasking is done by hand: the packaged
# alsa-utils.service is diverted to a .orig name (presumably it is what
# masks the initscript -- confirm against the package).
dpkg-divert --add --rename \
   --divert /lib/systemd/system/alsa-utils.service.orig \
   /lib/systemd/system/alsa-utils.service

# The ALSA state store/restore systemd services lack the mixer level
# unmuting/sanitizing, so they are masked in favour of the initscript.
for unit in alsa-restore.service alsa-state.service alsa-store.service ; do
   systemctl mask "$unit"
done