A suite to mollyguard your server to prevent accidental shutdowns, reboots, suspends etc. and to auto-decrypt a potential LUKS root volume on boot.
mollyguardctl is configured via /etc/mollyguardctl.conf.
unitsA space-seperated list of systemd units to mask. Defaults to the default units (see below).hostnameSpecifies whether to prompt for the host name. Defaults to:true.systemctlThe systemctl binary to use. Defaults to/usr/bin/systemctl.cryptsetupThe cryptsetup binary to use. Defaults to/usr/bin/cryptsetup.
The section LUKS is used to configure auto-decryption for the respective LUKS volume after reboot.
deviceThe LUKS device to auto-decrypt after reboot.keyfileThe LUKS key file to populate with random bytes.keysizeThe size of the LUKS key file. Defaults to 2048.
You will need the kernel parameters cryptdevice= and keyfile= to be set accordingly for this to work.
If not configured otherwise the following units will be masked by mollyguardctl:
halt.targethibernate.targetpoweroff.targetreboot.targetshutdown.targetsuspend.targetsuspend-then-hibernate.target
Start and enable mollyguard.service. On systems with / encrypted also start and enable clear-luks-autodecrypt-key.service.
To reboot the system then, use mollyguardctl reboot.