turnkeylinux · JedMeister · May 8, 2026 · May 8, 2026 · May 8, 2026 · May 8, 2026
diff --git a/bin/reboot-ask.py b/bin/reboot-ask.py
@@ -4,6 +4,7 @@
 import sys
 import getopt
 import signal
+import subprocess
 from typing import NoReturn
 
 from libinithooks.dialog_wrapper import Dialog
@@ -22,7 +23,7 @@ def usage(msg: str | getopt.GetoptError = "") -> NoReturn:
     sys.exit(1)
 
 
-def main():
+def main() -> None:
     signal.signal(signal.SIGINT, signal.SIG_IGN)
     try:
         opts, _ = getopt.gnu_getopt(sys.argv[1:], "h", ["help"])
@@ -38,6 +39,7 @@ def main():
 
     if not reboot:
         sys.exit(1)
+    subprocess.run(["/usr/sbin/reboot"])
 
 
 if __name__ == "__main__":

diff --git a/bin/simplehttpd.py b/bin/simplehttpd.py
@@ -1,6 +1,6 @@
 #!/usr/bin/python3
 # Copyright (c) 2012-2015 Liraz Siri <liraz@turnkeylinux.org>
-# Copyright (c) 2015-2021 TurnKey GNU/Linux - https://www.turnkeylinux.org
+# Copyright (c) 2015-2026 TurnKey GNU/Linux - https://www.turnkeylinux.org
 
 """
 Simple HTTP server
@@ -25,6 +25,7 @@
 import os
 from os.path import exists, abspath, isdir, splitext
 from tempfile import NamedTemporaryFile
+import socket
 import sys
 import getopt
 from typing import NoReturn
@@ -110,19 +111,75 @@ def translate_path(self, path: str) -> str:
 class SimpleWebServer:
     class TCPServer(socketserver.ForkingTCPServer):
         allow_reuse_address = True
+        address_family = socket.AF_INET6  # enables IPv6
+
+        def server_bind(self):
+            # Disable IPV6_V6ONLY so the socket accepts IPv4 too (dual-stack)
+            self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
+            super().server_bind()
 
     class HTTPRequestHandler(SecureHTTPRequestHandler):
         ALLOWED_EXTS = ["css", "gif", "html", "js", "png", "jpg", "txt"]
 
     class Address:
         @staticmethod
         def parse_address(address: str) -> tuple[str, int]:
-            if ":" in address:
+            """Parse address and return listening IP & port.
+
+            Accepts a port number or an IP & port string. Supports both IPv4
+            and IPv6.
+
+            Args:
+                address (str):
+                    Port to listen on (integer as a string) or an IP address
+                    (interface) and port to listen on.
+
+                    IP address and port should be separated by a colon (':').
+
+                    IPv6 address should be wrapped in square brakets ('[]').
+
+                    E.g.:
+                        '8080'                  (port only)
+                        '[dead::beef]:8080'     (IPv6 and port)
+                        '123.123.123.123:8080'  (IPv4 and port)
+
+            Returns:
+                tuple[str, int]:
+                    Tuple of IP address (interface) and port.
+
+                    If address=<port-only> then the address will default to
+                    '::' (i.e. all interfaces via IPv4 & IPv6).
+
+            Raises:
+                SimpleWebServerError:
+                    If address is malformed.
+
+            """
+            # Default to all interfaces, IPv4 & IPv6
+            host = "::"
+            # IPv6 with brackets: [::1]:8080
+            if address.startswith("["):
+                try:
+                    bracket_end = address.index("]")
+                except ValueError:
+                    raise SimpleWebServerError(
+                        f"Malformed IPv6 address: '{address}'"
+                        " - expected closing ']'",
+                    )
+                host = address[1:bracket_end]
+                rest = address[bracket_end + 1:]
+                if not rest.startswith(":"):
+                    raise SimpleWebServerError(
+                            f"Malformed address: '{address}'"
+                            " - expected ':port' after ']'",
+                        )
+                _port = rest[1:]
+            # IPv4 or bare port (no brackets, at most one colon)
+            elif address.count(":") == 1:
                 host, _port = address.split(":", 1)
+            # Bare port number only
             else:
-                host = "0.0.0.0"
                 _port = address
-
             try:
                 port = int(_port)
                 assert port > 0 and port < 65535

diff --git a/bin/turnkey-init-fence b/bin/turnkey-init-fence
@@ -19,7 +19,10 @@ iptables_delete_redirect() {
     local to_port=$2
     echo "Removing REDIRECT firewall rule: $dport => $to_port"
     while true; do
-        (2>&1 iptables -t nat -D PREROUTING -p tcp --dport "$dport" -j REDIRECT --to-port "$to_port") > /dev/null || break
+        (2>&1 iptables -t nat -D PREROUTING -p tcp --dport "$dport" -j REDIRECT --to-port "$to_port") \
+            > /dev/null || break
+        (2>&1 ip6tables -t nat -D PREROUTING -p tcp --dport "$dport" -j REDIRECT --to-port "$to_port") \
+            > /dev/null || break
     done
 }
 
@@ -29,14 +32,18 @@ iptables_add_redirect() {
     echo "Adding REDIRECT firewall rule: $dport => $to_port"
     iptables_delete_redirect "$dport" "$to_port"
     iptables -t nat -A PREROUTING -p tcp --dport "$dport" -j REDIRECT --to-port "$to_port"
+    ip6tables -t nat -A PREROUTING -p tcp --dport "$dport" -j REDIRECT --to-port "$to_port"
 }
 
 iptables_unensure_accept() {
     # Used in appliances that have a `filter` policy of `DROP`
     local dport=$1
     echo "Removing ACCEPT firewall rule for fence port: $dport"
     while true; do
-        (2>&1 iptables -t filter -D INPUT -p tcp -m tcp --dport "$dport" -j ACCEPT) > /dev/null || break
+        (2>&1 iptables -t filter -D INPUT -p tcp -m tcp --dport "$dport" -j ACCEPT) \
+            > /dev/null || break
+        (2>&1 ip6tables -t filter -D INPUT -p tcp -m tcp --dport "$dport" -j ACCEPT) \
+            > /dev/null || break
     done
 }
 
@@ -46,6 +53,7 @@ iptables_ensure_accept() {
     echo "Adding ACCEPT firewall rule for fence port: $dport"
     iptables_unensure_accept "$dport"
     iptables -t filter -A INPUT -p tcp -m tcp --dport "$dport" -j ACCEPT
+    ip6tables -t filter -A INPUT -p tcp -m tcp --dport "$dport" -j ACCEPT
 }
 
 iptables_redirect() {

diff --git a/firstboot.d/01ipconfig b/firstboot.d/01ipconfig
@@ -3,6 +3,8 @@
 # firstboot network interfaces file generation - runs non-interactively.
 # - config can be customized via inithooks conf file (i.e. preseed)
 
+# TODO: update to also support ipv6
+
 # shellcheck source=default/inithooks
 source /etc/default/inithooks
 

diff --git a/firstboot.d/05autogrow-fs b/firstboot.d/05autogrow-fs
@@ -1,70 +1,99 @@
 #!/bin/bash
 # auto grow filesystem for block device based appliances - (c) Aug/2014 by Peter Lieven <pl@kamp.de>
 
-[ -n "$_TURNKEY_INIT" ] && exit 0
+[[ -z "$_TURNKEY_INIT" ]] || exit 0
 
-. /etc/default/inithooks
-
-[ -e $INITHOOKS_CONF ] && . $INITHOOKS_CONF
+# shellcheck source=default/inithooks
+source /etc/default/inithooks
+if [[ -e "$INITHOOKS_CONF" ]]; then
+    # shellcheck disable=SC1090
+    source "$INITHOOKS_CONF"
+fi
 
-[ "$AUTOGROW" != "ONCE" ] && [ "$AUTOGROW" != "ALWAYS" ] && exit 0
-[ $(dirname $0) = "/usr/lib/inithooks/everyboot.d" ] && [ "$AUTOGROW" != "ALWAYS" ] && exit 0
+if [[ "$AUTOGROW" != "ONCE" ]] && [[ "$AUTOGROW" != "ALWAYS" ]]; then
+   exit 0
+fi
+if [[ "$(dirname "$0")" == "/usr/lib/inithooks/everyboot.d" ]] \
+    && [[ "$AUTOGROW" != "ALWAYS" ]]; then
+        exit 0
+fi
 
-[ -z "$AUTOGROW_DEV" ] && AUTOGROW_DEV=/dev/vda
-[ -z "$AUTOGROW_PART" ] && AUTOGROW_PART="${AUTOGROW_DEV}2"
-[ -z "$AUTOGROW_FS" ] && AUTOGROW_FS=/dev/turnkey/root
-[ -z "$AUTOGROW_FS_ALWAYS" ] && AUTOGROW_FS_ALWAYS=TRUE
+[[ -n "$AUTOGROW_DEV" ]] || AUTOGROW_DEV=/dev/vda
+[[ -n "$AUTOGROW_PART" ]] || AUTOGROW_PART="${AUTOGROW_DEV}2"
+[[ -n "$AUTOGROW_FS" ]] || AUTOGROW_FS=/dev/turnkey/root
+[[ -n "$AUTOGROW_FS_ALWAYS" ]] || AUTOGROW_FS_ALWAYS=TRUE
 
-DEVSIZE=$(blockdev --getsize $AUTOGROW_DEV)
+DEVSIZE=$(blockdev --getsize "$AUTOGROW_DEV")
 
-[ "0$DEVSIZE" -eq 0 ] && exit 1
+if [[ "0$DEVSIZE" -eq 0 ]]; then
+   exit 1
+fi
 
-PARTINFO=$(sfdisk -d -uS $AUTOGROW_DEV | grep -A1 $AUTOGROW_PART | grep -v $AUTOGROW_PART)
-if [ -n "$PARTINFO" ]; then
- PARTINFO=${PARTINFO/:/ }
- PARTINFO=${PARTINFO//,/ }
- PARTINFO=${PARTINFO//=/ }
- X=$(echo $PARTINFO | grep "start 0 size 0 Id 0")
- [ $? -ne 0 ] && exit 1
+PARTINFO=$(sfdisk -d -uS "$AUTOGROW_DEV" \
+    | grep -A1 "$AUTOGROW_PART" \
+    | grep -v "$AUTOGROW_PART")
+if [[ -n "$PARTINFO" ]]; then
+    PARTINFO=${PARTINFO/:/ }
+    PARTINFO=${PARTINFO//,/ }
+    PARTINFO=${PARTINFO//=/ }
+    if grep -s "start 0 size 0 Id 0" <<<"$PARTINFO"; then
+        exit 1
+    fi
 fi
 
-PARTINFO=$(sfdisk -d -uS $AUTOGROW_DEV | grep $AUTOGROW_PART)
-[ -z "$PARTINFO" ] && exit 1
+PARTINFO=$(sfdisk -d -uS "$AUTOGROW_DEV" | grep "$AUTOGROW_PART")
+if [[ -z "$PARTINFO" ]]; then
+   exit 1
+fi
 
 PARTINFO=${PARTINFO/:/ }
 PARTINFO=${PARTINFO//,/ }
 PARTINFO=${PARTINFO//=/ }
-PARTINFOX=(${PARTINFO})
+PARTINFOX=("${PARTINFO}")
 
-[ "${PARTINFOX[0]}" != "$AUTOGROW_PART" ] && exit 1
-[ "${PARTINFOX[1]}" != "start" ] && exit 1
-[ "${PARTINFOX[3]}" != "size" ] && exit 1
-[ "${PARTINFOX[5]}" != "Id" ] && [ "${PARTINFOX[5]}" != "type" ] && exit 1
+if [[ "${PARTINFOX[0]}" != "$AUTOGROW_PART" ]] \
+    || [[ "${PARTINFOX[1]}" != "start" ]] \
+    || [[ "${PARTINFOX[3]}" != "size" ]]; then
+        exit 1
+fi
+if [[ "${PARTINFOX[5]}" != "Id" ]] && [[ "${PARTINFOX[5]}" != "type" ]]; then
+   exit 1
+fi
 
 START=${PARTINFOX[2]}
 SIZE=${PARTINFOX[4]}
 ID=${PARTINFOX[6]}
 
 [ "$ID" != "8e" ] && exit 1
 
-if [ $((START + SIZE + 65536)) -lt $DEVSIZE ]; then
- [ -e /var/tmp/autogrow.size ] && [ $(cat /var/tmp/autogrow.size) -eq $DEVSIZE ] && exit 1
- echo $DEVSIZE >/var/tmp/autogrow.size
- sfdisk -d -uS $AUTOGROW_DEV | grep "${AUTOGROW_DEV}1" >/tmp/sfdisk.dump
- echo "$AUTOGROW_PART : start= $START, size= $((DEVSIZE - START)), ${PARTINFOX[5]}= $ID">>/tmp/sfdisk.dump
- cat /tmp/sfdisk.dump | sfdisk -uS --no-reread --force $AUTOGROW_DEV
- exit 42
-else
- if [ "$AUTOGROW_FS" != "SKIP" ]; then
-  [ -e /var/tmp/autogrow_fs.size ] && [ $(cat /var/tmp/autogrow_fs.size) -eq $DEVSIZE ] && exit 0
-  echo $DEVSIZE >/var/tmp/autogrow_fs.size
-  pvresize $AUTOGROW_PART
-  [ $(dirname $0) = "/usr/lib/inithooks/everyboot.d" ] && [ "$AUTOGROW_FS_ALWAYS" != "TRUE" ] && exit 0
-  lvextend -l+100%FREE $AUTOGROW_FS 2>/dev/null 
-  ERR=$?
-  [ $ERR -eq 3 ] && exit 0
-  [ $ERR -eq 0 ] && resize2fs $AUTOGROW_FS && touch /forcefsck && exit 42
- fi
+if [[ $((START + SIZE + 65536)) -lt "$DEVSIZE" ]]; then
+    if [[ -e /var/tmp/autogrow.size ]] \
+        && [[ "$(</var/tmp/autogrow.size)" -eq "$DEVSIZE" ]]; then
+            exit 1
+    fi
+    echo "$DEVSIZE" > /var/tmp/autogrow.size
+    sfdisk -d -uS "$AUTOGROW_DEV" | grep "${AUTOGROW_DEV}1" > /tmp/sfdisk.dump
+    echo "$AUTOGROW_PART : start= $START, size= $((DEVSIZE - START)), ${PARTINFOX[5]}= $ID" \
+        >> /tmp/sfdisk.dump
+    sfdisk -uS --no-reread --force "$AUTOGROW_DEV" < /tmp/sfdisk.dump
+    exit 42
+elif [[ "$AUTOGROW_FS" != "SKIP" ]]; then
+    if [[ -e /var/tmp/autogrow_fs.size ]] \
+        && [[ $(</var/tmp/autogrow_fs.size) -eq $DEVSIZE ]]; then
+            exit 0
+    fi
+    echo "$DEVSIZE" > /var/tmp/autogrow_fs.size
+    pvresize "$AUTOGROW_PART"
+    if [[ "$(dirname "$0")" == "/usr/lib/inithooks/everyboot.d" ]] \
+        && [[ "$AUTOGROW_FS_ALWAYS" != "TRUE" ]]; then
+            exit 0
+    fi
+    lvextend -l+100%FREE "$AUTOGROW_FS" 2>/dev/null || ERR=$?
+    if [[ "$ERR" -eq 3 ]]; then
+        exit 0
+    fi
+    if [[ $ERR -eq 0 ]] && resize2fs "$AUTOGROW_FS" && touch /forcefsck; then
+        exit 42
+    fi
 fi
-
 exit 1
diff --git a/firstboot.d/09hostname b/firstboot.d/09hostname
@@ -1,11 +1,14 @@
 #!/bin/bash -e
 # set hostname
 
-. /etc/default/inithooks
+# shellcheck source=default/inithooks
+source /etc/default/inithooks
+if [[ -e "$INITHOOKS_CONF" ]]; then
+    # shellcheck disable=SC1090
+    source "$INITHOOKS_CONF"
+fi
 
-[ -e $INITHOOKS_CONF ] && . $INITHOOKS_CONF
-
-[ -z "$HOSTNAME" ] && exit 0
+[[ -n "$HOSTNAME" ]] || exit 0
 
 old=$(hostname)
 
@@ -24,9 +27,9 @@ for file in \
    /etc/motd \
    /etc/ssmtp/ssmtp.conf
 do
-   [ -f $file ] && sed -i -e "s:$old:$HOSTNAME:g" $file
+    if [[ -f $file ]]; then
+        sed -i -e "s:$old:$HOSTNAME:g" $file
+    fi
 done
 
-hostname $HOSTNAME
-
-exit 0
+hostname "$HOSTNAME"
diff --git a/firstboot.d/10randomize-cronapt b/firstboot.d/10randomize-cronapt
@@ -1,11 +1,11 @@
 #!/bin/bash -e
 # set random hour/minute for security updates (cron-apt)
 
-[ -n "$_TURNKEY_INIT" ] && exit 0
+[[ -z "$_TURNKEY_INIT" ]] || exit 0
 
 # random hour: 0-23, minute: 0-59
-HOUR=$[ ($RANDOM % 23) ]
-MINUTE=$[ ($RANDOM % 59) ]
+HOUR=$(( RANDOM % 23 ))
+MINUTE=$(( RANDOM % 59 ))
 
 cat > /etc/cron.d/cron-apt << EOF
 # cron job for cron-apt package

diff --git a/firstboot.d/10randomize-crontab b/firstboot.d/10randomize-crontab
@@ -1,7 +1,7 @@
 #!/bin/bash
 
-[ ! -e /etc/crontab ] && exit 0
-[ -n "$_TURNKEY_INIT" ] && exit 0
+[[ -e /etc/crontab ]] || exit 0
+[[ -z "$_TURNKEY_INIT" ]] || exit 0
 
 getrnd() {
     echo $(($(hexdump -n 2 -e '"%1u"' /dev/urandom) % $1))
@@ -34,4 +34,3 @@ sed --in-place --regexp-extended \
     --expression="s/47(\s*)6(\s*)\*(\s*)\*(\s*)7(\s*)root/${WEEKLY_MINUTE}\1${WEEKLY_HOUR}\2*\3*\47\5root/g" \
     --expression="s/52(\s*)6(\s*)1(\s*)\*(\s*)\*(\s*)root/${MONTHLY_MINUTE}\1${MONTHLY_HOUR}\21\3*\4*\5root/g" \
     /etc/crontab
-