Integrate encryption-at-rest support

ehdd/README.md

@@ -0,0 +1,35 @@
+# Encryption-at-rest support
+
+This directory contains support for encryption-at-rest of the
+user-data directory. Also known as STORAGE_ROOT, the user-data
+directory is typically located at /home/user-data, and is where
+non-system data is stored, like email, ssl certificates, backups, etc.
+
+Encryption-at-rest of STORAGE_ROOT is provided by a LUKS formatted
+hard disk (file) created and stored at /home/user-data.HDD.
+
+To enable encryption-at-rest ON A FRESH INSTALL, you must run
+`ehdd/setup-encrypted.sh` instead of setup/start.sh. This will set
+things up by creating and mounting the encypted disk for
+/home/user-data. Once created and mounted, setup/start.sh is run to
+continue normal setup operation.
+
+At the end of setup, services that utilize /home/user-data will be
+disabled from starting automatically after a reboot (because
+/home/user-data will not have been mounted). Run `ehdd/startup.sh`
+after a reboot to remount the encrypted hard drive and launch the
+disabled services.
+
+Do not forget your encryption passphrase - otherwise your
+/home/user-data files will be unrecoverable!
+
+For a non-interactive install, setting EHDD_GB will create a luks
+drive of that size without prompting, and EHDD_KEYFILE must be set to
+a file containing the encryption key (the file should not have any
+newlines). DO NOT USE A KEYFILE ON A PRODUCTION MACHINE.
+
+To upgrade a system to encryption-at-rest, shut down all services that
+use STORAGE_ROOT (postfix, dovecot, slapd, etc). Rename STORAGE_ROOT
+to something else. Run ehdd/create_hdd.sh, then ehdd/mount.sh. Copy or
+move the contents of the renamed directory to STORAGE_ROOT. Restart
+all services.

ehdd/mount.sh

@@ -3,7 +3,7 @@
 . "ehdd/ehdd_funcs.sh" || exit 1
 
 if [ ! -e "$EHDD_IMG" ]; then
-    echo "Warning: ecrypted HDD not found at $EHDD_IMG, not mounting"
+    echo "No ecrypted HDD not found at $EHDD_IMG, not mounting"
     exit 0
 fi
 

ehdd/shutdown.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+if [ -s /etc/mailinabox.conf ]; then
+    systemctl stop mailinabox
+    systemctl stop nginx
+    systemctl stop php7.2-fpm
+    systemctl stop postfix
+    systemctl stop dovecot
+    systemctl stop cron
+    #systemctl stop nsd
+    [ -x /usr/sbin/slapd ] && systemctl stop slapd
+    systemctl stop fail2ban
+fi
+
+ehdd/umount.sh

ehdd/start-encrypted.sh

@@ -21,13 +21,10 @@ elif [ ! -e "$EHDD_IMG" ]; then
     
 fi
 
-
-if ehdd/mount.sh; then
-    setup/start.sh $@
-    if [ $? -eq 0 ]; then
-        ehdd/postinstall.sh || exit 1
-    else
-        echo "setup/start.sh failed"
-    fi
+setup/start.sh $@
+if [ $? -eq 0 ]; then
+    ehdd/postinstall.sh || exit 1
+else
+    echo "setup/start.sh failed"
 fi