Integrate encryption-at-rest support

tests/system-setup/remote-nextcloud-docker.sh

@@ -47,7 +47,7 @@ fi
 init() {
     H1 "INIT"
     init_test_system
-    init_miab_testing || die "Initialization failed"    
+    init_miab_testing || die "Initialization failed"
 }
 
 

tests/system-setup/setup-defaults.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 
 # Used by setup/start.sh
+export PRIMARY_HOSTNAME=${PRIMARY_HOSTNAME:-$(hostname --fqdn || hostname)}
 export NONINTERACTIVE=${NONINTERACTIVE:-1}
 export SKIP_NETWORK_CHECKS=${SKIP_NETWORK_CHECKS:-1}
 export STORAGE_USER="${STORAGE_USER:-user-data}"
@@ -10,11 +11,10 @@ export EMAIL_PW="${EMAIL_PW:-Test_1234}"
 export PUBLIC_IP="${PUBLIC_IP:-$(source ${MIAB_DIR:-.}/setup/functions.sh; get_default_privateip 4)}"
 export LOCAL_MODS_DIR="${LOCAL_MODS_DIR:-local}"
 
-if [ "$TRAVIS" == "true" ]; then
-    export PRIMARY_HOSTNAME=${PRIMARY_HOSTNAME:-box.abc.com}
-elif [ -z "$PRIMARY_HOSTNAME" ]; then
-    export PRIMARY_HOSTNAME=${PRIMARY_HOSTNAME:-$(hostname --fqdn || hostname)}
-fi
+# Used by ehdd/start-encrypted.sh
+export EHDD_KEYFILE="${EHDD_KEYFILE:-}"
+export EHDD_GB="${EHDD_GB:-2}"
+
 
 # Placing this var in STORAGE_ROOT/ldap/miab_ldap.conf before running
 # setup/start.sh will avoid a random password from being used for the

tests/system-setup/setup-funcs.sh

@@ -102,6 +102,17 @@ init_miab_testing() {
         && echo "Error: STORAGE_ROOT not set" 1>&2 \
         && return 1
 
+    # If EHDD_KEYFILE is set, use encryption-at-rest support.  The
+    # drive must be created and mounted so that our QA files can be
+    # copied there.
+    H2 "Encryption-at-rest"
+    if [ ! -z "$EHDD_KEYFILE" ]; then
+        ehdd/create_hdd.sh ${EHDD_GB} || die "create luks drive failed"
+        ehdd/mount.sh || die "unable to mount luks drive"
+    else
+        echo "Not configured for encryption-at-rest"
+    fi
+    
     H2 "QA prerequisites"
     local rc=0
     
@@ -129,6 +140,11 @@ init_miab_testing() {
             echo "LDAP_NEXTCLOUD_PASSWORD=\"$LDAP_NEXTCLOUD_PASSWORD\"" >> $STORAGE_ROOT/ldap/miab_ldap.conf
         fi
     fi
+
+    # now that we've copied our files, unmount STORAGE_ROOT if
+    # encryption-at-rest was enabled
+    ehdd/umount.sh
+    
     return $rc
 }
 
@@ -155,21 +171,42 @@ tag_from_readme() {
 }
 
 
+workaround_dovecot_sieve_bug() {
+    # Workaround a bug in dovecot/sieve that causes attempted sieve
+    # compilation when a compiled sieve has the same date as the
+    # source file. The fialure occurs with miab-installed "spam"
+    # sieve, which can't be recompiled due to the read-only /etc
+    # filesystem restriction in systemd (ProtectSystem=efull is set,
+    # see `systemctl cat dovecot.service`).
+    sleep 1
+    touch /etc/dovecot/sieve-spam.svbin
+}
+
+
 miab_ldap_install() {
     H1 "MIAB-LDAP INSTALL"
     # ensure we're in a MiaB-LDAP working directory
     if [ ! -e setup/ldap.sh ]; then
         die "Cannot install: the working directory is not MiaB-LDAP!"
     fi
+
+    # if EHDD_KEYFILE is set, use encryption-at-rest support
+    if [ ! -z "$EHDD_KEYFILE" ]; then
+        ehdd/start-encrypted.sh
+    else
+        setup/start.sh
+    fi
     
-    if ! setup/start.sh; then
+    if [ $? -ne 0 ]; then
         H1 "OUTPUT OF SELECT FILES"
         dump_file "/var/log/syslog" 100
         dump_conf_files "$TRAVIS"
         H2; H2 "End"; H2
-        die "MiaB-LDAP setup/start.sh failed!"
+        die "MiaB-LDAP setup failed!"
     fi
 
+    workaround_dovecot_sieve_bug
+
     # set actual STORAGE_ROOT, STORAGE_USER, PRIVATE_IP, etc
     . /etc/mailinabox.conf || die "Could not source /etc/mailinabox.conf"
 }

tests/system-setup/upgrade-from-upstream.sh

@@ -88,6 +88,8 @@ upstream_install() {
     fi
     popd >/dev/null
     
+    workaround_dovecot_sieve_bug
+
     H2 "Upstream info"
     echo "Code version: $(git describe)"
     echo "Migration version: $(cat "$STORAGE_ROOT/mailinabox.version")"