Integrate encryption-at-rest support

.travis.yml

@@ -36,7 +36,6 @@ jobs:
     script:
       # launch automated tests, but skip tests that require remote
       # smtp support because Travis-CI blocks outgoing port 25
-      - sudo touch /etc/dovecot/sieve-spam.svbin
       - sudo tests/runner.sh -dumpoutput -no-smtp-remote default remote-nextcloud upgrade-basic
 
   # JOB: Upgrade from upstream install
@@ -49,5 +48,4 @@ jobs:
     script:
       # launch automated tests, but skip tests that require remote
       # smtp support because Travis-CI blocks outgoing port 25
-      - sudo touch /etc/dovecot/sieve-spam.svbin
       - sudo tests/runner.sh -dumpoutput -no-smtp-remote default upgrade-basic

ehdd/README.md

@@ -0,0 +1,35 @@
+# Encryption-at-rest support
+
+This directory contains support for encryption-at-rest of the
+user-data directory. Also known as STORAGE_ROOT, the user-data
+directory is typically located at /home/user-data, and is where
+non-system data is stored, like email, ssl certificates, backups, etc.
+
+Encryption-at-rest of STORAGE_ROOT is provided by a LUKS formatted
+hard disk (file) created and stored at /home/user-data.HDD.
+
+To enable encryption-at-rest ON A FRESH INSTALL, you must run
+`ehdd/setup-encrypted.sh` instead of setup/start.sh. This will set
+things up by creating and mounting the encypted disk for
+/home/user-data. Once created and mounted, setup/start.sh is run to
+continue normal setup operation.
+
+At the end of setup, services that utilize /home/user-data will be
+disabled from starting automatically after a reboot (because
+/home/user-data will not have been mounted). Run `ehdd/startup.sh`
+after a reboot to remount the encrypted hard drive and launch the
+disabled services.
+
+Do not forget your encryption passphrase - otherwise your
+/home/user-data files will be unrecoverable!
+
+For a non-interactive install, setting EHDD_GB will create a luks
+drive of that size without prompting, and EHDD_KEYFILE must be set to
+a file containing the encryption key (the file should not have any
+newlines). DO NOT USE A KEYFILE ON A PRODUCTION MACHINE.
+
+To upgrade a system to encryption-at-rest, shut down all services that
+use STORAGE_ROOT (postfix, dovecot, slapd, etc). Rename STORAGE_ROOT
+to something else. Run ehdd/create_hdd.sh, then ehdd/mount.sh. Copy or
+move the contents of the renamed directory to STORAGE_ROOT. Restart
+all services.

ehdd/mount.sh

@@ -3,7 +3,7 @@
 . "ehdd/ehdd_funcs.sh" || exit 1
 
 if [ ! -e "$EHDD_IMG" ]; then
-    echo "Warning: ecrypted HDD not found at $EHDD_IMG, not mounting"
+    echo "No ecrypted HDD not found at $EHDD_IMG, not mounting"
     exit 0
 fi
 

ehdd/shutdown.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+if [ -s /etc/mailinabox.conf ]; then
+    systemctl stop mailinabox
+    systemctl stop nginx
+    systemctl stop php7.2-fpm
+    systemctl stop postfix
+    systemctl stop dovecot
+    systemctl stop cron
+    #systemctl stop nsd
+    [ -x /usr/sbin/slapd ] && systemctl stop slapd
+    systemctl stop fail2ban
+fi
+
+ehdd/umount.sh

ehdd/start-encrypted.sh

@@ -21,13 +21,10 @@ elif [ ! -e "$EHDD_IMG" ]; then
     
 fi
 
-
+setup/start.sh $@
-if ehdd/mount.sh; then
+if [ $? -eq 0 ]; then
-    setup/start.sh $@
+    ehdd/postinstall.sh || exit 1
-    if [ $? -eq 0 ]; then
+else
-        ehdd/postinstall.sh || exit 1
+    echo "setup/start.sh failed"
-    else
-        echo "setup/start.sh failed"
-    fi
 fi
 

setup/start.sh

@@ -27,6 +27,9 @@ export LC_TYPE=en_US.UTF-8
 # Fix so line drawing characters are shown correctly in Putty on Windows. See #744.
 export NCURSES_NO_UTF8_ACS=1
 
+# if encryption-at-rest is enabled, make sure the drive is mounted
+ehdd/mount.sh    
+
 # Recall the last settings used if we're running this a second time.
 if [ -f /etc/mailinabox.conf ]; then
 	# Run any system migrations before proceeding. Since this is a second run,

tests/system-setup/remote-nextcloud-docker.sh

@@ -47,7 +47,7 @@ fi
 init() {
     H1 "INIT"
     init_test_system
-    init_miab_testing || die "Initialization failed"    
+    init_miab_testing || die "Initialization failed"
 }
 
 

tests/system-setup/setup-defaults.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 
 # Used by setup/start.sh
+export PRIMARY_HOSTNAME=${PRIMARY_HOSTNAME:-$(hostname --fqdn || hostname)}
 export NONINTERACTIVE=${NONINTERACTIVE:-1}
 export SKIP_NETWORK_CHECKS=${SKIP_NETWORK_CHECKS:-1}
 export STORAGE_USER="${STORAGE_USER:-user-data}"
@@ -10,11 +11,10 @@ export EMAIL_PW="${EMAIL_PW:-Test_1234}"
 export PUBLIC_IP="${PUBLIC_IP:-$(source ${MIAB_DIR:-.}/setup/functions.sh; get_default_privateip 4)}"
 export LOCAL_MODS_DIR="${LOCAL_MODS_DIR:-local}"
 
-if [ "$TRAVIS" == "true" ]; then
+# Used by ehdd/start-encrypted.sh
-    export PRIMARY_HOSTNAME=${PRIMARY_HOSTNAME:-box.abc.com}
+export EHDD_KEYFILE="${EHDD_KEYFILE:-}"
-elif [ -z "$PRIMARY_HOSTNAME" ]; then
+export EHDD_GB="${EHDD_GB:-2}"
-    export PRIMARY_HOSTNAME=${PRIMARY_HOSTNAME:-$(hostname --fqdn || hostname)}
+
-fi
 
 # Placing this var in STORAGE_ROOT/ldap/miab_ldap.conf before running
 # setup/start.sh will avoid a random password from being used for the

tests/system-setup/setup-funcs.sh

@@ -102,6 +102,17 @@ init_miab_testing() {
         && echo "Error: STORAGE_ROOT not set" 1>&2 \
         && return 1
 
+    # If EHDD_KEYFILE is set, use encryption-at-rest support.  The
+    # drive must be created and mounted so that our QA files can be
+    # copied there.
+    H2 "Encryption-at-rest"
+    if [ ! -z "$EHDD_KEYFILE" ]; then
+        ehdd/create_hdd.sh ${EHDD_GB} || die "create luks drive failed"
+        ehdd/mount.sh || die "unable to mount luks drive"
+    else
+        echo "Not configured for encryption-at-rest"
+    fi
+    
     H2 "QA prerequisites"
     local rc=0
     
@@ -129,6 +140,11 @@ init_miab_testing() {
             echo "LDAP_NEXTCLOUD_PASSWORD=\"$LDAP_NEXTCLOUD_PASSWORD\"" >> $STORAGE_ROOT/ldap/miab_ldap.conf
         fi
     fi
+
+    # now that we've copied our files, unmount STORAGE_ROOT if
+    # encryption-at-rest was enabled
+    ehdd/umount.sh
+    
     return $rc
 }
 
@@ -155,21 +171,42 @@ tag_from_readme() {
 }
 
 
+workaround_dovecot_sieve_bug() {
+    # Workaround a bug in dovecot/sieve that causes attempted sieve
+    # compilation when a compiled sieve has the same date as the
+    # source file. The fialure occurs with miab-installed "spam"
+    # sieve, which can't be recompiled due to the read-only /etc
+    # filesystem restriction in systemd (ProtectSystem=efull is set,
+    # see `systemctl cat dovecot.service`).
+    sleep 1
+    touch /etc/dovecot/sieve-spam.svbin
+}
+
+
 miab_ldap_install() {
     H1 "MIAB-LDAP INSTALL"
     # ensure we're in a MiaB-LDAP working directory
     if [ ! -e setup/ldap.sh ]; then
         die "Cannot install: the working directory is not MiaB-LDAP!"
     fi
+
+    # if EHDD_KEYFILE is set, use encryption-at-rest support
+    if [ ! -z "$EHDD_KEYFILE" ]; then
+        ehdd/start-encrypted.sh
+    else
+        setup/start.sh
+    fi
     
-    if ! setup/start.sh; then
+    if [ $? -ne 0 ]; then
         H1 "OUTPUT OF SELECT FILES"
         dump_file "/var/log/syslog" 100
         dump_conf_files "$TRAVIS"
         H2; H2 "End"; H2
-        die "MiaB-LDAP setup/start.sh failed!"
+        die "MiaB-LDAP setup failed!"
     fi
 
+    workaround_dovecot_sieve_bug
+
     # set actual STORAGE_ROOT, STORAGE_USER, PRIVATE_IP, etc
     . /etc/mailinabox.conf || die "Could not source /etc/mailinabox.conf"
 }

tests/system-setup/upgrade-from-upstream.sh

@@ -88,6 +88,8 @@ upstream_install() {
     fi
     popd >/dev/null
     
+    workaround_dovecot_sieve_bug
+
     H2 "Upstream info"
     echo "Code version: $(git describe)"
     echo "Migration version: $(cat "$STORAGE_ROOT/mailinabox.version")"

tests/vagrant/Vagrantfile

@@ -4,23 +4,42 @@ Vagrant.configure("2") do |config|
   config.vm.synced_folder "../..", "/mailinabox", id: "mailinabox", automount: false
   config.vm.provision "file", source:"globals.sh", destination:"globals.sh"
 
-  # remote-nextcloud-docker
+  # fresh install with encryption-at-rest
 
-  config.vm.define "remote-nextcloud-docker" do |m1|
+  config.vm.define "remote-nextcloud-docker-ehdd" do |m1|
     m1.vm.box = "ubuntu/bionic64"
     m1.vm.provision :shell, :inline => <<-SH
 source globals.sh || exit 1
 export PRIMARY_HOSTNAME=qa1.abc.com
 export FEATURE_MUNIN=false
+export EHDD_KEYFILE=$HOME/keyfile
+echo -n "boo" >$EHDD_KEYFILE
 cd /mailinabox
-if tests/system-setup/remote-nextcloud-docker.sh upgrade basic
+tests/system-setup/remote-nextcloud-docker.sh; rc=$?
-then
+if [ $rc -eq 0 ]; then
-   tests/runner.sh default remote-nextcloud upgrade-basic
+   tests/runner.sh default remote-nextcloud; rc=$?
 fi
-echo "EXITCODE: $?"
+echo "EXITCODE: $rc"
 SH
   end
-  
+
+  # remote-nextcloud-docker w/basic data
+
+  config.vm.define "remote-nextcloud-docker" do |m1|
+    m1.vm.box = "ubuntu/bionic64"
+    m1.vm.provision :shell, :inline => <<-SH
+source globals.sh || exit 1
+export PRIMARY_HOSTNAME=qa2.abc.com
+export FEATURE_MUNIN=false
+cd /mailinabox
+tests/system-setup/remote-nextcloud-docker.sh upgrade basic; rc=$?
+if [ $rc -eq 0 ]; then
+   tests/runner.sh default remote-nextcloud upgrade-basic; rc=$?
+fi
+echo "EXITCODE: $rc"
+SH
+  end
+
 
   # upgrade-from-upstream
   
@@ -28,14 +47,14 @@ SH
     m2.vm.box = "ubuntu/bionic64"
     m2.vm.provision :shell, :inline => <<-SH
 source globals.sh || exit 1
-export PRIMARY_HOSTNAME=qa2.abc.com
+export PRIMARY_HOSTNAME=qa3.abc.com
 export UPSTREAM_TAG=master
 cd /mailinabox
-if tests/system-setup/upgrade-from-upstream.sh basic
+tests/system-setup/upgrade-from-upstream.sh basic; rc=$?
-then
+if [ $rc -eq 0 ]; then
-  tests/runner.sh default upgrade-basic
+   tests/runner.sh default upgrade-basic; rc=$?
 fi
-echo "EXITCODE: $?"
+echo "EXITCODE: $rc"
 SH
   end