Initial commit to support a luks formatted partition holding user-data.

See #1340. Run setup/start-encrypted.sh instead of setup/start.sh. After reboots, login to your box and run tools/startup.sh.
2025-04-05 00:27:25 +00:00 · 2020-01-20 12:26:50 -05:00 · 2020-01-20 12:26:50 -05:00 · 42d471ba7f
commit 42d471ba7f
parent a67f90593d
6 changed files with 175 additions and 0 deletions
--- a/setup/ehdd/create_hdd.sh
+++ b/setup/ehdd/create_hdd.sh
@ -0,0 +1,48 @@
+#!/bin/bash
+if [ -s /etc/mailinabox.conf ]; then
+    source /etc/mailinabox.conf
+    [ $? -eq 0 ] || exit 1
+else
+    STORAGE_ROOT="/home/${STORAGE_USER:-user-data}"
+fi
+
+EHDD_IMG="$STORAGE_ROOT.HDD"
+EHDD_SIZE_GB="$1"
+MOUNTPOINT="$STORAGE_ROOT"
+
+if [ "$1" == "" ]; then
+    echo "usage: $0 <size-in-gb>"
+    echo -n "  hdd image location: $EHDD_IMG"
+    if [ -e "$EHDD_IMG" ]; then echo " (exists)"; else echo ""; fi
+    exit 1
+elif [ "$1" == "-location" ]; then
+    echo "$EHDD_IMG"
+    exit 0
+elif [ "$1" == "-mountpoint" ]; then
+    echo "$MOUNTPOINT"
+    exit 0
+fi
+
+
+if [ ! -e "$EHDD_IMG" ]; then
+    echo "Creating ${EHDD_SIZE_GB}G encryped drive: $EHDD_IMG"
+    let count="$EHDD_SIZE_GB * 1024"
+    [ $count -eq 0 ] && echo "Invalid size" && exit 1
+    apt-get -q=2 -y install cryptsetup || exit 1
+    dd if=/dev/zero of="$EHDD_IMG" bs=1M count=$count || exit 1
+    losetup /dev/loop0 "$EHDD_IMG" || exit 1
+    if ! cryptsetup luksFormat -i 15000 /dev/loop0; then
+        losetup -d /dev/loop0
+        rm -f "$EHDD_IMG"
+        exit 1
+    fi
+    echo ""
+    echo "NOTE: You will need to reenter your drive encryption password a number of times"
+    cryptsetup luksOpen /dev/loop0 c1  # map device to /dev/mapper/c1
+    mke2fs -j /dev/mapper/c1
+    cryptsetup luksClose c1
+    losetup -d /dev/loop0
+else
+    echo "$EHDD_IMG already exists..."
+    exit 1
+fi
--- a/setup/ehdd/mount.sh
+++ b/setup/ehdd/mount.sh
@ -0,0 +1,31 @@
+#!/bin/bash
+
+hdd="$(setup/ehdd/create_hdd.sh -location)"
+mountpoint="$(setup/ehdd/create_hdd.sh -mountpoint)"
+
+if [ ! -e "$hdd" ]; then
+    echo "NOTE: ecrypted HDD not found at $hdd, not mounting"
+    exit 0
+fi
+
+if mount | grep "^/dev/mapper/c1 on $mountpoint" >/dev/null; then
+    echo "$hdd already mounted"
+    exit 0
+fi
+
+losetup /dev/loop0 "$hdd" || exit 1
+# map device to /dev/mapper/c1
+cryptsetup luksOpen /dev/loop0 c1
+code=$?
+if [ $code -ne 0 ]; then
+    echo "luksOpen failed ($code) - is $hdd luks formatted?"
+    losetup -d /dev/loop0
+    exit 1
+fi
+
+if [ ! -e "$mountpoint" ]; then
+   echo "Creating mount point directory: $mountpoint"
+   mkdir -p "$mountpoint" || exit 1
+fi
+mount /dev/mapper/c1 "$mountpoint" || exit 1
+echo "Success: mounted $mountpoint"
--- a/setup/ehdd/postinstall.sh
+++ b/setup/ehdd/postinstall.sh
@ -0,0 +1,40 @@
+#!/bin/bash
+
+EHDD_IMG="$(setup/ehdd/create_hdd.sh -location)"
+if [ -e "$EHDD_IMG" ]; then
+    
+    if [ -s /etc/mailinabox.conf ]; then
+        echo ""
+        echo "** Disabling system services **"
+        systemctl disable postfix
+        systemctl disable dovecot
+        systemctl disable cron
+        systemctl disable nginx
+        systemctl disable php7.2-fpm
+        systemctl disable mailinabox
+        systemctl disable fail2ban
+        #systemctl disable nsd
+        [ -x /usr/sbin/slapd ] && systemctl disable slapd
+
+        echo ""
+        echo "IMPORTANT:"
+        echo "    Services have been disabled at startup because the encrypted HDD will"
+        echo "    be unavailable. Run tools/startup.sh after a reboot."
+    fi
+
+fi
+
+# run local modifications
+h=$(hostname --fqdn 2>/dev/null || hostname)
+count=0
+for d in local/mods.sh local/mods-${h}.sh; do
+    if [ -e $d ]; then
+        let count+=1
+        if ! ./$d; then
+            echo "Local modification script $d failed"
+            exit 1
+        fi
+    fi
+done
+
+
--- a/setup/ehdd/umount.sh
+++ b/setup/ehdd/umount.sh
@ -0,0 +1,11 @@
+#!/bin/bash
+
+mountpoint="$(setup/ehdd/create_hdd.sh -mountpoint)"
+
+if ! mount | grep "$mountpoint" >/dev/null; then
+    # not mounted
+    exit 0
+fi
+umount "$mountpoint" || exit 1
+cryptsetup luksClose c1
+losetup -d /dev/loop0
--- a/setup/start-encrypted.sh
+++ b/setup/start-encrypted.sh
@ -0,0 +1,29 @@
+#!/bin/bash
+EHDD_IMG="$(setup/ehdd/create_hdd.sh -location)"
+
+[ -e /etc/mailinabox.conf ] && . /etc/mailinabox.conf
+
+if [ ! -e "$EHDD_IMG" -a ! -z "$STORAGE_ROOT" -a \
+       -e "$STORAGE_ROOT/ssl/ssl_private_key.pem" ]; then
+    
+    echo "System installed without encryption-at-rest"
+
+elif [ ! -e "$EHDD_IMG" ]; then
+    
+    echo "Creating a new encrypted HDD."
+    echo -n "How big should it be? Enter a number in gigabytes: "
+    read gb
+    setup/ehdd/create_hdd.sh "$gb" || exit 1
+    
+fi
+
+
+if setup/ehdd/mount.sh; then
+    setup/start.sh $@
+    if [ $? -eq 0 ]; then
+        setup/ehdd/postinstall.sh || exit 1
+    else
+        echo "setup/start.sh failed"
+    fi
+fi
+
--- a/tools/startup.sh
+++ b/tools/startup.sh
@ -0,0 +1,16 @@
+#!/bin/bash
+setup/ehdd/mount.sh || exit 1
+
+if [ -s /etc/mailinabox.conf ]; then
+    [ -x /usr/sbin/slapd ] && systemctl start slapd
+    systemctl start php7.2-fpm
+    systemctl start dovecot
+    systemctl start postfix
+    systemctl start nginx
+    systemctl start cron
+    #systemctl start nsd
+    systemctl link -f $HOME/mailinabox/conf/mailinabox.service
+    systemctl start mailinabox
+    systemctl start fail2ban
+fi
+