diff --git a/setup/ehdd/create_hdd.sh b/setup/ehdd/create_hdd.sh
new file mode 100755
index 00000000..2a5e1fdf
--- /dev/null
+++ b/setup/ehdd/create_hdd.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+if [ -s /etc/mailinabox.conf ]; then
+ source /etc/mailinabox.conf
+ [ $? -eq 0 ] || exit 1
+else
+ STORAGE_ROOT="/home/${STORAGE_USER:-user-data}"
+fi
+
+EHDD_IMG="$STORAGE_ROOT.HDD"
+EHDD_SIZE_GB="$1"
+MOUNTPOINT="$STORAGE_ROOT"
+
+if [ "$1" == "" ]; then
+ echo "usage: $0 "
+ echo -n " hdd image location: $EHDD_IMG"
+ if [ -e "$EHDD_IMG" ]; then echo " (exists)"; else echo ""; fi
+ exit 1
+elif [ "$1" == "-location" ]; then
+ echo "$EHDD_IMG"
+ exit 0
+elif [ "$1" == "-mountpoint" ]; then
+ echo "$MOUNTPOINT"
+ exit 0
+fi
+
+
+if [ ! -e "$EHDD_IMG" ]; then
+ echo "Creating ${EHDD_SIZE_GB}G encryped drive: $EHDD_IMG"
+ let count="$EHDD_SIZE_GB * 1024"
+ [ $count -eq 0 ] && echo "Invalid size" && exit 1
+ apt-get -q=2 -y install cryptsetup || exit 1
+ dd if=/dev/zero of="$EHDD_IMG" bs=1M count=$count || exit 1
+ losetup /dev/loop0 "$EHDD_IMG" || exit 1
+ if ! cryptsetup luksFormat -i 15000 /dev/loop0; then
+ losetup -d /dev/loop0
+ rm -f "$EHDD_IMG"
+ exit 1
+ fi
+ echo ""
+ echo "NOTE: You will need to reenter your drive encryption password a number of times"
+ cryptsetup luksOpen /dev/loop0 c1 # map device to /dev/mapper/c1
+ mke2fs -j /dev/mapper/c1
+ cryptsetup luksClose c1
+ losetup -d /dev/loop0
+else
+ echo "$EHDD_IMG already exists..."
+ exit 1
+fi
diff --git a/setup/ehdd/mount.sh b/setup/ehdd/mount.sh
new file mode 100755
index 00000000..2c9bd90f
--- /dev/null
+++ b/setup/ehdd/mount.sh
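Review bot: `let count="$EHDD_SIZE_GB * 1024"` hands the caller-supplied size to bash arithmetic evaluation, which is an expression-evaluation sink rather than a number parse, and the only check that follows is `[ $count -eq 0 ]`, so anything that is not a plain integer reaches `let` unvalidated. Validate the argument before it is used, e.g. `[[ "$EHDD_SIZE_GB" =~ ^[1-9][0-9]*$ ]] || { echo "Invalid size" >&2; exit 1; }` and then `count=$((EHDD_SIZE_GB * 1024))`. Separately, `cryptsetup luksOpen /dev/loop0 c1` is not status-checked before `mke2fs -j /dev/mapper/c1` (mount.sh does check the same call), and `/dev/loop0` and `c1` are fixed names shared with mount.sh and umount.sh, so a loop0 that is already attached makes `losetup` fail here after `dd` has already written the image, which is then left on disk; `losetup -f --show` would allocate a free device instead. The image created by `dd` inherits the process umask, so a `umask 077` before it, or an explicit chmod on `$EHDD_IMG`, is a reasonable hardening step even though the contents are LUKS-encrypted.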
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+hdd="$(setup/ehdd/create_hdd.sh -location)"
+mountpoint="$(setup/ehdd/create_hdd.sh -mountpoint)"
+
+if [ ! -e "$hdd" ]; then
+ echo "NOTE: ecrypted HDD not found at $hdd, not mounting"
+ exit 0
+fi
+
+if mount | grep "^/dev/mapper/c1 on $mountpoint" >/dev/null; then
+ echo "$hdd already mounted"
+ exit 0
+fi
+
+losetup /dev/loop0 "$hdd" || exit 1
+# map device to /dev/mapper/c1
+cryptsetup luksOpen /dev/loop0 c1
+code=$?
+if [ $code -ne 0 ]; then
+ echo "luksOpen failed ($code) - is $hdd luks formatted?"
+ losetup -d /dev/loop0
+ exit 1
+fi
+
+if [ ! -e "$mountpoint" ]; then
+ echo "Creating mount point directory: $mountpoint"
+ mkdir -p "$mountpoint" || exit 1
+fi
+mount /dev/mapper/c1 "$mountpoint" || exit 1
+echo "Success: mounted $mountpoint"
diff --git a/setup/ehdd/postinstall.sh b/setup/ehdd/postinstall.sh
new file mode 100755
index 00000000..b5fe3b45
--- /dev/null
+++ b/setup/ehdd/postinstall.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+EHDD_IMG="$(setup/ehdd/create_hdd.sh -location)"
+if [ -e "$EHDD_IMG" ]; then
+
+ if [ -s /etc/mailinabox.conf ]; then
+ echo ""
+ echo "** Disabling system services **"
+ systemctl disable postfix
+ systemctl disable dovecot
+ systemctl disable cron
+ systemctl disable nginx
+ systemctl disable php7.2-fpm
+ systemctl disable mailinabox
+ systemctl disable fail2ban
+ #systemctl disable nsd
+ [ -x /usr/sbin/slapd ] && systemctl disable slapd
+
+ echo ""
+ echo "IMPORTANT:"
+ echo " Services have been disabled at startup because the encrypted HDD will"
+ echo " be unavailable. Run tools/startup.sh after a reboot."
+ fi
+
+fi
+
+# run local modifications
+h=$(hostname --fqdn 2>/dev/null || hostname)
+count=0
+for d in local/mods.sh local/mods-${h}.sh; do
+ if [ -e $d ]; then
+ let count+=1
+ if ! ./$d; then
+ echo "Local modification script $d failed"
+ exit 1
+ fi
+ fi
+done
+
+
diff --git a/setup/ehdd/umount.sh b/setup/ehdd/umount.sh
new file mode 100755
index 00000000..2a6ea3ef
--- /dev/null
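Review bot: The already-mounted test `mount | grep "^/dev/mapper/c1 on $mountpoint"` uses `$mountpoint` as an unanchored regex, so a mount at a longer path sharing the prefix matches, and a path containing regex metacharacters may not; `findmnt -n -M "$mountpoint" >/dev/null` tests the exact mount point, and umount.sh's `grep "$mountpoint"` has the same problem without even the leading `^`. Before that, `hdd` and `mountpoint` come from running `setup/ehdd/create_hdd.sh` by relative path, so if the script is invoked from somewhere other than the repository root both are presumably empty, `[ ! -e "$hdd" ]` is then true, and the script exits 0 with "not found, not mounting", which start-encrypted.sh treats as success and goes on to run `setup/start.sh` with nothing mounted at the storage root; a guard such as `[ -n "$hdd" ] && [ -n "$mountpoint" ] || exit 1` after the two assignments turns that into an error. Also, if `mkdir -p` or `mount` fails after `luksOpen` succeeded, the script exits without `cryptsetup luksClose c1; losetup -d /dev/loop0`, unlike the luksOpen failure branch, so the next run fails at `losetup` with the mapping still open. The fixed `/dev/loop0`/`c1` names are shared with create_hdd.sh and umount.sh, which is fine as long as it is stated in a comment.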
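Review bot: In the local-modifications loop, `$d` is unquoted in `[ -e $d ]` and `./$d`, and the second candidate `local/mods-${h}.sh` is built from `hostname --fqdn`, which can consult the resolver, so the name of a script that is then executed as root is partly derived from host-name resolution; quote it (`[ -e "$d" ]`, `./"$d"`) and reject a value of `h` that does not match `^[A-Za-z0-9.-]+$` before building the path so the lookup stays inside `local/`. `count` is incremented with `let count+=1` but never read afterwards, so it can be dropped. The relative paths (`setup/ehdd/create_hdd.sh`, `local/`) assume the repository root as the working directory, as the sibling scripts do; a one-line comment at the top stating that requirement would help whoever wires this into a unit or cron job. The hard-coded `php7.2-fpm` unit name is duplicated in tools/startup.sh, so a release-specific change has to be made in two places.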
+++ b/setup/ehdd/umount.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+mountpoint="$(setup/ehdd/create_hdd.sh -mountpoint)"
+
+if ! mount | grep "$mountpoint" >/dev/null; then
+ # not mounted
+ exit 0
+fi
+umount "$mountpoint" || exit 1
+cryptsetup luksClose c1
+losetup -d /dev/loop0
diff --git a/setup/start-encrypted.sh b/setup/start-encrypted.sh
new file mode 100755
index 00000000..131e6067
--- /dev/null
+++ b/setup/start-encrypted.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+EHDD_IMG="$(setup/ehdd/create_hdd.sh -location)"
+
+[ -e /etc/mailinabox.conf ] && . /etc/mailinabox.conf
+
+if [ ! -e "$EHDD_IMG" -a ! -z "$STORAGE_ROOT" -a \
+ -e "$STORAGE_ROOT/ssl/ssl_private_key.pem" ]; then
+
+ echo "System installed without encryption-at-rest"
+
+elif [ ! -e "$EHDD_IMG" ]; then
+
+ echo "Creating a new encrypted HDD."
+ echo -n "How big should it be? Enter a number in gigabytes: "
+ read gb
+ setup/ehdd/create_hdd.sh "$gb" || exit 1
+
+fi
+
+
+if setup/ehdd/mount.sh; then
+ setup/start.sh $@
+ if [ $? -eq 0 ]; then
+ setup/ehdd/postinstall.sh || exit 1
+ else
+ echo "setup/start.sh failed"
+ fi
+fi
+
diff --git a/tools/startup.sh b/tools/startup.sh
new file mode 100755
index 00000000..b9e18007
--- /dev/null
+++ b/tools/startup.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+setup/ehdd/mount.sh || exit 1
+
+if [ -s /etc/mailinabox.conf ]; then
+ [ -x /usr/sbin/slapd ] && systemctl start slapd
+ systemctl start php7.2-fpm
+ systemctl start dovecot
+ systemctl start postfix
+ systemctl start nginx
+ systemctl start cron
+ #systemctl start nsd
+ systemctl link -f $HOME/mailinabox/conf/mailinabox.service
+ systemctl start mailinabox
+ systemctl start fail2ban
+fi
+
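Review bot: `cryptsetup luksClose c1` and `losetup -d /dev/loop0` at the end are not status-checked, so if either fails the mapping or the loop device stays attached while the script still exits 0 and a later mount.sh run then fails at `losetup`; append `|| exit 1` to both lines. The is-mounted test is an unanchored substring match on `$mountpoint` (the same issue as in mount.sh), so it can report "mounted" for a different mount with the same prefix and then fail at `umount`, or miss the real mount and skip the teardown entirely; `findmnt -n -M "$mountpoint"` checks the exact mount point. The script is silent on success, unlike mount.sh, so a closing `echo "Unmounted $mountpoint"` would make logs symmetric.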
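Review bot: When `setup/start.sh` fails, the `else` branch only echoes `setup/start.sh failed` and falls out of the `if`, so the script's exit status is that of the `echo` and a caller cannot tell that setup did not complete; make it `echo "setup/start.sh failed" >&2; exit 1`. `setup/start.sh $@` should be `setup/start.sh "$@"` so arguments containing spaces survive, and `read gb` should be `read -r gb`; the value typed here is passed straight to create_hdd.sh, which currently feeds it to bash arithmetic, so checking that it is a positive integer in at least one of the two scripts is needed. The test `[ ! -e "$EHDD_IMG" -a ! -z "$STORAGE_ROOT" -a \ -e ... ]` uses the deprecated `-a`; `[ ! -e "$EHDD_IMG" ] && [ -n "$STORAGE_ROOT" ] && [ -e "$STORAGE_ROOT/ssl/ssl_private_key.pem" ]` is the unambiguous form. Note also that this file sources /etc/mailinabox.conf on `-e` while create_hdd.sh requires `-s`; harmless, but inconsistent.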
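Review bot: `systemctl link -f $HOME/mailinabox/conf/mailinabox.service` is unquoted and depends on the `$HOME` of whoever runs the script, which under sudo may be root's or the invoking user's home depending on configuration, so the unit may be linked from a different checkout or not at all, and the link result is not checked before `systemctl start mailinabox`. Deriving the path from the script's own location, e.g. `unit="$(dirname "$(readlink -f "$0")")/../conf/mailinabox.service"` followed by `systemctl link -f "$unit" || exit 1`, removes the dependency on the caller's environment. The start list here mirrors the disable list in setup/ehdd/postinstall.sh (same units, same `php7.2-fpm` pin, same commented-out nsd), so a comment pointing at the other file, or a shared list both source, would keep the two from drifting; none of the `systemctl start` calls are status-checked either, so a failed unit is only visible in the journal.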