Fixes #17: start services after unattended upgrades

conf/ehdd-unattended-upgrades-after.path

@@ -0,0 +1,9 @@
+[Unit]
+Description=Monitor unattended upgrades and ensure ehdd services are started after upgrades
+
+[Path]
+PathModified=/var/lib/apt/periodic/unattended-upgrades-stamp
+Unit=ehdd-unattended-upgrades-after.service
+
+[Install]
+WantedBy=paths.target

conf/ehdd-unattended-upgrades-after.service

@@ -0,0 +1,7 @@
+[Unit]
+Description=Starts ehdd services
+
+[Service]
+Type=oneshot
+WorkingDirectory=<INSTALL_ROOT>
+ExecStart=<INSTALL_ROOT>/ehdd/run-this-after-reboot.sh --no-mount

ehdd/ehdd_funcs.sh

@@ -50,3 +50,12 @@ is_mounted() {
         return 1
     fi
 }
+
+system_installed_with_encryption_at_rest() {
+    # must be mounted!
+    if [ -e "$EHDD_IMG" -a ! -z "$STORAGE_ROOT" -a \
+            -e "$STORAGE_ROOT/ssl/ssl_private_key.pem" ]; then
+        return 0
+    fi
+    return 1
+}

ehdd/postinstall.sh

@@ -11,28 +11,25 @@
 
 . "ehdd/ehdd_funcs.sh" || exit 1
 
-if [ -e "$EHDD_IMG" ]; then
+if system_installed_with_encryption_at_rest; then
-    
+    echo ""
-    if [ -s /etc/mailinabox.conf ]; then
+    echo "** Disabling system services that require encrypted HDD to be mounted **"
-        echo ""
+    systemctl disable --quiet postfix
-        echo "** Disabling system services **"
+    systemctl disable --quiet dovecot
-        systemctl disable --quiet postfix
+    systemctl disable --quiet postgrey
-        systemctl disable --quiet dovecot
+    systemctl disable --quiet cron
-        systemctl disable --quiet postgrey
+    systemctl disable --quiet nginx
-        systemctl disable --quiet cron
+    systemctl disable --quiet php8.0-fpm
-        systemctl disable --quiet nginx
+    systemctl disable --quiet mailinabox
-        systemctl disable --quiet php8.0-fpm
+    systemctl disable --quiet fail2ban
-        systemctl disable --quiet mailinabox
+    systemctl disable --quiet miabldap-capture
-        systemctl disable --quiet fail2ban
+    #systemctl disable nsd
-        systemctl disable --quiet miabldap-capture
+    [ -x /usr/sbin/slapd ] && systemctl disable --quiet slapd
-        #systemctl disable nsd
-        [ -x /usr/sbin/slapd ] && systemctl disable --quiet slapd
 
-        echo ""
+    echo ""
-        echo "IMPORTANT:"
+    echo "IMPORTANT:"
-        echo "    Services have been disabled at startup because the encrypted HDD will"
+    echo "    Services have been disabled at startup because the encrypted HDD will"
-        echo "    be unavailable. Run ehdd/run-this-after-reboot.sh after a reboot."
+    echo "    be unavailable. Run ehdd/run-this-after-reboot.sh after a reboot."
-    fi
 
 fi
 

ehdd/run-this-after-reboot.sh

@@ -8,21 +8,25 @@
 ##### details.
 #####
 
-ehdd/mount.sh || exit 1
+if [ "${1:-}" != "--no-mount" ]; then
+    ehdd/mount.sh || exit 1
+fi
 
-if [ -s /etc/mailinabox.conf ]; then
+.  ehdd/ehdd_funcs.sh || exit 1
+
+if system_installed_with_encryption_at_rest; then
     [ -x /usr/sbin/slapd ] && systemctl start slapd
     systemctl start php8.0-fpm
     systemctl start dovecot
     systemctl start postfix
     # postgrey's main database and local client whitelist are in user-data
-    systemctl restart postgrey
+    systemctl start postgrey
     systemctl start nginx
     systemctl start cron
     #systemctl start nsd
-    systemctl link -f $(pwd)/conf/mailinabox.service
+    systemctl link -q -f /lib/systemd/system/mailinabox.service
     systemctl start fail2ban
-    systemctl restart mailinabox
+    systemctl start mailinabox
     systemctl start miabldap-capture
 fi
 

setup/system.sh

@@ -410,3 +410,32 @@ EOF
 [ -e /var/log/mail.log ] && chown syslog:adm /var/log/mail.log
 [ -e /var/log/mail.err ] && chown syslog:adm /var/log/mail.err
 restart_service rsyslog
+
+
+# Encryption-at-rest disables certain services after setup runs (see
+# ehdd/postinstall.sh) because the STORAGE_ROOT directory won't be
+# mounted after a reboot and those services would fail. This causes a
+# problem if one of those services is upgraded by unattended-upgrades.
+#
+# The issue: when the system is running normally and
+# unattended-upgrades updates a disabled (but running) service
+# (eg. mariadb), the service is stopped for the upgrade but is
+# never re-started.
+#
+# The fix: have systemd watch unattended-upgrades, then start all
+# disabled services that were upgraded after updates have been
+# applied.
+
+cp conf/ehdd-unattended-upgrades-after.path \
+   conf/ehdd-unattended-upgrades-after.service \
+   /etc/systemd/system
+
+tools/editconf.py \
+     /etc/systemd/system/ehdd-unattended-upgrades-after.service \
+    -ini-section Service \
+    "WorkingDirectory=$(pwd)" \
+    "ExecStart=$(pwd)/ehdd/run-this-after-reboot.sh --no-mount"
+
+systemctl daemon-reload
+systemctl enable -q ehdd-unattended-upgrades-after.path
+systemctl start -q ehdd-unattended-upgrades-after.path