Gocrypt (#10)

.github/workflows/ci.yml

@@ -51,4 +51,11 @@ jobs:
 
       - name: Check encrypted data
         run: |
-          docker run --rm -v $(pwd)/data:/encrypted alpine:latest /bin/sh -c 'if [ $(ls /encrypted | wc -l) -gt 1 ]; then echo "Data is encrypted"; else echo "Data is not encrypted"; exit 1; fi'
+          docker run --rm -v $(pwd)/data:/encrypted alpine:latest /bin/sh -c '
+            if [ -f /encrypted/gocryptfs.conf ] && [ -f /encrypted/gocryptfs.diriv ]; then
+              echo "Encrypted volume configuration files found";
+            else
+              echo "Encrypted volume configuration files not found";
+              exit 1;
+            fi
+          '

docker-compose.yml

@@ -8,7 +8,6 @@ services:
       - ./mosquitto/mosquitto.conf:/mosquitto/config/mosquitto.conf
       - ./mosquitto/aclfile:/mosquitto/config/aclfile
       - ./data:/encrypted
-      - ./config:/config
     restart: unless-stopped
     entrypoint: /entrypoint.sh
     cap_add:
@@ -24,7 +23,7 @@ services:
       retries: 10
     environment:
       # TODO: Adjust as neeed (but not here!)
-      ENCFS_PASSWORD: your_secure_password_here
+      GOCRYPT_PASSWORD: your_secure_password_here
 
 
   cloudflared:

mosquitto/Dockerfile

@@ -1,21 +1,22 @@
-# Start with an Alpine base image that supports FUSE
+# Start with an Alpine base image
 FROM alpine:latest
 
-# Install necessary packages including FUSE, Mosquitto, and encfs
+# Install necessary packages including FUSE, Mosquitto, and gocryptfs
 RUN apk update && \
     apk add --no-cache \
     bash \
     fuse \
-    encfs \
+    gocryptfs \
     mosquitto \
     mosquitto-clients \
     shadow
 
 # Create necessary directories and set permissions
-RUN mkdir -p /encrypted /var/lib/mosquitto && \
+RUN mkdir -p /encrypted /var/lib/mosquitto /config && \
     chown -R mosquitto:mosquitto /var/lib/mosquitto && \
     chmod -R 700 /var/lib/mosquitto && \
-    chmod -R 700 /encrypted
+    chmod -R 700 /encrypted && \
+    chmod -R 700 /config
 
 # Ensure mosquitto user has a valid shell
 RUN usermod -s /bin/bash mosquitto

mosquitto/entrypoint.sh

@@ -2,27 +2,36 @@
 
 set -e
 
-# Ensure ENCFS_PASSWORD is set
-if [ -z "$ENCFS_PASSWORD" ]; then
-  echo "ENCFS_PASSWORD is not set. Exiting."
+# Ensure GOCRYPT_PASSWORD is set
+if [ -z "$GOCRYPT_PASSWORD" ]; then
+  echo "GOCRYPT_PASSWORD is not set. Exiting."
   exit 1
 fi
 
+# Create /var/lib/mosquitto directory if not exists
+mkdir -p /var/lib/mosquitto
+
+# Adjust permissions for the mosquitto user
+chown mosquitto:mosquitto /var/lib/mosquitto /encrypted
+
 # Initialize or mount the encrypted filesystem as the mosquitto user
-if [ ! -f /encrypted/.encfs6.xml ]; then
-  echo "Initializing encrypted filesystem"
-  su mosquitto -c "echo \"$ENCFS_PASSWORD\" | encfs --standard --stdinpass /encrypted /var/lib/mosquitto --verbose"
-else
-  echo "Mounting encrypted filesystem"
-  su mosquitto -c "echo \"$ENCFS_PASSWORD\" | encfs --stdinpass /encrypted /var/lib/mosquitto --verbose"
+su mosquitto -c "
+if [ ! -f /encrypted/gocryptfs.conf ]; then
+  echo \"Initializing encrypted filesystem\"
+  if [ \"\$(ls -A /encrypted)\" ]; then
+    echo \"Error: /encrypted directory is not empty. Cannot initialize.\"
+    exit 1
+  fi
+  echo \"$GOCRYPT_PASSWORD\" | gocryptfs -init /encrypted
 fi
 
-# # Debug: Check if encfs is mounted
-echo "Checking if encfs is mounted:"
-mount | grep encfs || echo "encfs is not mounted"
+echo \"Mounting encrypted filesystem\"
+echo \"$GOCRYPT_PASSWORD\" | gocryptfs /encrypted /var/lib/mosquitto
 
-# Move .encfs6.xml to the config directory
-mv /encrypted/.encfs6.xml /config/
+# Debug: Check if gocryptfs is mounted
+echo \"Checking if gocryptfs is mounted:\"
+mount | grep gocryptfs || echo \"gocryptfs is not mounted\"
+"
 
-# Run Mosquitto
-exec mosquitto -c /mosquitto/config/mosquitto.conf
+# Run Mosquitto as the mosquitto user
+exec su mosquitto -c "mosquitto -c /mosquitto/config/mosquitto.conf"