From 679c7c019e01b76d722fb7c7c8d9efac63aca013 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Wed, 31 Jul 2024 17:52:35 -0600 Subject: [PATCH] Gocrypt (#10) --- .github/workflows/ci.yml | 9 ++++++++- docker-compose.yml | 3 +-- mosquitto/Dockerfile | 11 ++++++----- mosquitto/entrypoint.sh | 41 ++++++++++++++++++++++++---------------- 4 files changed, 40 insertions(+), 24 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 045bed1..af86102 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -51,4 +51,11 @@ jobs: - name: Check encrypted data run: | - docker run --rm -v $(pwd)/data:/encrypted alpine:latest /bin/sh -c 'if [ $(ls /encrypted | wc -l) -gt 1 ]; then echo "Data is encrypted"; else echo "Data is not encrypted"; exit 1; fi' + docker run --rm -v $(pwd)/data:/encrypted alpine:latest /bin/sh -c ' + if [ -f /encrypted/gocryptfs.conf ] && [ -f /encrypted/gocryptfs.diriv ]; then + echo "Encrypted volume configuration files found"; + else + echo "Encrypted volume configuration files not found"; + exit 1; + fi + ' diff --git a/docker-compose.yml b/docker-compose.yml index 749755a..ae3b6b4 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -8,7 +8,6 @@ services: - ./mosquitto/mosquitto.conf:/mosquitto/config/mosquitto.conf - ./mosquitto/aclfile:/mosquitto/config/aclfile - ./data:/encrypted - - ./config:/config restart: unless-stopped entrypoint: /entrypoint.sh cap_add: @@ -24,7 +23,7 @@ services: retries: 10 environment: # TODO: Adjust as neeed (but not here!) - ENCFS_PASSWORD: your_secure_password_here + GOCRYPT_PASSWORD: your_secure_password_here cloudflared: diff --git a/mosquitto/Dockerfile b/mosquitto/Dockerfile index 391774d..2162738 100644 --- a/mosquitto/Dockerfile +++ b/mosquitto/Dockerfile 
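Review bot: The rewritten check proves that `gocryptfs -init` ran, not that the broker's data went through the mount, because gocryptfs.conf and gocryptfs.diriv are written at initialization and nothing here looks at what else reached the volume. A mount failure leaves the broker writing to the container's own /var/lib/mosquitto (see the entrypoint hunk, which exits 0 after a failed mount), so ./data would then hold exactly these two files and the step would still report "Encrypted volume configuration files found". If an earlier job step drives traffic with persistence enabled, additionally require a ciphertext entry beyond the two config files, e.g. `[ "$(ls -A /encrypted | grep -vc '^gocryptfs\.')" -gt 0 ]`. Minor: `-v $(pwd)/data:/encrypted` is unquoted; `-v "$(pwd)/data:/encrypted"` survives a workspace path containing spaces.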
@@ -1,21 +1,22 @@ -# Start with an Alpine base image that supports FUSE +# Start with an Alpine base image FROM alpine:latest -# Install necessary packages including FUSE, Mosquitto, and encfs +# Install necessary packages including FUSE, Mosquitto, and gocryptfs RUN apk update && \ apk add --no-cache \ bash \ fuse \ - encfs \ + gocryptfs \ mosquitto \ mosquitto-clients \ shadow # Create necessary directories and set permissions -RUN mkdir -p /encrypted /var/lib/mosquitto && \ +RUN mkdir -p /encrypted /var/lib/mosquitto /config && \ chown -R mosquitto:mosquitto /var/lib/mosquitto && \ chmod -R 700 /var/lib/mosquitto && \ - chmod -R 700 /encrypted + chmod -R 700 /encrypted && \ + chmod -R 700 /config # Ensure mosquitto user has a valid shell RUN usermod -s /bin/bash mosquitto diff --git a/mosquitto/entrypoint.sh b/mosquitto/entrypoint.sh index 71eb3e4..a35765e 100755 --- a/mosquitto/entrypoint.sh +++ b/mosquitto/entrypoint.sh 
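Review bot: `/config` is created and locked to 0700 here, but the same commit drops the `./config:/config` volume from docker-compose.yml and the entrypoint no longer moves anything into it, so nothing in the image uses the directory any more; either drop `/config` from the `mkdir -p` line and remove `chmod -R 700 /config`, or extend the comment to say what is meant to live there. Note also that `chmod -R 700 /encrypted` only affects the image layer: at runtime `/encrypted` is a bind mount of `./data`, whose ownership and mode come from the host, which is presumably why the entrypoint hunk re-applies `chown` at startup. `FROM alpine:latest` and the unversioned `gocryptfs` package remain unpinned, so the cipher tool can change between builds without any change to this file; pinning both would make the "Check encrypted data" CI step reproducible.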
@@ -2,27 +2,36 @@ set -e -# Ensure ENCFS_PASSWORD is set -if [ -z "$ENCFS_PASSWORD" ]; then - echo "ENCFS_PASSWORD is not set. Exiting." +# Ensure GOCRYPT_PASSWORD is set +if [ -z "$GOCRYPT_PASSWORD" ]; then + echo "GOCRYPT_PASSWORD is not set. Exiting." exit 1 fi +# Create /var/lib/mosquitto directory if not exists +mkdir -p /var/lib/mosquitto + +# Adjust permissions for the mosquitto user +chown mosquitto:mosquitto /var/lib/mosquitto /encrypted + # Initialize or mount the encrypted filesystem as the mosquitto user -if [ ! -f /encrypted/.encfs6.xml ]; then - echo "Initializing encrypted filesystem" - su mosquitto -c "echo \"$ENCFS_PASSWORD\" | encfs --standard --stdinpass /encrypted /var/lib/mosquitto --verbose" -else - echo "Mounting encrypted filesystem" - su mosquitto -c "echo \"$ENCFS_PASSWORD\" | encfs --stdinpass /encrypted /var/lib/mosquitto --verbose" +su mosquitto -c " +if [ ! -f /encrypted/gocryptfs.conf ]; then + echo \"Initializing encrypted filesystem\" + if [ \"\$(ls -A /encrypted)\" ]; then + echo \"Error: /encrypted directory is not empty. Cannot initialize.\" + exit 1 + fi + echo \"$GOCRYPT_PASSWORD\" | gocryptfs -init /encrypted fi -# # Debug: Check if encfs is mounted -echo "Checking if encfs is mounted:" -mount | grep encfs || echo "encfs is not mounted" +echo \"Mounting encrypted filesystem\" +echo \"$GOCRYPT_PASSWORD\" | gocryptfs /encrypted /var/lib/mosquitto -# Move .encfs6.xml to the config directory -mv /encrypted/.encfs6.xml /config/ +# Debug: Check if gocryptfs is mounted +echo \"Checking if gocryptfs is mounted:\" +mount | grep gocryptfs || echo \"gocryptfs is not mounted\" +" -# Run Mosquitto -exec mosquitto -c /mosquitto/config/mosquitto.conf +# Run Mosquitto as the mosquitto user +exec su mosquitto -c "mosquitto -c /mosquitto/config/mosquitto.conf"
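Review bot: The password is spliced into the `su -c "…"` command string (`echo \"$GOCRYPT_PASSWORD\"` is expanded by the outer shell, unlike the escaped `\$(ls -A …)`), so it lands in the argv of `su`, readable through /proc/<pid>/cmdline by any process in the container, and is re-parsed by the inner shell, where a value containing `"`, `$`, a backtick or a backslash breaks the script or is interpreted as code. Just as important, the inner script's last command `mount | grep gocryptfs || echo …` always exits 0, so a failed mount never trips the outer `set -e` and the final `exec su mosquitto -c "mosquitto …"` starts the broker on the plain, unmounted /var/lib/mosquitto, leaving persistence unencrypted in the container filesystem; the inner script also has no `set -e` of its own, so a failed `-init` falls through to the mount attempt. The rewrite below hands the password over via the environment with `su -p` (preserve environment, supported by both busybox and shadow `su`), enables `set -e` inside the inner script, fails closed when the mountpoint is absent, and unsets the variable before the broker is exec'd. The script's shebang (line 1) is outside the hunk.
```shell
# Hand the password over via the environment, not the command string: it then
# stays out of the su argv (readable via /proc/<pid>/cmdline) and is not
# re-parsed by the inner shell.
export GOCRYPT_PASSWORD
su -p mosquitto -c '
set -e
if [ ! -f /encrypted/gocryptfs.conf ]; then
  echo "Initializing encrypted filesystem"
  if [ "$(ls -A /encrypted)" ]; then
    echo "Error: /encrypted directory is not empty. Cannot initialize." >&2
    exit 1
  fi
  printf "%s\n" "$GOCRYPT_PASSWORD" | gocryptfs -init /encrypted
fi
echo "Mounting encrypted filesystem"
printf "%s\n" "$GOCRYPT_PASSWORD" | gocryptfs /encrypted /var/lib/mosquitto
# Fail closed: never start the broker on the plain directory.
grep -q " /var/lib/mosquitto " /proc/mounts || { echo "gocryptfs mount failed" >&2; exit 1; }
'
# The broker itself does not need the password.
unset GOCRYPT_PASSWORD
# … unchanged: exec su mosquitto -c "mosquitto -c /mosquitto/config/mosquitto.conf" …
```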