add nc-encrypt

Signed-off-by: nachoparker <nacho@ownyourbits.com>

Author: nachoparker

bin/ncp-provisioning.sh

@@ -64,4 +64,12 @@ BKP="$( ls -1t /var/www/nextcloud-bkp_*.tar.gz 2>/dev/null | head -1 )"
   ncp-restore "$BKP_NEW" && rm "$BKP_NEW"
 }
 
+## Check for encrypted data and ask for password
+if needs_decrypt; then
+  echo "Detected encrypted instance"
+  a2dissite ncp nextcloud
+  a2ensite ncp-activation
+  apache2ctl -k graceful
+fi
+
 exit 0

bin/ncp/CONFIG/nc-datadir.sh

@@ -100,6 +100,7 @@ configure()
   # datadir
   ncc config:system:set datadirectory --value="$DATADIR"
   ncc config:system:set logfile --value="$DATADIR/nextcloud.log"
+  set_ncpcfg datadir "${datadir}"
   restore_maintenance_mode
 }
 

bin/ncp/SECURITY/nc-encrypt.sh

@@ -0,0 +1,107 @@
+#!/bin/bash
+
+# Data at rest encryption for NextCloudPi
+#
+# Copyleft 2021 by Ignacio Nunez Hernanz <nacho _a_t_ ownyourbits _d_o_t_ com>
+# GPL licensed (see end of file) * Use at your own risk!
+#
+# More at: nextcloudpi.com
+#
+
+is_active()
+{
+  mount | grep ncdata_enc | grep -q gocryptfs
+}
+
+install()
+{
+  apt_install gocryptfs
+}
+
+configure()
+{
+(
+  set -eu -o pipefail
+  local datadir parentdir encdir tmpdir
+  datadir="$(get_ncpcfg datadir)"
+  [[ "${datadir}" == "null" ]] && datadir=/var/www/nextcloud/data
+  parentdir="$(dirname "${datadir}")"
+  encdir="${parentdir}/ncdata_enc"
+  tmpdir="$(mktemp -u -p "${parentdir}" -t nc-data-crypt.XXXXXX))"
+
+  [[ "${ACTIVE}" != "yes" ]] && {
+    if ! is_active; then
+      echo "Data not currently encrypted"
+      return 0
+    fi
+    save_maintenance_mode
+    trap restore_maintenance_mode EXIT
+    echo "Decrypting data..."
+    mkdir "${tmpdir}"
+    chown www-data: "${tmpdir}"
+    pkill tail # prevents from umounting in docker
+    mv "${datadir}"/* "${datadir}"/.[!.]* "${tmpdir}"
+    fusermount -u "${datadir}"
+    rmdir "${datadir}"
+    mv "${tmpdir}" "${datadir}"
+    rm "${encdir}"/gocryptfs.*
+    rmdir "${encdir}"
+    echo "Data no longer encrypted"
+    return
+  }
+
+  if is_active; then
+    echo "Encrypted data already in use"
+    return
+  fi
+
+  # Just mount already encrypted data
+  if [[ -f "${encdir}"/gocryptfs.conf ]]; then
+    echo "${PASSWORD}" | gocryptfs -allow_other -q "${encdir}" "${datadir}" 2>&1 | sed /^Switch/d
+
+    # switch to the regular virtual hosts after we decrypt, so we can access NC and ncp-web
+    a2ensite ncp nextcloud
+    a2dissite ncp-activation
+    apache2ctl -k graceful
+
+    echo "Encrypted data now accessible"
+    return
+  fi
+  mkdir -p "${encdir}"
+  echo "${PASSWORD}" | gocryptfs -init -q "${encdir}"
+  save_maintenance_mode
+  trap restore_maintenance_mode EXIT
+
+  mv "${datadir}" "${tmpdir}"
+
+  mkdir "${datadir}"
+  echo "${PASSWORD}" | gocryptfs -allow_other -q "${encdir}" "${datadir}" 2>&1 | sed /^Switch/d
+
+  echo "Encrypting data..."
+  mv "${tmpdir}"/* "${tmpdir}"/.[!.]* "${datadir}"
+  chown -R www-data: "${datadir}"
+  rmdir "${tmpdir}"
+
+  set_ncpcfg datadir "${datadir}"
+
+  echo "Data is now encrypted"
+)
+}
+
+# License
+#
+# This script is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This script is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this script; if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place, Suite 330,
+# Boston, MA  02111-1307  USA
+

bin/nextcloud-domain.sh

@@ -2,6 +2,12 @@
 
 source /usr/local/etc/library.sh
 
+# wait until user decrypts the instance first
+while :; do
+  needs_decrypt || break
+  sleep 1
+done
+
 # wicd service finishes before completing DHCP
 while :; do
   local_ip="$(get_ip)"

build/docker/docker-compose.yml

@@ -10,6 +10,12 @@ services:
     volumes:
      - ncdata:/data
      - /etc/localtime:/etc/localtime:ro
+    # for nc-encrypt
+    devices:
+      - /dev/fuse:/dev/fuse
+    # for nc-encrypt # NOTE: take a look at this https://github.com/docker/for-linux/issues/321#issuecomment-677744121
+    cap_add:
+      - SYS_ADMIN
     container_name: nextcloudpi
 
 volumes:

build/docker/nextcloud/020nextcloud

@@ -58,6 +58,14 @@ bash /usr/local/bin/ncp-provisioning.sh
 echo "Starting notify_push daemon"
 start_notify_push
 
+if needs_decrypt; then
+  echo "Waiting for user to decrypt instance"
+  while :; do
+    sleep 1
+    needs_decrypt || break
+  done
+fi
+
 echo "Configuring Domain"
 # Trusted Domain (local/public IP)
 bash /usr/local/bin/nextcloud-domain.sh

changelog.md

@@ -1,7 +1,13 @@
 
-[v1.42.3](https://github.com/nextcloud/nextcloudpi/commit/2d804cb) (2021-10-25) nextcloud-domain: fix variable collision
+[v1.43.0](https://github.com/nextcloud/nextcloudpi/commit/9bad41c) (2021-10-22) add nc-encrypt
 
-[v1.42.2](https://github.com/nextcloud/nextcloudpi/commit/9ff21bb) (2021-10-23) nc-backup-auto: ncc path
+[v1.42.5](https://github.com/nextcloud/nextcloudpi/commit/f0abbbc) (2021-10-27) letsencrypt: sync ncp and nc cert paths
+
+[v1.42.4 ](https://github.com/nextcloud/nextcloudpi/commit/f7e28c2) (2021-10-27) small trusted domains refactor
+
+[v1.42.3 ](https://github.com/nextcloud/nextcloudpi/commit/b1e7323) (2021-10-25) nextcloud-domain: fix variable collision
+
+[v1.42.2 ](https://github.com/nextcloud/nextcloudpi/commit/9ff21bb) (2021-10-23) nc-backup-auto: ncc path
 
 [v1.42.1 ](https://github.com/nextcloud/nextcloudpi/commit/e11ce59) (2021-10-22) ncp-web: fix log download bug
 

etc/library.sh

@@ -32,7 +32,7 @@ command -v jq &>/dev/null || {
   PHPVER=$(     jq -r .php_version       < "$NCPCFG")
   RELEASE=$(    jq -r .release           < "$NCPCFG")
 }
-command -v ncc &>/dev/null && NCVER="$(ncc status | grep "version:" | awk '{ print $3 }')"
+command -v ncc &>/dev/null && NCVER="$(ncc status 2>/dev/null | grep "version:" | awk '{ print $3 }')"
 
 function configure_app()
 {
@@ -481,6 +481,29 @@ function restore_maintenance_mode()
   fi
 }
 
+function needs_decrypt()
+{
+  local active
+  active="$(find_app_param nc-encrypt ACTIVE)"
+  (! is_active_app nc-encrypt) && [[ "${active}" == "yes" ]]
+}
+
+function set_ncpcfg()
+{
+  local name="${1}"
+  local value="${2}"
+  local cfg
+  cfg="$(jq '.' "${NCPCFG}")"
+  cfg="$(jq ".${name} = \"${value}\"" <<<"${cfg}")"
+  echo "$cfg" > "${NCPCFG}"
+}
+
+function get_ncpcfg()
+{
+  local name="${1}"
+  jq -r ".${name}" < "${NCPCFG}"
+}
+
 # License
 #
 # This script is free software; you can redistribute it and/or modify it

etc/ncp-config.d/nc-encrypt.cfg

@@ -0,0 +1,22 @@
+{
+  "id": "nc-encrypt",
+  "name": "Nc-encrypt",
+  "title": "nc-encrypt",
+  "description": "Data at rest encryption for NCP",
+  "info": "The encryption password will be needed after every reboot.\nThis will increase CPU usage.",
+  "infotitle": "",
+  "params": [
+    {
+      "id": "ACTIVE",
+      "name": "Active",
+      "value": "no",
+      "type": "bool"
+    },
+    {
+      "id": "PASSWORD",
+      "name": "Password",
+      "value": "ownyourbits",
+      "type": "password"
+    }
+  ]
+}

ncp-web/activate/index.php

@@ -1,11 +1,25 @@
 <?php
-// disallow once activated
-exec("a2query -s ncp-activation", $output, $ret);
-if ($ret != 0) {
-  http_response_code(404);
-  exit();
-}
-session_start();
+  // disallow once activated
+  exec("a2query -s ncp-activation", $output, $ret);
+  if ($ret != 0) {
+    http_response_code(404);
+    exit();
+  }
+  ini_set('session.cookie_httponly', 1);
+  if (isset($_SERVER['HTTPS']))
+    ini_set('session.cookie_secure', 1);
+  session_start();
+
+  // security headers
+  header("Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; object-src 'self';");
+  header("X-XSS-Protection: 1; mode=block");
+  header("X-Content-Type-Options: nosniff");
+  header("X-Robots-Tag: none");
+  header("X-Permitted-Cross-Domain-Policies: none");
+  header("X-Frame-Options: DENY");
+  header("Cache-Control: no-cache");
+  header('Pragma: no-cache');
+  header('Expires: -1');
 ?>
 <!DOCTYPE html>
 <html class="ng-csp" data-placeholder-focus="false" lang="en">
@@ -63,7 +77,7 @@
   </div>
   <footer role="contentinfo">
   <p class="info">
-  <a href="https://ownyourbits.com/2017/02/13/nextcloud-ready-raspberry-pi-image/" target="_blank" rel="noreferrer noopener">NextCloudPi</a> – Keep your data close</p>
+  <a href="https://nextcloudpi.com" target="_blank" rel="noreferrer noopener">NextCloudPi</a> – Keep your data close</p>
   </footer>
   <?php
     include('../csrf.php');