nginx-delay

docker-compose.yml

@@ -1,5 +1,26 @@
 version: "3.7"
 services:
+  # EncFS for /onion and /everyone
+  sf-encfs:
+    build: encfs
+    image: sf-encfs
+    restart: ${SF_RESTART:-on-failure}
+    cap_add:
+      - SYS_ADMIN
+    security_opt:
+      - apparmor:unconfined
+    environment:
+      - SF_SEED
+      - SF_DEBUG
+    command: ["/mount.sh", "server"]
+    network_mode: none
+    devices:
+      - "/dev/fuse:/dev/fuse"
+    volumes:
+      - "${SF_BASEDIR:-.}/config/etc/seed:/config/etc/seed"
+      - "${SF_BASEDIR:-.}/data/sf:/encfs/raw"
+      - "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec/sf:/encfs/sec:shared"
+
   dns-doh:
     image: crazymax/cloudflared
     restart: ${SF_RESTART:-on-failure}
@@ -117,7 +138,7 @@ services:
       - SF_SEED
     volumes:
       - "${SF_SHMDIR:-/dev/shm/sf}/run/gsnc:/sf/run/gsnc"
-      - "${SF_BASEDIR:-.}/config/etc/seed:/config/seed"
+      - "${SF_BASEDIR:-.}/config/etc/seed:/config/etc/seed"
     entrypoint: ["/sf-gsnc.sh", "172.20.0.110"]
 
   segfault:
@@ -151,36 +172,16 @@ services:
     volumes:
       - "${SF_BASEDIR:-.}/config/etc/ssh:/config/etc/ssh"
       - "${SF_BASEDIR:-.}/config/db:/config/db"
-      - "${SF_BASEDIR:-.}/config/etc/seed:/config/seed"
+      - "${SF_BASEDIR:-.}/config/etc/seed:/config/etc/seed"
       - "${SF_BASEDIR:-.}/config/etc/info:/config/etc/info:ro"
       - "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec/sf:/sec:slave"
       - "/var/run/docker.sock:/var/run/docker.sock"
 
-  # EncFS for /onion and /everyone
-  sf-encfs:
-    build: encfs
-    image: sf-encfs
-    restart: ${SF_RESTART:-on-failure}
-    cap_add:
-      - SYS_ADMIN
-    security_opt:
-      - apparmor:unconfined
-    environment:
-      - SF_SEED
-      - SF_DEBUG
-    command: ["/mount.sh", "server"]
-    network_mode: none
-    devices:
-      - "/dev/fuse:/dev/fuse"
-    volumes:
-      - "${SF_BASEDIR:-.}/config/etc/seed:/config/seed"
-      - "${SF_BASEDIR:-.}/data/sf:/encfs/raw"
-      - "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec/sf:/encfs/sec:shared"
-
   nginx:
     image: nginx
     restart: ${SF_RESTART:-on-failure}
     depends_on:
+      - dnsmasq # FIXME: This delays nginx until SHMDIR/encfs-sec/sf/onion-www is available
       - sf-encfs
     dns: 255.255.255.255
     networks:

encfs/mount.sh

@@ -22,10 +22,10 @@ _term()
 create_load_seed()
 {
 	[[ -n $SF_SEED ]] && return
-	[[ ! -f "/config/seed/seed.txt" ]] && {
-		head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 32 >/config/seed/seed.txt || { echo >&2 "Can't create \${SF_BASEDIR}/config/etc/seed/seed.txt"; exit 255; }
+	[[ ! -f "/config/etc/seed/seed.txt" ]] && {
+		head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 32 >/config/etc/seed/seed.txt || { echo >&2 "Can't create \${SF_BASEDIR}/config/etc/seed/seed.txt"; exit 255; }
 	}
-	SF_SEED="$(cat /config/seed/seed.txt)"
+	SF_SEED="$(cat /config/etc/seed/seed.txt)"
 	[[ -z $SF_SEED ]] && { echo -e >&2 "mount.sh: Failed to generated SF_SEED="; exit 254; }
 }
 
@@ -39,6 +39,10 @@ sf_server_init()
 	ENCFS_SERVER_PASS=$(echo -n "EncFS-SERVER-PASS-${SF_SEED}" | sha512sum | base64 | tr -dc '[:alpha:]' | head -c 24)
 }
 
+# The server needs to be initialized differently. All instances are started
+# from docker compose. Some are started before EncFS can mount the directory.
+# NgingX is a good example. Thus Nginx needs to check unti IS-ENCRYPTED.TXT
+# appears and exit otherwise.
 sf_server()
 {
 	sf_server_init
@@ -46,7 +50,14 @@ sf_server()
 	echo "THIS-IS-NOT-ENCRYPTED *** DO NOT USE *** " >/encfs/sec/IS-NOT-ENCRYPTED.txt
 	encfs --standard -o nonempty -o allow_other -f --extpass="echo \"${ENCFS_SERVER_PASS}\"" "/encfs/raw" "/encfs/sec" -- -o noexec,noatime &
 	cpid=$!
-	wait $cpid # SIGTERM will wake us
+
+	# Give it 5 seconds and check if it is encrypted.
+	sleep 5
+	[[ ! -e /encfs/sec/IS-NOT-ENCRYPTED.txt ]] && {
+		# We are encrypted!
+		touch /encfs/sec/IS-ENCRYPTED.txt
+		wait $cpid # SIGTERM will wake us
+	}
 	# SIGTERM or wrong SF_SEED
 	echo -e "${CR}[$cpid] EncFS EXITED with $?..."
 

gsnc/sf-gsnc.sh

@@ -3,15 +3,15 @@
 create_load_seed()
 {
 	[[ -n $SF_SEED ]] && return
-	[[ ! -f "/config/seed/seed.txt" ]] && {
-		head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 32 >/config/seed/seed.txt || { echo >&2 "Can't create \${SF_BASEDIR}/config/etc/seed/seed.txt"; exit 255; }
+	[[ ! -f "/config/etc/seed/seed.txt" ]] && {
+		head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 32 >/config/etc/seed/seed.txt || { echo >&2 "Can't create \${SF_BASEDIR}/config/etc/seed/seed.txt"; exit 255; }
 	}
-	SF_SEED="$(cat /config/seed/seed.txt)"
+	SF_SEED="$(cat /config/etc/seed/seed.txt)"
 	[[ -z $SF_SEED ]] && { echo >&2 "Failed to generated SF_SEED="; exit 254; }
 }
 
 [[ ! -d /sf/run/gsnc ]] && { echo >&2 "Forgot -v \${SF_SHMDIR:-/dev/shm/sf}/run/gsnc:/sf/run/gsnc?"; sleep 5; exit 253; }
-[[ ! -d /config/seed ]] && { echo >&2 "Forgot -v config/etc/seed:/config/seed?"; sleep 5; exit 252; }
+[[ ! -d /config/etc/seed ]] && { echo >&2 "Forgot -v config/etc/seed:/config/etc/seed?"; sleep 5; exit 252; }
 
 create_load_seed
 

host/fs-root/bin/docker_sshd.sh

@@ -6,7 +6,7 @@ CR="\e[1;31m" # red
 CN="\e[0m"    # none
 
 
-ERREXIT()
+SLEEPEXIT()
 {
 	local s
 	local code
@@ -25,10 +25,10 @@ create_load_seed()
 {
 	[[ -n $SF_SEED ]] && return
 	[[ ! -f "/config/etc/seed/seed.txt" ]] && {
-		head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 32 >/config/seed/seed.txt || { echo >&2 "Can't create \${SF_BASEDIR}/config/etc/seed/seed.txt"; exit 255; }
+		head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 32 >/config/etc/seed/seed.txt || { echo >&2 "Can't create \${SF_BASEDIR}/config/etc/seed/seed.txt"; exit 255; }
 	}
 	SF_SEED="$(cat /config/etc/seed/seed.txt)"
-	[[ -z $SF_SEED ]] && ERREXIT 254 "Failed to generated SF_SEED="
+	[[ -z $SF_SEED ]] && SLEEPEXIT 254 5 "Failed to generated SF_SEED="
 }
 
 setup_sshd()
@@ -54,7 +54,7 @@ setup_sshd()
 	done
 }
 
-[[ -d /config/db ]] || ERREXIT 255 5 "${CR}Not found: /config/db${CN}. Try -v \${SF_BASEDIR}/config:/config,ro -v \${SF_BASEDIR}/config/db:/config/db"
+[[ -d /config/db ]] || SLEEPEXIT 255 5 "${CR}Not found: /config/db${CN}. Try -v \${SF_BASEDIR}/config:/config,ro -v \${SF_BASEDIR}/config/db:/config/db"
 
 create_load_seed
 
@@ -63,15 +63,15 @@ setup_sshd
 # This is the entry point for SF-HOST (e.g. host/Dockerfile)
 # Fix ownership if mounted from within vbox
 [[ -e /config/etc/ssh/ssh_host_rsa_key ]] || {
-	[[ ! -d "/config/etc/ssh" ]] && { mkdir -p "/config/etc/ssh" || ERREXIT 255 5; }
+	[[ ! -d "/config/etc/ssh" ]] && { mkdir -p "/config/etc/ssh" || SLEEPEXIT 255 5; }
 
 	ssh-keygen -A -f "/config" 2>&1 # Always return 0, even on failure.
-	[[ ! -f "/config/etc/ssh/ssh_host_rsa_key" ]] && ERREXIT 255 5
+	[[ ! -f "/config/etc/ssh/ssh_host_rsa_key" ]] && SLEEPEXIT 255 5
 }
 
 [[ -e /config/etc/ssh/id_ed25519 ]] || {
 	ssh-keygen -q -t ed25519 -C "" -N "" -f /config/etc/ssh/id_ed25519 2>&1
-	[[ ! -f "/config/etc/ssh/id_ed25519" ]] && ERREXIT 255 5
+	[[ ! -f "/config/etc/ssh/id_ed25519" ]] && SLEEPEXIT 255 5
 }
 
 chmod 644 /config/etc/ssh/id_ed25519

host/fs-root/bin/segfaultsh

@@ -247,6 +247,7 @@ if [[ "$(exec_errnull docker container inspect "encfs-${LID}" -f '{{.State.Statu
 		--cpu-shares=256 \
 		--blkio-weight=10 \
 		--oom-score-adj=500 \
+		--rm \
 		--name "encfs-${LID}" \
 		--cap-add SYS_ADMIN \
 		--device /dev/fuse \

provision/init-ubuntu.sh

@@ -112,7 +112,7 @@ init_config_run()
   [[ ! -d "${SF_BASEDIR}/config/etc/tc" ]] && SUDO_SF "cp -r \"${SFI_SRCDIR}/config/etc/tc\" \"${SF_BASEDIR}/config/etc\""
 
   # Copy info directory 
-  [[ ! -d "${SF_BASEDIR}/config/etc/info" ]] && SUDO_SF "cp -r \"${SFI_SRCDIR}/config/etc/info\" \"${SF_BASEDIR}/config/info\""
+  [[ ! -d "${SF_BASEDIR}/config/etc/info" ]] && SUDO_SF "cp -r \"${SFI_SRCDIR}/config/etc/info\" \"${SF_BASEDIR}/config/etc\""
   
   # Create Master-SEED
   if [[ -z $SF_SEED ]]; then