From 0e408673472f50b0c60e569a3bc06b0735c054cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20Kn=C3=B6ppler?= <6317548+theCalcaholic@users.noreply.github.com>
Date: Sat, 7 Sep 2024 02:51:44 +0200
Subject: [PATCH] nc-encrypt.sh: Fix detection of running encryption
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Tobias Knöppler <6317548+theCalcaholic@users.noreply.github.com>
---
 .github/workflows/build-sd-images.yml | 12 +++++------
 bin/ncp/SECURITY/nc-encrypt.sh | 30 ++++++++++++++++++++++-----
 ncp.sh | 2 +-
 3 files changed, 32 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/build-sd-images.yml b/.github/workflows/build-sd-images.yml
index 92ef05045..12a4490d0 100644
--- a/.github/workflows/build-sd-images.yml
+++ b/.github/workflows/build-sd-images.yml
@@ -282,20 +282,20 @@ jobs:
 echo -e "${LOG_DIAG} /etc/os-release:"
 "${CONTAINER_CMD[@]}" -q ncp /bin/bash -c 'cat /etc/os-release'
 echo -e "${LOG_DIAG} /usr/local/etc/ncp.cfg:"
- "${CONTAINER_CMD[@]}" -q ncp /bin/bash -c 'cat /usr/local/etc/ncp.cfg'
+ "${CONTAINER_CMD[@]}" --pipe -q ncp /bin/bash -c 'cat /usr/local/etc/ncp.cfg'
 cat ./raspbian_root/usr/local/etc/ncp.cfg
- echo -e "${LOG_DIAG} /home/ncp-app-bridge confi g ncp"
- "${CONTAINER_CMD[@]}" -q ncp /bin/bash -c 'sudo -u www-data sudo /home/www/ncp-app-bridge.sh config ncp'
+ echo -e "${LOG_DIAG} /home/ncp-app-bridge config ncp"
 sudo ls -l ./raspbian_root/home/www/ncp-app-bridge.sh
+ "${CONTAINER_CMD[@]}" --pipe --uid=33 ncp /bin/bash -c 'sudo /home/www/ncp-app-bridge.sh config ncp'
 echo -e "{$LOG_DIAG} Geckodriver logs:"
 tail -n 20 geckodriver.log >&2 |& awk "{ print \"${LOG_DIAG} \" \$0 }" || true
 echo -e "${LOG_CICD} ================"
 echo -e "${LOG_DIAG} ncp.log: "
- "${CONTAINER_CMD[@]}" -q ncp /bin/bash -c "tail -n20 /var/log/ncp.log" |& awk "{ print \"${LOG_DIAG} \" \$0 }" || true
+ "${CONTAINER_CMD[@]}" --pipe ncp /bin/bash -c "tail -n20 /var/log/ncp.log" |& awk "{ print \"${LOG_DIAG} \" \$0 }" || true
 echo "================"
 echo "${LOG_DIAG} Nextcloud log: "
- "${CONTAINER_CMD[@]}" -q ncp /bin/bash -c 'ls -l /opt/ncdata/data/nextcloud.log' |& awk "{ print \"${LOG_DIAG} \" \$0 }" || true
- "${CONTAINER_CMD[@]}" -q ncp /bin/bash -c 'cat /opt/ncdata/data/nextcloud.log' |& awk "{ print \"${LOG_DIAG} \" \$0 }" || true
+ "${CONTAINER_CMD[@]}" --pipe -q ncp /bin/bash -c 'ls -l /opt/ncdata/data/nextcloud.log' |& awk "{ print \"${LOG_DIAG} \" \$0 }" || true
+ "${CONTAINER_CMD[@]}" --pipe -q ncp /bin/bash -c 'cat /opt/ncdata/data/nextcloud.log' |& awk "{ print \"${LOG_DIAG} \" \$0 }" || true
 sudo cat ./raspbian_root/opt/ncdata/data/nextcloud.log |& awk "{ print \"${LOG_DIAG} \" \$0 }"
 sleep 12
 continue
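Review bot: The new `--uid=33` invocation of ncp-app-bridge.sh is the only command in this diagnostic block without a trailing `|| true`, so if the bridge script exits non-zero (its `grep -q` denylist in ncp.sh does exactly that on shell metacharacters) the step stops before the ncp.log and nextcloud.log dumps below it are printed, assuming the step runs under the default `bash -e` of a GitHub Actions run step. Appending ` || true` as the neighbouring lines do keeps the diagnostics flowing. `-q` was dropped on this line and on the ncp.log line but kept on the others, which looks unintentional, and the container command (presumably systemd-nspawn, given `--pipe`/`--uid`) now hardcodes www-data's numeric id where the removed line resolved it by name, so a comment such as `# 33 = www-data inside the image` would help the next reader. The run step starts and ends outside this hunk.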
diff --git a/bin/ncp/SECURITY/nc-encrypt.sh b/bin/ncp/SECURITY/nc-encrypt.sh
index 47b6c274f..efed4d9bb 100644
--- a/bin/ncp/SECURITY/nc-encrypt.sh
+++ b/bin/ncp/SECURITY/nc-encrypt.sh
@@ -20,14 +20,14 @@ install()
 configure()
 {
-(
+ set -e -o pipefail
 local datadir parentdir encdir tmpdir
 datadir="$(get_ncpcfg datadir)"
 [[ "${datadir?}" == "null" ]] && datadir=/var/www/nextcloud/data
 parentdir="$(dirname "${datadir}")"
 encdir="${parentdir?}/ncdata_enc"
- tmpdir="$(mktemp -u -p "${parentdir}" -t nc-data-crypt.XXXXXX))"
+ tmpdir="$(mktemp -u -p "${parentdir}" -t nc-data-crypt.XXXXXX)"
 [[ "${ACTIVE?}" != "yes" ]] && {
 if ! is_active; then
@@ -59,7 +59,7 @@ configure()
 # Just mount already encrypted data
 if [[ -f "${encdir?}"/gocryptfs.conf ]]; then
 systemctl reset-failed ncp-encrypt ||:
- systemd-run -u ncp-encrypt -E PASSWORD bash -c "gocryptfs -allow_other -q '${encdir}' '${datadir}' <<<\"\${PASSWORD}\" 2>&1 | sed /^Switch/d |& tee /var/log/ncp-encrypt.log"
+ systemd-run -u ncp-encrypt -E PASSWORD bash -c "gocryptfs -fg -allow_other -q '${encdir}' '${datadir}' <<<\"\${PASSWORD}\" 2>&1 | sed /^Switch/d |& tee /var/log/ncp-encrypt.log"
 # switch to the regular virtual hosts after we decrypt, so we can access NC and ncp-web
 a2ensite ncp 001-nextcloud
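Review bot: Dropping the `(` subshell in favour of `set -e -o pipefail` lets those options escape `configure`: `set` inside a bash function changes the invoking shell's options and nothing turns them off before the closing `}`, whereas the old subshell discarded them on return. The same now holds for the `trap restore_maintenance_mode EXIT` installed further down in configure, which used to fire when the subshell ended and now fires only when the calling shell exits, unless something overwrites it first. If the framework sources this file and keeps running afterwards (not visible here), its later commands inherit the errexit behaviour; keeping the outer `(` … `)` around the new `set`, or starting the function with `local -` (bash 4.4+) so the options are restored on return, preserves the old isolation while the fix itself stays. The `tmpdir=` fix and the `-fg` added in the second hunk look right. configure continues past the end of both hunks.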
@@ -72,13 +72,33 @@ configure()
 mkdir -p "${encdir?}"
 echo "${PASSWORD?}" | gocryptfs -init -q "${encdir}"
 save_maintenance_mode
+ cleanup() {
+ umount "${datadir}" ||:
+ [[ -f "${tmpdir}" ]] && {
+ rm -rf "${datadir?}" ||:
+ mv "${tmpdir}" "${datadir}"
+
+ chown -R www-data:www-data "${datadir}"
+ }
+ }
+
+ trap cleanup 1
 trap restore_maintenance_mode EXIT
 mv "${datadir?}" "${tmpdir?}"
 mkdir "${datadir}"
 systemctl reset-failed ncp-encrypt ||:
- systemd-run -u ncp-encrypt -E PASSWORD bash -c "gocryptfs -allow_other -q '${encdir}' '${datadir}' <<<\"\${PASSWORD}\" 2>&1 | sed /^Switch/d |& tee /var/log/ncp-encrypt.log"
+ systemd-run -u ncp-encrypt -E PASSWORD bash -c "gocryptfs -fg -allow_other -q '${encdir}' '${datadir}' <<<\"\${PASSWORD}\" 2>&1 | sed /^Switch/d |& tee /var/log/ncp-encrypt.log"
+
+ maxtries=5
+ while [[ "$(systemctl is-active ncp-encrypt)" != "active" ]] || ! mount | grep -1 "${datadir}"
+ do
+ echo "Wating for encryption process to start... (${maxtries})"
+ sleep 3
+ maxtries=$((maxtries - 1))
+ [[ $maxtries -gt 0 ]] || return 1
+ done
 echo "Encrypting data..."
 mv "${tmpdir}"/* "${tmpdir}"/.[!.]* "${datadir}"
@@ -88,7 +108,7 @@ configure()
 set_ncpcfg datadir "${datadir}"
 echo "Data is now encrypted"
-)
+ }
 # License
diff --git a/ncp.sh b/ncp.sh
index 875dbe3a1..c2caedcd3 100644
--- a/ncp.sh
+++ b/ncp.sh
@@ -128,7 +128,7 @@ EOF
 cat > /home/www/ncp-app-bridge.sh <<'EOF'
 #!/bin/bash
-set -ex
+set -e
 grep -q '[\\&#;`|*?~<>^()[{}$&]' <<< "$*" && exit 1
 action="${1?}"
 [[ "$action" == "config" ]] && {
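Review bot: The restore branch of the new `cleanup` is dead code because `[[ -f "${tmpdir}" ]]` tests for a regular file while `${tmpdir}` is the directory that `mv "${datadir?}" "${tmpdir?}"` turns it into (`-d` is the intended test), and `trap cleanup 1` registers the handler for SIGHUP only, so neither the `set -e` failure path nor the `return 1` at the end of the wait loop ever moves the data back — the user is left with an empty `${datadir}` and the real data sitting in `${tmpdir}`. Once the branch does run it must be disarmed after `mv "${tmpdir}"/* "${tmpdir}"/.[!.]* "${datadir}"` has filled the mount (`trap - 1 ERR`), because from then on `rm -rf "${datadir?}"` would delete the freshly encrypted data, through the live mount if the preceding `umount … ||:` failed, so the removal should also be skipped while `mountpoint -q "${datadir}"` still succeeds. In the wait loop, `mount | grep -1 "${datadir}"` passes `-1` (one line of context, printed to the terminal) rather than `-q`, and matching the path as an unanchored regex also accepts any mount whose path merely contains it; `mountpoint -q "${datadir}"` is the exact check. `maxtries` should be `local` now that configure no longer runs in a subshell, and the message reads `Wating`. configure continues beyond the end of this hunk, so the disarm line sits on the hunk's last line in the excerpt below.
```shell
  cleanup() {
    umount "${datadir}" ||:
    # never delete through a mount that is still live
    mountpoint -q "${datadir}" && return
    # tmpdir holds the moved datadir, so it is a directory: -d, not -f
    [[ -d "${tmpdir}" ]] && {
      rm -rf "${datadir?}" ||:
      mv "${tmpdir}" "${datadir}"
      chown -R www-data:www-data "${datadir}"
    }
  }
  # fire on any failing command (set -e is active) as well as on SIGHUP
  trap cleanup 1 ERR
  trap restore_maintenance_mode EXIT
  # … unchanged: mv datadir to tmpdir, mkdir, systemctl reset-failed, systemd-run …
  local maxtries=5
  # mountpoint -q checks the exact mountpoint; a grep on the path also matches prefixes
  while [[ "$(systemctl is-active ncp-encrypt)" != "active" ]] || ! mountpoint -q "${datadir}"
  do
    echo "Waiting for encryption process to start... (${maxtries})"
    sleep 3
    maxtries=$((maxtries - 1))
    [[ $maxtries -gt 0 ]] || { cleanup; return 1; }
  done
  echo "Encrypting data..."
  mv "${tmpdir}"/* "${tmpdir}"/.[!.]* "${datadir}"
  # data now lives inside the mount; from here on cleanup would destroy it
  trap - 1 ERR
```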