feat: added crypttab setup with automount for LUKSv2 partitions, hide…

… PGP alerts from admins and suppress stack trace to instead show error message and alias username in full, fixed stripe fraud alert rate limiting issue
forwardemail · Dec 11, 2024 · c689e9a · c689e9a
1 parent 74d81bd
commit c689e9a
Show file tree

Hide file tree

Showing 4 changed files with 77 additions and 18 deletions.
diff --git a/README.md b/README.md
@@ -573,7 +573,7 @@ If you are provisioning servers after IPMI/VPN access, then you may need to take
    sudo deluser --remove-home ubuntu
    ```
 
-2. Resize the disk partiion to 100%:
+2. Resize the disk partition to 100%:
 
    ```sh
    df -h
@@ -583,10 +583,67 @@ If you are provisioning servers after IPMI/VPN access, then you may need to take
    df -h
    ```
 
-3. Setup crypttab for auto-mount of LUKS encrypted root volume.
+3. Setup `crypttab` for auto-mount of LUKS encrypted root volume:
+
+   > **Important:** if you have multiple LUKS devices you cannot use these steps below.
+   > Instead you will need to modify the one-liner commands below to specifically replace UUID value.
+   > This guide only accounts for one LUKS encrypted volume (e.g. use `sudo blkid | grep "crypto_LUKS"` or [refer to this guide](https://www.golinuxcloud.com/mount-luks-encrypted-disk-partition-linux/) to determine your values).
+
+   > Run the following commands individually:
+
+   ```sh
+   sudo mkdir /etc/luks
+   sudo dd if=/dev/urandom of=/etc/luks/root.keyfile bs=4096 count=1
+   sudo chmod 700 /etc/luks
+   sudo chmod 400 /etc/luks/root.keyfile
+   sudo cryptsetup luksAddKey $(sudo blkid | grep "crypto_LUKS" | cut -d ':' -f 1) /etc/luks/root.keyfile
+   echo "KEYFILE_PATTERN=/etc/luks/*.keyfile" | sudo tee -a /etc/cryptsetup-initramfs/conf-hook
+   echo "UMASK=0077" | sudo tee -a /etc/initramfs-tools/initramfs.conf
+   sudo sed -i '/dm_crypt-0/d' /etc/crypttab
+   echo "dm_crypt-0 UUID=$(sudo blkid | grep "crypto_LUKS" | cut -d '"' -f 2) /etc/luks/root.keyfile luks,discard" | sudo tee -a /etc/crypttab > /dev/null
+   ```
+
+   ```sh
+   sudo vim /etc/initramfs-tools/hooks/cryptroot
+   ```
+
+   ```diff
+   +#!/bin/sh
+   +cp /etc/crypttab "${DESTDIR}/cryptroot/crypttab"
+   +sed -i 's/\/etc\/luks\/root\.keyfile/\/cryptroot\/keyfiles\/dm_crypt-0\.key/' "${DESTDIR}/cryptroot/crypttab"
+   +exit 0
+   ```
+
+   ```sh
+   sudo chmod +x /etc/initramfs-tools/hooks/cryptroot
+   sudo update-initramfs -c -k all
+   ```
+
+4. If you get sent to a `BusyBox` shell on reboot, then something in your configuration is wrong.
+
+   Fortunately you can regain access by running the following command ([source](https://unix.stackexchange.com/questions/708445/etc-crypttab-not-updating-in-initramfs#:\~:text=I%20was%20able%20to%20successfully%20boot%20the%20system%20again%20by%20entering%20the%20following%20commands%20at%20the%20BusyBox%20prompt%3A)):
+
+   Note that the path to `/dev/nvme0n1p3` will instead be the path to your device in `/dev` that uses LUKS encryption for mounting as the root volume (in our case it's a NVMe SSD, hence `nvme` in the name).
+
+   ```sh
+   sudo cryptsetup luksOpen /dev/nvme0n1p3 dm_crypt-0
+   exit
+   ```
+
+   Additionally, you can inspect your `initrd` image (the generated file from `sudo update-initramfs -c -k all`) using these commands ([source](https://unix.stackexchange.com/a/767065)):
+
+   ```sh
+   sudo update-initramfs -c -k all
+   ```
 
    ```sh
-   TODO
+   sudo -i
+   rm -rf /tmp/x
+   mkdir /tmp/x
+   cd /tmp/x
+   unmkinitramfs -v /boot/initrd.img-$(uname -r) .
+   cd /tmp/x/main/cryptroot/crypttab
+   ll
    ```
 
 

diff --git a/helpers/imap/on-append.js b/helpers/imap/on-append.js
@@ -19,7 +19,6 @@ const bytes = require('@forwardemail/bytes');
 const dayjs = require('dayjs-with-plugins');
 const isHTML = require('is-html');
 const mongoose = require('mongoose');
-const parseErr = require('parse-err');
 const splitLines = require('split-lines');
 const { IMAPConnection } = require('wildduck/imap-core/lib/imap-connection');
 const { convert } = require('html-to-text');
@@ -32,7 +31,6 @@ const Mailboxes = require('#models/mailboxes');
 const Messages = require('#models/messages');
 const Threads = require('#models/threads');
 const WKD = require('#helpers/wkd');
-const config = require('#config');
 const email = require('#helpers/email');
 const encryptMessage = require('#helpers/encrypt-message');
 const getFingerprint = require('#helpers/get-fingerprint');
@@ -252,18 +250,19 @@ async function onAppend(path, flags, date, raw, session, fn) {
                   template: 'alert',
                   message: {
                     to: session.user.owner_full_email,
-                    cc: config.email.message.from,
+                    // cc: config.email.message.from,
                     subject: i18n.translate(
                       'PGP_ENCRYPTION_ERROR',
                       session.user.locale
                     )
                   },
                   locals: {
-                    message: `<pre><code>${JSON.stringify(
-                      parseErr(err),
-                      null,
-                      2
-                    )}</code></pre>`,
+                    message: `<strong>${session.user.username}</strong> &ndash; ${err.message}`,
+                    // message: `<pre><code>${JSON.stringify(
+                    //   parseErr(err),
+                    //   null,
+                    //   2
+                    // )}</code></pre>`,
                     locale: session.user.locale
                   }
                 })

diff --git a/helpers/parse-payload.js b/helpers/parse-payload.js
@@ -1155,18 +1155,19 @@ async function parsePayload(data, ws) {
                               template: 'alert',
                               message: {
                                 to: session.user.owner_full_email,
-                                cc: config.email.message.from,
+                                // cc: config.email.message.from,
                                 subject: i18n.translate(
                                   'PGP_ENCRYPTION_ERROR',
                                   session.user.locale
                                 )
                               },
                               locals: {
-                                message: `<pre><code>${safeStringify(
-                                  parseErr(err),
-                                  null,
-                                  2
-                                )}</code></pre>`,
+                                message: `<strong>${session.user.username}</strong> &ndash; ${err.message}`,
+                                // message: `<pre><code>${safeStringify(
+                                //   parseErr(err),
+                                //   null,
+                                //   2
+                                // )}</code></pre>`,
                                 locale: session.user.locale
                               }
                             })

diff --git a/jobs/stripe/fraud-check.js b/jobs/stripe/fraud-check.js
@@ -71,7 +71,9 @@ async function fraudCheck() {
   logger.info('Fetching Stripe customers');
   const customers = await getAllStripeCustomers();
   logger.info(`Started checking ${customers.length} Stripe customers`);
-  await pMap(customers, mapper, { concurrency: config.concurrency });
+  await pMap(customers, mapper, {
+    concurrency: Math.floor(config.concurrency / 2)
+  });
   logger.info(`Finished checking ${customers.length} Stripe customers`);
 }