Add database encryption system with initial backup

.gitignore

@@ -307,3 +307,5 @@ dist
 cypress/videos
 cypress/screenshots
 .vscode/settings.json
+
+webui.db

.space/Dockerfile

@@ -1,14 +0,0 @@
-FROM ghcr.io/open-webui/open-webui:main
-
-# Install gpg
-USER root
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends gpg && \
-    rm -rf /var/lib/apt/lists/* && \
-    gpg --version  # Verify installation
-
-# Set correct permissions
-RUN mkdir -p /app/backend/db_backup && \
-    chown -R 1000:1000 /app/backend/db_backup
-
-USER 1000

backend/scripts/db_crypt.sh

@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+BACKEND_DIR="$(realpath "$SCRIPT_DIR/..")"
+SPACE_NAME="thryyyyy/open-webui"
+
+function check_requirements() {
+    if ! command -v gpg >/dev/null; then
+        echo "Error: gpg is not installed"
+        return 1
+    fi
+}
+
+function validate_secrets() {
+    if [ -z "$BACKUP_PASSPHRASE" ]; then
+        echo "Error: BACKUP_PASSPHRASE secret not set"
+        return 1
+    fi
+
+    if [ -z "$HF_TOKEN" ]; then
+        echo "Error: HF_TOKEN secret not set"
+        return 1
+    fi
+}
+
+function decrypt_database() {
+    validate_secrets || return 1
+
+    mkdir -p "$BACKEND_DIR/data"
+
+    if [ -f "$BACKEND_DIR/db_backup/webui.db.gpg" ]; then
+        echo "Decrypting database backup..."
+        gpg --batch --yes --passphrase "$BACKUP_PASSPHRASE" -d \
+            -o "$BACKEND_DIR/data/webui.db" "$BACKEND_DIR/db_backup/webui.db.gpg"
+
+        if [ $? -eq 0 ]; then
+            echo "Database decrypted successfully"
+            return 0
+        else
+            echo "Failed to decrypt database"
+            return 1
+        fi
+    else
+        echo "No encrypted backup found at db_backup/webui.db.gpg"
+        # Not an error, might be first run
+        return 0
+    fi
+}
+
+function encrypt_database() {
+    validate_secrets || return 1
+
+    if [ ! -f "$BACKEND_DIR/data/webui.db" ]; then
+        echo "Database not found at data/webui.db"
+        return 1
+    fi
+
+    mkdir -p "$BACKEND_DIR/db_backup"
+
+    echo "Encrypting database..."
+    gpg --batch --yes --passphrase "$BACKUP_PASSPHRASE" -c --cipher-algo AES256 \
+        -o "$BACKEND_DIR/db_backup/webui.db.gpg" "$BACKEND_DIR/data/webui.db"
+
+    if [ $? -eq 0 ]; then
+        echo "Database encrypted successfully"
+        cd "$BACKEND_DIR" || exit 1
+
+        # Configure Git for this operation
+        git config --local user.email "[email protected]"
+        git config --local user.name "Space Bot"
+
+        echo "Committing and pushing changes..."
+        git add db_backup/webui.db.gpg
+        git commit -m "Update encrypted database backup"
+
+        # Push using the token
+        REPO_URL="https://user:[email protected]/spaces/$SPACE_NAME"
+        if git push "$REPO_URL" main; then
+            echo "Successfully pushed backup to repository"
+            cd - >/dev/null
+            return 0
+        else
+            echo "Failed to push to repository"
+            cd - >/dev/null
+            return 1
+        fi
+    else
+        echo "Failed to encrypt database"
+        return 1
+    fi
+}
+
+# Check requirements first
+check_requirements || exit 1
+
+# If script is run directly, default to encryption
+# (equivalent to fish's: if test (status filename) = (status -f))
+if [ "${BASH_SOURCE[0]}" = "$0" ]; then
+    encrypt_database
+fi

backend/start.sh

@@ -2,6 +2,11 @@
 
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 cd "$SCRIPT_DIR" || exit
+# Source encryption functions
+source scripts/db_crypt.sh
+
+# Check requirements and decrypt database if backup exists
+check_requirements && decrypt_database
 
 KEY_FILE=.webui_secret_key