refactor(de-sudo): funnel genuine system commands through runSystem
Foundation for a scoped sudoers: route every genuine system-admin command (systemctl/ufw/ufw-docker/nft/apt/apt-get/pacman/sysctl/useradd/usermod/service/wg/wg-quick/cscli/loginctl) through runSystem instead of raw sudo across 28 active scripts. runSystem is 'sudo "$@"' so this is byte-identical in every mode (safe on live installs) — it just collects all real-root use at one chokepoint that will define the eventual /etc/sudoers.d allowlist. Also: revert a crowdsec advice message the sweep wrongly rewrote (the admin types sudo, not runSystem), and give crontab_check_processor.sh the same startup bootstrap as the task processor — it runs standalone via cron and already used runFileOp/runFileWrite (undefined there), so it was silently broken; now it sources the helpers + docker-type config. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
parent
ab505ac012
commit
014d8e5fcc
@ -1,5 +1,5 @@
|
||||
#!/bin/bash
|
||||
|
||||
appCrowdSecAlertsList() {
|
||||
sudo cscli alerts list
|
||||
runSystem cscli alerts list
|
||||
}
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
#!/bin/bash
|
||||
|
||||
appCrowdSecConsoleDisable() {
|
||||
sudo cscli console disable -e all
|
||||
runSystem cscli console disable -e all
|
||||
checkSuccess "Console enrollment removed — no signals will leave this host"
|
||||
sudo systemctl reload crowdsec
|
||||
runSystem systemctl reload crowdsec
|
||||
}
|
||||
|
||||
@ -8,7 +8,7 @@ appCrowdSecConsoleEnroll() {
|
||||
isNotice "Get a token at https://app.crowdsec.net (free account). Enrolling shares attacker IPs + scenario names with CrowdSec SAS."
|
||||
return 1
|
||||
fi
|
||||
sudo cscli console enroll "$token"
|
||||
runSystem cscli console enroll "$token"
|
||||
checkSuccess "Enrolled with CrowdSec Console — community blocklists will start syncing"
|
||||
sudo systemctl reload crowdsec
|
||||
runSystem systemctl reload crowdsec
|
||||
}
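Review bot: The enrollment token on the `runSystem cscli console enroll "$token"` line travels as a command-line argument, so it is visible in `ps` to every local user and, because runSystem is sudo, is recorded verbatim in sudo's command log (auth.log / journal). If cscli can read the token from stdin or a file, prefer that path; otherwise mark the exposure so it is not forgotten when the allowlist is written, e.g. `# NOTE: the token is logged by sudo — treat this host's auth log as sensitive`. The empty-token check at the top of appCrowdSecConsoleEnroll sits above the hunk.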
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#!/bin/bash
|
||||
|
||||
appCrowdSecDecisionsList() {
|
||||
sudo cscli decisions list
|
||||
runSystem cscli decisions list
|
||||
}
|
||||
|
||||
@ -1,10 +1,10 @@
|
||||
#!/bin/bash
|
||||
|
||||
appCrowdSecHubUpdate() {
|
||||
sudo cscli hub update
|
||||
runSystem cscli hub update
|
||||
checkSuccess "Hub index refreshed"
|
||||
sudo cscli hub upgrade
|
||||
runSystem cscli hub upgrade
|
||||
checkSuccess "Installed collections upgraded"
|
||||
sudo systemctl reload crowdsec
|
||||
runSystem systemctl reload crowdsec
|
||||
checkSuccess "Reloaded CrowdSec to apply changes"
|
||||
}
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#!/bin/bash
|
||||
|
||||
appCrowdSecMetrics() {
|
||||
sudo cscli metrics
|
||||
runSystem cscli metrics
|
||||
}
|
||||
|
||||
@ -8,9 +8,9 @@ appCrowdSecStatus() {
|
||||
systemctl status crowdsec-firewall-bouncer --no-pager --lines=5 2>&1 | head -15
|
||||
echo
|
||||
echo "=== installed collections ==="
|
||||
sudo cscli collections list -o human 2>&1 | head -30
|
||||
runSystem cscli collections list -o human 2>&1 | head -30
|
||||
echo
|
||||
echo "=== machines + bouncers ==="
|
||||
sudo cscli machines list 2>&1
|
||||
sudo cscli bouncers list 2>&1
|
||||
runSystem cscli machines list 2>&1
|
||||
runSystem cscli bouncers list 2>&1
|
||||
}
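Review bot: The `systemctl status crowdsec-firewall-bouncer` call at the top of the hunk is the one system command in this file not routed through runSystem; `systemctl status` works unprivileged, so that is presumably deliberate, but once runSystem call sites define the sudoers allowlist a later sweep will "fix" it unless it is marked. Add `# unprivileged on purpose: systemctl status needs no root` above that line. The start of appCrowdSecStatus is above the hunk.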
|
||||
|
||||
@ -7,6 +7,6 @@ appCrowdSecUnban() {
|
||||
isNotice "No IP provided — pass ip=<address> via the Tools modal."
|
||||
return 1
|
||||
fi
|
||||
sudo cscli decisions delete --ip "$ip"
|
||||
runSystem cscli decisions delete --ip "$ip"
|
||||
checkSuccess "Removed decisions for $ip"
|
||||
}
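Review bot: `$ip` reaches the root-executed `runSystem cscli decisions delete --ip "$ip"` with no shape check, and the notice two lines above says it comes from the Tools modal, i.e. it is user-supplied. The quoting rules out shell injection, but a cheap allowlist before a root call narrows what can be passed at all and keeps the eventual sudoers rule for cscli simple: `[[ "$ip" =~ ^[0-9A-Fa-f.:]+(/[0-9]{1,3})?$ ]] || { isNotice "Not an IP/CIDR: $ip"; return 1; }`. The function header and the empty-check are above the hunk.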
|
||||
|
||||
@ -11,11 +11,11 @@ borgInstall()
|
||||
|
||||
isHeader "Installing BorgBackup"
|
||||
if command -v apt-get >/dev/null 2>&1; then
|
||||
sudo apt-get install -y borgbackup && return 0
|
||||
runSystem apt-get install -y borgbackup && return 0
|
||||
elif command -v dnf >/dev/null 2>&1; then
|
||||
sudo dnf install -y borgbackup && return 0
|
||||
elif command -v pacman >/dev/null 2>&1; then
|
||||
sudo pacman -S --noconfirm borg && return 0
|
||||
runSystem pacman -S --noconfirm borg && return 0
|
||||
fi
|
||||
|
||||
isError "Could not install BorgBackup — no supported package manager found."
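Review bot: The dnf branch still calls `sudo dnf install -y borgbackup` while the apt-get and pacman branches on either side of it moved to runSystem, so dnf is the one package manager this function will not reach once the planned sudoers.d allowlist is enforced. Either change it to `runSystem dnf install -y borgbackup` as well, or add `# dnf intentionally left on raw sudo (not on the allowlist)` so the omission is visibly deliberate. borgInstall begins above the hunk.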
|
||||
|
||||
@ -21,14 +21,14 @@ checkInstallTypeRequirement()
|
||||
{
|
||||
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
|
||||
ISCOMP=$( (docker compose -v ) 2>&1 )
|
||||
ISUFW=$( (sudo ufw status ) 2>&1 )
|
||||
ISUFW=$( (runSystem ufw status ) 2>&1 )
|
||||
ISUFWD=$( (sudo ufw-docker) 2>&1 )
|
||||
|
||||
resolveDockerInstallUser
|
||||
|
||||
if [[ $CFG_DOCKER_INSTALL_TYPE == "rooted" ]]; then
|
||||
# Used for checking if rooted docket is active
|
||||
ISACT=$( (sudo systemctl is-active docker ) 2>&1 )
|
||||
ISACT=$( (runSystem systemctl is-active docker ) 2>&1 )
|
||||
elif [[ $CFG_DOCKER_INSTALL_TYPE == "rootless" ]]; then
|
||||
# Used for checking the rootless user
|
||||
local ISUSER=$( (sudo id -u "$CFG_DOCKER_INSTALL_USER"))
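Review bot: `ISUFWD=$( (sudo ufw-docker) 2>&1 )` keeps raw sudo even though ufw-docker is on the commit's list of funneled commands, so an allowlist derived from runSystem call sites will miss this probe. Make it `ISUFWD=$( (runSystem ufw-docker) 2>&1 )`, matching the `ufw status` line directly above. The `sudo id -u "$CFG_DOCKER_INSTALL_USER"` line at the end of the hunk is a different case (it needs no root at all — `id -u` works for any user), so drop the sudo there rather than convert it. checkInstallTypeRequirement continues past the hunk.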
|
||||
|
||||
@ -4,7 +4,7 @@ checkWebUISystemdRequirement()
|
||||
{
|
||||
if [[ $CFG_REQUIREMENT_WEBUI_SERVICE == "true" ]]; then
|
||||
### Check if systemd service is running
|
||||
if sudo systemctl is-active --quiet libreportal.service; then
|
||||
if runSystem systemctl is-active --quiet libreportal.service; then
|
||||
isSuccessful "LibrePortal task processor service is running."
|
||||
else
|
||||
isNotice "LibrePortal task processor service is not running."
|
||||
|
||||
@ -10,9 +10,9 @@ installCrontab()
|
||||
ISCRON=$( (sudo -u $sudo_user_name crontab -l) 2>&1 )
|
||||
if [[ "$ISCRON" == *"command not found"* ]]; then
|
||||
isNotice "Crontab is not installed, setting up now."
|
||||
local result=$(sudo apt update)
|
||||
local result=$(runSystem apt update)
|
||||
checkSuccess "Updating apt for post installation"
|
||||
local result=$(sudo apt install cron -y)
|
||||
local result=$(runSystem apt install cron -y)
|
||||
isSuccessful "Installing crontab application"
|
||||
local result=$(sudo -u $sudo_user_name crontab -l)
|
||||
isSuccessful "Enabling crontab on the system"
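Review bot: `local result=$(runSystem apt update)` and the `apt install cron -y` line below it discard the command's exit status — `local` returns 0 regardless — so if checkSuccess reads `$?` (its body is not visible here) a failed install is reported as success. Declare and assign separately, `local result; result=$(runSystem apt update)`, which is the shape checkSuccess can observe. `apt` also warns that its CLI is not stable for scripts; `apt-get` is what the rest of this commit uses. installCrontab starts above the hunk.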
|
||||
|
||||
@ -10,6 +10,26 @@ script_check_processor_flag="$1"
|
||||
# Only run when executed directly, not when sourced
|
||||
if [[ "$script_check_processor_flag" == "start_script" ]]; then
|
||||
|
||||
# --- Load the privilege helpers + docker-type config -------------------------
|
||||
# cron runs this standalone, so the de-sudo helpers (runFileOp/runFileWrite/
|
||||
# runSystem) and the config they key off are NOT otherwise in scope — without
|
||||
# them every privileged op is "command not found". Same bootstrap as
|
||||
# crontab_task_processor.sh. These files are pure function/var defs, safe to
|
||||
# source.
|
||||
LP_SCRIPTS="${install_scripts_dir:-/docker/install/scripts/}"
|
||||
LP_DOCKER_CFG="/docker/configs/general/general_docker_install"
|
||||
[[ -f "$LP_DOCKER_CFG" ]] && \
|
||||
eval "$(grep -E '^CFG_DOCKER_INSTALL_(TYPE|USER)=' "$LP_DOCKER_CFG" | sed 's/[[:space:]]*#.*//')"
|
||||
: "${sudo_user_name:=libreportal}"
|
||||
: "${containers_dir:=/docker/containers/}"
|
||||
: "${docker_dir:=/docker}"
|
||||
for _lp_f in docker/command/run_privileged.sh \
|
||||
docker/command/docker_run_install.sh \
|
||||
checks/requirements/check_install_type.sh; do
|
||||
[[ -f "${LP_SCRIPTS}${_lp_f}" ]] && source "${LP_SCRIPTS}${_lp_f}"
|
||||
done
|
||||
command -v resolveDockerInstallUser >/dev/null 2>&1 && resolveDockerInstallUser
|
||||
|
||||
# ========================================
|
||||
# HEALTH CHECK CONFIGURATION
|
||||
# ========================================
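Review bot: The config load `eval "$(grep -E '^CFG_DOCKER_INSTALL_(TYPE|USER)=' "$LP_DOCKER_CFG" | sed ...)"` executes whatever follows the `=` on those two lines — the grep anchors only the key names, so a value like `CFG_DOCKER_INSTALL_USER=$(...)` or one ending in `; cmd` runs arbitrary commands in this cron job's context, and this is the unattended, standalone entry point the commit message describes. The file's ownership is not visible here; if it is ever writable by an account other than the one cron runs this as, that is a privilege-escalation path. Parse the two values instead of evaluating them, assigning only when the value is a plain token. Separately, `"${LP_SCRIPTS}${_lp_f}"` relies on `install_scripts_dir` carrying a trailing slash, which the default has but an override may not; `"${LP_SCRIPTS%/}/${_lp_f}"` is safe either way.
```shell
LP_DOCKER_CFG="/docker/configs/general/general_docker_install"
if [[ -f "$LP_DOCKER_CFG" ]]; then
  # Assign only the two expected keys, and only simple token values —
  # never eval the file: a writable config would otherwise be code
  # execution in this cron job's context.
  while IFS='=' read -r _lp_k _lp_v; do
    if [[ "$_lp_v" =~ ^\"?([A-Za-z0-9._-]+)\"?[[:space:]]*(#.*)?$ ]]; then
      printf -v "$_lp_k" '%s' "${BASH_REMATCH[1]}"
    fi
  done < <(grep -E '^CFG_DOCKER_INSTALL_(TYPE|USER)=' "$LP_DOCKER_CFG")
fi
# … unchanged: defaults for sudo_user_name/containers_dir/docker_dir …
for _lp_f in docker/command/run_privileged.sh \
             docker/command/docker_run_install.sh \
             checks/requirements/check_install_type.sh; do
  [[ -f "${LP_SCRIPTS%/}/${_lp_f}" ]] && source "${LP_SCRIPTS%/}/${_lp_f}"
done
# … unchanged: resolveDockerInstallUser call …
```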
|
||||
|
||||
@ -6,11 +6,11 @@ installDockerRootedCheck()
|
||||
#### Test if Docker Service is Running ###
|
||||
##########################################
|
||||
if [[ $CFG_DOCKER_INSTALL_TYPE == "rooted" ]]; then
|
||||
ISACT=$( (sudo systemctl is-active docker ) 2>&1 )
|
||||
ISACT=$( (runSystem systemctl is-active docker ) 2>&1 )
|
||||
if [[ "$ISACT" != "active" ]]; then
|
||||
isNotice "Checking Docker service status. Waiting if not found."
|
||||
while [[ "$ISACT" != "active" ]] && [[ $X -le 10 ]]; do
|
||||
sudo systemctl start docker | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
|
||||
runSystem systemctl start docker | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
|
||||
sleep 10s &
|
||||
pid=$! # Process Id of the previous running command
|
||||
spin='-\|/'
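Review bot: In `runSystem systemctl start docker | sudo tee -a "$logs_dir/$docker_log_file" 2>&1` the pipeline's status is tee's, so a failed start is never seen, and the `2>&1` binds to tee only — systemctl's own error text bypasses the log file. The `sudo tee` append is also a root file write left on raw sudo; it belongs with the runFileWrite helper the commit message mentions, if that helper can append. Log both streams and keep the status observable: `runSystem systemctl start docker 2>&1 | sudo tee -a "$logs_dir/$docker_log_file"` together with `${PIPESTATUS[0]}` (or `set -o pipefail`) if the result is to be checked. The retry loop and the initialisation of `$X` run past the hunk.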
|
||||
@ -22,7 +22,7 @@ installDockerRootedCheck()
|
||||
sleep .1
|
||||
done
|
||||
printf "\r"
|
||||
ISACT=`sudo systemctl is-active docker`
|
||||
ISACT=`runSystem systemctl is-active docker`
|
||||
let X=X+1
|
||||
echo "$X"
|
||||
done
|
||||
|
||||
@ -16,10 +16,10 @@ installDockerRootless()
|
||||
local docker_install_user_id=$(id -u "$CFG_DOCKER_INSTALL_USER")
|
||||
local docker_install_bashrc="/home/$CFG_DOCKER_INSTALL_USER/.bashrc"
|
||||
|
||||
local result=$(sudo apt-get install -y apt-transport-https ca-certificates curl gnupg software-properties-common uidmap dbus-user-session fuse-overlayfs passt)
|
||||
local result=$(runSystem apt-get install -y apt-transport-https ca-certificates curl gnupg software-properties-common uidmap dbus-user-session fuse-overlayfs passt)
|
||||
checkSuccess "Installing necessary packages"
|
||||
|
||||
local result=$(sudo systemctl disable --now docker.service docker.socket)
|
||||
local result=$(runSystem systemctl disable --now docker.service docker.socket)
|
||||
checkSuccess "Disabling Docker service & Socket"
|
||||
|
||||
((menu_number++))
|
||||
@ -30,7 +30,7 @@ installDockerRootless()
|
||||
# slirp4netns update and install
|
||||
if ! command -v slirp4netns &> /dev/null; then
|
||||
isNotice "slirp4netns is not installed. Installing..."
|
||||
local result=$(sudo apt-get install -y slirp4netns)
|
||||
local result=$(runSystem apt-get install -y slirp4netns)
|
||||
checkSuccess "Installing slirp4netns"
|
||||
else
|
||||
isNotice "slirp4netns is already installed"
|
||||
@ -39,9 +39,9 @@ installDockerRootless()
|
||||
if [[ "$installed_version" != "$latest_version" ]]; then
|
||||
isNotice "slirp4netns version $installed_version is outdated."
|
||||
isNotice "Installing version $latest_version..."
|
||||
local result=$(sudo apt-get update)
|
||||
local result=$(runSystem apt-get update)
|
||||
checkSuccess "Updating apt packages"
|
||||
local result=$(sudo apt-get install -y slirp4netns)
|
||||
local result=$(runSystem apt-get install -y slirp4netns)
|
||||
checkSuccess "Installing slirp4netns"
|
||||
else
|
||||
isSuccessful "slirp4netns version $installed_version is up to date"
|
||||
@ -58,7 +58,7 @@ installDockerRootless()
|
||||
else
|
||||
local result=$(echo "kernel.unprivileged_userns_clone=1" | sudo tee -a $sysctl > /dev/null)
|
||||
checkSuccess "Adding kernel.unprivileged_userns_clone=1 to $sysctl..."
|
||||
local result=$(sudo sysctl --system)
|
||||
local result=$(runSystem sysctl --system)
|
||||
checkSuccess "Running sudo -u $sudo_user_name sysctl --system..."
|
||||
fi
|
||||
fi
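Review bot: The checkSuccess text `"Running sudo -u $sudo_user_name sysctl --system..."` no longer describes the command on the line above it, which is `runSystem sysctl --system` — root, with no `-u` anywhere in this hunk. Misleading audit text matters now that root usage is being catalogued; change it to `checkSuccess "Running sysctl --system"`. The `sudo tee -a $sysctl` two lines up also leaves `$sysctl` unquoted and is a root write still on raw sudo. installDockerRootless continues on both sides of the hunk.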
|
||||
@ -97,7 +97,7 @@ installDockerRootless()
|
||||
echo "---- $menu_number. Setting up Rootless Docker."
|
||||
echo ""
|
||||
|
||||
local result=$(sudo loginctl enable-linger $CFG_DOCKER_INSTALL_USER)
|
||||
local result=$(runSystem loginctl enable-linger $CFG_DOCKER_INSTALL_USER)
|
||||
checkSuccess "Adding automatic start (linger)"
|
||||
|
||||
# Rootless Install
|
||||
@ -216,7 +216,7 @@ net.core.bpf_jit_harden=2
|
||||
EOL
|
||||
checkSuccess "Writing kernel LPE-surface hardening to $hardening_conf"
|
||||
|
||||
local result=$(sudo sysctl --system)
|
||||
local result=$(runSystem sysctl --system)
|
||||
checkSuccess "Applying changes to sysctl"
|
||||
|
||||
menu_number=0
|
||||
|
||||
@ -12,7 +12,7 @@ installDockerRootlessUser()
|
||||
# -m makes its home; with SUB_UID/GID configured in login.defs,
|
||||
# useradd also assigns its subordinate uid/gid ranges (needed for
|
||||
# rootless). Run unmasked so checkSuccess sees real failures.
|
||||
sudo useradd -m -s /bin/bash -d "/home/$CFG_DOCKER_INSTALL_USER" "$CFG_DOCKER_INSTALL_USER"
|
||||
runSystem useradd -m -s /bin/bash -d "/home/$CFG_DOCKER_INSTALL_USER" "$CFG_DOCKER_INSTALL_USER"
|
||||
checkSuccess "Creating $CFG_DOCKER_INSTALL_USER User."
|
||||
updateDockerInstallPassword;
|
||||
fi
|
||||
|
||||
@ -3,16 +3,16 @@
|
||||
dockerServiceStart()
|
||||
{
|
||||
if [[ $CFG_DOCKER_INSTALL_TYPE == "rooted" ]]; then
|
||||
local result=$(sudo systemctl start docker)
|
||||
local result=$(runSystem systemctl start docker)
|
||||
checkSuccess "Starting Docker Service"
|
||||
|
||||
local result=$(sudo systemctl enable docker)
|
||||
local result=$(runSystem systemctl enable docker)
|
||||
checkSuccess "Enabling Docker Service"
|
||||
|
||||
local result=$(sudo usermod -aG docker $sudo_user_name)
|
||||
local result=$(runSystem usermod -aG docker $sudo_user_name)
|
||||
checkSuccess "Adding user to 'docker' group"
|
||||
|
||||
local result=$(sudo systemctl restart docker)
|
||||
local result=$(runSystem systemctl restart docker)
|
||||
checkSuccess "Restarting Docker service after group addition."
|
||||
elif [[ $CFG_DOCKER_INSTALL_TYPE == "rootless" ]]; then
|
||||
installDockerRootless;
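Review bot: `runSystem usermod -aG docker $sudo_user_name` is the one line in this hunk that hands out root-equivalent access — membership of the docker group controls the rooted daemon's socket — and `$sudo_user_name` is unquoted. Quote it and leave a marker for the planned allowlist, since a sudoers entry for usermod must be pinned to exactly this argument pattern rather than `usermod *`: `runSystem usermod -aG docker "$sudo_user_name"  # grants docker-socket (root-equivalent) access`. dockerServiceStart continues past the hunk.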
|
||||
|
||||
@ -8,10 +8,10 @@ dockerServiceStop()
|
||||
if [[ "$docker_rooted_found" == "true" ]]; then
|
||||
isNotice "Stopping rooted Docker service...this may take a moment..."
|
||||
|
||||
local result=$(sudo systemctl stop docker)
|
||||
local result=$(runSystem systemctl stop docker)
|
||||
checkSuccess "Stopping Rooted Docker Service"
|
||||
|
||||
local result=$(sudo systemctl disable docker)
|
||||
local result=$(runSystem systemctl disable docker)
|
||||
checkSuccess "Disabling Rooted Docker Service"
|
||||
fi
|
||||
fi
|
||||
|
||||
@ -75,10 +75,10 @@ installCrowdsecHost()
|
||||
echo "---- $menu_number. Enabling CrowdSec services."
|
||||
echo ""
|
||||
|
||||
local result=$(sudo systemctl enable --now crowdsec)
|
||||
local result=$(runSystem systemctl enable --now crowdsec)
|
||||
checkSuccess "Enabling CrowdSec agent"
|
||||
|
||||
local result=$(sudo systemctl enable --now crowdsec-firewall-bouncer)
|
||||
local result=$(runSystem systemctl enable --now crowdsec-firewall-bouncer)
|
||||
checkSuccess "Enabling CrowdSec firewall bouncer"
|
||||
|
||||
((menu_number++))
|
||||
@ -86,13 +86,13 @@ installCrowdsecHost()
|
||||
echo "---- $menu_number. Installing baseline collections."
|
||||
echo ""
|
||||
|
||||
local result=$(sudo cscli collections install crowdsecurity/linux)
|
||||
local result=$(runSystem cscli collections install crowdsecurity/linux)
|
||||
checkSuccess "Installing crowdsecurity/linux collection"
|
||||
|
||||
local result=$(sudo cscli collections install crowdsecurity/sshd)
|
||||
local result=$(runSystem cscli collections install crowdsecurity/sshd)
|
||||
checkSuccess "Installing crowdsecurity/sshd collection"
|
||||
|
||||
local result=$(sudo systemctl reload crowdsec)
|
||||
local result=$(runSystem systemctl reload crowdsec)
|
||||
checkSuccess "Reloading CrowdSec to pick up collections"
|
||||
|
||||
((menu_number++))
|
||||
@ -106,14 +106,14 @@ installCrowdsecHost()
|
||||
# unregistering. Idempotent on either branch.
|
||||
local community_blocklist="${CFG_CROWDSEC_COMMUNITY_BLOCKLIST:-true}"
|
||||
if [[ "$community_blocklist" == "true" ]]; then
|
||||
if sudo cscli capi status 2>&1 | grep -qi 'You can successfully'; then
|
||||
if runSystem cscli capi status 2>&1 | grep -qi 'You can successfully'; then
|
||||
isNotice "Community blocklist already registered."
|
||||
else
|
||||
local result=$(sudo cscli capi register 2>&1)
|
||||
local result=$(runSystem cscli capi register 2>&1)
|
||||
checkSuccess "Registered with CrowdSec Central API (community blocklist)"
|
||||
fi
|
||||
else
|
||||
local result=$(sudo cscli capi unregister 2>&1)
|
||||
local result=$(runSystem cscli capi unregister 2>&1)
|
||||
checkSuccess "Unregistered from CrowdSec Central API (community blocklist disabled)"
|
||||
fi
|
||||
|
||||
@ -129,19 +129,19 @@ installCrowdsecHost()
|
||||
local console_enroll="${CFG_CROWDSEC_CONSOLE_ENROLL:-false}"
|
||||
local console_token="${CFG_CROWDSEC_CONSOLE_TOKEN:-}"
|
||||
local enrolled=false
|
||||
sudo cscli console status 2>&1 | grep -qi 'enrolled' && enrolled=true
|
||||
runSystem cscli console status 2>&1 | grep -qi 'enrolled' && enrolled=true
|
||||
if [[ "$console_enroll" == "true" ]]; then
|
||||
if [[ -z "$console_token" ]]; then
|
||||
isNotice "Console enrollment ON but CFG_CROWDSEC_CONSOLE_TOKEN is empty — paste your token from app.crowdsec.net to complete."
|
||||
elif [[ "$enrolled" == true ]]; then
|
||||
isNotice "Already enrolled with the SaaS console — skipping."
|
||||
else
|
||||
local result=$(sudo cscli console enroll "$console_token" 2>&1)
|
||||
local result=$(runSystem cscli console enroll "$console_token" 2>&1)
|
||||
checkSuccess "Enrolled with app.crowdsec.net SaaS console"
|
||||
fi
|
||||
else
|
||||
if [[ "$enrolled" == true ]]; then
|
||||
local result=$(sudo cscli console disenroll 2>&1)
|
||||
local result=$(runSystem cscli console disenroll 2>&1)
|
||||
checkSuccess "Disenrolled from app.crowdsec.net SaaS console"
|
||||
else
|
||||
isNotice "SaaS console enrollment disabled — skipping."
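Review bot: `runSystem cscli console status 2>&1 | grep -qi 'enrolled' && enrolled=true` is an unanchored substring test, so any status line containing the word — a negative such as "not enrolled", should cscli ever print one (its exact wording is not visible here) — sets `enrolled=true` and skips the enroll branch. Capture the output once and reject the negative form: `cs_status=$(runSystem cscli console status 2>&1)` then `[[ "$cs_status" =~ [Ee]nrolled && ! "$cs_status" =~ [Nn]ot[[:space:]]+enrolled ]] && enrolled=true`. The enroll call further down also passes `$console_token` on argv, where sudo logs it verbatim. installCrowdsecHost continues on both sides of the hunk.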
|
||||
@ -161,7 +161,7 @@ installCrowdsecHost()
|
||||
if [[ -f "$lapi_cfg" ]] && ! sudo grep -qE 'listen_uri:[[:space:]]*0\.0\.0\.0:8080' "$lapi_cfg"; then
|
||||
sudo sed -i 's|listen_uri:.*|listen_uri: 0.0.0.0:8080|' "$lapi_cfg"
|
||||
checkSuccess "LAPI bound to 0.0.0.0:8080"
|
||||
sudo systemctl restart crowdsec
|
||||
runSystem systemctl restart crowdsec
|
||||
checkSuccess "CrowdSec restarted"
|
||||
else
|
||||
isNotice "LAPI already bound to 0.0.0.0:8080 — skipping."
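Review bot: The `runSystem systemctl restart crowdsec` in this hunk applies the sed two lines above it, which rebinds the LAPI to `0.0.0.0:8080` — after this point the API that accepts bouncer and machine credentials listens on every interface, not only the docker bridge the containers presumably need. Confirm that a firewall step elsewhere in this function restricts 8080 to the bridge network, and record the intent next to the sed: `# LAPI on all interfaces so containers can reach it — 8080 must stay firewalled from the outside`. The `sudo grep` / `sudo sed -i` pair is a root file edit still on raw sudo. installCrowdsecHost continues on both sides of the hunk.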
|
||||
@ -189,7 +189,7 @@ installCrowdsecHost()
|
||||
s|listen_port:.*|listen_port: ${prom_port}|
|
||||
}" "$cs_cfg"
|
||||
checkSuccess "CrowdSec metrics endpoint bound to ${prom_listen}"
|
||||
sudo systemctl restart crowdsec
|
||||
runSystem systemctl restart crowdsec
|
||||
checkSuccess "CrowdSec restarted"
|
||||
else
|
||||
isNotice "CrowdSec metrics already bound to ${prom_addr} — skipping."
|
||||
@ -197,7 +197,7 @@ installCrowdsecHost()
|
||||
elif [[ -f "$cs_cfg" ]] && sudo grep -qE 'listen_addr:[[:space:]]*0\.0\.0\.0' "$cs_cfg"; then
|
||||
sudo sed -i "/^prometheus:/,/^[^[:space:]#]/ s|listen_addr:.*|listen_addr: 127.0.0.1|" "$cs_cfg"
|
||||
checkSuccess "CrowdSec metrics endpoint rebound to 127.0.0.1 (monitoring off)"
|
||||
sudo systemctl restart crowdsec
|
||||
runSystem systemctl restart crowdsec
|
||||
checkSuccess "CrowdSec restarted"
|
||||
else
|
||||
isNotice "Monitoring off — CrowdSec metrics endpoint left at its default."
|
||||
@ -217,9 +217,9 @@ installCrowdsecHost()
|
||||
local key_file="/etc/crowdsec/traefik_bouncer.key"
|
||||
local cfg_file="/docker/configs/security/security_crowdsec"
|
||||
|
||||
if ! sudo cscli bouncers list -o raw 2>/dev/null | grep -q '^traefik-bouncer'; then
|
||||
if ! runSystem cscli bouncers list -o raw 2>/dev/null | grep -q '^traefik-bouncer'; then
|
||||
local bouncer_key
|
||||
bouncer_key=$(sudo cscli bouncers add traefik-bouncer -o raw 2>&1 | tail -1)
|
||||
bouncer_key=$(runSystem cscli bouncers add traefik-bouncer -o raw 2>&1 | tail -1)
|
||||
if [[ -n "$bouncer_key" && "$bouncer_key" != *"error"* ]]; then
|
||||
echo "$bouncer_key" | sudo tee "$key_file" >/dev/null
|
||||
sudo chown libreportal:libreportal "$key_file"
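Review bot: `bouncer_key=$(runSystem cscli bouncers add traefik-bouncer -o raw 2>&1 | tail -1)` merges stderr into the captured value, so on failure `bouncer_key` holds the last line of an error message and only the `*"error"*` substring test on the next line stands between that text and being written to `$key_file`. Use `2>/dev/null` rather than `2>&1` so diagnostic text can never be captured as a key. The key is then written with `sudo tee`, which creates the file under the caller's umask; only a chown is visible in the hunk, so make sure a `chmod 600 "$key_file"` follows if it is not already there. installCrowdsecHost continues past the hunk.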
|
||||
@ -250,16 +250,16 @@ installCrowdsecHost()
|
||||
# The firewall bouncer needs a moment to install its nftables table
|
||||
# after enable. Poll up to ~10s before deciding it's missing.
|
||||
local _wait=0
|
||||
until sudo nft list tables 2>/dev/null | grep -qiE 'crowdsec' || [[ $_wait -ge 10 ]]; do
|
||||
until runSystem nft list tables 2>/dev/null | grep -qiE 'crowdsec' || [[ $_wait -ge 10 ]]; do
|
||||
sleep 1; _wait=$((_wait+1))
|
||||
done
|
||||
|
||||
if ! sudo nft list tables 2>/dev/null | grep -qiE 'crowdsec'; then
|
||||
if ! runSystem nft list tables 2>/dev/null | grep -qiE 'crowdsec'; then
|
||||
isNotice "CrowdSec nftables table not yet present after ${_wait}s. Bouncer may still be starting; re-run the verification Tools action in a minute if rules don't appear."
|
||||
else
|
||||
local cs_prio ufw_prio
|
||||
cs_prio=$(sudo nft list ruleset 2>/dev/null | awk '/table .* crowdsec/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}')
|
||||
ufw_prio=$(sudo nft list ruleset 2>/dev/null | awk '/chain ufw[a-z0-9-]*input/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}')
|
||||
cs_prio=$(runSystem nft list ruleset 2>/dev/null | awk '/table .* crowdsec/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}')
|
||||
ufw_prio=$(runSystem nft list ruleset 2>/dev/null | awk '/chain ufw[a-z0-9-]*input/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}')
|
||||
|
||||
if [[ -z "$ufw_prio" ]]; then
|
||||
isSuccessful "UFW not in nftables — no ordering needed (CrowdSec prio: ${cs_prio:-?})."
|
||||
@ -291,10 +291,10 @@ installCrowdsecHost()
|
||||
echo "---- $menu_number. Re-enabling CrowdSec services."
|
||||
echo ""
|
||||
|
||||
local result=$(sudo systemctl enable --now crowdsec)
|
||||
local result=$(runSystem systemctl enable --now crowdsec)
|
||||
checkSuccess "Enabling CrowdSec agent"
|
||||
|
||||
local result=$(sudo systemctl enable --now crowdsec-firewall-bouncer)
|
||||
local result=$(runSystem systemctl enable --now crowdsec-firewall-bouncer)
|
||||
checkSuccess "Enabling CrowdSec firewall bouncer"
|
||||
|
||||
isSuccessful "CrowdSec services re-enabled."
|
||||
@ -312,10 +312,10 @@ installCrowdsecHost()
|
||||
echo "---- $menu_number. Stopping and disabling CrowdSec services."
|
||||
echo ""
|
||||
|
||||
local result=$(sudo systemctl disable --now crowdsec-firewall-bouncer 2>&1)
|
||||
local result=$(runSystem systemctl disable --now crowdsec-firewall-bouncer 2>&1)
|
||||
checkSuccess "Disabling CrowdSec firewall bouncer"
|
||||
|
||||
local result=$(sudo systemctl disable --now crowdsec 2>&1)
|
||||
local result=$(runSystem systemctl disable --now crowdsec 2>&1)
|
||||
checkSuccess "Disabling CrowdSec agent"
|
||||
|
||||
isSuccessful "CrowdSec disabled. Package remains installed — set CFG_CROWDSEC_ENABLED=true to re-enable, or uninstall via the Tools tab."
|
||||
|
||||
@ -3,7 +3,7 @@
|
||||
installUFW()
|
||||
{
|
||||
if [[ "$CFG_REQUIREMENT_UFW" == "true" ]]; then
|
||||
ISUFW=$( (sudo ufw status ) 2>&1 )
|
||||
ISUFW=$( (runSystem ufw status ) 2>&1 )
|
||||
if [[ "$ISUFW" == *"command not found"* ]]; then
|
||||
isHeader "Install UFW Firewall"
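Review bot: `ISUFW=$( (runSystem ufw status ) 2>&1 )` feeds a test for the substring `command not found` that decides whether UFW needs installing. That text appears only when the binary is missing; once runSystem is backed by a scoped sudoers, a denied command yields sudo's "not allowed" message instead, which falls through to "already installed" and silently skips the install. Testing presence directly is robust in both modes: `if ! command -v ufw >/dev/null 2>&1; then`. installUFW continues past the hunk.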
|
||||
|
||||
@ -12,7 +12,7 @@ installUFW()
|
||||
echo "---- $menu_number. Installing using linux package installer"
|
||||
echo ""
|
||||
|
||||
local result=$(yes | sudo apt-get install ufw )
|
||||
local result=$(yes | runSystem apt-get install ufw )
|
||||
checkSuccess "Installing UFW package"
|
||||
|
||||
# ((menu_number++))
|
||||
@ -27,9 +27,9 @@ installUFW()
|
||||
# ssh_port=${ssh_port:-22} # Default to 22 if not found
|
||||
# fi
|
||||
|
||||
# local result=$(sudo ufw allow $ssh_port)
|
||||
# local result=$(runSystem ufw allow $ssh_port)
|
||||
# checkSuccess "Enabling Port $ssh_port through the firewall"
|
||||
# local result=$(sudo ufw allow ssh)
|
||||
# local result=$(runSystem ufw allow ssh)
|
||||
# checkSuccess "Enabling SSH through the firewall"
|
||||
|
||||
# while true; do
|
||||
@ -42,13 +42,13 @@ installUFW()
|
||||
# done
|
||||
|
||||
# if [[ "$UFWSSH" == [nN] ]]; then
|
||||
# local result=$(sudo ufw deny $ssh_port)
|
||||
# local result=$(runSystem ufw deny $ssh_port)
|
||||
# checkSuccess "Blocking Port $ssh_port through the firewall"
|
||||
# local result=$(sudo ufw deny ssh)
|
||||
# local result=$(runSystem ufw deny ssh)
|
||||
# checkSuccess "Blocking SSH through the firewall"
|
||||
# fi
|
||||
|
||||
local result=$(sudo ufw --force enable)
|
||||
local result=$(runSystem ufw --force enable)
|
||||
checkSuccess "Enabling UFW Firewall"
|
||||
|
||||
((menu_number++))
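Review bot: `runSystem ufw --force enable` turns the firewall on while every SSH allow rule in this function is commented out (the `ufw allow $ssh_port` / `ufw allow ssh` lines above it). If UFW's default incoming policy is deny — its stock setting — and this runs over SSH, the session is cut and the host is locked out. Restore an allow rule before the enable, `runSystem ufw allow "${ssh_port:-22}/tcp"`, or at minimum put `# WARNING: enabling without an SSH allow rule locks out remote sessions` above the line. installUFW continues on both sides of the hunk.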
|
||||
@ -56,7 +56,7 @@ installUFW()
|
||||
echo "---- $menu_number. Changing logging options"
|
||||
echo ""
|
||||
|
||||
local result=$(yes | sudo ufw logging $CFG_UFW_LOGGING)
|
||||
local result=$(yes | runSystem ufw logging $CFG_UFW_LOGGING)
|
||||
checkSuccess "Disabling UFW Firewall Logging"
|
||||
|
||||
isSuccessful "UFW Firewall has been installed, you can use ufw status to see the status"
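Review bot: `yes | runSystem ufw logging $CFG_UFW_LOGGING` passes the config value unquoted, and the checkSuccess below it says "Disabling UFW Firewall Logging" whatever the value is — with `CFG_UFW_LOGGING=on` the log claims logging was disabled. Quote the value and make the message follow it: `runSystem ufw logging "$CFG_UFW_LOGGING"` / `checkSuccess "Setting UFW logging to $CFG_UFW_LOGGING"`. As far as I know `ufw logging` never prompts, so the `yes |` can go too. installUFW begins above the hunk.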
|
||||
|
||||
@ -23,10 +23,10 @@ installUFWDocker()
|
||||
local result=$(sudo chmod +x $ufwpath)
|
||||
checkSuccess "Setting permissions for install files"
|
||||
|
||||
local result=$(sudo ufw-docker install > /dev/null 2>&1)
|
||||
local result=$(runSystem ufw-docker install > /dev/null 2>&1)
|
||||
checkSuccess "Installing UFW Docker"
|
||||
|
||||
local result=$(sudo systemctl restart ufw)
|
||||
local result=$(runSystem systemctl restart ufw)
|
||||
checkSuccess "Restarting UFW Firewall service"
|
||||
|
||||
isSuccessful "UFW-Docker has been installed, you can use ufw-docker to see the available commands"
|
||||
|
||||
@ -10,7 +10,7 @@ installDockerManagerUser()
|
||||
isNotice "User '$CFG_DOCKER_MANAGER_USER' does not exist, starting creation..."
|
||||
|
||||
# Create the User Account
|
||||
local result=$(sudo useradd -m -s /bin/bash "$CFG_DOCKER_MANAGER_USER")
|
||||
local result=$(runSystem useradd -m -s /bin/bash "$CFG_DOCKER_MANAGER_USER")
|
||||
checkSuccess "Adding user via useradd command"
|
||||
|
||||
local result=$(echo "$CFG_DOCKER_MANAGER_USER:$CFG_DOCKER_MANAGER_PASS" | sudo chpasswd)
|
||||
@ -66,7 +66,7 @@ EOL")
|
||||
checkSuccess "Updating SSH Server Configuration for the Manager User."
|
||||
|
||||
# Reload SSH Service
|
||||
local result=$(sudo service ssh reload)
|
||||
local result=$(runSystem service ssh reload)
|
||||
checkSuccess "Reloading SSH Service"
|
||||
fi
|
||||
|
||||
|
||||
@ -14,7 +14,7 @@ uninstallDockerManagerUser()
|
||||
checkSuccess "Removing the Docker Manager User from $sshd_config."
|
||||
|
||||
# Restart SSH Service
|
||||
local result=$(sudo service ssh restart)
|
||||
local result=$(runSystem service ssh restart)
|
||||
checkSuccess "Restarting SSH Service"
|
||||
fi
|
||||
fi
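Review bot: `runSystem service ssh restart` follows the edit to `$sshd_config` reported by the checkSuccess above it with no syntax check, and a restart — unlike the reload used in the install path — kills the daemon if the file is now invalid, locking out remote admins. Validate first: `runSystem sshd -t || { isError "sshd_config invalid — not restarting"; return 1; }`. Also, `service ssh` here and `systemctl` elsewhere in this commit drive the same daemon; the planned allowlist only needs one of them. uninstallDockerManagerUser begins above the hunk.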
|
||||
|
||||
@ -7,7 +7,7 @@ installArch()
|
||||
if [[ "$UPDARCH" == [yY] ]]; then
|
||||
isNotice "Installing System Updates... this may take a while...be patient."
|
||||
|
||||
(sudo pacman -Syu --noconfirm) > $logs_dir/$docker_log_file 2>&1 &
|
||||
(runSystem pacman -Syu --noconfirm) > $logs_dir/$docker_log_file 2>&1 &
|
||||
## Show a spinner for activity progress
|
||||
pid=$! # Process Id of the previous running command
|
||||
spin='-\|/'
|
||||
@ -25,12 +25,12 @@ installArch()
|
||||
|
||||
isNotice "Installing Prerequisite Packages..."
|
||||
|
||||
sudo pacman -Sy git curl wget --noconfirm | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
|
||||
runSystem pacman -Sy git curl wget --noconfirm | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
|
||||
|
||||
if [[ "$ISACT" != "active" ]]; then
|
||||
isNotice "Installing Docker-CE (Community Edition)..."
|
||||
|
||||
sudo pacman -Sy docker --noconfirm | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
|
||||
runSystem pacman -Sy docker --noconfirm | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
|
||||
|
||||
echo "- docker-ce version is now:"
|
||||
DOCKERV=$(docker -v)
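Review bot: `runSystem pacman -Sy docker --noconfirm` refreshes the package database and installs one package without upgrading the rest — the partial-upgrade pattern Arch warns against, since docker can end up linked against libraries newer than the installed system. With the opt-in `pacman -Syu` already run above, install without re-syncing: `runSystem pacman -S --needed --noconfirm docker` (or `-Syu docker` if a sync is wanted); the same applies to the `git curl wget` line. The `| sudo tee -a` on both lines also hides pacman's exit status. installArch continues outside the hunk.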
|
||||
|
||||
@ -14,7 +14,7 @@ installDebianUbuntu()
|
||||
local result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt update -qq 2>&1 && DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt install sudo -yqq 2>&1 && apt-get autoclean 2>&1)
|
||||
checkSuccess "Updating System Operating system."
|
||||
|
||||
local result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 sudo apt update -qq 2>&1)
|
||||
local result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 runSystem apt update -qq 2>&1)
|
||||
checkSuccess "Running application update"
|
||||
|
||||
local result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 sudo $installed_apps -yqq 2>&1)
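Review bot: `DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 runSystem apt update -qq` sets the variables for the runSystem function, but sudo's default `env_reset` strips them before apt runs unless they are listed in `env_keep`, so apt can still prompt and the non-interactive intent is silently lost — this was equally true of the `sudo` form it replaces. Plan a `Defaults env_keep += "DEBIAN_FRONTEND APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE"` line in the sudoers.d file, or pass them inside the privileged command, `runSystem env DEBIAN_FRONTEND=noninteractive ... apt update -qq`. The `sudo $installed_apps -yqq` line below is still raw sudo with an unquoted, word-split command. installDebianUbuntu continues past the hunk.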
|
||||
|
||||
@ -78,7 +78,7 @@ EOF
|
||||
else
|
||||
# Unit already correct — ensure it's enabled + running, without a restart.
|
||||
runSystem systemctl enable libreportal.service >/dev/null 2>&1
|
||||
sudo systemctl is-active --quiet libreportal.service || runSystem systemctl start libreportal.service
|
||||
runSystem systemctl is-active --quiet libreportal.service || runSystem systemctl start libreportal.service
|
||||
isSuccessful "LibrePortal task processor service already up to date."
|
||||
fi
|
||||
|
||||
|
||||
@ -26,6 +26,6 @@ wireguardRevokeClient()
|
||||
result=$(sudo rm -f "${CFG_WG_HOME_DIR}/${CFG_WG_SERVER_NIC}-client-${WIREGUARD_CLIENT_NAME}.conf")
|
||||
checkSuccess "Removed generated client file for $WIREGUARD_CLIENT_NAME"
|
||||
|
||||
result=$(sudo wg syncconf "${CFG_WG_SERVER_NIC}" <(sudo wg-quick strip "${CFG_WG_SERVER_NIC}"))
|
||||
result=$(runSystem wg syncconf "${CFG_WG_SERVER_NIC}" <(runSystem wg-quick strip "${CFG_WG_SERVER_NIC}"))
|
||||
checkSuccess "Restart wireguard to apply changes"
|
||||
}
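Review bot: `runSystem wg syncconf "${CFG_WG_SERVER_NIC}" <(runSystem wg-quick strip "${CFG_WG_SERVER_NIC}")` hands the privileged wg a `/dev/fd/N` path from the caller's process substitution, but sudo closes every descriptor above stderr before exec by default (`closefrom`), so wg is likely to fail with "No such file or directory" — the sudo form it replaces had the same problem. Pipe instead and point at stdin, which sudo preserves: `result=$(runSystem wg-quick strip "${CFG_WG_SERVER_NIC}" | runSystem wg syncconf "${CFG_WG_SERVER_NIC}" /dev/stdin)`. The `sudo rm -f` above is a root file op still on raw sudo. wireguardRevokeClient begins above the hunk.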
|
||||
|
||||
@ -33,7 +33,7 @@ installStandaloneWireGuard()
|
||||
|
||||
# Install WireGuard tools and module
|
||||
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
|
||||
sudo apt-get install -y wireguard iptables resolvconf qrencode
|
||||
runSystem apt-get install -y wireguard iptables resolvconf qrencode
|
||||
|
||||
# Update DNS after installing resolvconf
|
||||
updateDNS "" standalonewireguard;
|
||||
@ -95,12 +95,12 @@ PostDown = iptables -t nat -D POSTROUTING -o ${server_nic} -j MASQUERADE" | sudo
|
||||
local result=$(echo '# WIREGUARD END' | sudo tee -a "$sysctl" > /dev/null)
|
||||
checkSuccess "Adding wireguard header to sysctl"
|
||||
|
||||
result=$(sudo systemctl start "wg-quick@${CFG_WG_SERVER_NIC}")
|
||||
result=$(runSystem systemctl start "wg-quick@${CFG_WG_SERVER_NIC}")
|
||||
checkSuccess "Started wg-quick@${CFG_WG_SERVER_NIC} service."
|
||||
result=$(sudo systemctl enable "wg-quick@${CFG_WG_SERVER_NIC}")
|
||||
result=$(runSystem systemctl enable "wg-quick@${CFG_WG_SERVER_NIC}")
|
||||
checkSuccess "Enabled wg-quick@${CFG_WG_SERVER_NIC} service."
|
||||
|
||||
result=$(sudo sysctl --system)
|
||||
result=$(runSystem sysctl --system)
|
||||
checkSuccess "Reloaded sysctl"
|
||||
|
||||
portUse wireguardstandalone $CFG_WG_SERVER_PORT install;
|
||||
@ -168,9 +168,9 @@ wireguardNewClient()
|
||||
fi
|
||||
|
||||
# Generate key pair for the client
|
||||
local WIREGUARD_CLIENT_PRIV_KEY=$(sudo wg genkey)
|
||||
local WIREGUARD_CLIENT_PUB_KEY=$(echo "${WIREGUARD_CLIENT_PRIV_KEY}" | sudo wg pubkey)
|
||||
local WIREGUARD_CLIENT_PRE_SHARED_KEY=$(sudo wg genpsk)
|
||||
local WIREGUARD_CLIENT_PRIV_KEY=$(runSystem wg genkey)
|
||||
local WIREGUARD_CLIENT_PUB_KEY=$(echo "${WIREGUARD_CLIENT_PRIV_KEY}" | runSystem wg pubkey)
|
||||
local WIREGUARD_CLIENT_PRE_SHARED_KEY=$(runSystem wg genpsk)
|
||||
local WIREGUARD_ENDPOINT="${public_ip_v4}:${CFG_WG_SERVER_PORT}"
|
||||
|
||||
# Create client file
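Review bot: `runSystem wg genkey`, `... | runSystem wg pubkey` and `runSystem wg genpsk` are pure key-generation commands that touch no interface, so — assuming `/usr/bin/wg` has its usual 0755 mode — they need no privilege, and running them as root only forces the future sudoers rule for wg to cover key generation as well as interface changes. Drop runSystem on these three lines (`wg genkey`, `echo ... | wg pubkey`, `wg genpsk`) and keep root for syncconf and interface operations only. The private key is piped on stdin rather than argv, so it is not in sudo's command log today; keeping it out of sudo entirely removes that risk for good. wireguardNewClient continues on both sides of the hunk.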
|
||||
@ -195,12 +195,12 @@ PublicKey = ${WIREGUARD_CLIENT_PUB_KEY}
|
||||
PresharedKey = ${WIREGUARD_CLIENT_PRE_SHARED_KEY}
|
||||
AllowedIPs = ${CFG_WG_ALLOWED_IPS}" | sudo tee -a "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf" >/dev/null
|
||||
|
||||
#result=$(sudo wg syncconf ${CFG_WG_SERVER_NIC} /etc/wireguard/${CFG_WG_SERVER_NIC}.conf)
|
||||
#result=$(runSystem wg syncconf ${CFG_WG_SERVER_NIC} /etc/wireguard/${CFG_WG_SERVER_NIC}.conf)
|
||||
#checkSuccess "Syncing config file for $CFG_WG_SERVER_NIC"
|
||||
|
||||
#result=$(sudo systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}")
|
||||
#result=$(runSystem systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}")
|
||||
#checkSuccess "Stopped wg-quick@${CFG_WG_SERVER_NIC} service."
|
||||
#result=$(sudo systemctl start "wg-quick@${CFG_WG_SERVER_NIC}")
|
||||
#result=$(runSystem systemctl start "wg-quick@${CFG_WG_SERVER_NIC}")
|
||||
#checkSuccess "Started wg-quick@${CFG_WG_SERVER_NIC} service."
|
||||
|
||||
# Generate QR code if qrencode is installed
|
||||
@ -248,7 +248,7 @@ wireguardRevokeClient()
|
||||
result=$(sudo rm -f "${CFG_WG_HOME_DIR}/${CFG_WG_SERVER_NIC}-client-${WIREGUARD_CLIENT_NAME}.conf")
|
||||
checkSuccess "Removed generated client file for $WIREGUARD_CLIENT_NAME"
|
||||
|
||||
result=$(sudo wg syncconf "${CFG_WG_SERVER_NIC}" <(sudo wg-quick strip "${CFG_WG_SERVER_NIC}"))
|
||||
result=$(runSystem wg syncconf "${CFG_WG_SERVER_NIC}" <(runSystem wg-quick strip "${CFG_WG_SERVER_NIC}"))
|
||||
checkSuccess "Restart wireguard to apply changes"
|
||||
}
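Review bot: The process substitution in `runSystem wg syncconf "${CFG_WG_SERVER_NIC}" <(runSystem wg-quick strip "${CFG_WG_SERVER_NIC}")` gives the privileged wg a `/dev/fd/N` path that sudo's default `closefrom` has already closed, so the sync is likely to fail with "No such file or directory" exactly as the previous sudo form did. Feed the stripped config over stdin, which sudo keeps: `result=$(runSystem wg-quick strip "${CFG_WG_SERVER_NIC}" | runSystem wg syncconf "${CFG_WG_SERVER_NIC}" /dev/stdin)`. wireguardRevokeClient begins above the hunk.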
|
||||
|
||||
@ -274,14 +274,14 @@ wireguardUninstall()
|
||||
|
||||
if [[ $WIREGUARD_REMOVE == [yY] ]]; then
|
||||
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
|
||||
result=$(sudo systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}")
|
||||
result=$(runSystem systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}")
|
||||
checkSuccess "Stopped wg-quick@${CFG_WG_SERVER_NIC} service."
|
||||
|
||||
result=$(sudo systemctl disable "wg-quick@${CFG_WG_SERVER_NIC}")
|
||||
result=$(runSystem systemctl disable "wg-quick@${CFG_WG_SERVER_NIC}")
|
||||
checkSuccess "Disabled wg-quick@${CFG_WG_SERVER_NIC} service."
|
||||
|
||||
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
|
||||
result=$(sudo apt-get remove -y wireguard wireguard-tools qrencode)
|
||||
result=$(runSystem apt-get remove -y wireguard wireguard-tools qrencode)
|
||||
checkSuccess "Removed wireguard wireguard-tools qrencode"
|
||||
fi
|
||||
|
||||
@ -290,7 +290,7 @@ wireguardUninstall()
|
||||
result=$(sudo rm -f /etc/sysctl.d/wg.conf)
|
||||
checkSuccess "Delete /etc/sysctl.d/wg.conf file."
|
||||
|
||||
result=$(sudo sysctl --system)
|
||||
result=$(runSystem sysctl --system)
|
||||
checkSuccess "Reloaded sysctl"
|
||||
|
||||
portUnuse wireguardstandalone $CFG_WG_SERVER_PORT install;
|
||||
|
||||
@ -11,14 +11,14 @@ wireguardUninstall()
|
||||
|
||||
if [[ $WIREGUARD_REMOVE == [yY] ]]; then
|
||||
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
|
||||
result=$(sudo systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}")
|
||||
result=$(runSystem systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}")
|
||||
checkSuccess "Stopped wg-quick@${CFG_WG_SERVER_NIC} service."
|
||||
|
||||
result=$(sudo systemctl disable "wg-quick@${CFG_WG_SERVER_NIC}")
|
||||
result=$(runSystem systemctl disable "wg-quick@${CFG_WG_SERVER_NIC}")
|
||||
checkSuccess "Disabled wg-quick@${CFG_WG_SERVER_NIC} service."
|
||||
|
||||
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
|
||||
result=$(sudo apt-get remove -y wireguard wireguard-tools qrencode)
|
||||
result=$(runSystem apt-get remove -y wireguard wireguard-tools qrencode)
|
||||
checkSuccess "Removed wireguard wireguard-tools qrencode"
|
||||
fi
|
||||
|
||||
@ -27,7 +27,7 @@ wireguardUninstall()
|
||||
result=$(sudo rm -f /etc/sysctl.d/wg.conf)
|
||||
checkSuccess "Delete /etc/sysctl.d/wg.conf file."
|
||||
|
||||
result=$(sudo sysctl --system)
|
||||
result=$(runSystem sysctl --system)
|
||||
checkSuccess "Reloaded sysctl"
|
||||
|
||||
portUnuse wireguardstandalone $CFG_WG_SERVER_PORT install;
|
||||
|
||||