refactor(de-sudo): funnel genuine system commands through runSystem
Foundation for a scoped sudoers: route every genuine system-admin command (systemctl/ufw/ufw-docker/nft/apt/apt-get/pacman/sysctl/useradd/usermod/service/wg/wg-quick/cscli/loginctl) through runSystem instead of raw sudo across 28 active scripts. runSystem is 'sudo "$@"' so this is byte-identical in every mode (safe on live installs) — it just collects all real-root use at one chokepoint that will define the eventual /etc/sudoers.d allowlist. Also: revert a crowdsec advice message the sweep wrongly rewrote (the admin types sudo, not runSystem), and give crontab_check_processor.sh the same startup bootstrap as the task processor — it runs standalone via cron and already used runFileOp/runFileWrite (undefined there), so it was silently broken; now it sources the helpers + docker-type config. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
parent
ab505ac012
commit
014d8e5fcc
@ -1,5 +1,5 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
appCrowdSecAlertsList() {
|
appCrowdSecAlertsList() {
|
||||||
sudo cscli alerts list
|
runSystem cscli alerts list
|
||||||
}
|
}
|
||||||
|
|||||||
@ -1,7 +1,7 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
appCrowdSecConsoleDisable() {
|
appCrowdSecConsoleDisable() {
|
||||||
sudo cscli console disable -e all
|
runSystem cscli console disable -e all
|
||||||
checkSuccess "Console enrollment removed — no signals will leave this host"
|
checkSuccess "Console enrollment removed — no signals will leave this host"
|
||||||
sudo systemctl reload crowdsec
|
runSystem systemctl reload crowdsec
|
||||||
}
|
}
|
||||||
|
|||||||
@ -8,7 +8,7 @@ appCrowdSecConsoleEnroll() {
|
|||||||
isNotice "Get a token at https://app.crowdsec.net (free account). Enrolling shares attacker IPs + scenario names with CrowdSec SAS."
|
isNotice "Get a token at https://app.crowdsec.net (free account). Enrolling shares attacker IPs + scenario names with CrowdSec SAS."
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
sudo cscli console enroll "$token"
|
runSystem cscli console enroll "$token"
|
||||||
checkSuccess "Enrolled with CrowdSec Console — community blocklists will start syncing"
|
checkSuccess "Enrolled with CrowdSec Console — community blocklists will start syncing"
|
||||||
sudo systemctl reload crowdsec
|
runSystem systemctl reload crowdsec
|
||||||
}
|
}
|
||||||
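Review bot: The enrollment token on the new `runSystem cscli console enroll "$token"` line travels as a command-line argument, so for the life of the call it is visible in the process list and, because runSystem is `sudo "$@"`, it is also recorded by sudo's command logging (syslog/journal) on hosts with default settings. The same applies to `local result=$(runSystem cscli console enroll "$console_token" 2>&1)` in installCrowdsecHost. If cscli offers no stdin or environment path for the key, a comment on the line such as `# token is recorded by sudo's command log; treat the host journal as sensitive` keeps the exposure explicit for whoever writes the sudoers allowlist. appCrowdSecConsoleEnroll starts before this hunk.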
|
|||||||
@ -1,5 +1,5 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
appCrowdSecDecisionsList() {
|
appCrowdSecDecisionsList() {
|
||||||
sudo cscli decisions list
|
runSystem cscli decisions list
|
||||||
}
|
}
|
||||||
|
|||||||
@ -1,10 +1,10 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
appCrowdSecHubUpdate() {
|
appCrowdSecHubUpdate() {
|
||||||
sudo cscli hub update
|
runSystem cscli hub update
|
||||||
checkSuccess "Hub index refreshed"
|
checkSuccess "Hub index refreshed"
|
||||||
sudo cscli hub upgrade
|
runSystem cscli hub upgrade
|
||||||
checkSuccess "Installed collections upgraded"
|
checkSuccess "Installed collections upgraded"
|
||||||
sudo systemctl reload crowdsec
|
runSystem systemctl reload crowdsec
|
||||||
checkSuccess "Reloaded CrowdSec to apply changes"
|
checkSuccess "Reloaded CrowdSec to apply changes"
|
||||||
}
|
}
|
||||||
|
|||||||
@ -1,5 +1,5 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
appCrowdSecMetrics() {
|
appCrowdSecMetrics() {
|
||||||
sudo cscli metrics
|
runSystem cscli metrics
|
||||||
}
|
}
|
||||||
|
|||||||
@ -8,9 +8,9 @@ appCrowdSecStatus() {
|
|||||||
systemctl status crowdsec-firewall-bouncer --no-pager --lines=5 2>&1 | head -15
|
systemctl status crowdsec-firewall-bouncer --no-pager --lines=5 2>&1 | head -15
|
||||||
echo
|
echo
|
||||||
echo "=== installed collections ==="
|
echo "=== installed collections ==="
|
||||||
sudo cscli collections list -o human 2>&1 | head -30
|
runSystem cscli collections list -o human 2>&1 | head -30
|
||||||
echo
|
echo
|
||||||
echo "=== machines + bouncers ==="
|
echo "=== machines + bouncers ==="
|
||||||
sudo cscli machines list 2>&1
|
runSystem cscli machines list 2>&1
|
||||||
sudo cscli bouncers list 2>&1
|
runSystem cscli bouncers list 2>&1
|
||||||
}
|
}
|
||||||
|
|||||||
@ -7,6 +7,6 @@ appCrowdSecUnban() {
|
|||||||
isNotice "No IP provided — pass ip=<address> via the Tools modal."
|
isNotice "No IP provided — pass ip=<address> via the Tools modal."
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
sudo cscli decisions delete --ip "$ip"
|
runSystem cscli decisions delete --ip "$ip"
|
||||||
checkSuccess "Removed decisions for $ip"
|
checkSuccess "Removed decisions for $ip"
|
||||||
}
|
}
|
||||||
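Review bot: `runSystem cscli decisions delete --ip "$ip"` hands a value typed into the Tools modal straight to a root-privileged command, and the only guard visible in this hunk is the empty check two lines above. The quoting prevents word-splitting, but a shape check before the call keeps arbitrary input off the privileged path and makes the eventual sudoers rule easier to scope: `[[ "$ip" =~ ^[0-9A-Fa-f.:]+(/[0-9]{1,3})?$ ]] || { isNotice "Invalid IP/CIDR: $ip"; return 1; }`. appCrowdSecUnban's head is outside the hunk, so an existing validation there would make this redundant.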
|
|||||||
@ -11,11 +11,11 @@ borgInstall()
|
|||||||
|
|
||||||
isHeader "Installing BorgBackup"
|
isHeader "Installing BorgBackup"
|
||||||
if command -v apt-get >/dev/null 2>&1; then
|
if command -v apt-get >/dev/null 2>&1; then
|
||||||
sudo apt-get install -y borgbackup && return 0
|
runSystem apt-get install -y borgbackup && return 0
|
||||||
elif command -v dnf >/dev/null 2>&1; then
|
elif command -v dnf >/dev/null 2>&1; then
|
||||||
sudo dnf install -y borgbackup && return 0
|
sudo dnf install -y borgbackup && return 0
|
||||||
elif command -v pacman >/dev/null 2>&1; then
|
elif command -v pacman >/dev/null 2>&1; then
|
||||||
sudo pacman -S --noconfirm borg && return 0
|
runSystem pacman -S --noconfirm borg && return 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
isError "Could not install BorgBackup — no supported package manager found."
|
isError "Could not install BorgBackup — no supported package manager found."
|
||||||
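Review bot: The dnf branch still calls `sudo dnf install -y borgbackup` (middle of the hunk) while the apt-get and pacman branches on either side were moved to runSystem, so on a dnf host this genuine package-manager call bypasses the new chokepoint and will be missing from any allowlist derived from runSystem call sites. The commit message lists apt/apt-get/pacman but not dnf, so this may be deliberate; if not, the fix is `runSystem dnf install -y borgbackup && return 0`, and if it is, a comment such as `# dnf intentionally left on raw sudo — not in the runSystem allowlist set` stops the next sweep from changing it. borgInstall continues past the hunk.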
|
|||||||
@ -21,14 +21,14 @@ checkInstallTypeRequirement()
|
|||||||
{
|
{
|
||||||
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
|
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
|
||||||
ISCOMP=$( (docker compose -v ) 2>&1 )
|
ISCOMP=$( (docker compose -v ) 2>&1 )
|
||||||
ISUFW=$( (sudo ufw status ) 2>&1 )
|
ISUFW=$( (runSystem ufw status ) 2>&1 )
|
||||||
ISUFWD=$( (sudo ufw-docker) 2>&1 )
|
ISUFWD=$( (sudo ufw-docker) 2>&1 )
|
||||||
|
|
||||||
resolveDockerInstallUser
|
resolveDockerInstallUser
|
||||||
|
|
||||||
if [[ $CFG_DOCKER_INSTALL_TYPE == "rooted" ]]; then
|
if [[ $CFG_DOCKER_INSTALL_TYPE == "rooted" ]]; then
|
||||||
# Used for checking if rooted docket is active
|
# Used for checking if rooted docket is active
|
||||||
ISACT=$( (sudo systemctl is-active docker ) 2>&1 )
|
ISACT=$( (runSystem systemctl is-active docker ) 2>&1 )
|
||||||
elif [[ $CFG_DOCKER_INSTALL_TYPE == "rootless" ]]; then
|
elif [[ $CFG_DOCKER_INSTALL_TYPE == "rootless" ]]; then
|
||||||
# Used for checking the rootless user
|
# Used for checking the rootless user
|
||||||
local ISUSER=$( (sudo id -u "$CFG_DOCKER_INSTALL_USER"))
|
local ISUSER=$( (sudo id -u "$CFG_DOCKER_INSTALL_USER"))
|
||||||
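Review bot: `ISUFWD=$( (sudo ufw-docker) 2>&1 )` keeps raw sudo although ufw-docker is in the commit message's list of commands to route through runSystem, and the `ufw status` probe directly above it was converted; suggested `ISUFWD=$( (runSystem ufw-docker) 2>&1 )`. The `local ISUSER=$( (sudo id -u "$CFG_DOCKER_INSTALL_USER"))` line at the end of the hunk does not need root at all — `id -u` answers for any user — so dropping `sudo` there shrinks the privileged surface instead of relocating it. checkInstallTypeRequirement continues past the hunk.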
|
|||||||
@ -4,7 +4,7 @@ checkWebUISystemdRequirement()
|
|||||||
{
|
{
|
||||||
if [[ $CFG_REQUIREMENT_WEBUI_SERVICE == "true" ]]; then
|
if [[ $CFG_REQUIREMENT_WEBUI_SERVICE == "true" ]]; then
|
||||||
### Check if systemd service is running
|
### Check if systemd service is running
|
||||||
if sudo systemctl is-active --quiet libreportal.service; then
|
if runSystem systemctl is-active --quiet libreportal.service; then
|
||||||
isSuccessful "LibrePortal task processor service is running."
|
isSuccessful "LibrePortal task processor service is running."
|
||||||
else
|
else
|
||||||
isNotice "LibrePortal task processor service is not running."
|
isNotice "LibrePortal task processor service is not running."
|
||||||
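Review bot: `runSystem systemctl is-active --quiet libreportal.service` escalates for a query systemd answers to unprivileged callers, so the change widens what the future sudoers allowlist must permit with no functional need; the `systemctl is-active docker` probes in checkInstallTypeRequirement and installDockerRootedCheck have the same issue. The `systemctl status` call in appCrowdSecStatus already runs unprivileged, which is the consistent form. Suggested: `if systemctl is-active --quiet libreportal.service; then`, or a comment naming the host configuration that requires root here. checkWebUISystemdRequirement continues past the hunk.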
|
|||||||
@ -10,9 +10,9 @@ installCrontab()
|
|||||||
ISCRON=$( (sudo -u $sudo_user_name crontab -l) 2>&1 )
|
ISCRON=$( (sudo -u $sudo_user_name crontab -l) 2>&1 )
|
||||||
if [[ "$ISCRON" == *"command not found"* ]]; then
|
if [[ "$ISCRON" == *"command not found"* ]]; then
|
||||||
isNotice "Crontab is not installed, setting up now."
|
isNotice "Crontab is not installed, setting up now."
|
||||||
local result=$(sudo apt update)
|
local result=$(runSystem apt update)
|
||||||
checkSuccess "Updating apt for post installation"
|
checkSuccess "Updating apt for post installation"
|
||||||
local result=$(sudo apt install cron -y)
|
local result=$(runSystem apt install cron -y)
|
||||||
isSuccessful "Installing crontab application"
|
isSuccessful "Installing crontab application"
|
||||||
local result=$(sudo -u $sudo_user_name crontab -l)
|
local result=$(sudo -u $sudo_user_name crontab -l)
|
||||||
isSuccessful "Enabling crontab on the system"
|
isSuccessful "Enabling crontab on the system"
|
||||||
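Review bot: `local result=$(runSystem apt update)` followed by `checkSuccess …` reports the status of `local`, which is 0 whatever apt did, so the success line is printed even when the update fails; the same `local result=$(…)` shape precedes almost every checkSuccess in the touched hunks (installDockerRootless, dockerServiceStart, dockerServiceStop, installCrowdsecHost, installUFW). This is pre-existing and the commit is deliberately behaviour-preserving, but since the sweep rewrites each of these lines it is the natural moment to split declaration from assignment: `local result; result=$(runSystem apt update)`. If checkSuccess reads something other than `$?`, disregard — its definition is not in this diff. installCrontab starts before the hunk.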
|
|||||||
@ -10,6 +10,26 @@ script_check_processor_flag="$1"
|
|||||||
# Only run when executed directly, not when sourced
|
# Only run when executed directly, not when sourced
|
||||||
if [[ "$script_check_processor_flag" == "start_script" ]]; then
|
if [[ "$script_check_processor_flag" == "start_script" ]]; then
|
||||||
|
|
||||||
|
# --- Load the privilege helpers + docker-type config -------------------------
|
||||||
|
# cron runs this standalone, so the de-sudo helpers (runFileOp/runFileWrite/
|
||||||
|
# runSystem) and the config they key off are NOT otherwise in scope — without
|
||||||
|
# them every privileged op is "command not found". Same bootstrap as
|
||||||
|
# crontab_task_processor.sh. These files are pure function/var defs, safe to
|
||||||
|
# source.
|
||||||
|
LP_SCRIPTS="${install_scripts_dir:-/docker/install/scripts/}"
|
||||||
|
LP_DOCKER_CFG="/docker/configs/general/general_docker_install"
|
||||||
|
[[ -f "$LP_DOCKER_CFG" ]] && \
|
||||||
|
eval "$(grep -E '^CFG_DOCKER_INSTALL_(TYPE|USER)=' "$LP_DOCKER_CFG" | sed 's/[[:space:]]*#.*//')"
|
||||||
|
: "${sudo_user_name:=libreportal}"
|
||||||
|
: "${containers_dir:=/docker/containers/}"
|
||||||
|
: "${docker_dir:=/docker}"
|
||||||
|
for _lp_f in docker/command/run_privileged.sh \
|
||||||
|
docker/command/docker_run_install.sh \
|
||||||
|
checks/requirements/check_install_type.sh; do
|
||||||
|
[[ -f "${LP_SCRIPTS}${_lp_f}" ]] && source "${LP_SCRIPTS}${_lp_f}"
|
||||||
|
done
|
||||||
|
command -v resolveDockerInstallUser >/dev/null 2>&1 && resolveDockerInstallUser
|
||||||
|
|
||||||
# ========================================
|
# ========================================
|
||||||
# HEALTH CHECK CONFIGURATION
|
# HEALTH CHECK CONFIGURATION
|
||||||
# ========================================
|
# ========================================
|
||||||
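Review bot: `eval "$(grep -E '^CFG_DOCKER_INSTALL_(TYPE|USER)=' "$LP_DOCKER_CFG" | sed 's/[[:space:]]*#.*//')"` executes whatever follows the `=` on a matching line — grep constrains only the prefix and sed strips only `#` comments, so a `;`, backtick or `$( )` in the value runs as the cron user, which makes this script exactly as trustworthy as the write permission on the config file. Read the two keys with a parser that assigns only validated values instead (below; the accepted TYPE values are the two the other checks compare against, the USER pattern is an assumption to confirm). Separately, `[[ -f … ]] && source` makes a missing helper file silent again — the very failure the commit message describes — so the loop should be followed by a hard check that runSystem is now defined, as in the last lines of the fence. The `if … start_script` block opened in this hunk closes outside it.
```shell
LP_DOCKER_CFG="/docker/configs/general/general_docker_install"
# Read only the two keys we need and assign only validated values; the file is
# never eval'd, so a stray ';' or $( ) in a value cannot execute as this user.
if [[ -f "$LP_DOCKER_CFG" ]]; then
  while IFS='=' read -r _lp_key _lp_val; do
    _lp_val=${_lp_val%%#*}              # drop trailing comment
    _lp_val=${_lp_val//[[:space:]]/}    # drop whitespace
    _lp_val=${_lp_val//[\"\']/}         # drop quotes
    case "$_lp_key" in
      CFG_DOCKER_INSTALL_TYPE)
        [[ "$_lp_val" == rooted || "$_lp_val" == rootless ]] && CFG_DOCKER_INSTALL_TYPE=$_lp_val ;;
      CFG_DOCKER_INSTALL_USER)
        # TODO confirm the user-name alphabet this project permits
        [[ "$_lp_val" =~ ^[a-z_][a-z0-9_-]*$ ]] && CFG_DOCKER_INSTALL_USER=$_lp_val ;;
    esac
  done < <(grep -E '^CFG_DOCKER_INSTALL_(TYPE|USER)=' "$LP_DOCKER_CFG")
fi
# … unchanged: sudo_user_name / containers_dir / docker_dir defaults …
# … unchanged: helper source loop …
command -v runSystem >/dev/null 2>&1 || {
  echo "crontab_check_processor: privilege helpers not found under ${LP_SCRIPTS}" >&2
  exit 1
}
```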
|
|||||||
@ -6,11 +6,11 @@ installDockerRootedCheck()
|
|||||||
#### Test if Docker Service is Running ###
|
#### Test if Docker Service is Running ###
|
||||||
##########################################
|
##########################################
|
||||||
if [[ $CFG_DOCKER_INSTALL_TYPE == "rooted" ]]; then
|
if [[ $CFG_DOCKER_INSTALL_TYPE == "rooted" ]]; then
|
||||||
ISACT=$( (sudo systemctl is-active docker ) 2>&1 )
|
ISACT=$( (runSystem systemctl is-active docker ) 2>&1 )
|
||||||
if [[ "$ISACT" != "active" ]]; then
|
if [[ "$ISACT" != "active" ]]; then
|
||||||
isNotice "Checking Docker service status. Waiting if not found."
|
isNotice "Checking Docker service status. Waiting if not found."
|
||||||
while [[ "$ISACT" != "active" ]] && [[ $X -le 10 ]]; do
|
while [[ "$ISACT" != "active" ]] && [[ $X -le 10 ]]; do
|
||||||
sudo systemctl start docker | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
|
runSystem systemctl start docker | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
|
||||||
sleep 10s &
|
sleep 10s &
|
||||||
pid=$! # Process Id of the previous running command
|
pid=$! # Process Id of the previous running command
|
||||||
spin='-\|/'
|
spin='-\|/'
|
||||||
@ -22,7 +22,7 @@ installDockerRootedCheck()
|
|||||||
sleep .1
|
sleep .1
|
||||||
done
|
done
|
||||||
printf "\r"
|
printf "\r"
|
||||||
ISACT=`sudo systemctl is-active docker`
|
ISACT=`runSystem systemctl is-active docker`
|
||||||
let X=X+1
|
let X=X+1
|
||||||
echo "$X"
|
echo "$X"
|
||||||
done
|
done
|
||||||
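Review bot: The rewritten ISACT assignment in this hunk keeps the backtick command substitution on a line the sweep already touched, while the earlier probe in the same function uses `$( … )`; `ISACT=$(runSystem systemctl is-active docker)` reads consistently and nests safely. The `let X=X+1` beside it can be `X=$((X+1))`. installDockerRootedCheck continues on both sides of the hunk.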
|
|||||||
@ -16,10 +16,10 @@ installDockerRootless()
|
|||||||
local docker_install_user_id=$(id -u "$CFG_DOCKER_INSTALL_USER")
|
local docker_install_user_id=$(id -u "$CFG_DOCKER_INSTALL_USER")
|
||||||
local docker_install_bashrc="/home/$CFG_DOCKER_INSTALL_USER/.bashrc"
|
local docker_install_bashrc="/home/$CFG_DOCKER_INSTALL_USER/.bashrc"
|
||||||
|
|
||||||
local result=$(sudo apt-get install -y apt-transport-https ca-certificates curl gnupg software-properties-common uidmap dbus-user-session fuse-overlayfs passt)
|
local result=$(runSystem apt-get install -y apt-transport-https ca-certificates curl gnupg software-properties-common uidmap dbus-user-session fuse-overlayfs passt)
|
||||||
checkSuccess "Installing necessary packages"
|
checkSuccess "Installing necessary packages"
|
||||||
|
|
||||||
local result=$(sudo systemctl disable --now docker.service docker.socket)
|
local result=$(runSystem systemctl disable --now docker.service docker.socket)
|
||||||
checkSuccess "Disabling Docker service & Socket"
|
checkSuccess "Disabling Docker service & Socket"
|
||||||
|
|
||||||
((menu_number++))
|
((menu_number++))
|
||||||
@ -30,7 +30,7 @@ installDockerRootless()
|
|||||||
# slirp4netns update and install
|
# slirp4netns update and install
|
||||||
if ! command -v slirp4netns &> /dev/null; then
|
if ! command -v slirp4netns &> /dev/null; then
|
||||||
isNotice "slirp4netns is not installed. Installing..."
|
isNotice "slirp4netns is not installed. Installing..."
|
||||||
local result=$(sudo apt-get install -y slirp4netns)
|
local result=$(runSystem apt-get install -y slirp4netns)
|
||||||
checkSuccess "Installing slirp4netns"
|
checkSuccess "Installing slirp4netns"
|
||||||
else
|
else
|
||||||
isNotice "slirp4netns is already installed"
|
isNotice "slirp4netns is already installed"
|
||||||
@ -39,9 +39,9 @@ installDockerRootless()
|
|||||||
if [[ "$installed_version" != "$latest_version" ]]; then
|
if [[ "$installed_version" != "$latest_version" ]]; then
|
||||||
isNotice "slirp4netns version $installed_version is outdated."
|
isNotice "slirp4netns version $installed_version is outdated."
|
||||||
isNotice "Installing version $latest_version..."
|
isNotice "Installing version $latest_version..."
|
||||||
local result=$(sudo apt-get update)
|
local result=$(runSystem apt-get update)
|
||||||
checkSuccess "Updating apt packages"
|
checkSuccess "Updating apt packages"
|
||||||
local result=$(sudo apt-get install -y slirp4netns)
|
local result=$(runSystem apt-get install -y slirp4netns)
|
||||||
checkSuccess "Installing slirp4netns"
|
checkSuccess "Installing slirp4netns"
|
||||||
else
|
else
|
||||||
isSuccessful "slirp4netns version $installed_version is up to date"
|
isSuccessful "slirp4netns version $installed_version is up to date"
|
||||||
@ -58,7 +58,7 @@ installDockerRootless()
|
|||||||
else
|
else
|
||||||
local result=$(echo "kernel.unprivileged_userns_clone=1" | sudo tee -a $sysctl > /dev/null)
|
local result=$(echo "kernel.unprivileged_userns_clone=1" | sudo tee -a $sysctl > /dev/null)
|
||||||
checkSuccess "Adding kernel.unprivileged_userns_clone=1 to $sysctl..."
|
checkSuccess "Adding kernel.unprivileged_userns_clone=1 to $sysctl..."
|
||||||
local result=$(sudo sysctl --system)
|
local result=$(runSystem sysctl --system)
|
||||||
checkSuccess "Running sudo -u $sudo_user_name sysctl --system..."
|
checkSuccess "Running sudo -u $sudo_user_name sysctl --system..."
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
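Review bot: The checkSuccess text `"Running sudo -u $sudo_user_name sysctl --system..."` describes a command that is not the one executed on the line above it (`runSystem sysctl --system`, i.e. root, not `$sudo_user_name`), so anyone reading the install log is told the wrong principal applied the sysctl settings. Suggested: `checkSuccess "Applying sysctl settings (sysctl --system)"`. installDockerRootless continues on both sides of the hunk.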
@ -97,7 +97,7 @@ installDockerRootless()
|
|||||||
echo "---- $menu_number. Setting up Rootless Docker."
|
echo "---- $menu_number. Setting up Rootless Docker."
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
local result=$(sudo loginctl enable-linger $CFG_DOCKER_INSTALL_USER)
|
local result=$(runSystem loginctl enable-linger $CFG_DOCKER_INSTALL_USER)
|
||||||
checkSuccess "Adding automatic start (linger)"
|
checkSuccess "Adding automatic start (linger)"
|
||||||
|
|
||||||
# Rootless Install
|
# Rootless Install
|
||||||
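Review bot: `runSystem loginctl enable-linger $CFG_DOCKER_INSTALL_USER` leaves the user name unquoted, so an empty or whitespace-containing value changes the argument list handed to a root command — with no argument loginctl applies lingering to the caller — whereas the useradd line in installDockerRootlessUser quotes the same variable. Suggested: `runSystem loginctl enable-linger "$CFG_DOCKER_INSTALL_USER"`; the `usermod -aG docker $sudo_user_name` line in dockerServiceStart has the same gap. installDockerRootless continues on both sides of the hunk.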
@ -216,7 +216,7 @@ net.core.bpf_jit_harden=2
|
|||||||
EOL
|
EOL
|
||||||
checkSuccess "Writing kernel LPE-surface hardening to $hardening_conf"
|
checkSuccess "Writing kernel LPE-surface hardening to $hardening_conf"
|
||||||
|
|
||||||
local result=$(sudo sysctl --system)
|
local result=$(runSystem sysctl --system)
|
||||||
checkSuccess "Applying changes to sysctl"
|
checkSuccess "Applying changes to sysctl"
|
||||||
|
|
||||||
menu_number=0
|
menu_number=0
|
||||||
|
|||||||
@ -12,7 +12,7 @@ installDockerRootlessUser()
|
|||||||
# -m makes its home; with SUB_UID/GID configured in login.defs,
|
# -m makes its home; with SUB_UID/GID configured in login.defs,
|
||||||
# useradd also assigns its subordinate uid/gid ranges (needed for
|
# useradd also assigns its subordinate uid/gid ranges (needed for
|
||||||
# rootless). Run unmasked so checkSuccess sees real failures.
|
# rootless). Run unmasked so checkSuccess sees real failures.
|
||||||
sudo useradd -m -s /bin/bash -d "/home/$CFG_DOCKER_INSTALL_USER" "$CFG_DOCKER_INSTALL_USER"
|
runSystem useradd -m -s /bin/bash -d "/home/$CFG_DOCKER_INSTALL_USER" "$CFG_DOCKER_INSTALL_USER"
|
||||||
checkSuccess "Creating $CFG_DOCKER_INSTALL_USER User."
|
checkSuccess "Creating $CFG_DOCKER_INSTALL_USER User."
|
||||||
updateDockerInstallPassword;
|
updateDockerInstallPassword;
|
||||||
fi
|
fi
|
||||||
|
|||||||
@ -3,16 +3,16 @@
|
|||||||
dockerServiceStart()
|
dockerServiceStart()
|
||||||
{
|
{
|
||||||
if [[ $CFG_DOCKER_INSTALL_TYPE == "rooted" ]]; then
|
if [[ $CFG_DOCKER_INSTALL_TYPE == "rooted" ]]; then
|
||||||
local result=$(sudo systemctl start docker)
|
local result=$(runSystem systemctl start docker)
|
||||||
checkSuccess "Starting Docker Service"
|
checkSuccess "Starting Docker Service"
|
||||||
|
|
||||||
local result=$(sudo systemctl enable docker)
|
local result=$(runSystem systemctl enable docker)
|
||||||
checkSuccess "Enabling Docker Service"
|
checkSuccess "Enabling Docker Service"
|
||||||
|
|
||||||
local result=$(sudo usermod -aG docker $sudo_user_name)
|
local result=$(runSystem usermod -aG docker $sudo_user_name)
|
||||||
checkSuccess "Adding user to 'docker' group"
|
checkSuccess "Adding user to 'docker' group"
|
||||||
|
|
||||||
local result=$(sudo systemctl restart docker)
|
local result=$(runSystem systemctl restart docker)
|
||||||
checkSuccess "Restarting Docker service after group addition."
|
checkSuccess "Restarting Docker service after group addition."
|
||||||
elif [[ $CFG_DOCKER_INSTALL_TYPE == "rootless" ]]; then
|
elif [[ $CFG_DOCKER_INSTALL_TYPE == "rootless" ]]; then
|
||||||
installDockerRootless;
|
installDockerRootless;
|
||||||
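Review bot: `runSystem usermod -aG docker $sudo_user_name` grants the service account membership in the docker group, which Docker documents as root-equivalent on a rooted daemon, yet the line carries no comment saying so and the variable is unquoted. Suggested: `# NOTE: docker group membership is root-equivalent on the rooted install` above it and `runSystem usermod -aG docker "$sudo_user_name"`. Making this visible matters here because the same commit is assembling the sudoers allowlist meant to constrain that account. dockerServiceStart continues past the hunk.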
|
|||||||
@ -8,10 +8,10 @@ dockerServiceStop()
|
|||||||
if [[ "$docker_rooted_found" == "true" ]]; then
|
if [[ "$docker_rooted_found" == "true" ]]; then
|
||||||
isNotice "Stopping rooted Docker service...this may take a moment..."
|
isNotice "Stopping rooted Docker service...this may take a moment..."
|
||||||
|
|
||||||
local result=$(sudo systemctl stop docker)
|
local result=$(runSystem systemctl stop docker)
|
||||||
checkSuccess "Stopping Rooted Docker Service"
|
checkSuccess "Stopping Rooted Docker Service"
|
||||||
|
|
||||||
local result=$(sudo systemctl disable docker)
|
local result=$(runSystem systemctl disable docker)
|
||||||
checkSuccess "Disabling Rooted Docker Service"
|
checkSuccess "Disabling Rooted Docker Service"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|||||||
@ -75,10 +75,10 @@ installCrowdsecHost()
|
|||||||
echo "---- $menu_number. Enabling CrowdSec services."
|
echo "---- $menu_number. Enabling CrowdSec services."
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
local result=$(sudo systemctl enable --now crowdsec)
|
local result=$(runSystem systemctl enable --now crowdsec)
|
||||||
checkSuccess "Enabling CrowdSec agent"
|
checkSuccess "Enabling CrowdSec agent"
|
||||||
|
|
||||||
local result=$(sudo systemctl enable --now crowdsec-firewall-bouncer)
|
local result=$(runSystem systemctl enable --now crowdsec-firewall-bouncer)
|
||||||
checkSuccess "Enabling CrowdSec firewall bouncer"
|
checkSuccess "Enabling CrowdSec firewall bouncer"
|
||||||
|
|
||||||
((menu_number++))
|
((menu_number++))
|
||||||
@ -86,13 +86,13 @@ installCrowdsecHost()
|
|||||||
echo "---- $menu_number. Installing baseline collections."
|
echo "---- $menu_number. Installing baseline collections."
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
local result=$(sudo cscli collections install crowdsecurity/linux)
|
local result=$(runSystem cscli collections install crowdsecurity/linux)
|
||||||
checkSuccess "Installing crowdsecurity/linux collection"
|
checkSuccess "Installing crowdsecurity/linux collection"
|
||||||
|
|
||||||
local result=$(sudo cscli collections install crowdsecurity/sshd)
|
local result=$(runSystem cscli collections install crowdsecurity/sshd)
|
||||||
checkSuccess "Installing crowdsecurity/sshd collection"
|
checkSuccess "Installing crowdsecurity/sshd collection"
|
||||||
|
|
||||||
local result=$(sudo systemctl reload crowdsec)
|
local result=$(runSystem systemctl reload crowdsec)
|
||||||
checkSuccess "Reloading CrowdSec to pick up collections"
|
checkSuccess "Reloading CrowdSec to pick up collections"
|
||||||
|
|
||||||
((menu_number++))
|
((menu_number++))
|
||||||
@ -106,14 +106,14 @@ installCrowdsecHost()
|
|||||||
# unregistering. Idempotent on either branch.
|
# unregistering. Idempotent on either branch.
|
||||||
local community_blocklist="${CFG_CROWDSEC_COMMUNITY_BLOCKLIST:-true}"
|
local community_blocklist="${CFG_CROWDSEC_COMMUNITY_BLOCKLIST:-true}"
|
||||||
if [[ "$community_blocklist" == "true" ]]; then
|
if [[ "$community_blocklist" == "true" ]]; then
|
||||||
if sudo cscli capi status 2>&1 | grep -qi 'You can successfully'; then
|
if runSystem cscli capi status 2>&1 | grep -qi 'You can successfully'; then
|
||||||
isNotice "Community blocklist already registered."
|
isNotice "Community blocklist already registered."
|
||||||
else
|
else
|
||||||
local result=$(sudo cscli capi register 2>&1)
|
local result=$(runSystem cscli capi register 2>&1)
|
||||||
checkSuccess "Registered with CrowdSec Central API (community blocklist)"
|
checkSuccess "Registered with CrowdSec Central API (community blocklist)"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
local result=$(sudo cscli capi unregister 2>&1)
|
local result=$(runSystem cscli capi unregister 2>&1)
|
||||||
checkSuccess "Unregistered from CrowdSec Central API (community blocklist disabled)"
|
checkSuccess "Unregistered from CrowdSec Central API (community blocklist disabled)"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -129,19 +129,19 @@ installCrowdsecHost()
|
|||||||
local console_enroll="${CFG_CROWDSEC_CONSOLE_ENROLL:-false}"
|
local console_enroll="${CFG_CROWDSEC_CONSOLE_ENROLL:-false}"
|
||||||
local console_token="${CFG_CROWDSEC_CONSOLE_TOKEN:-}"
|
local console_token="${CFG_CROWDSEC_CONSOLE_TOKEN:-}"
|
||||||
local enrolled=false
|
local enrolled=false
|
||||||
sudo cscli console status 2>&1 | grep -qi 'enrolled' && enrolled=true
|
runSystem cscli console status 2>&1 | grep -qi 'enrolled' && enrolled=true
|
||||||
if [[ "$console_enroll" == "true" ]]; then
|
if [[ "$console_enroll" == "true" ]]; then
|
||||||
if [[ -z "$console_token" ]]; then
|
if [[ -z "$console_token" ]]; then
|
||||||
isNotice "Console enrollment ON but CFG_CROWDSEC_CONSOLE_TOKEN is empty — paste your token from app.crowdsec.net to complete."
|
isNotice "Console enrollment ON but CFG_CROWDSEC_CONSOLE_TOKEN is empty — paste your token from app.crowdsec.net to complete."
|
||||||
elif [[ "$enrolled" == true ]]; then
|
elif [[ "$enrolled" == true ]]; then
|
||||||
isNotice "Already enrolled with the SaaS console — skipping."
|
isNotice "Already enrolled with the SaaS console — skipping."
|
||||||
else
|
else
|
||||||
local result=$(sudo cscli console enroll "$console_token" 2>&1)
|
local result=$(runSystem cscli console enroll "$console_token" 2>&1)
|
||||||
checkSuccess "Enrolled with app.crowdsec.net SaaS console"
|
checkSuccess "Enrolled with app.crowdsec.net SaaS console"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
if [[ "$enrolled" == true ]]; then
|
if [[ "$enrolled" == true ]]; then
|
||||||
local result=$(sudo cscli console disenroll 2>&1)
|
local result=$(runSystem cscli console disenroll 2>&1)
|
||||||
checkSuccess "Disenrolled from app.crowdsec.net SaaS console"
|
checkSuccess "Disenrolled from app.crowdsec.net SaaS console"
|
||||||
else
|
else
|
||||||
isNotice "SaaS console enrollment disabled — skipping."
|
isNotice "SaaS console enrollment disabled — skipping."
|
||||||
@ -161,7 +161,7 @@ installCrowdsecHost()
|
|||||||
if [[ -f "$lapi_cfg" ]] && ! sudo grep -qE 'listen_uri:[[:space:]]*0\.0\.0\.0:8080' "$lapi_cfg"; then
|
if [[ -f "$lapi_cfg" ]] && ! sudo grep -qE 'listen_uri:[[:space:]]*0\.0\.0\.0:8080' "$lapi_cfg"; then
|
||||||
sudo sed -i 's|listen_uri:.*|listen_uri: 0.0.0.0:8080|' "$lapi_cfg"
|
sudo sed -i 's|listen_uri:.*|listen_uri: 0.0.0.0:8080|' "$lapi_cfg"
|
||||||
checkSuccess "LAPI bound to 0.0.0.0:8080"
|
checkSuccess "LAPI bound to 0.0.0.0:8080"
|
||||||
sudo systemctl restart crowdsec
|
runSystem systemctl restart crowdsec
|
||||||
checkSuccess "CrowdSec restarted"
|
checkSuccess "CrowdSec restarted"
|
||||||
else
|
else
|
||||||
isNotice "LAPI already bound to 0.0.0.0:8080 — skipping."
|
isNotice "LAPI already bound to 0.0.0.0:8080 — skipping."
|
||||||
@ -189,7 +189,7 @@ installCrowdsecHost()
|
|||||||
s|listen_port:.*|listen_port: ${prom_port}|
|
s|listen_port:.*|listen_port: ${prom_port}|
|
||||||
}" "$cs_cfg"
|
}" "$cs_cfg"
|
||||||
checkSuccess "CrowdSec metrics endpoint bound to ${prom_listen}"
|
checkSuccess "CrowdSec metrics endpoint bound to ${prom_listen}"
|
||||||
sudo systemctl restart crowdsec
|
runSystem systemctl restart crowdsec
|
||||||
checkSuccess "CrowdSec restarted"
|
checkSuccess "CrowdSec restarted"
|
||||||
else
|
else
|
||||||
isNotice "CrowdSec metrics already bound to ${prom_addr} — skipping."
|
isNotice "CrowdSec metrics already bound to ${prom_addr} — skipping."
|
||||||
@ -197,7 +197,7 @@ installCrowdsecHost()
|
|||||||
elif [[ -f "$cs_cfg" ]] && sudo grep -qE 'listen_addr:[[:space:]]*0\.0\.0\.0' "$cs_cfg"; then
|
elif [[ -f "$cs_cfg" ]] && sudo grep -qE 'listen_addr:[[:space:]]*0\.0\.0\.0' "$cs_cfg"; then
|
||||||
sudo sed -i "/^prometheus:/,/^[^[:space:]#]/ s|listen_addr:.*|listen_addr: 127.0.0.1|" "$cs_cfg"
|
sudo sed -i "/^prometheus:/,/^[^[:space:]#]/ s|listen_addr:.*|listen_addr: 127.0.0.1|" "$cs_cfg"
|
||||||
checkSuccess "CrowdSec metrics endpoint rebound to 127.0.0.1 (monitoring off)"
|
checkSuccess "CrowdSec metrics endpoint rebound to 127.0.0.1 (monitoring off)"
|
||||||
sudo systemctl restart crowdsec
|
runSystem systemctl restart crowdsec
|
||||||
checkSuccess "CrowdSec restarted"
|
checkSuccess "CrowdSec restarted"
|
||||||
else
|
else
|
||||||
isNotice "Monitoring off — CrowdSec metrics endpoint left at its default."
|
isNotice "Monitoring off — CrowdSec metrics endpoint left at its default."
|
||||||
@ -217,9 +217,9 @@ installCrowdsecHost()
|
|||||||
local key_file="/etc/crowdsec/traefik_bouncer.key"
|
local key_file="/etc/crowdsec/traefik_bouncer.key"
|
||||||
local cfg_file="/docker/configs/security/security_crowdsec"
|
local cfg_file="/docker/configs/security/security_crowdsec"
|
||||||
|
|
||||||
if ! sudo cscli bouncers list -o raw 2>/dev/null | grep -q '^traefik-bouncer'; then
|
if ! runSystem cscli bouncers list -o raw 2>/dev/null | grep -q '^traefik-bouncer'; then
|
||||||
local bouncer_key
|
local bouncer_key
|
||||||
bouncer_key=$(sudo cscli bouncers add traefik-bouncer -o raw 2>&1 | tail -1)
|
bouncer_key=$(runSystem cscli bouncers add traefik-bouncer -o raw 2>&1 | tail -1)
|
||||||
if [[ -n "$bouncer_key" && "$bouncer_key" != *"error"* ]]; then
|
if [[ -n "$bouncer_key" && "$bouncer_key" != *"error"* ]]; then
|
||||||
echo "$bouncer_key" | sudo tee "$key_file" >/dev/null
|
echo "$bouncer_key" | sudo tee "$key_file" >/dev/null
|
||||||
sudo chown libreportal:libreportal "$key_file"
|
sudo chown libreportal:libreportal "$key_file"
|
||||||
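Review bot: `bouncer_key=$(runSystem cscli bouncers add traefik-bouncer -o raw 2>&1 | tail -1)` discards cscli's exit status (`| tail -1` decides the pipeline's status) and the test below treats any last line not containing the word "error" as a key, so a failure worded differently is written to `$key_file` as the bouncer key. Test the command's status instead: `if bouncer_key=$(runSystem cscli bouncers add traefik-bouncer -o raw 2>/dev/null) && [[ -n "$bouncer_key" ]]; then`. That assumes `-o raw` prints only the key; if it does not, keep `tail -1` and check `${PIPESTATUS[0]}` after the assignment. installCrowdsecHost continues on both sides of the hunk.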
@ -250,16 +250,16 @@ installCrowdsecHost()
|
|||||||
# The firewall bouncer needs a moment to install its nftables table
|
# The firewall bouncer needs a moment to install its nftables table
|
||||||
# after enable. Poll up to ~10s before deciding it's missing.
|
# after enable. Poll up to ~10s before deciding it's missing.
|
||||||
local _wait=0
|
local _wait=0
|
||||||
until sudo nft list tables 2>/dev/null | grep -qiE 'crowdsec' || [[ $_wait -ge 10 ]]; do
|
until runSystem nft list tables 2>/dev/null | grep -qiE 'crowdsec' || [[ $_wait -ge 10 ]]; do
|
||||||
sleep 1; _wait=$((_wait+1))
|
sleep 1; _wait=$((_wait+1))
|
||||||
done
|
done
|
||||||
|
|
||||||
if ! sudo nft list tables 2>/dev/null | grep -qiE 'crowdsec'; then
|
if ! runSystem nft list tables 2>/dev/null | grep -qiE 'crowdsec'; then
|
||||||
isNotice "CrowdSec nftables table not yet present after ${_wait}s. Bouncer may still be starting; re-run the verification Tools action in a minute if rules don't appear."
|
isNotice "CrowdSec nftables table not yet present after ${_wait}s. Bouncer may still be starting; re-run the verification Tools action in a minute if rules don't appear."
|
||||||
else
|
else
|
||||||
local cs_prio ufw_prio
|
local cs_prio ufw_prio
|
||||||
cs_prio=$(sudo nft list ruleset 2>/dev/null | awk '/table .* crowdsec/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}')
|
cs_prio=$(runSystem nft list ruleset 2>/dev/null | awk '/table .* crowdsec/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}')
|
||||||
ufw_prio=$(sudo nft list ruleset 2>/dev/null | awk '/chain ufw[a-z0-9-]*input/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}')
|
ufw_prio=$(runSystem nft list ruleset 2>/dev/null | awk '/chain ufw[a-z0-9-]*input/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}')
|
||||||
|
|
||||||
if [[ -z "$ufw_prio" ]]; then
|
if [[ -z "$ufw_prio" ]]; then
|
||||||
isSuccessful "UFW not in nftables — no ordering needed (CrowdSec prio: ${cs_prio:-?})."
|
isSuccessful "UFW not in nftables — no ordering needed (CrowdSec prio: ${cs_prio:-?})."
|
||||||
@ -291,10 +291,10 @@ installCrowdsecHost()
|
|||||||
echo "---- $menu_number. Re-enabling CrowdSec services."
|
echo "---- $menu_number. Re-enabling CrowdSec services."
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
local result=$(sudo systemctl enable --now crowdsec)
|
local result=$(runSystem systemctl enable --now crowdsec)
|
||||||
checkSuccess "Enabling CrowdSec agent"
|
checkSuccess "Enabling CrowdSec agent"
|
||||||
|
|
||||||
local result=$(sudo systemctl enable --now crowdsec-firewall-bouncer)
|
local result=$(runSystem systemctl enable --now crowdsec-firewall-bouncer)
|
||||||
checkSuccess "Enabling CrowdSec firewall bouncer"
|
checkSuccess "Enabling CrowdSec firewall bouncer"
|
||||||
|
|
||||||
isSuccessful "CrowdSec services re-enabled."
|
isSuccessful "CrowdSec services re-enabled."
|
||||||
@ -312,10 +312,10 @@ installCrowdsecHost()
|
|||||||
echo "---- $menu_number. Stopping and disabling CrowdSec services."
|
echo "---- $menu_number. Stopping and disabling CrowdSec services."
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
local result=$(sudo systemctl disable --now crowdsec-firewall-bouncer 2>&1)
|
local result=$(runSystem systemctl disable --now crowdsec-firewall-bouncer 2>&1)
|
||||||
checkSuccess "Disabling CrowdSec firewall bouncer"
|
checkSuccess "Disabling CrowdSec firewall bouncer"
|
||||||
|
|
||||||
local result=$(sudo systemctl disable --now crowdsec 2>&1)
|
local result=$(runSystem systemctl disable --now crowdsec 2>&1)
|
||||||
checkSuccess "Disabling CrowdSec agent"
|
checkSuccess "Disabling CrowdSec agent"
|
||||||
|
|
||||||
isSuccessful "CrowdSec disabled. Package remains installed — set CFG_CROWDSEC_ENABLED=true to re-enable, or uninstall via the Tools tab."
|
isSuccessful "CrowdSec disabled. Package remains installed — set CFG_CROWDSEC_ENABLED=true to re-enable, or uninstall via the Tools tab."
|
||||||
|
|||||||
@ -3,7 +3,7 @@
|
|||||||
installUFW()
|
installUFW()
|
||||||
{
|
{
|
||||||
if [[ "$CFG_REQUIREMENT_UFW" == "true" ]]; then
|
if [[ "$CFG_REQUIREMENT_UFW" == "true" ]]; then
|
||||||
ISUFW=$( (sudo ufw status ) 2>&1 )
|
ISUFW=$( (runSystem ufw status ) 2>&1 )
|
||||||
if [[ "$ISUFW" == *"command not found"* ]]; then
|
if [[ "$ISUFW" == *"command not found"* ]]; then
|
||||||
isHeader "Install UFW Firewall"
|
isHeader "Install UFW Firewall"
|
||||||
|
|
||||||
@ -12,7 +12,7 @@ installUFW()
|
|||||||
echo "---- $menu_number. Installing using linux package installer"
|
echo "---- $menu_number. Installing using linux package installer"
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
local result=$(yes | sudo apt-get install ufw )
|
local result=$(yes | runSystem apt-get install ufw )
|
||||||
checkSuccess "Installing UFW package"
|
checkSuccess "Installing UFW package"
|
||||||
|
|
||||||
# ((menu_number++))
|
# ((menu_number++))
|
||||||
@ -27,9 +27,9 @@ installUFW()
|
|||||||
# ssh_port=${ssh_port:-22} # Default to 22 if not found
|
# ssh_port=${ssh_port:-22} # Default to 22 if not found
|
||||||
# fi
|
# fi
|
||||||
|
|
||||||
# local result=$(sudo ufw allow $ssh_port)
|
# local result=$(runSystem ufw allow $ssh_port)
|
||||||
# checkSuccess "Enabling Port $ssh_port through the firewall"
|
# checkSuccess "Enabling Port $ssh_port through the firewall"
|
||||||
# local result=$(sudo ufw allow ssh)
|
# local result=$(runSystem ufw allow ssh)
|
||||||
# checkSuccess "Enabling SSH through the firewall"
|
# checkSuccess "Enabling SSH through the firewall"
|
||||||
|
|
||||||
# while true; do
|
# while true; do
|
||||||
@ -42,13 +42,13 @@ installUFW()
|
|||||||
# done
|
# done
|
||||||
|
|
||||||
# if [[ "$UFWSSH" == [nN] ]]; then
|
# if [[ "$UFWSSH" == [nN] ]]; then
|
||||||
# local result=$(sudo ufw deny $ssh_port)
|
# local result=$(runSystem ufw deny $ssh_port)
|
||||||
# checkSuccess "Blocking Port $ssh_port through the firewall"
|
# checkSuccess "Blocking Port $ssh_port through the firewall"
|
||||||
# local result=$(sudo ufw deny ssh)
|
# local result=$(runSystem ufw deny ssh)
|
||||||
# checkSuccess "Blocking SSH through the firewall"
|
# checkSuccess "Blocking SSH through the firewall"
|
||||||
# fi
|
# fi
|
||||||
|
|
||||||
local result=$(sudo ufw --force enable)
|
local result=$(runSystem ufw --force enable)
|
||||||
checkSuccess "Enabling UFW Firewall"
|
checkSuccess "Enabling UFW Firewall"
|
||||||
|
|
||||||
((menu_number++))
|
((menu_number++))
|
||||||
@ -56,7 +56,7 @@ installUFW()
|
|||||||
echo "---- $menu_number. Changing logging options"
|
echo "---- $menu_number. Changing logging options"
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
local result=$(yes | sudo ufw logging $CFG_UFW_LOGGING)
|
local result=$(yes | runSystem ufw logging $CFG_UFW_LOGGING)
|
||||||
checkSuccess "Disabling UFW Firewall Logging"
|
checkSuccess "Disabling UFW Firewall Logging"
|
||||||
|
|
||||||
isSuccessful "UFW Firewall has been installed, you can use ufw status to see the status"
|
isSuccessful "UFW Firewall has been installed, you can use ufw status to see the status"
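Review bot: `local result=$(runSystem ufw --force enable)` (and the other `local result=$(…)` lines in this section) yields the exit status of `local`, which is always 0, so if checkSuccess inspects `$?` a failed `ufw --force enable` or `apt-get install ufw` is reported as success; split the declaration, `local result` then `result=$(runSystem ufw --force enable)`. The same pattern recurs in the installUFWDocker, installDockerManagerUser, installDebianUbuntu and installStandaloneWireGuard hunks of this commit. The install probe `[[ "$ISUFW" == *"command not found"* ]]` keys on sudo's error text; once the planned sudoers allowlist denies a command, the denial message will not contain that phrase and the function would take the already-installed branch, so a `command -v ufw` check before the privileged call is more robust. `$CFG_UFW_LOGGING` on the logging line is unquoted; write `"$CFG_UFW_LOGGING"`.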
|
||||||
|
|||||||
@ -23,10 +23,10 @@ installUFWDocker()
|
|||||||
local result=$(sudo chmod +x $ufwpath)
|
local result=$(sudo chmod +x $ufwpath)
|
||||||
checkSuccess "Setting permissions for install files"
|
checkSuccess "Setting permissions for install files"
|
||||||
|
|
||||||
local result=$(sudo ufw-docker install > /dev/null 2>&1)
|
local result=$(runSystem ufw-docker install > /dev/null 2>&1)
|
||||||
checkSuccess "Installing UFW Docker"
|
checkSuccess "Installing UFW Docker"
|
||||||
|
|
||||||
local result=$(sudo systemctl restart ufw)
|
local result=$(runSystem systemctl restart ufw)
|
||||||
checkSuccess "Restarting UFW Firewall service"
|
checkSuccess "Restarting UFW Firewall service"
|
||||||
|
|
||||||
isSuccessful "UFW-Docker has been installed, you can use ufw-docker to see the available commands"
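Review bot: `runSystem ufw-docker install > /dev/null 2>&1` discards every diagnostic from the installer, and because it sits inside `local result=$(…)` the exit status is lost as well, so a failed install is reported by `checkSuccess "Installing UFW Docker"` as success if checkSuccess reads `$?`; prefer `local result; result=$(runSystem ufw-docker install 2>&1)` so the output is retained for the failure path. Two lines earlier `sudo chmod +x $ufwpath` stays on raw sudo with `$ufwpath` unquoted; if chmod on the downloaded script is meant to go through runFileOp like the other file operations, route it there and quote the path, otherwise the future allowlist has to carry a `chmod` entry.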
|
isSuccessful "UFW-Docker has been installed, you can use ufw-docker to see the available commands"
|
||||||
|
|||||||
@ -10,7 +10,7 @@ installDockerManagerUser()
|
|||||||
isNotice "User '$CFG_DOCKER_MANAGER_USER' does not exist, starting creation..."
|
isNotice "User '$CFG_DOCKER_MANAGER_USER' does not exist, starting creation..."
|
||||||
|
|
||||||
# Create the User Account
|
# Create the User Account
|
||||||
local result=$(sudo useradd -m -s /bin/bash "$CFG_DOCKER_MANAGER_USER")
|
local result=$(runSystem useradd -m -s /bin/bash "$CFG_DOCKER_MANAGER_USER")
|
||||||
checkSuccess "Adding user via useradd command"
|
checkSuccess "Adding user via useradd command"
|
||||||
|
|
||||||
local result=$(echo "$CFG_DOCKER_MANAGER_USER:$CFG_DOCKER_MANAGER_PASS" | sudo chpasswd)
|
local result=$(echo "$CFG_DOCKER_MANAGER_USER:$CFG_DOCKER_MANAGER_PASS" | sudo chpasswd)
|
||||||
@ -66,7 +66,7 @@ EOL")
|
|||||||
checkSuccess "Updating SSH Server Configuration for the Manager User."
|
checkSuccess "Updating SSH Server Configuration for the Manager User."
|
||||||
|
|
||||||
# Reload SSH Service
|
# Reload SSH Service
|
||||||
local result=$(sudo service ssh reload)
|
local result=$(runSystem service ssh reload)
|
||||||
checkSuccess "Reloading SSH Service"
|
checkSuccess "Reloading SSH Service"
|
||||||
fi
|
fi
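Review bot: `echo "$CFG_DOCKER_MANAGER_USER:$CFG_DOCKER_MANAGER_PASS" | sudo chpasswd` is left on raw sudo directly after `useradd` was moved to runSystem; chpasswd sets an account credential and belongs to the same class as useradd/usermod, so if the chokepoint is meant to be complete it should read `… | runSystem chpasswd`. Passing the secret on stdin rather than argv is the right choice and should stay that way. `local result=$(runSystem useradd …)` hides the useradd exit status from the following checkSuccess; split it into `local result` and `result=$(runSystem useradd -m -s /bin/bash "$CFG_DOCKER_MANAGER_USER")`.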
|
||||||
|
|
||||||
|
|||||||
@ -14,7 +14,7 @@ uninstallDockerManagerUser()
|
|||||||
checkSuccess "Removing the Docker Manager User from $sshd_config."
|
checkSuccess "Removing the Docker Manager User from $sshd_config."
|
||||||
|
|
||||||
# Restart SSH Service
|
# Restart SSH Service
|
||||||
local result=$(sudo service ssh restart)
|
local result=$(runSystem service ssh restart)
|
||||||
checkSuccess "Restarting SSH Service"
|
checkSuccess "Restarting SSH Service"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|||||||
@ -7,7 +7,7 @@ installArch()
|
|||||||
if [[ "$UPDARCH" == [yY] ]]; then
|
if [[ "$UPDARCH" == [yY] ]]; then
|
||||||
isNotice "Installing System Updates... this may take a while...be patient."
|
isNotice "Installing System Updates... this may take a while...be patient."
|
||||||
|
|
||||||
(sudo pacman -Syu --noconfirm) > $logs_dir/$docker_log_file 2>&1 &
|
(runSystem pacman -Syu --noconfirm) > $logs_dir/$docker_log_file 2>&1 &
|
||||||
## Show a spinner for activity progress
|
## Show a spinner for activity progress
|
||||||
pid=$! # Process Id of the previous running command
|
pid=$! # Process Id of the previous running command
|
||||||
spin='-\|/'
|
spin='-\|/'
|
||||||
@ -25,12 +25,12 @@ installArch()
|
|||||||
|
|
||||||
isNotice "Installing Prerequisite Packages..."
|
isNotice "Installing Prerequisite Packages..."
|
||||||
|
|
||||||
sudo pacman -Sy git curl wget --noconfirm | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
|
runSystem pacman -Sy git curl wget --noconfirm | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
|
||||||
|
|
||||||
if [[ "$ISACT" != "active" ]]; then
|
if [[ "$ISACT" != "active" ]]; then
|
||||||
isNotice "Installing Docker-CE (Community Edition)..."
|
isNotice "Installing Docker-CE (Community Edition)..."
|
||||||
|
|
||||||
sudo pacman -Sy docker --noconfirm | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
|
runSystem pacman -Sy docker --noconfirm | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
|
||||||
|
|
||||||
echo "- docker-ce version is now:"
|
echo "- docker-ce version is now:"
|
||||||
DOCKERV=$(docker -v)
|
DOCKERV=$(docker -v)
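Review bot: `runSystem pacman -Sy git curl wget --noconfirm | sudo tee -a "$logs_dir/$docker_log_file" 2>&1` places `2>&1` on tee, so only tee's stderr is merged into the log while pacman's own errors go to the terminal; the docker install line below has the same shape. Move the redirection onto the producer: `runSystem pacman -Sy git curl wget --noconfirm 2>&1 | sudo tee -a "$logs_dir/$docker_log_file"`. The earlier `(runSystem pacman -Syu --noconfirm) > $logs_dir/$docker_log_file 2>&1 &` backgrounds a sudo call, so a password prompt there cannot be answered and the spinner would wait on it; presumably the caller relies on a cached credential, which is worth a comment, and the log path on that line is unquoted.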
|
||||||
|
|||||||
@ -14,7 +14,7 @@ installDebianUbuntu()
|
|||||||
local result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt update -qq 2>&1 && DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt install sudo -yqq 2>&1 && apt-get autoclean 2>&1)
|
local result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt update -qq 2>&1 && DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt install sudo -yqq 2>&1 && apt-get autoclean 2>&1)
|
||||||
checkSuccess "Updating System Operating system."
|
checkSuccess "Updating System Operating system."
|
||||||
|
|
||||||
local result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 sudo apt update -qq 2>&1)
|
local result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 runSystem apt update -qq 2>&1)
|
||||||
checkSuccess "Running application update"
|
checkSuccess "Running application update"
|
||||||
|
|
||||||
local result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 sudo $installed_apps -yqq 2>&1)
|
local result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 sudo $installed_apps -yqq 2>&1)
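Review bot: `sudo $installed_apps -yqq` builds the privileged command from an unquoted, word-split variable and stays on raw sudo, so it is outside the new chokepoint and brittle: any element of `$installed_apps` containing a space is split into separate words. If `$installed_apps` is a flat list, reading it into an array and routing it through the helper is the consistent form: `local apt_cmd; read -ra apt_cmd <<<"$installed_apps"` then `result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 runSystem "${apt_cmd[@]}" -yqq 2>&1)`. The first line of the hunk runs `apt update` and `apt install sudo` with no privilege wrapper at all, which presumably is the root-only bootstrap of sudo itself; a comment saying so would stop the next sweep from "fixing" it. Both `local result=$(…)` lines mask the exit status seen by checkSuccess.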
|
||||||
|
|||||||
@ -78,7 +78,7 @@ EOF
|
|||||||
else
|
else
|
||||||
# Unit already correct — ensure it's enabled + running, without a restart.
|
# Unit already correct — ensure it's enabled + running, without a restart.
|
||||||
runSystem systemctl enable libreportal.service >/dev/null 2>&1
|
runSystem systemctl enable libreportal.service >/dev/null 2>&1
|
||||||
sudo systemctl is-active --quiet libreportal.service || runSystem systemctl start libreportal.service
|
runSystem systemctl is-active --quiet libreportal.service || runSystem systemctl start libreportal.service
|
||||||
isSuccessful "LibrePortal task processor service already up to date."
|
isSuccessful "LibrePortal task processor service already up to date."
|
||||||
fi
|
fi
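Review bot: `runSystem systemctl is-active --quiet libreportal.service` turns a read-only status query into a privileged call; `systemctl is-active` works unprivileged, so `systemctl is-active --quiet libreportal.service || runSystem systemctl start libreportal.service` leaves one fewer verb for the eventual sudoers allowlist and keeps the chokepoint to operations that mutate state. The preceding `runSystem systemctl enable libreportal.service >/dev/null 2>&1` swallows stderr and has no status check, so a failed enable (for example a denied sudo rule later) is silent — capture it or follow it with a checkSuccess. The enclosing if/else starts outside the hunk.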
|
||||||
|
|
||||||
|
|||||||
@ -26,6 +26,6 @@ wireguardRevokeClient()
|
|||||||
result=$(sudo rm -f "${CFG_WG_HOME_DIR}/${CFG_WG_SERVER_NIC}-client-${WIREGUARD_CLIENT_NAME}.conf")
|
result=$(sudo rm -f "${CFG_WG_HOME_DIR}/${CFG_WG_SERVER_NIC}-client-${WIREGUARD_CLIENT_NAME}.conf")
|
||||||
checkSuccess "Removed generated client file for $WIREGUARD_CLIENT_NAME"
|
checkSuccess "Removed generated client file for $WIREGUARD_CLIENT_NAME"
|
||||||
|
|
||||||
result=$(sudo wg syncconf "${CFG_WG_SERVER_NIC}" <(sudo wg-quick strip "${CFG_WG_SERVER_NIC}"))
|
result=$(runSystem wg syncconf "${CFG_WG_SERVER_NIC}" <(runSystem wg-quick strip "${CFG_WG_SERVER_NIC}"))
|
||||||
checkSuccess "Restart wireguard to apply changes"
|
checkSuccess "Restart wireguard to apply changes"
|
||||||
}
|
}
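Review bot: `result=$(runSystem wg syncconf "${CFG_WG_SERVER_NIC}" <(runSystem wg-quick strip "${CFG_WG_SERVER_NIC}"))` hides the inner command's failure: the process substitution runs in its own subshell, so if `wg-quick strip` fails or sudo declines it, `wg syncconf` reads whatever arrived on the pipe and only the outer status reaches checkSuccess; with sudo's default closefrom behaviour the `/dev/fd/N` path may also not be readable by the privileged child. Safer is to strip first and check it, `local stripped; stripped=$(runSystem wg-quick strip "${CFG_WG_SERVER_NIC}") || return 1`, then feed it on stdin, `result=$(printf '%s\n' "$stripped" | runSystem wg syncconf "${CFG_WG_SERVER_NIC}" /dev/stdin)`. The stripped config carries the server private key, so stdin is preferable to argv or a temp file. The same function body appears again in the `@ -248` wireguardRevokeClient hunk of the larger WireGuard file; keeping one copy and sourcing it avoids the two drifting.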
|
||||||
|
|||||||
@ -33,7 +33,7 @@ installStandaloneWireGuard()
|
|||||||
|
|
||||||
# Install WireGuard tools and module
|
# Install WireGuard tools and module
|
||||||
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
|
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
|
||||||
sudo apt-get install -y wireguard iptables resolvconf qrencode
|
runSystem apt-get install -y wireguard iptables resolvconf qrencode
|
||||||
|
|
||||||
# Update DNS after installing resolvconf
|
# Update DNS after installing resolvconf
|
||||||
updateDNS "" standalonewireguard;
|
updateDNS "" standalonewireguard;
|
||||||
@ -95,12 +95,12 @@ PostDown = iptables -t nat -D POSTROUTING -o ${server_nic} -j MASQUERADE" | sudo
|
|||||||
local result=$(echo '# WIREGUARD END' | sudo tee -a "$sysctl" > /dev/null)
|
local result=$(echo '# WIREGUARD END' | sudo tee -a "$sysctl" > /dev/null)
|
||||||
checkSuccess "Adding wireguard header to sysctl"
|
checkSuccess "Adding wireguard header to sysctl"
|
||||||
|
|
||||||
result=$(sudo systemctl start "wg-quick@${CFG_WG_SERVER_NIC}")
|
result=$(runSystem systemctl start "wg-quick@${CFG_WG_SERVER_NIC}")
|
||||||
checkSuccess "Started wg-quick@${CFG_WG_SERVER_NIC} service."
|
checkSuccess "Started wg-quick@${CFG_WG_SERVER_NIC} service."
|
||||||
result=$(sudo systemctl enable "wg-quick@${CFG_WG_SERVER_NIC}")
|
result=$(runSystem systemctl enable "wg-quick@${CFG_WG_SERVER_NIC}")
|
||||||
checkSuccess "Enabled wg-quick@${CFG_WG_SERVER_NIC} service."
|
checkSuccess "Enabled wg-quick@${CFG_WG_SERVER_NIC} service."
|
||||||
|
|
||||||
result=$(sudo sysctl --system)
|
result=$(runSystem sysctl --system)
|
||||||
checkSuccess "Reloaded sysctl"
|
checkSuccess "Reloaded sysctl"
|
||||||
|
|
||||||
portUse wireguardstandalone $CFG_WG_SERVER_PORT install;
|
portUse wireguardstandalone $CFG_WG_SERVER_PORT install;
|
||||||
@ -168,9 +168,9 @@ wireguardNewClient()
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Generate key pair for the client
|
# Generate key pair for the client
|
||||||
local WIREGUARD_CLIENT_PRIV_KEY=$(sudo wg genkey)
|
local WIREGUARD_CLIENT_PRIV_KEY=$(runSystem wg genkey)
|
||||||
local WIREGUARD_CLIENT_PUB_KEY=$(echo "${WIREGUARD_CLIENT_PRIV_KEY}" | sudo wg pubkey)
|
local WIREGUARD_CLIENT_PUB_KEY=$(echo "${WIREGUARD_CLIENT_PRIV_KEY}" | runSystem wg pubkey)
|
||||||
local WIREGUARD_CLIENT_PRE_SHARED_KEY=$(sudo wg genpsk)
|
local WIREGUARD_CLIENT_PRE_SHARED_KEY=$(runSystem wg genpsk)
|
||||||
local WIREGUARD_ENDPOINT="${public_ip_v4}:${CFG_WG_SERVER_PORT}"
|
local WIREGUARD_ENDPOINT="${public_ip_v4}:${CFG_WG_SERVER_PORT}"
|
||||||
|
|
||||||
# Create client file
|
# Create client file
|
||||||
@ -195,12 +195,12 @@ PublicKey = ${WIREGUARD_CLIENT_PUB_KEY}
|
|||||||
PresharedKey = ${WIREGUARD_CLIENT_PRE_SHARED_KEY}
|
PresharedKey = ${WIREGUARD_CLIENT_PRE_SHARED_KEY}
|
||||||
AllowedIPs = ${CFG_WG_ALLOWED_IPS}" | sudo tee -a "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf" >/dev/null
|
AllowedIPs = ${CFG_WG_ALLOWED_IPS}" | sudo tee -a "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf" >/dev/null
|
||||||
|
|
||||||
#result=$(sudo wg syncconf ${CFG_WG_SERVER_NIC} /etc/wireguard/${CFG_WG_SERVER_NIC}.conf)
|
#result=$(runSystem wg syncconf ${CFG_WG_SERVER_NIC} /etc/wireguard/${CFG_WG_SERVER_NIC}.conf)
|
||||||
#checkSuccess "Syncing config file for $CFG_WG_SERVER_NIC"
|
#checkSuccess "Syncing config file for $CFG_WG_SERVER_NIC"
|
||||||
|
|
||||||
#result=$(sudo systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}")
|
#result=$(runSystem systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}")
|
||||||
#checkSuccess "Stopped wg-quick@${CFG_WG_SERVER_NIC} service."
|
#checkSuccess "Stopped wg-quick@${CFG_WG_SERVER_NIC} service."
|
||||||
#result=$(sudo systemctl start "wg-quick@${CFG_WG_SERVER_NIC}")
|
#result=$(runSystem systemctl start "wg-quick@${CFG_WG_SERVER_NIC}")
|
||||||
#checkSuccess "Started wg-quick@${CFG_WG_SERVER_NIC} service."
|
#checkSuccess "Started wg-quick@${CFG_WG_SERVER_NIC} service."
|
||||||
|
|
||||||
# Generate QR code if qrencode is installed
|
# Generate QR code if qrencode is installed
|
||||||
@ -248,7 +248,7 @@ wireguardRevokeClient()
|
|||||||
result=$(sudo rm -f "${CFG_WG_HOME_DIR}/${CFG_WG_SERVER_NIC}-client-${WIREGUARD_CLIENT_NAME}.conf")
|
result=$(sudo rm -f "${CFG_WG_HOME_DIR}/${CFG_WG_SERVER_NIC}-client-${WIREGUARD_CLIENT_NAME}.conf")
|
||||||
checkSuccess "Removed generated client file for $WIREGUARD_CLIENT_NAME"
|
checkSuccess "Removed generated client file for $WIREGUARD_CLIENT_NAME"
|
||||||
|
|
||||||
result=$(sudo wg syncconf "${CFG_WG_SERVER_NIC}" <(sudo wg-quick strip "${CFG_WG_SERVER_NIC}"))
|
result=$(runSystem wg syncconf "${CFG_WG_SERVER_NIC}" <(runSystem wg-quick strip "${CFG_WG_SERVER_NIC}"))
|
||||||
checkSuccess "Restart wireguard to apply changes"
|
checkSuccess "Restart wireguard to apply changes"
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -274,14 +274,14 @@ wireguardUninstall()
|
|||||||
|
|
||||||
if [[ $WIREGUARD_REMOVE == [yY] ]]; then
|
if [[ $WIREGUARD_REMOVE == [yY] ]]; then
|
||||||
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
|
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
|
||||||
result=$(sudo systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}")
|
result=$(runSystem systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}")
|
||||||
checkSuccess "Stopped wg-quick@${CFG_WG_SERVER_NIC} service."
|
checkSuccess "Stopped wg-quick@${CFG_WG_SERVER_NIC} service."
|
||||||
|
|
||||||
result=$(sudo systemctl disable "wg-quick@${CFG_WG_SERVER_NIC}")
|
result=$(runSystem systemctl disable "wg-quick@${CFG_WG_SERVER_NIC}")
|
||||||
checkSuccess "Disabled wg-quick@${CFG_WG_SERVER_NIC} service."
|
checkSuccess "Disabled wg-quick@${CFG_WG_SERVER_NIC} service."
|
||||||
|
|
||||||
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
|
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
|
||||||
result=$(sudo apt-get remove -y wireguard wireguard-tools qrencode)
|
result=$(runSystem apt-get remove -y wireguard wireguard-tools qrencode)
|
||||||
checkSuccess "Removed wireguard wireguard-tools qrencode"
|
checkSuccess "Removed wireguard wireguard-tools qrencode"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -290,7 +290,7 @@ wireguardUninstall()
|
|||||||
result=$(sudo rm -f /etc/sysctl.d/wg.conf)
|
result=$(sudo rm -f /etc/sysctl.d/wg.conf)
|
||||||
checkSuccess "Delete /etc/sysctl.d/wg.conf file."
|
checkSuccess "Delete /etc/sysctl.d/wg.conf file."
|
||||||
|
|
||||||
result=$(sudo sysctl --system)
|
result=$(runSystem sysctl --system)
|
||||||
checkSuccess "Reloaded sysctl"
|
checkSuccess "Reloaded sysctl"
|
||||||
|
|
||||||
portUnuse wireguardstandalone $CFG_WG_SERVER_PORT install;
|
portUnuse wireguardstandalone $CFG_WG_SERVER_PORT install;
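Review bot: In the `@ -168` wireguardNewClient hunk, `local WIREGUARD_CLIENT_PRIV_KEY=$(runSystem wg genkey)` and the `genpsk`/`pubkey` lines mask failure: `local` returns 0, so if wg is missing or the sudo call is refused the variables are empty and the client file plus the `PresharedKey = …` line appended to `/etc/wireguard/${CFG_WG_SERVER_NIC}.conf` in the next hunk are written with empty keys instead of aborting. `wg genkey`, `wg genpsk` and `wg pubkey` are pure key-derivation operations that need no root, so they can run unprivileged and be validated: `local WIREGUARD_CLIENT_PRIV_KEY; WIREGUARD_CLIENT_PRIV_KEY=$(wg genkey) || return 1`, with the same shape for the other two and a `[[ -n … ]]` guard before any file is written. Keeping key generation off the privileged chokepoint also shrinks the planned sudoers allowlist. The `@ -248` wireguardRevokeClient and `@ -274`/`@ -290` wireguardUninstall hunks in this file duplicate the functions in the two smaller WireGuard files of this commit.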
|
||||||
|
|||||||
@ -11,14 +11,14 @@ wireguardUninstall()
|
|||||||
|
|
||||||
if [[ $WIREGUARD_REMOVE == [yY] ]]; then
|
if [[ $WIREGUARD_REMOVE == [yY] ]]; then
|
||||||
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
|
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
|
||||||
result=$(sudo systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}")
|
result=$(runSystem systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}")
|
||||||
checkSuccess "Stopped wg-quick@${CFG_WG_SERVER_NIC} service."
|
checkSuccess "Stopped wg-quick@${CFG_WG_SERVER_NIC} service."
|
||||||
|
|
||||||
result=$(sudo systemctl disable "wg-quick@${CFG_WG_SERVER_NIC}")
|
result=$(runSystem systemctl disable "wg-quick@${CFG_WG_SERVER_NIC}")
|
||||||
checkSuccess "Disabled wg-quick@${CFG_WG_SERVER_NIC} service."
|
checkSuccess "Disabled wg-quick@${CFG_WG_SERVER_NIC} service."
|
||||||
|
|
||||||
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
|
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
|
||||||
result=$(sudo apt-get remove -y wireguard wireguard-tools qrencode)
|
result=$(runSystem apt-get remove -y wireguard wireguard-tools qrencode)
|
||||||
checkSuccess "Removed wireguard wireguard-tools qrencode"
|
checkSuccess "Removed wireguard wireguard-tools qrencode"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -27,7 +27,7 @@ wireguardUninstall()
|
|||||||
result=$(sudo rm -f /etc/sysctl.d/wg.conf)
|
result=$(sudo rm -f /etc/sysctl.d/wg.conf)
|
||||||
checkSuccess "Delete /etc/sysctl.d/wg.conf file."
|
checkSuccess "Delete /etc/sysctl.d/wg.conf file."
|
||||||
|
|
||||||
result=$(sudo sysctl --system)
|
result=$(runSystem sysctl --system)
|
||||||
checkSuccess "Reloaded sysctl"
|
checkSuccess "Reloaded sysctl"
|
||||||
|
|
||||||
portUnuse wireguardstandalone $CFG_WG_SERVER_PORT install;
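Review bot: `result=$(runSystem systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}")` and the other assignments in this hunk write the global `result`, unlike the `local result` convention used in installUFW and installDockerManagerUser; declare `local result` once at the top of wireguardUninstall, whose start is outside the hunk. This hunk and the `@ -27` one are line-for-line copies of the `@ -274`/`@ -290` wireguardUninstall hunks in the larger WireGuard file, so the two copies will drift; keep one and source it. `sudo rm -f /etc/sysctl.d/wg.conf` remains on raw sudo — fine if it is meant for runFileOp, but then that is the helper to call.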
|
portUnuse wireguardstandalone $CFG_WG_SERVER_PORT install;
|
||||||
|
|||||||