refactor(de-sudo): funnel genuine system commands through runSystem

Foundation for a scoped sudoers: route every genuine system-admin command
(systemctl/ufw/ufw-docker/nft/apt/apt-get/pacman/sysctl/useradd/usermod/
service/wg/wg-quick/cscli/loginctl) through runSystem instead of raw sudo
across 28 active scripts. runSystem is 'sudo "$@"' so this is byte-identical
in every mode (safe on live installs) — it just collects all real-root use at
one chokepoint that will define the eventual /etc/sudoers.d allowlist.

Also: revert a crowdsec advice message the sweep wrongly rewrote (the admin
types sudo, not runSystem), and give crontab_check_processor.sh the same
startup bootstrap as the task processor — it runs standalone via cron and
already used runFileOp/runFileWrite (undefined there), so it was silently
broken; now it sources the helpers + docker-type config.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
librelad 2026-05-24 15:21:53 +01:00
parent ab505ac012
commit 014d8e5fcc
29 changed files with 121 additions and 101 deletions


@ -1,5 +1,5 @@
#!/bin/bash
appCrowdSecAlertsList() {
sudo cscli alerts list
runSystem cscli alerts list
}


@ -1,7 +1,7 @@
#!/bin/bash
appCrowdSecConsoleDisable() {
sudo cscli console disable -e all
runSystem cscli console disable -e all
checkSuccess "Console enrollment removed — no signals will leave this host"
sudo systemctl reload crowdsec
runSystem systemctl reload crowdsec
}


@ -8,7 +8,7 @@ appCrowdSecConsoleEnroll() {
isNotice "Get a token at https://app.crowdsec.net (free account). Enrolling shares attacker IPs + scenario names with CrowdSec SAS."
return 1
fi
sudo cscli console enroll "$token"
runSystem cscli console enroll "$token"
checkSuccess "Enrolled with CrowdSec Console — community blocklists will start syncing"
sudo systemctl reload crowdsec
runSystem systemctl reload crowdsec
}
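Review bot: The console token on the `runSystem cscli console enroll "$token"` line travels as a command-line argument, so it is visible to every local user via `ps` while cscli runs, and it will be recorded verbatim by sudo's default command logging once this chokepoint backs a sudoers allowlist. As far as I can tell cscli only accepts the enrollment key as an argument, so it cannot simply be moved to stdin; at minimum record the exposure next to the call with `# NOTE: token is argv — visible in ps and in sudo's log line` so the allowlist author knows to exclude this entry from verbose logging. The function's header and the empty-token check sit above this hunk.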


@ -1,5 +1,5 @@
#!/bin/bash
appCrowdSecDecisionsList() {
sudo cscli decisions list
runSystem cscli decisions list
}


@ -1,10 +1,10 @@
#!/bin/bash
appCrowdSecHubUpdate() {
sudo cscli hub update
runSystem cscli hub update
checkSuccess "Hub index refreshed"
sudo cscli hub upgrade
runSystem cscli hub upgrade
checkSuccess "Installed collections upgraded"
sudo systemctl reload crowdsec
runSystem systemctl reload crowdsec
checkSuccess "Reloaded CrowdSec to apply changes"
}


@ -1,5 +1,5 @@
#!/bin/bash
appCrowdSecMetrics() {
sudo cscli metrics
runSystem cscli metrics
}


@ -8,9 +8,9 @@ appCrowdSecStatus() {
systemctl status crowdsec-firewall-bouncer --no-pager --lines=5 2>&1 | head -15
echo
echo "=== installed collections ==="
sudo cscli collections list -o human 2>&1 | head -30
runSystem cscli collections list -o human 2>&1 | head -30
echo
echo "=== machines + bouncers ==="
sudo cscli machines list 2>&1
sudo cscli bouncers list 2>&1
runSystem cscli machines list 2>&1
runSystem cscli bouncers list 2>&1
}


@ -7,6 +7,6 @@ appCrowdSecUnban() {
isNotice "No IP provided — pass ip=<address> via the Tools modal."
return 1
fi
sudo cscli decisions delete --ip "$ip"
runSystem cscli decisions delete --ip "$ip"
checkSuccess "Removed decisions for $ip"
}
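Review bot: `$ip` arrives from the Tools modal and reaches `runSystem cscli decisions delete --ip "$ip"` with only an empty check; the quoting stops shell injection, but a sudoers rule for this call will need an argument wildcard, and sudoers `*` matches across spaces, so any string the modal sends (including extra cscli flags) would be accepted by the eventual allowlist. Reject anything that is not an address literal before it reaches the chokepoint, e.g. `[[ "$ip" =~ ^[0-9A-Fa-f.:]+$ ]] || { isNotice "Not an IP address: $ip"; return 1; }` placed right after the empty check. The function starts above this hunk.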


@ -11,11 +11,11 @@ borgInstall()
isHeader "Installing BorgBackup"
if command -v apt-get >/dev/null 2>&1; then
sudo apt-get install -y borgbackup && return 0
runSystem apt-get install -y borgbackup && return 0
elif command -v dnf >/dev/null 2>&1; then
sudo dnf install -y borgbackup && return 0
elif command -v pacman >/dev/null 2>&1; then
sudo pacman -S --noconfirm borg && return 0
runSystem pacman -S --noconfirm borg && return 0
fi
isError "Could not install BorgBackup — no supported package manager found."
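Review bot: The `dnf` branch still calls `sudo dnf install -y borgbackup` while the apt-get and pacman branches on either side of it were switched to runSystem, so the one package manager absent from the commit's command list will also be absent from the allowlist inventory this chokepoint is meant to produce. Either route it as well, `runSystem dnf install -y borgbackup && return 0`, or state in the commit message that dnf hosts are out of scope so the omission is deliberate. Note too that `&& return 0` sends a failed install through to the "no supported package manager found" error, which misreports the cause; the function's closing lines are outside this hunk.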


@ -21,14 +21,14 @@ checkInstallTypeRequirement()
{
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
ISCOMP=$( (docker compose -v ) 2>&1 )
ISUFW=$( (sudo ufw status ) 2>&1 )
ISUFW=$( (runSystem ufw status ) 2>&1 )
ISUFWD=$( (sudo ufw-docker) 2>&1 )
resolveDockerInstallUser
if [[ $CFG_DOCKER_INSTALL_TYPE == "rooted" ]]; then
# Used for checking if rooted docket is active
ISACT=$( (sudo systemctl is-active docker ) 2>&1 )
ISACT=$( (runSystem systemctl is-active docker ) 2>&1 )
elif [[ $CFG_DOCKER_INSTALL_TYPE == "rootless" ]]; then
# Used for checking the rootless user
local ISUSER=$( (sudo id -u "$CFG_DOCKER_INSTALL_USER"))
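Review bot: `ISUFWD=$( (sudo ufw-docker) 2>&1 )` keeps raw sudo even though ufw-docker is on the commit's runSystem list, so this probe will be missing from the chokepoint inventory; `ISUFWD=$( (runSystem ufw-docker) 2>&1 )` keeps it byte-identical like its neighbours. The `sudo id -u "$CFG_DOCKER_INSTALL_USER"` on the last line needs no privilege at all — `id -u` resolves any account for any caller — so the right move there is to drop sudo rather than funnel it, which shrinks the surface instead of the allowlist. The function continues past this hunk.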


@ -4,7 +4,7 @@ checkWebUISystemdRequirement()
{
if [[ $CFG_REQUIREMENT_WEBUI_SERVICE == "true" ]]; then
### Check if systemd service is running
if sudo systemctl is-active --quiet libreportal.service; then
if runSystem systemctl is-active --quiet libreportal.service; then
isSuccessful "LibrePortal task processor service is running."
else
isNotice "LibrePortal task processor service is not running."
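Review bot: `systemctl is-active --quiet libreportal.service` does not need root on a stock systemd host — it is a read-only query — and the CrowdSec status script in this same commit already runs `systemctl status` unprivileged, so funnelling this one through runSystem adds a `systemctl is-active` entry to the future allowlist for nothing. Since the stated goal is a minimal sudoers, drop the prefix on read-only queries: `if systemctl is-active --quiet libreportal.service; then`. If some polkit configuration on a target denies the query, the else branch already reports "not running" rather than failing, so the change is low-risk. The function's remaining lines are outside this hunk.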


@ -10,9 +10,9 @@ installCrontab()
ISCRON=$( (sudo -u $sudo_user_name crontab -l) 2>&1 )
if [[ "$ISCRON" == *"command not found"* ]]; then
isNotice "Crontab is not installed, setting up now."
local result=$(sudo apt update)
local result=$(runSystem apt update)
checkSuccess "Updating apt for post installation"
local result=$(sudo apt install cron -y)
local result=$(runSystem apt install cron -y)
isSuccessful "Installing crontab application"
local result=$(sudo -u $sudo_user_name crontab -l)
isSuccessful "Enabling crontab on the system"
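Review bot: `sudo -u $sudo_user_name crontab -l` (twice in this hunk) is a run-as-user invocation that runSystem, being `sudo "$@"`, does not model, so the chokepoint inventory silently excludes it even though the allowlist will need a `(libreportal) crontab` style entry for it. Make that explicit — a sibling helper such as `runAsUser() { sudo -u "$1" -- "${@:2}"; }`, or a line in the commit message listing the sudo -u sites — and quote the expansion: `sudo -u "$sudo_user_name" crontab -l`. Separately, `local result=$(runSystem apt install cron -y)` masks apt's exit status (the status of `local` is what the next line sees), so the message that follows cannot reflect a failed install. The function continues beyond this hunk.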


@ -10,6 +10,26 @@ script_check_processor_flag="$1"
# Only run when executed directly, not when sourced
if [[ "$script_check_processor_flag" == "start_script" ]]; then
# --- Load the privilege helpers + docker-type config -------------------------
# cron runs this standalone, so the de-sudo helpers (runFileOp/runFileWrite/
# runSystem) and the config they key off are NOT otherwise in scope — without
# them every privileged op is "command not found". Same bootstrap as
# crontab_task_processor.sh. These files are pure function/var defs, safe to
# source.
LP_SCRIPTS="${install_scripts_dir:-/docker/install/scripts/}"
LP_DOCKER_CFG="/docker/configs/general/general_docker_install"
[[ -f "$LP_DOCKER_CFG" ]] && \
eval "$(grep -E '^CFG_DOCKER_INSTALL_(TYPE|USER)=' "$LP_DOCKER_CFG" | sed 's/[[:space:]]*#.*//')"
: "${sudo_user_name:=libreportal}"
: "${containers_dir:=/docker/containers/}"
: "${docker_dir:=/docker}"
for _lp_f in docker/command/run_privileged.sh \
docker/command/docker_run_install.sh \
checks/requirements/check_install_type.sh; do
[[ -f "${LP_SCRIPTS}${_lp_f}" ]] && source "${LP_SCRIPTS}${_lp_f}"
done
command -v resolveDockerInstallUser >/dev/null 2>&1 && resolveDockerInstallUser
# ========================================
# HEALTH CHECK CONFIGURATION
# ========================================
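Review bot: The `eval "$(grep -E '^CFG_DOCKER_INSTALL_(TYPE|USER)=' "$LP_DOCKER_CFG" | …)"` line executes whatever follows `=` in the config file as shell, so anyone who can write `/docker/configs/general/general_docker_install` gets code execution inside this cron job — and, since the helpers sourced just below wrap sudo, a path toward root; the grep pins only the key name, not the value. Parse the two keys as data instead: split on `=`, strip the comment, accept only a plain token, and assign with `printf -v`, which also removes the sed's habit of cutting a quoted value at an embedded `#`. The comment "These files are pure function/var defs, safe to source" is an assumption about three scripts not shown here; keep it but tag it `# TODO(review): re-verify whenever those scripts change`. The enclosing `if` closes below this hunk.
```shell
LP_DOCKER_CFG="/docker/configs/general/general_docker_install"
# Read the two keys as data, never as shell: a crafted value in the config
# must not execute inside the cron job. Key names are pinned by the grep.
if [[ -f "$LP_DOCKER_CFG" ]]; then
  while IFS='=' read -r _lp_key _lp_val; do
    _lp_val="${_lp_val%%#*}"                   # drop trailing comment
    _lp_val="${_lp_val//[[:space:]\"\']/}"     # drop whitespace and quotes
    [[ "$_lp_val" =~ ^[A-Za-z0-9_.-]+$ ]] && printf -v "$_lp_key" '%s' "$_lp_val"
  done < <(grep -E '^CFG_DOCKER_INSTALL_(TYPE|USER)=' "$LP_DOCKER_CFG")
fi
# … unchanged: sudo_user_name / containers_dir / docker_dir defaults, helper sourcing …
```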


@ -6,11 +6,11 @@ installDockerRootedCheck()
#### Test if Docker Service is Running ###
##########################################
if [[ $CFG_DOCKER_INSTALL_TYPE == "rooted" ]]; then
ISACT=$( (sudo systemctl is-active docker ) 2>&1 )
ISACT=$( (runSystem systemctl is-active docker ) 2>&1 )
if [[ "$ISACT" != "active" ]]; then
isNotice "Checking Docker service status. Waiting if not found."
while [[ "$ISACT" != "active" ]] && [[ $X -le 10 ]]; do
sudo systemctl start docker | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
runSystem systemctl start docker | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
sleep 10s &
pid=$! # Process Id of the previous running command
spin='-\|/'
@ -22,7 +22,7 @@ installDockerRootedCheck()
sleep .1
done
printf "\r"
ISACT=`sudo systemctl is-active docker`
ISACT=`runSystem systemctl is-active docker`
let X=X+1
echo "$X"
done
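Review bot: On `runSystem systemctl start docker | sudo tee -a "$logs_dir/$docker_log_file" 2>&1` the `2>&1` binds to tee, not to systemctl, so any error systemctl prints goes to the terminal and never reaches the log the line exists to keep; move it before the pipe: `runSystem systemctl start docker 2>&1 | sudo tee -a "$logs_dir/$docker_log_file"`. The `sudo tee` is a file write, which the commit message assigns to runFileWrite rather than runSystem, so this line deserves a look in that sweep. The backtick form on the `ISACT=` line in the second hunk would read better as `ISACT=$(runSystem systemctl is-active docker)`, matching the first hunk. The loop body continues between the two hunks.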


@ -16,10 +16,10 @@ installDockerRootless()
local docker_install_user_id=$(id -u "$CFG_DOCKER_INSTALL_USER")
local docker_install_bashrc="/home/$CFG_DOCKER_INSTALL_USER/.bashrc"
local result=$(sudo apt-get install -y apt-transport-https ca-certificates curl gnupg software-properties-common uidmap dbus-user-session fuse-overlayfs passt)
local result=$(runSystem apt-get install -y apt-transport-https ca-certificates curl gnupg software-properties-common uidmap dbus-user-session fuse-overlayfs passt)
checkSuccess "Installing necessary packages"
local result=$(sudo systemctl disable --now docker.service docker.socket)
local result=$(runSystem systemctl disable --now docker.service docker.socket)
checkSuccess "Disabling Docker service & Socket"
((menu_number++))
@ -30,7 +30,7 @@ installDockerRootless()
# slirp4netns update and install
if ! command -v slirp4netns &> /dev/null; then
isNotice "slirp4netns is not installed. Installing..."
local result=$(sudo apt-get install -y slirp4netns)
local result=$(runSystem apt-get install -y slirp4netns)
checkSuccess "Installing slirp4netns"
else
isNotice "slirp4netns is already installed"
@ -39,9 +39,9 @@ installDockerRootless()
if [[ "$installed_version" != "$latest_version" ]]; then
isNotice "slirp4netns version $installed_version is outdated."
isNotice "Installing version $latest_version..."
local result=$(sudo apt-get update)
local result=$(runSystem apt-get update)
checkSuccess "Updating apt packages"
local result=$(sudo apt-get install -y slirp4netns)
local result=$(runSystem apt-get install -y slirp4netns)
checkSuccess "Installing slirp4netns"
else
isSuccessful "slirp4netns version $installed_version is up to date"
@ -58,7 +58,7 @@ installDockerRootless()
else
local result=$(echo "kernel.unprivileged_userns_clone=1" | sudo tee -a $sysctl > /dev/null)
checkSuccess "Adding kernel.unprivileged_userns_clone=1 to $sysctl..."
local result=$(sudo sysctl --system)
local result=$(runSystem sysctl --system)
checkSuccess "Running sudo -u $sudo_user_name sysctl --system..."
fi
fi
@ -97,7 +97,7 @@ installDockerRootless()
echo "---- $menu_number. Setting up Rootless Docker."
echo ""
local result=$(sudo loginctl enable-linger $CFG_DOCKER_INSTALL_USER)
local result=$(runSystem loginctl enable-linger $CFG_DOCKER_INSTALL_USER)
checkSuccess "Adding automatic start (linger)"
# Rootless Install
@ -216,7 +216,7 @@ net.core.bpf_jit_harden=2
EOL
checkSuccess "Writing kernel LPE-surface hardening to $hardening_conf"
local result=$(sudo sysctl --system)
local result=$(runSystem sysctl --system)
checkSuccess "Applying changes to sysctl"
menu_number=0
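Review bot: `local result=$(runSystem sysctl --system)` followed by `checkSuccess "Applying changes to sysctl"` can never report failure — the status seen after that line is `local`'s, which is 0 whatever sysctl returned — so the kernel LPE-surface hardening written just above is announced as applied even when sysctl rejects it; the useradd hunk in this same commit already notes that checkSuccess needs an unmasked call. Write it as `runSystem sysctl --system >/dev/null` with no assignment, and treat the apt-get and loginctl lines in this file the same way. Separately, `checkSuccess "Running sudo -u $sudo_user_name sysctl --system..."` describes a command that does not run — it is plain `sysctl --system` as root — so `checkSuccess "Running sysctl --system..."`. installDockerRootless starts above and continues between these hunks.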


@ -12,7 +12,7 @@ installDockerRootlessUser()
# -m makes its home; with SUB_UID/GID configured in login.defs,
# useradd also assigns its subordinate uid/gid ranges (needed for
# rootless). Run unmasked so checkSuccess sees real failures.
sudo useradd -m -s /bin/bash -d "/home/$CFG_DOCKER_INSTALL_USER" "$CFG_DOCKER_INSTALL_USER"
runSystem useradd -m -s /bin/bash -d "/home/$CFG_DOCKER_INSTALL_USER" "$CFG_DOCKER_INSTALL_USER"
checkSuccess "Creating $CFG_DOCKER_INSTALL_USER User."
updateDockerInstallPassword;
fi


@ -3,16 +3,16 @@
dockerServiceStart()
{
if [[ $CFG_DOCKER_INSTALL_TYPE == "rooted" ]]; then
local result=$(sudo systemctl start docker)
local result=$(runSystem systemctl start docker)
checkSuccess "Starting Docker Service"
local result=$(sudo systemctl enable docker)
local result=$(runSystem systemctl enable docker)
checkSuccess "Enabling Docker Service"
local result=$(sudo usermod -aG docker $sudo_user_name)
local result=$(runSystem usermod -aG docker $sudo_user_name)
checkSuccess "Adding user to 'docker' group"
local result=$(sudo systemctl restart docker)
local result=$(runSystem systemctl restart docker)
checkSuccess "Restarting Docker service after group addition."
elif [[ $CFG_DOCKER_INSTALL_TYPE == "rootless" ]]; then
installDockerRootless;
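Review bot: `runSystem usermod -aG docker $sudo_user_name` puts the portal user in the docker group, and access to a rooted daemon's socket is root-equivalent, so on this path the scoped sudoers this commit prepares cannot confine that user — the allowlist is only as tight as the group grant beside it. That is the rooted-install trade-off rather than a bug, but it belongs where the grant happens: `# NOTE: docker group == root-equivalent on a rooted daemon; the sudoers allowlist does not bound this user`. Quote the expansion, `"$sudo_user_name"`, and note that the `local result=$(...)` wrapping hides every systemctl/usermod status from the checkSuccess that follows it. The elif branch's tail is outside this hunk.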


@ -8,10 +8,10 @@ dockerServiceStop()
if [[ "$docker_rooted_found" == "true" ]]; then
isNotice "Stopping rooted Docker service...this may take a moment..."
local result=$(sudo systemctl stop docker)
local result=$(runSystem systemctl stop docker)
checkSuccess "Stopping Rooted Docker Service"
local result=$(sudo systemctl disable docker)
local result=$(runSystem systemctl disable docker)
checkSuccess "Disabling Rooted Docker Service"
fi
fi


@ -75,10 +75,10 @@ installCrowdsecHost()
echo "---- $menu_number. Enabling CrowdSec services."
echo ""
local result=$(sudo systemctl enable --now crowdsec)
local result=$(runSystem systemctl enable --now crowdsec)
checkSuccess "Enabling CrowdSec agent"
local result=$(sudo systemctl enable --now crowdsec-firewall-bouncer)
local result=$(runSystem systemctl enable --now crowdsec-firewall-bouncer)
checkSuccess "Enabling CrowdSec firewall bouncer"
((menu_number++))
@ -86,13 +86,13 @@ installCrowdsecHost()
echo "---- $menu_number. Installing baseline collections."
echo ""
local result=$(sudo cscli collections install crowdsecurity/linux)
local result=$(runSystem cscli collections install crowdsecurity/linux)
checkSuccess "Installing crowdsecurity/linux collection"
local result=$(sudo cscli collections install crowdsecurity/sshd)
local result=$(runSystem cscli collections install crowdsecurity/sshd)
checkSuccess "Installing crowdsecurity/sshd collection"
local result=$(sudo systemctl reload crowdsec)
local result=$(runSystem systemctl reload crowdsec)
checkSuccess "Reloading CrowdSec to pick up collections"
((menu_number++))
@ -106,14 +106,14 @@ installCrowdsecHost()
# unregistering. Idempotent on either branch.
local community_blocklist="${CFG_CROWDSEC_COMMUNITY_BLOCKLIST:-true}"
if [[ "$community_blocklist" == "true" ]]; then
if sudo cscli capi status 2>&1 | grep -qi 'You can successfully'; then
if runSystem cscli capi status 2>&1 | grep -qi 'You can successfully'; then
isNotice "Community blocklist already registered."
else
local result=$(sudo cscli capi register 2>&1)
local result=$(runSystem cscli capi register 2>&1)
checkSuccess "Registered with CrowdSec Central API (community blocklist)"
fi
else
local result=$(sudo cscli capi unregister 2>&1)
local result=$(runSystem cscli capi unregister 2>&1)
checkSuccess "Unregistered from CrowdSec Central API (community blocklist disabled)"
fi
@ -129,19 +129,19 @@ installCrowdsecHost()
local console_enroll="${CFG_CROWDSEC_CONSOLE_ENROLL:-false}"
local console_token="${CFG_CROWDSEC_CONSOLE_TOKEN:-}"
local enrolled=false
sudo cscli console status 2>&1 | grep -qi 'enrolled' && enrolled=true
runSystem cscli console status 2>&1 | grep -qi 'enrolled' && enrolled=true
if [[ "$console_enroll" == "true" ]]; then
if [[ -z "$console_token" ]]; then
isNotice "Console enrollment ON but CFG_CROWDSEC_CONSOLE_TOKEN is empty — paste your token from app.crowdsec.net to complete."
elif [[ "$enrolled" == true ]]; then
isNotice "Already enrolled with the SaaS console — skipping."
else
local result=$(sudo cscli console enroll "$console_token" 2>&1)
local result=$(runSystem cscli console enroll "$console_token" 2>&1)
checkSuccess "Enrolled with app.crowdsec.net SaaS console"
fi
else
if [[ "$enrolled" == true ]]; then
local result=$(sudo cscli console disenroll 2>&1)
local result=$(runSystem cscli console disenroll 2>&1)
checkSuccess "Disenrolled from app.crowdsec.net SaaS console"
else
isNotice "SaaS console enrollment disabled — skipping."
@ -161,7 +161,7 @@ installCrowdsecHost()
if [[ -f "$lapi_cfg" ]] && ! sudo grep -qE 'listen_uri:[[:space:]]*0\.0\.0\.0:8080' "$lapi_cfg"; then
sudo sed -i 's|listen_uri:.*|listen_uri: 0.0.0.0:8080|' "$lapi_cfg"
checkSuccess "LAPI bound to 0.0.0.0:8080"
sudo systemctl restart crowdsec
runSystem systemctl restart crowdsec
checkSuccess "CrowdSec restarted"
else
isNotice "LAPI already bound to 0.0.0.0:8080 — skipping."
@ -189,7 +189,7 @@ installCrowdsecHost()
s|listen_port:.*|listen_port: ${prom_port}|
}" "$cs_cfg"
checkSuccess "CrowdSec metrics endpoint bound to ${prom_listen}"
sudo systemctl restart crowdsec
runSystem systemctl restart crowdsec
checkSuccess "CrowdSec restarted"
else
isNotice "CrowdSec metrics already bound to ${prom_addr} — skipping."
@ -197,7 +197,7 @@ installCrowdsecHost()
elif [[ -f "$cs_cfg" ]] && sudo grep -qE 'listen_addr:[[:space:]]*0\.0\.0\.0' "$cs_cfg"; then
sudo sed -i "/^prometheus:/,/^[^[:space:]#]/ s|listen_addr:.*|listen_addr: 127.0.0.1|" "$cs_cfg"
checkSuccess "CrowdSec metrics endpoint rebound to 127.0.0.1 (monitoring off)"
sudo systemctl restart crowdsec
runSystem systemctl restart crowdsec
checkSuccess "CrowdSec restarted"
else
isNotice "Monitoring off — CrowdSec metrics endpoint left at its default."
@ -217,9 +217,9 @@ installCrowdsecHost()
local key_file="/etc/crowdsec/traefik_bouncer.key"
local cfg_file="/docker/configs/security/security_crowdsec"
if ! sudo cscli bouncers list -o raw 2>/dev/null | grep -q '^traefik-bouncer'; then
if ! runSystem cscli bouncers list -o raw 2>/dev/null | grep -q '^traefik-bouncer'; then
local bouncer_key
bouncer_key=$(sudo cscli bouncers add traefik-bouncer -o raw 2>&1 | tail -1)
bouncer_key=$(runSystem cscli bouncers add traefik-bouncer -o raw 2>&1 | tail -1)
if [[ -n "$bouncer_key" && "$bouncer_key" != *"error"* ]]; then
echo "$bouncer_key" | sudo tee "$key_file" >/dev/null
sudo chown libreportal:libreportal "$key_file"
@ -250,16 +250,16 @@ installCrowdsecHost()
# The firewall bouncer needs a moment to install its nftables table
# after enable. Poll up to ~10s before deciding it's missing.
local _wait=0
until sudo nft list tables 2>/dev/null | grep -qiE 'crowdsec' || [[ $_wait -ge 10 ]]; do
until runSystem nft list tables 2>/dev/null | grep -qiE 'crowdsec' || [[ $_wait -ge 10 ]]; do
sleep 1; _wait=$((_wait+1))
done
if ! sudo nft list tables 2>/dev/null | grep -qiE 'crowdsec'; then
if ! runSystem nft list tables 2>/dev/null | grep -qiE 'crowdsec'; then
isNotice "CrowdSec nftables table not yet present after ${_wait}s. Bouncer may still be starting; re-run the verification Tools action in a minute if rules don't appear."
else
local cs_prio ufw_prio
cs_prio=$(sudo nft list ruleset 2>/dev/null | awk '/table .* crowdsec/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}')
ufw_prio=$(sudo nft list ruleset 2>/dev/null | awk '/chain ufw[a-z0-9-]*input/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}')
cs_prio=$(runSystem nft list ruleset 2>/dev/null | awk '/table .* crowdsec/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}')
ufw_prio=$(runSystem nft list ruleset 2>/dev/null | awk '/chain ufw[a-z0-9-]*input/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}')
if [[ -z "$ufw_prio" ]]; then
isSuccessful "UFW not in nftables — no ordering needed (CrowdSec prio: ${cs_prio:-?})."
@ -291,10 +291,10 @@ installCrowdsecHost()
echo "---- $menu_number. Re-enabling CrowdSec services."
echo ""
local result=$(sudo systemctl enable --now crowdsec)
local result=$(runSystem systemctl enable --now crowdsec)
checkSuccess "Enabling CrowdSec agent"
local result=$(sudo systemctl enable --now crowdsec-firewall-bouncer)
local result=$(runSystem systemctl enable --now crowdsec-firewall-bouncer)
checkSuccess "Enabling CrowdSec firewall bouncer"
isSuccessful "CrowdSec services re-enabled."
@ -312,10 +312,10 @@ installCrowdsecHost()
echo "---- $menu_number. Stopping and disabling CrowdSec services."
echo ""
local result=$(sudo systemctl disable --now crowdsec-firewall-bouncer 2>&1)
local result=$(runSystem systemctl disable --now crowdsec-firewall-bouncer 2>&1)
checkSuccess "Disabling CrowdSec firewall bouncer"
local result=$(sudo systemctl disable --now crowdsec 2>&1)
local result=$(runSystem systemctl disable --now crowdsec 2>&1)
checkSuccess "Disabling CrowdSec agent"
isSuccessful "CrowdSec disabled. Package remains installed — set CFG_CROWDSEC_ENABLED=true to re-enable, or uninstall via the Tools tab."
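Review bot: In the bouncer hunk, `bouncer_key=$(runSystem cscli bouncers add traefik-bouncer -o raw 2>&1 | tail -1)` followed by `"$bouncer_key" != *"error"*` treats the last output line as the key unless it happens to contain the word error, so a multi-line failure, a warning, or sudo's own denial message (once the allowlist exists) can be written to `/etc/crowdsec/traefik_bouncer.key` as if it were a credential. Check the command's status instead of grepping its text: `if bouncer_key=$(runSystem cscli bouncers add traefik-bouncer -o raw 2>/dev/null) && [[ -n "$bouncer_key" ]]; then`. The key is then piped into `sudo tee "$key_file"` and chowned, but no chmod is visible in this hunk, so confirm the file is not created world-readable before the chown lands. installCrowdsecHost starts above and ends below these hunks.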


@ -3,7 +3,7 @@
installUFW()
{
if [[ "$CFG_REQUIREMENT_UFW" == "true" ]]; then
ISUFW=$( (sudo ufw status ) 2>&1 )
ISUFW=$( (runSystem ufw status ) 2>&1 )
if [[ "$ISUFW" == *"command not found"* ]]; then
isHeader "Install UFW Firewall"
@ -12,7 +12,7 @@ installUFW()
echo "---- $menu_number. Installing using linux package installer"
echo ""
local result=$(yes | sudo apt-get install ufw )
local result=$(yes | runSystem apt-get install ufw )
checkSuccess "Installing UFW package"
# ((menu_number++))
@ -27,9 +27,9 @@ installUFW()
# ssh_port=${ssh_port:-22} # Default to 22 if not found
# fi
# local result=$(sudo ufw allow $ssh_port)
# local result=$(runSystem ufw allow $ssh_port)
# checkSuccess "Enabling Port $ssh_port through the firewall"
# local result=$(sudo ufw allow ssh)
# local result=$(runSystem ufw allow ssh)
# checkSuccess "Enabling SSH through the firewall"
# while true; do
@ -42,13 +42,13 @@ installUFW()
# done
# if [[ "$UFWSSH" == [nN] ]]; then
# local result=$(sudo ufw deny $ssh_port)
# local result=$(runSystem ufw deny $ssh_port)
# checkSuccess "Blocking Port $ssh_port through the firewall"
# local result=$(sudo ufw deny ssh)
# local result=$(runSystem ufw deny ssh)
# checkSuccess "Blocking SSH through the firewall"
# fi
local result=$(sudo ufw --force enable)
local result=$(runSystem ufw --force enable)
checkSuccess "Enabling UFW Firewall"
((menu_number++))
@ -56,7 +56,7 @@ installUFW()
echo "---- $menu_number. Changing logging options"
echo ""
local result=$(yes | sudo ufw logging $CFG_UFW_LOGGING)
local result=$(yes | runSystem ufw logging $CFG_UFW_LOGGING)
checkSuccess "Disabling UFW Firewall Logging"
isSuccessful "UFW Firewall has been installed, you can use ufw status to see the status"
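Review bot: `runSystem ufw --force enable` runs with the SSH allow block directly above it commented out, so unless a rule outside this hunk already admits the admin's port, enabling under UFW's default deny-incoming policy will cut off the SSH session driving this installer; restore the allow (for example `runSystem ufw allow "${ssh_port:-22}/tcp"` from the detected port) as a precondition of the enable rather than a comment. Also `checkSuccess "Disabling UFW Firewall Logging"` follows `runSystem ufw logging $CFG_UFW_LOGGING`, which applies whatever level the config holds, so the message is wrong for every value but off — `checkSuccess "Setting UFW logging to $CFG_UFW_LOGGING"`, with the expansion quoted. installUFW continues between these hunks.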


@ -23,10 +23,10 @@ installUFWDocker()
local result=$(sudo chmod +x $ufwpath)
checkSuccess "Setting permissions for install files"
local result=$(sudo ufw-docker install > /dev/null 2>&1)
local result=$(runSystem ufw-docker install > /dev/null 2>&1)
checkSuccess "Installing UFW Docker"
local result=$(sudo systemctl restart ufw)
local result=$(runSystem systemctl restart ufw)
checkSuccess "Restarting UFW Firewall service"
isSuccessful "UFW-Docker has been installed, you can use ufw-docker to see the available commands"
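Review bot: `runSystem ufw-docker install` executes a script the installer itself places and marks executable (`sudo chmod +x $ufwpath` just above), not a distro-packaged binary, so an allowlist entry for it amounts to "run a file the portal writes, as root" — whoever can replace that file gets root through the very sudoers this chokepoint defines. If ufw-docker stays in the allowlist, pin its absolute path and check ownership and mode before invoking it, and say so at the call site: `# ufw-docker is a script we install: allowlist by absolute path, require root:root and not group/world-writable`. The `> /dev/null 2>&1` together with `local result=$(...)` hides both output and status, so the checkSuccess here is unconditional; quote `$ufwpath` as well. The function starts above this hunk.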


@ -10,7 +10,7 @@ installDockerManagerUser()
isNotice "User '$CFG_DOCKER_MANAGER_USER' does not exist, starting creation..."
# Create the User Account
local result=$(sudo useradd -m -s /bin/bash "$CFG_DOCKER_MANAGER_USER")
local result=$(runSystem useradd -m -s /bin/bash "$CFG_DOCKER_MANAGER_USER")
checkSuccess "Adding user via useradd command"
local result=$(echo "$CFG_DOCKER_MANAGER_USER:$CFG_DOCKER_MANAGER_PASS" | sudo chpasswd)
@ -66,7 +66,7 @@ EOL")
checkSuccess "Updating SSH Server Configuration for the Manager User."
# Reload SSH Service
local result=$(sudo service ssh reload)
local result=$(runSystem service ssh reload)
checkSuccess "Reloading SSH Service"
fi
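Review bot: `local result=$(runSystem service ssh reload)` runs right after the sshd_config edit in the hunk above it and masks the reload's exit status, so a malformed Match block would still be announced as "Reloading SSH Service" success; validate first and let the status through: `runSystem sshd -t && runSystem systemctl reload ssh`. That also replaces one of the two `service` calls this commit adds to the chokepoint with the `systemctl` the rest of the sweep already uses, keeping the eventual allowlist a binary shorter (the unit is `ssh` on Debian/Ubuntu, `sshd` on most other distributions, so gate it on `$OS_TYPE` as elsewhere). The `chpasswd` line correctly passes the password on stdin rather than argv — keep it that way. installDockerManagerUser continues between the hunks.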


@ -14,7 +14,7 @@ uninstallDockerManagerUser()
checkSuccess "Removing the Docker Manager User from $sshd_config."
# Restart SSH Service
local result=$(sudo service ssh restart)
local result=$(runSystem service ssh restart)
checkSuccess "Restarting SSH Service"
fi
fi


@ -7,7 +7,7 @@ installArch()
if [[ "$UPDARCH" == [yY] ]]; then
isNotice "Installing System Updates... this may take a while...be patient."
(sudo pacman -Syu --noconfirm) > $logs_dir/$docker_log_file 2>&1 &
(runSystem pacman -Syu --noconfirm) > $logs_dir/$docker_log_file 2>&1 &
## Show a spinner for activity progress
pid=$! # Process Id of the previous running command
spin='-\|/'
@ -25,12 +25,12 @@ installArch()
isNotice "Installing Prerequisite Packages..."
sudo pacman -Sy git curl wget --noconfirm | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
runSystem pacman -Sy git curl wget --noconfirm | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
if [[ "$ISACT" != "active" ]]; then
isNotice "Installing Docker-CE (Community Edition)..."
sudo pacman -Sy docker --noconfirm | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
runSystem pacman -Sy docker --noconfirm | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
echo "- docker-ce version is now:"
DOCKERV=$(docker -v)
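Review bot: `(runSystem pacman -Syu --noconfirm) > $logs_dir/$docker_log_file 2>&1 &` backgrounds a sudo call with no terminal, so if sudo needs a password it cannot ask — the job fails or stalls behind the spinner with only the prompt in the log — which means this path works only under NOPASSWD, precisely what the future sudoers.d must grant for pacman; record that at the call: `# requires NOPASSWD for pacman in the sudoers allowlist: sudo cannot prompt from the background`. Quote the redirect target, `> "$logs_dir/$docker_log_file"`. On the two `| sudo tee -a … 2>&1` lines the `2>&1` applies to tee, so pacman's stderr misses the log; move it before the pipe. installArch continues between the hunks.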


@ -14,7 +14,7 @@ installDebianUbuntu()
local result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt update -qq 2>&1 && DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt install sudo -yqq 2>&1 && apt-get autoclean 2>&1)
checkSuccess "Updating System Operating system."
local result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 sudo apt update -qq 2>&1)
local result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 runSystem apt update -qq 2>&1)
checkSuccess "Running application update"
local result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 sudo $installed_apps -yqq 2>&1)
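Review bot: The last line, `sudo $installed_apps -yqq`, is the one sudo call in this hunk that cannot be allowlisted as written — the command name lives inside an unquoted variable that is word-split at run time — and it was left raw, so the chokepoint inventory misses a call whose binary and arguments are data. Make the command explicit, e.g. `runSystem apt-get install -yqq "${installed_apps_list[@]}"` over an array of package names, so the allowlist can name `apt-get` and a package entry cannot smuggle extra words; I cannot see where `$installed_apps` is assembled, so treat this as a pointer. Note also that the `DEBIAN_FRONTEND=… APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1` prefixes land on runSystem's environment, and sudo's default env_reset drops them before apt runs unless the allowlist adds them to env_keep, so the noninteractive intent may not survive the sudo boundary. installDebianUbuntu continues past this hunk.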


@ -78,7 +78,7 @@ EOF
else
# Unit already correct — ensure it's enabled + running, without a restart.
runSystem systemctl enable libreportal.service >/dev/null 2>&1
sudo systemctl is-active --quiet libreportal.service || runSystem systemctl start libreportal.service
runSystem systemctl is-active --quiet libreportal.service || runSystem systemctl start libreportal.service
isSuccessful "LibrePortal task processor service already up to date."
fi


@ -26,6 +26,6 @@ wireguardRevokeClient()
result=$(sudo rm -f "${CFG_WG_HOME_DIR}/${CFG_WG_SERVER_NIC}-client-${WIREGUARD_CLIENT_NAME}.conf")
checkSuccess "Removed generated client file for $WIREGUARD_CLIENT_NAME"
result=$(sudo wg syncconf "${CFG_WG_SERVER_NIC}" <(sudo wg-quick strip "${CFG_WG_SERVER_NIC}"))
result=$(runSystem wg syncconf "${CFG_WG_SERVER_NIC}" <(runSystem wg-quick strip "${CFG_WG_SERVER_NIC}"))
checkSuccess "Restart wireguard to apply changes"
}
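Review bot: `runSystem wg syncconf "${CFG_WG_SERVER_NIC}" <(runSystem wg-quick strip "${CFG_WG_SERVER_NIC}")` hands sudo a `/dev/fd/N` path from the process substitution, but sudo closes every descriptor above 2 before exec (its default closefrom of 3, easily confirmed with `sudo cat <(echo x)`), so inside wg that path no longer exists and syncconf fails — the revoked peer stays active while checkSuccess prints "Restart wireguard to apply changes". Feed the stripped config on stdin, which sudo keeps: `result=$(runSystem wg-quick strip "${CFG_WG_SERVER_NIC}" | runSystem wg syncconf "${CFG_WG_SERVER_NIC}" /dev/stdin)`. This was already broken with raw sudo, so the commit's byte-identical claim holds; it is worth fixing in the same file rather than carrying it into the allowlist. The function's head is above this hunk.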


@ -33,7 +33,7 @@ installStandaloneWireGuard()
# Install WireGuard tools and module
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
sudo apt-get install -y wireguard iptables resolvconf qrencode
runSystem apt-get install -y wireguard iptables resolvconf qrencode
# Update DNS after installing resolvconf
updateDNS "" standalonewireguard;
@ -95,12 +95,12 @@ PostDown = iptables -t nat -D POSTROUTING -o ${server_nic} -j MASQUERADE" | sudo
local result=$(echo '# WIREGUARD END' | sudo tee -a "$sysctl" > /dev/null)
checkSuccess "Adding wireguard header to sysctl"
result=$(sudo systemctl start "wg-quick@${CFG_WG_SERVER_NIC}")
result=$(runSystem systemctl start "wg-quick@${CFG_WG_SERVER_NIC}")
checkSuccess "Started wg-quick@${CFG_WG_SERVER_NIC} service."
result=$(sudo systemctl enable "wg-quick@${CFG_WG_SERVER_NIC}")
result=$(runSystem systemctl enable "wg-quick@${CFG_WG_SERVER_NIC}")
checkSuccess "Enabled wg-quick@${CFG_WG_SERVER_NIC} service."
result=$(sudo sysctl --system)
result=$(runSystem sysctl --system)
checkSuccess "Reloaded sysctl"
portUse wireguardstandalone $CFG_WG_SERVER_PORT install;
@ -168,9 +168,9 @@ wireguardNewClient()
fi
# Generate key pair for the client
local WIREGUARD_CLIENT_PRIV_KEY=$(sudo wg genkey)
local WIREGUARD_CLIENT_PUB_KEY=$(echo "${WIREGUARD_CLIENT_PRIV_KEY}" | sudo wg pubkey)
local WIREGUARD_CLIENT_PRE_SHARED_KEY=$(sudo wg genpsk)
local WIREGUARD_CLIENT_PRIV_KEY=$(runSystem wg genkey)
local WIREGUARD_CLIENT_PUB_KEY=$(echo "${WIREGUARD_CLIENT_PRIV_KEY}" | runSystem wg pubkey)
local WIREGUARD_CLIENT_PRE_SHARED_KEY=$(runSystem wg genpsk)
local WIREGUARD_ENDPOINT="${public_ip_v4}:${CFG_WG_SERVER_PORT}"
# Create client file
@ -195,12 +195,12 @@ PublicKey = ${WIREGUARD_CLIENT_PUB_KEY}
PresharedKey = ${WIREGUARD_CLIENT_PRE_SHARED_KEY}
AllowedIPs = ${CFG_WG_ALLOWED_IPS}" | sudo tee -a "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf" >/dev/null
#result=$(sudo wg syncconf ${CFG_WG_SERVER_NIC} /etc/wireguard/${CFG_WG_SERVER_NIC}.conf)
#result=$(runSystem wg syncconf ${CFG_WG_SERVER_NIC} /etc/wireguard/${CFG_WG_SERVER_NIC}.conf)
#checkSuccess "Syncing config file for $CFG_WG_SERVER_NIC"
#result=$(sudo systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}")
#result=$(runSystem systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}")
#checkSuccess "Stopped wg-quick@${CFG_WG_SERVER_NIC} service."
#result=$(sudo systemctl start "wg-quick@${CFG_WG_SERVER_NIC}")
#result=$(runSystem systemctl start "wg-quick@${CFG_WG_SERVER_NIC}")
#checkSuccess "Started wg-quick@${CFG_WG_SERVER_NIC} service."
# Generate QR code if qrencode is installed
@ -248,7 +248,7 @@ wireguardRevokeClient()
result=$(sudo rm -f "${CFG_WG_HOME_DIR}/${CFG_WG_SERVER_NIC}-client-${WIREGUARD_CLIENT_NAME}.conf")
checkSuccess "Removed generated client file for $WIREGUARD_CLIENT_NAME"
result=$(sudo wg syncconf "${CFG_WG_SERVER_NIC}" <(sudo wg-quick strip "${CFG_WG_SERVER_NIC}"))
result=$(runSystem wg syncconf "${CFG_WG_SERVER_NIC}" <(runSystem wg-quick strip "${CFG_WG_SERVER_NIC}"))
checkSuccess "Restart wireguard to apply changes"
}
@ -274,14 +274,14 @@ wireguardUninstall()
if [[ $WIREGUARD_REMOVE == [yY] ]]; then
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
result=$(sudo systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}")
result=$(runSystem systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}")
checkSuccess "Stopped wg-quick@${CFG_WG_SERVER_NIC} service."
result=$(sudo systemctl disable "wg-quick@${CFG_WG_SERVER_NIC}")
result=$(runSystem systemctl disable "wg-quick@${CFG_WG_SERVER_NIC}")
checkSuccess "Disabled wg-quick@${CFG_WG_SERVER_NIC} service."
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
result=$(sudo apt-get remove -y wireguard wireguard-tools qrencode)
result=$(runSystem apt-get remove -y wireguard wireguard-tools qrencode)
checkSuccess "Removed wireguard wireguard-tools qrencode"
fi
@ -290,7 +290,7 @@ wireguardUninstall()
result=$(sudo rm -f /etc/sysctl.d/wg.conf)
checkSuccess "Delete /etc/sysctl.d/wg.conf file."
result=$(sudo sysctl --system)
result=$(runSystem sysctl --system)
checkSuccess "Reloaded sysctl"
portUnuse wireguardstandalone $CFG_WG_SERVER_PORT install;
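Review bot: `runSystem wg genkey`, `runSystem wg pubkey` and `runSystem wg genpsk` in the client hunk run key generation as root, yet those subcommands only read /dev/urandom and stdin and need no privilege; routing them through the chokepoint forces the allowlist to permit `wg` without argument pinning (so `wg set` on the live interface comes along) and passes the client's private key through a root-owned process for no gain. Drop the prefix on those three lines — `local WIREGUARD_CLIENT_PRIV_KEY=$(wg genkey)` and likewise for pubkey and genpsk — and keep runSystem only for syncconf and the systemctl calls. The revoke hunk in this file also hands sudo a process-substitution path, `<(runSystem wg-quick strip …)`, which sudo's default closing of descriptors above 2 makes unreadable inside wg; worth a revoke on a test peer before relying on it. The functions here start and end between these hunks.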


@ -11,14 +11,14 @@ wireguardUninstall()
if [[ $WIREGUARD_REMOVE == [yY] ]]; then
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
result=$(sudo systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}")
result=$(runSystem systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}")
checkSuccess "Stopped wg-quick@${CFG_WG_SERVER_NIC} service."
result=$(sudo systemctl disable "wg-quick@${CFG_WG_SERVER_NIC}")
result=$(runSystem systemctl disable "wg-quick@${CFG_WG_SERVER_NIC}")
checkSuccess "Disabled wg-quick@${CFG_WG_SERVER_NIC} service."
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
result=$(sudo apt-get remove -y wireguard wireguard-tools qrencode)
result=$(runSystem apt-get remove -y wireguard wireguard-tools qrencode)
checkSuccess "Removed wireguard wireguard-tools qrencode"
fi
@ -27,7 +27,7 @@ wireguardUninstall()
result=$(sudo rm -f /etc/sysctl.d/wg.conf)
checkSuccess "Delete /etc/sysctl.d/wg.conf file."
result=$(sudo sysctl --system)
result=$(runSystem sysctl --system)
checkSuccess "Reloaded sysctl"
portUnuse wireguardstandalone $CFG_WG_SERVER_PORT install;