fix(apps): de-sudo the remaining per-app .sh file ops via runFileOp

Sweep of every containers/<app>/<app>.sh after the install-side fix that
went into config_file_setup_data.sh — these were the same class of bug:
bare `sudo sed -i` / `sudo docker exec` calls left over from when the
manager carried NOPASSWD:ALL. After the rootless+de-sudo hardening (Model
A, sudoers scoped to LP_HELPERS + LP_SYSTEM only) those calls fail at
runtime, so every per-app routine that uses one would refuse on install
or in its post-install tweak step.

Each call routes through the existing `runFileOp` shim, which picks the
right path per CFG_DOCKER_INSTALL_TYPE (dockerinstall in rootless, manager
in rootful) — same pattern setup_dns.sh / authelia.sh / config_file_setup_data.sh
already use.

Fixed:
  gitea.sh:65       — sync GITEA_METRICS_TOKEN into prometheus-scrape.yml
  owncloud.sh:88    — fill OWNCLOUD_SETUP_* in the setup-webform html
  searxng.sh:87     — flip simple_style: auto → CFG_SEARXNG_THEME
  trilium.sh:89     — rewrite trilium-data/config.ini port=
  bookstack.sh:139  — bookstack:create-admin via `docker exec`
  bookstack.sh:148  — admin@admin.com cleanup via `docker exec ... tinker`

`bash -n` clean on every touched file. Untested live (none of these apps
are installed on the verify VM) but mechanically equivalent to the
already-validated config_file_setup_data.sh fix.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
librelad 2026-05-26 17:48:00 +01:00
parent b185862252
commit 4430edc40e
5 changed files with 7 additions and 7 deletions


@ -136,7 +136,7 @@ installBookstack()
else
isSuccessful "Bookstack is online (HTTP ${bookstack_http_code})."
bookstack_create_output=$(sudo docker exec \
bookstack_create_output=$(runFileOp docker exec \
-e EZ_BS_NEW_EMAIL="$bookstack_target_email" \
-e EZ_BS_NEW_PASS="$bookstack_target_pass" \
bookstack sh -c 'cd /app/www && s6-setuidgid abc php artisan bookstack:create-admin --no-ansi --email="$EZ_BS_NEW_EMAIL" --name=Admin --password="$EZ_BS_NEW_PASS" 2>&1')
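
Review bot: the final argument on the `bookstack sh -c '...'` line is a single-quoted script containing spaces, `&&`, `2>&1` and the `$EZ_BS_NEW_EMAIL` / `$EZ_BS_NEW_PASS` references, and it has to reach the container's `sh` as one unexpanded argument. `sudo` forwarded argv untouched; with `runFileOp` that now depends on the shim passing its arguments as `"$@"` rather than re-joining them into a string for `eval` or `bash -c`. Please confirm that in the shim, since the commit message says this path was not exercised live. Separately, `-e EZ_BS_NEW_PASS="$bookstack_target_pass"` keeps the admin password in the argument list of whatever the shim spawns, so it is worth checking that runFileOp does not log its arguments.
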
@ -145,7 +145,7 @@ installBookstack()
isSuccessful "Bookstack admin account created (email: $bookstack_target_email)."
if [[ "$bookstack_target_email" != "admin@admin.com" ]]; then
sudo docker exec -i bookstack php /app/www/artisan tinker --no-ansi >/dev/null 2>&1 <<'PHP'
runFileOp docker exec -i bookstack php /app/www/artisan tinker --no-ansi >/dev/null 2>&1 <<'PHP'
$c = class_exists('\BookStack\Users\Models\User') ? '\BookStack\Users\Models\User' : '\BookStack\Auth\User';
optional($c::where('email', 'admin@admin.com')->first())->delete();
PHP
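
Review bot: a failure of the `runFileOp docker exec -i bookstack ... tinker` line is silent, because its output goes to `>/dev/null 2>&1` and no status check is visible after the heredoc, so if the shim refuses or does not forward stdin the default `admin@admin.com` account stays in place with no notice. Suggest testing the exit status (for example `if ! runFileOp docker exec -i ...; then isNotice ...; fi`) and confirming that runFileOp passes the heredoc on stdin through to `docker exec -i` in both the rootless and rootful paths.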


@ -62,8 +62,8 @@ installGitea()
# that same value into the Prometheus scrape fragment so the two agree.
if monitoringAppEnabled "$app_name"; then
if [[ -n "$CFG_GITEA_METRICS_TOKEN" ]]; then
sudo sed -i "s|GITEA_METRICS_TOKEN_PLACEHOLDER|${CFG_GITEA_METRICS_TOKEN}|g" \
"$containers_dir$app_name/resources/monitoring/prometheus-scrape.yml"
local result=$(runFileOp sed -i "s|GITEA_METRICS_TOKEN_PLACEHOLDER|${CFG_GITEA_METRICS_TOKEN}|g" \
"$containers_dir$app_name/resources/monitoring/prometheus-scrape.yml")
checkSuccess "Synced Gitea /metrics token to the Prometheus scrape config"
else
isNotice "CFG_GITEA_METRICS_TOKEN is empty — Gitea /metrics scrape may 401."
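
Review bot: the new `local result=$(runFileOp sed -i ...)` line hides the command's exit status, because `$?` after `local var=$(cmd)` is the status of `local` itself, which is 0. The removed line was a bare `sudo sed -i`, so if `checkSuccess` decides from `$?` this hunk turns a real check into one that always passes. Declare and assign separately: `local result` on its own line, then `result=$(runFileOp sed -i ...)`. Also note that `${CFG_GITEA_METRICS_TOKEN}` is interpolated into a `s|...|...|g` expression, so a token containing `|`, `&` or `\` would break or alter the replacement.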


@ -85,7 +85,7 @@ installOwncloud()
isNotice "Failed to retrieve the web page."
fi
local result=$(sudo sed -i \
local result=$(runFileOp sed -i \
-e "s|OWNCLOUD_SETUP_VERSION|$owncloud_version|g" \
-e "s|OWNCLOUD_SETUP_ADMIN_USERNAME|$CFG_OWNCLOUD_ADMIN_USERNAME|g" \
-e "s|OWNCLOUD_SETUP_ADMIN_PASSWORD|$CFG_OWNCLOUD_ADMIN_PASSWORD|g" \
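
Review bot: on the `OWNCLOUD_SETUP_ADMIN_PASSWORD` line (and the username line above it) the configured value is pasted straight into a `s|...|...|g` expression, so a password containing `|` ends the expression early, and `&` or `\` are interpreted by sed instead of being written literally, leaving the setup form with a different password than the one configured. Escape `\`, `&` and `|` in the values before building the expression, or write the values with a tool that does not treat them as a pattern. The password is also part of the `sed` argument list that `runFileOp` receives, so the shim should not echo or log its arguments.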


@ -84,7 +84,7 @@ installSearxng()
# Check if the file was found or if we timed out
if [ -f "$containers_dir$app_name/searxng-data/settings.yml" ]; then
# Perform the required operation on the file once it exists
local result=$(sudo sed -i "s/simple_style: auto/simple_style: $CFG_SEARXNG_THEME/" "$containers_dir$app_name/searxng-data/settings.yml")
local result=$(runFileOp sed -i "s/simple_style: auto/simple_style: $CFG_SEARXNG_THEME/" "$containers_dir$app_name/searxng-data/settings.yml")
checkSuccess "Changing from light mode to dark mode to avoid eye strain installs"
dockerComposeRestart $app_name;
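
Review bot: `sed -i "s/simple_style: auto/.../"` exits 0 even when `simple_style: auto` is not present in `settings.yml`, so `checkSuccess` reports a theme change that may not have happened, and the container is restarted regardless. Consider a `grep -q "simple_style: $CFG_SEARXNG_THEME"` on the file afterwards before reporting success. The success text also hardcodes "light mode to dark mode" while the value written is `$CFG_SEARXNG_THEME`, and the `/` delimiter breaks if the theme value ever contains a slash; `$app_name` on the `dockerComposeRestart` line should be quoted.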


@ -86,7 +86,7 @@ installTrilium()
local trilium_counter=$((trilium_counter + 1))
done
result=$(sudo sed -i "s|port=8080|port=$usedport1|g" "$containers_dir$app_name/trilium-data/config.ini")
result=$(runFileOp sed -i "s|port=8080|port=$usedport1|g" "$containers_dir$app_name/trilium-data/config.ini")
checkSuccess "Configured $app_name from default 8080 to $usedport1"
dockerComposeRestart $app_name;
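
Review bot: `result=$(runFileOp sed -i ...)` here is assigned without `local`, unlike the gitea, owncloud and searxng hunks, so `result` leaks into the caller's scope. Add a separate `local result` line before the assignment; that keeps the variable function-scoped and, unlike `local result=$(...)`, still leaves sed's exit status in `$?` for `checkSuccess`. The pattern `port=8080` is also unanchored, so anchoring it as `^port=8080$` would avoid touching any other key or value that happens to contain that text, and `$app_name` on the `dockerComposeRestart` line should be quoted.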