From 4ee231ae9fc11f27984a3040fecb082ab93234cc Mon Sep 17 00:00:00 2001 From: librelad Date: Sun, 24 May 2026 17:37:14 +0100 Subject: [PATCH] refactor(de-sudo): wireguard -> runSystem, traefik -> runFileOp Wireguard standalone touches /etc/wireguard + sysctl exclusively (genuine root) -> runSystem for all its mkdir/chmod/sed/rm/grep/tee/qrencode. Traefik dynamic configs live under containers/traefik (docker-install-owned) -> runFileOp/runFileWrite (whitelist.yml, protectionauth.yml, the router-rewrite awk|tee|mv in port_subdomains). sudo -u drops left. Co-Authored-By: Claude Opus 4.7 Signed-off-by: librelad --- .../traefik/traefik_login_credentials.sh | 4 +- .../traefik/traefik_port_subdomains.sh | 6 +-- scripts/network/traefik/traefik_whitelist.sh | 2 +- scripts/wireguard/client/list_clients.sh | 2 +- scripts/wireguard/client/revoke_client.sh | 8 ++-- scripts/wireguard/install_standalone.sh | 46 +++++++++---------- scripts/wireguard/uninstall_standalone.sh | 4 +- 7 files changed, 36 insertions(+), 36 deletions(-) diff --git a/scripts/network/traefik/traefik_login_credentials.sh b/scripts/network/traefik/traefik_login_credentials.sh index 667e2cd..0096e22 100755 --- a/scripts/network/traefik/traefik_login_credentials.sh +++ b/scripts/network/traefik/traefik_login_credentials.sh 
@@ -16,9 +16,9 @@ traefikSetupLoginCredentials() # Setup BasicAuth credentials local login_credentials=$(htpasswd -Bbn "$CFG_TRAEFIK_USER" "$CFG_TRAEFIK_PASS") - local result=$(sudo sed -i '/#protection credentials/d' "$protectionauth_file") + local result=$(runFileOp sed -i '/#protection credentials/d' "$protectionauth_file") checkSuccess "Delete the line containing protection credentials" - local result=$(sudo sed -i "/users:/a\\ - '$login_credentials' #protection credentials" "$protectionauth_file") + local result=$(runFileOp sed -i "/users:/a\\ - '$login_credentials' #protection credentials" "$protectionauth_file") checkSuccess "Add the new line with new protection credentials" fi } \ No newline at end of file diff --git a/scripts/network/traefik/traefik_port_subdomains.sh b/scripts/network/traefik/traefik_port_subdomains.sh index 1bae42d..b56e6ac 100644 --- a/scripts/network/traefik/traefik_port_subdomains.sh +++ b/scripts/network/traefik/traefik_port_subdomains.sh @@ -72,7 +72,7 @@ tagsProcessorPortRouterBlocks() done local tmp="${file}.routers.$$" - sudo awk -v active="$active" ' + runFileOp awk -v active="$active" ' BEGIN { off = 0 } /#[[:space:]]*TRAEFIK_PORT_[0-9]+_BEGIN/ { match($0, /TRAEFIK_PORT_[0-9]+/); key = substr($0, RSTART, RLENGTH) @@ -91,6 +91,6 @@ tagsProcessorPortRouterBlocks() } print } - ' "$file" | sudo tee "$tmp" >/dev/null - sudo mv "$tmp" "$file" + ' "$file" | runFileWrite "$tmp" >/dev/null + runFileOp mv "$tmp" "$file" } diff --git a/scripts/network/traefik/traefik_whitelist.sh b/scripts/network/traefik/traefik_whitelist.sh index 64170fd..35fe544 100755 --- a/scripts/network/traefik/traefik_whitelist.sh +++ b/scripts/network/traefik/traefik_whitelist.sh 
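Review bot: Both changed lines keep the `local result=$(runFileOp sed -i …)` form, and `local` returns 0 regardless of what the command substitution did, so if `checkSuccess` keys off `$?` (its definition is not in this patch) a failed edit of protectionauth.yml is reported as success and the old credentials stay in place. Declare and assign separately: `local result` on its own line, then `result=$(runFileOp sed -i '/#protection credentials/d' "$protectionauth_file")`, and the same for the second call. Separately, `$login_credentials` is spliced into the sed `a\` text unescaped; the bcrypt hash from htpasswd is harmless there, but `$CFG_TRAEFIK_USER` is not validated in this hunk and a backslash or newline in it would alter the sed program, so it deserves a character-class check before use. `traefikSetupLoginCredentials` starts before this hunk.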
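Review bot: In the `@@ -91,6` hunk of traefik_port_subdomains.sh, `runFileOp mv "$tmp" "$file"` runs unconditionally after the awk pipeline, so if awk or `runFileOp` fails (denied, missing binary, syntax error) an empty or truncated `$tmp` is moved over the live router config; without `set -o pipefail` (not visible here) the pipeline's status is only that of `runFileWrite`. Read the awk stage's status before replacing the file: after `' "$file" | runFileWrite "$tmp" >/dev/null` add `if (( PIPESTATUS[0] != 0 )); then runFileOp rm -f "$tmp"; return 1; fi` and keep the `mv` after it. `tagsProcessorPortRouterBlocks` begins before this hunk; only its tail is visible.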
@@ -22,7 +22,7 @@ traefikUpdateWhitelist() YAML_CONTENT+="\n - \"$CFG_NETWORK_SUBNET\"" # Now update the YAML file with the new content using sudo - echo -e "$YAML_CONTENT" | sudo tee "$whitelist_file" > /dev/null + echo -e "$YAML_CONTENT" | runFileWrite "$whitelist_file" > /dev/null isSuccessful "Traefik has been updated with the latest whitelist IPs." fi } diff --git a/scripts/wireguard/client/list_clients.sh b/scripts/wireguard/client/list_clients.sh index 606cab8..b4e8c9e 100755 --- a/scripts/wireguard/client/list_clients.sh +++ b/scripts/wireguard/client/list_clients.sh @@ -6,5 +6,5 @@ wireguardListClients() wireguardCheckClients; - sudo grep -E "^### Client" "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf" | cut -d ' ' -f 3 | nl -s ') ' + runSystem grep -E "^### Client" "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf" | cut -d ' ' -f 3 | nl -s ') ' } diff --git a/scripts/wireguard/client/revoke_client.sh b/scripts/wireguard/client/revoke_client.sh index c19155e..2eced92 100755 --- a/scripts/wireguard/client/revoke_client.sh +++ b/scripts/wireguard/client/revoke_client.sh @@ -8,7 +8,7 @@ wireguardRevokeClient() echo "" echo "Select the existing client you want to revoke" - sudo grep -E "^### Client" "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf" | cut -d ' ' -f 3 | nl -s ') ' + runSystem grep -E "^### Client" "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf" | cut -d ' ' -f 3 | nl -s ') ' until [[ ${WIREGUARD_CLIENT_NUMBER} -ge 1 && ${WIREGUARD_CLIENT_NUMBER} -le ${WIREGUARD_NUMBER_OF_CLIENTS} ]]; do if [[ ${WIREGUARD_CLIENT_NUMBER} == '1' ]]; then read -rp "Select one client [1]: " WIREGUARD_CLIENT_NUMBER 
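Review bot: The comment directly above the changed line still reads "using sudo", which this commit makes untrue; replace it with `# Write the whitelist via runFileWrite (containers/traefik is docker-install-owned, no root needed)`. The `isSuccessful` message after it is also printed whether or not `runFileWrite` succeeded, so a failed write reports success; `echo -e "$YAML_CONTENT" | runFileWrite "$whitelist_file" > /dev/null || return 1` ahead of the message stops the false positive, assuming runFileWrite propagates the write's exit status (not visible in this patch). `traefikUpdateWhitelist` starts before this hunk.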
@@ -18,12 +18,12 @@ wireguardRevokeClient() done # match the selected number to a client name - local WIREGUARD_CLIENT_NAME=$(sudo grep -E "^### Client" "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf" | cut -d ' ' -f 3 | sed -n "${WIREGUARD_CLIENT_NUMBER}"p) + local WIREGUARD_CLIENT_NAME=$(runSystem grep -E "^### Client" "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf" | cut -d ' ' -f 3 | sed -n "${WIREGUARD_CLIENT_NUMBER}"p) - result=$(sudo sed -i "/^### Client ${WIREGUARD_CLIENT_NAME}\$/,/^$/d" "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf") + result=$(runSystem sed -i "/^### Client ${WIREGUARD_CLIENT_NAME}\$/,/^$/d" "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf") checkSuccess "Removed [Peer] block matching $WIREGUARD_CLIENT_NAME" - result=$(sudo rm -f "${CFG_WG_HOME_DIR}/${CFG_WG_SERVER_NIC}-client-${WIREGUARD_CLIENT_NAME}.conf") + result=$(runSystem rm -f "${CFG_WG_HOME_DIR}/${CFG_WG_SERVER_NIC}-client-${WIREGUARD_CLIENT_NAME}.conf") checkSuccess "Removed generated client file for $WIREGUARD_CLIENT_NAME" result=$(runSystem wg syncconf "${CFG_WG_SERVER_NIC}" <(runSystem wg-quick strip "${CFG_WG_SERVER_NIC}")) diff --git a/scripts/wireguard/install_standalone.sh b/scripts/wireguard/install_standalone.sh index 208e15e..afd0451 100755 --- a/scripts/wireguard/install_standalone.sh +++ b/scripts/wireguard/install_standalone.sh @@ -40,11 +40,11 @@ installStandaloneWireGuard() # Check if the directory exists; if not, create it if [ ! -d "/etc/wireguard" ]; then - result=$(sudo mkdir /etc/wireguard) + result=$(runSystem mkdir /etc/wireguard) checkSuccess "Created the WireGuard folder" fi - result=$(sudo chmod 600 -R /etc/wireguard/) + result=$(runSystem chmod 600 -R /etc/wireguard/) checkSuccess "Updated permissions for /etc/wireguard" local SERVER_PRIV_KEY=$(wg genkey) 
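Review bot: `WIREGUARD_CLIENT_NAME` is read back from the `### Client` comment line and then spliced unescaped into a root-run `sed -i` range and a root-run `rm -f` path; any `/`, `.` or `..` that got past name validation at creation time (that check lives in `wireguardNewClient`, outside this file) changes the sed program or the path that is deleted. A guard right after the `local WIREGUARD_CLIENT_NAME=` line keeps both privileged calls bounded: `[[ "$WIREGUARD_CLIENT_NAME" =~ ^[A-Za-z0-9_-]+$ ]] || return 1`. `wireguardRevokeClient` starts before this hunk.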
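Review bot: In the `@@ -40,11` hunk of install_standalone.sh, `runSystem chmod 600 -R /etc/wireguard/` removes the execute bit from the directory itself, so the files inside become unreachable for non-root only as a side effect of an unusual directory mode, while the later per-file `chmod 644` calls in this function say the opposite. Make the intent explicit with `result=$(runSystem chmod 700 /etc/wireguard)` for the directory and `600` on the individual files that hold key material. `installStandaloneWireGuard` starts before this hunk.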
@@ -60,16 +60,16 @@ SERVER_PRIV_KEY=${SERVER_PRIV_KEY} SERVER_PUB_KEY=${SERVER_PUB_KEY} CLIENT_DNS_1=${CFG_DNS_SERVER_1} CLIENT_DNS_2=${CFG_DNS_SERVER_2} -ALLOWED_IPS=${CFG_WG_ALLOWED_IPS}" | sudo tee /etc/wireguard/params >/dev/null +ALLOWED_IPS=${CFG_WG_ALLOWED_IPS}" | runSystem tee /etc/wireguard/params >/dev/null - result=$(sudo chmod 644 /etc/wireguard/params) + result=$(runSystem chmod 644 /etc/wireguard/params) checkSuccess "Updating permissions for /etc/wireguard/params" # Add server interface echo "[Interface] Address = ${CFG_WG_SERVER_IPV4}/32 ListenPort = ${CFG_WG_SERVER_PORT} -PrivateKey = ${SERVER_PRIV_KEY}" | sudo tee "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf" >/dev/null +PrivateKey = ${SERVER_PRIV_KEY}" | runSystem tee "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf" >/dev/null echo "PostUp = iptables -I INPUT -p udp --dport ${CFG_WG_SERVER_PORT} -j ACCEPT PostUp = iptables -I FORWARD -i ${server_nic} -o ${CFG_WG_SERVER_NIC} -j ACCEPT 
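Review bot: `/etc/wireguard/params` has `SERVER_PRIV_KEY=${SERVER_PRIV_KEY}` written into it at the top of this hunk and is then set to `644`, so the server's private key is world-readable at the file level and shielded only by whatever mode the directory happens to carry. Change the line to `result=$(runSystem chmod 600 /etc/wireguard/params)`; nothing in this patch reads params as a non-root user. The `echo … | runSystem tee` statement this hunk cuts into starts before the hunk.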
@@ -78,21 +78,21 @@ PostUp = iptables -t nat -A POSTROUTING -o ${server_nic} -j MASQUERADE PostDown = iptables -D INPUT -p udp --dport ${CFG_WG_SERVER_PORT} -j ACCEPT PostDown = iptables -D FORWARD -i ${server_nic} -o ${CFG_WG_SERVER_NIC} -j ACCEPT PostDown = iptables -D FORWARD -i ${CFG_WG_SERVER_NIC} -j ACCEPT -PostDown = iptables -t nat -D POSTROUTING -o ${server_nic} -j MASQUERADE" | sudo tee -a "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf" >/dev/null +PostDown = iptables -t nat -D POSTROUTING -o ${server_nic} -j MASQUERADE" | runSystem tee -a "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf" >/dev/null - result=$(sudo chmod 644 /etc/wireguard/${CFG_WG_SERVER_NIC}.conf) + result=$(runSystem chmod 644 /etc/wireguard/${CFG_WG_SERVER_NIC}.conf) checkSuccess "Updating permissions for /etc/wireguard/${CFG_WG_SERVER_NIC}.conf" - result=$(sudo sed -i '/^net.ipv4.ip_forward/d' /etc/sysctl.conf) + result=$(runSystem sed -i '/^net.ipv4.ip_forward/d' /etc/sysctl.conf) checkSuccess "Removing all instances of net.ipv4.ip_forward from sysctl.conf" - local result=$(echo '# WIREGUARD START' | sudo tee -a "$sysctl" > /dev/null) + local result=$(echo '# WIREGUARD START' | runSystem tee -a "$sysctl" > /dev/null) checkSuccess "Adding wireguard header to sysctl" - result=$(echo "net.ipv4.ip_forward = 1" | sudo tee -a $sysctl) + result=$(echo "net.ipv4.ip_forward = 1" | runSystem tee -a $sysctl) checkSuccess "Add the configuration for IPv4 IP forwarding" - local result=$(echo '# WIREGUARD END' | sudo tee -a "$sysctl" > /dev/null) + local result=$(echo '# WIREGUARD END' | runSystem tee -a "$sysctl" > /dev/null) checkSuccess "Adding wireguard header to sysctl" result=$(runSystem systemctl start "wg-quick@${CFG_WG_SERVER_NIC}") 
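Review bot: `/etc/wireguard/${CFG_WG_SERVER_NIC}.conf` holds the `PrivateKey =` line written in the previous hunk, yet this hunk sets it to `644`; wg-quick runs as root and needs no world-readable config (it prints a warning for world-accessible config files, as far as I recall). Use `result=$(runSystem chmod 600 "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf")`, which also quotes the path like the sibling lines. The `net.ipv4.ip_forward = 1` append is the one of the three `$sysctl` writes that leaves `$sysctl` unquoted and echoes to the terminal; `echo "net.ipv4.ip_forward = 1" | runSystem tee -a "$sysctl" > /dev/null` brings it in line. Note also that the `sed -i` strips ip_forward from `/etc/sysctl.conf` while the appends go to `$sysctl`, whose value is defined outside this hunk — if that is a different file, repeated installs accumulate `# WIREGUARD START` blocks.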
@@ -145,7 +145,7 @@ wireguardNewClient() else read -rp "Client name: " -e WIREGUARD_CLIENT_NAME fi - local WIREGUARD_CLIENT_EXISTS=$(sudo grep -c -E "^### Client ${WIREGUARD_CLIENT_NAME}\$" "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf") + local WIREGUARD_CLIENT_EXISTS=$(runSystem grep -c -E "^### Client ${WIREGUARD_CLIENT_NAME}\$" "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf") if [[ ${WIREGUARD_CLIENT_EXISTS} != 0 ]]; then echo "" @@ -155,7 +155,7 @@ wireguardNewClient() done for WIREGUARD_DOT_IP in {2..254}; do - local WIREGUARD_DOT_EXISTS=$(sudo grep -c "${CFG_WG_SERVER_IPV4::-1}${WIREGUARD_DOT_IP}" "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf") + local WIREGUARD_DOT_EXISTS=$(runSystem grep -c "${CFG_WG_SERVER_IPV4::-1}${WIREGUARD_DOT_IP}" "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf") if [[ ${WIREGUARD_DOT_EXISTS} == '0' ]]; then break fi @@ -186,14 +186,14 @@ DNS = ${CFG_DNS_SERVER_1},${CFG_DNS_SERVER_2} PublicKey = ${SERVER_PUB_KEY} PresharedKey = ${WIREGUARD_CLIENT_PRE_SHARED_KEY} Endpoint = ${WIREGUARD_ENDPOINT} -AllowedIPs = ${CFG_WG_ALLOWED_IPS}" | sudo tee "${CFG_WG_HOME_DIR}/${CFG_WG_SERVER_NIC}-client-${WIREGUARD_CLIENT_NAME}.conf" >/dev/null +AllowedIPs = ${CFG_WG_ALLOWED_IPS}" | runSystem tee "${CFG_WG_HOME_DIR}/${CFG_WG_SERVER_NIC}-client-${WIREGUARD_CLIENT_NAME}.conf" >/dev/null # Add the client as a peer to the server echo -e "\n### Client ${WIREGUARD_CLIENT_NAME} [Peer] PublicKey = ${WIREGUARD_CLIENT_PUB_KEY} PresharedKey = ${WIREGUARD_CLIENT_PRE_SHARED_KEY} -AllowedIPs = ${CFG_WG_ALLOWED_IPS}" | sudo tee -a "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf" >/dev/null +AllowedIPs = ${CFG_WG_ALLOWED_IPS}" | runSystem tee -a "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf" >/dev/null #result=$(runSystem wg syncconf ${CFG_WG_SERVER_NIC} /etc/wireguard/${CFG_WG_SERVER_NIC}.conf) #checkSuccess "Syncing config file for $CFG_WG_SERVER_NIC" 
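Review bot: The user-supplied `WIREGUARD_CLIENT_NAME` from `read -rp` is interpolated unescaped into a `grep -E` pattern run through runSystem, and the same value later becomes part of a root-written file path and a `sed -i` range in the revoke path, so a name like `../x` or `.*` is neither rejected nor quoted here. The `until` loop enclosing this line starts outside the hunk; if its condition does not already restrict the name to a safe character class, add before the grep: `[[ "$WIREGUARD_CLIENT_NAME" =~ ^[A-Za-z0-9_-]+$ ]] || continue`.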
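Review bot: In the `@@ -155,7` hunk the address probe `grep -c "${CFG_WG_SERVER_IPV4::-1}${WIREGUARD_DOT_IP}"` is unanchored with unescaped dots, so probing `…2` also matches `…20`–`…29` and `…200`–`…254` and free addresses get skipped; `::-1` additionally assumes the server's last octet is a single digit. It can also only work if the server conf records each client's address, and the peer block appended in the `@@ -186` hunk below carries `AllowedIPs = ${CFG_WG_ALLOWED_IPS}` rather than a per-client address, so as far as these hunks show the count is always 0 and every client is offered `.2` — worth verifying with a second `wireguardNewClient` run. Once the `/32` is recorded, `grep -c -F -- "${CFG_WG_SERVER_IPV4%.*}.${WIREGUARD_DOT_IP}/32"` matches the literal address only.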
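Review bot: In the `@@ -186,14` hunk the peer block appended to the server conf ends with `AllowedIPs = ${CFG_WG_ALLOWED_IPS}`, the same global value the client config uses; on the server side AllowedIPs is the cryptokey-routing entry for that peer, so every peer sharing one range means each new client takes the range over from the previous one (wg keeps a given allowed-IP on only one peer). Unless CFG_WG_ALLOWED_IPS is somehow per-client, which nothing in this patch suggests, the server entry should carry the client's own address, e.g. `AllowedIPs = ${CFG_WG_SERVER_IPV4::-1}${WIREGUARD_DOT_IP}/32` using the octet chosen in the `@@ -155` hunk. The client file written to `${CFG_WG_HOME_DIR}` via `runSystem tee` also contains the client's PrivateKey and PresharedKey and gets the default umask mode; a `runSystem chmod 600` on it after the write would match the rest of the key handling.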
@@ -206,7 +206,7 @@ AllowedIPs = ${CFG_WG_ALLOWED_IPS}" | sudo tee -a "/etc/wireguard/${CFG_WG_SERVE # Generate QR code if qrencode is installed if command -v qrencode &>/dev/null; then isNotice "Here is your client config file as a QR Code:" - sudo qrencode -t ansiutf8 -l L <"${CFG_WG_HOME_DIR}/${CFG_WG_SERVER_NIC}-client-${WIREGUARD_CLIENT_NAME}.conf" + runSystem qrencode -t ansiutf8 -l L <"${CFG_WG_HOME_DIR}/${CFG_WG_SERVER_NIC}-client-${WIREGUARD_CLIENT_NAME}.conf" echo "" fi @@ -219,7 +219,7 @@ wireguardListClients() wireguardCheckClients; - sudo grep -E "^### Client" "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf" | cut -d ' ' -f 3 | nl -s ') ' + runSystem grep -E "^### Client" "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf" | cut -d ' ' -f 3 | nl -s ') ' } wireguardRevokeClient() @@ -230,7 +230,7 @@ wireguardRevokeClient() echo "" echo "Select the existing client you want to revoke" - sudo grep -E "^### Client" "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf" | cut -d ' ' -f 3 | nl -s ') ' + runSystem grep -E "^### Client" "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf" | cut -d ' ' -f 3 | nl -s ') ' until [[ ${WIREGUARD_CLIENT_NUMBER} -ge 1 && ${WIREGUARD_CLIENT_NUMBER} -le ${WIREGUARD_NUMBER_OF_CLIENTS} ]]; do if [[ ${WIREGUARD_CLIENT_NUMBER} == '1' ]]; then read -rp "Select one client [1]: " WIREGUARD_CLIENT_NUMBER 
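Review bot: `qrencode` does not need root: the `<"${CFG_WG_HOME_DIR}/…"` redirection is opened by the calling shell before runSystem runs, so if the file were readable only by root this line would fail at the redirect anyway, and when it is readable the elevation only hands an image encoder root for no benefit. Drop the wrapper: `qrencode -t ansiutf8 -l L <"${CFG_WG_HOME_DIR}/${CFG_WG_SERVER_NIC}-client-${WIREGUARD_CLIENT_NAME}.conf"`; if the file is meant to stay root-only, use `runSystem cat "<that path>" | qrencode -t ansiutf8 -l L` instead. How runSystem elevates is not visible in this patch, so this is based on the redirect semantics alone.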
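Review bot: In the `@@ -219,7` hunk, `wireguardListClients` in install_standalone.sh is byte-identical to the one in `scripts/wireguard/client/list_clients.sh` edited earlier in this patch, and `wireguardRevokeClient` and `wireguardUninstall` likewise duplicate `client/revoke_client.sh` and `uninstall_standalone.sh`; which definition wins depends on source order, and this commit had to apply the same `sudo`→`runSystem` edit twice per function. Consider removing the copies from install_standalone.sh and sourcing the client/ files, or until then mark each copy with `# NOTE: duplicate of client/list_clients.sh — keep in sync` so the next edit is not missed on one side.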
@@ -240,12 +240,12 @@ wireguardRevokeClient() done # match the selected number to a client name - local WIREGUARD_CLIENT_NAME=$(sudo grep -E "^### Client" "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf" | cut -d ' ' -f 3 | sed -n "${WIREGUARD_CLIENT_NUMBER}"p) + local WIREGUARD_CLIENT_NAME=$(runSystem grep -E "^### Client" "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf" | cut -d ' ' -f 3 | sed -n "${WIREGUARD_CLIENT_NUMBER}"p) - result=$(sudo sed -i "/^### Client ${WIREGUARD_CLIENT_NAME}\$/,/^$/d" "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf") + result=$(runSystem sed -i "/^### Client ${WIREGUARD_CLIENT_NAME}\$/,/^$/d" "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf") checkSuccess "Removed [Peer] block matching $WIREGUARD_CLIENT_NAME" - result=$(sudo rm -f "${CFG_WG_HOME_DIR}/${CFG_WG_SERVER_NIC}-client-${WIREGUARD_CLIENT_NAME}.conf") + result=$(runSystem rm -f "${CFG_WG_HOME_DIR}/${CFG_WG_SERVER_NIC}-client-${WIREGUARD_CLIENT_NAME}.conf") checkSuccess "Removed generated client file for $WIREGUARD_CLIENT_NAME" result=$(runSystem wg syncconf "${CFG_WG_SERVER_NIC}" <(runSystem wg-quick strip "${CFG_WG_SERVER_NIC}")) @@ -285,9 +285,9 @@ wireguardUninstall() checkSuccess "Removed wireguard wireguard-tools qrencode" fi - result=$(sudo rm -rf /etc/wireguard) + result=$(runSystem rm -rf /etc/wireguard) checkSuccess "Deleted /etc/wireguard folder." - result=$(sudo rm -f /etc/sysctl.d/wg.conf) + result=$(runSystem rm -f /etc/sysctl.d/wg.conf) checkSuccess "Delete /etc/sysctl.d/wg.conf file." result=$(runSystem sysctl --system) diff --git a/scripts/wireguard/uninstall_standalone.sh b/scripts/wireguard/uninstall_standalone.sh index 1f41227..46011b7 100755 --- a/scripts/wireguard/uninstall_standalone.sh +++ b/scripts/wireguard/uninstall_standalone.sh 
@@ -22,9 +22,9 @@ wireguardUninstall() checkSuccess "Removed wireguard wireguard-tools qrencode" fi - result=$(sudo rm -rf /etc/wireguard) + result=$(runSystem rm -rf /etc/wireguard) checkSuccess "Deleted /etc/wireguard folder." - result=$(sudo rm -f /etc/sysctl.d/wg.conf) + result=$(runSystem rm -f /etc/sysctl.d/wg.conf) checkSuccess "Delete /etc/sysctl.d/wg.conf file." result=$(runSystem sysctl --system)
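Review bot: The uninstall removes `/etc/sysctl.d/wg.conf`, but the install hunk earlier in this patch appends its `# WIREGUARD START … END` block to `$sysctl` and separately strips `net.ipv4.ip_forward` from `/etc/sysctl.conf`; unless `$sysctl` is that same wg.conf path (its definition is outside these hunks), the forwarding entry survives this uninstall and `sysctl --system` leaves forwarding on. If they differ, delete the block with `runSystem sed -i '/# WIREGUARD START/,/# WIREGUARD END/d' "$sysctl"` before the `sysctl --system` call rather than forcing `ip_forward=0`, since other containers on the host may depend on forwarding. `wireguardUninstall` starts before this hunk.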