Merge claude/1

librelad 2026-05-23 23:48:23 +01:00
commit 5741fe6ee9
6 changed files with 28 additions and 28 deletions


@ -9,14 +9,14 @@ appCrowdSecFixPriority() {
local target_priority="-100"
sudo cp "$cfg" "${cfg}.bak.$(date +%Y%m%d-%H%M%S)"
runSystem cp "$cfg" "${cfg}.bak.$(date +%Y%m%d-%H%M%S)"
checkSuccess "Backed up $cfg"
# nftables section in the yaml has ipv4: and ipv6: subsections; each may
# carry a priority: line. Set both to target_priority, inserting the key
# if it isn't present. We hand the file to a small awk pass so the YAML
# indentation is preserved.
sudo awk -v p="$target_priority" '
runSystem awk -v p="$target_priority" '
BEGIN { in_v4=0; in_v6=0; v4_done=0; v6_done=0 }
/^[[:space:]]*ipv4:/ { in_v4=1; in_v6=0; print; next }
/^[[:space:]]*ipv6:/ { in_v6=1; in_v4=0; print; next }
@ -28,11 +28,11 @@ appCrowdSecFixPriority() {
in_v4 && /^[[:space:]]+priority:/ { sub(/priority:.*/, "priority: " p); v4_done=1 }
in_v6 && /^[[:space:]]+priority:/ { sub(/priority:.*/, "priority: " p); v6_done=1 }
{ print }
' "$cfg" | sudo tee "${cfg}.new" >/dev/null
sudo mv "${cfg}.new" "$cfg"
' "$cfg" | runSystem tee "${cfg}.new" >/dev/null
runSystem mv "${cfg}.new" "$cfg"
checkSuccess "Patched nftables priority to $target_priority in $cfg"
sudo systemctl restart crowdsec-firewall-bouncer
runSystem systemctl restart crowdsec-firewall-bouncer
checkSuccess "Restarted crowdsec-firewall-bouncer"
isSuccessful "Priority updated. Run 'crowdsec_verify_firewall' to confirm CrowdSec now runs before UFW."
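Review bot: The rewritten awk pipeline on L30 can replace `$cfg` with an empty or partial file: the status that `checkSuccess` on L32 presumably reads is that of `mv`, while an awk failure (for example `$cfg` not being readable by whatever user `runSystem awk` ends up running as) just leaves `tee` writing an empty `${cfg}.new`, which `mv` then installs and L34 restarts the bouncer on. The dated backup on L13 limits the damage but nothing detects it. I would guard the `mv` on L31 with `[[ ${PIPESTATUS[0]} -eq 0 && -s "${cfg}.new" ]] || { runSystem rm -f "${cfg}.new"; isNotice "awk rewrite of $cfg failed; original left in place"; return 1; }`, assuming `runSystem` propagates the wrapped command's exit status. appCrowdSecFixPriority opens before the first hunk and its closing line is not visible here.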


@ -7,32 +7,32 @@ appCrowdSecUpdate() {
echo ""
echo "---- $menu_number. Updating apt package index."
echo ""
local result=$(sudo apt-get update)
local result=$(runSystem apt-get update)
checkSuccess "apt-get update"
((menu_number++))
echo ""
echo "---- $menu_number. Upgrading CrowdSec packages."
echo ""
local result=$(sudo apt-get install -y --only-upgrade crowdsec crowdsec-firewall-bouncer-nftables)
local result=$(runSystem apt-get install -y --only-upgrade crowdsec crowdsec-firewall-bouncer-nftables)
checkSuccess "Upgraded crowdsec + crowdsec-firewall-bouncer-nftables"
((menu_number++))
echo ""
echo "---- $menu_number. Refreshing hub collections."
echo ""
local result=$(sudo cscli hub update)
local result=$(runSystem cscli hub update)
checkSuccess "Refreshed hub index"
local result=$(sudo cscli hub upgrade)
local result=$(runSystem cscli hub upgrade)
checkSuccess "Upgraded installed collections"
((menu_number++))
echo ""
echo "---- $menu_number. Reloading services."
echo ""
local result=$(sudo systemctl reload crowdsec)
local result=$(runSystem systemctl reload crowdsec)
checkSuccess "Reloaded crowdsec agent"
local result=$(sudo systemctl restart crowdsec-firewall-bouncer)
local result=$(runSystem systemctl restart crowdsec-firewall-bouncer)
checkSuccess "Restarted crowdsec-firewall-bouncer"
isSuccessful "CrowdSec updated. Run 'crowdsec_verify_firewall' if you want to re-check nftables priorities."
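Review bot: Every `local result=$(runSystem …)` on L45, L52, L59, L62, L69 and L72 masks the command's exit status — `local` returns 0 whether or not apt-get or cscli failed — so the `checkSuccess` that follows each one presumably never sees the failure and the update reports success after a failed upgrade. `result` is also never read afterwards. Declaring once with `local result` at the top and then assigning with `result=$(runSystem apt-get update)` before each check lets the status through; this predates the commit, but the commit rewrites every one of these lines. appCrowdSecUpdate's opening and closing lines are outside the hunk.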


@ -2,22 +2,22 @@
appCrowdSecVerifyFirewall() {
echo "=== nftables tables present ==="
sudo nft list tables 2>&1
runSystem nft list tables 2>&1
echo
echo "=== chain priorities (input hook) ==="
sudo nft list ruleset 2>/dev/null | grep -E 'chain |hook input.*priority' | head -30
runSystem nft list ruleset 2>/dev/null | grep -E 'chain |hook input.*priority' | head -30
echo
echo "=== priority comparison ==="
local cs_prio ufw_prio
cs_prio=$(sudo nft list ruleset 2>/dev/null | awk '/table .* crowdsec/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}')
ufw_prio=$(sudo nft list ruleset 2>/dev/null | awk '/chain ufw[a-z0-9-]*input/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}')
cs_prio=$(runSystem nft list ruleset 2>/dev/null | awk '/table .* crowdsec/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}')
ufw_prio=$(runSystem nft list ruleset 2>/dev/null | awk '/chain ufw[a-z0-9-]*input/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}')
echo "CrowdSec priority: ${cs_prio:-not present}"
echo "UFW priority: ${ufw_prio:-not present}"
if [[ -z "$cs_prio" ]]; then
isNotice "CrowdSec nftables table missing — bouncer may not be running."
sudo systemctl is-active crowdsec-firewall-bouncer
runSystem systemctl is-active crowdsec-firewall-bouncer
return 1
fi
if [[ -z "$ufw_prio" ]]; then
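Review bot: The two `match($0,/priority [-0-9]+/)` calls on L92–L93 only accept a numeric priority, but `nft list ruleset` prints well-known values by name (`priority filter;` for 0, which is what an iptables-nft base chain such as UFW's `INPUT` is likely to show), so the match fails, `exit` is never reached, and the awk keeps scanning — `ufw_prio` then comes back empty or carries a `priority` from a later, unrelated chain. The `/chain ufw[a-z0-9-]*input/` anchor has the same exposure if `ufw-*-input` are regular chains with no hook line of their own, and the ruleset is fetched three times (L86, L92, L93). I would fetch it once, `ruleset=$(runSystem nft list ruleset 2>/dev/null)`, feed both awk passes from `<<<"$ruleset"`, widen the match to `/priority [-a-z0-9]+/`, and map the symbolic names to their numbers before the comparison that presumably follows. appCrowdSecVerifyFirewall continues past the end of the hunk.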


@ -13,7 +13,7 @@ borgRestoreSnapshot()
fi
borgEnvExport "$idx" || return 1
sudo mkdir -p "$target_dir"
runFileOp mkdir -p "$target_dir"
isNotice "Restoring $snapshot_id from $(resticLocationName "$idx")$target_dir"
local rc
@ -39,7 +39,7 @@ borgDumpFile()
borgEnvExport "$idx" || return 1
local stripped="${file_path#/}"
if [[ -n "$target_file" ]]; then
sudo -E -u "$docker_install_user" borg extract --stdout "::$snapshot_id" "$stripped" | sudo tee "$target_file" >/dev/null
sudo -E -u "$docker_install_user" borg extract --stdout "::$snapshot_id" "$stripped" | runFileWrite "$target_file"
else
sudo -E -u "$docker_install_user" borg extract --stdout "::$snapshot_id" "$stripped"
fi
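Review bot: On L118 the pipeline's exit status is that of `runFileWrite`, not of `borg extract`, so a failed extract (unknown snapshot id, wrong passphrase, a path that is not in the archive) leaves an empty or truncated `$target_file` and the function still reports success, whereas the `else` branch on L120 does propagate borg's status. I would check the first stage explicitly after the pipeline, `[[ ${PIPESTATUS[0]} -eq 0 ]] || { isNotice "borg extract of $file_path from $snapshot_id failed; $target_file may be empty or truncated"; return 1; }`, assuming `runFileWrite` does not itself swallow the status. borgDumpFile's head and tail are outside the hunk.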


@ -30,13 +30,13 @@ kopiaBackupAppToLocation()
local wrote_ignore=false
if [[ -n "${backup_exclude_paths:-}" ]]; then
local rel
: | sudo tee "$ignore_file" >/dev/null
: | runFileWrite "$ignore_file"
while IFS= read -r p; do
[[ -z "$p" ]] && continue
rel="/${p#"$source_path"/}"
echo "$rel" | sudo tee -a "$ignore_file" >/dev/null
echo "$rel" | runFileWrite -a "$ignore_file"
done <<< "$backup_exclude_paths"
sudo chown "$docker_install_user":"$docker_install_user" "$ignore_file" 2>/dev/null
runFileOp chown "$docker_install_user":"$docker_install_user" "$ignore_file" 2>/dev/null
wrote_ignore=true
fi
@ -44,7 +44,7 @@ kopiaBackupAppToLocation()
output=$(sudo -E -u "$docker_install_user" kopia snapshot create "$source_path" "${tags[@]}" --json 2>&1)
local rc=$?
[[ "$wrote_ignore" == true ]] && sudo rm -f "$ignore_file"
[[ "$wrote_ignore" == true ]] && runFileOp rm -f "$ignore_file"
local snapshot_id
snapshot_id=$(echo "$output" | grep -oE '"id":\s*"[^"]+"' | head -1 | cut -d'"' -f4)
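Review bot: In the first hunk, L130 truncates `$ignore_file` with `: | runFileWrite "$ignore_file"` without checking whether it already exists, and L145 in the second hunk then deletes it, so a user-maintained ignore file in the source tree (the name is set outside the hunk, presumably a `.kopiaignore` under `$source_path`) is silently overwritten and removed on every backup that has `backup_exclude_paths`. Wrapping the write in `if [[ -e "$ignore_file" ]]; then isNotice "…refusing to overwrite existing $ignore_file…"; else … fi`, or moving the existing file aside and restoring it after the `rm -f`, would keep it. Separately, `rel="/${p#"$source_path"/}"` on L133 turns a path that is not under `$source_path` into `/$p`, an entry kopia will never match — worth skipping with a warning. kopiaBackupAppToLocation starts and ends outside the hunks.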


@ -12,16 +12,16 @@ resticInstall()
isHeader "Installing restic"
if command -v apt-get >/dev/null 2>&1; then
sudo apt-get update -qq >/dev/null
if sudo apt-get install -y restic >/dev/null 2>&1; then
runSystem apt-get update -qq >/dev/null
if runSystem apt-get install -y restic >/dev/null 2>&1; then
checkSuccess "restic installed via apt"
sudo restic self-update >/dev/null 2>&1 || true
runSystem restic self-update >/dev/null 2>&1 || true
return 0
fi
elif command -v dnf >/dev/null 2>&1; then
sudo dnf install -y restic && return 0
runSystem dnf install -y restic && return 0
elif command -v pacman >/dev/null 2>&1; then
sudo pacman -S --noconfirm restic && return 0
runSystem pacman -S --noconfirm restic && return 0
fi
isNotice "Package manager install unavailable — downloading restic binary"
@ -38,7 +38,7 @@ resticInstall()
tmp=$(mktemp -d)
if curl -sL "https://github.com/restic/restic/releases/latest/download/restic_linux_${arch}.bz2" -o "$tmp/restic.bz2"; then
bunzip2 "$tmp/restic.bz2"
sudo install -m 0755 "$tmp/restic" /usr/local/bin/restic
runSystem install -m 0755 "$tmp/restic" /usr/local/bin/restic
rm -rf "$tmp"
checkSuccess "restic installed to /usr/local/bin/restic"
else
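Review bot: The fallback on L173–L176 installs an unauthenticated binary into `/usr/local/bin` as root: `curl -sL` without `-f` exits 0 on an HTTP 404 and saves the error page as `restic.bz2`, and nothing checks the archive against the `SHA256SUMS` / `SHA256SUMS.asc` that restic's releases publish next to the assets. I also don't believe the release assets carry an unversioned name like `restic_linux_${arch}.bz2` (they look like `restic_<version>_linux_<arch>.bz2`), so this URL may 404 every time — worth confirming before relying on it. At minimum switch to `curl -fsSL`, fetch `SHA256SUMS` into `$tmp`, and run `grep " <asset name>\$" "$tmp/SHA256SUMS" | (cd "$tmp" && sha256sum -c -) || { rm -rf "$tmp"; return 1; }` before `install`; pinning a version plus a known hash, or verifying the `.asc` against the restic release key, is what actually defends against a tampered download. `arch` is set above the hunk and the `else` branch continues past it.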