Merge claude/1

This commit is contained in:
librelad 2026-05-23 23:48:23 +01:00
commit 5741fe6ee9
6 changed files with 28 additions and 28 deletions

View File

@ -9,14 +9,14 @@ appCrowdSecFixPriority() {
local target_priority="-100" local target_priority="-100"
sudo cp "$cfg" "${cfg}.bak.$(date +%Y%m%d-%H%M%S)" runSystem cp "$cfg" "${cfg}.bak.$(date +%Y%m%d-%H%M%S)"
checkSuccess "Backed up $cfg" checkSuccess "Backed up $cfg"
# nftables section in the yaml has ipv4: and ipv6: subsections; each may # nftables section in the yaml has ipv4: and ipv6: subsections; each may
# carry a priority: line. Set both to target_priority, inserting the key # carry a priority: line. Set both to target_priority, inserting the key
# if it isn't present. We hand the file to a small awk pass so the YAML # if it isn't present. We hand the file to a small awk pass so the YAML
# indentation is preserved. # indentation is preserved.
sudo awk -v p="$target_priority" ' runSystem awk -v p="$target_priority" '
BEGIN { in_v4=0; in_v6=0; v4_done=0; v6_done=0 } BEGIN { in_v4=0; in_v6=0; v4_done=0; v6_done=0 }
/^[[:space:]]*ipv4:/ { in_v4=1; in_v6=0; print; next } /^[[:space:]]*ipv4:/ { in_v4=1; in_v6=0; print; next }
/^[[:space:]]*ipv6:/ { in_v6=1; in_v4=0; print; next } /^[[:space:]]*ipv6:/ { in_v6=1; in_v4=0; print; next }
@ -28,11 +28,11 @@ appCrowdSecFixPriority() {
in_v4 && /^[[:space:]]+priority:/ { sub(/priority:.*/, "priority: " p); v4_done=1 } in_v4 && /^[[:space:]]+priority:/ { sub(/priority:.*/, "priority: " p); v4_done=1 }
in_v6 && /^[[:space:]]+priority:/ { sub(/priority:.*/, "priority: " p); v6_done=1 } in_v6 && /^[[:space:]]+priority:/ { sub(/priority:.*/, "priority: " p); v6_done=1 }
{ print } { print }
' "$cfg" | sudo tee "${cfg}.new" >/dev/null ' "$cfg" | runSystem tee "${cfg}.new" >/dev/null
sudo mv "${cfg}.new" "$cfg" runSystem mv "${cfg}.new" "$cfg"
checkSuccess "Patched nftables priority to $target_priority in $cfg" checkSuccess "Patched nftables priority to $target_priority in $cfg"
sudo systemctl restart crowdsec-firewall-bouncer runSystem systemctl restart crowdsec-firewall-bouncer
checkSuccess "Restarted crowdsec-firewall-bouncer" checkSuccess "Restarted crowdsec-firewall-bouncer"
isSuccessful "Priority updated. Run 'crowdsec_verify_firewall' to confirm CrowdSec now runs before UFW." isSuccessful "Priority updated. Run 'crowdsec_verify_firewall' to confirm CrowdSec now runs before UFW."

View File

@ -7,32 +7,32 @@ appCrowdSecUpdate() {
echo "" echo ""
echo "---- $menu_number. Updating apt package index." echo "---- $menu_number. Updating apt package index."
echo "" echo ""
local result=$(sudo apt-get update) local result=$(runSystem apt-get update)
checkSuccess "apt-get update" checkSuccess "apt-get update"
((menu_number++)) ((menu_number++))
echo "" echo ""
echo "---- $menu_number. Upgrading CrowdSec packages." echo "---- $menu_number. Upgrading CrowdSec packages."
echo "" echo ""
local result=$(sudo apt-get install -y --only-upgrade crowdsec crowdsec-firewall-bouncer-nftables) local result=$(runSystem apt-get install -y --only-upgrade crowdsec crowdsec-firewall-bouncer-nftables)
checkSuccess "Upgraded crowdsec + crowdsec-firewall-bouncer-nftables" checkSuccess "Upgraded crowdsec + crowdsec-firewall-bouncer-nftables"
((menu_number++)) ((menu_number++))
echo "" echo ""
echo "---- $menu_number. Refreshing hub collections." echo "---- $menu_number. Refreshing hub collections."
echo "" echo ""
local result=$(sudo cscli hub update) local result=$(runSystem cscli hub update)
checkSuccess "Refreshed hub index" checkSuccess "Refreshed hub index"
local result=$(sudo cscli hub upgrade) local result=$(runSystem cscli hub upgrade)
checkSuccess "Upgraded installed collections" checkSuccess "Upgraded installed collections"
((menu_number++)) ((menu_number++))
echo "" echo ""
echo "---- $menu_number. Reloading services." echo "---- $menu_number. Reloading services."
echo "" echo ""
local result=$(sudo systemctl reload crowdsec) local result=$(runSystem systemctl reload crowdsec)
checkSuccess "Reloaded crowdsec agent" checkSuccess "Reloaded crowdsec agent"
local result=$(sudo systemctl restart crowdsec-firewall-bouncer) local result=$(runSystem systemctl restart crowdsec-firewall-bouncer)
checkSuccess "Restarted crowdsec-firewall-bouncer" checkSuccess "Restarted crowdsec-firewall-bouncer"
isSuccessful "CrowdSec updated. Run 'crowdsec_verify_firewall' if you want to re-check nftables priorities." isSuccessful "CrowdSec updated. Run 'crowdsec_verify_firewall' if you want to re-check nftables priorities."

View File

@ -2,22 +2,22 @@
appCrowdSecVerifyFirewall() { appCrowdSecVerifyFirewall() {
echo "=== nftables tables present ===" echo "=== nftables tables present ==="
sudo nft list tables 2>&1 runSystem nft list tables 2>&1
echo echo
echo "=== chain priorities (input hook) ===" echo "=== chain priorities (input hook) ==="
sudo nft list ruleset 2>/dev/null | grep -E 'chain |hook input.*priority' | head -30 runSystem nft list ruleset 2>/dev/null | grep -E 'chain |hook input.*priority' | head -30
echo echo
echo "=== priority comparison ===" echo "=== priority comparison ==="
local cs_prio ufw_prio local cs_prio ufw_prio
cs_prio=$(sudo nft list ruleset 2>/dev/null | awk '/table .* crowdsec/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}') cs_prio=$(runSystem nft list ruleset 2>/dev/null | awk '/table .* crowdsec/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}')
ufw_prio=$(sudo nft list ruleset 2>/dev/null | awk '/chain ufw[a-z0-9-]*input/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}') ufw_prio=$(runSystem nft list ruleset 2>/dev/null | awk '/chain ufw[a-z0-9-]*input/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}')
echo "CrowdSec priority: ${cs_prio:-not present}" echo "CrowdSec priority: ${cs_prio:-not present}"
echo "UFW priority: ${ufw_prio:-not present}" echo "UFW priority: ${ufw_prio:-not present}"
if [[ -z "$cs_prio" ]]; then if [[ -z "$cs_prio" ]]; then
isNotice "CrowdSec nftables table missing — bouncer may not be running." isNotice "CrowdSec nftables table missing — bouncer may not be running."
sudo systemctl is-active crowdsec-firewall-bouncer runSystem systemctl is-active crowdsec-firewall-bouncer
return 1 return 1
fi fi
if [[ -z "$ufw_prio" ]]; then if [[ -z "$ufw_prio" ]]; then

View File

@ -13,7 +13,7 @@ borgRestoreSnapshot()
fi fi
borgEnvExport "$idx" || return 1 borgEnvExport "$idx" || return 1
sudo mkdir -p "$target_dir" runFileOp mkdir -p "$target_dir"
isNotice "Restoring $snapshot_id from $(resticLocationName "$idx")$target_dir" isNotice "Restoring $snapshot_id from $(resticLocationName "$idx")$target_dir"
local rc local rc
@ -39,7 +39,7 @@ borgDumpFile()
borgEnvExport "$idx" || return 1 borgEnvExport "$idx" || return 1
local stripped="${file_path#/}" local stripped="${file_path#/}"
if [[ -n "$target_file" ]]; then if [[ -n "$target_file" ]]; then
sudo -E -u "$docker_install_user" borg extract --stdout "::$snapshot_id" "$stripped" | sudo tee "$target_file" >/dev/null sudo -E -u "$docker_install_user" borg extract --stdout "::$snapshot_id" "$stripped" | runFileWrite "$target_file"
else else
sudo -E -u "$docker_install_user" borg extract --stdout "::$snapshot_id" "$stripped" sudo -E -u "$docker_install_user" borg extract --stdout "::$snapshot_id" "$stripped"
fi fi

View File

@ -30,13 +30,13 @@ kopiaBackupAppToLocation()
local wrote_ignore=false local wrote_ignore=false
if [[ -n "${backup_exclude_paths:-}" ]]; then if [[ -n "${backup_exclude_paths:-}" ]]; then
local rel local rel
: | sudo tee "$ignore_file" >/dev/null : | runFileWrite "$ignore_file"
while IFS= read -r p; do while IFS= read -r p; do
[[ -z "$p" ]] && continue [[ -z "$p" ]] && continue
rel="/${p#"$source_path"/}" rel="/${p#"$source_path"/}"
echo "$rel" | sudo tee -a "$ignore_file" >/dev/null echo "$rel" | runFileWrite -a "$ignore_file"
done <<< "$backup_exclude_paths" done <<< "$backup_exclude_paths"
sudo chown "$docker_install_user":"$docker_install_user" "$ignore_file" 2>/dev/null runFileOp chown "$docker_install_user":"$docker_install_user" "$ignore_file" 2>/dev/null
wrote_ignore=true wrote_ignore=true
fi fi
@ -44,7 +44,7 @@ kopiaBackupAppToLocation()
output=$(sudo -E -u "$docker_install_user" kopia snapshot create "$source_path" "${tags[@]}" --json 2>&1) output=$(sudo -E -u "$docker_install_user" kopia snapshot create "$source_path" "${tags[@]}" --json 2>&1)
local rc=$? local rc=$?
[[ "$wrote_ignore" == true ]] && sudo rm -f "$ignore_file" [[ "$wrote_ignore" == true ]] && runFileOp rm -f "$ignore_file"
local snapshot_id local snapshot_id
snapshot_id=$(echo "$output" | grep -oE '"id":\s*"[^"]+"' | head -1 | cut -d'"' -f4) snapshot_id=$(echo "$output" | grep -oE '"id":\s*"[^"]+"' | head -1 | cut -d'"' -f4)

View File

@ -12,16 +12,16 @@ resticInstall()
isHeader "Installing restic" isHeader "Installing restic"
if command -v apt-get >/dev/null 2>&1; then if command -v apt-get >/dev/null 2>&1; then
sudo apt-get update -qq >/dev/null runSystem apt-get update -qq >/dev/null
if sudo apt-get install -y restic >/dev/null 2>&1; then if runSystem apt-get install -y restic >/dev/null 2>&1; then
checkSuccess "restic installed via apt" checkSuccess "restic installed via apt"
sudo restic self-update >/dev/null 2>&1 || true runSystem restic self-update >/dev/null 2>&1 || true
return 0 return 0
fi fi
elif command -v dnf >/dev/null 2>&1; then elif command -v dnf >/dev/null 2>&1; then
sudo dnf install -y restic && return 0 runSystem dnf install -y restic && return 0
elif command -v pacman >/dev/null 2>&1; then elif command -v pacman >/dev/null 2>&1; then
sudo pacman -S --noconfirm restic && return 0 runSystem pacman -S --noconfirm restic && return 0
fi fi
isNotice "Package manager install unavailable — downloading restic binary" isNotice "Package manager install unavailable — downloading restic binary"
@ -38,7 +38,7 @@ resticInstall()
tmp=$(mktemp -d) tmp=$(mktemp -d)
if curl -sL "https://github.com/restic/restic/releases/latest/download/restic_linux_${arch}.bz2" -o "$tmp/restic.bz2"; then if curl -sL "https://github.com/restic/restic/releases/latest/download/restic_linux_${arch}.bz2" -o "$tmp/restic.bz2"; then
bunzip2 "$tmp/restic.bz2" bunzip2 "$tmp/restic.bz2"
sudo install -m 0755 "$tmp/restic" /usr/local/bin/restic runSystem install -m 0755 "$tmp/restic" /usr/local/bin/restic
rm -rf "$tmp" rm -rf "$tmp"
checkSuccess "restic installed to /usr/local/bin/restic" checkSuccess "restic installed to /usr/local/bin/restic"
else else