Merge claude/1
This commit is contained in:
commit
5741fe6ee9
@ -9,14 +9,14 @@ appCrowdSecFixPriority() {
|
|||||||
|
|
||||||
local target_priority="-100"
|
local target_priority="-100"
|
||||||
|
|
||||||
sudo cp "$cfg" "${cfg}.bak.$(date +%Y%m%d-%H%M%S)"
|
runSystem cp "$cfg" "${cfg}.bak.$(date +%Y%m%d-%H%M%S)"
|
||||||
checkSuccess "Backed up $cfg"
|
checkSuccess "Backed up $cfg"
|
||||||
|
|
||||||
# nftables section in the yaml has ipv4: and ipv6: subsections; each may
|
# nftables section in the yaml has ipv4: and ipv6: subsections; each may
|
||||||
# carry a priority: line. Set both to target_priority, inserting the key
|
# carry a priority: line. Set both to target_priority, inserting the key
|
||||||
# if it isn't present. We hand the file to a small awk pass so the YAML
|
# if it isn't present. We hand the file to a small awk pass so the YAML
|
||||||
# indentation is preserved.
|
# indentation is preserved.
|
||||||
sudo awk -v p="$target_priority" '
|
runSystem awk -v p="$target_priority" '
|
||||||
BEGIN { in_v4=0; in_v6=0; v4_done=0; v6_done=0 }
|
BEGIN { in_v4=0; in_v6=0; v4_done=0; v6_done=0 }
|
||||||
/^[[:space:]]*ipv4:/ { in_v4=1; in_v6=0; print; next }
|
/^[[:space:]]*ipv4:/ { in_v4=1; in_v6=0; print; next }
|
||||||
/^[[:space:]]*ipv6:/ { in_v6=1; in_v4=0; print; next }
|
/^[[:space:]]*ipv6:/ { in_v6=1; in_v4=0; print; next }
|
||||||
@ -28,11 +28,11 @@ appCrowdSecFixPriority() {
|
|||||||
in_v4 && /^[[:space:]]+priority:/ { sub(/priority:.*/, "priority: " p); v4_done=1 }
|
in_v4 && /^[[:space:]]+priority:/ { sub(/priority:.*/, "priority: " p); v4_done=1 }
|
||||||
in_v6 && /^[[:space:]]+priority:/ { sub(/priority:.*/, "priority: " p); v6_done=1 }
|
in_v6 && /^[[:space:]]+priority:/ { sub(/priority:.*/, "priority: " p); v6_done=1 }
|
||||||
{ print }
|
{ print }
|
||||||
' "$cfg" | sudo tee "${cfg}.new" >/dev/null
|
' "$cfg" | runSystem tee "${cfg}.new" >/dev/null
|
||||||
sudo mv "${cfg}.new" "$cfg"
|
runSystem mv "${cfg}.new" "$cfg"
|
||||||
checkSuccess "Patched nftables priority to $target_priority in $cfg"
|
checkSuccess "Patched nftables priority to $target_priority in $cfg"
|
||||||
|
|
||||||
sudo systemctl restart crowdsec-firewall-bouncer
|
runSystem systemctl restart crowdsec-firewall-bouncer
|
||||||
checkSuccess "Restarted crowdsec-firewall-bouncer"
|
checkSuccess "Restarted crowdsec-firewall-bouncer"
|
||||||
|
|
||||||
isSuccessful "Priority updated. Run 'crowdsec_verify_firewall' to confirm CrowdSec now runs before UFW."
|
isSuccessful "Priority updated. Run 'crowdsec_verify_firewall' to confirm CrowdSec now runs before UFW."
|
||||||
|
|||||||
@ -7,32 +7,32 @@ appCrowdSecUpdate() {
|
|||||||
echo ""
|
echo ""
|
||||||
echo "---- $menu_number. Updating apt package index."
|
echo "---- $menu_number. Updating apt package index."
|
||||||
echo ""
|
echo ""
|
||||||
local result=$(sudo apt-get update)
|
local result=$(runSystem apt-get update)
|
||||||
checkSuccess "apt-get update"
|
checkSuccess "apt-get update"
|
||||||
|
|
||||||
((menu_number++))
|
((menu_number++))
|
||||||
echo ""
|
echo ""
|
||||||
echo "---- $menu_number. Upgrading CrowdSec packages."
|
echo "---- $menu_number. Upgrading CrowdSec packages."
|
||||||
echo ""
|
echo ""
|
||||||
local result=$(sudo apt-get install -y --only-upgrade crowdsec crowdsec-firewall-bouncer-nftables)
|
local result=$(runSystem apt-get install -y --only-upgrade crowdsec crowdsec-firewall-bouncer-nftables)
|
||||||
checkSuccess "Upgraded crowdsec + crowdsec-firewall-bouncer-nftables"
|
checkSuccess "Upgraded crowdsec + crowdsec-firewall-bouncer-nftables"
|
||||||
|
|
||||||
((menu_number++))
|
((menu_number++))
|
||||||
echo ""
|
echo ""
|
||||||
echo "---- $menu_number. Refreshing hub collections."
|
echo "---- $menu_number. Refreshing hub collections."
|
||||||
echo ""
|
echo ""
|
||||||
local result=$(sudo cscli hub update)
|
local result=$(runSystem cscli hub update)
|
||||||
checkSuccess "Refreshed hub index"
|
checkSuccess "Refreshed hub index"
|
||||||
local result=$(sudo cscli hub upgrade)
|
local result=$(runSystem cscli hub upgrade)
|
||||||
checkSuccess "Upgraded installed collections"
|
checkSuccess "Upgraded installed collections"
|
||||||
|
|
||||||
((menu_number++))
|
((menu_number++))
|
||||||
echo ""
|
echo ""
|
||||||
echo "---- $menu_number. Reloading services."
|
echo "---- $menu_number. Reloading services."
|
||||||
echo ""
|
echo ""
|
||||||
local result=$(sudo systemctl reload crowdsec)
|
local result=$(runSystem systemctl reload crowdsec)
|
||||||
checkSuccess "Reloaded crowdsec agent"
|
checkSuccess "Reloaded crowdsec agent"
|
||||||
local result=$(sudo systemctl restart crowdsec-firewall-bouncer)
|
local result=$(runSystem systemctl restart crowdsec-firewall-bouncer)
|
||||||
checkSuccess "Restarted crowdsec-firewall-bouncer"
|
checkSuccess "Restarted crowdsec-firewall-bouncer"
|
||||||
|
|
||||||
isSuccessful "CrowdSec updated. Run 'crowdsec_verify_firewall' if you want to re-check nftables priorities."
|
isSuccessful "CrowdSec updated. Run 'crowdsec_verify_firewall' if you want to re-check nftables priorities."
|
||||||
|
|||||||
@ -2,22 +2,22 @@
|
|||||||
|
|
||||||
appCrowdSecVerifyFirewall() {
|
appCrowdSecVerifyFirewall() {
|
||||||
echo "=== nftables tables present ==="
|
echo "=== nftables tables present ==="
|
||||||
sudo nft list tables 2>&1
|
runSystem nft list tables 2>&1
|
||||||
echo
|
echo
|
||||||
echo "=== chain priorities (input hook) ==="
|
echo "=== chain priorities (input hook) ==="
|
||||||
sudo nft list ruleset 2>/dev/null | grep -E 'chain |hook input.*priority' | head -30
|
runSystem nft list ruleset 2>/dev/null | grep -E 'chain |hook input.*priority' | head -30
|
||||||
echo
|
echo
|
||||||
echo "=== priority comparison ==="
|
echo "=== priority comparison ==="
|
||||||
local cs_prio ufw_prio
|
local cs_prio ufw_prio
|
||||||
cs_prio=$(sudo nft list ruleset 2>/dev/null | awk '/table .* crowdsec/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}')
|
cs_prio=$(runSystem nft list ruleset 2>/dev/null | awk '/table .* crowdsec/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}')
|
||||||
ufw_prio=$(sudo nft list ruleset 2>/dev/null | awk '/chain ufw[a-z0-9-]*input/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}')
|
ufw_prio=$(runSystem nft list ruleset 2>/dev/null | awk '/chain ufw[a-z0-9-]*input/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}')
|
||||||
|
|
||||||
echo "CrowdSec priority: ${cs_prio:-not present}"
|
echo "CrowdSec priority: ${cs_prio:-not present}"
|
||||||
echo "UFW priority: ${ufw_prio:-not present}"
|
echo "UFW priority: ${ufw_prio:-not present}"
|
||||||
|
|
||||||
if [[ -z "$cs_prio" ]]; then
|
if [[ -z "$cs_prio" ]]; then
|
||||||
isNotice "CrowdSec nftables table missing — bouncer may not be running."
|
isNotice "CrowdSec nftables table missing — bouncer may not be running."
|
||||||
sudo systemctl is-active crowdsec-firewall-bouncer
|
runSystem systemctl is-active crowdsec-firewall-bouncer
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
if [[ -z "$ufw_prio" ]]; then
|
if [[ -z "$ufw_prio" ]]; then
|
||||||
|
|||||||
@ -13,7 +13,7 @@ borgRestoreSnapshot()
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
borgEnvExport "$idx" || return 1
|
borgEnvExport "$idx" || return 1
|
||||||
sudo mkdir -p "$target_dir"
|
runFileOp mkdir -p "$target_dir"
|
||||||
|
|
||||||
isNotice "Restoring $snapshot_id from $(resticLocationName "$idx") → $target_dir"
|
isNotice "Restoring $snapshot_id from $(resticLocationName "$idx") → $target_dir"
|
||||||
local rc
|
local rc
|
||||||
@ -39,7 +39,7 @@ borgDumpFile()
|
|||||||
borgEnvExport "$idx" || return 1
|
borgEnvExport "$idx" || return 1
|
||||||
local stripped="${file_path#/}"
|
local stripped="${file_path#/}"
|
||||||
if [[ -n "$target_file" ]]; then
|
if [[ -n "$target_file" ]]; then
|
||||||
sudo -E -u "$docker_install_user" borg extract --stdout "::$snapshot_id" "$stripped" | sudo tee "$target_file" >/dev/null
|
sudo -E -u "$docker_install_user" borg extract --stdout "::$snapshot_id" "$stripped" | runFileWrite "$target_file"
|
||||||
else
|
else
|
||||||
sudo -E -u "$docker_install_user" borg extract --stdout "::$snapshot_id" "$stripped"
|
sudo -E -u "$docker_install_user" borg extract --stdout "::$snapshot_id" "$stripped"
|
||||||
fi
|
fi
|
||||||
|
|||||||
@ -30,13 +30,13 @@ kopiaBackupAppToLocation()
|
|||||||
local wrote_ignore=false
|
local wrote_ignore=false
|
||||||
if [[ -n "${backup_exclude_paths:-}" ]]; then
|
if [[ -n "${backup_exclude_paths:-}" ]]; then
|
||||||
local rel
|
local rel
|
||||||
: | sudo tee "$ignore_file" >/dev/null
|
: | runFileWrite "$ignore_file"
|
||||||
while IFS= read -r p; do
|
while IFS= read -r p; do
|
||||||
[[ -z "$p" ]] && continue
|
[[ -z "$p" ]] && continue
|
||||||
rel="/${p#"$source_path"/}"
|
rel="/${p#"$source_path"/}"
|
||||||
echo "$rel" | sudo tee -a "$ignore_file" >/dev/null
|
echo "$rel" | runFileWrite -a "$ignore_file"
|
||||||
done <<< "$backup_exclude_paths"
|
done <<< "$backup_exclude_paths"
|
||||||
sudo chown "$docker_install_user":"$docker_install_user" "$ignore_file" 2>/dev/null
|
runFileOp chown "$docker_install_user":"$docker_install_user" "$ignore_file" 2>/dev/null
|
||||||
wrote_ignore=true
|
wrote_ignore=true
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -44,7 +44,7 @@ kopiaBackupAppToLocation()
|
|||||||
output=$(sudo -E -u "$docker_install_user" kopia snapshot create "$source_path" "${tags[@]}" --json 2>&1)
|
output=$(sudo -E -u "$docker_install_user" kopia snapshot create "$source_path" "${tags[@]}" --json 2>&1)
|
||||||
local rc=$?
|
local rc=$?
|
||||||
|
|
||||||
[[ "$wrote_ignore" == true ]] && sudo rm -f "$ignore_file"
|
[[ "$wrote_ignore" == true ]] && runFileOp rm -f "$ignore_file"
|
||||||
|
|
||||||
local snapshot_id
|
local snapshot_id
|
||||||
snapshot_id=$(echo "$output" | grep -oE '"id":\s*"[^"]+"' | head -1 | cut -d'"' -f4)
|
snapshot_id=$(echo "$output" | grep -oE '"id":\s*"[^"]+"' | head -1 | cut -d'"' -f4)
|
||||||
|
|||||||
@ -12,16 +12,16 @@ resticInstall()
|
|||||||
isHeader "Installing restic"
|
isHeader "Installing restic"
|
||||||
|
|
||||||
if command -v apt-get >/dev/null 2>&1; then
|
if command -v apt-get >/dev/null 2>&1; then
|
||||||
sudo apt-get update -qq >/dev/null
|
runSystem apt-get update -qq >/dev/null
|
||||||
if sudo apt-get install -y restic >/dev/null 2>&1; then
|
if runSystem apt-get install -y restic >/dev/null 2>&1; then
|
||||||
checkSuccess "restic installed via apt"
|
checkSuccess "restic installed via apt"
|
||||||
sudo restic self-update >/dev/null 2>&1 || true
|
runSystem restic self-update >/dev/null 2>&1 || true
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
elif command -v dnf >/dev/null 2>&1; then
|
elif command -v dnf >/dev/null 2>&1; then
|
||||||
sudo dnf install -y restic && return 0
|
runSystem dnf install -y restic && return 0
|
||||||
elif command -v pacman >/dev/null 2>&1; then
|
elif command -v pacman >/dev/null 2>&1; then
|
||||||
sudo pacman -S --noconfirm restic && return 0
|
runSystem pacman -S --noconfirm restic && return 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
isNotice "Package manager install unavailable — downloading restic binary"
|
isNotice "Package manager install unavailable — downloading restic binary"
|
||||||
@ -38,7 +38,7 @@ resticInstall()
|
|||||||
tmp=$(mktemp -d)
|
tmp=$(mktemp -d)
|
||||||
if curl -sL "https://github.com/restic/restic/releases/latest/download/restic_linux_${arch}.bz2" -o "$tmp/restic.bz2"; then
|
if curl -sL "https://github.com/restic/restic/releases/latest/download/restic_linux_${arch}.bz2" -o "$tmp/restic.bz2"; then
|
||||||
bunzip2 "$tmp/restic.bz2"
|
bunzip2 "$tmp/restic.bz2"
|
||||||
sudo install -m 0755 "$tmp/restic" /usr/local/bin/restic
|
runSystem install -m 0755 "$tmp/restic" /usr/local/bin/restic
|
||||||
rm -rf "$tmp"
|
rm -rf "$tmp"
|
||||||
checkSuccess "restic installed to /usr/local/bin/restic"
|
checkSuccess "restic installed to /usr/local/bin/restic"
|
||||||
else
|
else
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user