diff --git a/docs/FOOTPRINT.md b/docs/FOOTPRINT.md index ff02fbe..078bfeb 100644 --- a/docs/FOOTPRINT.md +++ b/docs/FOOTPRINT.md @@ -50,7 +50,7 @@ quick-deploy). | `/usr/local/bin/libreportal` | root | **symlink** → `/usr/local/lib/libreportal/libreportal` (puts the CLI on `$PATH`) | | `/usr/local/bin/libreportal-uninstall` | root | **symlink** → `/usr/local/lib/libreportal/uninstall.sh` (location-agnostic uninstall command) | | `/etc/sudoers.d/` | root | scoped least-privilege grant for the manager (drop-in named after the manager user) | -| `/etc/systemd/system/libreportal-taskprocessor.service` | root | the task-processor service (`User=`; bakes the roots as `Environment=LP_*_DIR`; also drives the periodic `regen` poll) | +| `/etc/systemd/system/libreportal.service` | root | the task-processor service (`User=`; bakes the roots as `Environment=LP_*_DIR`; also drives the periodic `regen` poll) | | `/etc/sysctl.d/99-libreportal-hardening.conf` | root | kernel LPE-surface hardening | | `/etc/sysctl.d/99-libreportal-rootless.conf` | root | rootless sysctl settings + "rootless configured" marker | @@ -72,8 +72,8 @@ config lives at `~/.config/docker/daemon.json`. `init.sh uninstall` does all of this; the sketch (with default roots/manager): ``` -sudo systemctl disable --now libreportal-taskprocessor.service -sudo rm -f /etc/systemd/system/libreportal-taskprocessor.service /etc/sudoers.d/libreportal +sudo systemctl disable --now libreportal.service +sudo rm -f /etc/systemd/system/libreportal.service /etc/sudoers.d/libreportal sudo rm -f /etc/sysctl.d/99-libreportal-*.conf sudo rm -rf /usr/local/lib/libreportal /usr/local/bin/libreportal /usr/local/bin/libreportal-uninstall sudo rm -rf /libreportal-system /libreportal-containers /libreportal-backups diff --git a/init.sh b/init.sh index f237181..73b46c8 100755 --- a/init.sh +++ b/init.sh 
@@ -130,7 +130,7 @@ command_symlink="/usr/local/bin/libreportal" # `update apply` runs as the manager and CANNOT rewrite root-owned files, so a bump # tells the updater the new release needs a root re-install (which re-bakes them). # Recorded at install in $lp_lib_dir/.footprint_version. See docs/DEVELOPMENT.md. -footprint_version=3 +footprint_version=2 footprint_marker="$lp_lib_dir/.footprint_version" # Directories — three independently-relocatable roots (see scripts/source/paths.sh @@ -1588,8 +1588,7 @@ completeInitMessage() # the real locations; silently no-ops on a legacy unit (then the derive defaults / # /docker compat shim apply). libreportalReadBakedRoots() { - local unit=/etc/systemd/system/libreportal-taskprocessor.service - [[ -f "$unit" ]] || unit=/etc/systemd/system/libreportal.service # pre-rename fallback + local unit=/etc/systemd/system/libreportal.service [[ -f "$unit" ]] || return 0 local s c b m s=$(grep -oE 'LP_SYSTEM_DIR=\S+' "$unit" | head -1 | cut -d= -f2) @@ -1651,10 +1650,9 @@ runFullUninstall() isHeader "Tearing down LibrePortal" - # 1. Stop + remove the task-processor service (current + pre-rename name). - systemctl disable --now libreportal-taskprocessor.service >/dev/null 2>&1 + # 1. Stop + remove the task-processor service. systemctl disable --now libreportal.service >/dev/null 2>&1 - rm -f /etc/systemd/system/libreportal-taskprocessor.service /etc/systemd/system/libreportal.service + rm -f /etc/systemd/system/libreportal.service systemctl daemon-reload >/dev/null 2>&1 isSuccessful "Stopped + removed the task-processor service" diff --git a/scripts/checks/requirements/check_webui_systemd.sh b/scripts/checks/requirements/check_webui_systemd.sh index 2c2623f..fed3cc7 100755 --- a/scripts/checks/requirements/check_webui_systemd.sh +++ b/scripts/checks/requirements/check_webui_systemd.sh 
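Review bot: Lowering `footprint_version` from 3 to 2 contradicts the comment directly above it, which describes a bump as the signal that a release needs a root re-install. A host that already recorded 3 in `$lp_lib_dir/.footprint_version` now holds a marker higher than the shipped value. The comparison is not visible in this hunk, so confirm whether the updater treats that as "re-install needed". This commit changes a root-owned path again (the unit file), so moving forward looks safer, e.g. `footprint_version=4` with a comment such as `# 4: unit name reverted to libreportal.service`.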
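Review bot: With the second unit path dropped from `libreportalReadBakedRoots`, a host whose unit was installed as `libreportal-taskprocessor.service` hits `[[ -f "$unit" ]] || return 0` and silently falls back to the derived default roots. The same gap appears in the `runFullUninstall` hunk below, which no longer disables or removes that unit. It also appears in `install_unit` in `scripts/system/libreportal-svc`, which loses `_drop_legacy` without a counterpart for the name being reverted. If any host ran the renamed release, it could end up with two task processors, or keep one running after uninstall. Consider keeping the fallback in the other direction, `[[ -f "$unit" ]] || unit=/etc/systemd/system/libreportal-taskprocessor.service  # reverted-name fallback`, and the matching cleanup in the other two places; the function body continues past this hunk.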
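Review bot: `isSuccessful "Stopped + removed the task-processor service"` is printed unconditionally, although the `systemctl` calls before it discard both output and exit status and the `rm -f` result is not checked. On an uninstall path that should leave no root-installed unit behind, verify the post-condition before reporting success, e.g. `if [[ ! -e /etc/systemd/system/libreportal.service ]] && ! systemctl is-active --quiet libreportal.service; then isSuccessful ...; else isNotice ...; fi`. `runFullUninstall` starts and ends outside this hunk.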
@@ -3,9 +3,8 @@ checkWebUISystemdRequirement() { if [[ $CFG_REQUIREMENT_WEBUI_SERVICE == "true" ]]; then - ### Check if systemd service is running (accept the pre-rename name too) - if runSystem systemctl is-active --quiet libreportal-taskprocessor.service \ - || runSystem systemctl is-active --quiet libreportal.service; then + ### Check if systemd service is running + if runSystem systemctl is-active --quiet libreportal.service; then isSuccessful "LibrePortal task processor service is running." else isNotice "LibrePortal task processor service is not running." diff --git a/scripts/system/libreportal-svc b/scripts/system/libreportal-svc index a9b1f1f..c06c663 100644 --- a/scripts/system/libreportal-svc +++ b/scripts/system/libreportal-svc @@ -1,6 +1,6 @@ #!/bin/bash # LibrePortal task-processor systemd helper — the only root-privileged management -# of the libreportal-taskprocessor.service unit the manager may trigger. Installed root:root +# of the libreportal.service unit the manager may trigger. Installed root:root # 0755 to /usr/local/sbin by init.sh. Self-contained: it GENERATES the unit from # config (mode + install-user uid + the baked manager name + fixed script paths) # — it does NOT accept unit content from the caller (that would be root: an 
@@ -25,12 +25,7 @@ BACKUPS_DIR="__BACKUPS_DIR__" [[ "$CONTAINERS_DIR" == *"__"* || -z "$CONTAINERS_DIR" ]] && CONTAINERS_DIR="/libreportal-containers" [[ "$BACKUPS_DIR" == *"__"* || -z "$BACKUPS_DIR" ]] && BACKUPS_DIR="/libreportal-backups" -SERVICE_NAME="libreportal-taskprocessor.service" -SERVICE_FILE="/etc/systemd/system/$SERVICE_NAME" -# Pre-rename unit name — removed on install so an upgraded box doesn't keep a -# duplicate/orphan processor running under the old name. -LEGACY_SERVICE_NAME="libreportal.service" -LEGACY_SERVICE_FILE="/etc/systemd/system/$LEGACY_SERVICE_NAME" +SERVICE_FILE="/etc/systemd/system/libreportal.service" INSTALL_SCRIPTS_DIR="$SYSTEM_DIR/install/scripts" TASK_PROCESSOR="$INSTALL_SCRIPTS_DIR/crontab/task/crontab_task_processor.sh" DB_CFG="$SYSTEM_DIR/configs/general/general_docker_install" @@ -83,29 +78,19 @@ WantedBy=multi-user.target EOF } -# Remove the pre-rename unit if it's still around (idempotent migration). -_drop_legacy() { - if [[ -f "$LEGACY_SERVICE_FILE" ]]; then - systemctl disable --now "$LEGACY_SERVICE_NAME" >/dev/null 2>&1 - rm -f "$LEGACY_SERVICE_FILE" - systemctl daemon-reload - fi -} - install_unit() { - _drop_legacy local desired current="" desired="$(_gen_unit)" [[ -f "$SERVICE_FILE" ]] && current="$(cat "$SERVICE_FILE" 2>/dev/null)" if [[ "$desired" != "$current" ]]; then printf '%s\n' "$desired" > "$SERVICE_FILE" systemctl daemon-reload - systemctl enable "$SERVICE_NAME" >/dev/null 2>&1 - systemctl restart "$SERVICE_NAME" + systemctl enable libreportal.service >/dev/null 2>&1 + systemctl restart libreportal.service echo "updated" else - systemctl enable "$SERVICE_NAME" >/dev/null 2>&1 - systemctl is-active --quiet "$SERVICE_NAME" || systemctl start "$SERVICE_NAME" + systemctl enable libreportal.service >/dev/null 2>&1 + systemctl is-active --quiet libreportal.service || systemctl start libreportal.service echo "unchanged" fi } 
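Review bot: Removing `SERVICE_NAME` leaves the unit name as a literal repeated in `SERVICE_FILE`, in every `systemctl` call of `install_unit`, and in each arm of the `case` dispatch in the last hunk. The file that gets written and the unit that gets enabled or restarted can then drift apart in a later edit. A root-run helper is better served by one source of truth: `readonly SERVICE_NAME="libreportal.service"` and `readonly SERVICE_FILE="/etc/systemd/system/$SERVICE_NAME"`, with the calls using `"$SERVICE_NAME"` as they did before.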
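Review bot: In `install_unit`, neither `desired="$(_gen_unit)"` nor `printf '%s\n' "$desired" > "$SERVICE_FILE"` is checked. A failed generation or a failed or partial write is therefore still followed by `daemon-reload`, `enable` and `restart`, and the helper prints `updated`. Whether the script runs under `set -e` is not visible in this hunk. If it does not, guards such as `desired="$(_gen_unit)" && [[ -n "$desired" ]] || exit 1` and `printf '%s\n' "$desired" > "$SERVICE_FILE" || exit 1` would keep this root helper from restarting the service on an empty or truncated unit.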
@@ -113,9 +98,9 @@ install_unit() { action="${1:-}" case "$action" in install) install_unit ;; - enable) systemctl enable "$SERVICE_NAME" >/dev/null 2>&1 ;; - restart) systemctl restart "$SERVICE_NAME" ;; - start) systemctl start "$SERVICE_NAME" ;; - status) systemctl is-active "$SERVICE_NAME" ;; + enable) systemctl enable libreportal.service >/dev/null 2>&1 ;; + restart) systemctl restart libreportal.service ;; + start) systemctl start libreportal.service ;; + status) systemctl is-active libreportal.service ;; *) echo "usage: libreportal-svc {install|enable|restart|start|status}" >&2; exit 2 ;; esac