168 Commits

Author SHA1 Message Date
librelad
a5cdbc4656 Merge claude/1 2026-05-23 23:22:46 +01:00
librelad
82839abea6 harden(desudo): arg-safe runFileOp + convert DNS subsystem off raw sudo
Give dockerCommandRunInstallUser an --argv mode that execs arguments
verbatim (sudo -u <user> env ... "$@") instead of bash -c "$*", and
point runFileOp at it. The old $*+bash -c re-parse silently mangled
backslashes/quotes in args — e.g. sed scripts (\1, \( become 1, ( ) and
the sqlite3 .backup arg — so rootless data-plane ops with regex were
broken. Verified: the WG_DEFAULT_DNS sed now applies correctly as the
install user. All existing runFileOp callers pass plain commands, so the
switch is safe (and fixes the latent sqlite3 case).

Convert scripts/network/dns/setup_dns.sh: /etc/resolv.conf edits and
ping -> runSystem; the WG_DEFAULT_DNS compose-file sed -> runFileOp.
Byte-identical in rooted; correct in rootless.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 23:22:46 +01:00
librelad
5e8e28f33d Merge claude/1 2026-05-23 22:59:18 +01:00
librelad
0bf9c41c51 harden(rootless): offset userns surface with kptr/ptrace/bpf-jit sysctls
Enabling unprivileged user namespaces for rootless widens the kernel
attack surface reachable by unprivileged users (a known source of LPE
CVEs). Pair it with three distro-portable, low-impact sysctls that close
the surfaces those exploit chains rely on: kernel.kptr_restrict=2 (hide
kernel pointers), kernel.yama.ptrace_scope=1 (block cross-process
ptrace), net.core.bpf_jit_harden=2 (harden the JIT). Added as a separate
guarded LIBREPORTAL KERNEL HARDENING block so it's clearly deliberate and
independently idempotent.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 22:59:18 +01:00
librelad
6d781b66a8 Merge claude/1 2026-05-23 22:54:55 +01:00
librelad
f65ecfc5ed refactor(config): move CFG_ROOTLESS_NET to its own advanced network_rootless file
Split the rootless network-driver knob out of network_docker into a
dedicated advanced subcategory (configs/network/network_rootless), marked
**ADVANCED** at both the file-header and field level so it's hidden behind
the advanced toggle in the WebUI. Registered in the network .category
order after network_docker. Pure config relocation — the install script
reads CFG_ROOTLESS_NET as a sourced var, so no script change needed.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 22:54:55 +01:00
librelad
5bf2011b1a Merge claude/1 2026-05-23 22:52:44 +01:00
librelad
829816b826 feat(rootless): default to pasta+implicit, disable userland-proxy, make net driver switchable
Switch the rootless network stack from slirp4netns+builtin to pasta+
implicit (faster and propagates the real client source IP). The earlier
pasta+builtin attempt bricked the daemon because rootlesskit rejects
mismatched net/port-driver pairs; expose a single CFG_ROOTLESS_NET knob
(pasta default, slirp4netns fallback) and derive the matching port
driver in-script so an invalid combo can't be configured. Disable
userland-proxy in the rootless daemon.json (merged, not clobbered) so
containers see the real source IP. Both driver binaries are always
installed, so switching is a config flip + rootless re-setup.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 22:52:44 +01:00
librelad
caa197f2fa Merge claude/2 2026-05-23 22:24:43 +01:00
librelad
f6a51f9a19 fix(rootless): run WebUI container as userns-root with socket gid 0
In rootless the container was set to user: <host-uid> (e.g. 1002:1002) with
group_add: <host-sub-gid> (e.g. 166528). Inside the daemon's user namespace
those are out of range — group_add made runc call setgroups() with an unmapped
GID ('setgroups: invalid argument'), so the WebUI container never started.
In rootless the container now runs as 0:0 (userns-root == the install user, which
owns the bind-mounts and the rootless socket) with socket gid 0. Rooted is
unchanged. Verified: libreportal-service comes up and talks to the rootless
socket.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 22:24:43 +01:00
librelad
e52938bba5 Merge claude/2 2026-05-23 22:02:43 +01:00
librelad
049d5de6a8 fix(rootless): start daemon with slirp4netns, not invalid pasta+builtin
The rootless dockerd override forced NET=pasta + PORT_DRIVER=builtin, which
rootlesskit rejects ('pasta requires port driver none or implicit'), so the
daemon failed to start every time (the real cause behind 'rootless socket not
found'). Use slirp4netns + builtin (valid, still skips the userspace
port-handler). Verified: daemon now comes up, docker Server 29.5.2 responds.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 22:02:42 +01:00
librelad
7a277384f0 Merge claude/2 2026-05-23 21:42:29 +01:00
librelad
49c1a23221 fix(rootless): run install-user commands via sudo -u, not SSH
dockerCommandRunInstallUser ssh'd to <user>@localhost, but nothing set up an
SSH server/keys/authorized_keys, so every rootless setup command (daemon
install, systemctl --user) silently no-op'd. Replace with 'sudo -u <user> env
…' that sets XDG_RUNTIME_DIR / DBUS_SESSION_BUS_ADDRESS / DOCKER_HOST / PATH
explicitly; linger keeps the user systemd + /run/user/<uid> alive so
systemctl --user works. No SSH server, no keys, less attack surface, and
sudo -u to an unprivileged user is not a root escalation.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 21:42:29 +01:00
librelad
67cda1c955 Merge claude/2 2026-05-23 21:23:12 +01:00
librelad
90584f0b30 fix(rootless): actually create the docker install user
useradd was missing its login-name argument (and -m), so it failed — silently,
because local result=$(...) swallowed the exit code and checkSuccess reported
success. The rootless install user was therefore never created, which cascaded
into 'invalid user dockerinstall' and a daemon that never came up. Pass the
username + -m (subordinate uid/gid ranges come from login.defs), unmasked.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 21:23:12 +01:00
librelad
8f6f4c65ed Merge claude/2 2026-05-23 20:56:56 +01:00
librelad
48d9bd0a13 fix(init): never clobber live config values on deploy/reinstall
setupConfigsFromRepo / sync_configs_from_install used 'cp -a' of the template
over /docker/configs, so any fast/full deploy (which runs init.sh) silently
reset user config to template defaults — e.g. it flipped a live rooted box to
the new rootless template default and broke it. Use 'cp -an' (no-clobber):
fresh installs still get the full template, existing installs keep their values,
and new keys are still added by the add-only reconcile pass. This is also what
makes a rootless template default safe for existing rooted boxes.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 20:56:56 +01:00
librelad
8f21fe5fdf Merge claude/2 2026-05-23 20:45:28 +01:00
librelad
d5acb7e169 refactor(backup): route /docker ops through mode-aware helper
Convert the backup/restore data-plane sudo calls (mkdir/chown/rm/sqlite3/tar/
gzip|tee) to runFileOp/runFileWrite. Rooted behaviour is identical (helper runs
sudo); rootless will run them as the unprivileged install user. Pilot subsystem
for the wider de-sudo. verify.sh's /tmp scratch ops left as-is (different
ownership domain, handled separately).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 20:45:28 +01:00
librelad
e89ce25a19 Merge claude/2 2026-05-23 20:35:18 +01:00
librelad
5c928fe9c0 feat(privilege): mode-aware privileged-op helper
Single place that decides how a privileged op runs by Docker mode:
- runFileOp / runFileWrite: /docker data-plane ops — rooted uses sudo (identical
  to today), rootless runs as the unprivileged install user (no root).
- runSystem: genuine system-admin ops, sudo in both modes, funnelled here so it
  can later be confined to a scoped sudoers allowlist.
Call sites converted to these are byte-for-byte unchanged under rooted, so
existing/live boxes can't regress; rootless gets the de-privileged path.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 20:35:18 +01:00
librelad
14efcc579b Merge claude/2 2026-05-23 20:31:52 +01:00
librelad
9104c1770e chore: regen source arrays to include files_ssh.sh
The SSH-access feature's files_ssh.sh array was never registered in
files_source.sh, leaving it unsourced and blocking the deploy auto-merge.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 20:31:52 +01:00
librelad
6a2ba02647 security(init): manage manager-user sudo via validated sudoers.d drop-in
init.sh appended 'libreportal ALL=(ALL) NOPASSWD: ALL' straight to /etc/sudoers
— a malformed line there locks out sudo entirely. Move it to a validated
/etc/sudoers.d/libreportal drop-in (visudo -cf before install, 0440 root:root).
The grant is still broad; this is the single managed file we tighten to a
scoped command allowlist once the runtime no longer needs broad root. Only runs
at install, so existing boxes are untouched.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 20:26:43 +01:00
librelad
812e09c044 Merge claude/2 2026-05-23 20:16:13 +01:00
librelad
c8e3a152a6 security: default fresh installs to rootless Docker
Containers now run unprivileged by default — a container breakout maps to a
sub-UID, not host root. Rooted remains available as a legacy opt-in. Existing
installs keep their current mode (config reconciliation is add-only); fresh
installs get rootless. The rootless path already handles unprivileged ports
(ip_unprivileged_port_start=0) and userns.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 20:16:13 +01:00
librelad
7e7a7f524c Merge claude/1 2026-05-23 19:03:54 +01:00
librelad
a103aa6864 refactor(webui): path-based URLs for apps, app, tasks, backup
Convert the remaining sections off the legacy ?= query form to clean paths,
matching the Admin area:
  /apps/<category>           (was /apps?=<category>)
  /app/<name>?tab=&task=     (was /app?=<name>&tab=&task=)
  /tasks/<category>?task=    (was /tasks?=<category>&task=)
  /backup/<tab>              (was /backup?=<tab>)

Builders updated everywhere (sidebar, dashboard, notifications, tasks, apps,
app tabs, task-actions, setup watcher); parsers now read the resource from the
path with the legacy ?= kept as a fallback so old links/bookmarks still work
(server already serves index.html at any depth). Route table gains /apps* and
orders it before /app* (since '/apps' startsWith '/app'); active-nav and
config/apps data-loading recognise the new paths.

Tab/task remain ordinary query params (modifiers, not the primary resource).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 19:03:54 +01:00
librelad
a511ed9e8d Merge claude/1 2026-05-23 18:36:06 +01:00
librelad
fab6997cd7 refactor(webui): path-based Admin routing (/admin/config/<x>, /admin/tools/ssh-access)
Replace the Admin area's ?= query URLs with clean, hierarchical paths that
mirror the breadcrumb:
  /admin                  -> Overview
  /admin/config/<category>-> Config / <category>
  /admin/tools/ssh-access -> Tools / SSH Access

New /admin (+ /admin*) SPA route -> handleAdmin, which parses the path via the
shared window.adminPath / window.adminCategoryFromPath helpers and renders
through the existing ConfigManager. Legacy /config, /config?=<x> and /ssh now
redirect into the matching /admin path, so old links/bookmarks keep working
(server already serves index.html for any depth). Sidebar, Admin Overview,
dashboard link and top-nav now build /admin paths; active-nav + config data
loading recognise /admin across spa.js, topbar.js, router.js, data-loader.js.

Scope: Admin area only — /app, /apps, /tasks, /backup keep their existing ?=
URLs.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 18:36:06 +01:00
librelad
8315a58226 Merge claude/2 2026-05-23 18:27:28 +01:00
librelad
036f72d3c2 fix(backup): verify against snapshot restorability, not the live dir
With live dumps + container-side file captures the live app dir intentionally
differs from the snapshot (raw DB dirs and private trees are excluded, replaced
by dumps/captures), so the old source-vs-restored file-count check false-failed.
The scratch restore succeeding already proves restorability (restic hash-checks
every blob); keep a non-empty sanity check instead.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 18:27:28 +01:00
librelad
3d7fc0a3f6 Merge claude/2 2026-05-23 18:23:03 +01:00
librelad
3a1cd8464e fix(backup): make captured file staging readable by the backup user
The container capture preserved the app's ownership (e.g. www-data 0640), so
restic still hit permission denied on the staging copy. chown the staging tree
to the backup user after capture (modes unchanged, so the owner reads fine);
real ownership is reapplied from the descriptor on restore.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 18:23:03 +01:00
librelad
c460f7afcb Merge claude/1 2026-05-23 18:19:25 +01:00
librelad
23a15345fb refactor(admin): sidebar Config/Tools groups, per-group breadcrumbs, SSH matches config layout
- Sidebar now groups items: Overview at top, a 'Config' heading over the config
  categories, and the existing 'Tools' heading over SSH Access.
- Breadcrumb reflects the group: config pages read 'Config' (was 'Admin'), SSH
  reads 'Tools', Overview stays 'Admin'.
- SSH Access page restyled to the config page's section layout
  (.config-category/.domains-wrapper sections) instead of backup-style cards, so
  it matches the other Admin config pages.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 18:19:25 +01:00
librelad
b1c84a9b3c Merge claude/2 2026-05-23 18:15:53 +01:00
librelad
94c9e83c42 feat(backup): container-side capture of private app files
Reads files the backup user can't see from the host (container-owned, e.g.
Nextcloud's www-data data dir) by streaming them out THROUGH the container
(docker exec tar) — no host root, no host read perms, works rooted + rootless.
Extracts to staging as plain files so restic keeps full dedup + per-file
restore (not a piped tar blob); the live path is excluded from the snapshot.
Restore streams the staging copy back through a throwaway in-namespace
container that recreates the tree with the app's uid:gid.

Declared via a libreportal.backup.files compose label; Nextcloud (html, 33:33)
is the first to use it. Live capture failure falls back to stop-snapshot-start.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 18:15:53 +01:00
librelad
0d7cab8c97 Merge claude/1 2026-05-23 17:57:22 +01:00
librelad
b5107e30cc feat(admin): Admin Overview landing + unified Admin page headers
Add an Admin Overview as the Admin landing (default when you open Admin): an
ops/health board distinct from the user Dashboard. Four cards built from data
we already generate — Updates (update_status.json, with one-click update),
Backups (backup dashboard.json), SSH & Security (access.json), System
(disk/memory/system_info) — each with a Manage link into the right section.
Styled like the backup dashboard (tiles/status dots).

Wire-up: 'Overview' is the top sidebar item and the default category
(handleConfig + sidebar), rendered by AdminOverview into #config-section via a
renderConfig('overview') special case. Every Admin page now shows the same
'Admin' breadcrumb header (Overview, SSH Access, and the config categories) for
a consistent Admin → Section feel. User Dashboard gets an 'Admin overview →'
link.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 17:57:21 +01:00
librelad
193206cbf5 Merge claude/1 2026-05-23 17:31:27 +01:00
librelad
4fd043a852 refactor(webui): fold SSH Access into an Admin area
Rename the Config top-nav to 'Admin' and move SSH Access into its sidebar
under a 'Tools' group, instead of a separate top-level nav item. SSH Access is
rendered by SshPage into the config main pane via a renderConfig('ssh-access')
special case; the sidebar item (config-sidebar.js) routes there. SshPage now
mounts into any container (defaults to #config-section). /ssh redirects to
/config?=ssh-access for old links; the standalone ssh-content.html is removed.

Declutters the top bar and gives system/admin features one home that scales
(updates, users, Connect settings can become sidebar entries later).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 17:31:26 +01:00
librelad
403b7055c8 Merge claude/2 2026-05-23 17:18:01 +01:00
librelad
d0ec43e3ca fix(focalboard): chown data dir to runtime uid so db persists
Focalboard runs as nobody (65534) but fixPermissionsBeforeStart hands the app
dir to the install user, so the server couldn't open its sqlite db on the newly
mounted data dir. Chown data/ to 65534 in appUpdateSpecifics and restart.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 17:18:00 +01:00
librelad
9e4ebdf360 Merge claude/2 2026-05-23 17:12:09 +01:00
librelad
d0a53d4c7a fix(focalboard): persist database + enable live backup
Focalboard writes its sqlite db and uploads under /opt/focalboard/data (its
working dir), but the compose mounted ./data:/data — an unused path — so the
database was never persisted and was lost on every container recreation. Mount
./data:/opt/focalboard/data so db + files survive, and declare the db for live
backup (data/focalboard.db).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 17:12:09 +01:00
librelad
f440dc548d Merge claude/2 2026-05-23 17:04:49 +01:00
librelad
fd3f652fb9 feat(backup): declare gitea sqlite database for live backup
Verified on a live install: gitea's app.ini sets [database] PATH=/data/gitea/
gitea.db with mount ./data/gitea:/data, so the host path is data/gitea/gitea/
gitea.db. (Created only after gitea's web setup completes; until then live
backup safely falls back to stop.)

focalboard intentionally still omitted — its db lives at /opt/focalboard/data/
focalboard.db inside the container, which the compose does not mount, so it
isn't persisted to the app dir and can't be backed up until that's fixed.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 17:04:49 +01:00
librelad
a517bd9889 Merge claude/2 2026-05-23 16:55:58 +01:00