


librelad
6e0dc04dd7 Merge claude/1 2026-05-23 23:33:51 +01:00
librelad
a8248ccf7f harden(desudo): convert monitoring subsystem + global log-append idiom
- Global uniform pass: the $logs_dir/$docker_log_file log-append idiom
  (always /docker/logs, data-plane) -> runFileWrite -a across runtime
  files (check_success.sh logging backbone + several app scripts).
- monitoring.sh fully converted: containers_dir/docker_dir file ops
  (sqlite3/sed/mkdir/cp/rm/chmod/find, grafana tee-heredocs) -> runFileOp/
  runFileWrite; prometheus/grafana docker ps/kill/restart -> dockerCommandRun.
Byte-identical in rooted (all helpers reduce to sudo there).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 23:33:51 +01:00
8 changed files with 32 additions and 32 deletions


@ -60,10 +60,10 @@ installAuthelia()
dockerComposeSetupFile $app_name;
local result=$(copyResource "$app_name" "configuration.yml" "config" | sudo tee -a "$logs_dir/$docker_log_file" 2>&1)
local result=$(copyResource "$app_name" "configuration.yml" "config" | runFileWrite -a "$logs_dir/$docker_log_file" 2>&1)
checkSuccess "Copying configuration.yml to $containers_dir$app_name/config"
local result=$(copyResource "$app_name" "users_database.yml" "config" | sudo tee -a "$logs_dir/$docker_log_file" 2>&1)
local result=$(copyResource "$app_name" "users_database.yml" "config" | runFileWrite -a "$logs_dir/$docker_log_file" 2>&1)
checkSuccess "Copying users_database.yml to $containers_dir$app_name/config"
local authelia_config_file="$containers_dir$app_name/config/configuration.yml"
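Review bot: The `checkSuccess` call following each new `local result=$(copyResource … | runFileWrite -a "$logs_dir/$docker_log_file" 2>&1)` line (configuration.yml and users_database.yml) cannot observe a failed copy: `local` returns 0 whatever the command substitution's status, and even without `local` the pipeline's status would be runFileWrite's rather than copyResource's unless `set -o pipefail` is in effect somewhere outside this hunk; the trailing `2>&1` likewise captures only the log writer's stderr. The same applies to the identical lines in installHeadscale, installPrometheus and installUnbound, and to dockerComposeSetupFile and tailscaleInstallToContainer, where `if [ $? -ne 0 ]` after `copyFile … | runFileWrite -a …` tests the log writer's status. A fix that keeps the helper is to capture the producer's output and status first (`local result; result=$(copyResource "$app_name" "configuration.yml" "config" 2>&1); local rc=$?`), append `$result` to the log on a separate line, and re-establish `$rc` (e.g. `(exit "$rc")`) immediately before `checkSuccess`; alternatively enable pipefail file-wide and drop the `local` prefix from these assignments. installAuthelia continues beyond the end of the hunk.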


@ -54,7 +54,7 @@ installHeadscale()
local result=$(createFolders "loud" $docker_install_user $containers_dir$app_name/config)
checkSuccess "Create config folder"
local result=$(copyResource "$app_name" "config.yaml" "config" | sudo tee -a "$logs_dir/$docker_log_file" 2>&1)
local result=$(copyResource "$app_name" "config.yaml" "config" | runFileWrite -a "$logs_dir/$docker_log_file" 2>&1)
checkSuccess "Copying config.yaml to config folder."
configSetupFileWithData $app_name "config.yaml" "config";


@ -57,7 +57,7 @@ installPrometheus()
local result=$(createTouch "$containers_dir$app_name/$app_name/$app_name.yml" $docker_install_user)
checkSuccess "Created $app_name.yml file for $app_name"
local result=$(copyResource "$app_name" "$app_name.yml" "$app_name" | sudo tee -a "$logs_dir/$docker_log_file" 2>&1)
local result=$(copyResource "$app_name" "$app_name.yml" "$app_name" | runFileWrite -a "$logs_dir/$docker_log_file" 2>&1)
checkSuccess "Copying $app_name.yml to containers folder."
((menu_number++))


@ -53,7 +53,7 @@ installUnbound()
monitoringToggleAppConfig "$app_name" "docker-compose.yml";
local result=$(copyResource "$app_name" "unbound.conf" "etc" | sudo tee -a "$logs_dir/$docker_log_file" 2>&1)
local result=$(copyResource "$app_name" "unbound.conf" "etc" | runFileWrite -a "$logs_dir/$docker_log_file" 2>&1)
checkSuccess "Copying unbound.conf to containers folder."
monitoringToggleAppConfig "$app_name" "etc/unbound.conf";


@ -40,7 +40,7 @@ dockerComposeSetupFile()
isError "The source file '$source_file' does not exist."
fi
copyFile "loud" "$source_file" "$target_file" $docker_install_user | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
copyFile "loud" "$source_file" "$target_file" $docker_install_user | runFileWrite -a "$logs_dir/$docker_log_file" 2>&1
if [ $? -ne 0 ]; then
isError "Failed to copy the source file to '$target_path'. Check '$docker_log_file' for more details."


@ -5,7 +5,7 @@ function checkSuccess()
if [ $? -eq 0 ]; then
isSuccessful "$1"
if [ -f "$logs_dir/$docker_log_file" ]; then
echo "✓ Success $1" | sudo tee -a "$logs_dir/$docker_log_file" >/dev/null
echo "✓ Success $1" | runFileWrite -a "$logs_dir/$docker_log_file" >/dev/null
fi
else
isError "$1"
@ -14,8 +14,8 @@ function checkSuccess()
# blocking on read.
if [[ "$LIBREPORTAL_NONINTERACTIVE" == "1" ]] || [ ! -t 0 ]; then
if [ -f "$logs_dir/$docker_log_file" ]; then
isError " $1" | sudo tee -a "$logs_dir/$docker_log_file" >/dev/null
echo "===================================" | sudo tee -a "$logs_dir/$docker_log_file" >/dev/null
isError " $1" | runFileWrite -a "$logs_dir/$docker_log_file" >/dev/null
echo "===================================" | runFileWrite -a "$logs_dir/$docker_log_file" >/dev/null
fi
isNotice "Non-interactive mode: aborting on error."
exit 1
@ -36,15 +36,15 @@ function checkSuccess()
if [[ "$error_occurred" == [xX] ]]; then
# Log the error output to the log file
isError " $1" | sudo tee -a "$logs_dir/$docker_log_file"
echo "===================================" | sudo tee -a "$logs_dir/$docker_log_file"
isError " $1" | runFileWrite -a "$logs_dir/$docker_log_file"
echo "===================================" | runFileWrite -a "$logs_dir/$docker_log_file"
exit 1 # Exit the script with a non-zero status to stop the current action
fi
if [[ "$error_occurred" == [mM] ]]; then
# Log the error output to the log file
isError " $1" | sudo tee -a "$logs_dir/$docker_log_file"
echo "===================================" | sudo tee -a "$logs_dir/$docker_log_file"
isError " $1" | runFileWrite -a "$logs_dir/$docker_log_file"
echo "===================================" | runFileWrite -a "$logs_dir/$docker_log_file"
if [[ "$initial_command2" == "terminal" ]]; then
resetToMenu;
fi
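Review bot: The interactive-path appends in the `[xX]` and `[mM]` branches (`isError " $1" | runFileWrite -a "$logs_dir/$docker_log_file"` and the separator line) run without the `[ -f "$logs_dir/$docker_log_file" ]` guard that the success path and the non-interactive path apply, so if `runFileWrite -a` creates a missing target the way `sudo tee -a` did, the first logged error would create the log file with whatever owner and mode the helper applies rather than the ones the log setup intended. Since all four call sites in this function build the same pipeline, one local helper keeps the guard in a single place: `logAppend() { if [ -f "$logs_dir/$docker_log_file" ]; then runFileWrite -a "$logs_dir/$docker_log_file"; else cat >/dev/null; fi; }` followed by `isError " $1" | logAppend` at each site (with `>/dev/null` appended where the current code silences it). The interactive branches also omit the `>/dev/null` used everywhere else; if echoing the line to the terminal a second time is intended, say so in a comment such as `# also shown on the terminal: a user is present in this branch`. checkSuccess starts before and ends after the visible hunks.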


@ -8,7 +8,7 @@ tailscaleInstallToContainer()
local result=$(createFolders "loud" $docker_install_user $containers_dir$app_name/tailscale)
checkSuccess "Creating Tailscale folder"
copyFile "loud" "${install_scripts_dir}tailscale.sh" "$containers_dir$app_name/tailscale/tailscale.sh" $docker_install_user | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
copyFile "loud" "${install_scripts_dir}tailscale.sh" "$containers_dir$app_name/tailscale/tailscale.sh" $docker_install_user | runFileWrite -a "$logs_dir/$docker_log_file" 2>&1
if [[ "$type" != "install" ]]; then
dockerComposeRestart $app_name;


@ -17,7 +17,7 @@
monitoringInstalledApps()
{
[[ -f "$docker_dir/$db_file" ]] || return 0
sudo sqlite3 "$docker_dir/$db_file" \
runFileOp sqlite3 "$docker_dir/$db_file" \
"SELECT name FROM apps WHERE status = 1 ORDER BY name;" 2>/dev/null
}
@ -26,7 +26,7 @@ monitoringIsInstalled()
{
[[ -f "$docker_dir/$db_file" ]] || return 1
local n
n="$(sudo sqlite3 "$docker_dir/$db_file" \
n="$(runFileOp sqlite3 "$docker_dir/$db_file" \
"SELECT COUNT(*) FROM apps WHERE name = '$1' AND status = 1;" 2>/dev/null)"
[[ -n "$n" && "$n" -gt 0 ]]
}
@ -62,13 +62,13 @@ monitoringToggleAppConfig()
if monitoringAppEnabled "$app_name"; then
# Uncomment: strip the leading # from every non-marker line in range.
sudo sed -i '/# >>> libreportal-monitoring >>>/,/# <<< libreportal-monitoring <<</ {
runFileOp sed -i '/# >>> libreportal-monitoring >>>/,/# <<< libreportal-monitoring <<</ {
/libreportal-monitoring/! s/^\([[:space:]]*\)#/\1/
}' "$file"
isSuccessful "Monitoring config enabled in $rel_path"
else
# Comment: prefix # to every non-marker line in range not already so.
sudo sed -i '/# >>> libreportal-monitoring >>>/,/# <<< libreportal-monitoring <<</ {
runFileOp sed -i '/# >>> libreportal-monitoring >>>/,/# <<< libreportal-monitoring <<</ {
/libreportal-monitoring/! { /^[[:space:]]*#/! s/^\([[:space:]]*\)/\1#/ }
}' "$file"
isNotice "Monitoring config left disabled in $rel_path (CFG_${app_name^^}_MONITORING not true)."
@ -123,24 +123,24 @@ monitoringRefreshPrometheus()
fi
local scrape_dir="${containers_dir}prometheus/prometheus/scrape.d"
sudo mkdir -p "$scrape_dir"
runFileOp mkdir -p "$scrape_dir"
local count=0 app_name fragment
for app_name in $(monitoringInstalledApps); do
fragment="${containers_dir}${app_name}/resources/monitoring/prometheus-scrape.yml"
if monitoringAppEnabled "$app_name" && [[ -f "$fragment" ]]; then
sudo cp "$fragment" "$scrape_dir/${app_name}.yml"
runFileOp cp "$fragment" "$scrape_dir/${app_name}.yml"
monitoringResolveScrapeTags "$scrape_dir/${app_name}.yml" "${containers_dir}${app_name}/docker-compose.yml" "$app_name"
count=$((count + 1))
else
sudo rm -f "$scrape_dir/${app_name}.yml"
runFileOp rm -f "$scrape_dir/${app_name}.yml"
fi
done
sudo chmod -R a+rX "$scrape_dir" 2>/dev/null
runFileOp chmod -R a+rX "$scrape_dir" 2>/dev/null
if sudo docker ps --format '{{.Names}}' 2>/dev/null | grep -q '^prometheus-service$'; then
local result=$(sudo docker kill --signal=HUP prometheus-service 2>&1)
if dockerCommandRun "docker ps --format '{{.Names}}'" "sudo" 2>/dev/null | grep -q '^prometheus-service$'; then
local result=$(dockerCommandRun "docker kill --signal=HUP prometheus-service" "sudo" 2>&1)
checkSuccess "Reloaded Prometheus ($count monitored app(s))"
else
isNotice "Prometheus container not running — scrape.d updated, applied on next start ($count app(s))."
@ -160,11 +160,11 @@ monitoringRefreshGrafana()
local ds_dir="$prov/datasources"
local dash_provider_dir="$prov/dashboards"
local dash_dir="$prov/dashboards/libreportal"
sudo mkdir -p "$ds_dir" "$dash_dir"
runFileOp mkdir -p "$ds_dir" "$dash_dir"
# Prometheus datasource — reachable from the grafana container by the
# prometheus service name on the shared libreportal docker network.
sudo tee "$ds_dir/libreportal-prometheus.yml" >/dev/null <<'EOF'
runFileWrite "$ds_dir/libreportal-prometheus.yml" <<'EOF'
apiVersion: 1
datasources:
- name: Prometheus
@ -176,7 +176,7 @@ datasources:
EOF
# Dashboard provider — points Grafana at the gathered dashboards dir.
sudo tee "$dash_provider_dir/libreportal.yml" >/dev/null <<'EOF'
runFileWrite "$dash_provider_dir/libreportal.yml" <<'EOF'
apiVersion: 1
providers:
- name: LibrePortal
@ -192,23 +192,23 @@ EOF
# Gather each monitoring-enabled app's dashboard JSONs (prefixed with the
# app name to avoid filename clashes). Clear stale ones first.
sudo find "$dash_dir" -type f -name '*.json' -delete 2>/dev/null
runFileOp find "$dash_dir" -type f -name '*.json' -delete 2>/dev/null
local count=0 app_name app_dash f
for app_name in $(monitoringInstalledApps); do
app_dash="${containers_dir}${app_name}/resources/monitoring/grafana-dashboards"
if monitoringAppEnabled "$app_name" && [[ -d "$app_dash" ]]; then
for f in "$app_dash"/*.json; do
[[ -f "$f" ]] || continue
sudo cp "$f" "$dash_dir/${app_name}-$(basename "$f")"
runFileOp cp "$f" "$dash_dir/${app_name}-$(basename "$f")"
count=$((count + 1))
done
fi
done
sudo chmod -R a+rX "$prov" 2>/dev/null
runFileOp chmod -R a+rX "$prov" 2>/dev/null
if sudo docker ps --format '{{.Names}}' 2>/dev/null | grep -q '^grafana-service$'; then
local result=$(sudo docker restart grafana-service 2>&1)
if dockerCommandRun "docker ps --format '{{.Names}}'" "sudo" 2>/dev/null | grep -q '^grafana-service$'; then
local result=$(dockerCommandRun "docker restart grafana-service" "sudo" 2>&1)
checkSuccess "Restarted Grafana ($count dashboard(s) provisioned)"
else
isNotice "Grafana container not running — provisioning updated, applied on next start ($count dashboard(s))."