LibrePortal/scripts/webui/webui_install_systemd.sh
librelad d7c0d12314 harden(desudo): funnel firewall/ssh/socket/systemd system ops through runSystem
firewall_initial_setup + firewall_clear_rules (ufw/ufw-docker),
host_access.sh (sshd/-T/-t, /etc/ssh, authorized_keys, systemctl reload),
set_socket_permissions (docker socket test/chmod), and webui_install_systemd
(systemd unit tee + systemctl) -> runSystem. These stay real-root in both
modes and define part of the eventual scoped allowlist. Left the
'sudo -u <manager> crontab' run-as-manager lines for a dedicated pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 23:46:58 +01:00


#!/bin/bash
# LibrePortal Task Processor Systemd Service Setup
# Replaces crontabSetupTaskProcessor with systemd service
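#######################################
# Install the LibrePortal task processor as a systemd unit (replaces the
# older crontab-based task processor).
# No-op unless CFG_REQUIREMENT_WEBUI_SERVICE is "true" and the unit file
# does not already exist.
# Globals (read): CFG_REQUIREMENT_WEBUI_SERVICE, CFG_DOCKER_INSTALL_TYPE,
#   install_scripts_dir, containers_dir, sudo_user_name
# Calls: runSystem (privileged system ops), isNotice, isSuccessful — all
#   defined elsewhere in the installer.
# Side effects: rewrites TASK_DIR in crontab_task_processor.sh, writes
#   /etc/systemd/system/libreportal.service via runSystem, drops the old
#   crontab entry, then daemon-reloads / enables / starts the unit.
# Returns: 0 on success or when there is nothing to do; 1 when the rootless
#   uid lookup fails (the unit is not written in that case).
#######################################
installLibrePortalWebUITaskService()
{
  [[ "$CFG_REQUIREMENT_WEBUI_SERVICE" == "true" ]] || return 0

  local service_file="/etc/systemd/system/libreportal.service"
  # An existing unit means a previous run already completed this setup.
  [[ -f "$service_file" ]] && return 0

  local task_processor_script="$install_scripts_dir/crontab/task/crontab_task_processor.sh"
  local task_dir="$containers_dir/libreportal/frontend/data/tasks"

  # Point the processor at the tasks directory. The path lands inside a sed
  # replacement, so escape what sed treats specially there (backslash, the
  # '|' delimiter and '&'); otherwise an unusual install path would corrupt
  # the TASK_DIR line.
  if [[ -f "$task_processor_script" ]]; then
    local sed_task_dir=${task_dir//\\/\\\\}
    sed_task_dir=${sed_task_dir//|/\\|}
    sed_task_dir=${sed_task_dir//&/\\&}
    sed -i "s|TASK_DIR=\".*\"|TASK_DIR=\"${sed_task_dir}\"|g" "$task_processor_script"
    chmod +x "$task_processor_script"
  else
    isNotice "Task processor script not found"
  fi

  # Rootless docker exposes the daemon at /run/user/<uid>/docker.sock and
  # depends on XDG_RUNTIME_DIR being set. Systemd units don't inherit user
  # bashrc, so without these Environment= lines the processor would fall
  # back to /var/run/docker.sock (which rootless does not create) and any
  # `docker …` call inside the task would fail. Rootful gets no extras —
  # the default /var/run path is already correct.
  local service_env_block=""
  if [[ "$CFG_DOCKER_INSTALL_TYPE" == "rootless" ]]; then
    local libreportal_uid
    # Assignment kept separate from `local` so a failed id(1) is not masked;
    # an empty uid would otherwise yield a unit pointing at /run/user//docker.sock.
    if ! libreportal_uid="$(id -u "$sudo_user_name")" || [[ -z "$libreportal_uid" ]]; then
      isNotice "Cannot resolve uid for $sudo_user_name; service not installed"
      return 1
    fi
    service_env_block="Environment=DOCKER_HOST=unix:///run/user/${libreportal_uid}/docker.sock
Environment=XDG_RUNTIME_DIR=/run/user/${libreportal_uid}"
  fi

  # Write the unit as root through runSystem. Heredoc body is left at
  # column 0 on purpose: it is the literal file content.
  runSystem tee "$service_file" > /dev/null <<EOF
[Unit]
Description=LibrePortal Task Processor
After=network.target
Wants=network.target
[Service]
Type=simple
User=$sudo_user_name
Group=$sudo_user_name
WorkingDirectory=$install_scripts_dir
ExecStart=$task_processor_script start_script
Restart=always
RestartSec=5
SyslogIdentifier=libreportal
${service_env_block}
# Security
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF

  # Remove the legacy crontab entry. These run as the manager user, not as
  # root, so they are deliberately not routed through runSystem.
  if sudo -u "$sudo_user_name" crontab -l 2>/dev/null | grep -q "task_processor.sh"; then
    sudo -u "$sudo_user_name" crontab -l 2>/dev/null \
      | grep -v "task_processor.sh" \
      | sudo -u "$sudo_user_name" crontab -
    isNotice "Removed task processor from crontab"
  fi

  # Reload systemd and enable the service. enable's symlink chatter is
  # silenced, but a failure is still reported instead of vanishing.
  runSystem systemctl daemon-reload
  if ! runSystem systemctl enable libreportal.service >/dev/null 2>&1; then
    isNotice "Failed to enable libreportal.service"
  fi
  runSystem systemctl start libreportal.service
  isSuccessful "LibrePortal task processor service setup."
}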