librelad 053a620e22 fix(reliability): split local result=$(cmd) so $? survives for checkSuccess
'local result=$(cmd)' resets $? to 0 (the local builtin's own exit), so the
following checkSuccess always saw success regardless of cmd's real exit — the
mechanism that masked the de-sudo write failures. Split declaration from
assignment ('local result; result=$(cmd)') across all 235 active-code sites
(84 files) so the command's exit reaches checkSuccess. No behaviour change
beyond $? now being accurate (no set -e in runtime code; multi-line
assignments transform safely).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-31 03:09:25 +01:00


#!/bin/bash
# Category : Security
# Description : CrowdSec - Intrusion Prevention (c/u/s/r/i):
#
# Host-installed agent (apt + systemd) — no Docker container. Host install
# logic lives in scripts/crowdsec_install_host.sh (installCrowdsecHost) beside
# this file; install registration uses the shared hostAppInstall helper
# (scripts/install/host_app.sh). uninstall/stop/restartCrowdsec (below) are the
# host-side hooks dockerUninstallApp / dockerStopApp / dockerRestartApp invoke.
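installCrowdsec() {
  # Entry point for the CrowdSec app: acts on the action letters held in the
  # global $crowdsec (config edit on c/C, host install on i/I).
  # Globals:   crowdsec (read), CFG_CROWDSEC_APP_NAME (read)
  # Arguments: $1 - stored in config_variables; not read in this function
  # Outputs:   a notice through isNotice when cscli is absent after the install

  # Not referenced below. Kept as-is because bash locals are visible to the
  # functions called from here — TODO confirm whether any helper reads it.
  local config_variables="$1"

  # Any recognised action letter (c, t, u, s, r, i in either case) loads the
  # app's config and variables first.
  if [[ "$crowdsec" == *[cCtTuUsSrRiI]* ]]; then
    dockerConfigSetupToContainer silent crowdsec
    initializeAppVariables "$CFG_CROWDSEC_APP_NAME"
  fi

  local app_name=$CFG_CROWDSEC_APP_NAME

  if [[ "$crowdsec" == *[cC]* ]]; then
    # Quoted so the name always reaches editAppConfig as exactly one argument,
    # matching the hostAppInstall call below.
    editAppConfig "$app_name"
  fi

  # Uninstall / stop / restart are NOT dispatched here — the CLI and menu call
  # dockerUninstallApp / dockerStopApp / dockerRestartApp directly. Those run
  # the generic docker teardown (a no-op for a host app) and then invoke the
  # uninstall/stop/restartCrowdsec hooks (bottom of this file) for the
  # host-side work.
  if [[ "$crowdsec" == *[iI]* ]]; then
    installCrowdsecHost

    # NOTE(review): this only proves the cscli binary is on PATH. It does not
    # show that the crowdsec agent or the firewall bouncer are running, so an
    # app registered here may still not be enforcing anything — a service
    # state check would be needed for that.
    if command -v cscli >/dev/null 2>&1; then
      # Register crowdsec as an installed host app — apps DB row + WebUI regen.
      hostAppInstall "$app_name"
      # Monitoring: gather crowdsec's scrape fragment + Grafana dashboards
      # into Prometheus/Grafana. Run unconditionally — the refresh is
      # self-correcting (adds when CFG_CROWDSEC_MONITORING=true, removes
      # crowdsec's entry when it's been toggled off). No-ops with a notice
      # when Prometheus/Grafana aren't installed.
      monitoringRefreshAll
    else
      isNotice "cscli missing — crowdsec host install did not complete. Skipping registration."
    fi
  fi
}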
# uninstall<App> hook for CrowdSec, called by dockerUninstallApp. The generic
# teardown (data dir, DB rows, WebUI regen) is dockerUninstallApp's job; this
# hook covers the host-only part: disable the services, purge the apt packages
# and detach the log bind-mounts.
# Globals:   menu_number (incremented twice)
# Outputs:   two numbered step banners on stdout
uninstallCrowdsec() {
  (( menu_number++ ))
  echo ""
  echo "---- $menu_number. Stopping CrowdSec host services."
  echo ""

  # checkSuccess judges $? of the command directly above it, so every
  # assignment sits alone on the line before its checkSuccess call. Folding
  # the assignment into `local` would reset $? to 0 and hide failures.
  local result

  # Bouncer first, then the agent.
  result=$(runSystem systemctl disable --now crowdsec-firewall-bouncer 2>&1)
  checkSuccess "Disabling firewall bouncer"

  result=$(runSystem systemctl disable --now crowdsec 2>&1)
  checkSuccess "Disabling agent"

  (( menu_number++ ))
  echo ""
  echo "---- $menu_number. Removing CrowdSec packages."
  echo ""

  # DEBIAN_FRONTEND=noninteractive is handed to runSystem as its first
  # argument, not as a shell environment prefix — NOTE(review): whether apt
  # actually sees it depends on how runSystem executes its arguments; confirm.
  # stdin comes from /dev/null so apt cannot wait on a prompt.
  result=$(runSystem DEBIAN_FRONTEND=noninteractive apt-get purge -y -q \
    crowdsec crowdsec-firewall-bouncer-nftables </dev/null 2>&1)
  checkSuccess "Purged packages"

  # autoremove is not limited to CrowdSec: with -y it removes every package
  # apt currently treats as an orphaned dependency on this host.
  result=$(runSystem DEBIAN_FRONTEND=noninteractive apt-get autoremove -y -q \
    </dev/null 2>&1)
  checkSuccess "Removed orphaned dependencies"

  # Runs after the checks above regardless of their outcome, unless
  # checkSuccess itself aborts — its behaviour is not visible in this file.
  crowdsecToggleLibrePortalLogMounts off
}
# stop<App> hook for CrowdSec, called by dockerStopApp. crowdsec ships no
# docker container, so dockerStopApp itself is a no-op; the real work is
# stopping the host agent and the firewall bouncer here. The package stays
# installed — only Uninstall removes it. Once this has run successfully,
# neither the agent nor the bouncer is running until restartCrowdsec (or
# systemd) starts them again.
stopCrowdsec() {
  isNotice "Stopping CrowdSec host services..."

  # Declared separately from the assignments: checkSuccess judges $? of the
  # command directly above it, and `local result=$(...)` would always leave 0.
  local result

  result=$(runSystem systemctl stop crowdsec-firewall-bouncer 2>&1)
  checkSuccess "Stopped firewall bouncer"

  result=$(runSystem systemctl stop crowdsec 2>&1)
  checkSuccess "Stopped agent"
}
# restart<App> hook for CrowdSec, called by dockerRestartApp. crowdsec ships
# no docker container, so dockerRestartApp itself is a no-op; this restarts
# the host agent first and the firewall bouncer second.
restartCrowdsec() {
  isNotice "Restarting CrowdSec host services..."

  # Declared separately from the assignments: checkSuccess judges $? of the
  # command directly above it, and `local result=$(...)` would always leave 0.
  local result

  result=$(runSystem systemctl restart crowdsec 2>&1)
  checkSuccess "Restarted agent"

  result=$(runSystem systemctl restart crowdsec-firewall-bouncer 2>&1)
  checkSuccess "Restarted firewall bouncer"
}