Bring the remaining deferred subsystems under the scoped sudoers, and drop
the one that's redundant.

Backup engines + app configs -> root-owned helpers (same pattern as
ownership/dns/ssh/socket/svc):
- scripts/system/libreportal-bininstall: install <restic|kopia> — does the
  whole pkg-manager/signed-download install itself for a fixed, validated
  engine name (no blanket sudo apt-get/install). restic_install/kopia_install
  call it.
- scripts/system/libreportal-appcfg: {adguard-auth <user> <bcrypt>|
  crowdsec-priority|owncloud-config <public> <host> <ip> <public_ip>} —
  faithful ports of the AdGuard yaml / CrowdSec bouncer / ownCloud config.php
  rewrites, fixed paths + validated args. adguard_auth/crowdsec_fix_priority/
  owncloud_setup_config call it.
- run_privileged: runBinInstall / runAppCfg; init.sh installs + allowlists both.

Retire standalone (host-level) WireGuard — it's a duplicate of the
containerized containers/wireguard app (+ headscale mesh), its slirp4netns
speed rationale is largely moot with a better rootless net backend / typical
WAN-bound throughput, and it was the heaviest host-root subsystem (apt +
sysctl + iptables + /etc/wireguard), the worst fit for the rootless/
least-privilege direction:
- moved scripts/wireguard/ + manage_wireguard.sh + check_wireguard.sh to
  scripts/unused/; dropped the install-path call, the Tools menu 'w' entry,
  and the requirement check; removed the half-built libreportal-wg helper.
- generate_arrays.sh now also skips system/ (root-owned helpers, never
  sourced); arrays regenerated (files_wireguard.sh pruned).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
60 lines
1.9 KiB
Bash
Executable File
#!/bin/bash

checkRequirements()
{
    isHeader "Checking Requirements"
    isNotice "Requirements are about to be installed."
    isNotice "Edit the features config if you want to disable anything."
    echo ""

    checkRootRequirement;
    checkCommandRequirement;
    checkInstallTypeRequirement;
    checkConfigRequirement;
    checkPasswordsRequirement;
    checkDatabaseRequirement;
    checkDockerRequirement;
    checkDockerComposeRequirement;
    checkDockerRootlessRequirement;
    checkDockerNetworkRequirement;
    checkUFWRequirement;
    checkUFWDRequirement;
    checkManagerRequirement;
    checkSSLCertsRequirement;
    checkSwapfileRequirement;
    checkCrontabRequirement;
    checkWebUISystemdRequirement;
    checkSuggestInstallsRequirement;
    checkLibrePortalWebUIImageRequirement;
    checkLibrePortalWebUIAppRequirement;
    checkTraefikRequirement;
    checkDockerSwitcherRequirement;

    # `startPreInstall` already runs `startScan` at the end of its flow, so
    # only call it again on the no-preinstall path. Otherwise every
    # `libreportal run` that touches preinstall fires `webuiLibrePortalUpdate`
    # twice (the lock file is removed at the end of each invocation, so the
    # second call doesn't short-circuit — it does the full regen again).
    if [[ "$preinstallneeded" -ne 0 ]]; then
        startPreInstall;
    else
        startScan;
    fi

    # After load here
    if [[ "$initial_command2" == "install" ]]; then
        # Clear the install spam so the credentials are the first thing the
        # user sees. The full transcript is preserved in $install_log_path.
        # Stdout is teed to a log file (start.sh `exec > >(tee …)`), so we
        # write the clear sequence straight to /dev/tty instead of relying
        # on `[ -t 1 ]`, which is false under that redirect.
        if [ -e /dev/tty ] && [ -t 0 ]; then
            clear >/dev/tty 2>/dev/null || printf '\033c' >/dev/tty 2>/dev/null
        fi
        webuiDisplayLogins;
    fi

    if [[ "$initial_command2" == "terminal" ]]; then
        resetToMenu;
    fi
}
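
The helper pattern the commit message describes (a root-owned script that accepts only a fixed subcommand grammar instead of a blanket sudo rule), as an added example that is not LibrePortal's own code. The subcommand names come from the message; the function names `validate_helper_args` and `is_ipv4`, the accepted character sets, and reading `<public>` as a true/false flag are assumptions.

```sh
#!/bin/sh
# Added example: argv gate for root-owned helpers behind a scoped sudoers rule.
# The grammar is from the commit message; every validation pattern here is an
# assumption, not the project's actual check.

is_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    rest=$1. n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        case "$octet" in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# validate_helper_args <bininstall|appcfg> <argv...>: 0 = allow, 1 = refuse
validate_helper_args() {
    helper=$1; shift
    case "$helper:${1-}" in
        bininstall:install)
            [ "$#" -eq 2 ] || return 1
            case "$2" in restic|kopia) ;; *) return 1 ;; esac ;;
        appcfg:adguard-auth)
            [ "$#" -eq 3 ] || return 1
            case "$2" in ''|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac
            # bcrypt string: 7-char "$2b$NN$" prefix + 53 chars from [./A-Za-z0-9]
            [ "${#3}" -eq 60 ] || return 1
            case "$3" in '$2'[aby]'$'[0-9][0-9]'$'*) ;; *) return 1 ;; esac
            case "${3#???????}" in *[!A-Za-z0-9./]*) return 1 ;; esac ;;
        appcfg:crowdsec-priority)
            [ "$#" -eq 1 ] ;;
        appcfg:owncloud-config)
            [ "$#" -eq 5 ] || return 1
            case "$2" in true|false) ;; *) return 1 ;; esac  # assumed boolean flag
            case "$3" in ''|-*|*[!A-Za-z0-9.-]*) return 1 ;; esac
            is_ipv4 "$4" && is_ipv4 "$5" ;;
        *) return 1 ;;
    esac
}

# Constructed sample invocations (not taken from the project)
for try in "bininstall install restic" "bininstall install restic;id" \
           "appcfg owncloud-config true cloud.example.test 10.0.0.5 203.0.113.7"; do
    # word splitting is intentional: each sample string is one argv
    if validate_helper_args $try; then echo "allow:  $try"; else echo "refuse: $try"; fi
done
```

A gate like this only helps if the sudoers entry names the helper by absolute path and the helper itself is root-owned and not writable by the calling user.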