librelad 98e1a0a05d refactor(apps): per-app post-install hooks + move gluetun/crowdsec logic into their apps
Replace the central app-name if-ladder in app_update_specifics.sh with a generic
dispatcher: each app ships containers/<app>/scripts/<app>_update_specifics.sh
defining appUpdateSpecifics_<app> (live-sourced by the container scan, dispatched
by `declare -F` — same pattern as tools). A hook may set shouldrestart=true. Apps
with no specifics ship no hook.

- Move the adguard/pihole (DNS updater), dashy (conf refresh), focalboard (nobody
  ownership + restart), and libreportal (webui regen) branches to per-app hooks.
- Move scripts/gluetun/gluetun_route_apps.sh -> containers/gluetun/scripts/
  (scripts/gluetun/ removed).
- Move scripts/install/install_crowdsec.sh -> containers/crowdsec/scripts/
  crowdsec_install_host.sh; fix the path note in crowdsec.sh.
- Regenerate arrays (moved files drop out; the per-app files are container-scanned,
  not arrayed).

Dispatch verified with stubs: adguard/pihole/dashy/focalboard/libreportal behave
identically to the old ladder (incl. shouldrestart propagation), apps without a
hook are a clean no-op. The CLI itself had no per-app branches — app-specific CLI
is already the (now fully modular) tools system.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-25 23:38:19 +01:00
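
The `declare -F` dispatch described in the commit message above, as an added example that is not the project's own code. The two sample hooks, the `dispatchAppUpdateSpecifics` and `runDispatch` names, the app-name pattern and the reset of `shouldrestart` before each dispatch are assumptions for illustration; only the `appUpdateSpecifics_<app>` naming comes from the page.

```bash
#!/usr/bin/env bash
# Added example: per-app hook dispatch via `declare -F`.
# Everything except the appUpdateSpecifics_<app> naming is hypothetical.

# Constructed sample hooks, standing in for live-sourced
# containers/<app>/scripts/<app>_update_specifics.sh files.
appUpdateSpecifics_focalboard() { shouldrestart=true; }  # requests a restart
appUpdateSpecifics_dashy()      { :; }                   # runs, no restart

# dispatchAppUpdateSpecifics <app>
# Returns 0 when a hook ran cleanly or no hook exists, 1 when the hook
# failed, 2 when the app name is rejected. Sets the global shouldrestart.
dispatchAppUpdateSpecifics()
{
    local app="$1"
    local hook="appUpdateSpecifics_${app}"
    # Reset first so a previous app's request cannot leak into this one.
    shouldrestart=false

    # Assumed naming rule: the app name becomes part of a function name,
    # so accept plain identifiers only (no spaces, ';', '/', '$').
    if [[ ! "$app" =~ ^[a-z][a-z0-9_]*$ ]]; then
        echo "refusing hook dispatch for invalid app name: $app" >&2
        return 2
    fi

    # declare -F succeeds only for a defined shell function; a builtin,
    # alias or binary on PATH with the same name is never executed.
    if declare -F "$hook" >/dev/null; then
        "$hook" || return 1
    fi
    return 0
}

# runDispatch <app>: prints "status:shouldrestart" so results can be compared.
runDispatch()
{
    local status=0
    dispatchAppUpdateSpecifics "$1" 2>/dev/null || status=$?
    echo "${status}:${shouldrestart}"
}

for app in focalboard dashy nextcloud 'x; id'; do
    echo "$app -> $(runDispatch "$app")"
done
```
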

101 lines
4.0 KiB
Bash

#!/bin/bash
# Category : Security
# Description : CrowdSec - Intrusion Prevention (c/u/s/r/i):
#
# Host-installed agent (apt + systemd) — no Docker container. Host install
# logic lives in scripts/crowdsec_install_host.sh (installCrowdsecHost) beside
# this file; install registration uses the shared hostAppInstall helper
# (scripts/install/host_app.sh). uninstall/stop/restartCrowdsec (below) are the
# host-side hooks dockerUninstallApp / dockerStopApp / dockerRestartApp invoke.
installCrowdsec()
{
    local config_variables="$1"

    if [[ "$crowdsec" == *[cCtTuUsSrRiI]* ]]; then
        dockerConfigSetupToContainer silent crowdsec
        initializeAppVariables "$CFG_CROWDSEC_APP_NAME"
    fi

    local app_name="$CFG_CROWDSEC_APP_NAME"

    if [[ "$crowdsec" == *[cC]* ]]; then
        editAppConfig "$app_name"
    fi

    # Uninstall / stop / restart are NOT dispatched here — the CLI and menu call
    # dockerUninstallApp / dockerStopApp / dockerRestartApp directly. Those run
    # the generic docker teardown (a no-op for a host app) and then invoke the
    # uninstall/stop/restartCrowdsec hooks (bottom of this file) for the
    # host-side work.

    if [[ "$crowdsec" == *[iI]* ]]; then
        installCrowdsecHost

        if command -v cscli >/dev/null 2>&1; then
            # Register crowdsec as an installed host app — apps DB row + WebUI regen.
            hostAppInstall "$app_name"

            # Monitoring: gather crowdsec's scrape fragment + Grafana dashboards
            # into Prometheus/Grafana. Run unconditionally — the refresh is
            # self-correcting (adds when CFG_CROWDSEC_MONITORING=true, removes
            # crowdsec's entry when it's been toggled off). No-ops with a notice
            # when Prometheus/Grafana aren't installed.
            monitoringRefreshAll
        else
            isNotice "cscli missing — crowdsec host install did not complete. Skipping registration."
        fi
    fi
}
# Host-side uninstall, invoked by dockerUninstallApp's uninstall<App> hook.
# dockerUninstallApp already handles the generic teardown (data dir, DB rows,
# WebUI regen) — this does what the generic path can't: stopping + purging the
# apt packages and detaching the log bind-mounts.
uninstallCrowdsec()
{
    # Declared separately from the assignments below: `local result=$(cmd)`
    # would leave $? as the status of `local` (always 0), not of cmd.
    local result

    ((menu_number++))
    echo ""
    echo "---- $menu_number. Stopping CrowdSec host services."
    echo ""

    result=$(runSystem systemctl disable --now crowdsec-firewall-bouncer 2>&1)
    checkSuccess "Disabling firewall bouncer"

    result=$(runSystem systemctl disable --now crowdsec 2>&1)
    checkSuccess "Disabling agent"

    ((menu_number++))
    echo ""
    echo "---- $menu_number. Removing CrowdSec packages."
    echo ""

    result=$(runSystem DEBIAN_FRONTEND=noninteractive apt-get purge -y -q crowdsec crowdsec-firewall-bouncer-nftables </dev/null 2>&1)
    checkSuccess "Purged packages"

    result=$(runSystem DEBIAN_FRONTEND=noninteractive apt-get autoremove -y -q </dev/null 2>&1)
    checkSuccess "Removed orphaned dependencies"

    crowdsecToggleLibrePortalLogMounts off
}
# Host-side stop, invoked by dockerStopApp's stop<App> hook. crowdsec ships no
# docker container, so dockerStopApp is a no-op — this stops the host agent +
# bouncer. The package stays installed; only Uninstall removes it.
stopCrowdsec()
{
    # Declared separately so $? after each assignment is the command's status.
    local result

    isNotice "Stopping CrowdSec host services..."

    result=$(runSystem systemctl stop crowdsec-firewall-bouncer 2>&1)
    checkSuccess "Stopped firewall bouncer"

    result=$(runSystem systemctl stop crowdsec 2>&1)
    checkSuccess "Stopped agent"
}
# Host-side restart, invoked by dockerRestartApp's restart<App> hook. crowdsec
# ships no docker container, so dockerRestartApp is a no-op — this restarts the
# host agent + bouncer.
restartCrowdsec()
{
    # Declared separately so $? after each assignment is the command's status.
    local result

    isNotice "Restarting CrowdSec host services..."

    result=$(runSystem systemctl restart crowdsec 2>&1)
    checkSuccess "Restarted agent"

    result=$(runSystem systemctl restart crowdsec-firewall-bouncer 2>&1)
    checkSuccess "Restarted firewall bouncer"
}