LibrePortal/scripts/webui/webui_install_systemd.sh
librelad 014d8e5fcc refactor(de-sudo): funnel genuine system commands through runSystem
Foundation for a scoped sudoers: route every genuine system-admin command
(systemctl/ufw/ufw-docker/nft/apt/apt-get/pacman/sysctl/useradd/usermod/
service/wg/wg-quick/cscli/loginctl) through runSystem instead of raw sudo
across 28 active scripts. runSystem is 'sudo "$@"' so this is byte-identical
in every mode (safe on live installs) — it just collects all real-root use at
one chokepoint that will define the eventual /etc/sudoers.d allowlist.

Also: revert a crowdsec advice message the sweep wrongly rewrote (the admin
types sudo, not runSystem), and give crontab_check_processor.sh the same
startup bootstrap as the task processor — it runs standalone via cron and
already used runFileOp/runFileWrite (undefined there), so it was silently
broken; now it sources the helpers + docker-type config.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-24 15:21:53 +01:00

91 lines
3.6 KiB
Bash
Executable File

#!/bin/bash
# LibrePortal Task Processor Systemd Service Setup
# Replaces crontabSetupTaskProcessor with systemd service.
#
# Idempotent: computes the desired unit for the CURRENT docker mode and only
# rewrites + daemon-reloads + restarts when it actually differs from what's on
# disk. So routine re-runs are no-ops (no needless restart that would kill an
# in-flight task), while a rooted<->rootless switch — which changes the env
# block — triggers exactly one rewrite + restart so the processor re-reads the
# new mode. Safe to call from install AND from the docker-type switcher.
installLibrePortalWebUITaskService()
{
    [[ "$CFG_REQUIREMENT_WEBUI_SERVICE" == "true" ]] || return 0
    local service_file="/etc/systemd/system/libreportal.service"
    local task_processor_script="$install_scripts_dir/crontab/task/crontab_task_processor.sh"
    local task_dir="$containers_dir/libreportal/frontend/data/tasks"
    # Point the processor at the task dir (idempotent).
    if [ -f "$task_processor_script" ]; then
        sed -i "s|TASK_DIR=\".*\"|TASK_DIR=\"$task_dir\"|g" "$task_processor_script"
        chmod +x "$task_processor_script"
    else
        isNotice "Task processor script not found"
    fi
    # Rootless docker exposes the daemon at /run/user/<uid>/docker.sock and depends
    # on XDG_RUNTIME_DIR being set. Systemd units don't inherit user bashrc, so
    # without these Environment= lines the processor would fall back to
    # /var/run/docker.sock (which rootless does not create). The rootless daemon
    # runs as the DOCKER INSTALL USER, so its socket lives in THAT user's runtime
    # dir (matches dockerCommandRunInstallUser). Rooted gets no extras — the
    # default /var/run path is already correct.
    local service_env_block=""
    if [[ "$CFG_DOCKER_INSTALL_TYPE" == "rootless" ]]; then
        local docker_install_uid
        docker_install_uid="$(id -u "$CFG_DOCKER_INSTALL_USER")"
        service_env_block="Environment=DOCKER_HOST=unix:///run/user/${docker_install_uid}/docker.sock
Environment=XDG_RUNTIME_DIR=/run/user/${docker_install_uid}"
    fi
    local desired
    desired="$(cat <<EOF
[Unit]
Description=LibrePortal Task Processor
After=network.target
Wants=network.target
[Service]
Type=simple
User=$sudo_user_name
Group=$sudo_user_name
WorkingDirectory=$install_scripts_dir
ExecStart=$task_processor_script start_script
Restart=always
RestartSec=5
SyslogIdentifier=libreportal
${service_env_block}
# Security
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF
    )"
    local current=""
    [[ -f "$service_file" ]] && current="$(sudo cat "$service_file" 2>/dev/null)"
    if [[ "$desired" != "$current" ]]; then
        printf '%s\n' "$desired" | runSystem tee "$service_file" > /dev/null
        runSystem systemctl daemon-reload
        runSystem systemctl enable libreportal.service >/dev/null 2>&1
        runSystem systemctl restart libreportal.service
        isSuccessful "LibrePortal task processor service installed/updated ($CFG_DOCKER_INSTALL_TYPE)."
    else
        # Unit already correct — ensure it's enabled + running, without a restart.
        runSystem systemctl enable libreportal.service >/dev/null 2>&1
        runSystem systemctl is-active --quiet libreportal.service || runSystem systemctl start libreportal.service
        isSuccessful "LibrePortal task processor service already up to date."
    fi
    # Drop the legacy crontab entry if present (superseded by the service).
    if sudo -u "$sudo_user_name" crontab -l 2>/dev/null | grep -q "task_processor.sh"; then
        sudo -u "$sudo_user_name" crontab -l 2>/dev/null | grep -v "task_processor.sh" | sudo -u "$sudo_user_name" crontab -
        isNotice "Removed task processor from crontab"
    fi
}
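The desired-vs-on-disk rule in the header comment (re-run is a no-op, a rooted/rootless switch is exactly one rewrite) is the property worth testing before it touches /etc/systemd/system. The harness below is an added example, not LibrePortal's own code: it re-implements the same render/compare/write logic against a scratch directory so it runs without root or systemd, and adds the check a practitioner would want afterwards, namely that a unit claiming a mode really carries (or really omits) the DOCKER_HOST override. The user name `portal`, the UIDs 1000/1001 and the path `/opt/portal/proc.sh` are constructed fixtures.

```shell
#!/usr/bin/env bash
# Added example (not LibrePortal's own code): a root-free harness for the
# desired-vs-on-disk idempotency rule used by installLibrePortalWebUITaskService.
# User names, UIDs and paths below are constructed test fixtures.

# Render the unit text for a docker mode. Only the rootless branch gets the
# Environment= block; rooted keeps the daemon's default /var/run socket.
render_unit() {
    local mode="$1" run_user="$2" docker_uid="$3" script="$4"
    local env_block=""
    if [ "$mode" = "rootless" ]; then
        env_block="Environment=DOCKER_HOST=unix:///run/user/${docker_uid}/docker.sock
Environment=XDG_RUNTIME_DIR=/run/user/${docker_uid}"
    fi
    cat <<EOF
[Unit]
Description=LibrePortal Task Processor (example)
After=network.target
Wants=network.target
[Service]
Type=simple
User=${run_user}
Group=${run_user}
ExecStart=${script} start_script
Restart=always
RestartSec=5
${env_block}
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF
}

# Write the unit only when it differs from what is already on disk.
# Prints "updated" or "unchanged" so the caller knows whether a
# daemon-reload + restart (which would kill an in-flight task) is due.
sync_unit() {
    local unit_file="$1" desired="$2" current=""
    [ -f "$unit_file" ] && current="$(cat "$unit_file")"
    if [ "$desired" != "$current" ]; then
        printf '%s\n' "$desired" > "$unit_file"
        echo updated
    else
        echo unchanged
    fi
}

# Post-install check: a rootless unit must point DOCKER_HOST at the install
# user's runtime dir; a rooted unit must not override DOCKER_HOST at all.
check_unit_mode() {
    local unit_file="$1" mode="$2" docker_uid="$3" host
    host="$(sed -n 's/^Environment=DOCKER_HOST=//p' "$unit_file")"
    case "$mode" in
        rootless) [ "$host" = "unix:///run/user/${docker_uid}/docker.sock" ] && echo ok || echo mismatch ;;
        rooted)   [ -z "$host" ] && echo ok || echo mismatch ;;
        *)        echo mismatch ;;
    esac
}

# Walk the transitions the installer has to handle, in a scratch dir:
# first install, same-mode re-run, switch to rootless, switch back to rooted.
demo_transitions() {
    local dir unit r1 r2 r3 r4 c1 c2
    dir="$(mktemp -d)"
    unit="$dir/libreportal.service"
    r1="$(sync_unit "$unit" "$(render_unit rooted   portal 1000 /opt/portal/proc.sh)")"
    r2="$(sync_unit "$unit" "$(render_unit rooted   portal 1000 /opt/portal/proc.sh)")"
    r3="$(sync_unit "$unit" "$(render_unit rootless portal 1001 /opt/portal/proc.sh)")"
    c1="$(check_unit_mode "$unit" rootless 1001)"
    r4="$(sync_unit "$unit" "$(render_unit rooted   portal 1000 /opt/portal/proc.sh)")"
    c2="$(check_unit_mode "$unit" rooted 1000)"
    rm -rf "$dir"
    echo "$r1 $r2 $r3 $c1 $r4 $c2"
}

demo_transitions
```

On a host with systemd, the rendered file can additionally be linted before it is copied into place with `systemd-analyze verify <file>`, which catches malformed keys that the plain string comparison above would happily install. Note that the comparison relies on command substitution stripping the trailing newline from both the rendered text and the file contents; if the on-disk copy were read with something that preserves it, every run would look like a change.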