Convert the remaining ad-hoc 'sudo' calls across the data plane to the run_privileged helpers so every file op lands as the correct owner with no blanket root: - DB/configs (manager-owned): db_list_all_apps, delete_db_file, install_sqlite, cli_webui_commands -> runInstallOp - containers (dockerinstall-owned): scan_container_socket, delete_data, webui_task_files, webui_app_log, webui_config_patch, application_missing_variables, uninstall_app -> runFileOp/runFileWrite - genuine root: passwd, tailscale, ufw-docker, sysctl grep, systemd unit read, authorized_keys read, nobody chown -> runSystem - interactive editors and 'id -u': drop sudo entirely (run as caller) - owncloud/adguard container-UID config edits -> runSystem (funnel; docker-exec rework deferred) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
#!/bin/bash
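#######################################
# Install the Tailscale client on this host and join it to a Headscale
# server: either the locally installed Headscale container ("local") or a
# remote server named by CFG_HEADSCALE_HOST / CFG_HEADSCALE_KEY ("remote").
# Globals:
#   headscale_live_hostname, headscale_preauthkey,
#   headscale_preauthkey_file (read; presumably populated by
#     setupHeadscaleGetHostname / setupHeadscaleGenerateAuthKey — verify)
#   CFG_HEADSCALE_HOST, CFG_HEADSCALE_KEY (read)
#   headscaleclientlocal, headscalenodeslist (written; drive headscaleCommands)
#   app_name (read, status messages only)
#   result (written; consumed by checkSuccess)
# Arguments:
#   $1 - "local" or "remote"; any other value is a silent no-op
# Returns:
#   0; each step reports its own outcome through checkSuccess
#######################################
setupHeadscaleLocalhost()
{
    local local_type="$1"
    local status

    if [[ "$local_type" == "local" ]]; then
        # Declaration and assignment are split so a helper failure is not
        # masked by 'local' returning 0.
        status=$(dockerCheckAppInstalled "headscale" "docker")
        if [[ "$status" == "installed" ]]; then
            setupHeadscaleGetHostname

            # NOTE(review): this fetches and runs an unpinned remote installer.
            # pipefail is enabled inside the substitution so a failed download
            # is reported as a failure instead of 'sh' exiting 0 on empty input.
            result=$(cd ~ && set -o pipefail && curl -fsSL https://tailscale.com/install.sh | sh)
            checkSuccess "Setting up Headscale for localhost"

            setupHeadscaleGenerateAuthKey

            # Quoted so a hostname or key containing whitespace cannot be
            # word-split into extra arguments. The pre-auth key is still passed
            # on argv and is therefore visible to 'ps' while 'tailscale up' runs.
            result=$(runSystem tailscale up --login-server "$headscale_live_hostname" --authkey "$headscale_preauthkey" --force-reauth)
            checkSuccess "Connecting $app_name to Headscale Server"

            # The variable names a single key file; '-f --' instead of '-rf' so
            # an empty or mis-set path cannot become a recursive delete.
            result=$(rm -f -- "$headscale_preauthkey_file")
            checkSuccess "Clearing the temp key file."

            # Show the node list once, then reset the flag for later callers.
            headscaleclientlocal=n
            headscalenodeslist=y
            headscaleCommands
            headscalenodeslist=n
        else
            isSuccessful "Headscale is not installed, Unable to install."
        fi
    elif [[ "$local_type" == "remote" ]]; then
        if setupHeadscaleCheckRemote; then
            # Same unpinned installer and pipefail reasoning as the local branch.
            result=$(cd ~ && set -o pipefail && curl -fsSL https://tailscale.com/install.sh | sh)
            checkSuccess "Setting up Headscale"

            result=$(runSystem tailscale up --login-server "https://$CFG_HEADSCALE_HOST" --authkey "$CFG_HEADSCALE_KEY" --force-reauth)
            checkSuccess "Connecting $app_name to $CFG_HEADSCALE_HOST Headscale Server"
        fi
    fi
}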