LibrePortal/scripts/system/libreportal-bininstall
librelad cd4fd55a6d feat(desudo): helper-ize backup-engine + app-config installs; retire standalone WireGuard
Bring the remaining deferred subsystems under the scoped sudoers, and drop
the one that's redundant.

Backup engines + app configs -> root-owned helpers (same pattern as
ownership/dns/ssh/socket/svc):
- scripts/system/libreportal-bininstall: install <restic|kopia> — does the
  whole pkg-manager/signed-download install itself for a fixed, validated
  engine name (no blanket sudo apt-get/install). restic_install/kopia_install
  call it.
- scripts/system/libreportal-appcfg: {adguard-auth <user> <bcrypt>|
  crowdsec-priority|owncloud-config <public> <host> <ip> <public_ip>} —
  faithful ports of the AdGuard yaml / CrowdSec bouncer / ownCloud config.php
  rewrites, fixed paths + validated args. adguard_auth/crowdsec_fix_priority/
  owncloud_setup_config call it.
- run_privileged: runBinInstall / runAppCfg; init.sh installs + allowlists both.

Retire standalone (host-level) WireGuard — it's a duplicate of the
containerized containers/wireguard app (+ headscale mesh), its slirp4netns
speed rationale is largely moot with a better rootless net backend / typical
WAN-bound throughput, and it was the heaviest host-root subsystem (apt +
sysctl + iptables + /etc/wireguard), the worst fit for the rootless/
least-privilege direction:
- moved scripts/wireguard/ + manage_wireguard.sh + check_wireguard.sh to
  scripts/unused/; dropped the install-path call, the Tools menu 'w' entry,
  and the requirement check; removed the half-built libreportal-wg helper.
- generate_arrays.sh now also skips system/ (root-owned helpers, never
  sourced); arrays regenerated (files_wireguard.sh pruned).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-24 19:22:22 +01:00


#!/bin/bash
# LibrePortal backup-engine installer helper — the only root-privileged install of
# the restic/kopia binaries the manager may trigger (they're installed on demand
# when a backup location is first set up). Installed root:root 0755 to
# /usr/local/sbin by init.sh. Self-contained: it does the WHOLE install itself
# (package manager or signed-release download) for a FIXED, validated engine name,
# so the scoped sudoers needn't grant blanket `sudo apt-get`/`sudo install`
# (both root-equivalent — install writes anywhere, apt runs maintainer scripts).
set -u

[[ $EUID -eq 0 ]] || { echo "libreportal-bininstall: must run as root" >&2; exit 1; }

action="${1:-}"
engine="${2:-}"

# Only one action and two engine names are accepted; everything else is rejected
# before any privileged command runs.
[[ "$action" == "install" ]] || { echo "usage: libreportal-bininstall install <restic|kopia>" >&2; exit 2; }
case "$engine" in
    restic|kopia) ;;
    *) echo "libreportal-bininstall: unknown engine '$engine'" >&2; exit 2 ;;
esac

arch=$(uname -m)

install_restic() {
    command -v restic >/dev/null 2>&1 && return 0

    # Prefer the distribution package; fall through to the release download
    # when no supported package manager installs it.
    if command -v apt-get >/dev/null 2>&1; then
        apt-get update -qq >/dev/null 2>&1
        if apt-get install -y restic >/dev/null 2>&1; then
            restic self-update >/dev/null 2>&1 || true
            return 0
        fi
    elif command -v dnf >/dev/null 2>&1; then
        dnf install -y restic >/dev/null 2>&1 && return 0
    elif command -v pacman >/dev/null 2>&1; then
        pacman -S --noconfirm restic >/dev/null 2>&1 && return 0
    fi

    local a
    case "$arch" in
        x86_64) a=amd64 ;; aarch64) a=arm64 ;; armv7l) a=arm ;;
        *) echo "libreportal-bininstall: unsupported arch '$arch'" >&2; return 1 ;;
    esac

    # Abort if the scratch directory cannot be created, so no path below
    # resolves relative to "/".
    local tmp; tmp=$(mktemp -d) || return 1
    # NOTE: this download relies on HTTPS only; no checksum or signature is
    # verified before the binary is installed.
    # -f makes curl fail on an HTTP error instead of saving the error page.
    if curl -fsSL "https://github.com/restic/restic/releases/latest/download/restic_linux_${a}.bz2" -o "$tmp/restic.bz2" \
        && bunzip2 "$tmp/restic.bz2" \
        && install -m 0755 "$tmp/restic" /usr/local/bin/restic; then
        rm -rf "$tmp"; return 0
    fi
    rm -rf "$tmp"; echo "libreportal-bininstall: restic download failed" >&2; return 1
}

install_kopia() {
    command -v kopia >/dev/null 2>&1 && return 0

    local a
    case "$arch" in
        x86_64) a=x64 ;; aarch64) a=arm64 ;; armv7l) a=arm ;;
        *) echo "libreportal-bininstall: unsupported arch '$arch'" >&2; return 1 ;;
    esac

    # Resolve the latest release tag; the regex admits digits and dots only,
    # so the value interpolated into the URL cannot carry other characters.
    local version
    version=$(curl -fsSL https://api.github.com/repos/kopia/kopia/releases/latest 2>/dev/null \
        | grep -oE '"tag_name":[[:space:]]*"v[0-9.]+"' | head -1 | grep -oE '[0-9.]+')
    [[ -n "$version" ]] || { echo "libreportal-bininstall: kopia version lookup failed" >&2; return 1; }

    local url="https://github.com/kopia/kopia/releases/download/v${version}/kopia-${version}-linux-${a}.tar.gz"
    local tmp; tmp=$(mktemp -d) || return 1
    # NOTE: as with restic, the tarball is not checked against a checksum or
    # signature before its binary is installed.
    if curl -fsSL "$url" -o "$tmp/kopia.tgz" && tar xzf "$tmp/kopia.tgz" -C "$tmp"; then
        local bin; bin=$(find "$tmp" -name kopia -type f -executable | head -1)
        if [[ -n "$bin" ]] && install -m 0755 "$bin" /usr/local/bin/kopia; then
            rm -rf "$tmp"; return 0
        fi
    fi
    rm -rf "$tmp"; echo "libreportal-bininstall: kopia install failed" >&2; return 1
}

# $engine was validated above, so exactly one branch runs.
case "$engine" in
    restic) install_restic ;;
    kopia) install_kopia ;;
esac
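
The header comment describes the fallback as a signed-release download, while the curl paths in the script install the bytes as received. The following is an added example, not LibrePortal's code, of a checksum gate that could sit between the download and `install`. The function names, the asset name `tool_linux_amd64.bz2` and the sha256sum-style manifest are assumptions, and authenticating the manifest itself (for example a detached signature checked against a pinned key) is outside what it shows.

```shell
#!/bin/sh
# Added example, not LibrePortal code. Assumed manifest format: sha256sum
# output, one "<64 hex chars>  <filename>" entry per line.

# expected_digest <manifest> <asset>: print the digest listed for exactly this
# filename; fail when the name is absent or listed more than once.
expected_digest() (
    awk -v want="$2" '
        { name = $2; sub(/^\*/, "", name) }   # tolerate binary-mode "*name"
        name == want && length($1) == 64 && $1 ~ /^[0-9a-f]+$/ { d = $1; n++ }
        END { if (n == 1) print d; exit (n == 1 ? 0 : 1) }
    ' "$1"
)

# verify_asset <file> <manifest> <asset>: succeed only when sha256(file)
# equals the manifest entry. Run it on the archive as downloaded, before
# bunzip2 or tar touch it.
verify_asset() (
    want=$(expected_digest "$2" "$3") || {
        echo "verify: no unique entry for '$3'" >&2; exit 1; }
    got=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$got" = "$want" ] || { echo "verify: digest mismatch for '$3'" >&2; exit 1; }
)

# demo: constructed sample (a fake asset and a manifest that lists it).
# Returns 0 when the clean file is accepted and the modified one is rejected.
demo() (
    tmp=$(mktemp -d) || exit 1
    f=$tmp/tool_linux_amd64.bz2
    printf 'constructed release bytes\n' > "$f"
    (cd "$tmp" && sha256sum tool_linux_amd64.bz2 > SUMS)
    clean=1; verify_asset "$f" "$tmp/SUMS" tool_linux_amd64.bz2 && clean=0
    printf 'x' >> "$f"                        # file no longer matches the manifest
    changed=0; verify_asset "$f" "$tmp/SUMS" tool_linux_amd64.bz2 2>/dev/null || changed=1
    rm -rf "$tmp"
    echo "clean accepted: $clean (0 = yes), modified rejected: $changed (1 = yes)"
    [ "$clean" -eq 0 ] && [ "$changed" -eq 1 ]
)

demo
```

In a helper like the one above, `verify_asset` would be chained with `&&` between the `curl` step and the decompress/`install` step, so a mismatch takes the existing failure path.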