librelad 43779a992b harden(desudo): backup engines (restic/kopia/borg) + crowdsec host helpers
- restic_install, crowdsec_update/verify_firewall/fix_priority: pure host
  ops (apt/cscli/nft/systemctl, /etc/crowdsec) -> runSystem.
- kopia_backup/borg_restore: ignore-file/target tee+chown+mkdir -> runFileOp/
  runFileWrite; kept the 'sudo -E -u dockerinstall' engine calls as-is —
  those already run as the unprivileged backup user (least-privilege; the
  scoped sudoers will permit (dockerinstall)).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 23:48:23 +01:00

41 lines
1.3 KiB
Bash

#!/bin/bash
appCrowdSecUpdate() {
isHeader "Update CrowdSec"
((menu_number++))
echo ""
echo "---- $menu_number. Updating apt package index."
echo ""
local result=$(runSystem apt-get update)
checkSuccess "apt-get update"
((menu_number++))
echo ""
echo "---- $menu_number. Upgrading CrowdSec packages."
echo ""
local result=$(runSystem apt-get install -y --only-upgrade crowdsec crowdsec-firewall-bouncer-nftables)
checkSuccess "Upgraded crowdsec + crowdsec-firewall-bouncer-nftables"
((menu_number++))
echo ""
echo "---- $menu_number. Refreshing hub collections."
echo ""
local result=$(runSystem cscli hub update)
checkSuccess "Refreshed hub index"
local result=$(runSystem cscli hub upgrade)
checkSuccess "Upgraded installed collections"
((menu_number++))
echo ""
echo "---- $menu_number. Reloading services."
echo ""
local result=$(runSystem systemctl reload crowdsec)
checkSuccess "Reloaded crowdsec agent"
local result=$(runSystem systemctl restart crowdsec-firewall-bouncer)
checkSuccess "Restarted crowdsec-firewall-bouncer"
isSuccessful "CrowdSec updated. Run 'crowdsec_verify_firewall' if you want to re-check nftables priorities."
menu_number=0
}