LibrePortal/scripts/app/containers/crowdsec/crowdsec_fix_priority.sh
librelad 43779a992b harden(desudo): backup engines (restic/kopia/borg) + crowdsec host helpers
- restic_install, crowdsec_update/verify_firewall/fix_priority: pure host
  ops (apt/cscli/nft/systemctl, /etc/crowdsec) -> runSystem.
- kopia_backup/borg_restore: ignore-file/target tee+chown+mkdir -> runFileOp/
  runFileWrite; kept the 'sudo -E -u dockerinstall' engine calls as-is —
  those already run as the unprivileged backup user (least-privilege; the
  scoped sudoers will permit (dockerinstall)).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 23:48:23 +01:00


#!/bin/bash
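appCrowdSecFixPriority() {
  # Set the nftables hook priority of the CrowdSec firewall bouncer (both the
  # ipv4 and ipv6 subsections) so its chains are evaluated before UFW's, then
  # restart the bouncer.
  #
  # The bouncer config also carries the LAPI api_key, so the rewritten file
  # must end up with the same owner and mode as the original, and the live
  # file is only replaced once the rewrite is known to have succeeded.
  #
  # Globals:   none; relies on the app helpers runSystem, checkSuccess,
  #            isNotice and isSuccessful defined elsewhere
  # Arguments: none
  # Outputs:   progress via isNotice/isSuccessful; awk diagnostics on stderr
  # Returns:   0 on success, 1 if the config is missing or could not be
  #            patched safely (the live config is left untouched on failure)
  local cfg="/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml"
  if [[ ! -f "$cfg" ]]; then
    isNotice "Bouncer config not found at $cfg — is CrowdSec installed?"
    return 1
  fi
  local target_priority="-100"
  local tmp="${cfg}.new"

  runSystem cp "$cfg" "${cfg}.bak.$(date +%Y%m%d-%H%M%S)"
  checkSuccess "Backed up $cfg"

  # The nftables section of the yaml has ipv4: and ipv6: subsections; each
  # is expected to carry a priority: line. Rewrite both to target_priority
  # in place so the YAML indentation is preserved. A subsection without a
  # priority: line is NOT patched; awk then exits non-zero so we never swap
  # a half-patched file in for the live config (v4_done/v6_done track this).
  runSystem awk -v p="$target_priority" '
    BEGIN { in_v4=0; in_v6=0; v4_done=0; v6_done=0 }
    /^[[:space:]]*ipv4:/ { in_v4=1; in_v6=0; print; next }
    /^[[:space:]]*ipv6:/ { in_v6=1; in_v4=0; print; next }
    /^[a-zA-Z]/ { in_v4=0; in_v6=0 }   # top-level key closes any open subsection
    in_v4 && /^[[:space:]]+priority:/ { sub(/priority:.*/, "priority: " p); v4_done=1 }
    in_v6 && /^[[:space:]]+priority:/ { sub(/priority:.*/, "priority: " p); v6_done=1 }
    { print }
    END {
      if (!v4_done) print "no priority: key found under nftables.ipv4" > "/dev/stderr"
      if (!v6_done) print "no priority: key found under nftables.ipv6" > "/dev/stderr"
      if (!v4_done || !v6_done) exit 3
    }
  ' "$cfg" | runSystem tee "$tmp" >/dev/null
  # Read both stage statuses in one expansion: any intervening command
  # (even a bare `local`) would overwrite PIPESTATUS. Assumes runSystem
  # returns the wrapped command's exit status — confirm against its definition.
  local awk_rc=${PIPESTATUS[0]} tee_rc=${PIPESTATUS[1]}
  if (( awk_rc != 0 || tee_rc != 0 )); then
    runSystem rm -f "$tmp"
    isNotice "Could not patch $cfg (awk rc=$awk_rc, tee rc=$tee_rc); original left untouched, backup kept."
    return 1
  fi

  # tee created the new file with umask defaults (typically 0644). The config
  # holds the LAPI api_key, so copy the original owner and mode onto it
  # before it replaces the live file.
  runSystem chown --reference="$cfg" "$tmp"
  runSystem chmod --reference="$cfg" "$tmp"
  runSystem mv "$tmp" "$cfg"
  checkSuccess "Patched nftables priority to $target_priority in $cfg"

  runSystem systemctl restart crowdsec-firewall-bouncer
  checkSuccess "Restarted crowdsec-firewall-bouncer"
  isSuccessful "Priority updated. Run 'crowdsec_verify_firewall' to confirm CrowdSec now runs before UFW."
}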