Bring the remaining deferred subsystems under the scoped sudoers, and drop
the one that's redundant.
Backup engines + app configs -> root-owned helpers (same pattern as
ownership/dns/ssh/socket/svc):
- scripts/system/libreportal-bininstall: install <restic|kopia> — does the
whole pkg-manager/signed-download install itself for a fixed, validated
engine name (no blanket sudo apt-get/install). restic_install/kopia_install
call it.
- scripts/system/libreportal-appcfg: {adguard-auth <user> <bcrypt>|
crowdsec-priority|owncloud-config <public> <host> <ip> <public_ip>} —
faithful ports of the AdGuard yaml / CrowdSec bouncer / ownCloud config.php
rewrites, fixed paths + validated args. adguard_auth/crowdsec_fix_priority/
owncloud_setup_config call it.
- run_privileged: runBinInstall / runAppCfg; init.sh installs + allowlists both.
Retire standalone (host-level) WireGuard — it's a duplicate of the
containerized containers/wireguard app (+ headscale mesh), its slirp4netns
speed rationale is largely moot with a better rootless net backend / typical
WAN-bound throughput, and it was the heaviest host-root subsystem (apt +
sysctl + iptables + /etc/wireguard), the worst fit for the rootless/
least-privilege direction:
- moved scripts/wireguard/ + manage_wireguard.sh + check_wireguard.sh to
scripts/unused/; dropped the install-path call, the Tools menu 'w' entry,
and the requirement check; removed the half-built libreportal-wg helper.
- generate_arrays.sh now also skips system/ (root-owned helpers, never
sourced); arrays regenerated (files_wireguard.sh pruned).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
31 lines
1.1 KiB
Bash
31 lines
1.1 KiB
Bash
#!/bin/bash
|
|
|
|
authAdapter_adguard_setPassword() {
|
|
local user="$1" password="$2"
|
|
user="${user:-${CFG_ADGUARD_ADMIN_USER:-admin}}"
|
|
[[ -z "$password" ]] && password=$(generateRandomPassword)
|
|
|
|
local yaml="${containers_dir}adguard/conf/AdGuardHome.yaml"
|
|
[[ ! -f "$yaml" ]] && { isError "AdGuardHome.yaml not found at $yaml."; return 1; }
|
|
if ! command -v htpasswd >/dev/null 2>&1; then
|
|
isError "htpasswd is required to bcrypt the new password."
|
|
return 1
|
|
fi
|
|
|
|
local bcrypt
|
|
bcrypt=$(htpasswd -bnBC 10 "" "$password" | tr -d ':\n')
|
|
[[ -z "$bcrypt" ]] && { isError "bcrypt failed."; return 1; }
|
|
|
|
# The yaml is owned by the in-container uid, so the rewrite runs in the
|
|
# root-owned appcfg helper (fixed path, validated user + bcrypt).
|
|
if ! runAppCfg adguard-auth "$user" "$bcrypt"; then
|
|
isError "Could not update AdGuardHome.yaml (no users password line, or invalid input)."
|
|
return 1
|
|
fi
|
|
|
|
authPersistCfg adguard ADMIN_USER "$user"
|
|
authPersistCfg adguard ADMIN_PASSWORD "$password"
|
|
dockerComposeRestart adguard
|
|
isSuccessful "AdGuard admin set. User: $user — Password: $password"
|
|
}
|