LibrePortal/scripts/checks/check_requirements.sh
librelad cd4fd55a6d feat(desudo): helper-ize backup-engine + app-config installs; retire standalone WireGuard
Bring the remaining deferred subsystems under the scoped sudoers, and drop
the one that's redundant.

Backup engines + app configs -> root-owned helpers (same pattern as
ownership/dns/ssh/socket/svc):
- scripts/system/libreportal-bininstall: install <restic|kopia> — does the
  whole pkg-manager/signed-download install itself for a fixed, validated
  engine name (no blanket sudo apt-get/install). restic_install/kopia_install
  call it.
- scripts/system/libreportal-appcfg: {adguard-auth <user> <bcrypt>|
  crowdsec-priority|owncloud-config <public> <host> <ip> <public_ip>} —
  faithful ports of the AdGuard yaml / CrowdSec bouncer / ownCloud config.php
  rewrites, fixed paths + validated args. adguard_auth/crowdsec_fix_priority/
  owncloud_setup_config call it.
- run_privileged: runBinInstall / runAppCfg; init.sh installs + allowlists both.

Retire standalone (host-level) WireGuard — it's a duplicate of the
containerized containers/wireguard app (+ headscale mesh), its slirp4netns
speed rationale is largely moot with a better rootless net backend / typical
WAN-bound throughput, and it was the heaviest host-root subsystem (apt +
sysctl + iptables + /etc/wireguard), the worst fit for the rootless/
least-privilege direction:
- moved scripts/wireguard/ + manage_wireguard.sh + check_wireguard.sh to
  scripts/unused/; dropped the install-path call, the Tools menu 'w' entry,
  and the requirement check; removed the half-built libreportal-wg helper.
- generate_arrays.sh now also skips system/ (root-owned helpers, never
  sourced); arrays regenerated (files_wireguard.sh pruned).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-24 19:22:22 +01:00
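
The commit message above describes root-owned helpers that accept only a fixed subcommand set with validated arguments, in place of blanket sudo. The following is an added example of such an argument gate, not LibrePortal's own code. The function names and the validation rules (token charset, bcrypt shape) are assumptions, and `owncloud-config` is left out because the page does not define its arguments.

```shell
#!/bin/sh
# Added illustration, not LibrePortal code: argument checks for a root-owned
# helper that sudoers allowlists in place of blanket sudo. Function names and
# the exact validation rules are assumptions.
LC_ALL=C; export LC_ALL   # byte-wise ranges in the patterns below

# Engine name must be one of the fixed set named in the commit message.
validate_engine() {
    case "$1" in
        restic|kopia) return 0 ;;
        *) return 1 ;;
    esac
}

# Non-empty, only [A-Za-z0-9._-], no leading '-' (cannot be read as an option).
is_safe_token() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# 60-char bcrypt string: $2a$/$2b$/$2y$, two-digit cost, 53 chars of [./A-Za-z0-9].
is_bcrypt() {
    [ "${#1}" -eq 60 ] || return 1
    case "$1" in
        '$2'[aby]'$'[0-9][0-9]'$'*) ;;
        *) return 1 ;;
    esac
    case "${1#???????}" in
        *[!./A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# helper_check SUBCOMMAND [ARGS...]: 0 only for a known subcommand with the
# exact argument count and well-formed arguments; everything else is refused.
helper_check() {
    [ $# -ge 1 ] || return 1
    sub=$1; shift
    case "$sub" in
        install)           [ $# -eq 1 ] && validate_engine "$1" ;;
        adguard-auth)      [ $# -eq 2 ] && is_safe_token "$1" && is_bcrypt "$2" ;;
        crowdsec-priority) [ $# -eq 0 ] ;;
        *)                 return 1 ;;
    esac
}
```

Because the sudoers entry can then name the helper alone, the caller never chooses a package name, path or option string that runs as root.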

60 lines
1.9 KiB
Bash
Executable File

#!/bin/bash
checkRequirements()
{
    isHeader "Checking Requirements"
    isNotice "Requirements are about to be installed."
    isNotice "Edit the features config if you want to disable anything."
    echo ""
    checkRootRequirement;
    checkCommandRequirement;
    checkInstallTypeRequirement;
    checkConfigRequirement;
    checkPasswordsRequirement;
    checkDatabaseRequirement;
    checkDockerRequirement;
    checkDockerComposeRequirement;
    checkDockerRootlessRequirement;
    checkDockerNetworkRequirement;
    checkUFWRequirement;
    checkUFWDRequirement;
    checkManagerRequirement;
    checkSSLCertsRequirement;
    checkSwapfileRequirement;
    checkCrontabRequirement;
    checkWebUISystemdRequirement;
    checkSuggestInstallsRequirement;
    checkLibrePortalWebUIImageRequirement;
    checkLibrePortalWebUIAppRequirement;
    checkTraefikRequirement;
    checkDockerSwitcherRequirement;
    # `startPreInstall` already runs `startScan` at the end of its flow, so
    # only call it again on the no-preinstall path. Otherwise every
    # `libreportal run` that touches preinstall fires `webuiLibrePortalUpdate`
    # twice (the lock file is removed at the end of each invocation, so the
    # second call doesn't short-circuit — it does the full regen again).
    if [[ "$preinstallneeded" -ne 0 ]]; then
        startPreInstall;
    else
        startScan;
    fi
    # After load here
    if [[ "$initial_command2" == "install" ]]; then
        # Clear the install spam so the credentials are the first thing the
        # user sees. The full transcript is preserved in $install_log_path.
        # Stdout is teed to a log file (start.sh `exec > >(tee …)`), so we
        # write the clear sequence straight to /dev/tty instead of relying
        # on `[ -t 1 ]`, which is false under that redirect.
        if [ -e /dev/tty ] && [ -t 0 ]; then
            clear >/dev/tty 2>/dev/null || printf '\033c' >/dev/tty 2>/dev/null
        fi
        webuiDisplayLogins;
    fi
    if [[ "$initial_command2" == "terminal" ]]; then
        resetToMenu;
    fi
}