firewall_initial_setup + firewall_clear_rules (ufw/ufw-docker), host_access.sh (sshd/-T/-t, /etc/ssh, authorized_keys, systemctl reload), set_socket_permissions (docker socket test/chmod), and webui_install_systemd (systemd unit tee + systemctl) -> runSystem. These stay real-root in both modes and define part of the eventual scoped allowlist. Left the 'sudo -u <manager> crontab' run-as-manager lines for a dedicated pass. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
#!/bin/bash
# LibrePortal Task Processor Systemd Service Setup
# Replaces crontabSetupTaskProcessor with systemd service
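#######################################
# Installs the libreportal.service systemd unit that runs the task
# processor as the manager user, replacing the former crontab entry.
# Globals (read): CFG_REQUIREMENT_WEBUI_SERVICE, CFG_DOCKER_INSTALL_TYPE,
#                 install_scripts_dir, containers_dir, sudo_user_name
# Outputs: writes /etc/systemd/system/libreportal.service (via runSystem),
#          rewrites TASK_DIR in crontab_task_processor.sh, strips the old
#          entry from the manager user's crontab, then reloads systemd and
#          enables/starts the unit.
# Returns: 0 on success, or when the service is not required / the unit
#          already exists (nothing is re-applied); 1 when the manager
#          user's uid cannot be resolved in rootless mode.
#######################################
installLibrePortalWebUITaskService()
{
  [[ "$CFG_REQUIREMENT_WEBUI_SERVICE" == "true" ]] || return 0

  local service_file="/etc/systemd/system/libreportal.service"
  # An existing unit is left untouched; none of the steps below run again.
  [[ -f "$service_file" ]] && return 0

  local task_processor_script="$install_scripts_dir/crontab/task/crontab_task_processor.sh"
  local task_dir="$containers_dir/libreportal/frontend/data/tasks"

  # Point TASK_DIR in the task processor script at this install's task
  # directory. task_dir lands in the sed *replacement*, so the characters
  # sed treats specially there (backslash, &, and the | delimiter) are
  # escaped first; a path containing them would otherwise corrupt a script
  # that the service later executes.
  if [[ -f "$task_processor_script" ]]; then
    local sed_repl="$task_dir"
    sed_repl="${sed_repl//\\/\\\\}"
    sed_repl="${sed_repl//&/\\&}"
    sed_repl="${sed_repl//|/\\|}"
    sed -i "s|TASK_DIR=\".*\"|TASK_DIR=\"${sed_repl}\"|g" "$task_processor_script"
    chmod +x "$task_processor_script"
  else
    # Best-effort, as before: the unit is still written and ExecStart will
    # point at the missing script until it is restored.
    isNotice "Task processor script not found"
  fi

  # Rootless docker exposes the daemon at /run/user/<uid>/docker.sock and
  # depends on XDG_RUNTIME_DIR being set. Systemd units don't inherit the
  # user's bashrc, so without these Environment= lines the processor would
  # fall back to /var/run/docker.sock (which rootless does not create) and
  # any `docker …` call inside a task would fail. Rootful gets no extras —
  # the default /var/run path is already correct.
  local service_env_block=""
  if [[ "$CFG_DOCKER_INSTALL_TYPE" == "rootless" ]]; then
    local libreportal_uid
    # Declaration and assignment are split so a failing id(1) is not masked;
    # an empty uid would otherwise yield unix:///run/user//docker.sock and a
    # unit that starts but can never reach the daemon.
    if ! libreportal_uid="$(id -u "$sudo_user_name")" || [[ -z "$libreportal_uid" ]]; then
      isNotice "Cannot resolve uid for $sudo_user_name; task processor service not installed"
      return 1
    fi
    service_env_block="Environment=DOCKER_HOST=unix:///run/user/${libreportal_uid}/docker.sock
Environment=XDG_RUNTIME_DIR=/run/user/${libreportal_uid}"
  fi

  # Write the unit as real root through runSystem. The heredoc delimiter is
  # deliberately unquoted so the paths, user name and env block expand.
  # NOTE(review): PrivateTmp= is the only sandboxing directive; ProtectSystem=
  # or NoNewPrivileges= are not added here because the task processor's
  # needs (docker socket, crontab via sudo) are not visible from this file —
  # confirm against crontab_task_processor.sh before tightening.
  runSystem tee "$service_file" > /dev/null <<EOF
[Unit]
Description=LibrePortal Task Processor
After=network.target
Wants=network.target

[Service]
Type=simple
User=$sudo_user_name
Group=$sudo_user_name
WorkingDirectory=$install_scripts_dir
ExecStart=$task_processor_script start_script
Restart=always
RestartSec=5
SyslogIdentifier=libreportal
${service_env_block}

# Security
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF

  # Remove the legacy crontab entry, if present. crontab is per-user, so
  # these run as the manager user via sudo -u rather than through runSystem.
  # The -l stderr is silenced only because an empty crontab reports
  # "no crontab for <user>" and that is the expected case here.
  if sudo -u "$sudo_user_name" crontab -l 2>/dev/null | grep -qF -- "task_processor.sh"; then
    sudo -u "$sudo_user_name" crontab -l 2>/dev/null \
      | grep -vF -- "task_processor.sh" \
      | sudo -u "$sudo_user_name" crontab -
    isNotice "Removed task processor from crontab"
  fi

  # Reload systemd and enable/start the unit. enable's output is silenced
  # (its symlink chatter only); start is left loud so a unit that fails to
  # launch is visible to the operator.
  runSystem systemctl daemon-reload
  runSystem systemctl enable libreportal.service >/dev/null 2>&1
  runSystem systemctl start libreportal.service

  isSuccessful "LibrePortal task processor service setup."
}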