mirrors/raspiblitz
1
0
Fork 0
mirror of https://github.com/rootzoll/raspiblitz.git synced 2025-02-24 14:51:03 +01:00
Code Issues Projects Releases Packages Wiki Activity

make sure sudo for web api install actions

Browse source
This commit is contained in:
rootzoll 2022-06-29 10:08:52 +02:00
parent d0d3921073
commit 936457c5d1
1 changed files with 114 additions and 106 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

220
home.admin/config.scripts/blitz.web.api.sh
View file

@ -19,112 +19,6 @@ DEFAULT_GITHUB_USER="fusion44"
DEFAULT_GITHUB_REPO="blitz_api" DEFAULT_GITHUB_REPO="blitz_api"
DEFAULT_GITHUB_BRANCH="main" DEFAULT_GITHUB_BRANCH="main"
###################
# ON / INSTALL
###################
if [ "$1" = "1" ] || [ "$1" = "on" ]; then
if [ "$2" != "" ]; then
DEFAULT_GITHUB_USER="$2"
fi
if [ "$3" != "" ]; then
DEFAULT_GITHUB_REPO="$3"
fi
if [ "$4" != "" ]; then
DEFAULT_GITHUB_BRANCH="$4"
fi
echo "# INSTALL Web API ..."
# clean old source
rm -r /root/blitz_api 2>/dev/null
rm -r /home/blitzapi/blitz_api 2>/dev/null
# create user
adduser --disabled-password --gecos "" blitzapi
# sudo capability for manipulating passwords
/usr/sbin/usermod --append --groups sudo blitzapi
# access password hash and salt
/usr/sbin/usermod --append --groups admin blitzapi
# access lnd creds
/usr/sbin/usermod --append --groups lndadmin blitzapi
# access cln creds
/usr/sbin/usermod --append --groups bitcoin blitzapi
echo "# allowing user as part of the bitcoin group to RW RPC hook"
chmod 770 /home/bitcoin/.lightning/bitcoin
chmod 660 /home/bitcoin/.lightning/bitcoin/lightning-rpc
CLCONF="/home/bitcoin/.lightning/config"
if [ "$(cat ${CLCONF} | grep -c "^rpc-file-mode=0660")" -eq 0 ]; then
echo "rpc-file-mode=0660" | tee -a ${CLCONF}
fi
cd /home/blitzapi || exit 1
# git clone https://github.com/fusion44/blitz_api.git /home/blitzapi/blitz_api
if ! git clone https://github.com/${DEFAULT_GITHUB_USER}/${DEFAULT_GITHUB_REPO}.git /home/blitzapi/blitz_api; then
echo "error='git clone failed'"
exit 1
fi
cd blitz_api || exit 1
if ! git checkout ${DEFAULT_GITHUB_BRANCH}; then
echo "error='git checkout failed'"
exit 1
fi
if ! pip install -r requirements.txt --no-deps; then
echo "error='pip install failed'"
exit 1
fi
# build the config and set unique secret (its OK to be a new secret every install/upadte)
/home/admin/config.scripts/blitz.web.api.sh update-config
secret=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 64 ; echo '')
sed -i "s/^secret=.*/secret=${secret}/g" ./.env
# prepare systemd service
echo "
[Unit]
Description=BlitzBackendAPI
Wants=network.target
After=network.target mnt-hdd.mount
[Service]
WorkingDirectory=/home/blitzapi/blitz_api
# before every start update the config with latest credentials/settings
ExecStartPre=-/home/admin/config.scripts/blitz.web.api.sh update-config
ExecStart=/usr/bin/python -m uvicorn app.main:app --port 11111 --host=0.0.0.0 --root-path /api
User=blitzapi
Group=blitzapi
Type=simple
Restart=always
StandardOutput=journal
StandardError=journal
RestartSec=60
# Hardening
PrivateTmp=true
[Install]
WantedBy=multi-user.target
" | tee /etc/systemd/system/blitzapi.service
systemctl enable blitzapi
systemctl start blitzapi
# TODO: remove after experimental step (only have forward on nginx:80 /api)
ufw allow 11111 comment 'WebAPI Develop'
source <(/home/admin/_cache.sh export internet_localip)
# install info
echo "# the API is now running on port 11111 & doc available under:"
echo "# http://${internet_localip}/api/docs"
echo "# check for systemd: sudo systemctl status blitzapi"
echo "# check for logs: sudo journalctl -f -u blitzapi"
exit 0
fi
################### ###################
# UPDATE CONFIG # UPDATE CONFIG
################### ###################
@ -241,6 +135,120 @@ if [ "$1" = "update-config" ]; then
fi fi
# all other actions need to be sudo
if [ "$EUID" -ne 0 ]; then
echo "error='run as root'"
exit 1
fi
###################
# ON / INSTALL
###################
if [ "$1" = "1" ] || [ "$1" = "on" ]; then
if [ "$2" != "" ]; then
DEFAULT_GITHUB_USER="$2"
fi
if [ "$3" != "" ]; then
DEFAULT_GITHUB_REPO="$3"
fi
if [ "$4" != "" ]; then
DEFAULT_GITHUB_BRANCH="$4"
fi
echo "# INSTALL Web API ..."
# clean old source
rm -r /root/blitz_api 2>/dev/null
rm -r /home/blitzapi/blitz_api 2>/dev/null
# create user
adduser --disabled-password --gecos "" blitzapi
# sudo capability for manipulating passwords
/usr/sbin/usermod --append --groups sudo blitzapi
# access password hash and salt
/usr/sbin/usermod --append --groups admin blitzapi
# access lnd creds
/usr/sbin/usermod --append --groups lndadmin blitzapi
# access cln creds
/usr/sbin/usermod --append --groups bitcoin blitzapi
echo "# allowing user as part of the bitcoin group to RW RPC hook"
chmod 770 /home/bitcoin/.lightning/bitcoin
chmod 660 /home/bitcoin/.lightning/bitcoin/lightning-rpc
CLCONF="/home/bitcoin/.lightning/config"
if [ "$(cat ${CLCONF} | grep -c "^rpc-file-mode=0660")" -eq 0 ]; then
echo "rpc-file-mode=0660" | tee -a ${CLCONF}
fi
cd /home/blitzapi || exit 1
# git clone https://github.com/fusion44/blitz_api.git /home/blitzapi/blitz_api
if ! git clone https://github.com/${DEFAULT_GITHUB_USER}/${DEFAULT_GITHUB_REPO}.git /home/blitzapi/blitz_api; then
echo "error='git clone failed'"
exit 1
fi
cd blitz_api || exit 1
if ! git checkout ${DEFAULT_GITHUB_BRANCH}; then
echo "error='git checkout failed'"
exit 1
fi
if ! pip install -r requirements.txt --no-deps; then
echo "error='pip install failed'"
exit 1
fi
# build the config and set unique secret (its OK to be a new secret every install/upadte)
/home/admin/config.scripts/blitz.web.api.sh update-config
secret=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 64 ; echo '')
sed -i "s/^secret=.*/secret=${secret}/g" ./.env
# prepare systemd service
echo "
[Unit]
Description=BlitzBackendAPI
Wants=network.target
After=network.target mnt-hdd.mount
[Service]
WorkingDirectory=/home/blitzapi/blitz_api
# before every start update the config with latest credentials/settings
ExecStartPre=-/home/admin/config.scripts/blitz.web.api.sh update-config
ExecStart=/usr/bin/python -m uvicorn app.main:app --port 11111 --host=0.0.0.0 --root-path /api
User=blitzapi
Group=blitzapi
Type=simple
Restart=always
StandardOutput=journal
StandardError=journal
RestartSec=60
# Hardening
PrivateTmp=true
[Install]
WantedBy=multi-user.target
" | tee /etc/systemd/system/blitzapi.service
chown -R blitzapi:blitzapi /home/blitzapi/blitz_api
systemctl enable blitzapi
systemctl start blitzapi
# TODO: remove after experimental step (only have forward on nginx:80 /api)
ufw allow 11111 comment 'WebAPI Develop'
source <(/home/admin/_cache.sh export internet_localip)
# install info
echo "# the API is now running on port 11111 & doc available under:"
echo "# http://${internet_localip}/api/docs"
echo "# check for systemd: sudo systemctl status blitzapi"
echo "# check for logs: sudo journalctl -f -u blitzapi"
exit 0
fi
################### ###################
# UPDATE CODE # UPDATE CODE
################### ###################