make sure sudo for web api install actions

2025-02-24 06:48:00 +01:00 · 2022-06-29 10:08:52 +02:00 · 2022-06-29 10:08:52 +02:00 · 936457c5d1
commit 936457c5d1
parent d0d3921073
1 changed files with 114 additions and 106 deletions
--- a/home.admin/config.scripts/blitz.web.api.sh
+++ b/home.admin/config.scripts/blitz.web.api.sh
@ -19,112 +19,6 @@ DEFAULT_GITHUB_USER="fusion44"
 DEFAULT_GITHUB_REPO="blitz_api"
 DEFAULT_GITHUB_BRANCH="main"

-###################
-# ON / INSTALL
-###################
-if [ "$1" = "1" ] || [ "$1" = "on" ]; then
-
-  if [ "$2" != "" ]; then
-    DEFAULT_GITHUB_USER="$2"
-  fi
-
-  if [ "$3" != "" ]; then
-    DEFAULT_GITHUB_REPO="$3"
-  fi
-
-  if [ "$4" != "" ]; then
-    DEFAULT_GITHUB_BRANCH="$4"
-  fi
-
-  echo "# INSTALL Web API ..."
-  # clean old source
-  rm -r /root/blitz_api 2>/dev/null
-  rm -r /home/blitzapi/blitz_api 2>/dev/null
-
-  # create user
-  adduser --disabled-password --gecos "" blitzapi
-
-  # sudo capability for manipulating passwords
-  /usr/sbin/usermod --append --groups sudo blitzapi
-  # access password hash and salt
-  /usr/sbin/usermod --append --groups admin blitzapi
-  # access lnd creds
-  /usr/sbin/usermod --append --groups lndadmin blitzapi
-  # access cln creds
-  /usr/sbin/usermod --append --groups bitcoin blitzapi
-  echo "# allowing user as part of the bitcoin group to RW RPC hook"
-  chmod 770 /home/bitcoin/.lightning/bitcoin
-  chmod 660 /home/bitcoin/.lightning/bitcoin/lightning-rpc
-  CLCONF="/home/bitcoin/.lightning/config"
-  if [ "$(cat ${CLCONF} | grep -c "^rpc-file-mode=0660")" -eq 0 ]; then
-    echo "rpc-file-mode=0660" | tee -a ${CLCONF}
-  fi
-
-  cd /home/blitzapi || exit 1
-  # git clone https://github.com/fusion44/blitz_api.git /home/blitzapi/blitz_api
-  if ! git clone https://github.com/${DEFAULT_GITHUB_USER}/${DEFAULT_GITHUB_REPO}.git /home/blitzapi/blitz_api; then
-    echo "error='git clone failed'"
-    exit 1
-  fi
-  cd blitz_api || exit 1
-  if ! git checkout ${DEFAULT_GITHUB_BRANCH}; then
-    echo "error='git checkout failed'"
-    exit 1
-  fi
-  if ! pip install -r requirements.txt --no-deps; then
-    echo "error='pip install failed'"
-    exit 1
-  fi
-
-  # build the config and set unique secret (its OK to be a new secret every install/upadte)
-  /home/admin/config.scripts/blitz.web.api.sh update-config
-  secret=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 64 ; echo '')
-  sed -i "s/^secret=.*/secret=${secret}/g" ./.env
-
-  # prepare systemd service
-  echo "
-[Unit]
-Description=BlitzBackendAPI
-Wants=network.target
-After=network.target mnt-hdd.mount
-
-[Service]
-WorkingDirectory=/home/blitzapi/blitz_api
-# before every start update the config with latest credentials/settings
-ExecStartPre=-/home/admin/config.scripts/blitz.web.api.sh update-config
-ExecStart=/usr/bin/python -m uvicorn app.main:app --port 11111 --host=0.0.0.0 --root-path /api
-User=blitzapi
-Group=blitzapi
-Type=simple
-Restart=always
-StandardOutput=journal
-StandardError=journal
-RestartSec=60
-
-# Hardening
-PrivateTmp=true
-
-[Install]
-WantedBy=multi-user.target
-" | tee /etc/systemd/system/blitzapi.service
-
-  systemctl enable blitzapi
-  systemctl start blitzapi
-
-  # TODO: remove after experimental step (only have forward on nginx:80 /api)
-  ufw allow 11111 comment 'WebAPI Develop'
-
-  source <(/home/admin/_cache.sh export internet_localip)
-
-  # install info
-  echo "# the API is now running on port 11111 & doc available under:"
-  echo "# http://${internet_localip}/api/docs"
-  echo "# check for systemd:  sudo systemctl status blitzapi"
-  echo "# check for logs:     sudo journalctl -f -u blitzapi"
-
-  exit 0
-fi
-
 ###################
 # UPDATE CONFIG
 ###################
@ -241,6 +135,120 @@ if [ "$1" = "update-config" ]; then

 fi

+# all other actions need to be sudo
+if [ "$EUID" -ne 0 ]; then
+  echo "error='run as root'"
+  exit 1
+fi
+
+###################
+# ON / INSTALL
+###################
+if [ "$1" = "1" ] || [ "$1" = "on" ]; then
+
+  if [ "$2" != "" ]; then
+    DEFAULT_GITHUB_USER="$2"
+  fi
+
+  if [ "$3" != "" ]; then
+    DEFAULT_GITHUB_REPO="$3"
+  fi
+
+  if [ "$4" != "" ]; then
+    DEFAULT_GITHUB_BRANCH="$4"
+  fi
+
+  echo "# INSTALL Web API ..."
+  # clean old source
+  rm -r /root/blitz_api 2>/dev/null
+  rm -r /home/blitzapi/blitz_api 2>/dev/null
+
+  # create user
+  adduser --disabled-password --gecos "" blitzapi
+
+  # sudo capability for manipulating passwords
+  /usr/sbin/usermod --append --groups sudo blitzapi
+  # access password hash and salt
+  /usr/sbin/usermod --append --groups admin blitzapi
+  # access lnd creds
+  /usr/sbin/usermod --append --groups lndadmin blitzapi
+  # access cln creds
+  /usr/sbin/usermod --append --groups bitcoin blitzapi
+  echo "# allowing user as part of the bitcoin group to RW RPC hook"
+  chmod 770 /home/bitcoin/.lightning/bitcoin
+  chmod 660 /home/bitcoin/.lightning/bitcoin/lightning-rpc
+  CLCONF="/home/bitcoin/.lightning/config"
+  if [ "$(cat ${CLCONF} | grep -c "^rpc-file-mode=0660")" -eq 0 ]; then
+    echo "rpc-file-mode=0660" | tee -a ${CLCONF}
+  fi
+
+  cd /home/blitzapi || exit 1
+  # git clone https://github.com/fusion44/blitz_api.git /home/blitzapi/blitz_api
+  if ! git clone https://github.com/${DEFAULT_GITHUB_USER}/${DEFAULT_GITHUB_REPO}.git /home/blitzapi/blitz_api; then
+    echo "error='git clone failed'"
+    exit 1
+  fi
+  cd blitz_api || exit 1
+  if ! git checkout ${DEFAULT_GITHUB_BRANCH}; then
+    echo "error='git checkout failed'"
+    exit 1
+  fi
+  if ! pip install -r requirements.txt --no-deps; then
+    echo "error='pip install failed'"
+    exit 1
+  fi
+
+  # build the config and set unique secret (its OK to be a new secret every install/upadte)
+  /home/admin/config.scripts/blitz.web.api.sh update-config
+  secret=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 64 ; echo '')
+  sed -i "s/^secret=.*/secret=${secret}/g" ./.env
+
+  # prepare systemd service
+  echo "
+[Unit]
+Description=BlitzBackendAPI
+Wants=network.target
+After=network.target mnt-hdd.mount
+
+[Service]
+WorkingDirectory=/home/blitzapi/blitz_api
+# before every start update the config with latest credentials/settings
+ExecStartPre=-/home/admin/config.scripts/blitz.web.api.sh update-config
+ExecStart=/usr/bin/python -m uvicorn app.main:app --port 11111 --host=0.0.0.0 --root-path /api
+User=blitzapi
+Group=blitzapi
+Type=simple
+Restart=always
+StandardOutput=journal
+StandardError=journal
+RestartSec=60
+
+# Hardening
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
+" | tee /etc/systemd/system/blitzapi.service
+
+  chown -R blitzapi:blitzapi /home/blitzapi/blitz_api
+
+  systemctl enable blitzapi
+  systemctl start blitzapi
+
+  # TODO: remove after experimental step (only have forward on nginx:80 /api)
+  ufw allow 11111 comment 'WebAPI Develop'
+
+  source <(/home/admin/_cache.sh export internet_localip)
+
+  # install info
+  echo "# the API is now running on port 11111 & doc available under:"
+  echo "# http://${internet_localip}/api/docs"
+  echo "# check for systemd:  sudo systemctl status blitzapi"
+  echo "# check for logs:     sudo journalctl -f -u blitzapi"
+
+  exit 0
+fi
+
 ###################
 # UPDATE CODE
 ###################