socker backend support
This commit is contained in:
Mateusz Gruszczyński
@@ -33,6 +33,7 @@ RT_PROXY_ALLOW_NET="${RTORRENT_SCGI_PROXY_ALLOW_NET:-127.0.0.1}"
|
||||
RT_PROXY_TARGET_NETWORK_EXPLICIT="${RTORRENT_SCGI_PROXY_TARGET_NETWORK+x}"
|
||||
RT_PROXY_TARGET_NETWORK="${RTORRENT_SCGI_PROXY_TARGET_NETWORK:-tcp}"
|
||||
RT_PROXY_TARGET_ADDRESS="${RTORRENT_SCGI_PROXY_TARGET_ADDRESS:-127.0.0.1:5000}"
|
||||
RT_PROXY_EXTRA_GROUPS="${RTORRENT_SCGI_PROXY_EXTRA_GROUPS:-}"
|
||||
RT_PROXY_BINARY_URL="${RTORRENT_SCGI_PROXY_BINARY_URL:-https://git.linuxiarz.pl/gru/rtorrent-scgi-proxy/raw/branch/master/dist/rtorrent-scgi-proxy-linux-amd64}"
|
||||
RT_PROXY_TARGET_URI="${RTORRENT_SCGI_PROXY_TARGET_URI:-/RPC2}"
|
||||
ASSUME_YES=0
|
||||
@@ -75,6 +76,7 @@ Options:
|
||||
--proxy-allow-net VALUE SCGI proxy ALLOW_NET. Default: 127.0.0.1.
|
||||
--proxy-target-network tcp|unix
|
||||
--proxy-target-address VALUE
|
||||
--proxy-extra-groups CSV Extra system groups for rtorrent-scgi-proxy, useful for Unix socket access.
|
||||
--skip-profile Do not create/update pyTorrent rTorrent profile.
|
||||
-h, --help Show this help.
|
||||
|
||||
@@ -160,6 +162,7 @@ parse_args() {
|
||||
--proxy-allow-net) RT_PROXY_ALLOW_NET="$2"; shift 2 ;;
|
||||
--proxy-target-network) RT_PROXY_TARGET_NETWORK="$2"; RT_PROXY_TARGET_NETWORK_EXPLICIT=1; shift 2 ;;
|
||||
--proxy-target-address) RT_PROXY_TARGET_ADDRESS="$2"; shift 2 ;;
|
||||
--proxy-extra-groups) RT_PROXY_EXTRA_GROUPS="$2"; shift 2 ;;
|
||||
--skip-profile) SKIP_PROFILE=1; shift ;;
|
||||
-h|--help) usage; exit 0 ;;
|
||||
*) fail "Unknown option: $1" ;;
|
||||
@@ -212,7 +215,9 @@ ask_configuration() {
|
||||
prompt PROFILE_NAME "pyTorrent profile name" "Local rTorrent"
|
||||
|
||||
if [[ -n "${RTORRENT_SOCKET}" ]]; then
|
||||
INSTALL_SCGI_PROXY="${INSTALL_SCGI_PROXY:-ask}"
|
||||
INSTALL_SCGI_PROXY="yes"
|
||||
RT_PROXY_TARGET_NETWORK="unix"
|
||||
RT_PROXY_TARGET_ADDRESS="${RTORRENT_SOCKET}"
|
||||
fi
|
||||
if [[ "${INSTALL_SCGI_PROXY}" == "ask" ]]; then
|
||||
prompt INSTALL_SCGI_PROXY "Install rtorrent-scgi-proxy for Unix socket backend? yes/no" "no"
|
||||
@@ -531,6 +536,46 @@ SERVICE
|
||||
systemctl restart "${SERVICE_NAME}"
|
||||
}
|
||||
|
||||
|
||||
grant_scgi_proxy_socket_access() {
|
||||
[[ "${INSTALL_SCGI_PROXY}" == "yes" ]] || return 0
|
||||
[[ "${RT_PROXY_TARGET_NETWORK}" == "unix" ]] || return 0
|
||||
local socket_path="${RT_PROXY_TARGET_ADDRESS}"
|
||||
[[ -n "${socket_path}" ]] || return 0
|
||||
|
||||
local groups="${RT_PROXY_EXTRA_GROUPS}"
|
||||
if [[ -S "${socket_path}" ]]; then
|
||||
local socket_group
|
||||
socket_group="$(stat -c '%G' "${socket_path}" 2>/dev/null || true)"
|
||||
if [[ -n "${socket_group}" && "${socket_group}" != "UNKNOWN" ]]; then
|
||||
groups="${groups:+${groups},}${socket_group}"
|
||||
chmod g+rw "${socket_path}" 2>/dev/null || true
|
||||
fi
|
||||
fi
|
||||
if [[ -n "${RTORRENT_USER:-}" ]] && getent group "${RTORRENT_USER}" >/dev/null 2>&1; then
|
||||
groups="${groups:+${groups},}${RTORRENT_USER}"
|
||||
fi
|
||||
if [[ -z "${groups}" ]] && getent group rtorrent >/dev/null 2>&1; then
|
||||
groups="rtorrent"
|
||||
fi
|
||||
|
||||
if [[ -n "${groups}" ]]; then
|
||||
local normalized="" group
|
||||
IFS=',' read -r -a _groups <<< "${groups}"
|
||||
for group in "${_groups[@]}"; do
|
||||
group="$(printf '%s' "${group}" | xargs)"
|
||||
[[ -n "${group}" ]] || continue
|
||||
getent group "${group}" >/dev/null 2>&1 || continue
|
||||
usermod -aG "${group}" "${RT_PROXY_USER}" || true
|
||||
case ",${normalized}," in
|
||||
*,${group},*) ;;
|
||||
*) normalized="${normalized:+${normalized},}${group}" ;;
|
||||
esac
|
||||
done
|
||||
RT_PROXY_EXTRA_GROUPS="${normalized}"
|
||||
fi
|
||||
}
|
||||
|
||||
install_scgi_proxy() {
|
||||
# Note: The proxy exposes a TCP SCGI endpoint for pyTorrent when rTorrent listens on a Unix socket.
|
||||
[[ "${INSTALL_SCGI_PROXY}" == "yes" ]] || return 0
|
||||
@@ -540,6 +585,7 @@ install_scgi_proxy() {
|
||||
[[ -x "${shell_path}" ]] || shell_path="/usr/bin/nologin"
|
||||
useradd --system --no-create-home --shell "${shell_path}" "${RT_PROXY_USER}"
|
||||
fi
|
||||
grant_scgi_proxy_socket_access
|
||||
curl -fL "${RT_PROXY_BINARY_URL}" -o /usr/local/bin/rtorrent-scgi-proxy
|
||||
chmod 0755 /usr/local/bin/rtorrent-scgi-proxy
|
||||
cat > /etc/rtorrent-scgi-proxy.env <<ENV
|
||||
@@ -567,7 +613,7 @@ Wants=network-online.target
|
||||
Type=simple
|
||||
User=${RT_PROXY_USER}
|
||||
Group=${RT_PROXY_USER}
|
||||
EnvironmentFile=/etc/rtorrent-scgi-proxy.env
|
||||
$(if [[ -n "${RT_PROXY_EXTRA_GROUPS}" ]]; then printf 'SupplementaryGroups=%s\n' "${RT_PROXY_EXTRA_GROUPS//,/ }"; fi)EnvironmentFile=/etc/rtorrent-scgi-proxy.env
|
||||
ExecStart=/usr/local/bin/rtorrent-scgi-proxy
|
||||
Restart=on-failure
|
||||
RestartSec=2
|
||||
@@ -575,7 +621,7 @@ RestartSec=2
|
||||
NoNewPrivileges=yes
|
||||
PrivateTmp=yes
|
||||
ProtectSystem=strict
|
||||
ProtectHome=yes
|
||||
ProtectHome=read-only
|
||||
ProtectKernelTunables=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectControlGroups=yes
|
||||
|
||||
Reference in New Issue
Block a user