fix init
@@ -25,6 +25,7 @@ PROXY_DOMAINS="${PYTORRENT_PROXY_DOMAINS:-}"
|
||||
CORS_ORIGINS="${PYTORRENT_SOCKETIO_CORS_ALLOWED_ORIGINS:-}"
|
||||
LOCAL_ORIGINS="${PYTORRENT_LOCAL_ORIGINS:-}"
|
||||
RTORRENT_SOCKET="${RTORRENT_SOCKET:-}"
|
||||
RTORRENT_USER="${RTORRENT_USER:-rtorrent}"
|
||||
INSTALL_SCGI_PROXY="${PYTORRENT_INSTALL_SCGI_PROXY:-ask}"
|
||||
RT_PROXY_USER="${RTORRENT_SCGI_PROXY_USER:-rtproxy}"
|
||||
RT_PROXY_LISTEN="${RTORRENT_SCGI_PROXY_LISTEN:-127.0.0.1:5050}"
|
||||
@@ -33,7 +34,6 @@ RT_PROXY_ALLOW_NET="${RTORRENT_SCGI_PROXY_ALLOW_NET:-127.0.0.1}"
|
||||
RT_PROXY_TARGET_NETWORK_EXPLICIT="${RTORRENT_SCGI_PROXY_TARGET_NETWORK+x}"
|
||||
RT_PROXY_TARGET_NETWORK="${RTORRENT_SCGI_PROXY_TARGET_NETWORK:-tcp}"
|
||||
RT_PROXY_TARGET_ADDRESS="${RTORRENT_SCGI_PROXY_TARGET_ADDRESS:-127.0.0.1:5000}"
|
||||
RT_PROXY_EXTRA_GROUPS="${RTORRENT_SCGI_PROXY_EXTRA_GROUPS:-}"
|
||||
RT_PROXY_BINARY_URL="${RTORRENT_SCGI_PROXY_BINARY_URL:-https://git.linuxiarz.pl/gru/rtorrent-scgi-proxy/raw/branch/master/dist/rtorrent-scgi-proxy-linux-amd64}"
|
||||
RT_PROXY_TARGET_URI="${RTORRENT_SCGI_PROXY_TARGET_URI:-/RPC2}"
|
||||
ASSUME_YES=0
|
||||
@@ -58,6 +58,7 @@ Options:
|
||||
--profile-name NAME pyTorrent profile name. Default: Local rTorrent.
|
||||
--scgi-url URL rTorrent SCGI URL. Default: scgi://127.0.0.1:5000.
|
||||
--rtorrent-socket PATH rTorrent Unix socket; can enable SCGI proxy setup.
|
||||
--rtorrent-user USER rTorrent system user/group for Unix socket access. Default: rtorrent.
|
||||
--auth enable|disable Enable pyTorrent authentication.
|
||||
--auth-provider local|proxy|tinyauth
|
||||
--auth-user USER Local auth user to create/update. Default: pytorrent.
|
||||
@@ -76,7 +77,6 @@ Options:
|
||||
--proxy-allow-net VALUE SCGI proxy ALLOW_NET. Default: 127.0.0.1.
|
||||
--proxy-target-network tcp|unix
|
||||
--proxy-target-address VALUE
|
||||
--proxy-extra-groups CSV Extra system groups for rtorrent-scgi-proxy, useful for Unix socket access.
|
||||
--skip-profile Do not create/update pyTorrent rTorrent profile.
|
||||
-h, --help Show this help.
|
||||
|
||||
@@ -144,6 +144,7 @@ parse_args() {
|
||||
--profile-name) PROFILE_NAME="$2"; shift 2 ;;
|
||||
--scgi-url) SCGI_URL="$2"; shift 2 ;;
|
||||
--rtorrent-socket) RTORRENT_SOCKET="$2"; shift 2 ;;
|
||||
--rtorrent-user) RTORRENT_USER="$2"; shift 2 ;;
|
||||
--auth) AUTH_MODE="$(bool_value "$2")"; shift 2 ;;
|
||||
--auth-provider) AUTH_PROVIDER="$2"; shift 2 ;;
|
||||
--auth-user) AUTH_USER="$2"; shift 2 ;;
|
||||
@@ -162,7 +163,6 @@ parse_args() {
|
||||
--proxy-allow-net) RT_PROXY_ALLOW_NET="$2"; shift 2 ;;
|
||||
--proxy-target-network) RT_PROXY_TARGET_NETWORK="$2"; RT_PROXY_TARGET_NETWORK_EXPLICIT=1; shift 2 ;;
|
||||
--proxy-target-address) RT_PROXY_TARGET_ADDRESS="$2"; shift 2 ;;
|
||||
--proxy-extra-groups) RT_PROXY_EXTRA_GROUPS="$2"; shift 2 ;;
|
||||
--skip-profile) SKIP_PROFILE=1; shift ;;
|
||||
-h|--help) usage; exit 0 ;;
|
||||
*) fail "Unknown option: $1" ;;
|
||||
@@ -215,9 +215,7 @@ ask_configuration() {
|
||||
prompt PROFILE_NAME "pyTorrent profile name" "Local rTorrent"
|
||||
|
||||
if [[ -n "${RTORRENT_SOCKET}" ]]; then
|
||||
INSTALL_SCGI_PROXY="yes"
|
||||
RT_PROXY_TARGET_NETWORK="unix"
|
||||
RT_PROXY_TARGET_ADDRESS="${RTORRENT_SOCKET}"
|
||||
INSTALL_SCGI_PROXY="${INSTALL_SCGI_PROXY:-ask}"
|
||||
fi
|
||||
if [[ "${INSTALL_SCGI_PROXY}" == "ask" ]]; then
|
||||
prompt INSTALL_SCGI_PROXY "Install rtorrent-scgi-proxy for Unix socket backend? yes/no" "no"
|
||||
@@ -537,43 +535,19 @@ SERVICE
|
||||
}
|
||||
|
||||
|
||||
grant_scgi_proxy_socket_access() {
|
||||
[[ "${INSTALL_SCGI_PROXY}" == "yes" ]] || return 0
|
||||
ensure_scgi_proxy_socket_access() {
|
||||
[[ "${RT_PROXY_TARGET_NETWORK}" == "unix" ]] || return 0
|
||||
local socket_path="${RT_PROXY_TARGET_ADDRESS}"
|
||||
[[ -n "${socket_path}" ]] || return 0
|
||||
|
||||
local groups="${RT_PROXY_EXTRA_GROUPS}"
|
||||
if [[ -S "${socket_path}" ]]; then
|
||||
local socket_group
|
||||
socket_group="$(stat -c '%G' "${socket_path}" 2>/dev/null || true)"
|
||||
if [[ -n "${socket_group}" && "${socket_group}" != "UNKNOWN" ]]; then
|
||||
groups="${groups:+${groups},}${socket_group}"
|
||||
chmod g+rw "${socket_path}" 2>/dev/null || true
|
||||
if getent group "${RTORRENT_USER}" >/dev/null 2>&1; then
|
||||
usermod -a -G "${RTORRENT_USER}" "${RT_PROXY_USER}" || true
|
||||
fi
|
||||
if [[ -n "${RT_PROXY_TARGET_ADDRESS}" ]]; then
|
||||
local socket_dir
|
||||
socket_dir="$(dirname "${RT_PROXY_TARGET_ADDRESS}")"
|
||||
if [[ -d "${socket_dir}" && "${socket_dir}" == /run/* ]]; then
|
||||
chgrp "${RTORRENT_USER}" "${socket_dir}" 2>/dev/null || true
|
||||
chmod g+rx "${socket_dir}" 2>/dev/null || true
|
||||
fi
|
||||
fi
|
||||
if [[ -n "${RTORRENT_USER:-}" ]] && getent group "${RTORRENT_USER}" >/dev/null 2>&1; then
|
||||
groups="${groups:+${groups},}${RTORRENT_USER}"
|
||||
fi
|
||||
if [[ -z "${groups}" ]] && getent group rtorrent >/dev/null 2>&1; then
|
||||
groups="rtorrent"
|
||||
fi
|
||||
|
||||
if [[ -n "${groups}" ]]; then
|
||||
local normalized="" group
|
||||
IFS=',' read -r -a _groups <<< "${groups}"
|
||||
for group in "${_groups[@]}"; do
|
||||
group="$(printf '%s' "${group}" | xargs)"
|
||||
[[ -n "${group}" ]] || continue
|
||||
getent group "${group}" >/dev/null 2>&1 || continue
|
||||
usermod -aG "${group}" "${RT_PROXY_USER}" || true
|
||||
case ",${normalized}," in
|
||||
*,${group},*) ;;
|
||||
*) normalized="${normalized:+${normalized},}${group}" ;;
|
||||
esac
|
||||
done
|
||||
RT_PROXY_EXTRA_GROUPS="${normalized}"
|
||||
fi
|
||||
}
|
||||
|
||||
install_scgi_proxy() {
|
||||
@@ -585,7 +559,7 @@ install_scgi_proxy() {
|
||||
[[ -x "${shell_path}" ]] || shell_path="/usr/bin/nologin"
|
||||
useradd --system --no-create-home --shell "${shell_path}" "${RT_PROXY_USER}"
|
||||
fi
|
||||
grant_scgi_proxy_socket_access
|
||||
ensure_scgi_proxy_socket_access
|
||||
curl -fL "${RT_PROXY_BINARY_URL}" -o /usr/local/bin/rtorrent-scgi-proxy
|
||||
chmod 0755 /usr/local/bin/rtorrent-scgi-proxy
|
||||
cat > /etc/rtorrent-scgi-proxy.env <<ENV
|
||||
@@ -603,6 +577,14 @@ MAX_CONTENT_BYTES=10485760
|
||||
ENV
|
||||
chmod 0600 /etc/rtorrent-scgi-proxy.env
|
||||
chown root:root /etc/rtorrent-scgi-proxy.env
|
||||
local supplementary_groups=""
|
||||
if [[ "${RT_PROXY_TARGET_NETWORK}" == "unix" ]] && getent group "${RTORRENT_USER}" >/dev/null 2>&1; then
|
||||
supplementary_groups="SupplementaryGroups=${RTORRENT_USER}"
|
||||
fi
|
||||
local protect_home="yes"
|
||||
if [[ "${RT_PROXY_TARGET_NETWORK}" == "unix" && "${RT_PROXY_TARGET_ADDRESS}" == /home/* ]]; then
|
||||
protect_home="read-only"
|
||||
fi
|
||||
cat > /etc/systemd/system/rtorrent-scgi-proxy.service <<SERVICE
|
||||
[Unit]
|
||||
Description=rTorrent SCGI proxy
|
||||
@@ -613,7 +595,8 @@ Wants=network-online.target
|
||||
Type=simple
|
||||
User=${RT_PROXY_USER}
|
||||
Group=${RT_PROXY_USER}
|
||||
$(if [[ -n "${RT_PROXY_EXTRA_GROUPS}" ]]; then printf 'SupplementaryGroups=%s\n' "${RT_PROXY_EXTRA_GROUPS//,/ }"; fi)EnvironmentFile=/etc/rtorrent-scgi-proxy.env
|
||||
${supplementary_groups}
|
||||
EnvironmentFile=/etc/rtorrent-scgi-proxy.env
|
||||
ExecStart=/usr/local/bin/rtorrent-scgi-proxy
|
||||
Restart=on-failure
|
||||
RestartSec=2
|
||||
@@ -621,7 +604,7 @@ RestartSec=2
|
||||
NoNewPrivileges=yes
|
||||
PrivateTmp=yes
|
||||
ProtectSystem=strict
|
||||
ProtectHome=read-only
|
||||
ProtectHome=${protect_home}
|
||||
ProtectKernelTunables=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectControlGroups=yes
|
||||
|
||||
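Review bot: In `ensure_scgi_proxy_socket_access` (which looks like the replacement helper in the `-537,43 +535,19` hunk, though the +/- markers are lost on this page), the socket's parent directory is re-grouped and made group-traversable on a purely lexical `"${socket_dir}" == /run/*` match. A value such as `/run/user/<uid>/rpc.sock`, or one containing `..`, therefore makes the root-run installer `chgrp` a directory that may not belong to rTorrent at all. Resolve the path before testing it, e.g. `socket_dir="$(realpath -e -- "$(dirname -- "${RT_PROXY_TARGET_ADDRESS}")")"`, and only touch the directory when it is already owned by the rTorrent account. The `|| true` on `usermod` (plus `2>/dev/null` on `chgrp`/`chmod`) also hides the case where access was not granted, so the failure only surfaces when the service tries to connect; a warning on stderr would make it visible. Separately, `RTORRENT_USER` now flows from `--rtorrent-user` or the environment into `usermod -a -G`, `chgrp` and the unquoted `SERVICE` heredoc (`SupplementaryGroups=${RTORRENT_USER}`), so a check after argument parsing such as `[[ "${RTORRENT_USER}" =~ ^[a-z_][a-z0-9_-]*$ ]] || fail "Invalid rTorrent user"` would keep whitespace or newlines out of the unit file.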