diff --git a/conf/sudoers.conf b/conf/sudoers.conf
new file mode 100644
index 0000000..cb80189
--- /dev/null
+++ b/conf/sudoers.conf
@@ -0,0 +1,3 @@
+Cmnd_Alias WIREGUARDSERVICE = /bin/systemctl restart wg-quick@wg0.service
+
+__USER__ ALL = NOPASSWD: WIREGUARDSERVICE
diff --git a/conf/wireguard.service b/conf/wireguard.service
index f2afa4d..7711fbf 100644
--- a/conf/wireguard.service
+++ b/conf/wireguard.service
@@ -4,4 +4,6 @@ After=network.target
 [Service]
 Type=oneshot
+User=__APP__
+Group=__APP__
 ExecStart=/bin/systemctl restart wg-quick@wg0.service
diff --git a/scripts/backup b/scripts/backup
index fae85a1..6fc9a1d 100644
--- a/scripts/backup
+++ b/scripts/backup
@@ -63,6 +63,7 @@ ynh_backup --src_path="/etc/logrotate.d/$app"
 ynh_backup --src_path="/etc/systemd/system/$app.service"
 ynh_backup --src_path=/etc/systemd/system/wireguard_ui.service
 ynh_backup --src_path=/etc/systemd/system/wireguard.path
+ynh_backup --src_path="/etc/sudoers.d/${app}_ynh"
 #=================================================
 # BACKUP VARIOUS FILES
diff --git a/scripts/install b/scripts/install
index 2b3d54a..06f107e 100644
--- a/scripts/install
+++ b/scripts/install
@@ -114,6 +114,10 @@ ynh_script_progression --message="Configuring system user..." --weight=1
 # Create a system user
 ynh_system_user_create --username=$app
+# Ensure the system user has enough permissions
+install -b -o root -g root -m 0440 ../conf/sudoers.conf /etc/sudoers.d/${app}_ynh
+ynh_replace_string "__USER__" "${app}" /etc/sudoers.d/${app}_ynh
+
 #=================================================
 # SPECIFIC SETUP
 #=================================================
diff --git a/scripts/remove b/scripts/remove
index 0c0fe93..0a11336 100644
--- a/scripts/remove
+++ b/scripts/remove
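Review bot: In conf/sudoers.conf the rule `__USER__ ALL = NOPASSWD: WIREGUARDSERVICE` carries no Runas specification and goes through a `Cmnd_Alias`, whose name is shared by every file sudo parses. The command is pinned to a full path with fixed arguments, which is the right shape, so the rule can be written without the alias and with the target user explicit: `__USER__ ALL = (root) NOPASSWD: /bin/systemctl restart wg-quick@wg0.service`. If a second instance of the app were ever installed (the per-app `${app}_ynh` file name in scripts/install suggests this is possible), both files would define `WIREGUARDSERVICE`, which sudo flags as a duplicate alias definition.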
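Review bot: In conf/wireguard.service, with `User=__APP__` and `Group=__APP__` added, `ExecStart=/bin/systemctl restart wg-quick@wg0.service` now runs as the unprivileged app user but still calls systemctl directly, so the NOPASSWD rule added in conf/sudoers.conf is never exercised by this unit. Unless a polkit rule outside this diff lets that user manage units, the restart would presumably be refused for lack of authorization. If the intent is to drop root here and rely on the sudoers entry, the line would need to become `ExecStart=/usr/bin/sudo /bin/systemctl restart wg-quick@wg0.service` (sudo path to be confirmed on the target system), with the command matching the sudoers rule exactly.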
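Review bot: In scripts/install the template is copied into /etc/sudoers.d first and only then edited in place, so between `install` and `ynh_replace_string` a live sudoers file names the literal `__USER__`, and nothing validates the result before sudo reads it. A malformed file in /etc/sudoers.d can leave sudo unusable, so the safer order is to render into a temporary file, check it with `visudo -cf`, and install only if the check passes; the `${app}_ynh` paths should also be quoted. The same two lines are repeated in the scripts/upgrade hunk and would benefit from the same change. The script continues outside this hunk.

```shell
# Ensure the system user has enough permissions
sudoers_tmp="$(mktemp)"
sed "s/__USER__/${app}/g" ../conf/sudoers.conf > "$sudoers_tmp"
visudo -cf "$sudoers_tmp" || ynh_die --message="Generated sudoers file failed validation"
install -b -o root -g root -m 0440 "$sudoers_tmp" "/etc/sudoers.d/${app}_ynh"
rm -f -- "$sudoers_tmp"
```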
@@ -94,6 +94,15 @@ then
 ynh_exec_warn_less yunohost firewall disallow TCP $port_wg
 fi
+#=================================================
+# SPECIFIC REMOVE
+#=================================================
+# REMOVE VARIOUS FILES
+#=================================================
+
+# Remove sudoers file
+ynh_secure_remove --file="/etc/sudoers.d/${app}_ynh"
+
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
diff --git a/scripts/restore b/scripts/restore
index f825a58..e350e8e 100644
--- a/scripts/restore
+++ b/scripts/restore
@@ -68,6 +68,9 @@ ynh_script_progression --message="Recreating the dedicated system user..." --wei
 # Create the dedicated user (if not existing)
 ynh_system_user_create --username=$app
+# Restore sudoers file
+ynh_restore_file --origin_path="/etc/sudoers.d/${app}_ynh"
+
 #=================================================
 # RESTORE USER RIGHTS
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index 12791f6..40bd3e8 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -77,6 +77,12 @@ Now wireguard_ynh use a DKMS module allowing itself to be used with the stable k
 fi
 fi
+# Add sudoers file if missing
+if [ -f "/etc/sudoers.d/${app}_ynh" ]; then
+ install -b -o root -g root -m 0440 ../conf/sudoers.conf /etc/sudoers.d/${app}_ynh
+ ynh_replace_string "__USER__" "${app}" /etc/sudoers.d/${app}_ynh
+fi
+
 #=================================================
 # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
 #=================================================
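Review bot: In scripts/restore, `ynh_restore_file --origin_path="/etc/sudoers.d/${app}_ynh"` places whatever the archive holds into /etc/sudoers.d, so a rule granting root-level sudo is taken from the backup with no check on its content, owner or mode. Consider following it with `chown root:root` and `chmod 0440` on that path and a `visudo -cf "/etc/sudoers.d/${app}_ynh"` check that fails the restore when validation does not pass. Archives created before this change will not contain the file; whether the helper then aborts or continues depends on how it treats a missing path, which is worth confirming. The script continues outside this hunk.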
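Review bot: In scripts/upgrade the test `if [ -f "/etc/sudoers.d/${app}_ynh" ]; then` is the opposite of what the comment `# Add sudoers file if missing` describes: the file is installed only when it already exists, so an instance upgraded from a version without the sudoers file never receives one. The condition should read `if [ ! -f "/etc/sudoers.d/${app}_ynh" ]; then`. Dropping the test and always reinstalling would also pick up later changes to conf/sudoers.conf, but with `install -b` each overwrite leaves a `~` backup copy in /etc/sudoers.d that scripts/remove does not delete.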