fix(deploy): non-interactive restart in deploy.sh; restart-only sudoers rule

deploy.sh runs as fenja and called `sudo systemctl restart`, which prompted for fenja's (nonexistent) password and aborted the deploy. Use `sudo -n` so it never hangs: restart silently when the NOPASSWD rule is present, else print the manual restart command and exit non-zero. Drop sudo from the read-only status line. Narrow the documented sudoers rule to restart-only and create it via visudo. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-17 15:55:38 +02:00 · 2026-06-17 15:55:38 +02:00 · 505484124d
commit 505484124d
parent 0a62984e91
2 changed files with 28 additions and 6 deletions
--- a/DEPLOY.md
+++ b/DEPLOY.md
@ -161,14 +161,25 @@ sudo systemctl status bifrost-portal --no-pager
 curl -fsS http://127.0.0.1:4322/login >/dev/null && echo "app responding on 4322"
 ```

-Let `fenja` restart just this unit without a password (used by `deploy.sh`):
+Let `fenja` restart just this unit without a password (used by `deploy.sh`).
+`deploy.sh` runs as `fenja` and escalates only for the restart; reading status
+needs no sudo. Create the rule with `visudo` (validates syntax, sets perms):

 ```bash
-echo 'fenja ALL=(root) NOPASSWD: /usr/bin/systemctl restart bifrost-portal, /usr/bin/systemctl status bifrost-portal' \
-  | sudo tee /etc/sudoers.d/bifrost-portal
-sudo chmod 440 /etc/sudoers.d/bifrost-portal
+sudo visudo -f /etc/sudoers.d/bifrost-portal
 ```

+Add exactly this one line (a single-command allowlist — not general sudo):
+
+```
+fenja ALL=(root) NOPASSWD: /usr/bin/systemctl restart bifrost-portal
+```
+
+Verify: `sudo -l -U fenja | grep systemctl` shows only that command. If you'd
+rather keep sudo exclusively with admin users, skip this — `deploy.sh` will
+then stop before the restart and print the `sudo systemctl restart
+bifrost-portal` command for you to run as an admin.
+
 ## 7. nginx + TLS

 ```bash
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@ -39,10 +39,21 @@ echo "==> Applying database migrations -> $BIFROST_DB_PATH"
 node scripts/migrate.js

 echo "==> Restarting $SERVICE"
-sudo systemctl restart "$SERVICE"
+# Non-interactive: if fenja has the NOPASSWD rule for this unit it restarts
+# silently; otherwise we don't hang on a password prompt — we tell the
+# operator to restart as a sudo user.
+if sudo -n systemctl restart "$SERVICE" 2>/dev/null; then
+  echo "    restarted"
+else
+  echo "    !! could not restart without a password."
+  echo "    Run as a sudo user:  sudo systemctl restart $SERVICE"
+  echo "    (or grant fenja the NOPASSWD rule — see DEPLOY.md §6)"
+  exit 1
+fi

 echo "==> Waiting for health"
 sleep 2
-sudo systemctl --no-pager --lines=0 status "$SERVICE"
+# status is read-only — no sudo needed
+systemctl --no-pager --lines=0 status "$SERVICE" || true

 echo "==> Deploy complete: $(git rev-parse --short HEAD)"