diff --git a/DEPLOY.md b/DEPLOY.md
index b6e8e06..caa5aa7 100644
--- a/DEPLOY.md
+++ b/DEPLOY.md
@@ -161,14 +161,25 @@ sudo systemctl status bifrost-portal --no-pager
 curl -fsS http://127.0.0.1:4322/login >/dev/null && echo "app responding on 4322"
 ```
-Let `fenja` restart just this unit without a password (used by `deploy.sh`):
+Let `fenja` restart just this unit without a password (used by `deploy.sh`).
+`deploy.sh` runs as `fenja` and escalates only for the restart; reading status
+needs no sudo. Create the rule with `visudo` (validates syntax, sets perms):
 ```bash
-echo 'fenja ALL=(root) NOPASSWD: /usr/bin/systemctl restart bifrost-portal, /usr/bin/systemctl status bifrost-portal' \
- | sudo tee /etc/sudoers.d/bifrost-portal
-sudo chmod 440 /etc/sudoers.d/bifrost-portal
+sudo visudo -f /etc/sudoers.d/bifrost-portal
 ```
+Add exactly this one line (a single-command allowlist — not general sudo):
+
+```
+fenja ALL=(root) NOPASSWD: /usr/bin/systemctl restart bifrost-portal
+```
+
+Verify: `sudo -l -U fenja | grep systemctl` shows only that command. If you'd
+rather keep sudo exclusively with admin users, skip this — `deploy.sh` will
+then stop before the restart and print the `sudo systemctl restart
+bifrost-portal` command for you to run as an admin.
+
 ## 7. nginx + TLS
 ```bash
diff --git a/scripts/deploy.sh b/scripts/deploy.sh
index 62264b0..6bdaf06 100755
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@@ -39,10 +39,21 @@ echo "==> Applying database migrations -> $BIFROST_DB_PATH"
 node scripts/migrate.js
 echo "==> Restarting $SERVICE"
-sudo systemctl restart "$SERVICE"
+# Non-interactive: if fenja has the NOPASSWD rule for this unit it restarts
+# silently; otherwise we don't hang on a password prompt — we tell the
+# operator to restart as a sudo user.
+if sudo -n systemctl restart "$SERVICE" 2>/dev/null; then
+ echo " restarted"
+else
+ echo " !! could not restart without a password."
+ echo " Run as a sudo user: sudo systemctl restart $SERVICE"
+ echo " (or grant fenja the NOPASSWD rule — see DEPLOY.md §6)"
+ exit 1
+fi
 echo "==> Waiting for health"
 sleep 2
-sudo systemctl --no-pager --lines=0 status "$SERVICE"
+# status is read-only — no sudo needed
+systemctl --no-pager --lines=0 status "$SERVICE" || true
 echo "==> Deploy complete: $(git rev-parse --short HEAD)"
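Review bot: The `2>/dev/null` on `sudo -n systemctl restart "$SERVICE"` conflates two different failures — sudo refusing because no NOPASSWD rule matches, and the unit itself failing to start with the rule in place — and both land in the else branch printing "could not restart without a password", which sends the operator to fix sudoers when the service is what broke. Probe the rule first with `sudo -n -l systemctl restart "$SERVICE"` (checks sudoers without executing anything, never prompts), then run the real restart with its stderr visible. The new `|| true` on the status line has the same effect on the other side: a unit that is inactive after the restart makes `systemctl status` exit non-zero, which is now swallowed and the script still prints "Deploy complete"; gate on `systemctl is-active --quiet "$SERVICE"` instead. Whether the script runs under `set -e` is outside this hunk, so the restart line below carries its own `|| exit 1`; note also that `sudo -l` matching depends on `$SERVICE` being spelled exactly as in the sudoers rule (`bifrost-portal`, not `bifrost-portal.service`).

```shell
echo "==> Restarting $SERVICE"
# Check the sudoers rule without running anything (-l), never prompt (-n).
if ! sudo -n -l systemctl restart "$SERVICE" >/dev/null 2>&1; then
  echo " !! could not restart without a password." >&2
  echo " Run as a sudo user: sudo systemctl restart $SERVICE" >&2
  echo " (or grant fenja the NOPASSWD rule — see DEPLOY.md §6)" >&2
  exit 1
fi
# Rule is present: let a real unit failure surface with systemctl's own stderr.
sudo -n systemctl restart "$SERVICE" || exit 1
echo " restarted"
# … unchanged: "Waiting for health", sleep 2 …
# status is read-only — no sudo needed; it is informational only
systemctl --no-pager --lines=0 status "$SERVICE" || true
# A dead unit must fail the deploy rather than print "Deploy complete".
systemctl is-active --quiet "$SERVICE" || { echo " !! $SERVICE is not active after restart" >&2; exit 1; }
```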