From 505484124d83257b35b60f6c83f2cf697a60bd00 Mon Sep 17 00:00:00 2001 From: Arlind Date: Wed, 17 Jun 2026 15:55:38 +0200 Subject: [PATCH] fix(deploy): non-interactive restart in deploy.sh; restart-only sudoers rule deploy.sh runs as fenja and called `sudo systemctl restart`, which prompted for fenja's (nonexistent) password and aborted the deploy. Use `sudo -n` so it never hangs: restart silently when the NOPASSWD rule is present, else print the manual restart command and exit non-zero. Drop sudo from the read-only status line. Narrow the documented sudoers rule to restart-only and create it via visudo. Co-Authored-By: Claude Opus 4.8 (1M context) --- DEPLOY.md | 19 +++++++++++++++---- scripts/deploy.sh | 15 +++++++++++++-- 2 files changed, 28 insertions(+), 6 deletions(-) diff --git a/DEPLOY.md b/DEPLOY.md index b6e8e06..caa5aa7 100644 --- a/DEPLOY.md +++ b/DEPLOY.md 
@@ -161,14 +161,25 @@ sudo systemctl status bifrost-portal --no-pager curl -fsS http://127.0.0.1:4322/login >/dev/null && echo "app responding on 4322" ``` -Let `fenja` restart just this unit without a password (used by `deploy.sh`): +Let `fenja` restart just this unit without a password (used by `deploy.sh`). +`deploy.sh` runs as `fenja` and escalates only for the restart; reading status +needs no sudo. Create the rule with `visudo` (validates syntax, sets perms): ```bash -echo 'fenja ALL=(root) NOPASSWD: /usr/bin/systemctl restart bifrost-portal, /usr/bin/systemctl status bifrost-portal' \ - | sudo tee /etc/sudoers.d/bifrost-portal -sudo chmod 440 /etc/sudoers.d/bifrost-portal +sudo visudo -f /etc/sudoers.d/bifrost-portal ``` +Add exactly this one line (a single-command allowlist — not general sudo): + +``` +fenja ALL=(root) NOPASSWD: /usr/bin/systemctl restart bifrost-portal +``` + +Verify: `sudo -l -U fenja | grep systemctl` shows only that command. If you'd +rather keep sudo exclusively with admin users, skip this — `deploy.sh` will +then stop before the restart and print the `sudo systemctl restart +bifrost-portal` command for you to run as an admin. + ## 7. nginx + TLS ```bash diff --git a/scripts/deploy.sh b/scripts/deploy.sh index 62264b0..6bdaf06 100755 --- a/scripts/deploy.sh +++ b/scripts/deploy.sh 
@@ -39,10 +39,21 @@ echo "==> Applying database migrations -> $BIFROST_DB_PATH" node scripts/migrate.js echo "==> Restarting $SERVICE" -sudo systemctl restart "$SERVICE" +# Non-interactive: if fenja has the NOPASSWD rule for this unit it restarts +# silently; otherwise we don't hang on a password prompt — we tell the +# operator to restart as a sudo user. +if sudo -n systemctl restart "$SERVICE" 2>/dev/null; then + echo " restarted" +else + echo " !! could not restart without a password." + echo " Run as a sudo user: sudo systemctl restart $SERVICE" + echo " (or grant fenja the NOPASSWD rule — see DEPLOY.md §6)" + exit 1 +fi echo "==> Waiting for health" sleep 2 -sudo systemctl --no-pager --lines=0 status "$SERVICE" +# status is read-only — no sudo needed +systemctl --no-pager --lines=0 status "$SERVICE" || true echo "==> Deploy complete: $(git rev-parse --short HEAD)"
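Review bot: in the DEPLOY.md hunk, the documented rule `fenja ALL=(root) NOPASSWD: /usr/bin/systemctl restart bifrost-portal` only matches when sudo resolves the command to exactly that path with exactly those arguments, while `deploy.sh` invokes a bare `systemctl`, so on a host where `secure_path` resolves it elsewhere (or if `$SERVICE` is ever passed as `bifrost-portal.service`) the rule silently fails to apply and the script takes the "could not restart" branch. Suggest either calling `/usr/bin/systemctl` explicitly in `deploy.sh` or adding one sentence to the doc telling the operator to confirm `sudo -n -l /usr/bin/systemctl restart bifrost-portal` succeeds as `fenja` before relying on it; the `sudo -l -U fenja | grep systemctl` check shown proves the rule exists but not that the invocation in the script matches it.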
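Review bot: in the deploy.sh hunk, `sudo -n systemctl restart "$SERVICE" 2>/dev/null` discards stderr, so a restart that is permitted but fails (bad unit file, service crashing on start) is reported with the same "could not restart without a password" message as a missing sudoers rule, which sends the operator chasing the wrong problem. Suggest testing the permission separately with `sudo -n -l systemctl restart "$SERVICE" >/dev/null 2>&1` and running the restart itself with stderr visible, so systemctl's own error reaches the log. Relatedly, `systemctl ... status "$SERVICE" || true` after "==> Waiting for health" means a unit that failed to come up no longer fails the deploy; `systemctl is-active --quiet "$SERVICE"` (no sudo needed) would be a real health gate here.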