fix(deploy): non-interactive restart in deploy.sh; restart-only sudoers rule

deploy.sh runs as fenja and called `sudo systemctl restart`, which prompted
for fenja's (nonexistent) password and aborted the deploy. Use `sudo -n` so
it never hangs: restart silently when the NOPASSWD rule is present, else
print the manual restart command and exit non-zero. Drop sudo from the
read-only status line. Narrow the documented sudoers rule to restart-only
and create it via visudo.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Arlind 2026-06-17 15:55:38 +02:00
parent 0a62984e91
commit 505484124d
2 changed files with 28 additions and 6 deletions


@ -161,14 +161,25 @@ sudo systemctl status bifrost-portal --no-pager
curl -fsS http://127.0.0.1:4322/login >/dev/null && echo "app responding on 4322" curl -fsS http://127.0.0.1:4322/login >/dev/null && echo "app responding on 4322"
``` ```
Let `fenja` restart just this unit without a password (used by `deploy.sh`): Let `fenja` restart just this unit without a password (used by `deploy.sh`).
`deploy.sh` runs as `fenja` and escalates only for the restart; reading status
needs no sudo. Create the rule with `visudo` (validates syntax, sets perms):
```bash ```bash
echo 'fenja ALL=(root) NOPASSWD: /usr/bin/systemctl restart bifrost-portal, /usr/bin/systemctl status bifrost-portal' \ sudo visudo -f /etc/sudoers.d/bifrost-portal
| sudo tee /etc/sudoers.d/bifrost-portal
sudo chmod 440 /etc/sudoers.d/bifrost-portal
``` ```
Add exactly this one line (a single-command allowlist — not general sudo):
```
fenja ALL=(root) NOPASSWD: /usr/bin/systemctl restart bifrost-portal
```
Verify: `sudo -l -U fenja | grep systemctl` shows only that command. If you'd
rather keep sudo exclusively with admin users, skip this — `deploy.sh` will
then stop before the restart and print the `sudo systemctl restart
bifrost-portal` command for you to run as an admin.
## 7. nginx + TLS ## 7. nginx + TLS
```bash ```bash
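Review bot: "Add exactly this one line" in the new DEPLOY.md text does not cover hosts that were provisioned with the old `tee` command, where /etc/sudoers.d/bifrost-portal already holds the rule that also allows `systemctl status`. Opening that file with `visudo -f` and adding a line leaves the old entry in place, so the rule is not actually narrowed on those hosts. Suggest wording it as "the file should contain exactly this one line" and saying that the `sudo -l -U fenja | grep systemctl` check should no longer list the status command. It is also worth stating that sudoers matches the listed arguments literally, so the unit name in the rule has to be the same string that deploy.sh passes as `$SERVICE`.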


@ -39,10 +39,21 @@ echo "==> Applying database migrations -> $BIFROST_DB_PATH"
node scripts/migrate.js node scripts/migrate.js
echo "==> Restarting $SERVICE" echo "==> Restarting $SERVICE"
sudo systemctl restart "$SERVICE" # Non-interactive: if fenja has the NOPASSWD rule for this unit it restarts
# silently; otherwise we don't hang on a password prompt — we tell the
# operator to restart as a sudo user.
if sudo -n systemctl restart "$SERVICE" 2>/dev/null; then
echo " restarted"
else
echo " !! could not restart without a password."
echo " Run as a sudo user: sudo systemctl restart $SERVICE"
echo " (or grant fenja the NOPASSWD rule — see DEPLOY.md §6)"
exit 1
fi
echo "==> Waiting for health" echo "==> Waiting for health"
sleep 2 sleep 2
sudo systemctl --no-pager --lines=0 status "$SERVICE" # status is read-only — no sudo needed
systemctl --no-pager --lines=0 status "$SERVICE" || true
echo "==> Deploy complete: $(git rev-parse --short HEAD)" echo "==> Deploy complete: $(git rev-parse --short HEAD)"
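Review bot: In the new `if sudo -n systemctl restart "$SERVICE" 2>/dev/null` test, the else branch fires on any non-zero exit, not only on a missing NOPASSWD rule, and `2>/dev/null` discards the message that would tell the two cases apart. If the rule is present but systemctl itself fails (for example the unit does not start), the operator is told "could not restart without a password", which points them at the wrong problem. Suggest either leaving stderr visible, or probing first with `sudo -n -l systemctl restart "$SERVICE" >/dev/null 2>&1` and then running the restart with its errors shown. Separately, `status "$SERVICE" || true` followed by "Deploy complete" means a unit that died right after the restart still reports a successful deploy; gating on `systemctl is-active --quiet "$SERVICE"` would close that gap.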