diff --git a/debian/DEBIAN/conffiles b/debian/DEBIAN/conffiles
index 5e6c3c0..59b13f5 100644
--- a/debian/DEBIAN/conffiles
+++ b/debian/DEBIAN/conffiles
@@ -1 +1,2 @@
 /etc/tgadmin/tgadmin.json
+/etc/default/tgadmin
diff --git a/debian/DEBIAN/postinst b/debian/DEBIAN/postinst
index 12af7e5..c9ba7dc 100644
--- a/debian/DEBIAN/postinst
+++ b/debian/DEBIAN/postinst
@@ -4,6 +4,9 @@ set -euo pipefail
 PACKAGE_NAME="tgadmin"
 CONFIG_FILE="/etc/${PACKAGE_NAME}/tgadmin.json"
 SCHEMA_FILE="/usr/share/${PACKAGE_NAME}/db_schema.sql"
+DEFAULTS_FILE="/etc/default/${PACKAGE_NAME}"
+SYSTEMD_DROPIN_DIR="/etc/systemd/system/${PACKAGE_NAME}.service.d"
+SYSTEMD_DROPIN_FILE="${SYSTEMD_DROPIN_DIR}/10-run-as.conf"
 DB_NAME="tgadmin"
 DB_USER="tgadmin"
 
@@ -24,6 +27,63 @@ json_set() {
 jq "$1" "${CONFIG_FILE}" > "${tmp}" && mv "${tmp}" "${CONFIG_FILE}"
 }
+resolve_service_identity() {
+ SERVICE_USER="${PACKAGE_NAME}"
+ SERVICE_GROUP="${PACKAGE_NAME}"
+
+ if [ -f "${DEFAULTS_FILE}" ]; then
+ # shellcheck disable=SC1090
+ . "${DEFAULTS_FILE}"
+
+ if [ -n "${TGADMIN_SERVICE_USER:-}" ]; then
+ SERVICE_USER="${TGADMIN_SERVICE_USER}"
+ fi
+ if [ -n "${TGADMIN_SERVICE_GROUP:-}" ]; then
+ SERVICE_GROUP="${TGADMIN_SERVICE_GROUP}"
+ fi
+ fi
+
+ if [ -z "${SERVICE_USER}" ] || [ -z "${SERVICE_GROUP}" ]; then
+ echo "ERROR: TGADMIN_SERVICE_USER and TGADMIN_SERVICE_GROUP must be non-empty." >&2
+ exit 1
+ fi
+}
+
+ensure_service_account() {
+ if ! getent group "${SERVICE_GROUP}" >/dev/null; then
+ groupadd --system "${SERVICE_GROUP}"
+ fi
+
+ if ! id -u "${SERVICE_USER}" >/dev/null 2>&1; then
+ useradd \
+ --system \
+ --gid "${SERVICE_GROUP}" \
+ --no-create-home \
+ --home-dir /nonexistent \
+ --shell /usr/sbin/nologin \
+ "${SERVICE_USER}"
+ fi
+}
+
+configure_systemd_service_user() {
+ if ! command -v systemctl >/dev/null 2>&1; then
+ return
+ fi
+
+ if ! systemctl list-unit-files "${PACKAGE_NAME}.service" >/dev/null 2>&1; then
+ return
+ fi
+
+ mkdir -p "${SYSTEMD_DROPIN_DIR}"
+ cat > "${SYSTEMD_DROPIN_FILE}" <&2 fi
- # Configuration rights — only root and the tgadmin group
- chown root:${PACKAGE_NAME} "${CONFIG_FILE}" 2>/dev/null || chown root:root "${CONFIG_FILE}"
+ # Configuration rights — only root and the service group
+ chown "root:${SERVICE_GROUP}" "${CONFIG_FILE}" 2>/dev/null || chown root:root "${CONFIG_FILE}"
 chmod 0640 "${CONFIG_FILE}"
 ;;
 esac
diff --git a/debian/DEBIAN/postrm b/debian/DEBIAN/postrm
index 774f077..ac8b6a6 100644
--- a/debian/DEBIAN/postrm
+++ b/debian/DEBIAN/postrm
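Review bot: resolve_service_identity takes whatever /etc/default/tgadmin assigns without validating it, so `TGADMIN_SERVICE_USER=root` passes the non-empty check, skips useradd because `id -u root` succeeds, yields `chown root:root` on the config, and ends up in the drop-in that configure_systemd_service_user writes (presumably as `User=`/`Group=`; the here-doc body is garbled in this rendering, as is the rest of the hunk after the `cat` line), silently undoing the privilege drop this change exists to enforce. Because the name is expanded into a systemd unit fragment, a value containing a newline could also smuggle in extra `[Service]` directives. Restrict both names to the portable user-name charset and refuse `root` as below, and after ensure_service_account add a uid check such as `[ "$(id -u "${SERVICE_USER}")" -ne 0 ] || { echo "ERROR: ${SERVICE_USER} is uid 0." >&2; exit 1; }` so an alias of root is caught too. Sourcing the defaults file with `.` executes its contents as root, which is acceptable only while it stays a root-owned conffile; a comment above that line, `# Sourced as root: only plain KEY=value assignments belong in this file.`, makes the trust boundary explicit.

```shell
resolve_service_identity() {
    # … unchanged: defaults and sourcing of ${DEFAULTS_FILE} …

    # Both names are passed to useradd/groupadd and expanded into a systemd
    # drop-in, so reject root, empty values and anything outside [a-z0-9_-].
    for name in "${SERVICE_USER}" "${SERVICE_GROUP}"; do
        case "${name}" in
            root|''|[!a-z_]*|*[!a-z0-9_-]*)
                echo "ERROR: invalid service account name '${name}' in ${DEFAULTS_FILE}." >&2
                exit 1
                ;;
        esac
    done
}
```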
@@ -23,6 +23,8 @@ FLUSH PRIVILEGES;
 SQL
 fi
 rm -f "${CONFIG_FILE}"
+ rm -f "/etc/systemd/system/${PACKAGE_NAME}.service.d/10-run-as.conf"
+ rmdir --ignore-fail-on-non-empty "/etc/systemd/system/${PACKAGE_NAME}.service.d"
 rmdir --ignore-fail-on-non-empty "/etc/${PACKAGE_NAME}"
 ;;
 remove)
diff --git a/debian/etc/default/tgadmin b/debian/etc/default/tgadmin
new file mode 100644
index 0000000..3bea83a
--- /dev/null
+++ b/debian/etc/default/tgadmin
@@ -0,0 +1,11 @@
+# Service identity used by postinst when configuring tgadmin.service.
+#
+# By default package runs daemon as the system account "tgadmin".
+# Override only if you need a different existing or system account.
+#
+# Example:
+# TGADMIN_SERVICE_USER=mybot
+# TGADMIN_SERVICE_GROUP=mybot
+
+TGADMIN_SERVICE_USER=tgadmin
+TGADMIN_SERVICE_GROUP=tgadmin
diff --git a/debian/lib/systemd/system/tgadmin.service b/debian/lib/systemd/system/tgadmin.service
new file mode 100644
index 0000000..fb3cd6f
--- /dev/null
+++ b/debian/lib/systemd/system/tgadmin.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=TGAdmin Telegram moderation daemon
+After=network-online.target mariadb.service mysql.service
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/adminhelperd
+Restart=on-failure
+RestartSec=5
+NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target
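Review bot: The purge branch deletes the drop-in but never tells systemd, so a unit that is still loaded keeps the stale run-as settings until the next boot or an unrelated reload; these are hand-written maintainer scripts under debian/DEBIAN with no debhelper to generate that step, so add `if command -v systemctl >/dev/null 2>&1; then systemctl daemon-reload || true; fi` after the two new lines (the `|| true` keeps purge working in chroots where systemd is not running). The path is also spelled out as a literal here while postinst derives it from SYSTEMD_DROPIN_DIR/SYSTEMD_DROPIN_FILE; defining the same two variables at the top of postrm keeps `10-run-as.conf` in one place so a later rename cannot leave an orphaned drop-in behind. The case branch this hunk sits in starts before the hunk.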
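Review bot: The header comment of the new /etc/default/tgadmin does not tell the administrator the two facts that matter for safety: the file is sourced by postinst as root, and the account must not be root. Replace the sentence `# Override only if you need a different existing or system account.` with `# This file is sourced by postinst as root: keep it to plain KEY=value lines.` and `# The account must be a non-root system account; postinst creates it if missing.` The "Example" block would read more naturally as "Example (an existing or to-be-created system account):".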
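Review bot: The shipped unit carries no `User=`/`Group=`, so whenever the postinst drop-in is absent — systemctl not present at install time, `systemctl list-unit-files` failing, or the drop-in removed by hand — adminhelperd runs as root with NoNewPrivileges= as its only restriction. Put `User=tgadmin` and `Group=tgadmin` in the unit itself so the drop-in overrides a safe default rather than supplying the only one, and add the usual sandboxing for a daemon that only needs to reach Telegram and the local database. Whether each directive below is compatible with /usr/bin/adminhelperd (a UNIX-socket MariaDB connection needs AF_UNIX; a JIT runtime conflicts with MemoryDenyWriteExecute, which is why it is left out) cannot be told from the diff and needs a test run before merging.

```ini
[Service]
Type=simple
User=tgadmin
Group=tgadmin
ExecStart=/usr/bin/adminhelperd
Restart=on-failure
RestartSec=5
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
CapabilityBoundingSet=
; … unchanged: [Unit] and [Install] sections …
```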