Moved local dir to /opt/sys_config

Improved error logging and added function handling calls with log and return values
Improved check for matching sudo rule

system_setup/logon_script.sh

@@ -14,7 +14,7 @@ elog_add "Logging to File ${LOGFILE}"
 
 if [ "$EUID" -eq 0 ]; then
     elog_add "Error: Cannot run this script as root."
-    exit 1
+    echo "Press any key to continue" && read -n 1 -s -r && exit 1
 fi
 
 #TODO C: Check if Desktop is KDE/Plasma and support other Displays
@@ -22,51 +22,62 @@ fi
 kwriteconfig5 --file kdesurc --group super-user-command --key super-user-command sudo
 if [ $? -ne 0 ]; then
     elog_add "This script should be run in KDE- Desktop. The setup of kwriteconfig5 has failed. Please check, if you are using KDE."
-    exit 1
+    echo "Press any key to continue" && read -n 1 -s -r && exit 1
 fi
 
 #Copy current Version of Autostart-Entry
+rm -f "${HOME}/.config/autostart/logon_script.sh.desktop"
 cp "${SCRIPTPATH}/logon_script.sh.desktop" "${HOME}/.config/autostart"
 if [ $? -ne 0 ]; then
     elog_add "Failed to setup autostart- entry. Check your installation of these scripts."
-    exit 1
+    echo "Press any key to continue" && read -n 1 -s -r && exit 1
 fi
 
 # Mount the private Directory
-if [ ${IPAVAULTUSE} == "true" ]; then
-    ./mount_ecrypt_home.sh
-else
-    ./mount_nocrypt_home.sh
-fi
+elog_add_command "${SYSCONFIGPATH}/system_setup/mount_ecrypt_home.sh"
 if [ $? -ne 0 ]; then
     elog_add "Some Error when mounting private Directory, cannot continue. Your Data will not be available."
+    elog_add "The script was searched by SYSCONFIGPATH in directory ${SYSCONFIGPATH}, please check if your setup is correct."
     elog_add "If you want to redo this script here, execute ${SCRIPTPATH}/${SCRIPTNAME}"
-    echo "Press any key to continue"
-    read -n 1 -s -r
-    exit 1
+    echo "Press any key to continue" && read -n 1 -s -r && exit 1
 fi
 
 #Get WEBDAV TOKEN from Nextcloud
 get_nc_token
+if [ $? -ne 0 ]; then
+    elog_add "Some Error when mounting private Directory, cannot continue. Your Data will not be available."
+    echo "Press any key to continue" && read -n 1 -s -r && exit 1
+fi
 elog_add "Successfully obtained Token for User ${DAVTOKEN_USER}"
 
 #Install Software
-elog_add "==="
-elog_add "Update and install client Software"
-# Without sudoers-rule for run without asking for password, it won't run and quit complaining about not askpass utilities found
-# Hint: To get this working, create a new ipa rule with options "!authenticate" and "setenv"
-# And also add the following sudo-rule: "^\/sys_config\/system_setup\/sync_client_software\.sh.*$"
-/usr/bin/sudo -A --preserve-env /sys_config/system_setup/sync_client_software.sh install 2>&1 | tee ${LOGFILE} -a | grep -v askpass
-INST_RET=$?
-INST_OUT=$( cat ${LOGFILE} )
-if [[ $INST_RET -ne 0 ]]; then
-    if [[ $INST_OUT == *"askpass"* ]]; then
-        elog_add "Not doing Software Updates, as your user is not allowed to execute the script without a password."
-        elog_add "If you want to change this, make a FreeIPA sudoers rule for the script sync_client_software.sh with !authenticate for you and become a member."
-    else
-        elog_add "*** Error executing software sync and install, please check your output! ***"
-        # TODO: This is not working due to the above Command. Redesign command to make it work
-        exit 1
+elog_add ""
+elog_add "Update and install client software"
+
+# First, check the sudo rule
+elog_add "Check the matching client rule:"
+#Somewhat strange sudo -l will ask for password instead of just checking if the rule can be found, so it needs -n to be silent
+# The behaviour will be:
+# If a matching rule with !authenticate is found, no passwd will be asked and retno is 0
+# If there is a rule matching with no !authenticate, then a password would be asked. This is prevented, so there will only be the
+# error "a password is needed" an retno is 1
+# If there is no sudo rule at all, it will only set retno to 1
+elog_add_command "/usr/bin/sudo -n -l ${SYSCONFIGPATH}/system_setup/sync_client_software.sh"
+if [[ $RETNO -ne 0 ]]; then
+    elog_add "Error was no $RETNO"
+    elog_add "No matching IPA rule found for this user, so the user is not allowed to install software, skipping this."
+    elog_add "If you want to change: Please check the sudo rules in ipa and your group membership."
+    elog_add "Hint: the rule must contain the !authenticate and setenv option to work."
+    elog_add "A matching sudo rule could look like this: "'^'${SYSCONFIGPATH////'\/'}'\/system_setup\/sync_client_software\.sh.*$'
+else
+    elog_add "Matching Sudo rule found."
+    elog_add_command "/usr/bin/sudo -n --preserve-env ${SYSCONFIGPATH}/system_setup/sync_client_software.sh install"
+    #ERRTXT=$( { /usr/bin/sudo -n --preserve-env ${SYSCONFIGPATH}/system_setup/sync_client_software.sh install > >(tee -a ${LOGFILE}); } 2>&1 )
+    #ERR=$?
+    if [[ $RETNO -ne 0 ]]; then
+        elog_add "Errorcode was $RETNO"
+        elog_add "Error executing software sync and install, please check your output!"
+        echo "Press any key to continue" && read -n 1 -s -r && exit 1
     fi
 fi
 

system_setup/logon_script.sh.desktop

@@ -1,19 +1,7 @@
 #!/usr/bin/env xdg-open
 [Desktop Entry]
-Comment[de_DE]=
-Comment=
-Exec=/usr/bin/konsole --fullscreen --hide-tabbar --hide-menubar -e /sys_config/system_setup/logon_script.sh
-GenericName[de_DE]=
-GenericName=
+Exec=/usr/bin/konsole --fullscreen --hide-tabbar --hide-menubar -e /opt/sys_config/system_setup/logon_script.sh
 Icon=application-x-shellscript
-MimeType=
-Name[de_DE]=logon_script.sh
 Name=logon_script.sh
-Path=/sys_config/system_setup
-StartupNotify=true
-Terminal=false
-TerminalOptions=
 Type=Application
 X-KDE-AutostartScript=true
-X-KDE-SubstituteUID=false
-X-KDE-Username=

system_setup/mount_ecrypt_home.sh

@@ -19,6 +19,22 @@ if [ $? -eq 0 ]; then
     exit 0
 fi
 
+if [ ${IPAVAULTUSE} == "false" ]; then
+    #No encryption configured, will warn, but will continue
+    echo "Warning: Encryption is turned off by configuration (IPAVAULTUSE is set to false)!"
+    echo "This makes your private data readable by anyone having access to the harddrive. Will continue, but this is not safe!"
+    echo
+    mkdir -p ${DECRYPTEDDATADIR}
+    RETNO=$?
+    if [ ${RETNO} -eq 0 ]; then
+        echo "Private Directory set to ${DECRYPTEDDATADIR}"
+    else
+        echo "Error setting up Directory ${DECRYPTEDDATADIR}"
+    fi
+    ENCKEY=""
+    exit ${RETNO}
+fi
+
 #Test for connectivity
 curl -I https://${SERVERFQDN_IPA}/ipa/session/json >/dev/null 2>&1
 if [ $? -ne 0 ]; then

system_setup/mount_nocrypt_home.sh

@@ -1,32 +0,0 @@
-#!/bin/sh
-# SPDX-FileCopyrightText: Daniel Pätzold
-# SPDX-License-Identifier: AGPL-3.0-or-later
-#
-# 30.12.2025 - Currently, the basic Encryption- System of FreeIPA is NOT WORKING due to failing KRA- Install at FreeIPA
-# I created an Issue for that: https://github.com/dogtagpki/pki/issues/5242
-# So we will skip encryption completely!
-
-source $(dirname "$0")/setup_system.inc.sh
-EXECDIR=$(pwd)
-
-#Check if Directory is alread mounted
-grep ${DECRYPTEDDATADIR} /etc/mtab >/dev/null
-if [ $? -eq 0 ]; then
-    #Directory is already mounted
-    echo "It looks like the directory is already mounted. Not mounting again."
-    exit 0
-fi
-
-#Setup and use encrypted filesystem
-if [ ! -d "${DECRYPTEDDATADIR}" ]; then
-  #Key has been obtained, but no Directory was created till know
-  echo "First Setup of encryption: Creating new Directories now"
-  mkdir -p ${DECRYPTEDDATADIR}
-  if [ $? -eq 0 ]; then
-    echo "Sucessfully mounted encrypted private Directory ${DECRYPTEDDATADIR}"
-    exit 0
-  else
-    echo "Errorcode ${RETAVAL}"
-    exit 1
-  fi
-fi

system_setup/setup_system.conf.dist

@@ -6,7 +6,7 @@ export TLDOMAIN=domain.tld
 export DOMAIN=clients.${TLDOMAIN}
 export SERVERFQDN_IPA=ipa.${TLDOMAIN} # Needs to be the IPA- Server
 export SERVERFQDN_NC=nextcloud.${TLDOMAIN}
-export SYSCONFIGPATH="/sys_config"
+export SYSCONFIGPATH="/opt/sys_config"
 export INSTALLDOCS="https://gitea.dtext.online/obel1x/fedora-OEMDRV/src/branch/main/README.md"
 export CLIENTADMINGROUP="clientadmins"
 
@@ -19,8 +19,8 @@ fi
 export FQDN=${HOSTNM}.${DOMAIN}
 
 #Additional Client-Software- Repository-Folder in Nextcloud (Shared Folder / Systemwide)
-export CLIENT_SOFTWARE_DST="/opt/client_software" # Optional. If you don't have a Folder that should always be synced, leave this empty
-export CLIENT_SOFTWARE_SRC="/Shared/sw_geteilt/client_software"
+export CLIENT_SOFTWARE_DST="/opt/sys_config/client_software" # Optional. If you don't have a Folder that should always be synced, leave this empty
+export CLIENT_SOFTWARE_SRC="/Shared/sw_geteilt/client_software" Set to the Nextcloud directory where the software should come from
 
 #Secure File Encryption
 #Needs a running KRA- Service on FreeIPA

system_setup/setup_system.inc.sh

@@ -14,11 +14,11 @@
 #    fi
 #    return 0
 #}
-if [ ! -f $(pwd)/setup_system.conf ]; then
+if [ ! -f $(dirname "$0")/setup_system.conf ]; then
     echo "System configuration not found. Please make a copy of setup_system.conf.dist, name it setup_system.conf and check the settings in it before running."
-    exit 1
+    echo "Press any key to continue" && read -n 1 -s -r && exit 1
 fi
-source $(pwd)/setup_system.conf
+source $(dirname "$0")/setup_system.conf
 
 #Check if the Data- Directory is encrypted
 check_data_isecrypted() {
@@ -32,11 +32,21 @@ check_data_isecrypted() {
 
 # Functions for logging
 elog_init() {
+    #Create a new logfile and put some text in it
     echo $@ | tee ${LOGFILE}
 }
 elog_add() {
+    #Append some text to the logile
     echo $@ | tee ${LOGFILE} -a
 }
+elog_add_command() {
+    #Run a command, capture all output (STD and ERR) to the logfile AND in variable RETTXT AND output to screen
+    #Returns the exit value of the command in $? and in RETNO
+    RETTXT=$( { $@ > >(tee -a ${LOGFILE}); } 2> >(tee -a ${LOGFILE}) )
+    RETNO=$?
+    echo "${RETTXT}"
+    return ${RETNO}
+}
 
 # Will set variable DAVTOKEN_USER and DAVTOKEN_PASS to the stored value or get a new one
 get_nc_token() {

system_setup/sync_client_software.sh

@@ -9,15 +9,15 @@ source $(dirname "$0")/setup_system.inc.sh
 #Check for root
 if [ "$EUID" -ne 0 ]; then
     echo "Error: Script requires root privileges. It should be executed via logon-script and not standalone."
-    exit 1
+    echo "Press any key to continue" && read -n 1 -s -r && exit 1
 fi
 
 #Check Token
 if [ "${DAVTOKEN_USER}." == "." ]; then
-    echo "Error: Script cannot be executed standalone and needs a prereserved environement from logon-script."
-    echo "To get executed without password prompt, use the NOPASSWD rule in sudo. In FreeIPA you can use the sudo-option !authenticate in the sudo rule."
-    echo "Additionally add the sudo command to the rule: ^\/sys_config\/system_setup\/sync_client_software\.sh.*$"
-    exit 1
+    echo "Error: Script cannot be executed standalone, must be run with a matching sudo rule and needs a prereserved environement from logon-script."
+    elog_add "A matching sudo rule could look like this: "'^'${SYSCONFIGPATH////'\/'}'\/system_setup\/sync_client_software\.sh.*$'
+    elog_add "Hint: the rule must contain the !authenticate and setenv option to work."
+    echo "Press any key to continue" && read -n 1 -s -r && exit 1
 fi
 
 #Check if Repository is defined