Moved local dir to /opt/sys_config

Improved error logging and added function handling calls with log and return values Improved check for matching sudo rule
2026-03-15 12:44:14 +01:00
parent 445c52fb27
commit 488f04d387
17 changed files with 307 additions and 83 deletions
@@ -0,0 +1 @@
 .sync_*.db
@@ -0,0 +1,79 @@
 #!/usr/bin/env sh
 # SPDX-FileCopyrightText: Daniel Pätzold
 # SPDX-License-Identifier: AGPL-3.0-or-later
 #
 # Sofwareinstallation script for Nextcloud Desktop
 #
 echo "Setup Nextcloud- Sync"
 #Check for root
 if [ "$EUID" -ne 0 ]; then
    echo "Error: Script requires root. Please check if ${SCRIPTPATH}/${SCRIPTNAME} is in sudoers rules and if you are a member. And if executed via sudo."
    exit 1
 fi
 #Check Token
 if [ "${DAVTOKEN_USER}." == "." ]; then
    echo "Error: Script cannot be executed standalone and needs a prereserved Environment. Quit."
    exit 1
 fi
 #Check if Option is Configured to use Nextcloud Desktop Data- Sync
 if [ "${CLIENT_DATA_DST}." == "." ]; then
    echo "CLIENT_DATA_DST not set, skipping setup of Nextcloud Desktop sync of Data-Directory"
    exit 0
 fi
 #Local Vars
 BASECMD="/usr/bin/flatpak run --branch=stable --arch=x86_64 --command=nextcloud com.nextcloud.desktopclient.nextcloud"
 SYNCCMD="$BASECMD --userid ${DAVTOKEN_USER} --apppassword ${DAVTOKEN_PASS} --localdirpath ${CLIENT_DATA_DST} --remotedirpath ${CLIENT_DATA_SRC} --serverurl https://${SERVERFQDN_NC}"
 SYNCCMD_HIDDENPW=$( echo "${SYNCCMD/${DAVTOKEN_PASS}/***HIDDEN***}" )
 #Check if Nextcloud was already setup
 if grep -q "localPath=${CLIENT_DATA_DST}" "/${SUDO_HOME}/.var/app/com.nextcloud.desktopclient.nextcloud/config/Nextcloud/nextcloud.cfg"; then
    SETUP_NEEDED="0"
 else
    SETUP_NEEDED="1"
 fi
 #Remove Nextcloud from autostart - if it was started befor the ecrypted mount, i will never sync and always throw an error that the local dir is missing
 if [ -f "$SUDO_HOME/.config/autostart/com.nextcloud.desktopclient.nextcloud.desktop" ]; then
  echo "Remove Autostart Nextcloud"
  rm $SUDO_HOME/.config/autostart/com.nextcloud.desktopclient.nextcloud.desktop
  #Stopping Nextcloud
  su -c "$BASECMD --quit 1>/dev/null 2>/dev/null" $SUDO_USER
  sleep 5
 fi
 if [ $SETUP_NEEDED = "0" ]; then
    echo "Nextcloud was already setup, skipping configure and starting Service"
    echo "If you want to reset, please delete the Folder [HOME]/.var/app/com.nextcloud.desktopclient.nextcloud manually."
    echo "Command: rm -ri ~/.var/app/com.nextcloud.desktopclient.nextcloud/"
    su -c "nohup ${BASECMD} 1>/dev/null 2>/dev/null &" $SUDO_USER
    exit $?
 fi
 #No check for installed Nextcloud needed, because it will be installed by calling script sync_client_software.sh
 echo "Syncing Files from remote ${CLIENT_DATA_SRC} to local ${CLIENT_DATA_DST}"
 if [ -d "${CLIENT_DATA_DST}" ]; then
    echo "Old unsynced Foler ${CLIENT_DATA_DST} was found, renaming to ${CLIENT_DATA_DST}_bak."
    mv "${CLIENT_DATA_DST}" "${CLIENT_DATA_DST}_bak"
 fi
 su -c "mkdir -p ${CLIENT_DATA_DST}" $SUDO_USER
 #Cleanup Nextcloud Configuration completely, while otherwise, the configure will not work
 echo "Remove $SUDO_HOME/.var/app/com.nextcloud.desktopclient.nextcloud"
 rm -rif "$SUDO_HOME/.var/app/com.nextcloud.desktopclient.nextcloud"
 #echo "Exec as $SUDO_USER: ${SYNCCMD}"
 echo "Exec as $SUDO_USER: ${SYNCCMD_HIDDENPW}"
 su -c "${SYNCCMD}" $SUDO_USER
 if [ $? -ne 0 ]; then
    echo "=========== !!! ========================"
    echo "Error: It looks like this did not work!"
    echo "Please check the above output!"
    exit 1
 fi
 # Now start Nextcloud
 su -c "nohup ${BASECMD} 1>/dev/null 2>/dev/null &" $SUDO_USER
 echo "Done Setup of Nextcloud."
@@ -0,0 +1,17 @@
 [Desktop Entry]
 Comment[de_DE]=
 Comment=
 Exec=/opt/sys_config/system_setup/mozilla_starter.sh firefox run
 GenericName[de_DE]=
 GenericName=
 Icon=firefox
 MimeType=
 Name[de_DE]=Firefox
 Name=Firefox
 Path=/opt/sys_config/system_setup
 StartupNotify=true
 Terminal=true
 TerminalOptions=
 Type=Application
 X-KDE-SubstituteUID=false
 X-KDE-Username=
@@ -0,0 +1,17 @@
 [Desktop Entry]
 Comment[de_DE]=
 Comment=
 Exec=/opt/sys_config/system_setup/mozilla_starter.sh thunderbird run
 GenericName[de_DE]=
 GenericName=
 Icon=thunderbird
 MimeType=
 Name[de_DE]=Thunderbird
 Name=Thunderbird
 Path=/opt/sys_config/system_setup
 StartupNotify=true
 Terminal=true
 TerminalOptions=
 Type=Application
 X-KDE-SubstituteUID=false
 X-KDE-Username=
@@ -0,0 +1,15 @@
 #!/usr/bin/env sh
 # SPDX-FileCopyrightText: Daniel Pätzold
 # SPDX-License-Identifier: AGPL-3.0-or-later
 #
 # Sofwareinstallation script for Nextcloud Talk.
 #
 #Check for root
 if [ "$EUID" -ne 0 ]; then
    echo "Error: Script requires root. Please check if ${SCRIPTPATH}/${SCRIPTNAME} is in sudoers rules and if you are a member. And if executed via sudo."
    exit 1
 fi
 cp -n *.desktop $SUDO_HOME/Schreibtisch
 chown $SUDO_USER:$SUDO_USER $SUDO_HOME/Schreibtisch/*.desktop
@@ -0,0 +1 @@
 Nextcloud.Talk-linux-x64.flatpak
@@ -0,0 +1,10 @@
 [Desktop Entry]
 Categories=Network;InstantMessaging;Chat;VideoConference;
 Comment=Official desktop client for Nextcloud Talk
 Exec=/usr/bin/flatpak run --branch=stable --arch=x86_64 --command=electron-wrapper --file-forwarding com.nextcloud.talk @@u %U @@
 GenericName=Video and Chat Communication
 Icon=com.nextcloud.talk
 Name=Nextcloud Talk
 StartupNotify=true
 Type=Application
 X-Flatpak=com.nextcloud.talk
@@ -0,0 +1,38 @@
 #!/usr/bin/env sh
 # SPDX-FileCopyrightText: Daniel Pätzold
 # SPDX-License-Identifier: AGPL-3.0-or-later
 #
 # Sofwareinstallation script for Nextcloud Talk.
 #
 #Check for root
 if [ "$EUID" -ne 0 ]; then
    echo "Error: Script requires root. Please check if ${SCRIPTPATH}/${SCRIPTNAME} is in sudoers rules and if you are a member. And if executed via sudo."
    exit 1
 fi
 FILENAME="Nextcloud.Talk-linux-x64.flatpak"
 SCRIPTPATH="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
 if [ ${SCRIPTPATH::2} == "//" ]; then
    SCRIPTPATH=${SCRIPTPATH:1}
 fi
 echo "Getting new Version online and saving File to ${SCRIPTPATH}/${FILENAME}"
 wget -q -P ${SCRIPTPATH} --timestamping https://github.com/nextcloud-releases/talk-desktop/releases/latest/download/${FILENAME}
 # Not needed: Package has no Version, but internal Commit should be automagically detected, see "flatpak list -d"
 #INSTINFO=$( /usr/bin/flatpak list --columns=app,version | grep com.nextcloud.talk )
 #Hint: If this fails, try to remove and Download the File again
 # Install or update Talk - always in Superuser- Mode
 # As User you may install Talk in userspace (with -u), but you cannot update the runtime org.freedesktop.Platform/x86_64/XX.YY
 # So it does not make any sense to install as user
 /usr/bin/flatpak install -y --or-update --noninteractive --bundle ${SCRIPTPATH}/${FILENAME} && echo Done Install of ${FILENAME}
 #TODO: Check if Talk is installed - if not, exit 1
 exit 0
 #Start App - is not working, always quits with that shell
 #nohup /usr/bin/flatpak run -u --branch=stable --arch=x86_64 --command=electron-wrapper --file-forwarding com.nextcloud.talk --background >/dev/null &
 #/usr/bin/flatpak run -u --branch=stable --arch=x86_64 --command=electron-wrapper --file-forwarding com.nextcloud.talk --background @@u %U @@ >/dev/null 2>&1 &
@@ -0,0 +1,7 @@
 Central Software installation script Repository
 Must be executed from script ../sync_client_software.sh
 The install script here will check for the right environment, and execute the install.sh script in each directory.
 Be sure to name the directories to get sorted the right way.
 E.g. you may use all base installations with directories beginning with numbers < 0100 and all additional apps with numbers > 0100
@@ -0,0 +1,46 @@
 #!/usr/bin/env sh
 # SPDX-FileCopyrightText: Daniel Pätzold
 # SPDX-License-Identifier: AGPL-3.0-or-later
 #
 # Central sofwareinstallation script. Should be called from ""/sys_config/system_setup/sync_client_software.sh install"
 #
 if [ "$EUID" -ne 0 ] || [ "$SUDO_USER." == "." ]; then
    echo "Error: Script requires root privileges and a sudo environment."
    exit 1
 fi
 #Check Token
 if [ "${DAVTOKEN_USER}." == "." ]; then
    echo "Error: Script cannot be executed standalone and needs a prereserved environement from logon-script."
    echo "To get executed without password prompt, use the NOPASSWD rule in sudo. In FreeIPA you can use the sudo-option !authenticate in the sudo rule."
    echo "Additionally add the sudo command to the rule: ^\/sys_config\/system_setup\/sync_client_software\.sh.*$"
    echo "Press any key to continue" && read -n 1 -s -r && exit 1
 fi
 echo "Installing additional Software."
 for DIR in $(ls -d /${SCRIPTPATH}/*/ | sort);     # list directories in the form "/tmp/dirname/"
 do
    DIR=${DIR%*/}      # remove the trailing "/"
    if [ -f "${DIR}/install.sh" ]; then
        echo "*** ==================== ***"
        echo "*** Installing ${DIR##*/} ***" # print everything after the final "/"
        cd ${DIR}
        ${DIR}/install.sh
        if [ $? -ne 0 ]; then
          echo "*** ==================== ***"
          echo "Some Error in script, will not continue. Please check."
          echo "Press any key to continue."
          read -n 1 -s -r
          cd ${SCRIPTPATH}
          exit 1
        fi
        echo "*** ==================== ***"
    fi
 done
 cd ${SCRIPTPATH}
 #Last, remove unused Flatpak- Runtimes and unused Data
 echo "Removing unused Flatpak- Data."
 flatpak uninstall --unused -y
 su -c "flatpak uninstall --delete-data -y" $SUDO_USER
 echo "Sucessfully Installed Software."
@@ -14,7 +14,7 @@ elog_add "Logging to File ${LOGFILE}"
 if [ "$EUID" -eq 0 ]; then
    elog_add "Error: Cannot run this script as root."
-    exit 1
+    echo "Press any key to continue" && read -n 1 -s -r && exit 1
 fi
 #TODO C: Check if Desktop is KDE/Plasma and support other Displays
@@ -22,51 +22,62 @@ fi
 kwriteconfig5 --file kdesurc --group super-user-command --key super-user-command sudo
 if [ $? -ne 0 ]; then
    elog_add "This script should be run in KDE- Desktop. The setup of kwriteconfig5 has failed. Please check, if you are using KDE."
-    exit 1
+    echo "Press any key to continue" && read -n 1 -s -r && exit 1
 fi
 #Copy current Version of Autostart-Entry
 rm -f "${HOME}/.config/autostart/logon_script.sh.desktop"
 cp "${SCRIPTPATH}/logon_script.sh.desktop" "${HOME}/.config/autostart"
 if [ $? -ne 0 ]; then
    elog_add "Failed to setup autostart- entry. Check your installation of these scripts."
-    exit 1
+    echo "Press any key to continue" && read -n 1 -s -r && exit 1
 fi
 # Mount the private Directory
-if [ ${IPAVAULTUSE} == "true" ]; then
+elog_add_command "${SYSCONFIGPATH}/system_setup/mount_ecrypt_home.sh"
    ./mount_ecrypt_home.sh
 else
    ./mount_nocrypt_home.sh
 fi
 if [ $? -ne 0 ]; then
    elog_add "Some Error when mounting private Directory, cannot continue. Your Data will not be available."
    elog_add "The script was searched by SYSCONFIGPATH in directory ${SYSCONFIGPATH}, please check if your setup is correct."
    elog_add "If you want to redo this script here, execute ${SCRIPTPATH}/${SCRIPTNAME}"
-    echo "Press any key to continue"
+    echo "Press any key to continue" && read -n 1 -s -r && exit 1
    read -n 1 -s -r
    exit 1
 fi
 #Get WEBDAV TOKEN from Nextcloud
 get_nc_token
 if [ $? -ne 0 ]; then
    elog_add "Some Error when mounting private Directory, cannot continue. Your Data will not be available."
    echo "Press any key to continue" && read -n 1 -s -r && exit 1
 fi
 elog_add "Successfully obtained Token for User ${DAVTOKEN_USER}"
 #Install Software
-elog_add "==="
+elog_add ""
-elog_add "Update and install client Software"
+elog_add "Update and install client software"
-# Without sudoers-rule for run without asking for password, it won't run and quit complaining about not askpass utilities found
+
-# Hint: To get this working, create a new ipa rule with options "!authenticate" and "setenv"
+# First, check the sudo rule
-# And also add the following sudo-rule: "^\/sys_config\/system_setup\/sync_client_software\.sh.*$"
+elog_add "Check the matching client rule:"
-/usr/bin/sudo -A --preserve-env /sys_config/system_setup/sync_client_software.sh install 2>&1 | tee ${LOGFILE} -a | grep -v askpass
+#Somewhat strange sudo -l will ask for password instead of just checking if the rule can be found, so it needs -n to be silent
-INST_RET=$?
+# The behaviour will be:
-INST_OUT=$( cat ${LOGFILE} )
+# If a matching rule with !authenticate is found, no passwd will be asked and retno is 0
-if [[ $INST_RET -ne 0 ]]; then
+# If there is a rule matching with no !authenticate, then a password would be asked. This is prevented, so there will only be the
-    if [[ $INST_OUT == *"askpass"* ]]; then
+# error "a password is needed" an retno is 1
-        elog_add "Not doing Software Updates, as your user is not allowed to execute the script without a password."
+# If there is no sudo rule at all, it will only set retno to 1
-        elog_add "If you want to change this, make a FreeIPA sudoers rule for the script sync_client_software.sh with !authenticate for you and become a member."
+elog_add_command "/usr/bin/sudo -n -l ${SYSCONFIGPATH}/system_setup/sync_client_software.sh"
-    else
+if [[ $RETNO -ne 0 ]]; then
-        elog_add "*** Error executing software sync and install, please check your output! ***"
+    elog_add "Error was no $RETNO"
-        # TODO: This is not working due to the above Command. Redesign command to make it work
+    elog_add "No matching IPA rule found for this user, so the user is not allowed to install software, skipping this."
-        exit 1
+    elog_add "If you want to change: Please check the sudo rules in ipa and your group membership."
    elog_add "Hint: the rule must contain the !authenticate and setenv option to work."
    elog_add "A matching sudo rule could look like this: "'^'${SYSCONFIGPATH////'\/'}'\/system_setup\/sync_client_software\.sh.*$'
 else
    elog_add "Matching Sudo rule found."
    elog_add_command "/usr/bin/sudo -n --preserve-env ${SYSCONFIGPATH}/system_setup/sync_client_software.sh install"
    #ERRTXT=$( { /usr/bin/sudo -n --preserve-env ${SYSCONFIGPATH}/system_setup/sync_client_software.sh install > >(tee -a ${LOGFILE}); } 2>&1 )
    #ERR=$?
    if [[ $RETNO -ne 0 ]]; then
        elog_add "Errorcode was $RETNO"
        elog_add "Error executing software sync and install, please check your output!"
        echo "Press any key to continue" && read -n 1 -s -r && exit 1
    fi
 fi
@@ -1,19 +1,7 @@
 #!/usr/bin/env xdg-open
 [Desktop Entry]
-Comment[de_DE]=
+Exec=/usr/bin/konsole --fullscreen --hide-tabbar --hide-menubar -e /opt/sys_config/system_setup/logon_script.sh
 Comment=
 Exec=/usr/bin/konsole --fullscreen --hide-tabbar --hide-menubar -e /sys_config/system_setup/logon_script.sh
 GenericName[de_DE]=
 GenericName=
 Icon=application-x-shellscript
 MimeType=
 Name[de_DE]=logon_script.sh
 Name=logon_script.sh
 Path=/sys_config/system_setup
 StartupNotify=true
 Terminal=false
 TerminalOptions=
 Type=Application
 X-KDE-AutostartScript=true
 X-KDE-SubstituteUID=false
 X-KDE-Username=
@@ -19,6 +19,22 @@ if [ $? -eq 0 ]; then
    exit 0
 fi
 if [ ${IPAVAULTUSE} == "false" ]; then
    #No encryption configured, will warn, but will continue
    echo "Warning: Encryption is turned off by configuration (IPAVAULTUSE is set to false)!"
    echo "This makes your private data readable by anyone having access to the harddrive. Will continue, but this is not safe!"
    echo
    mkdir -p ${DECRYPTEDDATADIR}
    RETNO=$?
    if [ ${RETNO} -eq 0 ]; then
        echo "Private Directory set to ${DECRYPTEDDATADIR}"
    else
        echo "Error setting up Directory ${DECRYPTEDDATADIR}"
    fi
    ENCKEY=""
    exit ${RETNO}
 fi
 #Test for connectivity
 curl -I https://${SERVERFQDN_IPA}/ipa/session/json >/dev/null 2>&1
 if [ $? -ne 0 ]; then
@@ -1,32 +0,0 @@
 #!/bin/sh
 # SPDX-FileCopyrightText: Daniel Pätzold
 # SPDX-License-Identifier: AGPL-3.0-or-later
 #
 # 30.12.2025 - Currently, the basic Encryption- System of FreeIPA is NOT WORKING due to failing KRA- Install at FreeIPA
 # I created an Issue for that: https://github.com/dogtagpki/pki/issues/5242
 # So we will skip encryption completely!
 source $(dirname "$0")/setup_system.inc.sh
 EXECDIR=$(pwd)
 #Check if Directory is alread mounted
 grep ${DECRYPTEDDATADIR} /etc/mtab >/dev/null
 if [ $? -eq 0 ]; then
    #Directory is already mounted
    echo "It looks like the directory is already mounted. Not mounting again."
    exit 0
 fi
 #Setup and use encrypted filesystem
 if [ ! -d "${DECRYPTEDDATADIR}" ]; then
  #Key has been obtained, but no Directory was created till know
  echo "First Setup of encryption: Creating new Directories now"
  mkdir -p ${DECRYPTEDDATADIR}
  if [ $? -eq 0 ]; then
    echo "Sucessfully mounted encrypted private Directory ${DECRYPTEDDATADIR}"
    exit 0
  else
    echo "Errorcode ${RETAVAL}"
    exit 1
  fi
 fi
@@ -6,7 +6,7 @@ export TLDOMAIN=domain.tld
 export DOMAIN=clients.${TLDOMAIN}
 export SERVERFQDN_IPA=ipa.${TLDOMAIN} # Needs to be the IPA- Server
 export SERVERFQDN_NC=nextcloud.${TLDOMAIN}
-export SYSCONFIGPATH="/sys_config"
+export SYSCONFIGPATH="/opt/sys_config"
 export INSTALLDOCS="https://gitea.dtext.online/obel1x/fedora-OEMDRV/src/branch/main/README.md"
 export CLIENTADMINGROUP="clientadmins"
@@ -19,8 +19,8 @@ fi
 export FQDN=${HOSTNM}.${DOMAIN}
 #Additional Client-Software- Repository-Folder in Nextcloud (Shared Folder / Systemwide)
-export CLIENT_SOFTWARE_DST="/opt/client_software" # Optional. If you don't have a Folder that should always be synced, leave this empty
+export CLIENT_SOFTWARE_DST="/opt/sys_config/client_software" # Optional. If you don't have a Folder that should always be synced, leave this empty
-export CLIENT_SOFTWARE_SRC="/Shared/sw_geteilt/client_software"
+export CLIENT_SOFTWARE_SRC="/Shared/sw_geteilt/client_software" Set to the Nextcloud directory where the software should come from
 #Secure File Encryption
 #Needs a running KRA- Service on FreeIPA
@@ -14,11 +14,11 @@
 #    fi
 #    return 0
 #}
-if [ ! -f $(pwd)/setup_system.conf ]; then
+if [ ! -f $(dirname "$0")/setup_system.conf ]; then
    echo "System configuration not found. Please make a copy of setup_system.conf.dist, name it setup_system.conf and check the settings in it before running."
-    exit 1
+    echo "Press any key to continue" && read -n 1 -s -r && exit 1
 fi
-source $(pwd)/setup_system.conf
+source $(dirname "$0")/setup_system.conf
 #Check if the Data- Directory is encrypted
 check_data_isecrypted() {
@@ -32,11 +32,21 @@ check_data_isecrypted() {
 # Functions for logging
 elog_init() {
    #Create a new logfile and put some text in it
    echo $@ | tee ${LOGFILE}
 }
 elog_add() {
    #Append some text to the logile
    echo $@ | tee ${LOGFILE} -a
 }
 elog_add_command() {
    #Run a command, capture all output (STD and ERR) to the logfile AND in variable RETTXT AND output to screen
    #Returns the exit value of the command in $? and in RETNO
    RETTXT=$( { $@ > >(tee -a ${LOGFILE}); } 2> >(tee -a ${LOGFILE}) )
    RETNO=$?
    echo "${RETTXT}"
    return ${RETNO}
 }
 # Will set variable DAVTOKEN_USER and DAVTOKEN_PASS to the stored value or get a new one
 get_nc_token() {
@@ -9,15 +9,15 @@ source $(dirname "$0")/setup_system.inc.sh
 #Check for root
 if [ "$EUID" -ne 0 ]; then
    echo "Error: Script requires root privileges. It should be executed via logon-script and not standalone."
-    exit 1
+    echo "Press any key to continue" && read -n 1 -s -r && exit 1
 fi
 #Check Token
 if [ "${DAVTOKEN_USER}." == "." ]; then
-    echo "Error: Script cannot be executed standalone and needs a prereserved environement from logon-script."
+    echo "Error: Script cannot be executed standalone, must be run with a matching sudo rule and needs a prereserved environement from logon-script."
-    echo "To get executed without password prompt, use the NOPASSWD rule in sudo. In FreeIPA you can use the sudo-option !authenticate in the sudo rule."
+    elog_add "A matching sudo rule could look like this: "'^'${SYSCONFIGPATH////'\/'}'\/system_setup\/sync_client_software\.sh.*$'
-    echo "Additionally add the sudo command to the rule: ^\/sys_config\/system_setup\/sync_client_software\.sh.*$"
+    elog_add "Hint: the rule must contain the !authenticate and setenv option to work."
-    exit 1
+    echo "Press any key to continue" && read -n 1 -s -r && exit 1
 fi
 #Check if Repository is defined