feat : sudoers bug (WIP)

This commit is contained in:
2026-03-17 15:14:52 +01:00
parent 122f53f804
commit b76b6613bf
3 changed files with 49 additions and 70 deletions


@@ -102,38 +102,6 @@ cleanup() {
}
trap cleanup EXIT
copy_file_to_remote_via_ssh() {
local local_file="$1"
local remote_final_path="$2"
local remote_mode="$3"
local remote_parent
local remote_tmp
[[ -f "$local_file" ]] || fail "fichier source introuvable : $local_file"
[[ -r "$local_file" ]] || fail "fichier source non lisible : $local_file"
remote_parent="$(dirname "$remote_final_path")"
remote_tmp="/tmp/bootstrap_copy.$$.$RANDOM.tmp"
ssh "${SSH_OPTS[@]}" "$REMOTE" "
set -euo pipefail
mkdir -p $(shell_quote "$remote_parent")
test -d $(shell_quote "$remote_parent")
test -w $(shell_quote "$remote_parent")
" >/dev/null 2>&1 || fail "dossier distant absent ou non inscriptible : $remote_parent"
ssh "${SSH_OPTS[@]}" "$REMOTE" "
set -euo pipefail
cat > $(shell_quote "$remote_tmp")
" < "$local_file" >/dev/null 2>&1 || fail "échec d'écriture temporaire distante : $remote_tmp"
ssh "${SSH_OPTS[@]}" "$REMOTE" "
set -euo pipefail
install -m $(shell_quote "$remote_mode") $(shell_quote "$remote_tmp") $(shell_quote "$remote_final_path")
rm -f $(shell_quote "$remote_tmp")
" >/dev/null 2>&1 || fail "échec d'installation distante : $remote_final_path"
}
TARGET_NAME="${CLI_TARGET:-${TARGET_NAME:-}}"
[[ -n "$TARGET_NAME" ]] || fail "target manquante"
@@ -231,6 +199,7 @@ to_bool_yes_no "$TARGET_BOOTSTRAP_ALLOW_PASSWORDLESS_SUDO_VALUE" >/dev/null || f
ALLOW_PASSWORDLESS_SUDO="$(to_bool_yes_no "$TARGET_BOOTSTRAP_ALLOW_PASSWORDLESS_SUDO_VALUE")"
require_cmd ssh
require_cmd scp
require_cmd python3
SSH_OPTS=(
@@ -322,17 +291,24 @@ EXCLUDED_RESTORE_ROLES=$(printf '%s\n' "$TARGET_EXCLUDED_RESTORE_ROLES_VALUE")
EOF
log "Copie du .env cible"
copy_file_to_remote_via_ssh "$TMP_ENV_FILE" "$TARGET_ENV_FILE_PATH" "600"
scp "${SSH_OPTS[@]}" "$TMP_ENV_FILE" "${REMOTE}:$(printf '%q' "$TARGET_ENV_FILE_PATH")" >/dev/null 2>&1 \
|| fail "échec de copie du .env cible"
REMOTE_SSH_DIR="$(dirname "$TARGET_SSH_KEY_VALUE")"
REMOTE_KNOWN_HOSTS="${REMOTE_SSH_DIR}/known_hosts"
log "Copie de la clé privée backup sur la cible"
copy_file_to_remote_via_ssh "$TARGET_BACKUP_SOURCE_SSH_PRIVATE_KEY_VALUE" "$TARGET_SSH_KEY_VALUE" "600"
scp "${SSH_OPTS[@]}" \
"$TARGET_BACKUP_SOURCE_SSH_PRIVATE_KEY_VALUE" \
"${REMOTE}:$(printf '%q' "$TARGET_SSH_KEY_VALUE")" >/dev/null 2>&1 \
|| fail "échec de copie de la clé privée backup"
if [[ -n "$TARGET_BACKUP_SOURCE_SSH_PUBLIC_KEY_VALUE" ]]; then
log "Copie de la clé publique backup sur la cible"
copy_file_to_remote_via_ssh "$TARGET_BACKUP_SOURCE_SSH_PUBLIC_KEY_VALUE" "${TARGET_SSH_KEY_VALUE}.pub" "644"
scp "${SSH_OPTS[@]}" \
"$TARGET_BACKUP_SOURCE_SSH_PUBLIC_KEY_VALUE" \
"${REMOTE}:$(printf '%q' "${TARGET_SSH_KEY_VALUE}.pub")" >/dev/null 2>&1 \
|| fail "échec de copie de la clé publique backup"
fi
REMOTE_SSH_PERMS_CMD="
@@ -421,8 +397,8 @@ fi
TMP_SUDOERS_FILE=\$(mktemp)
cat >\"\$TMP_SUDOERS_FILE\" <<EOF
${TARGET_RUNTIME_USER_VALUE} ALL=(root) NOPASSWD: /usr/bin/apt, /usr/bin/apt-get, /usr/bin/systemctl
${TARGET_RUNTIME_USER_VALUE} ALL=(postgres) NOPASSWD: /usr/bin/psql
${TARGET_RUNTIME_USER_VALUE} ALL=(root) NOPASSWD: /usr/bin/true, /usr/bin/apt, /usr/bin/apt-get, /usr/bin/systemctl
${TARGET_RUNTIME_USER_VALUE} ALL=(postgres) NOPASSWD: /usr/bin/psql, /usr/bin/createdb, /usr/bin/dropdb, /usr/bin/pg_restore
EOF
chmod 440 \"\$TMP_SUDOERS_FILE\"
@@ -472,8 +448,8 @@ command -v sudo >/dev/null 2>&1 || {
echo 'sudo absent sur la cible' >&2
exit 1
}
sudo -n true >/dev/null 2>&1 || {
echo 'sudo -n indisponible' >&2
sudo -n /usr/bin/true >/dev/null 2>&1 || {
echo 'sudo -n root indisponible pour /usr/bin/true' >&2
exit 1
}
"
@@ -499,8 +475,8 @@ ssh "${SSH_OPTS[@]}" "$REMOTE" "$REMOTE_RUN_CHECK_PG_CMD" \
REMOTE_VALIDATE_SUDO_POSTGRES_CMD="
set -euo pipefail
sudo -n -u postgres true >/dev/null 2>&1 || {
echo 'sudo -n -u postgres indisponible après préparation PostgreSQL' >&2
sudo -n -u postgres /usr/bin/psql -d postgres -c 'SELECT 1;' >/dev/null 2>&1 || {
echo 'sudo -n -u postgres indisponible pour psql' >&2
exit 1
}
"