diff --git a/mkosi.extra/etc/sudoers.d/niver b/mkosi.extra/etc/sudoers.d/niver
index 4471445..6e774f4 100644
--- a/mkosi.extra/etc/sudoers.d/niver
+++ b/mkosi.extra/etc/sudoers.d/niver
@@ -1 +1,2 @@
-php-niver ALL= NOPASSWD: /usr/bin/systemctl reload nginx,/usr/bin/systemctl reload tor,/usr/bin/systemctl reload tor@niver,/usr/bin/chgrp ^sftpgo /srv/ht/[a-z]{1,128}$,/usr/bin/cat ^/var/lib/tor-instances/niver/keys/[a-z]{1,128}/hostname$
+php-niver ALL= NOPASSWD: /usr/bin/systemctl reload nginx,/usr/bin/systemctl reload tor,/usr/bin/chgrp ^sftpgo /srv/ht/[a-z]{1,128}$
+php-niver ALL=(tor) NOPASSWD: /usr/bin/cat ^/var/lib/tor/keys/[a-z]{1,128}/hostname$
diff --git a/mkosi.extra/etc/tor/instances/niver/torrc b/mkosi.extra/etc/tor/torrc
similarity index 100%
rename from mkosi.extra/etc/tor/instances/niver/torrc
rename to mkosi.extra/etc/tor/torrc
diff --git a/mkosi.postinst b/mkosi.postinst
index 782aa63..678e812 100755
--- a/mkosi.postinst
+++ b/mkosi.postinst
@@ -29,13 +29,11 @@ chown -R php-niver:sftpgo /srv/ht
 chmod -R u=rwX,g=rwX,o=rX /srv/ht
 if [[ $ID = "debian" ]]; then
- chown -R php-niver:_tor-niver /etc/tor/instances/niver
- chown -R _tor-niver:_tor-niver /var/lib/tor-instances/niver
+ chown -R php-niver:debian-tor /etc/tor
 else
- chown -R php-niver:tor /etc/tor/instances/niver
- chown -R tor:tor /var/lib/tor-instances/niver
+ chown -R php-niver:tor /etc/tor
 fi
-chmod -R u=rwX,g=rX,o= /etc/tor/instances/niver
+chmod -R u=rwX,g=rX,o= /etc/tor
 chmod u=rX,g=rX,o=rX /srv/php
@@ -44,7 +42,7 @@ chmod -R u=rX,g=rX,o= /srv/php/errors
 chown -R php-niver:nginx /srv/php/niver
 chmod -R u=rX,g=rX,o=X /srv/php/niver
-chmod -R u=rwX,g=,o= /srv/php/niver/db /srv/php/niver/niver.log
+chmod -R u=rwX,g=,o= /srv/php/niver/db
 # Load configuration in Knot database
 sudo -u knot knotc conf-import /etc/knot/knot.conf
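Review bot: The new `ALL=(tor)` cat rule and the remaining `reload tor` entry are only correct for Arch as written; on Debian both depend on mkosi.postinst rewriting them with sed to `(debian-tor)` and `tor@default`, and nothing in this file signals that coupling. Add a header comment such as `# Written for Arch; mkosi.postinst rewrites the tor user and service name on Debian` so a later edit to either line does not silently stop matching the sed patterns. The `^…$` arguments rely on sudo's regular-expression matching for command arguments, which is worth stating in the same comment. This diff also deletes the `tor-instances/niver/keys/.gitkeep` placeholder without adding one for `/var/lib/tor/keys`, so confirm that Tor or postinst creates that parent directory before the hostname read is first attempted.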
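Review bot: Ownership of the entire `/etc/tor` tree by php-niver, set by the chown in both branches of the `if`, combined with that user's sudo right to `systemctl reload tor`, lets a compromised PHP worker rewrite torrc itself and have Tor apply it; the php-fpm override hunk in this commit widens `ReadWritePaths` to `/etc/tor` to match, so the same point applies there. If the application only needs to manage its hidden-service definitions and not torrc, keep torrc root-owned and group-readable after the recursive chown, e.g. `chown root:debian-tor /etc/tor/torrc` and `chmod u=rw,g=r,o= /etc/tor/torrc` (with group `tor` in the else branch), and point the php-fpm `ReadWritePaths` at that subdirectory instead. Whether PHP writes torrc directly is not visible in this diff, so verify against the application before narrowing.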
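Review bot: `/srv/php/niver/niver.log` is dropped from the writable chmod, but nothing in this diff removes the file or makes a log path writable elsewhere; if it still ships under `/srv/php/niver`, the preceding `chmod -R u=rX,g=rX,o=X /srv/php/niver` now leaves it read-only for php-niver and the application presumably loses its log. If the log has moved out of this tree, a one-line comment naming the new location, e.g. `# niver.log is no longer written under /srv/php/niver`, would make the removal read as intentional.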
@@ -69,22 +67,14 @@ display_errors = On
 extension = pdo_sqlite
 EOF
-# Configure Tor properly
+# Configure Tor
 if [[ $ID = "debian" ]]; then
- cat >> /etc/tor/instances/niver/torrc << EOF
-User _tor-niver
-DataDirectory /var/lib/tor-instances/niver
-EOF
-fi
-
-if [[ $ID = "arch" ]]; then
- ln -s /etc/tor/instances/niver/torrc /etc/tor/torrc
- cat >> /etc/tor/instances/niver/torrc << EOF
-User tor
-DataDirectory /var/lib/tor
-EOF
+ sed -i 's/User tor/User debian-tor/' /etc/tor/torrc
+ sed -i 's/reload tor/reload tor@default/' /etc/sudoers.d/niver
+ sed -i 's/ALL=(tor)/ALL=(debian-tor)/' /etc/sudoers.d/niver
+ sed -i 's/tor_service = "tor"/tor_service = "tor@default"/' /srv/php/niver/config.ini
+ sed -i 's/tor_user = "tor"/tor_user = "debian-tor"/' /srv/php/niver/config.ini
 fi
 # Start SystemD services at startup
diff --git a/mkosi.prepare b/mkosi.prepare
index 787dae9..f6ea500 100755
--- a/mkosi.prepare
+++ b/mkosi.prepare
@@ -13,11 +13,6 @@ if [[ $ID = "arch" ]]; then
 rm /etc/php/php-fpm.d/*
 fi
-# Create dedicated Tor instance
-if [[ $ID = "debian" ]]; then
- tor-instance-create niver
-fi
-
 # Generate default self-signed TLS key pair
 openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/niver.key -out /etc/ssl/certs/niver.crt
diff --git a/mkosi.skeleton/etc/systemd/system/php-fpm.service.d/override.conf b/mkosi.skeleton/etc/systemd/system/php-fpm.service.d/override.conf
index a09fa28..9fb1d6a 100644
--- a/mkosi.skeleton/etc/systemd/system/php-fpm.service.d/override.conf
+++ b/mkosi.skeleton/etc/systemd/system/php-fpm.service.d/override.conf
@@ -1,3 +1,3 @@
 [Service]
 ReadWritePaths=/etc/nginx/ht
-ReadWritePaths=/etc/tor/instances/niver
+ReadWritePaths=/etc/tor
diff --git a/mkosi.skeleton/etc/systemd/system/tor.service.d/override.conf b/mkosi.skeleton/etc/systemd/system/tor.service.d/override.conf
index b491542..c54060a 100644
--- a/mkosi.skeleton/etc/systemd/system/tor.service.d/override.conf
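Review bot: The two `sed -i` edits on `/etc/sudoers.d/niver` in the Debian branch run with no syntax check, so a typo in a replacement or a pattern that no longer matches after a later edit to the sudoers file yields a drop-in that sudo either rejects or skips, taking every NOPASSWD rule in it along. Follow the edits with `visudo -cf /etc/sudoers.d/niver` and let a non-zero status fail the build. The `s/User tor/…/` and both config.ini substitutions likewise assume the shipped torrc and config.ini contain exactly those strings, which this diff does not show; a `grep -q` of the expected text before each sed, or a check that the replacement actually happened, would surface a silent no-op instead of an image that runs Tor under the wrong user.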
+++ b/mkosi.skeleton/etc/systemd/system/tor.service.d/override.conf
@@ -1,4 +1,3 @@
 [Service]
-ReadWritePaths=/var/lib/tor-instances/niver/
 # To allow reloading service on Arch Linux
 CapabilityBoundingSet=CAP_KILL
diff --git a/mkosi.skeleton/var/lib/tor-instances/niver/keys/.gitkeep b/mkosi.skeleton/var/lib/tor-instances/niver/keys/.gitkeep
deleted file mode 100644
index e69de29..0000000