(bugfix) Grant service user backup and journal access

Update the native installer so the pobsync service user gets journal read access when the host exposes systemd-journal or adm groups. Apply ownership and private directory modes to the configured backup root, and reuse the existing environment backup root on reinstall so production updates do not fall back to /backups. Add a self-check for journal access and a host detail action that can prepare missing backup directories for existing host configurations.
2026-05-19 19:25:05 +02:00
parent 90f28410ce
commit ccacad3d37
8 changed files with 122 additions and 1 deletions
--- a/scripts/install-systemd
+++ b/scripts/install-systemd
@@ -12,6 +12,10 @@ SERVER_NAME=${POBSYNC_SERVER_NAME:-_}
 ALLOWED_HOSTS=${POBSYNC_ALLOWED_HOSTS:-localhost,127.0.0.1}
 CSRF_TRUSTED_ORIGINS=${POBSYNC_CSRF_TRUSTED_ORIGINS:-}
 BACKUP_ROOT=${POBSYNC_BACKUP_ROOT:-/backups}
+BACKUP_ROOT_EXPLICIT=0
+if [ -n "${POBSYNC_BACKUP_ROOT:-}" ]; then
+    BACKUP_ROOT_EXPLICIT=1
+fi
 WEB_BIND=${POBSYNC_WEB_BIND:-127.0.0.1:8010}
 FORCE_ENV=0
 INSTALL_OS_PACKAGES=1
@@ -55,6 +59,7 @@ while [ "$#" -gt 0 ]; do
            ;;
        --backup-root)
            BACKUP_ROOT=$2
+            BACKUP_ROOT_EXPLICIT=1
            shift 2
            ;;
        --allowed-hosts)
@@ -133,6 +138,16 @@ if [ "$(id -u)" -ne 0 ]; then
    exit 1
 fi

+if [ -f "$ENV_FILE" ] && [ "$FORCE_ENV" -ne 1 ] && [ "$BACKUP_ROOT_EXPLICIT" -ne 1 ]; then
+    set -a
+    # shellcheck disable=SC1090
+    . "$ENV_FILE"
+    set +a
+    if [ -n "${POBSYNC_BACKUP_ROOT:-}" ]; then
+        BACKUP_ROOT=$POBSYNC_BACKUP_ROOT
+    fi
+fi
+
 run_step() {
    label=$1
    shift
@@ -343,9 +358,18 @@ else
    note_step "Create service user" "OK"
 fi

+grant_journal_access() {
+    for group in systemd-journal adm; do
+        if getent group "$group" >/dev/null 2>&1; then
+            usermod -a -G "$group" "$SERVICE_USER"
+        fi
+    done
+}
+
+run_step "Grant journal access" grant_journal_access
 run_step "Prepare directories" mkdir -p /etc/pobsync /var/lib/pobsync /var/log/pobsync "$(dirname "$VENV_DIR")" "$APP_DIR" "$BACKUP_ROOT"
 run_step "Set state directory permissions" chown "$SERVICE_USER:$SERVICE_GROUP" /var/lib/pobsync /var/log/pobsync "$BACKUP_ROOT"
-run_step "Set private directory modes" chmod 0750 /var/lib/pobsync /var/log/pobsync
+run_step "Set private directory modes" chmod 0750 /var/lib/pobsync /var/log/pobsync "$BACKUP_ROOT"

 if [ "$SOURCE_DIR" != "$APP_DIR" ]; then
    run_step "Sync application files" rsync -a --delete \