(bugfix) Grant service user backup and journal access

Update the native installer so the pobsync service user gets journal read access when the host exposes systemd-journal or adm groups. Apply ownership and private directory modes to the configured backup root, and reuse the existing environment backup root on reinstall so production updates do not fall back to /backups. Add a self-check for journal access and a host detail action that can prepare missing backup directories for existing host configurations.
2026-05-19 19:25:05 +02:00
parent 90f28410ce
commit ccacad3d37
8 changed files with 122 additions and 1 deletions
--- a/src/pobsync_backend/self_check.py
+++ b/src/pobsync_backend/self_check.py
@@ -206,4 +206,24 @@ def _systemd_checks() -> list[SelfCheck]:
                active_state,
            )
        )
+    if shutil.which("journalctl") is not None:
+        result = subprocess.run(
+            ["journalctl", "--no-pager", "-n", "1", "-u", "pobsync-web.service"],
+            check=False,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.PIPE,
+            text=True,
+            timeout=5,
+        )
+        journal_error = result.stderr.strip()
+        journal_denied = "No journal files were opened" in journal_error or "permission" in journal_error.lower()
+        has_journal_access = result.returncode == 0 and not journal_denied
+        checks.append(
+            SelfCheck(
+                "Journal access",
+                "ok" if has_journal_access else "failed",
+                "pobsync can read service logs." if has_journal_access else "pobsync cannot read service logs.",
+                journal_error,
+            )
+        )
    return checks