Change install log location and restrict permissions

.github/workflows/ci.yml

@@ -4,8 +4,8 @@ on:
   push:
 
 env:
-  GOLANGCI_LINT_VERSION: 'v1.46.2'
-  NFPM_VERSION: 'v2.18.0'
+  GOLANGCI_LINT_VERSION: 'v1.49.0'
+  NFPM_VERSION: 'v2.18.1'
 
 jobs:
   lint:

.nfpm.yaml

@@ -15,7 +15,7 @@ contents:
   - src: nginx-agent.conf
     dst: /etc/nginx-agent/nginx-agent.conf
     file_info:
-      mode: 0660
+      mode: 0640
   - src: ./scripts/packages/nginx-agent.service
     dst: /etc/systemd/system/nginx-agent.service
   - src: ./scripts/selinux/nginx_agent_selinux.8.gz

scripts/.local-nfpm.yaml

@@ -13,7 +13,7 @@ contents:
   - src: nginx-agent.conf
     dst: /etc/nginx-agent/nginx-agent.conf
     file_info:
-      mode: 0660
+      mode: 0640
   - src: ./scripts/packages/nginx-agent.service
     dst: /etc/systemd/system/nginx-agent.service
   - src: ./scripts/selinux/nginx_agent_selinux.8.gz

scripts/docker/alpine/Dockerfile

@@ -60,7 +60,7 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem \
         nginx-agent \
     " \
     && apk update \
-    && apk add $nginxPackages 
+    && apk add $nginxPackages
 
 # run the nginx and agent
 FROM install as runtime

scripts/packages/nginx-agent

@@ -21,7 +21,6 @@ status_cmd="status_agent"
 
 start_agent() {
     PATH=$PATH:/usr/local/sbin
-    mkdir -p /var/log/nginx-agent
     /usr/sbin/daemon -f -p ${pidfile} ${command} 
 }
 

scripts/packages/packager/local-entrypoint.sh

@@ -12,6 +12,7 @@ mkdir -p /staging/usr/local/etc/rc.d
 
 cp nginx-agent.conf /staging/usr/local/etc/nginx-agent
 cp scripts/packages/nginx-agent /staging/usr/local/etc/rc.d
+cp scripts/packages/preinstall.sh /staging/+PRE_INSTALL
 cp scripts/packages/postremove.sh /staging/+PRE_DEINSTALL
 cp scripts/packages/postinstall.sh /staging/+POST_INSTALL
 cp scripts/packages/plist /staging

scripts/packages/packager/signed-entrypoint.sh

@@ -16,6 +16,7 @@ mkdir -p staging/usr/local/etc/rc.d
 
 cp nginx-agent.conf staging/usr/local/etc/nginx-agent
 cp scripts/packages/nginx-agent staging/usr/local/etc/rc.d
+cp scripts/packages/preinstall.sh /staging/+PRE_INSTALL
 cp scripts/packages/postremove.sh staging/+PRE_DEINSTALL
 cp scripts/packages/postinstall.sh staging/+POST_INSTALL
 cp scripts/packages/plist staging

scripts/packages/postinstall.sh

@@ -18,166 +18,190 @@ AGENT_USER=$(id -nu)
 WORKER_USER=""
 AGENT_GROUP="nginx-agent"
 
-if command -v systemctl; then
-    printf "PostInstall: Reading NGINX systemctl unit file for user information\n"
-    nginx_unit_file=$(systemctl status nginx | grep -Po "\(\K\/.*service")
-    pid_file=$(grep -Po "PIDFile=\K.*$" "${nginx_unit_file}")
-
-    if [ ! -f "$pid_file" ]; then
-        echo "${pid_file} does not exist"
-    else
-        pidId=$(cat "${pid_file}")
-        nginx_user=$(ps --no-headers -u -p "${pidId}" | head -1 | awk '{print $1}')
+detect_nginx_users() {
+    if command -V systemctl >/dev/null 2>&1; then
+        printf "PostInstall: Reading NGINX systemctl unit file for user information\n"
+        nginx_unit_file=$(systemctl status nginx | grep -Po "\(\K\/.*service")
+        pid_file=$(grep -Po "PIDFile=\K.*$" "${nginx_unit_file}")
+
+        if [ ! -f "$pid_file" ]; then
+            printf "%s does not exist\n" "${pid_file}"
+        else
+            pidId=$(cat "${pid_file}")
+            nginx_user=$(ps --no-headers -u -p "${pidId}" | head -1 | awk '{print $1}')
+        fi
+
+        if [ ! "${nginx_user}" ]; then
+            printf "No NGINX user found\n"
+        fi
     fi
 
-    if [ ! "${nginx_user}" ]; then
-        printf "No NGINX user found\n"
-    fi
-fi
-
-if [ -z "${nginx_user}" ]; then
-    printf "PostInstall: Reading NGINX process information to determine NGINX user\n"
-    nginx_user=$(ps aux | grep "nginx: master process" | grep -v grep | head -1 | awk '{print $1}')
-
     if [ -z "${nginx_user}" ]; then
-        printf "No NGINX user found\n"
-    fi
-fi
+        printf "PostInstall: Reading NGINX process information to determine NGINX user\n"
+        nginx_user=$(ps aux | grep "nginx: master process" | grep -v grep | head -1 | awk '{print $1}')
 
-if [ "${nginx_user}" ]; then
-    echo "NGINX processes running as user '${nginx_user}'. nginx-agent will be configured to run as same user"
-    AGENT_USER=${nginx_user}
-else
-    echo "WARNING: No NGINX processes detected."
-fi
+        if [ -z "${nginx_user}" ]; then
+            printf "No NGINX user found\n"
+        fi
+    fi
 
-if [ -z "${worker_user}" ]; then
-    printf "PostInstall: Reading NGINX process information to determine NGINX user\n"
-    worker_user=$(ps aux | grep "nginx: worker process" | grep -v grep | head -1 | awk '{print $1}')
+    if [ "${nginx_user}" ]; then
+        echo "NGINX processes running as user '${nginx_user}'. nginx-agent will be configured to run as same user"
+        AGENT_USER=${nginx_user}
+    else
+        echo "WARNING: No NGINX processes detected."
+    fi
 
     if [ -z "${worker_user}" ]; then
-        printf "No NGINX worker user found\n"
-    fi
-fi
+        printf "PostInstall: Reading NGINX process information to determine NGINX user\n"
+        worker_user=$(ps aux | grep "nginx: worker process" | grep -v grep | head -1 | awk '{print $1}')
 
-if [ "${worker_user}" ]; then
-    echo "NGINX processes running as user '${worker_user}'. nginx-agent will try add that user to '${AGENT_GROUP}'"
-    WORKER_USER=${worker_user}
-else
-    echo "WARNING: No NGINX worker processes detected."
-fi
+        if [ -z "${worker_user}" ]; then
+            printf "No NGINX worker user found\n"
+        fi
+    fi
 
-if [ -z "${AGENT_USER}" ]; then
-    echo "\$USER not defined. Running as root"
-    USER=root
-    AGENT_USER=root
-fi
+    if [ "${worker_user}" ]; then
+        echo "NGINX processes running as user '${worker_user}'. nginx-agent will try add that user to '${AGENT_GROUP}'"
+        WORKER_USER=${worker_user}
+    else
+        echo "WARNING: No NGINX worker processes detected."
+    fi
 
-if [ "$(id -u)" = "0" ]; then
-    echo "Sudo permissions detected"
-else
-    echo "No sudo permission detected, please run as sudo"
-    exit 1
-fi
+    if [ -z "${AGENT_USER}" ]; then
+        echo "\$USER not defined. Running as root"
+        USER=root
+        AGENT_USER=root
+    fi
+}
 
-if [ -z "${AGENT_EXE}" ]; then
-    printf "Could not determine path to nginx-agent, using default...\n"
+ensure_sudo() {
+    if [ "$(id -u)" = "0" ]; then
+        echo "Sudo permissions detected"
+    else
+        echo "No sudo permission detected, please run as sudo"
+        exit 1
+    fi
+}
 
+ensure_agent_path() {
     if [ ! -f "${AGENT_EXE}" ]; then
         echo "nginx-agent not in default path, exiting..."
         exit 1
     fi
-fi
 
-printf "Found nginx-agent %s\n" "${AGENT_EXE}"
+    printf "Found nginx-agent %s\n" "${AGENT_EXE}"
+}
 
-if command -v systemctl; then
-    printf "PostInstall: Adding nginx-agent group %s\n" "${AGENT_GROUP}"
-    groupadd "${AGENT_GROUP}"
+create_agent_group() {
+    if command -V systemctl >/dev/null 2>&1; then
+        printf "PostInstall: Adding nginx-agent group %s\n" "${AGENT_GROUP}"
+        groupadd "${AGENT_GROUP}"
 
-    printf "PostInstall: Adding NGINX / agent user %s to group %s\n" "${AGENT_USER}" "${AGENT_GROUP}"
-    usermod -a -G "${AGENT_GROUP}" "${AGENT_USER}"
-    if [ "${WORKER_USER}" ]; then
-        printf "PostInstall: Adding NGINX Worker user %s to group %s\n" "${WORKER_USER}" "${AGENT_GROUP}"
-        usermod -a -G "${AGENT_GROUP}" "${WORKER_USER}"
+        printf "PostInstall: Adding NGINX / agent user %s to group %s\n" "${AGENT_USER}" "${AGENT_GROUP}"
+        usermod -a -G "${AGENT_GROUP}" "${AGENT_USER}"
+        if [ "${WORKER_USER}" ]; then
+            printf "PostInstall: Adding NGINX Worker user %s to group %s\n" "${WORKER_USER}" "${AGENT_GROUP}"
+            usermod -a -G "${AGENT_GROUP}" "${WORKER_USER}"
+        fi
     fi
-fi
-
-if [ "$ID" = "freebsd" ]; then
-    printf "PostInstall: Adding nginx-agent group %s\n" "${AGENT_GROUP}"
-    pw groupadd "${AGENT_GROUP}"
-
-    printf "PostInstall: Adding NGINX / agent user %s to group %s\n" "${AGENT_USER}" "${AGENT_GROUP}"
-    pw groupmod "${AGENT_GROUP}" -M "${AGENT_USER}"
-    if [ "${WORKER_USER}" ]; then
-        printf "PostInstall: Adding NGINX Worker user %s to group %s\n" "${WORKER_USER}" "${AGENT_GROUP}"
-        pw groupmod "${AGENT_GROUP}" -M "${WORKER_USER}"
-    fi
-fi
 
-if [ "$ID" = "alpine" ]; then
-    printf "PostInstall: Adding nginx-agent group %s\n" "${AGENT_GROUP}"
-    addgroup "${AGENT_GROUP}"
+    if [ "$ID" = "freebsd" ]; then
+        printf "PostInstall: Adding nginx-agent group %s\n" "${AGENT_GROUP}"
+        pw groupadd "${AGENT_GROUP}"
 
-    printf "PostInstall: Adding NGINX / agent user %s to group %s\n" "${AGENT_USER}" "${AGENT_GROUP}"
-    addgroup "${AGENT_USER}" "${AGENT_GROUP}"
-    if [ "${WORKER_USER}" ]; then
-        printf "PostInstall: Adding NGINX Worker user %s to group %s\n" "${WORKER_USER}" "${AGENT_GROUP}"
-        addgroup "${WORKER_USER}" "${AGENT_GROUP}"
+        printf "PostInstall: Adding NGINX / agent user %s to group %s\n" "${AGENT_USER}" "${AGENT_GROUP}"
+        pw groupmod "${AGENT_GROUP}" -M "${AGENT_USER}"
+        if [ "${WORKER_USER}" ]; then
+            printf "PostInstall: Adding NGINX Worker user %s to group %s\n" "${WORKER_USER}" "${AGENT_GROUP}"
+            pw groupmod "${AGENT_GROUP}" -M "${WORKER_USER}"
+        fi
     fi
-fi
-
-printf "PostInstall: Creating NGINX Agent run directory \n"
-mkdir -p "${AGENT_RUN_DIR}"
-
-printf "PostInstall: Modifying group ownership of NGINX Agent run directory \n"
-chown "${AGENT_USER}":"${AGENT_GROUP}" "${AGENT_RUN_DIR}"
-
-# Fill in data to unit file that's acquired post install
-if command -v systemctl; then
-    printf "PostInstall: Modifying NGINX Agent unit file with correct locations and user information\n"
-    EXE_CMD="s|\${AGENT_EXE}|${AGENT_EXE}|g"
-    sed -i -e $EXE_CMD ${AGENT_UNIT_LOCATION}/${AGENT_UNIT_FILE}
-
-    LOG_DIR_CMD="s|\${AGENT_LOG_DIR}|${AGENT_LOG_DIR}|g"
-    sed -i -e $LOG_DIR_CMD ${AGENT_UNIT_LOCATION}/${AGENT_UNIT_FILE}
-
-    RUN_DIR_CMD="s|\${AGENT_RUN_DIR}|${AGENT_RUN_DIR}|g"
-    sed -i -e $RUN_DIR_CMD ${AGENT_UNIT_LOCATION}/${AGENT_UNIT_FILE}
 
-    USER_CMD="s/\${AGENT_USER}/${AGENT_USER}/g"
-    sed -i -e $USER_CMD ${AGENT_UNIT_LOCATION}/${AGENT_UNIT_FILE}
+    if [ "$ID" = "alpine" ]; then
+        printf "PostInstall: Adding nginx-agent group %s\n" "${AGENT_GROUP}"
+        addgroup "${AGENT_GROUP}"
 
-    GROUP_CMD="s/\${AGENT_GROUP}/${AGENT_GROUP}/g"
-    sed -i -e $GROUP_CMD ${AGENT_UNIT_LOCATION}/${AGENT_UNIT_FILE}
-
-    printf "PostInstall: Reload the service unit from disk\n"
-    systemctl daemon-reload
-    printf "PostInstall: Unmask the service unit from disk\n"
-    systemctl unmask "${AGENT_UNIT_FILE}"
-    printf "PostInstall: Set the preset flag for the service unit\n"
-    systemctl preset "${AGENT_UNIT_FILE}"
-    printf "PostInstall: Set the enabled flag for the service unit\n"
-    systemctl enable "${AGENT_UNIT_FILE}"
-fi
+        printf "PostInstall: Adding NGINX / agent user %s to group %s\n" "${AGENT_USER}" "${AGENT_GROUP}"
+        addgroup "${AGENT_USER}" "${AGENT_GROUP}"
+        if [ "${WORKER_USER}" ]; then
+            printf "PostInstall: Adding NGINX Worker user %s to group %s\n" "${WORKER_USER}" "${AGENT_GROUP}"
+            addgroup "${WORKER_USER}" "${AGENT_GROUP}"
+        fi
+    fi
+}
+
+create_run_dir() {
+    printf "PostInstall: Creating NGINX Agent run directory \n"
+    mkdir -p "${AGENT_RUN_DIR}"
+
+    printf "PostInstall: Modifying group ownership of NGINX Agent run directory \n"
+    chown "${AGENT_USER}":"${AGENT_GROUP}" "${AGENT_RUN_DIR}"
+}
+
+update_unit_file() {
+    # Fill in data to unit file that's acquired post install
+    if command -V systemctl >/dev/null 2>&1; then
+        printf "PostInstall: Modifying NGINX Agent unit file with correct locations and user information\n"
+        EXE_CMD="s|\${AGENT_EXE}|${AGENT_EXE}|g"
+        sed -i -e $EXE_CMD ${AGENT_UNIT_LOCATION}/${AGENT_UNIT_FILE}
+
+        LOG_DIR_CMD="s|\${AGENT_LOG_DIR}|${AGENT_LOG_DIR}|g"
+        sed -i -e $LOG_DIR_CMD ${AGENT_UNIT_LOCATION}/${AGENT_UNIT_FILE}
+
+        RUN_DIR_CMD="s|\${AGENT_RUN_DIR}|${AGENT_RUN_DIR}|g"
+        sed -i -e $RUN_DIR_CMD ${AGENT_UNIT_LOCATION}/${AGENT_UNIT_FILE}
+
+        USER_CMD="s/\${AGENT_USER}/${AGENT_USER}/g"
+        sed -i -e $USER_CMD ${AGENT_UNIT_LOCATION}/${AGENT_UNIT_FILE}
+
+        GROUP_CMD="s/\${AGENT_GROUP}/${AGENT_GROUP}/g"
+        sed -i -e $GROUP_CMD ${AGENT_UNIT_LOCATION}/${AGENT_UNIT_FILE}
+
+        printf "PostInstall: Reload the service unit from disk\n"
+        systemctl daemon-reload
+        printf "PostInstall: Unmask the service unit from disk\n"
+        systemctl unmask "${AGENT_UNIT_FILE}"
+        printf "PostInstall: Set the preset flag for the service unit\n"
+        systemctl preset "${AGENT_UNIT_FILE}"
+        printf "PostInstall: Set the enabled flag for the service unit\n"
+        systemctl enable "${AGENT_UNIT_FILE}"
+    fi
 
-if [ "$ID" = "freebsd" ]; then
-    printf "PostInstall: Enabling NGINX Agent Service\n"
-    sysrc nginx_agent_enable=YES
-fi
+    if [ "$ID" = "freebsd" ]; then
+        printf "PostInstall: Enabling NGINX Agent Service\n"
+        sysrc nginx_agent_enable=YES
+    fi
+}
 
-echo "----------------------------------------------------------------------"
-echo " NGINX Agent package has been successfully installed."
-echo ""
-echo " Please follow the next steps to start the software:"
-if [ "$ID" = "freebsd" ]; then
-    echo "    sudo service nginx-agent start"
+summary() {
+    echo "----------------------------------------------------------------------"
+    echo " NGINX Agent package has been successfully installed."
     echo ""
-else
-    echo "    sudo systemctl start nginx-agent"
+    echo " Please follow the next steps to start the software:"
+    if [ "$ID" = "freebsd" ]; then
+        echo "    sudo service nginx-agent start"
+        echo ""
+    else
+        echo "    sudo systemctl start nginx-agent"
+        echo ""
+    fi
+    echo " Configuration settings can be adjusted here:"
+    echo "    ${BSD_HIER}/etc/nginx-agent/nginx-agent.conf"
     echo ""
-fi
-echo " Configuration settings can be adjusted here:"
-echo "    ${BSD_HIER}/etc/nginx-agent/nginx-agent.conf"
-echo ""
-echo "----------------------------------------------------------------------"
+    echo "----------------------------------------------------------------------"
+}
+
+#
+# Main body of the script
+#
+{
+    detect_nginx_users
+    ensure_sudo
+    ensure_agent_path
+    create_agent_group
+    create_run_dir
+    update_unit_file
+    summary
+}
+