Palmr: run services under low-priv user

- installing older version to test DB operations during upgrade
2025-08-04 12:55:46 -04:00 · 2025-08-04 12:55:46 -04:00 · 1f9db7d927
commit 1f9db7d927
parent 22fcede55a
2 changed files with 12 additions and 9 deletions
--- a/ct/palmr.sh
+++ b/ct/palmr.sh
@ -34,10 +34,10 @@ function update_script() {
    systemctl stop palmr-frontend palmr-backend
    msg_ok "Stopped Services"

-    msg_info "Updating ${APP}"
    cp /opt/palmr/apps/server/.env /opt/palmr.env
    rm -rf /opt/palmr
    fetch_and_deploy_gh_release "Palmr" "kyantech/Palmr" "tarball" "latest" "/opt/palmr"
+    msg_info "Updating ${APP}"
    PNPM="$(jq -r '.packageManager' /opt/palmr/package.json)"
    NODE_VERSION="20" NODE_MODULE="$PNPM" setup_nodejs
    cd /opt/palmr/apps/server
@ -55,6 +55,7 @@ function update_script() {
    mv ./.env.example ./.env
    $STD pnpm install
    $STD pnpm build
+    chown -R palmr:palmr "$PALMR_DIR" /opt/palmr
    msg_ok "Updated $APP"

    msg_info "Starting Services"
--- a/install/palmr-install.sh
+++ b/install/palmr-install.sh
@ -13,11 +13,7 @@ setting_up_container
 network_check
 update_os

-msg_info "Installing dependencies"
-$STD apt-get install -y yq
-msg_ok "Installed dependencies"
-
-fetch_and_deploy_gh_release "Palmr" "kyantech/Palmr" "tarball" "latest" "/opt/palmr"
+fetch_and_deploy_gh_release "Palmr" "kyantech/Palmr" "tarball" "v3.14-beta" "/opt/palmr"
 PNPM="$(jq -r '.packageManager' /opt/palmr/package.json)"
 NODE_VERSION="20" NODE_MODULE="$PNPM" setup_nodejs

@ -32,7 +28,7 @@ sed -e 's/_ENCRYPTION=true/_ENCRYPTION=false/' \
  -e "s/ENCRYPTION_KEY=.*$/ENCRYPTION_KEY=$PALMR_KEY/" \
  -e "s|file:.*$|file:$PALMR_DB\"|" \
  -e '/db"$/a\# Uncomment below when using reverse proxy\
-  # SECURE_SITE=true' \
+# SECURE_SITE=true' \
  .env.example >./.env
 $STD pnpm install
 $STD pnpm dlx prisma generate
@ -51,7 +47,9 @@ $STD pnpm install
 $STD pnpm build
 msg_ok "Configured palmr frontend"

-msg_info "Creating service files"
+msg_info "Creating user & services"
+useradd -d "$PALMR_DIR" -M -s /usr/sbin/nologin -U palmr
+chown -R palmr:palmr "$PALMR_DIR" /opt/palmr
 cat <<EOF >/etc/systemd/system/palmr-backend.service
 [Unit]
 Description=palmr Backend Service
@ -59,6 +57,8 @@ After=network.target

 [Service]
 Type=simple
+User=palmr
+Group=palmr
 WorkingDirectory=/opt/palmr_data
 ExecStart=/usr/bin/node /opt/palmr/apps/server/dist/server.js

@ -73,6 +73,8 @@ After=network.target palmr-backend.service

 [Service]
 Type=simple
+User=palmr
+Group=palmr
 WorkingDirectory=/opt/palmr/apps/web
 ExecStart=/usr/bin/pnpm start

@ -80,7 +82,7 @@ ExecStart=/usr/bin/pnpm start
 WantedBy=multi-user.target
 EOF
 systemctl enable -q --now palmr-backend palmr-frontend
-msg_ok "Created services"
+msg_ok "Created user & services"

 motd_ssh
 customize