From 1f9db7d927c4590fae2983341fcc0bba8eacaed2 Mon Sep 17 00:00:00 2001
From: vhsdream
Date: Mon, 4 Aug 2025 12:55:46 -0400
Subject: [PATCH] Palmr: run services under low-priv user - installing older version to test DB operations during upgrade
---
 ct/palmr.sh | 3 ++-
 install/palmr-install.sh | 18 ++++++++++--------
 2 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/ct/palmr.sh b/ct/palmr.sh
index 5872f971..ba94de6f 100644
--- a/ct/palmr.sh
+++ b/ct/palmr.sh
@@ -34,10 +34,10 @@ function update_script() {
 systemctl stop palmr-frontend palmr-backend
 msg_ok "Stopped Services"
- msg_info "Updating ${APP}"
 cp /opt/palmr/apps/server/.env /opt/palmr.env
 rm -rf /opt/palmr
 fetch_and_deploy_gh_release "Palmr" "kyantech/Palmr" "tarball" "latest" "/opt/palmr"
+ msg_info "Updating ${APP}"
 PNPM="$(jq -r '.packageManager' /opt/palmr/package.json)"
 NODE_VERSION="20" NODE_MODULE="$PNPM" setup_nodejs
 cd /opt/palmr/apps/server
@@ -55,6 +55,7 @@ function update_script() {
 mv ./.env.example ./.env
 $STD pnpm install
 $STD pnpm build
+ chown -R palmr:palmr "$PALMR_DIR" /opt/palmr
 msg_ok "Updated $APP"
 msg_info "Starting Services"
diff --git a/install/palmr-install.sh b/install/palmr-install.sh
index 9d1d87c0..73c1ea56 100644
--- a/install/palmr-install.sh
+++ b/install/palmr-install.sh
@@ -13,11 +13,7 @@ setting_up_container
 network_check
 update_os
-msg_info "Installing dependencies"
-$STD apt-get install -y yq
-msg_ok "Installed dependencies"
-
-fetch_and_deploy_gh_release "Palmr" "kyantech/Palmr" "tarball" "latest" "/opt/palmr"
+fetch_and_deploy_gh_release "Palmr" "kyantech/Palmr" "tarball" "v3.14-beta" "/opt/palmr"
 PNPM="$(jq -r '.packageManager' /opt/palmr/package.json)"
 NODE_VERSION="20" NODE_MODULE="$PNPM" setup_nodejs
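Review bot: In the second ct/palmr.sh hunk, the added `chown -R palmr:palmr "$PALMR_DIR" /opt/palmr` assumes the `palmr` account already exists, but this patch creates it only in install/palmr-install.sh, so on a container installed before this change the chown would fail. As far as the visible lines show, the update path also leaves the installed unit files untouched, so those containers would keep running both services as root after updating. Creating the account when it is missing, e.g. `id -u palmr >/dev/null 2>&1 || useradd -d "$PALMR_DIR" -M -s /usr/sbin/nologin -U palmr`, and adding `User=palmr`/`Group=palmr` to the existing units before the restart would carry the hardening over to upgrades. `PALMR_DIR` is not assigned in the visible part of update_script, whose body starts and ends outside the hunk, so it is worth confirming it is set there; an empty value makes chown stop on the empty operand.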
@@ -32,7 +28,7 @@ sed -e 's/_ENCRYPTION=true/_ENCRYPTION=false/' \
 -e "s/ENCRYPTION_KEY=.*$/ENCRYPTION_KEY=$PALMR_KEY/" \
 -e "s|file:.*$|file:$PALMR_DB\"|" \
 -e '/db"$/a\# Uncomment below when using reverse proxy\
- # SECURE_SITE=true' \
+# SECURE_SITE=true' \
 .env.example >./.env
 $STD pnpm install
 $STD pnpm dlx prisma generate
@@ -51,7 +47,9 @@ $STD pnpm install
 $STD pnpm build
 msg_ok "Configured palmr frontend"
-msg_info "Creating service files"
+msg_info "Creating user & services"
+useradd -d "$PALMR_DIR" -M -s /usr/sbin/nologin -U palmr
+chown -R palmr:palmr "$PALMR_DIR" /opt/palmr
 cat </etc/systemd/system/palmr-backend.service
 [Unit]
 Description=palmr Backend Service
@@ -59,6 +57,8 @@ After=network.target
 [Service]
 Type=simple
+User=palmr
+Group=palmr
 WorkingDirectory=/opt/palmr_data
 ExecStart=/usr/bin/node /opt/palmr/apps/server/dist/server.js
@@ -73,6 +73,8 @@ After=network.target palmr-backend.service
 [Service]
 Type=simple
+User=palmr
+Group=palmr
 WorkingDirectory=/opt/palmr/apps/web
 ExecStart=/usr/bin/pnpm start
@@ -80,7 +82,7 @@ ExecStart=/usr/bin/pnpm start
 WantedBy=multi-user.target
 EOF
 systemctl enable -q --now palmr-backend palmr-frontend
-msg_ok "Created services"
+msg_ok "Created user & services"
 motd_ssh
 customize
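Review bot: The added `chown -R palmr:palmr "$PALMR_DIR" /opt/palmr` in the `-51,7 +47,9` hunk makes the service account the owner of its own program tree, so a compromise of either service could rewrite `dist/server.js` or `node_modules` and survive a restart. From the visible lines only the data directory has to be writable; consider keeping `chown -R palmr:palmr "$PALMR_DIR"` and using `chown -R root:palmr /opt/palmr` for the code, granting write access only to whatever cache path the frontend turns out to need at runtime. The `.env` produced by the sed redirection in the previous hunk carries `ENCRYPTION_KEY` and presumably inherits the default umask, so `chmod 640 /opt/palmr/apps/server/.env` after the chown would keep it unreadable to other local accounts.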
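Review bot: `User=palmr`/`Group=palmr` in the backend unit (`-59,6 +57,8`) drops root but adds no filesystem or privilege confinement, and the same holds for the frontend unit in the `-73,6 +73,8` hunk. With a dedicated account in place, `NoNewPrivileges=true`, `ProtectSystem=strict` and `ReadWritePaths=/opt/palmr_data` next to the new lines would restrict writes to the data directory and block privilege regain through setuid binaries. The frontend may need one more writable path for its build cache, and these directives rely on namespace support inside the container, so they should be verified on an unprivileged LXC before becoming the default. Both unit bodies continue outside their hunks.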