diff --git a/ct/localagi.sh b/ct/localagi.sh index d1634ea02..65750dbea 100644 --- a/ct/localagi.sh +++ b/ct/localagi.sh @@ -68,21 +68,14 @@ function update_script() { msg_info "Setting ownership of /opt/localagi to localagi:localagi" chown -R localagi:localagi /opt/localagi || msg_warn "Failed to chown /opt/localagi" - # Ensure systemd unit has basic hardening; if not, rewrite it - if ! grep -q '^User=localagi' /etc/systemd/system/localagi.service 2>/dev/null || \ - ! grep -q '^NoNewPrivileges=true' /etc/systemd/system/localagi.service 2>/dev/null; then - msg_info "Installing hardened systemd unit for LocalAGI" - cat </etc/systemd/system/localagi.service -[Unit] -Description=LocalAGI Service -After=network.target - + # Ensure systemd unit has basic hardening via drop-in override + mkdir -p /etc/systemd/system/localagi.service.d + override_file=/etc/systemd/system/localagi.service.d/override.conf + if [[ ! -f "$override_file" ]]; then + msg_info "Creating systemd drop-in override for LocalAGI" + cat <"$override_file" [Service] -Type=simple -WorkingDirectory=/opt/localagi -EnvironmentFile=/opt/localagi/.env User=localagi -ExecStart=/usr/local/bin/localagi NoNewPrivileges=true PrivateTmp=true ProtectSystem=full @@ -90,14 +83,17 @@ ProtectHome=true AmbientCapabilities= StandardOutput=journal StandardError=journal -Restart=on-failure -RestartSec=5 - -[Install] -WantedBy=multi-user.target EOF systemctl daemon-reload - msg_ok "Installed systemd unit" + msg_ok "Installed systemd drop-in" + else + msg_info "Systemd drop-in exists; ensuring required directives" + for d in "User=localagi" "NoNewPrivileges=true" "PrivateTmp=true" "ProtectSystem=full" "ProtectHome=true" "AmbientCapabilities=" "StandardOutput=journal" "StandardError=journal"; do + if ! grep -q "^${d}" "$override_file" 2>/dev/null; then + echo "$d" >>"$override_file" + fi + done + systemctl daemon-reload fi if [[ "${env_backup_valid:-0}" == "1" && -n "${env_backup:-}" && -s "$env_backup" ]]; then diff --git a/install/localagi-install.sh b/install/localagi-install.sh index 2d914f1c9..797cd522d 100644 --- a/install/localagi-install.sh +++ b/install/localagi-install.sh @@ -76,17 +76,13 @@ chmod 755 /usr/local/bin/localagi || msg_warn "Failed to chmod /usr/local/bin/lo msg_ok "Built LocalAGI from source" msg_info "Creating Service" -cat </etc/systemd/system/localagi.service -[Unit] -Description=LocalAGI Service -After=network.target - +mkdir -p /etc/systemd/system/localagi.service.d +override_file=/etc/systemd/system/localagi.service.d/override.conf +if [[ ! -f "$override_file" ]]; then + msg_info "Creating systemd drop-in override for LocalAGI" + cat <"$override_file" [Service] -Type=simple -WorkingDirectory=/opt/localagi -EnvironmentFile=/opt/localagi/.env User=localagi -ExecStart=/usr/local/bin/localagi NoNewPrivileges=true PrivateTmp=true ProtectSystem=full @@ -94,16 +90,22 @@ ProtectHome=true AmbientCapabilities= StandardOutput=journal StandardError=journal -Restart=on-failure -RestartSec=5 - -[Install] -WantedBy=multi-user.target EOF -systemctl daemon-reload + systemctl daemon-reload +else + msg_info "Systemd drop-in exists; ensuring required directives" + # Ensure required directives present; add if missing + for d in "User=localagi" "NoNewPrivileges=true" "PrivateTmp=true" "ProtectSystem=full" "ProtectHome=true" "AmbientCapabilities=" "StandardOutput=journal" "StandardError=journal"; do + if ! grep -q "^${d}" "$override_file" 2>/dev/null; then + echo "$d" >>"$override_file" + fi + done + systemctl daemon-reload +fi + LOCALAGI_SERVICE_NEEDS_RECOVERY=1 systemctl enable -q --now localagi -msg_ok "Created Service" +msg_ok "Created Service (drop-in override)" if ! systemctl is-active -q localagi; then msg_error "Failed to start LocalAGI service"