From d0803f96d8adf980309501481711f8c94ad7bd4f Mon Sep 17 00:00:00 2001 From: John Doe Date: Wed, 4 Mar 2026 20:41:07 -0500 Subject: [PATCH] feat: enhance LocalAGI installation with user creation and service hardening --- frontend/public/json/localagi.json | 5 ++++ install/localagi-install.sh | 41 ++++++++++++++++++++++++++---- 2 files changed, 41 insertions(+), 5 deletions(-) diff --git a/frontend/public/json/localagi.json b/frontend/public/json/localagi.json index 44d6e18b1..e01439467 100644 --- a/frontend/public/json/localagi.json +++ b/frontend/public/json/localagi.json @@ -48,5 +48,10 @@ "text": "To use an external Ollama host, edit `/opt/localagi/.env` and set `LOCALAGI_LLM_API_URL=http://:11434/v1`, then restart LocalAGI with `systemctl restart localagi`.", "type": "info" } + , + { + "text": "The service runs as a dedicated system user `localagi` and the unit includes basic hardening (NoNewPrivileges, PrivateTmp, ProtectSystem).", + "type": "info" + } ] } diff --git a/install/localagi-install.sh b/install/localagi-install.sh index 7c79bea17..2d914f1c9 100644 --- a/install/localagi-install.sh +++ b/install/localagi-install.sh @@ -28,6 +28,11 @@ msg_ok "Installed Bun" fetch_and_deploy_gh_release "localagi" "mudler/LocalAGI" "tarball" "latest" "/opt/localagi" +if [[ ! -d /opt/localagi/webui/react-ui ]]; then + msg_error "Unexpected release layout: /opt/localagi/webui/react-ui not found" + exit 1 +fi + mkdir -p /opt/localagi/pool msg_info "Configuring LocalAGI" 
@@ -45,11 +50,29 @@ msg_ok "Configured LocalAGI" msg_info "Building LocalAGI from source" -cd /opt/localagi/webui/react-ui && - $STD bun install && - $STD bun run build && - cd /opt/localagi && - $STD go build -o /usr/local/bin/localagi +# Create dedicated system user to run the service +if ! id -u localagi >/dev/null 2>&1; then + msg_info "Creating system user 'localagi'" + useradd --system --no-create-home --shell /usr/sbin/nologin --home /opt/localagi localagi || \ + msg_warn "Failed to create 'localagi' user; continuing if it already exists" +fi + +# Ensure ownership and perms +chown -R localagi:localagi /opt/localagi || msg_warn "Failed to chown /opt/localagi" + +cd /opt/localagi/webui/react-ui || { msg_error "Missing webui/react-ui directory"; exit 1; } + +msg_info "Running bun install" +$STD bun install || { msg_error "bun install failed"; exit 1; } + +msg_info "Building web UI" +$STD bun run build || { msg_error "bun build failed"; exit 1; } + +cd /opt/localagi || { msg_error "Missing /opt/localagi"; exit 1; } + +msg_info "Building Go binary" +$STD go build -o /usr/local/bin/localagi || { msg_error "go build failed"; exit 1; } +chmod 755 /usr/local/bin/localagi || msg_warn "Failed to chmod /usr/local/bin/localagi" msg_ok "Built LocalAGI from source" msg_info "Creating Service" @@ -62,7 +85,15 @@ After=network.target Type=simple WorkingDirectory=/opt/localagi EnvironmentFile=/opt/localagi/.env +User=localagi ExecStart=/usr/local/bin/localagi +NoNewPrivileges=true +PrivateTmp=true +ProtectSystem=full +ProtectHome=true +AmbientCapabilities= +StandardOutput=journal +StandardError=journal Restart=on-failure RestartSec=5
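Review bot: The `useradd` and `chown -R` failures at the top of this hunk are downgraded to `msg_warn`, yet the unit written later in this patch sets `User=localagi`, so a missing account or wrong ownership only surfaces when the service fails to start. Both should abort the way the build steps do, e.g. `useradd --system --no-create-home --shell /usr/sbin/nologin --home /opt/localagi localagi || { msg_error "Failed to create 'localagi' user"; exit 1; }`. The recursive chown also runs before `bun install`, `bun run build` and `go build`, which still execute as root, so build output created afterwards is root-owned while the sources and `/opt/localagi/.env` become writable by the service account. If the service only needs to write its state, `chown -R localagi:localagi /opt/localagi/pool` plus `chown root:localagi /opt/localagi/.env && chmod 640 /opt/localagi/.env` would keep a compromised process from rewriting its own code and configuration. Which paths LocalAGI writes at runtime is not visible in this hunk and needs confirming first.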
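Review bot: `AmbientCapabilities=` in the added unit lines drops nothing for a non-root `User=`, because an empty ambient set is already the default; the directive that removes capabilities is the bounding set, so `CapabilityBoundingSet=` is the line to add. `ProtectSystem=full` makes only `/usr`, the boot loader directories and `/etc` read-only and leaves `/opt` and `/var` writable. `ProtectSystem=strict` together with `ReadWritePaths=/opt/localagi/pool` would confine writes to the state directory, assuming that is the only path the service writes. `StandardOutput=journal` and `StandardError=journal` normally restate the systemd default and can be dropped. The `[Service]` header and the heredoc enclosing these lines are outside the hunk; `systemd-analyze security localagi` on the target host is a quick check of the resulting exposure.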