feat: set ownership and perms for files, directories, binaries etc. #53 (#70)

Author: jchiarulli

cmd/install.go

@@ -94,7 +94,10 @@ var installCmd = &cobra.Command{
 		// Step 3: Configure the intrusion detection system
 		network.ConfigureIntrusionDetection()
 
-		// Setp 4: Create relay user
+		// Step 4: Configure Nginx
+		network.ConfigureNginx()
+
+		// Setp 5: Create relay user
 		spinner, _ := pterm.DefaultSpinner.Start(fmt.Sprintf("Checking if '%s' user exists...", relays.User))
 		if !users.UserExists(relays.User) {
 			spinner.UpdateText(fmt.Sprintf("Creating '%s' user...", relays.User))
@@ -105,118 +108,118 @@ var installCmd = &cobra.Command{
 		}
 
 		if selectedRelayOption == khatru_pyramid.RelayName {
-			// Step 5: Configure Nginx for HTTP
+			// Step 6: Configure Nginx for HTTP
 			khatru_pyramid.ConfigureNginxHttp(relayDomain)
 
-			// Step 6: Get SSL/TLS certificates
+			// Step 7: Get SSL/TLS certificates
 			httpsEnabled := network.GetCertificates(relayDomain)
 			if httpsEnabled {
-				// Step 7: Configure Nginx for HTTPS
+				// Step 8: Configure Nginx for HTTPS
 				khatru_pyramid.ConfigureNginxHttps(relayDomain)
 			}
 
-			// Step 8: Download and install the relay binary
+			// Step 9: Download and install the relay binary
 			khatru_pyramid.InstallRelayBinary(pubKey)
 
-			// Step 9: Set up the relay service
+			// Step 10: Set up the relay service
 			khatru_pyramid.SetupRelayService(relayDomain, pubKey, relayContact)
 
-			// Step 10: Show success messages
+			// Step 11: Show success messages
 			khatru_pyramid.SuccessMessages(relayDomain, httpsEnabled)
 		} else if selectedRelayOption == nostr_rs_relay.RelayName {
-			// Step 5: Configure Nginx for HTTP
+			// Step 6: Configure Nginx for HTTP
 			nostr_rs_relay.ConfigureNginxHttp(relayDomain)
 
-			// Step 6: Get SSL/TLS certificates
+			// Step 7: Get SSL/TLS certificates
 			httpsEnabled := network.GetCertificates(relayDomain)
 			if httpsEnabled {
-				// Step 7: Configure Nginx for HTTPS
+				// Step 8: Configure Nginx for HTTPS
 				nostr_rs_relay.ConfigureNginxHttps(relayDomain)
 			}
 
-			// Step 8: Download and install the relay binary
+			// Step 9: Download and install the relay binary
 			nostr_rs_relay.InstallRelayBinary()
 
-			// Step 9: Set up the relay service
+			// Step 10: Set up the relay service
 			nostr_rs_relay.SetupRelayService(relayDomain, pubKey, relayContact, httpsEnabled)
 
-			// Step 10: Show success messages
+			// Step 11: Show success messages
 			nostr_rs_relay.SuccessMessages(relayDomain, httpsEnabled)
 		} else if selectedRelayOption == strfry.RelayName {
-			// Step 5: Configure Nginx for HTTP
+			// Step 6: Configure Nginx for HTTP
 			strfry.ConfigureNginxHttp(relayDomain)
 
-			// Step 6: Get SSL/TLS certificates
+			// Step 7: Get SSL/TLS certificates
 			httpsEnabled := network.GetCertificates(relayDomain)
 			if httpsEnabled {
-				// Step 7: Configure Nginx for HTTPS
+				// Step 8: Configure Nginx for HTTPS
 				strfry.ConfigureNginxHttps(relayDomain)
 			}
 
-			// Step 8: Download and install the relay binary
+			// Step 9: Download and install the relay binary
 			strfry.InstallRelayBinary()
 
-			// Step 9: Set up the relay service
+			// Step 10: Set up the relay service
 			strfry.SetupRelayService(relayDomain, relayContact)
 
-			// Step 10: Show success messages
+			// Step 11: Show success messages
 			strfry.SuccessMessages(relayDomain, httpsEnabled)
 		} else if selectedRelayOption == wot_relay.RelayName {
-			// Step 5: Configure Nginx for HTTP
+			// Step 6: Configure Nginx for HTTP
 			wot_relay.ConfigureNginxHttp(relayDomain)
 
-			// Step 6: Get SSL/TLS certificates
+			// Step 7: Get SSL/TLS certificates
 			httpsEnabled := network.GetCertificates(relayDomain)
 			if httpsEnabled {
-				// Step 7: Configure Nginx for HTTPS
+				// Step 8: Configure Nginx for HTTPS
 				wot_relay.ConfigureNginxHttps(relayDomain)
 			}
 
-			// Step 8: Download and install the relay binary
+			// Step 9: Download and install the relay binary
 			wot_relay.InstallRelayBinary(pubKey)
 
-			// Step 9: Set up the relay service
+			// Step 10: Set up the relay service
 			wot_relay.SetupRelayService(relayDomain, pubKey, relayContact, httpsEnabled)
 
-			// Step 10: Show success messages
+			// Step 11: Show success messages
 			wot_relay.SuccessMessages(relayDomain, httpsEnabled)
 		} else if selectedRelayOption == khatru29.RelayName {
-			// Step 5: Configure Nginx for HTTP
+			// Step 6: Configure Nginx for HTTP
 			khatru29.ConfigureNginxHttp(relayDomain)
 
-			// Step 6: Get SSL/TLS certificates
+			// Step 7: Get SSL/TLS certificates
 			httpsEnabled := network.GetCertificates(relayDomain)
 			if httpsEnabled {
-				// Step 7: Configure Nginx for HTTPS
+				// Step 8: Configure Nginx for HTTPS
 				khatru29.ConfigureNginxHttps(relayDomain)
 			}
 
-			// Step 8: Download and install the relay binary
+			// Step 9: Download and install the relay binary
 			khatru29.InstallRelayBinary()
 
-			// Step 9: Set up the relay service
+			// Step 10: Set up the relay service
 			khatru29.SetupRelayService(relayDomain, privKey, relayContact)
 
-			// Step 10: Show success messages
+			// Step 11: Show success messages
 			khatru29.SuccessMessages(relayDomain, httpsEnabled)
 		} else if selectedRelayOption == strfry29.RelayName {
-			// Step 5: Configure Nginx for HTTP
+			// Step 6: Configure Nginx for HTTP
 			strfry29.ConfigureNginxHttp(relayDomain)
 
-			// Step 6: Get SSL/TLS certificates
+			// Step 7: Get SSL/TLS certificates
 			httpsEnabled := network.GetCertificates(relayDomain)
 			if httpsEnabled {
-				// Step 7: Configure Nginx for HTTPS
+				// Step 8: Configure Nginx for HTTPS
 				strfry29.ConfigureNginxHttps(relayDomain)
 			}
 
-			// Step 8: Download and install the relay binary
+			// Step 9: Download and install the relay binary
 			strfry29.InstallRelayBinary()
 
-			// Step 9: Set up the relay service
+			// Step 10: Set up the relay service
 			strfry29.SetupRelayService(relayDomain, privKey, relayContact)
 
-			// Step 10: Show success messages
+			// Step 11: Show success messages
 			strfry29.SuccessMessages(relayDomain, httpsEnabled)
 		}
 

pkg/manager/apt.go

@@ -2,12 +2,14 @@ package manager
 
 import (
 	"fmt"
+	"os"
+	"os/exec"
+
 	"github.com/nodetec/rwz/pkg/relays/nostr_rs_relay"
 	"github.com/nodetec/rwz/pkg/relays/strfry"
 	"github.com/nodetec/rwz/pkg/relays/strfry29"
+	"github.com/nodetec/rwz/pkg/relays/wot_relay"
 	"github.com/pterm/pterm"
-	"os"
-	"os/exec"
 )
 
 // Function to check if a package is installed
@@ -46,7 +48,7 @@ func AptInstallPackages(selectedRelayOption string) {
 
 	packages := []string{"nginx", "certbot", "python3-certbot-nginx", "ufw", "fail2ban"}
 
-	if selectedRelayOption == nostr_rs_relay.RelayName || selectedRelayOption == strfry.RelayName || selectedRelayOption == strfry29.RelayName {
+	if selectedRelayOption == nostr_rs_relay.RelayName || selectedRelayOption == strfry.RelayName || selectedRelayOption == wot_relay.RelayName || selectedRelayOption == strfry29.RelayName {
 		packages = append(packages, "git")
 	}
 

pkg/network/certbot.go

@@ -2,13 +2,54 @@ package network
 
 import (
 	"fmt"
-	"github.com/nodetec/rwz/pkg/utils/files"
-	"github.com/pterm/pterm"
 	"os"
 	"os/exec"
 	"strings"
+
+	"github.com/nodetec/rwz/pkg/utils/directories"
+	"github.com/nodetec/rwz/pkg/utils/files"
+	"github.com/pterm/pterm"
 )
 
+func setDomainCertDirPerms(domainName string) {
+	DomainCertificateDirPath := fmt.Sprintf("%s/%s", CertificateDirPath, domainName)
+
+	if directories.DirExists(DomainCertificateDirPath) {
+		directories.SetPermissions(DomainCertificateDirPath, 0700)
+	}
+}
+
+func setDomainCertArchiveDirPerms(domainName string) {
+	DomainCertificateArchiveDirPath := fmt.Sprintf("%s/%s", CertificateArchiveDirPath, domainName)
+
+	if directories.DirExists(DomainCertificateArchiveDirPath) {
+		directories.SetPermissions(DomainCertificateArchiveDirPath, 0700)
+	}
+}
+
+func setDomainCertArchiveFilePerms(domainName string) {
+	FullchainArchiveFilePath := fmt.Sprintf("%s/%s/%s", CertificateArchiveDirPath, domainName, FullchainArchiveFile)
+	PrivkeyArchiveFilePath := fmt.Sprintf("%s/%s/%s", CertificateArchiveDirPath, domainName, PrivkeyArchiveFile)
+	ChainArchiveFilePath := fmt.Sprintf("%s/%s/%s", CertificateArchiveDirPath, domainName, ChainArchiveFile)
+	CertArchiveFilePath := fmt.Sprintf("%s/%s/%s", CertificateArchiveDirPath, domainName, CertArchiveFile)
+
+	if files.FileExists(FullchainArchiveFilePath) {
+		files.SetPermissions(FullchainArchiveFilePath, 0600)
+	}
+
+	if files.FileExists(PrivkeyArchiveFilePath) {
+		files.SetPermissions(PrivkeyArchiveFilePath, 0600)
+	}
+
+	if files.FileExists(ChainArchiveFilePath) {
+		files.SetPermissions(ChainArchiveFilePath, 0600)
+	}
+
+	if files.FileExists(CertArchiveFilePath) {
+		files.SetPermissions(CertArchiveFilePath, 0600)
+	}
+}
+
 // Function to get SSL/TLS certificates using Certbot
 func GetCertificates(domainName string) bool {
 	ThemeDefault := pterm.ThemeDefault
@@ -112,6 +153,10 @@ func GetCertificates(domainName string) bool {
 	if files.FileExists(fmt.Sprintf("%s/%s/%s", CertificateDirPath, domainName, FullchainFile)) &&
 		files.FileExists(fmt.Sprintf("%s/%s/%s", CertificateDirPath, domainName, PrivkeyFile)) &&
 		files.FileExists(fmt.Sprintf("%s/%s/%s", CertificateDirPath, domainName, ChainFile)) {
+		setDomainCertDirPerms(domainName)
+		setDomainCertArchiveDirPerms(domainName)
+		setDomainCertArchiveFilePerms(domainName)
+
 		certificateSpinner.Info("SSL/TLS certificates already exist.")
 		pterm.Println()
 		return true
@@ -134,6 +179,10 @@ func GetCertificates(domainName string) bool {
 		}
 	}
 
+	setDomainCertDirPerms(domainName)
+	setDomainCertArchiveDirPerms(domainName)
+	setDomainCertArchiveFilePerms(domainName)
+
 	certificateSpinner.Success("SSL/TLS certificates obtained successfully.")
 	return true
 }

pkg/network/constants.go

@@ -14,5 +14,11 @@ const CertificateDirPath = "/etc/letsencrypt/live"
 const FullchainFile = "fullchain.pem"
 const PrivkeyFile = "privkey.pem"
 const ChainFile = "chain.pem"
+const CertificateArchiveDirPath = "/etc/letsencrypt/archive"
+const FullchainArchiveFile = "fullchain1.pem"
+const PrivkeyArchiveFile = "privkey1.pem"
+const ChainArchiveFile = "chain1.pem"
+const CertArchiveFile = "cert1.pem"
+const NginxConfDirPath = "/etc/nginx/conf.d"
 const WWWDirPath = "/var/www"
 const AcmeChallengeDirPath = ".well-known/acme-challenge"

pkg/network/nginx.go

@@ -0,0 +1,19 @@
+package network
+
+import (
+	"github.com/nodetec/rwz/pkg/relays"
+	"github.com/nodetec/rwz/pkg/utils/directories"
+)
+
+// Function to configure Nginx
+func ConfigureNginx() {
+	if directories.DirExists(NginxConfDirPath) {
+		directories.SetPermissions(NginxConfDirPath, 0755)
+		directories.SetOwnerAndGroup(relays.NginxUser, relays.NginxUser, NginxConfDirPath)
+	}
+
+	if directories.DirExists(WWWDirPath) {
+		directories.SetPermissions(WWWDirPath, 0755)
+		directories.SetOwnerAndGroup(relays.NginxUser, relays.NginxUser, WWWDirPath)
+	}
+}

pkg/relays/constants.go

@@ -3,3 +3,4 @@ package relays
 const BinaryDestDir = "/usr/local/bin"
 const TmpDirPath = "/tmp"
 const User = "nostr"
+const NginxUser = "www-data"

pkg/relays/khatru29/constants.go

@@ -5,19 +5,20 @@ const BinaryName = "khatru29"
 const BinaryFilePath = "/usr/local/bin/khatru29"
 const NginxConfigFilePath = "/etc/nginx/conf.d/khatru29.conf"
 const DataDirPath = "/var/lib/khatru29"
+const ConfigDirPath = "/etc/khatru29"
 const ServiceName = "khatru29"
-const EnvFilePath = "/etc/systemd/system/khatru29.env"
+const EnvFilePath = "/etc/khatru29/khatru29.env"
 const EnvFileTemplate = `PORT="5577"
 DOMAIN="{{.Domain}}"
 RELAY_NAME="Khatru29"
 RELAY_PRIVKEY="{{.PrivKey}}"
-RELAY_DESCRIPTION="Khatru29 Nostr Relay"
+RELAY_DESCRIPTION="Khatru29 Relay"
 RELAY_CONTACT="{{.RelayContact}}"
 DATABASE_PATH="/var/lib/khatru29/db"
 `
 const ServiceFilePath = "/etc/systemd/system/khatru29.service"
 const ServiceFileTemplate = `[Unit]
-Description=Khatru29 Nostr Relay Service
+Description=Khatru29 Relay Service
 After=network.target
 
 [Service]

pkg/relays/khatru29/nginx_http.go

@@ -3,6 +3,7 @@ package khatru29
 import (
 	"fmt"
 	"github.com/nodetec/rwz/pkg/network"
+	"github.com/nodetec/rwz/pkg/relays"
 	"github.com/nodetec/rwz/pkg/utils/directories"
 	"github.com/nodetec/rwz/pkg/utils/files"
 	"github.com/nodetec/rwz/pkg/utils/systemd"
@@ -15,7 +16,9 @@ func ConfigureNginxHttp(domainName string) {
 
 	files.RemoveFile(NginxConfigFilePath)
 
+	directories.CreateDirectory(fmt.Sprintf("%s/%s", network.WWWDirPath, domainName), 0755)
 	directories.CreateDirectory(fmt.Sprintf("%s/%s/%s/", network.WWWDirPath, domainName, network.AcmeChallengeDirPath), 0755)
+	directories.SetOwnerAndGroup(relays.NginxUser, relays.NginxUser, fmt.Sprintf("%s/%s", network.WWWDirPath, domainName))
 
 	configContent := fmt.Sprintf(`map $http_upgrade $connection_upgrade {
     default upgrade;
@@ -84,6 +87,7 @@ server {
 `, domainName, network.AcmeChallengeDirPath, network.WWWDirPath, domainName, domainName, domainName)
 
 	files.WriteFile(NginxConfigFilePath, configContent, 0644)
+	files.SetOwnerAndGroup(relays.NginxUser, relays.NginxUser, NginxConfigFilePath)
 
 	systemd.RestartService("nginx")
 

pkg/relays/khatru29/nginx_https.go

@@ -3,6 +3,7 @@ package khatru29
 import (
 	"fmt"
 	"github.com/nodetec/rwz/pkg/network"
+	"github.com/nodetec/rwz/pkg/relays"
 	"github.com/nodetec/rwz/pkg/utils/files"
 	"github.com/nodetec/rwz/pkg/utils/systemd"
 	"github.com/pterm/pterm"
@@ -122,6 +123,7 @@ server {
 `, domainName, network.CertificateDirPath, domainName, network.FullchainFile, network.CertificateDirPath, domainName, network.PrivkeyFile, network.CertificateDirPath, domainName, network.ChainFile, domainName, network.AcmeChallengeDirPath, network.WWWDirPath, domainName, domainName)
 
 	files.WriteFile(NginxConfigFilePath, configContent, 0644)
+	files.SetOwnerAndGroup(relays.NginxUser, relays.NginxUser, NginxConfigFilePath)
 
 	systemd.ReloadService("nginx")