@ebowwa/seedinstallation 0.3.0 → 0.4.1

package/dist/systemd.js

@@ -1,186 +1,488 @@
-/**
- * Systemd service unit creation and management.
- * Works with both local and SSH contexts via ExecContext from sudo.ts.
- */
-// Re-export helpers
-async function exec(args, opts) {
-    const { sudo } = await import("./sudo.js");
-    return sudo(args, opts);
+var __defProp = Object.defineProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: (newValue) => all[name] = () => newValue
+    });
+};
+var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+
+// sudo.ts
+var exports_sudo = {};
+__export(exports_sudo, {
+  writeFile: () => writeFile,
+  sudo: () => sudo,
+  serviceEnable: () => serviceEnable,
+  service: () => service,
+  pkgInstall: () => pkgInstall,
+  exec: () => exec
+});
+async function sudo(cmd, opts) {
+  const parts = Array.isArray(cmd) ? cmd : cmd.split(/\s+/);
+  const envPrefix = opts.env ? Object.entries(opts.env).map(([k, v]) => `${k}=${shellEscape(v)}`) : [];
+  const sudoCmd = ["sudo", ...envPrefix, ...parts];
+  return exec(sudoCmd, opts);
+}
+async function pkgInstall(packages, opts) {
+  const pm = opts.pm ?? "apt";
+  const envOverride = {
+    ...opts.env,
+    ...opts.nonInteractive !== false ? { DEBIAN_FRONTEND: "noninteractive" } : {}
+  };
+  await sudo(updateCmd[pm], { ...opts, env: envOverride, quiet: true });
+  return sudo([...installCmd[pm], ...packages], {
+    ...opts,
+    env: envOverride
+  });
 }
 async function writeFile(path, content, opts) {
-    const { writeFile: wf } = await import("./sudo.js");
-    return wf(path, content, opts);
-}
-// ---------------------------------------------------------------------------
-// Service creation
-// ---------------------------------------------------------------------------
-/**
- * Generate a systemd unit file content from options.
- */
-export function generateServiceUnit(name, opts) {
-    const lines = [];
-    // [Unit] section
-    lines.push("[Unit]");
-    lines.push(`Description=${opts.description}`);
-    if (opts.after?.length) {
-        lines.push(`After=${opts.after.join(" ")}`);
-    }
-    if (opts.wants?.length) {
-        lines.push(`Wants=${opts.wants.join(" ")}`);
-    }
-    lines.push("");
-    // [Service] section
-    lines.push("[Service]");
-    if (opts.type)
-        lines.push(`Type=${opts.type}`);
-    lines.push(`User=${opts.user ?? "root"}`);
-    if (opts.group)
-        lines.push(`Group=${opts.group}`);
-    lines.push(`WorkingDirectory=${opts.workingDirectory}`);
-    lines.push(`ExecStart=${opts.execStart}`);
-    if (opts.execStartPre?.length) {
-        opts.execStartPre.forEach((cmd, i) => {
-            lines.push(`ExecStartPre${i > 0 ? `=${i}` : ""}=${cmd}`);
-        });
-    }
-    if (opts.execStopPost?.length) {
-        opts.execStopPost.forEach((cmd, i) => {
-            lines.push(`ExecStopPost${i > 0 ? `=${i}` : ""}=${cmd}`);
-        });
-    }
-    if (opts.restart)
-        lines.push(`Restart=${opts.restart}`);
-    if (opts.restartSec)
-        lines.push(`RestartSec=${opts.restartSec}`);
-    if (opts.environment) {
-        Object.entries(opts.environment).forEach(([k, v]) => {
-            lines.push(`Environment="${k}=${v}"`);
-        });
-    }
-    if (opts.environmentFile) {
-        lines.push(`EnvironmentFile=${opts.environmentFile}`);
-    }
-    if (opts.standardOutput)
-        lines.push(`StandardOutput=${opts.standardOutput}`);
-    if (opts.standardError)
-        lines.push(`StandardError=${opts.standardError}`);
-    if (opts.nice !== undefined)
-        lines.push(`Nice=${opts.nice}`);
-    // Extras
-    if (opts.extras) {
-        lines.push("");
-        lines.push(opts.extras);
-    }
-    return lines.join("\n");
-}
-/**
- * Create and install a systemd service unit file.
- */
-export async function createServiceUnit(name, opts) {
-    const unitPath = `/etc/systemd/system/${name}.service`;
-    const content = generateServiceUnit(name, opts);
-    // Write unit file
-    const writeResult = await writeFile(unitPath, content, {
-        context: opts.context,
-        mode: "644",
-    });
-    if (!writeResult.ok) {
-        return writeResult;
-    }
-    // Reload systemd
-    await exec(["systemctl", "daemon-reload"], opts);
-    return {
-        ...writeResult,
-        unitPath,
-    };
+  const op = opts.append ? "-a" : "";
+  const teeCmd = `tee ${op} ${shellEscape(path)}`.trim();
+  const result = await execPipe(content, ["sudo", teeCmd], opts);
+  if (result.ok && opts.mode) {
+    await sudo(["chmod", opts.mode, path], opts);
+  }
+  if (result.ok && opts.owner) {
+    await sudo(["chown", opts.owner, path], opts);
+  }
+  return result;
+}
+async function service(name, action, opts) {
+  return sudo(["systemctl", action, name], opts);
+}
+async function serviceEnable(name, opts) {
+  return sudo(["systemctl", "enable", "--now", name], opts);
+}
+function buildSshPrefix(ctx) {
+  const parts = ["ssh", "-F", "/dev/null", "-o", "StrictHostKeyChecking=no", "-o", "UserKnownHostsFile=/dev/null"];
+  if (ctx.keyPath)
+    parts.push("-i", ctx.keyPath);
+  else if (ctx.key)
+    parts.push("-i", ctx.key);
+  if (ctx.port)
+    parts.push("-p", String(ctx.port));
+  parts.push(`${ctx.user ?? "root"}@${ctx.host}`);
+  return parts;
 }
-// ---------------------------------------------------------------------------
-// Service control
-// ---------------------------------------------------------------------------
-/**
- * Enable a service to start on boot.
- */
-export async function enableService(name, opts) {
-    return exec(["systemctl", "enable", name], opts);
-}
-/**
- * Disable a service from starting on boot.
- */
-export async function disableService(name, opts) {
-    return exec(["systemctl", "disable", name], opts);
-}
-/**
- * Start a service.
- */
-export async function startService(name, opts) {
-    return exec(["systemctl", "start", name], opts);
-}
-/**
- * Stop a service.
- */
-export async function stopService(name, opts) {
-    return exec(["systemctl", "stop", name], opts);
-}
-/**
- * Restart a service.
- */
-export async function restartService(name, opts) {
-    return exec(["systemctl", "restart", name], opts);
-}
-/**
- * Reload a service (sends SIGHUP).
- */
-export async function reloadService(name, opts) {
-    return exec(["systemctl", "reload", name], opts);
-}
-/**
- * Get service status.
- */
-export async function getServiceStatus(name, opts) {
-    const result = await exec(["systemctl", "show", name, "--property=LoadState,ActiveState,SubState,MainPID,Description"], {
-        ...opts,
-        quiet: true,
+async function exec(args, opts) {
+  const ctx = opts.context ?? { type: "local" };
+  const finalArgs = ctx.type === "ssh" ? [...buildSshPrefix(ctx), args.map(shellEscape).join(" ")] : args;
+  const proc = Bun.spawn(finalArgs, {
+    stdout: "pipe",
+    stderr: "pipe",
+    timeout: opts.timeout ?? 30000
+  });
+  const exitCode = await proc.exited;
+  const stdout = opts.quiet ? "" : await new Response(proc.stdout).text();
+  const stderr = await new Response(proc.stderr).text();
+  return { stdout, stderr, exitCode, ok: exitCode === 0 };
+}
+async function execPipe(input, args, opts) {
+  const ctx = opts.context ?? { type: "local" };
+  if (ctx.type === "ssh") {
+    const sshPrefix = buildSshPrefix(ctx);
+    const remoteCmd = args.join(" ");
+    const fullArgs = [...sshPrefix, remoteCmd];
+    const proc2 = Bun.spawn(fullArgs, {
+      stdin: new TextEncoder().encode(input),
+      stdout: "pipe",
+      stderr: "pipe",
+      timeout: opts.timeout ?? 30000
     });
-    if (!result.ok) {
-        return { loaded: false, active: false, subState: "unknown", mainPid: 0, description: "" };
-    }
-    const parse = (key) => {
-        const match = result.stdout.match(new RegExp(`^${key}=(.+)$`, "m"));
-        return match?.[1]?.trim() ?? "";
+    const exitCode2 = await proc2.exited;
+    const stdout2 = opts.quiet ? "" : await new Response(proc2.stdout).text();
+    const stderr2 = await new Response(proc2.stderr).text();
+    return { stdout: stdout2, stderr: stderr2, exitCode: exitCode2, ok: exitCode2 === 0 };
+  }
+  const proc = Bun.spawn(["sh", "-c", args.join(" ")], {
+    stdin: new TextEncoder().encode(input),
+    stdout: "pipe",
+    stderr: "pipe",
+    timeout: opts.timeout ?? 30000
+  });
+  const exitCode = await proc.exited;
+  const stdout = opts.quiet ? "" : await new Response(proc.stdout).text();
+  const stderr = await new Response(proc.stderr).text();
+  return { stdout, stderr, exitCode, ok: exitCode === 0 };
+}
+function shellEscape(s) {
+  if (/^[a-zA-Z0-9._\-\/=:@]+$/.test(s))
+    return s;
+  return `'${s.replace(/'/g, "'\\''")}'`;
+}
+var installCmd, updateCmd;
+var init_sudo = __esm(() => {
+  installCmd = {
+    apt: ["apt-get", "install", "-y"],
+    dnf: ["dnf", "install", "-y"],
+    apk: ["apk", "add", "--no-cache"]
+  };
+  updateCmd = {
+    apt: ["apt-get", "update", "-qq"],
+    dnf: ["dnf", "check-update"],
+    apk: ["apk", "update"]
+  };
+});
+
+// systemd.ts
+async function exec2(args, opts) {
+  const { sudo: sudo2 } = await Promise.resolve().then(() => (init_sudo(), exports_sudo));
+  return sudo2(args, opts);
+}
+async function writeFile2(path, content, opts) {
+  const { writeFile: wf } = await Promise.resolve().then(() => (init_sudo(), exports_sudo));
+  return wf(path, content, opts);
+}
+var systemdCheckCache = null;
+async function hasSystemd(opts) {
+  if (systemdCheckCache) {
+    return systemdCheckCache;
+  }
+  const sudoOpts = opts ?? { context: { type: "local" } };
+  const whichResult = await exec2(["which", "systemctl"], {
+    ...sudoOpts,
+    quiet: true,
+    env: sudoOpts.env
+  });
+  if (!whichResult.ok || !whichResult.stdout.trim()) {
+    const result2 = {
+      available: false,
+      reason: "not_found",
+      message: "systemctl command not found - systemd is not installed or not in PATH"
+    };
+    systemdCheckCache = result2;
+    return result2;
+  }
+  const runningResult = await exec2(["systemctl", "is-system-running"], {
+    ...sudoOpts,
+    quiet: true,
+    env: sudoOpts.env
+  });
+  if (runningResult.ok && runningResult.stdout.trim() !== "") {
+    const result2 = {
+      available: true,
+      message: "systemd is available and running"
     };
-    return {
-        loaded: parse("LoadState") === "loaded",
-        active: parse("ActiveState") === "active",
-        subState: parse("SubState"),
-        mainPid: parseInt(parse("MainPID") || "0", 10),
-        description: parse("Description"),
+    systemdCheckCache = result2;
+    return result2;
+  }
+  const dirResult = await exec2(["test", "-d", "/run/systemd/system"], {
+    ...sudoOpts,
+    quiet: true,
+    env: sudoOpts.env
+  });
+  if (dirResult.ok) {
+    const result2 = {
+      available: true,
+      message: "systemd detected via /run/systemd/system (container environment)"
     };
+    systemdCheckCache = result2;
+    return result2;
+  }
+  const result = {
+    available: false,
+    reason: "not_running",
+    message: "systemd is not available on this system (container/initless environment)"
+  };
+  systemdCheckCache = result;
+  return result;
 }
-/**
- * Enable and start a service in one call.
- */
-export async function enableAndStartService(name, opts) {
-    return exec(["systemctl", "enable", "--now", name], opts);
-}
-/**
- * Check if a service exists.
- */
-export async function serviceExists(name, opts) {
-    const result = await exec(["systemctl", "list-unit-files", name + ".service"], {
-        ...opts,
-        quiet: true,
+function clearSystemdCache() {
+  systemdCheckCache = null;
+}
+function generateServiceUnit(name, opts) {
+  const lines = [];
+  lines.push("[Unit]");
+  lines.push(`Description=${opts.description}`);
+  if (opts.after?.length) {
+    lines.push(`After=${opts.after.join(" ")}`);
+  }
+  if (opts.wants?.length) {
+    lines.push(`Wants=${opts.wants.join(" ")}`);
+  }
+  lines.push("");
+  lines.push("[Service]");
+  if (opts.type)
+    lines.push(`Type=${opts.type}`);
+  lines.push(`User=${opts.user ?? "root"}`);
+  if (opts.group)
+    lines.push(`Group=${opts.group}`);
+  lines.push(`WorkingDirectory=${opts.workingDirectory}`);
+  lines.push(`ExecStart=${opts.execStart}`);
+  if (opts.execStartPre?.length) {
+    opts.execStartPre.forEach((cmd, i) => {
+      lines.push(`ExecStartPre${i > 0 ? `=${i}` : ""}=${cmd}`);
+    });
+  }
+  if (opts.execStopPost?.length) {
+    opts.execStopPost.forEach((cmd, i) => {
+      lines.push(`ExecStopPost${i > 0 ? `=${i}` : ""}=${cmd}`);
+    });
+  }
+  if (opts.restart)
+    lines.push(`Restart=${opts.restart}`);
+  if (opts.restartSec)
+    lines.push(`RestartSec=${opts.restartSec}`);
+  if (opts.environment) {
+    Object.entries(opts.environment).forEach(([k, v]) => {
+      lines.push(`Environment="${k}=${v}"`);
     });
-    return result.ok && result.stdout.includes(name);
-}
-/**
- * Get service logs via journalctl.
- */
-export async function getServiceLogs(name, opts) {
-    const args = ["journalctl", "-u", name, "-n", String(opts.lines ?? 100)];
-    if (opts.since)
-        args.push("--since", opts.since);
-    if (!opts.follow)
-        args.push("-n", String(opts.lines ?? 100));
-    const result = await exec(args, opts);
-    return result.stdout;
+  }
+  if (opts.environmentFile) {
+    lines.push(`EnvironmentFile=${opts.environmentFile}`);
+  }
+  if (opts.standardOutput)
+    lines.push(`StandardOutput=${opts.standardOutput}`);
+  if (opts.standardError)
+    lines.push(`StandardError=${opts.standardError}`);
+  if (opts.nice !== undefined)
+    lines.push(`Nice=${opts.nice}`);
+  if (opts.noNewPrivileges)
+    lines.push("NoNewPrivileges=true");
+  if (opts.privateTmp)
+    lines.push("PrivateTmp=true");
+  if (opts.protectSystem)
+    lines.push(`ProtectSystem=${opts.protectSystem}`);
+  if (opts.protectHome === true)
+    lines.push("ProtectHome=true");
+  else if (opts.protectHome)
+    lines.push(`ProtectHome=${opts.protectHome}`);
+  if (opts.readOnlyPaths?.length)
+    lines.push(`ReadOnlyPaths=${opts.readOnlyPaths.join(" ")}`);
+  if (opts.readWritePaths?.length)
+    lines.push(`ReadWritePaths=${opts.readWritePaths.join(" ")}`);
+  if (opts.restrictRealtime)
+    lines.push("RestrictRealtime=true");
+  if (opts.memoryDenyWriteExecute)
+    lines.push("MemoryDenyWriteExecute=true");
+  if (opts.protectKernelTunables)
+    lines.push("ProtectKernelTunables=true");
+  if (opts.protectKernelModules)
+    lines.push("ProtectKernelModules=true");
+  if (opts.protectControlGroups)
+    lines.push("ProtectControlGroups=true");
+  if (opts.restrictAddressFamilies?.length)
+    lines.push(`RestrictAddressFamilies=${opts.restrictAddressFamilies.join(" ")}`);
+  if (opts.deviceAllow?.length)
+    lines.push(`DeviceAllow=${opts.deviceAllow.join(" ")}`);
+  if (opts.devicePolicy)
+    lines.push(`DevicePolicy=${opts.devicePolicy}`);
+  if (opts.systemCallFilter?.length)
+    lines.push(`SystemCallFilter=${opts.systemCallFilter.join(" ")}`);
+  if (opts.restrictNamespaces === true)
+    lines.push("RestrictNamespaces=true");
+  else if (Array.isArray(opts.restrictNamespaces) && opts.restrictNamespaces.length > 0)
+    lines.push(`RestrictNamespaces=${opts.restrictNamespaces.join(" ")}`);
+  if (opts.personality)
+    lines.push(`Personality=${opts.personality}`);
+  if (opts.lockPersonality)
+    lines.push("LockPersonality=true");
+  if (opts.removeCapability?.length)
+    opts.removeCapability.forEach((cap) => lines.push(`RemoveCapability=${cap}`));
+  if (opts.capabilityBoundingSet?.length)
+    lines.push(`CapabilityBoundingSet=${opts.capabilityBoundingSet.join(" ")}`);
+  if (opts.ambientCapabilities?.length)
+    lines.push(`AmbientCapabilities=${opts.ambientCapabilities.join(" ")}`);
+  if (opts.privateDevices)
+    lines.push("PrivateDevices=true");
+  if (opts.protectKernelLogs)
+    lines.push("ProtectKernelLogs=true");
+  if (opts.extras) {
+    lines.push("");
+    lines.push(opts.extras);
+  }
+  return lines.join(`
+`);
+}
+async function createServiceUnit(name, opts) {
+  const unitPath = `/etc/systemd/system/${name}.service`;
+  const content = generateServiceUnit(name, opts);
+  const writeResult = await writeFile2(unitPath, content, {
+    context: opts.context,
+    mode: "644",
+    env: opts.env,
+    timeout: opts.timeout
+  });
+  if (!writeResult.ok) {
+    return writeResult;
+  }
+  await exec2(["systemctl", "daemon-reload"], opts);
+  return {
+    ...writeResult,
+    unitPath
+  };
+}
+async function enableService(name, opts) {
+  return exec2(["systemctl", "enable", name], opts);
+}
+async function disableService(name, opts) {
+  return exec2(["systemctl", "disable", name], opts);
+}
+async function startService(name, opts) {
+  return exec2(["systemctl", "start", name], opts);
+}
+async function stopService(name, opts) {
+  return exec2(["systemctl", "stop", name], opts);
+}
+async function restartService(name, opts) {
+  return exec2(["systemctl", "restart", name], opts);
+}
+async function reloadService(name, opts) {
+  return exec2(["systemctl", "reload", name], opts);
+}
+async function getServiceStatus(name, opts) {
+  const result = await exec2(["systemctl", "show", name, "--property=LoadState,ActiveState,SubState,MainPID,Description"], {
+    ...opts,
+    quiet: true
+  });
+  if (!result.ok) {
+    return { loaded: false, active: false, subState: "unknown", mainPid: 0, description: "" };
+  }
+  const parse = (key) => {
+    const match = result.stdout.match(new RegExp(`^${key}=(.+)$`, "m"));
+    return match?.[1]?.trim() ?? "";
+  };
+  return {
+    loaded: parse("LoadState") === "loaded",
+    active: parse("ActiveState") === "active",
+    subState: parse("SubState"),
+    mainPid: parseInt(parse("MainPID") || "0", 10),
+    description: parse("Description")
+  };
+}
+async function enableAndStartService(name, opts) {
+  return exec2(["systemctl", "enable", "--now", name], opts);
+}
+async function serviceExists(name, opts) {
+  const result = await exec2(["systemctl", "list-unit-files", name + ".service"], {
+    ...opts,
+    quiet: true
+  });
+  return result.ok && result.stdout.includes(name);
+}
+async function getServiceLogs(name, opts = {}) {
+  const args = ["journalctl", "-u", name, "-n", String(opts.lines ?? 100)];
+  if (opts.since)
+    args.push("--since", opts.since);
+  if (!opts.follow)
+    args.push("-n", String(opts.lines ?? 100));
+  const result = await exec2(args, opts);
+  return result.stdout;
+}
+var SECURITY_PRESETS = {
+  strict: {
+    noNewPrivileges: true,
+    privateTmp: true,
+    protectSystem: "strict",
+    protectHome: true,
+    readOnlyPaths: ["/"],
+    readWritePaths: [],
+    restrictRealtime: true,
+    memoryDenyWriteExecute: true,
+    protectKernelTunables: true,
+    protectKernelModules: true,
+    protectControlGroups: true,
+    restrictAddressFamilies: ["AF_UNIX", "AF_INET", "AF_INET6"],
+    devicePolicy: "closed",
+    deviceAllow: [],
+    restrictNamespaces: true,
+    privateDevices: true,
+    protectKernelLogs: true,
+    lockPersonality: true,
+    capabilityBoundingSet: []
+  },
+  standard: {
+    noNewPrivileges: true,
+    privateTmp: true,
+    protectSystem: "full",
+    protectHome: true,
+    restrictRealtime: true,
+    memoryDenyWriteExecute: true,
+    protectKernelTunables: true,
+    protectKernelModules: true,
+    protectControlGroups: true,
+    restrictAddressFamilies: ["AF_UNIX", "AF_INET", "AF_INET6"],
+    devicePolicy: "auto",
+    restrictNamespaces: true,
+    privateDevices: true,
+    capabilityBoundingSet: ["CAP_NET_BIND_SERVICE"]
+  },
+  network: {
+    noNewPrivileges: true,
+    privateTmp: true,
+    protectSystem: "full",
+    protectHome: true,
+    restrictRealtime: true,
+    protectKernelTunables: true,
+    protectKernelModules: true,
+    protectControlGroups: true,
+    restrictAddressFamilies: ["AF_UNIX", "AF_INET", "AF_INET6"],
+    devicePolicy: "auto",
+    privateDevices: true,
+    capabilityBoundingSet: ["CAP_NET_BIND_SERVICE"],
+    ambientCapabilities: ["CAP_NET_BIND_SERVICE"]
+  },
+  minimal: {
+    noNewPrivileges: true,
+    privateTmp: true,
+    protectSystem: "yes",
+    restrictRealtime: true
+  },
+  deviceAccess: {
+    noNewPrivileges: true,
+    privateTmp: true,
+    protectSystem: "full",
+    protectHome: true,
+    restrictRealtime: true,
+    memoryDenyWriteExecute: true,
+    protectKernelTunables: true,
+    protectKernelModules: true,
+    protectControlGroups: true,
+    devicePolicy: "auto",
+    restrictNamespaces: true,
+    privateDevices: false
+  }
+};
+function withSecurityPreset(preset, customOptions) {
+  return {
+    ...SECURITY_PRESETS[preset],
+    ...customOptions
+  };
+}
+async function safeSystemd(operation, options = {}) {
+  const { requireSystemd = true, onNoSystemd, context, env, timeout, quiet } = options;
+  const sudoOpts = context ? { context, env, timeout, quiet } : { context: { type: "local" }, env, timeout, quiet };
+  const check = await hasSystemd(sudoOpts);
+  if (!check.available) {
+    if (onNoSystemd) {
+      await onNoSystemd(check);
+    }
+    if (requireSystemd) {
+      throw new Error(`Systemd required but not available: ${check.message}`);
+    }
+    return;
+  }
+  return operation();
 }
+export {
+  withSecurityPreset,
+  stopService,
+  startService,
+  serviceExists,
+  safeSystemd,
+  restartService,
+  reloadService,
+  hasSystemd,
+  getServiceStatus,
+  getServiceLogs,
+  generateServiceUnit,
+  enableService,
+  enableAndStartService,
+  disableService,
+  createServiceUnit,
+  clearSystemdCache,
+  SECURITY_PRESETS
+};