@lamalibre/create-portlama 1.0.32 → 1.0.34

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lamalibre/create-portlama",
-  "version": "1.0.32",
+  "version": "1.0.34",
   "description": "One-command setup for secure reverse tunnels with a management dashboard",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE.md",

package/src/lib/service-config.js

@@ -74,30 +74,36 @@ portlama ALL=(root) NOPASSWD: /usr/bin/systemctl restart portlama-panel
 # --- nginx config test ---
 portlama ALL=(root) NOPASSWD: /usr/sbin/nginx -t
 
-# --- certbot: restrict certonly to --nginx only (prevents --manual-auth-hook) ---
-portlama ALL=(root) NOPASSWD: /usr/bin/certbot certonly --nginx *
-portlama ALL=(root) NOPASSWD: /usr/bin/certbot renew
-portlama ALL=(root) NOPASSWD: /usr/bin/certbot renew --cert-name *
-portlama ALL=(root) NOPASSWD: /usr/bin/certbot certificates
-
-# --- openssl: restricted to PKI and Let's Encrypt paths ---
-portlama ALL=(root) NOPASSWD: /usr/bin/openssl x509 -in /etc/portlama/pki/* *
-portlama ALL=(root) NOPASSWD: /usr/bin/openssl x509 -in /etc/letsencrypt/live/* *
+# --- certbot: restrict to exact flag patterns used by the application ---
+portlama ALL=(root) NOPASSWD: /usr/bin/certbot certonly --nginx -d * --email * --agree-tos --non-interactive
+portlama ALL=(root) NOPASSWD: /usr/bin/certbot renew --non-interactive
+portlama ALL=(root) NOPASSWD: /usr/bin/certbot renew --cert-name * --non-interactive
+portlama ALL=(root) NOPASSWD: /usr/bin/certbot renew --cert-name * --force-renewal --non-interactive
+portlama ALL=(root) NOPASSWD: /usr/bin/certbot certificates --non-interactive
+
+# --- openssl: read-only operations (no trailing wildcards) ---
+portlama ALL=(root) NOPASSWD: /usr/bin/openssl x509 -in /etc/portlama/pki/* -serial -noout
+portlama ALL=(root) NOPASSWD: /usr/bin/openssl x509 -in /etc/portlama/pki/* -enddate -noout
+portlama ALL=(root) NOPASSWD: /usr/bin/openssl x509 -checkend 86400 -noout -in /etc/letsencrypt/live/*
+portlama ALL=(root) NOPASSWD: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/*
+portlama ALL=(root) NOPASSWD: /usr/bin/openssl x509 -in /etc/letsencrypt/live/* -enddate -noout
+# --- openssl: PKI generation and signing (trailing * for variable -subj CN) ---
+# Trust boundary: only @lamalibre/ scoped code runs as portlama user
 portlama ALL=(root) NOPASSWD: /usr/bin/openssl x509 -req -in /etc/portlama/pki/* *
 portlama ALL=(root) NOPASSWD: /usr/bin/openssl genrsa -out /etc/portlama/pki/* *
 portlama ALL=(root) NOPASSWD: /usr/bin/openssl req -new -key /etc/portlama/pki/* *
-portlama ALL=(root) NOPASSWD: /usr/bin/openssl pkcs12 -export *
-
-# --- mv: restrict source to /tmp/ or known config paths ---
-portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /var/www/portlama/*
-portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /etc/nginx/sites-available/*
-portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /etc/systemd/system/chisel.service
-portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /etc/systemd/system/authelia.service
-portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /etc/systemd/system/portlama-panel.service
-portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /etc/portlama/pki/*
-portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /usr/local/bin/chisel
-portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /usr/local/bin/authelia
-portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /etc/authelia/*
+portlama ALL=(root) NOPASSWD: /usr/bin/openssl pkcs12 -export -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 -out /etc/portlama/pki/*
+
+# --- mv: restrict source to known temp-file prefixes (no bare /tmp/*) ---
+portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/site-index-* /var/www/portlama/*
+portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/site-upload-* /var/www/portlama/*
+portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/invite-page-* /var/www/portlama/*
+portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/nginx-* /etc/nginx/sites-available/*
+portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/chisel-service-* /etc/systemd/system/chisel.service
+portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/authelia-service-* /etc/systemd/system/authelia.service
+portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/chisel-* /usr/local/bin/chisel
+portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/authelia-* /usr/local/bin/authelia
+portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/portlama-authelia-* /etc/authelia/*
 portlama ALL=(root) NOPASSWD: /usr/bin/mv /etc/portlama/pki/*.new /etc/portlama/pki/*
 portlama ALL=(root) NOPASSWD: /usr/bin/mv /etc/nginx/sites-available/*.bak /etc/nginx/sites-available/*
 
@@ -111,7 +117,7 @@ portlama ALL=(root) NOPASSWD: /usr/bin/mkdir -p /etc/authelia/*
 portlama ALL=(root) NOPASSWD: /usr/bin/mkdir -p /var/log/authelia
 portlama ALL=(root) NOPASSWD: /usr/bin/mkdir -p /var/log/authelia/*
 portlama ALL=(root) NOPASSWD: /usr/bin/cat /etc/authelia/*
-portlama ALL=(root) NOPASSWD: /usr/local/bin/authelia storage *
+portlama ALL=(root) NOPASSWD: /usr/local/bin/authelia storage user totp generate *
 
 # --- Static site file operations under /var/www/portlama/ ---
 portlama ALL=(root) NOPASSWD: /usr/bin/mkdir -p /var/www/portlama/*

package/src/tasks/panel.js

@@ -83,7 +83,7 @@ export function panelTasks(ctx, task) {
 
         subtask.output = 'Installing production dependencies...';
         try {
-          await execa('npm', ['install', '--production'], {
+          await execa('npm', ['install', '--production', '--ignore-scripts'], {
             cwd: serverDest,
           });
         } catch (err) {
@@ -94,6 +94,14 @@ export function panelTasks(ctx, task) {
 
         await execa('chown', ['-R', 'portlama:portlama', serverDest]);
 
+        // Create CLI symlink for portlama-reset-admin
+        const resetAdminSrc = join(serverDest, 'src', 'cli', 'reset-admin.js');
+        const resetAdminDest = '/usr/local/bin/portlama-reset-admin';
+        if (existsSync(resetAdminSrc)) {
+          await execa('chmod', ['+x', resetAdminSrc]);
+          await execa('ln', ['-sf', resetAdminSrc, resetAdminDest]);
+        }
+
         subtask.output = 'Panel server deployed';
       },
       rendererOptions: { persistentOutput: true },

package/src/tasks/redeploy.js

@@ -103,7 +103,7 @@ export function redeployTasks(ctx, task) {
 
         subtask.output = 'Installing production dependencies...';
         try {
-          await execa('npm', ['install', '--production'], {
+          await execa('npm', ['install', '--production', '--ignore-scripts'], {
             cwd: serverDest,
           });
         } catch (err) {
@@ -113,6 +113,15 @@ export function redeployTasks(ctx, task) {
         }
 
         await execa('chown', ['-R', 'portlama:portlama', serverDest]);
+
+        // Ensure CLI symlink for portlama-reset-admin
+        const resetAdminSrc = join(serverDest, 'src', 'cli', 'reset-admin.js');
+        const resetAdminDest = '/usr/local/bin/portlama-reset-admin';
+        if (existsSync(resetAdminSrc)) {
+          await execa('chmod', ['+x', resetAdminSrc]);
+          await execa('ln', ['-sf', resetAdminSrc, resetAdminDest]);
+        }
+
         subtask.output = 'Panel server updated';
       },
       rendererOptions: { persistentOutput: true },