@lamalibre/create-portlama 1.0.5 → 1.0.7

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lamalibre/create-portlama",
-  "version": "1.0.5",
+  "version": "1.0.7",
   "description": "One-command setup for secure reverse tunnels with a management dashboard",
   "type": "module",
   "license": "MIT",

package/src/lib/service-config.js

@@ -0,0 +1,151 @@
+/**
+ * Shared systemd unit and sudoers content generators.
+ * Used by both the full installer (panel.js) and the redeploy flow (redeploy.js).
+ */
+
+/**
+ * Generate the portlama-panel systemd service unit content.
+ *
+ * @param {{ installDir: string, configDir: string }} ctx
+ * @returns {string}
+ */
+export function generateServiceUnit(ctx) {
+  return `[Unit]
+Description=Portlama Panel Server
+After=network.target
+
+[Service]
+Type=simple
+User=portlama
+Group=portlama
+WorkingDirectory=${ctx.installDir}/panel-server
+ExecStart=/usr/bin/node src/index.js
+Environment=NODE_ENV=production
+Environment=CONFIG_FILE=${ctx.configDir}/panel.json
+Restart=always
+RestartSec=5
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=portlama-panel
+
+# Security hardening
+# Note: NoNewPrivileges is intentionally omitted — the panel needs sudo
+# for provisioning (Chisel, Authelia, certbot, nginx, systemctl).
+# Access is restricted via fine-grained sudoers rules in /etc/sudoers.d/portlama.
+ProtectHome=true
+ReadWritePaths=${ctx.configDir} /var/www/portlama
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
+`;
+}
+
+/**
+ * Generate the portlama sudoers file content.
+ *
+ * @returns {string}
+ */
+export function generateSudoersContent() {
+  const processUid = process.getuid?.() ?? 0;
+  const processGid = process.getgid?.() ?? 0;
+
+  return `# Portlama panel-server sudo rules
+# Allows the portlama user to manage specific services and run specific commands
+
+# --- systemctl: managed services ---
+portlama ALL=(root) NOPASSWD: /usr/bin/systemctl start nginx
+portlama ALL=(root) NOPASSWD: /usr/bin/systemctl stop nginx
+portlama ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
+portlama ALL=(root) NOPASSWD: /usr/bin/systemctl reload nginx
+portlama ALL=(root) NOPASSWD: /usr/bin/systemctl start chisel
+portlama ALL=(root) NOPASSWD: /usr/bin/systemctl stop chisel
+portlama ALL=(root) NOPASSWD: /usr/bin/systemctl restart chisel
+portlama ALL=(root) NOPASSWD: /usr/bin/systemctl start authelia
+portlama ALL=(root) NOPASSWD: /usr/bin/systemctl stop authelia
+portlama ALL=(root) NOPASSWD: /usr/bin/systemctl restart authelia
+portlama ALL=(root) NOPASSWD: /usr/bin/systemctl reload authelia
+portlama ALL=(root) NOPASSWD: /usr/bin/systemctl daemon-reload
+portlama ALL=(root) NOPASSWD: /usr/bin/systemctl enable certbot.timer
+portlama ALL=(root) NOPASSWD: /usr/bin/systemctl start certbot.timer
+portlama ALL=(root) NOPASSWD: /usr/bin/systemctl enable chisel
+portlama ALL=(root) NOPASSWD: /usr/bin/systemctl enable authelia
+portlama ALL=(root) NOPASSWD: /usr/bin/systemctl start portlama-panel
+portlama ALL=(root) NOPASSWD: /usr/bin/systemctl stop portlama-panel
+portlama ALL=(root) NOPASSWD: /usr/bin/systemctl restart portlama-panel
+
+# --- nginx config test ---
+portlama ALL=(root) NOPASSWD: /usr/sbin/nginx -t
+
+# --- certbot: restrict certonly to --nginx only (prevents --manual-auth-hook) ---
+portlama ALL=(root) NOPASSWD: /usr/bin/certbot certonly --nginx *
+portlama ALL=(root) NOPASSWD: /usr/bin/certbot renew
+portlama ALL=(root) NOPASSWD: /usr/bin/certbot renew --cert-name *
+portlama ALL=(root) NOPASSWD: /usr/bin/certbot certificates
+
+# --- openssl: only specific subcommands (no blanket wildcard) ---
+portlama ALL=(root) NOPASSWD: /usr/bin/openssl x509 *
+portlama ALL=(root) NOPASSWD: /usr/bin/openssl genrsa *
+portlama ALL=(root) NOPASSWD: /usr/bin/openssl req *
+portlama ALL=(root) NOPASSWD: /usr/bin/openssl pkcs12 *
+
+# --- mv: restrict source to /tmp/ or known config paths ---
+portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /var/www/portlama/*
+portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /etc/nginx/sites-available/*
+portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /etc/systemd/system/*
+portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /etc/portlama/pki/*
+portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /usr/local/bin/*
+portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /etc/authelia/*
+portlama ALL=(root) NOPASSWD: /usr/bin/mv /etc/portlama/pki/*.new /etc/portlama/pki/*
+portlama ALL=(root) NOPASSWD: /usr/bin/mv /etc/nginx/sites-available/*.bak /etc/nginx/sites-available/*
+
+# --- cp: only within known paths ---
+portlama ALL=(root) NOPASSWD: /usr/bin/cp /etc/nginx/sites-available/* /etc/nginx/sites-available/*.bak
+portlama ALL=(root) NOPASSWD: /usr/bin/cp /etc/portlama/pki/* /etc/portlama/pki/*.bak
+
+# --- Authelia directories and file reads ---
+portlama ALL=(root) NOPASSWD: /usr/bin/mkdir -p /etc/authelia
+portlama ALL=(root) NOPASSWD: /usr/bin/mkdir -p /etc/authelia/*
+portlama ALL=(root) NOPASSWD: /usr/bin/mkdir -p /var/log/authelia
+portlama ALL=(root) NOPASSWD: /usr/bin/mkdir -p /var/log/authelia/*
+portlama ALL=(root) NOPASSWD: /usr/bin/cat /etc/authelia/*
+
+# --- Static site file operations under /var/www/portlama/ ---
+portlama ALL=(root) NOPASSWD: /usr/bin/mkdir -p /var/www/portlama/*
+portlama ALL=(root) NOPASSWD: /usr/bin/chown -R www-data\\:www-data /var/www/portlama/*
+portlama ALL=(root) NOPASSWD: /usr/bin/chown www-data\\:www-data /var/www/portlama/*
+portlama ALL=(root) NOPASSWD: /usr/bin/chown ${processUid}\\:${processGid} /var/www/portlama/*
+portlama ALL=(root) NOPASSWD: /usr/bin/chmod -R 755 /var/www/portlama/*
+portlama ALL=(root) NOPASSWD: /usr/bin/chmod 644 /var/www/portlama/*
+portlama ALL=(root) NOPASSWD: /usr/bin/rm -rf /var/www/portlama/*
+portlama ALL=(root) NOPASSWD: /usr/bin/rm -f /var/www/portlama/*
+portlama ALL=(root) NOPASSWD: /usr/bin/find /var/www/portlama/*
+portlama ALL=(root) NOPASSWD: /usr/bin/du -sb /var/www/portlama/*
+
+# --- PKI file permissions ---
+portlama ALL=(root) NOPASSWD: /usr/bin/chmod 600 /etc/portlama/pki/*
+portlama ALL=(root) NOPASSWD: /usr/bin/chmod 644 /etc/portlama/pki/*
+portlama ALL=(root) NOPASSWD: /usr/bin/rm -f /etc/portlama/pki/*
+
+# --- nginx vhost file permissions and cleanup ---
+portlama ALL=(root) NOPASSWD: /usr/bin/chmod 644 /etc/nginx/sites-available/*
+portlama ALL=(root) NOPASSWD: /usr/bin/rm -f /etc/nginx/sites-available/*
+portlama ALL=(root) NOPASSWD: /usr/bin/rm -f /etc/nginx/sites-enabled/*
+portlama ALL=(root) NOPASSWD: /usr/bin/ln -sf /etc/nginx/sites-available/* /etc/nginx/sites-enabled/*
+
+# --- systemd service file permissions ---
+portlama ALL=(root) NOPASSWD: /usr/bin/chmod 644 /etc/systemd/system/*
+
+# --- chisel and authelia binary permissions ---
+portlama ALL=(root) NOPASSWD: /usr/bin/chmod +x /usr/local/bin/chisel
+portlama ALL=(root) NOPASSWD: /usr/bin/chmod +x /usr/local/bin/authelia
+
+# --- authelia config permissions ---
+portlama ALL=(root) NOPASSWD: /usr/bin/chmod 600 /etc/authelia/*
+portlama ALL=(root) NOPASSWD: /usr/bin/chmod 644 /etc/authelia/*
+
+# --- test file existence ---
+portlama ALL=(root) NOPASSWD: /usr/bin/test -f /etc/nginx/sites-available/*
+portlama ALL=(root) NOPASSWD: /usr/bin/test -r /etc/portlama/pki/*
+`;
+}

package/src/tasks/panel.js

@@ -4,6 +4,7 @@ import { existsSync } from 'node:fs';
 import { setTimeout as sleep } from 'node:timers/promises';
 import { fileURLToPath } from 'node:url';
 import { dirname, join } from 'node:path';
+import { generateServiceUnit, generateSudoersContent } from '../lib/service-config.js';
 
 /**
  * Panel deployment subtasks: system user, directories, server + client deploy,
@@ -220,35 +221,7 @@ export function panelTasks(ctx, task) {
     {
       title: 'Writing systemd service unit',
       task: async (_ctx, subtask) => {
-        const serviceUnit = `[Unit]
-Description=Portlama Panel Server
-After=network.target
-
-[Service]
-Type=simple
-User=portlama
-Group=portlama
-WorkingDirectory=${installDir}/panel-server
-ExecStart=/usr/bin/node src/index.js
-Environment=NODE_ENV=production
-Environment=CONFIG_FILE=${configDir}/panel.json
-Restart=always
-RestartSec=5
-StandardOutput=journal
-StandardError=journal
-SyslogIdentifier=portlama-panel
-
-# Security hardening
-# Note: NoNewPrivileges is intentionally omitted — the panel needs sudo
-# for provisioning (Chisel, Authelia, certbot, nginx, systemctl).
-# Access is restricted via fine-grained sudoers rules in /etc/sudoers.d/portlama.
-ProtectHome=true
-ReadWritePaths=${configDir} /var/www/portlama
-PrivateTmp=true
-
-[Install]
-WantedBy=multi-user.target
-`;
+        const serviceUnit = generateServiceUnit({ installDir, configDir });
         await writeFile(
           '/etc/systemd/system/portlama-panel.service',
           serviceUnit,
@@ -261,102 +234,7 @@ WantedBy=multi-user.target
     {
       title: 'Writing sudoers rules',
       task: async (_ctx, subtask) => {
-        const processUid = process.getuid?.() ?? 0;
-        const processGid = process.getgid?.() ?? 0;
-
-        const sudoersContent = `# Portlama panel-server sudo rules
-# Allows the portlama user to manage specific services and run specific commands
-
-# --- systemctl: managed services ---
-portlama ALL=(root) NOPASSWD: /usr/bin/systemctl start nginx
-portlama ALL=(root) NOPASSWD: /usr/bin/systemctl stop nginx
-portlama ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
-portlama ALL=(root) NOPASSWD: /usr/bin/systemctl reload nginx
-portlama ALL=(root) NOPASSWD: /usr/bin/systemctl start chisel
-portlama ALL=(root) NOPASSWD: /usr/bin/systemctl stop chisel
-portlama ALL=(root) NOPASSWD: /usr/bin/systemctl restart chisel
-portlama ALL=(root) NOPASSWD: /usr/bin/systemctl start authelia
-portlama ALL=(root) NOPASSWD: /usr/bin/systemctl stop authelia
-portlama ALL=(root) NOPASSWD: /usr/bin/systemctl restart authelia
-portlama ALL=(root) NOPASSWD: /usr/bin/systemctl reload authelia
-portlama ALL=(root) NOPASSWD: /usr/bin/systemctl daemon-reload
-portlama ALL=(root) NOPASSWD: /usr/bin/systemctl enable certbot.timer
-portlama ALL=(root) NOPASSWD: /usr/bin/systemctl start certbot.timer
-portlama ALL=(root) NOPASSWD: /usr/bin/systemctl enable chisel
-portlama ALL=(root) NOPASSWD: /usr/bin/systemctl enable authelia
-portlama ALL=(root) NOPASSWD: /usr/bin/systemctl start portlama-panel
-portlama ALL=(root) NOPASSWD: /usr/bin/systemctl stop portlama-panel
-portlama ALL=(root) NOPASSWD: /usr/bin/systemctl restart portlama-panel
-
-# --- nginx config test ---
-portlama ALL=(root) NOPASSWD: /usr/sbin/nginx -t
-
-# --- certbot: restrict certonly to --nginx only (prevents --manual-auth-hook) ---
-portlama ALL=(root) NOPASSWD: /usr/bin/certbot certonly --nginx *
-portlama ALL=(root) NOPASSWD: /usr/bin/certbot renew
-portlama ALL=(root) NOPASSWD: /usr/bin/certbot renew --cert-name *
-portlama ALL=(root) NOPASSWD: /usr/bin/certbot certificates
-
-# --- openssl: only specific subcommands (no blanket wildcard) ---
-portlama ALL=(root) NOPASSWD: /usr/bin/openssl x509 *
-portlama ALL=(root) NOPASSWD: /usr/bin/openssl genrsa *
-portlama ALL=(root) NOPASSWD: /usr/bin/openssl req *
-portlama ALL=(root) NOPASSWD: /usr/bin/openssl pkcs12 *
-
-# --- mv: restrict source to /tmp/ or known config paths ---
-portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /var/www/portlama/*
-portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /etc/nginx/sites-available/*
-portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /etc/systemd/system/*
-portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /etc/portlama/pki/*
-portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /usr/local/bin/*
-portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /etc/authelia/*
-portlama ALL=(root) NOPASSWD: /usr/bin/mv /etc/portlama/pki/*.new /etc/portlama/pki/*
-portlama ALL=(root) NOPASSWD: /usr/bin/mv /etc/nginx/sites-available/*.bak /etc/nginx/sites-available/*
-
-# --- cp: only within known paths ---
-portlama ALL=(root) NOPASSWD: /usr/bin/cp /etc/nginx/sites-available/* /etc/nginx/sites-available/*.bak
-portlama ALL=(root) NOPASSWD: /usr/bin/cp /etc/portlama/pki/* /etc/portlama/pki/*.bak
-
-# --- Static site file operations under /var/www/portlama/ ---
-portlama ALL=(root) NOPASSWD: /usr/bin/mkdir -p /var/www/portlama/*
-portlama ALL=(root) NOPASSWD: /usr/bin/mkdir -p /etc/authelia
-portlama ALL=(root) NOPASSWD: /usr/bin/mkdir -p /etc/authelia/*
-portlama ALL=(root) NOPASSWD: /usr/bin/chown -R www-data\\:www-data /var/www/portlama/*
-portlama ALL=(root) NOPASSWD: /usr/bin/chown www-data\\:www-data /var/www/portlama/*
-portlama ALL=(root) NOPASSWD: /usr/bin/chown ${processUid}\\:${processGid} /var/www/portlama/*
-portlama ALL=(root) NOPASSWD: /usr/bin/chmod -R 755 /var/www/portlama/*
-portlama ALL=(root) NOPASSWD: /usr/bin/chmod 644 /var/www/portlama/*
-portlama ALL=(root) NOPASSWD: /usr/bin/rm -rf /var/www/portlama/*
-portlama ALL=(root) NOPASSWD: /usr/bin/rm -f /var/www/portlama/*
-portlama ALL=(root) NOPASSWD: /usr/bin/find /var/www/portlama/*
-portlama ALL=(root) NOPASSWD: /usr/bin/du -sb /var/www/portlama/*
-
-# --- PKI file permissions ---
-portlama ALL=(root) NOPASSWD: /usr/bin/chmod 600 /etc/portlama/pki/*
-portlama ALL=(root) NOPASSWD: /usr/bin/chmod 644 /etc/portlama/pki/*
-portlama ALL=(root) NOPASSWD: /usr/bin/rm -f /etc/portlama/pki/*
-
-# --- nginx vhost file permissions and cleanup ---
-portlama ALL=(root) NOPASSWD: /usr/bin/chmod 644 /etc/nginx/sites-available/*
-portlama ALL=(root) NOPASSWD: /usr/bin/rm -f /etc/nginx/sites-available/*
-portlama ALL=(root) NOPASSWD: /usr/bin/rm -f /etc/nginx/sites-enabled/*
-portlama ALL=(root) NOPASSWD: /usr/bin/ln -sf /etc/nginx/sites-available/* /etc/nginx/sites-enabled/*
-
-# --- systemd service file permissions ---
-portlama ALL=(root) NOPASSWD: /usr/bin/chmod 644 /etc/systemd/system/*
-
-# --- chisel and authelia binary permissions ---
-portlama ALL=(root) NOPASSWD: /usr/bin/chmod +x /usr/local/bin/chisel
-portlama ALL=(root) NOPASSWD: /usr/bin/chmod +x /usr/local/bin/authelia
-
-# --- authelia config permissions ---
-portlama ALL=(root) NOPASSWD: /usr/bin/chmod 600 /etc/authelia/*
-portlama ALL=(root) NOPASSWD: /usr/bin/chmod 644 /etc/authelia/*
-
-# --- test file existence ---
-portlama ALL=(root) NOPASSWD: /usr/bin/test -f /etc/nginx/sites-available/*
-portlama ALL=(root) NOPASSWD: /usr/bin/test -r /etc/portlama/pki/*
-`;
+        const sudoersContent = generateSudoersContent();
         const sudoersPath = '/etc/sudoers.d/portlama';
         await writeFile(sudoersPath, sudoersContent, { mode: 0o440 });
 

package/src/tasks/redeploy.js

@@ -4,6 +4,7 @@ import { existsSync } from 'node:fs';
 import { setTimeout as sleep } from 'node:timers/promises';
 import { fileURLToPath } from 'node:url';
 import { dirname, join } from 'node:path';
+import { generateServiceUnit, generateSudoersContent } from '../lib/service-config.js';
 
 /**
  * Read the installed panel-server's package.json version, or null if not found.
@@ -179,6 +180,34 @@ export function redeployTasks(ctx, task) {
       },
       rendererOptions: { persistentOutput: true },
     },
+    {
+      title: 'Updating systemd unit and sudoers',
+      task: async (_ctx, subtask) => {
+        subtask.output = 'Writing systemd service unit...';
+        const serviceUnit = generateServiceUnit({ installDir, configDir });
+        await writeFile(
+          '/etc/systemd/system/portlama-panel.service',
+          serviceUnit,
+        );
+
+        subtask.output = 'Writing sudoers rules...';
+        const sudoersContent = generateSudoersContent();
+        const sudoersPath = '/etc/sudoers.d/portlama';
+        await writeFile(sudoersPath, sudoersContent, { mode: 0o440 });
+
+        try {
+          await execa('visudo', ['-c', '-f', sudoersPath]);
+        } catch (error) {
+          await rm(sudoersPath, { force: true });
+          throw new Error(
+            `Sudoers validation failed — file removed for safety.\n${error.stderr || error.message}`,
+          );
+        }
+
+        subtask.output = 'Systemd unit and sudoers updated';
+      },
+      rendererOptions: { persistentOutput: true },
+    },
     {
       title: 'Reloading systemd and restarting panel',
       task: async (_ctx, subtask) => {

package/vendor/panel-server/src/lib/authelia.js

@@ -99,7 +99,7 @@ export async function installAuthelia() {
   }
 
   const asset = releaseInfo.assets?.find(
-    (a) => a.name.includes('linux-amd64') && a.name.endsWith('.tar.gz'),
+    (a) => a.name.includes('linux-amd64') && a.name.endsWith('.tar.gz') && !a.name.includes('musl'),
   );
 
   if (!asset) {