From e33fec535374fbd868b90573edc38256aa1d9b48 Mon Sep 17 00:00:00 2001
From: Vadym Samoilenko
Date: Thu, 19 Mar 2026 19:17:09 +0000
Subject: [PATCH] Fix deploy.sh: run as normal user, sudo only for privileged ops

Removes root check; uses sudo internally for apt/apache/ufw commands so git pull and docker commands run as the invoking user (with correct SSH keys and docker group membership).

Co-Authored-By: Claude Sonnet 4.6
---
 deploy.sh | 41 ++++++++++++++++++++---------------------
 1 file changed, 20 insertions(+), 21 deletions(-)

diff --git a/deploy.sh b/deploy.sh
index fc174e2..004a49d 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 # DeckForge Production Deploy Script
 # Idempotent — safe to run multiple times
-# Must run as root (needs apt, apache2, ufw)
+# Run as normal user; script uses sudo internally for privileged operations
 set -euo pipefail
 
 # ── Colours ──────────────────────────────────────────────────────────────────
@@ -10,10 +10,9 @@
 info() { echo -e "${GREEN}[deploy]${NC} $*"; }
 warn() { echo -e "${YELLOW}[warn]${NC} $*"; }
 error() { echo -e "${RED}[error]${NC} $*" >&2; }
-# ── Root check ────────────────────────────────────────────────────────────────
-if [[ $EUID -ne 0 ]]; then
- error "This script must be run as root (sudo $0)"
- exit 1
+# ── Sudo check (need it for apt/apache/ufw but NOT for git/docker) ────────────
+if ! sudo -n true 2>/dev/null; then
+ warn "This script needs sudo for apt/apache/ufw — you may be prompted for your password."
 fi
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
@@ -34,13 +33,13 @@ install_if_missing() {
 local cmd=$1; local pkg=${2:-$1}
 if ! command -v "$cmd" &>/dev/null; then
 info " Installing $pkg..."
- apt-get install -y "$pkg" -qq
+ sudo apt-get install -y "$pkg" -qq
 else
 info " $cmd: OK"
 fi
 }
 
-apt-get update -qq
+sudo apt-get update -qq
 install_if_missing docker docker.io
 install_if_missing git git
 
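Review bot: The new sudo check only warns, so a user without sudo rights still proceeds until the first `sudo apt-get update -qq`, and any later `sudo` (including the `| sudo tee` pipeline in the Apache step) can prompt or fail part-way through the run; since the check exists to gate apt/apache/ufw, make it fail fast instead: `sudo -v || { error "sudo access is required for apt/apache/ufw"; exit 1; }`. `sudo -n true` only reports whether a cached credential exists, and sudo's timestamp can expire during a long apt run, so a later prompt remains possible even after the check passes — a one-line comment saying so would save the next reader a surprise. The commit message relies on the invoking user's docker group membership, but nothing in the patch verifies it, so a user outside that group presumably fails at the first docker command after the apt changes have already been made; a `docker info >/dev/null 2>&1 || die` probe after the install step would surface that earlier. Note that docker group membership is itself root-equivalent on the host, so this change reduces accidental privilege for git and compose, not the trust placed in the deploying account.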
@@ -51,18 +50,18 @@ install_if_missing ufw ufw # Docker Compose plugin if ! docker compose version &>/dev/null 2>&1; then info " Installing docker-compose-plugin..." - apt-get install -y docker-compose-plugin -qq + sudo apt-get install -y docker-compose-plugin -qq fi # Apache2 if ! command -v apache2 &>/dev/null; then info " Installing apache2..." - apt-get install -y apache2 -qq + sudo apt-get install -y apache2 -qq fi # Enable required Apache modules info " Enabling Apache modules..." -a2enmod proxy proxy_http proxy_wstunnel headers rewrite -q +sudo a2enmod proxy proxy_http proxy_wstunnel headers rewrite -q # ───────────────────────────────────────────────────────────────────────────── # STEP 1.5: Port conflict check @@ -231,26 +230,26 @@ APACHE_CONF_DST="/etc/apache2/sites-available/deckforge.conf" sed \ -e "s/API_PORT/${API_PORT}/g" \ -e "s/WEB_PORT/${WEB_PORT}/g" \ - "$APACHE_CONF_SRC" > "$APACHE_CONF_DST" + "$APACHE_CONF_SRC" | sudo tee "$APACHE_CONF_DST" > /dev/null info " Written $APACHE_CONF_DST" # Disable default site on first install if [[ -L /etc/apache2/sites-enabled/000-default.conf ]]; then - a2dissite 000-default.conf -q || true + sudo a2dissite 000-default.conf -q || true info " Disabled 000-default.conf" fi -a2ensite deckforge.conf -q +sudo a2ensite deckforge.conf -q info " Enabled deckforge.conf" # Test Apache config before reloading -if apache2ctl configtest 2>&1 | grep -q "Syntax OK"; then - systemctl reload apache2 +if sudo apache2ctl configtest 2>&1 | grep -q "Syntax OK"; then + sudo systemctl reload apache2 info " Apache reloaded" else error "Apache config test failed — check $APACHE_CONF_DST" - apache2ctl configtest + sudo apache2ctl configtest exit 1 fi 
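Review bot: `sed … | sudo tee "$APACHE_CONF_DST" > /dev/null` truncates the live site config before the rendered content is complete, so a sed failure (which `pipefail` turns into a script exit) leaves a truncated deckforge.conf in sites-available, and because the file is rewritten on every run that window recurs on each deploy; render to a temp file and install it atomically instead: `tmp=$(mktemp)`, `sed -e … "$APACHE_CONF_SRC" > "$tmp"`, `sudo install -m 0644 -o root -g root -- "$tmp" "$APACHE_CONF_DST"`, then `rm -f -- "$tmp"`. The `apache2ctl configtest` gate before `systemctl reload apache2` still protects the running server, which is good, but it does not protect the on-disk file between runs. API_PORT and WEB_PORT are spliced into the sed program unescaped, so rendering silently breaks if either ever contains `/` or `&`; their origin is outside this hunk, so a guard such as `[[ $API_PORT =~ ^[0-9]+$ && $WEB_PORT =~ ^[0-9]+$ ]] || die "ports must be numeric"` before the sed would document the assumption.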
@@ -258,11 +257,11 @@ fi
 # STEP 11: UFW Firewall
 # ─────────────────────────────────────────────────────────────────────────────
 info "Step 11: Configuring UFW firewall..."
-ufw default deny incoming -y 2>/dev/null || true
-ufw default allow outgoing -y 2>/dev/null || true
-ufw allow 22/tcp
-ufw allow 80/tcp
-ufw --force enable
+sudo ufw default deny incoming -y 2>/dev/null || true
+sudo ufw default allow outgoing -y 2>/dev/null || true
+sudo ufw allow 22/tcp
+sudo ufw allow 80/tcp
+sudo ufw --force enable
 info " UFW enabled (22/tcp, 80/tcp allowed)"
 
 # ─────────────────────────────────────────────────────────────────────────────
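Review bot: The two `sudo ufw default …` lines still carry `2>/dev/null || true`, so a failure to set the deny-incoming policy (sudo denied, ufw rejecting an argument) is hidden and the script continues to `sudo ufw --force enable` with whatever default policy happens to be in effect; that is the one step in this hunk whose failure should abort, so drop the suppression: `sudo ufw default deny incoming` and `sudo ufw default allow outgoing`. Both subcommands are idempotent and do not prompt, so neither `|| true` nor a yes-flag is needed; as far as I can tell `-y` is not among ufw's documented options, and if ufw rejects it the deny policy is never applied — worth verifying on the target release before relying on it. The allow rules are added before `--force enable`, which is the right order to keep the SSH session alive, and a comment such as `# allow 22/tcp before enabling, or the deploy session is cut off` would keep a future edit from reordering them.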