#!/usr/bin/env bash # Rebuild and restart sandod itself to a target commit. # # Runs as ROOT, invoked by the oneshot unit `sando-update@.service` (the # sha is the instance name, passed here as $1). sandod cannot do this itself: # it runs User=sando with NoNewPrivileges + ProtectSystem=strict, so it can # neither write /usr/local/bin/sandod nor restart its own service. sandod only # *triggers* this unit (authorized for the sando user by a scoped polkit rule); # the actual privileged work lives here. # # Build runs as the unprivileged build user (the sando user already carries a # rustup toolchain at /srv/sando/.cargo/bin); only the install + restart run as # root. The build uses a dedicated checkout, never the operator's dev tree. # # Config via environment (defaults shown), set in the unit or /etc/sando/sando.env: # SANDO_SELF_UPDATE_DIR /srv/sando/self-update build checkout parent (build-user-owned) # SANDO_UPSTREAM_URL git@ssh.makenot.work:max/makenotwork.git # SANDO_BUILD_USER sando # SANDO_BIN /usr/local/bin/sandod install destination set -euo pipefail SHA="${1:-}" if [[ ! "$SHA" =~ ^[0-9a-f]{7,40}$ ]]; then echo "sando-self-update: refusing non-hex sha: '$SHA'" >&2 exit 2 fi SELF_DIR="${SANDO_SELF_UPDATE_DIR:-/srv/sando/self-update}" UPSTREAM_URL="${SANDO_UPSTREAM_URL:-git@ssh.makenot.work:max/makenotwork.git}" BUILD_USER="${SANDO_BUILD_USER:-sando}" BIN="${SANDO_BIN:-/usr/local/bin/sandod}" REPO_DIR="$SELF_DIR/MNW" BUILD_HOME="$(getent passwd "$BUILD_USER" | cut -d: -f6)" echo "sando-self-update: building sandod @ $SHA as $BUILD_USER" # Fetch + checkout + build, all as the unprivileged build user. The clone is # created once; thereafter we just fetch the new sha. Detached checkout so the # dedicated tree never carries a branch to drift. install -d -o "$BUILD_USER" -g "$BUILD_USER" "$SELF_DIR" runuser -u "$BUILD_USER" -- env \ HOME="$BUILD_HOME" \ PATH="$BUILD_HOME/.cargo/bin:/usr/local/bin:/usr/bin:/bin" \ bash -euo pipefail -c " if [[ ! -d '$REPO_DIR/.git' ]]; then git clone '$UPSTREAM_URL' '$REPO_DIR' fi cd '$REPO_DIR' git fetch --prune origin git checkout --detach '$SHA' cd sando/daemon cargo build --release --locked " NEW_BIN="$REPO_DIR/sando/daemon/target/release/sandod" [[ -x "$NEW_BIN" ]] || { echo "sando-self-update: build produced no binary at $NEW_BIN" >&2; exit 3; } # Install + restart as root. install is atomic (writes a temp then renames), so # a concurrent exec of $BIN never sees a half-written file. echo "sando-self-update: installing $NEW_BIN -> $BIN and restarting sandod" install -m 0755 "$NEW_BIN" "$BIN" systemctl restart sandod echo "sando-self-update: done ($SHA live)"