diff --git a/scripts/80-app.sh b/scripts/80-app.sh
index bc4c587..257c4be 100644
--- a/scripts/80-app.sh
+++ b/scripts/80-app.sh
@@ -2,6 +2,50 @@
 set -euo pipefail
 source ./lib.sh
+# --- Helper: sicherer Frontend-Build als APP_USER ---------------------------
+safe_frontend_build() {
+ echo "[i] Frontend build …"
+
+ # Verzeichnisse & Rechte vorbereiten (Gruppen-sticky & ACL)
+ install -d -m 2775 -o "$APP_USER" -g "$APP_GROUP" \
+ "${APP_DIR}/public/build" "${APP_DIR}/node_modules" "${APP_DIR}/.npm-cache"
+
+ chown -R "$APP_USER":"$APP_GROUP" "${APP_DIR}"
+ find "${APP_DIR}" -type d -exec chmod 2775 {} \;
+ find "${APP_DIR}" -type f -exec chmod 664 {} \;
+ setfacl -R -m g:"$APP_GROUP":rwX -m d:g:"$APP_GROUP":rwX "${APP_DIR}" || true
+
+ # Vite-/Build-Reste bereinigen (falls mal root dort gebaut hat)
+ rm -rf "${APP_DIR}/node_modules/.vite" "${APP_DIR}/public/build/"* 2>/dev/null || true
+
+ # npm auf projektlokales Cache konfigurieren
+ sudo -u "$APP_USER" -H bash -lc "cat > ~/.npmrc <<'RC'
+fund=false
+audit=false
+prefer-offline=true
+cache=${APP_DIR}/.npm-cache
+RC"
+
+ # Node ggf. installieren
+ if ! command -v node >/dev/null 2>&1; then
+ curl -fsSL https://deb.nodesource.com/setup_22.x | bash -
+ apt-get install -y nodejs
+ fi
+
+ # Dependencies + Build (als App-User)
+ if sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && (npm ci --no-audit --no-fund || npm install --no-audit --no-fund) && npm run build"; then
+ return 0
+ fi
+
+ echo "[!] Build fehlgeschlagen – Rechtefix + Clean + Retry …"
+ rm -rf "${APP_DIR}/node_modules/.vite" "${APP_DIR}/public/build/"* 2>/dev/null || true
+ chown -R "$APP_USER":"$APP_GROUP" "${APP_DIR}"
+ find "${APP_DIR}" -type d -exec chmod 2775 {} \;
+ find "${APP_DIR}" -type f -exec chmod 664 {} \;
+
+ sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && npm run build"
+}
+
 relink_and_reload() {
 if [[ -d /etc/letsencrypt/renewal-hooks/deploy ]]; then
 run-parts /etc/letsencrypt/renewal-hooks/deploy || true
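Review bot: The retry path in safe_frontend_build runs `find "${APP_DIR}" -type f -exec chmod 664 {} \;` after `npm ci` has already populated node_modules and then calls `npm run build` without reinstalling, so the execute bit is likely stripped from the installed CLI entry points that node_modules/.bin links to and the retry fails on permissions instead of recovering. The same tree-wide chown/chmod/setfacl at the top of the helper also makes every file under `${APP_DIR}` group-writable and world-readable, including a Laravel `.env` if one lives at that root; if APP_GROUP is the PHP worker's group (not visible here), the web process can then modify application code. Restricting the helper's permission fix to the directories it creates itself (`public/build`, `node_modules`, `.npm-cache`) and leaving the rest to the closing permissions block of this script would avoid both problems. Falling back from `npm ci` to `npm install --no-audit --no-fund` when the lockfile does not match lets the build resolve and install a dependency set nobody reviewed; the same fallback appears in the frontend block of scripts/update.sh, and failing loudly with `npm ci --no-audit --no-fund && npm run build` is the safer default for a deployment script.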
@@ -247,20 +291,22 @@ sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && php artisan dns:tlsa:refresh |
 # --- Build Frontend (nur wenn nötig) ----------------------------------------
 if [[ -f "${APP_DIR}/package.json" && ! -f "${APP_DIR}/public/build/manifest.json" ]]; then
- if ! command -v node >/dev/null 2>&1; then
- curl -fsSL https://deb.nodesource.com/setup_22.x | bash -
- apt-get install -y nodejs
- fi
- sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && (npm ci --no-audit --no-fund || npm install)"
- sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && (npm run build || npx --yes vite build)"
+ safe_frontend_build
 fi
 # --- Abschluss: Caches + Rechte + Reloads -----------------------------------
-sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && php artisan optimize:clear && php artisan config:cache && php artisan optimize:clear"
+sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && php artisan optimize:clear && php artisan config:cache && php artisan optimize:clear"
+# Konsistente Rechte/ACL für das gesamte App-Verzeichnis
 chown -R "$APP_USER":"$APP_GROUP" "$APP_DIR"
-chmod -R u=rwX,g=rwX,o=rX "$APP_DIR"
-install -d -m 0775 -o "$APP_USER" -g "$APP_GROUP" "$APP_DIR/storage" "$APP_DIR/bootstrap/cache"
+find "$APP_DIR" -type d -exec chmod 2775 {} \;
+find "$APP_DIR" -type f -exec chmod 664 {} \;
+setfacl -R -m g:"$APP_GROUP":rwX -m d:g:"$APP_GROUP":rwX "$APP_DIR" || true
-#relink_and_reload
-#systemctl restart php*-fpm || true
+# Laravel-Write-Dirs sicherstellen (mit setgid & ACL)
+install -d -m 2775 -o "$APP_USER" -g "$APP_GROUP" "$APP_DIR/storage" "$APP_DIR/bootstrap/cache"
+chgrp -R www-data "$APP_DIR/storage" "$APP_DIR/bootstrap/cache" || true
+find "$APP_DIR/storage" "$APP_DIR/bootstrap/cache" -type d -exec chmod 2775 {} \; || true
+find "$APP_DIR/storage" "$APP_DIR/bootstrap/cache" -type f -exec chmod 0664 {} \; || true
+setfacl -R -m u:www-data:rwx,u:${APP_USER}:rwx "$APP_DIR/storage" "$APP_DIR/bootstrap/cache" || true
+setfacl -dR -m 
u:www-data:rwx,u:${APP_USER}:rwx "$APP_DIR/storage" "$APP_DIR/bootstrap/cache" || true
\ No newline at end of file
diff --git a/scripts/update.sh b/scripts/update.sh
index d46eab3..3d92338 100644
--- a/scripts/update.sh
+++ b/scripts/update.sh
@@ -7,6 +7,9 @@ APP_DIR="${APP_DIR:-/var/www/mailwolt}"
 BRANCH="${BRANCH:-main}" # nur relevant bei UPDATE_MODE=branch
 MODE="${UPDATE_MODE:-tags}" # tags | branch
 ALLOW_DIRTY="${ALLOW_DIRTY:-0}" # 1 = Dirty-Working-Tree zulassen
+export CI=1
+export NPM_CONFIG_FUND=false
+export NPM_CONFIG_AUDIT=false
 # -------- Helper --------
 as_app(){ sudo -u "$APP_USER" -H bash -lc "$*"; }
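Review bot: The new closing block's `find "$APP_DIR" -type f -exec chmod 664 {} \;` leaves every file in the app directory world-readable (664 is rw-rw-r--); for a Laravel `.env` at the root of `$APP_DIR`, which this layout suggests but the hunk does not show, that exposes the app key and database credentials to every local account, so follow the recursive fix with `[[ -f "$APP_DIR/.env" ]] && chmod 640 "$APP_DIR/.env"`. The two `setfacl` lines pass `u:${APP_USER}:rwx` unquoted while every other expansion in the hunk is quoted; `"u:www-data:rwx,u:${APP_USER}:rwx"` keeps it consistent. `chgrp -R www-data` hard-codes a group the rest of the script takes from `$APP_GROUP`, and with the setgid bit set one line later that group is what new files under storage/ will inherit, so the two should presumably agree. The file now also ends without a trailing newline, per the marker after the last setfacl line.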
@@ -137,10 +140,30 @@ if [[ $NEED_PHP_RESTART -eq 1 || $NEED_COMPOSER -eq 1 || $NEED_MIGRATIONS -eq 1
 as_app "cd ${APP_DIR} && php artisan optimize:clear || true"
 fi
+#if [[ $NEED_FRONTEND -eq 1 ]]; then
+# echo "[i] Frontend build …"
+# as_app "cd ${APP_DIR} && (npm ci --no-audit --no-fund || npm install)"
+# as_app "cd ${APP_DIR} && npm run build"
+#fi
+
+# -------- Frontend build (hardened) --------
 if [[ $NEED_FRONTEND -eq 1 ]]; then
- echo "[i] Frontend build …"
- as_app "cd ${APP_DIR} && (npm ci --no-audit --no-fund || npm install)"
- as_app "cd ${APP_DIR} && npm run build"
+ echo "[i] Frontend build (vite) …"
+
+ # Preflight: Schreibrechte sicherstellen
+ as_app "mkdir -p ${APP_DIR}/public/build ${APP_DIR}/node_modules ${APP_DIR}/.vite"
+ chown -R "$APP_USER":"$APP_GROUP" "${APP_DIR}/public/build" "${APP_DIR}/node_modules" "${APP_DIR}/.vite" || true
+ chmod -R g+rwX "${APP_DIR}/public/build" "${APP_DIR}/node_modules" "${APP_DIR}/.vite" || true
+
+ # Nicht-interaktive / leise npm-Runs
+ NPM_ENV="CI=1 NPM_CONFIG_FUND=false NPM_CONFIG_AUDIT=false npm_config_loglevel=warn"
+
+ echo "[i] npm ci …"
+ as_app "cd ${APP_DIR} && ${NPM_ENV} npm ci --no-audit --no-fund --loglevel=warn --no-progress || \
+ ${NPM_ENV} npm install --no-audit --no-fund --loglevel=warn --no-progress"
+
+ echo "[i] npm run build …"
+ as_app "cd ${APP_DIR} && ${NPM_ENV} npm run build --silent --loglevel=warn"
 fi
 # -------- Dienste nur wenn nötig --------
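Review bot: The three `export CI=1` / `NPM_CONFIG_FUND` / `NPM_CONFIG_AUDIT` lines added near the top of update.sh in the previous hunk will usually not reach the npm runs here, because `as_app` goes through `sudo -u … bash -lc` and sudo's default env_reset drops the caller's environment unless sudoers keeps those names; the inline `${NPM_ENV}` prefix in this hunk is what actually takes effect, so either drop the exports or add a comment saying why both exist, e.g. `# NPM_ENV is passed inline because sudo env_reset discards exported vars`. `npm run build --silent --loglevel=warn` passes two log-level settings that contradict each other (npm treats --silent as loglevel silent); keep one. The previous frontend block is retained above as commented-out code; remove it rather than carrying a second copy, since git history already preserves it. `as_app "mkdir -p ${APP_DIR}/public/build …"` interpolates `${APP_DIR}` unquoted into the inner shell's command line, unlike the quoted `"${APP_DIR}/public/build"` on the next line; it only matters if APP_DIR ever contains spaces or glob characters, but quoting it inside the string keeps the block consistent.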