#!/bin/bash set -e # ============================================================================= # Linux Patch Manager — Post-install script # ============================================================================= # Fully automated: apt install ./linux-patch-manager_X.X.X-1_amd64.deb # results in a running HTTPS service. The service generates and prints the # initial admin password to its journal on first startup. # # All steps are idempotent (safe to re-run on upgrade). # Migrations are handled by the application via sqlx on startup. # This script: system user, dirs, DB/role, config, JWT keys, CA + web TLS # cert, sqlx checksum repair (for upgrades from <= 1.1.7), services. # ============================================================================= RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m' CYAN='\033[0;36m' NC='\033[0m' info() { echo -e "${GREEN}[INFO]${NC} $*"; } warn() { echo -e "${YELLOW}[WARN]${NC} $*"; } error() { echo -e "${RED}[ERROR]${NC} $*" >&2; } DB_NAME="patch_manager" DB_USER="patch_manager" CONFIG_DIR="/etc/patch-manager" SERVICE_USER="patch-manager" # Secure temp file for passing the DB password between functions. # (Was a predictable, world-readable /tmp/.pm-db-password-new.) PM_TMP="$(umask 077 && mktemp /run/pm-postinst.XXXXXX)" cleanup() { rm -f "${PM_TMP}"; } trap cleanup EXIT # --------------------------------------------------------------------------- # PostgreSQL helpers — runuser instead of sudo (sudo is not guaranteed # to exist and is discouraged in maintainer scripts). # --------------------------------------------------------------------------- psql_run() { runuser -u postgres -- psql -v ON_ERROR_STOP=1 "$@" 2>/dev/null } psql_run_db() { runuser -u postgres -- psql -v ON_ERROR_STOP=1 -d "${DB_NAME}" "$@" 2>/dev/null } # --------------------------------------------------------------------------- # 1. Create service user (idempotent) # --------------------------------------------------------------------------- create_service_user() { if ! id "${SERVICE_USER}" &>/dev/null; then useradd --system --no-create-home --shell /usr/sbin/nologin \ --comment "Linux Patch Manager service account" "${SERVICE_USER}" info "Service user '${SERVICE_USER}' created." else info "Service user '${SERVICE_USER}' already exists." fi } # --------------------------------------------------------------------------- # 2. Create required directories (idempotent) # --------------------------------------------------------------------------- create_directories() { mkdir -p "${CONFIG_DIR}/ca" "${CONFIG_DIR}/certs" \ "${CONFIG_DIR}/jwt" "${CONFIG_DIR}/tls" \ /var/log/patch-manager /opt/patch-manager \ /var/backups/patch-manager chown -R "${SERVICE_USER}:${SERVICE_USER}" \ "${CONFIG_DIR}" /var/log/patch-manager /opt/patch-manager # Frontend assets stay root-owned and read-only: the service must not be # able to rewrite the JavaScript it serves (persistence vector if pm-web # is ever compromised). pm-web only reads these files. chown -R root:root /usr/share/patch-manager/frontend chmod -R a+rX /usr/share/patch-manager/frontend chmod 750 "${CONFIG_DIR}/ca" "${CONFIG_DIR}/jwt" chmod 700 /var/backups/patch-manager } # --------------------------------------------------------------------------- # 3. Wait for PostgreSQL to be ready (non-fatal failure is impossible here: # postgresql-16 is a hard dependency and its packaging starts the cluster, # but give it time on slow first boots). # --------------------------------------------------------------------------- wait_for_postgresql() { info "Waiting for PostgreSQL to be ready..." local i for ((i = 1; i <= 30; i++)); do if pg_isready -q 2>/dev/null; then info "PostgreSQL is ready." return 0 fi warn "PostgreSQL not ready yet (attempt ${i}/30), waiting 2s..." sleep 2 done error "PostgreSQL did not become ready after 60 seconds." return 1 } # --------------------------------------------------------------------------- # 4. Create PostgreSQL user, database, and grants (idempotent) # --------------------------------------------------------------------------- setup_database() { info "Setting up PostgreSQL database and user..." local db_password db_password=$(openssl rand -base64 48 | tr -dc 'A-Za-z0-9' | head -c 32) local role_exists role_exists=$(psql_run -t -A -c "SELECT 1 FROM pg_roles WHERE rolname='${DB_USER}'" 2>/dev/null || echo "") if [[ "${role_exists}" != "1" ]]; then psql_run -c "CREATE ROLE ${DB_USER} LOGIN PASSWORD '${db_password}';" info "PostgreSQL user '${DB_USER}' created." printf '%s' "${db_password}" > "${PM_TMP}" else info "PostgreSQL user '${DB_USER}' already exists." local config_file="${CONFIG_DIR}/config.toml" local existing_pw="" if [[ -f "${config_file}" ]]; then existing_pw=$(sed -n 's|^url = "postgres://[^:]*:\(.*\)@localhost.*"|\1|p' "${config_file}" | head -1) fi if [[ -n "${existing_pw}" && "${existing_pw}" != "CHANGEME" ]]; then psql_run -c "ALTER ROLE ${DB_USER} WITH PASSWORD '${existing_pw}';" 2>/dev/null || true printf '%s' "${existing_pw}" > "${PM_TMP}" info "Synced DB password from existing config to PostgreSQL." else psql_run -c "ALTER ROLE ${DB_USER} WITH PASSWORD '${db_password}';" 2>/dev/null || true printf '%s' "${db_password}" > "${PM_TMP}" info "Generated new DB password for existing user." fi fi local db_exists db_exists=$(psql_run -t -A -c "SELECT 1 FROM pg_database WHERE datname='${DB_NAME}'" 2>/dev/null || echo "") if [[ "${db_exists}" != "1" ]]; then psql_run -c "CREATE DATABASE ${DB_NAME} OWNER ${DB_USER};" info "Database '${DB_NAME}' created." else info "Database '${DB_NAME}' already exists, skipping creation." fi psql_run_db -c "CREATE EXTENSION IF NOT EXISTS pgcrypto;" 2>/dev/null || true psql_run_db -c "GRANT ALL PRIVILEGES ON SCHEMA public TO ${DB_USER};" 2>/dev/null || true psql_run_db -c "GRANT ALL PRIVILEGES ON DATABASE ${DB_NAME} TO ${DB_USER};" 2>/dev/null || true psql_run_db -c "ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA public GRANT ALL ON TABLES TO ${DB_USER};" 2>/dev/null || true psql_run_db -c "ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA public GRANT ALL ON SEQUENCES TO ${DB_USER};" 2>/dev/null || true psql_run_db -c "ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA public GRANT ALL ON FUNCTIONS TO ${DB_USER};" 2>/dev/null || true } # --------------------------------------------------------------------------- # 5. Repair sqlx migration checksums (upgrade from <= 1.1.7 only). # # Commit 4cac290 (v1.1.8) rewrote migrations 001/003/007/011/016 in place. # sqlx::migrate! validates the SHA-384 checksum recorded in _sqlx_migrations # against the embedded file on every startup, so any database migrated # before 1.1.8 fails with "migration N was previously applied but has been # modified" and pm-web crash-loops. # # The schema produced by old and new versions of these files is identical # (the rewrite only added IF-NOT-EXISTS guards), so it is safe to update the # recorded checksum to match the current embedded content. We only touch # rows whose checksum matches the known OLD value — fresh installs and # already-repaired databases are untouched. # # NEVER edit an applied migration again; append a new one instead. # --------------------------------------------------------------------------- repair_migration_checksums() { # Skip if the migrations table doesn't exist yet (fresh install). local has_table has_table=$(psql_run_db -t -A -c "SELECT to_regclass('public._sqlx_migrations') IS NOT NULL;" 2>/dev/null || echo "f") [[ "${has_table}" == "t" ]] || { info "No _sqlx_migrations table (fresh install) — checksum repair not needed."; return 0; } info "Checking for stale sqlx migration checksums (pre-1.1.8 databases)..." # version | old sha384 | new sha384 local repairs=( "1|3e7492a3fdedf177d0467b495717b1b3f75894cabbd57a8aa0a0fa2189bacb8832ce69f400356c5f717cc3cd87c47685|2828d99226ba5017e754a8a72bce4f7f6d5535172817c2ba90d8ea9b93ff488787ec840cf43cc0eca7e1f526c8a1c0ef" "3|097ed9107821f2de4dd3f18b1c1b25aa3110ca4134fe8c37b81049d064357266a8bae05e84edf163bb77a88335943640|e7b6d63f244764184f127234e5b7735c9ea9ee810bd465b06bc9c74370358b56061cec137b7afee91c5417211561164c" "7|f3218a5b94ae9e009655e66cd4808a7abebdfae81675bccfbb079567df192f95cd62eab3b6c4d60b06e8a7dcbb1d9297|95c087779e952333094e6d9e058aaa18dc8a898b480152ba7a6d780ccfd3c562525834ea49f19999b1266b0acb9b68e9" "11|5bb3dabf7caf0a7c31998e74b03b312d1867a948643084b9253acabe0388bc00831d2a157379eacae971298fa9bc481e|f07ac98ae905b9a9730ec302aafbcce3d56eacf80a8fb0904a9cfd0e7c36fdc38bb21129054d6f0765131ce6fa1cdc2e" "16|e5450925e570cbd522cf5edd6990f5e8e010466c494bc39484fcf72651037440083a104eea0d217d65c5625b91bfb514|11d77a7097fe3a212786c55cf5c0b64c44a792ce18ace665aec4336efee1544f41568c0ba4605b9daedbf4ac12e91e6f" ) local entry version old new updated for entry in "${repairs[@]}"; do IFS='|' read -r version old new <<< "${entry}" updated=$(psql_run_db -q -t -A -c \ "UPDATE _sqlx_migrations SET checksum = '\\x${new}'::bytea \ WHERE version = ${version} AND checksum = '\\x${old}'::bytea \ RETURNING version;" 2>/dev/null || echo "") if [[ -n "${updated}" ]]; then info "Repaired checksum for migration ${version}." fi done } # --------------------------------------------------------------------------- # 6. Write config.toml with DB URL # --------------------------------------------------------------------------- write_config() { local config_file="${CONFIG_DIR}/config.toml" local db_password="" [[ -s "${PM_TMP}" ]] && db_password=$(cat "${PM_TMP}") if [[ -f "${config_file}" ]]; then if grep -q 'CHANGEME' "${config_file}"; then if [[ -z "${db_password}" ]]; then db_password=$(openssl rand -base64 48 | tr -dc 'A-Za-z0-9' | head -c 32) psql_run -c "ALTER ROLE ${DB_USER} WITH PASSWORD '${db_password}';" 2>/dev/null || true fi info "Replacing CHANGEME placeholder in existing config with real DB password." sed -i "s|postgres://patch_manager:CHANGEME@localhost/patch_manager|postgres://${DB_USER}:${db_password}@localhost/${DB_NAME}|" "${config_file}" else info "Config file ${config_file} already exists with a real password, leaving it unchanged." return 0 fi else if [[ -z "${db_password}" ]]; then db_password=$(openssl rand -base64 48 | tr -dc 'A-Za-z0-9' | head -c 32) psql_run -c "ALTER ROLE ${DB_USER} WITH PASSWORD '${db_password}';" 2>/dev/null || true fi info "Writing configuration file..." cp /usr/share/patch-manager/config.example.toml "${config_file}" sed -i "s|postgres://patch_manager:CHANGEME@localhost/patch_manager|postgres://${DB_USER}:${db_password}@localhost/${DB_NAME}|" "${config_file}" fi chown "${SERVICE_USER}:${SERVICE_USER}" "${config_file}" chmod 640 "${config_file}" info "Configuration written to ${config_file}" } # --------------------------------------------------------------------------- # 7. Generate JWT keys (idempotent) # --------------------------------------------------------------------------- generate_jwt_keys() { if [[ ! -f "${CONFIG_DIR}/jwt/signing.pem" ]]; then info "Generating Ed25519 JWT signing key..." openssl genpkey -algorithm ed25519 -out "${CONFIG_DIR}/jwt/signing.pem" 2>/dev/null openssl pkey -in "${CONFIG_DIR}/jwt/signing.pem" -pubout -out "${CONFIG_DIR}/jwt/verify.pem" 2>/dev/null chown "${SERVICE_USER}:${SERVICE_USER}" "${CONFIG_DIR}/jwt/signing.pem" "${CONFIG_DIR}/jwt/verify.pem" chmod 600 "${CONFIG_DIR}/jwt/signing.pem" chmod 644 "${CONFIG_DIR}/jwt/verify.pem" info "JWT keys generated." elif [[ ! -f "${CONFIG_DIR}/jwt/verify.pem" ]]; then info "Regenerating missing JWT verification key from existing signing key..." openssl pkey -in "${CONFIG_DIR}/jwt/signing.pem" -pubout -out "${CONFIG_DIR}/jwt/verify.pem" 2>/dev/null chown "${SERVICE_USER}:${SERVICE_USER}" "${CONFIG_DIR}/jwt/verify.pem" chmod 644 "${CONFIG_DIR}/jwt/verify.pem" info "JWT verification key regenerated." else info "JWT keys already exist, skipping." fi } # --------------------------------------------------------------------------- # 8. Generate internal CA and CA-signed web TLS certificate (idempotent). # # This was previously only done by scripts/setup.sh, which the package does # not ship — so .deb installs had no /etc/patch-manager/tls/web.{crt,key}, # pm-web fell back to PLAIN HTTP on port 443, and the old HTTPS-only # health check could never pass. Generating these here makes the package # self-contained and HTTPS-by-default. # --------------------------------------------------------------------------- generate_tls_certs() { local ca_key="${CONFIG_DIR}/ca/ca.key" local ca_cert="${CONFIG_DIR}/ca/ca.crt" local tls_cert="${CONFIG_DIR}/tls/web.crt" local tls_key="${CONFIG_DIR}/tls/web.key" local tls_csr="${CONFIG_DIR}/tls/web.csr" if [[ ! -f "${ca_cert}" ]]; then info "Generating internal Certificate Authority (ECDSA P-256, 10-year validity)..." openssl ecparam -genkey -name prime256v1 -noout -out "${ca_key}" # Convert SEC1 → PKCS#8 (the Rust pm-ca crate only parses PKCS#8). openssl pkcs8 -topk8 -nocrypt -in "${ca_key}" -out "${ca_key}.tmp" && mv "${ca_key}.tmp" "${ca_key}" openssl req -new -x509 -key "${ca_key}" -out "${ca_cert}" \ -days 3650 \ -subj "/CN=Patch Manager Root CA/O=Patch Manager" \ -addext "basicConstraints=critical,CA:true" \ -addext "keyUsage=critical,keyCertSign,cRLSign" chown "${SERVICE_USER}:${SERVICE_USER}" "${ca_key}" "${ca_cert}" chmod 600 "${ca_key}" chmod 644 "${ca_cert}" info "Internal CA generated." else info "Internal CA already exists, skipping." fi if [[ ! -f "${tls_cert}" ]]; then info "Generating CA-signed web server certificate (valid 365 days)..." local fqdn short host_ip san fqdn=$(hostname -f 2>/dev/null || echo "localhost") short=$(hostname -s 2>/dev/null || echo "localhost") host_ip=$(ip -4 route get 1.1.1.1 2>/dev/null | awk '{print $7; exit}' || true) san="DNS:${fqdn},DNS:${short},DNS:localhost,IP:127.0.0.1,IP:::1" [[ -n "${host_ip}" ]] && san="${san},IP:${host_ip}" openssl ecparam -genkey -name prime256v1 -noout -out "${tls_key}" openssl req -new -key "${tls_key}" -out "${tls_csr}" \ -subj "/CN=${fqdn}/O=Patch Manager" \ -addext "subjectAltName=${san}" openssl x509 -req -in "${tls_csr}" -CA "${ca_cert}" -CAkey "${ca_key}" \ -CAcreateserial -days 365 -out "${tls_cert}" \ -extfile <(printf "subjectAltName=%s\nextendedKeyUsage=serverAuth\n" "${san}") rm -f "${tls_csr}" chown "${SERVICE_USER}:${SERVICE_USER}" "${tls_cert}" "${tls_key}" chmod 644 "${tls_cert}" chmod 600 "${tls_key}" info "CA-signed web server certificate generated for ${fqdn}." else info "TLS certificate already exists, skipping." fi } # --------------------------------------------------------------------------- # 9. Enable and start services # --------------------------------------------------------------------------- enable_and_start_services() { systemctl daemon-reload systemctl enable patch-manager.target 2>/dev/null || true systemctl enable patch-manager-web.service patch-manager-worker.service 2>/dev/null || true if systemctl is-active --quiet patch-manager.target 2>/dev/null; then info "Restarting patch-manager services (upgrade)..." systemctl restart patch-manager.target 2>/dev/null || true else info "Starting patch-manager services..." systemctl start patch-manager.target 2>/dev/null || true fi } # --------------------------------------------------------------------------- # 10. Verify the service came up — ADVISORY ONLY, never fails the install. # A failed probe prints diagnostics instead of leaving dpkg half-configured. # --------------------------------------------------------------------------- report_service_status() { info "Waiting up to 30s for pm-web to come up (migrations run on startup)..." local i for ((i = 1; i <= 30; i++)); do if curl -skf https://localhost:443/ >/dev/null 2>&1 || \ curl -skf https://localhost:8443/ >/dev/null 2>&1 || \ curl -sf http://localhost:443/ >/dev/null 2>&1 || \ curl -sf http://localhost:8443/ >/dev/null 2>&1; then echo "" echo -e "${CYAN}=================================================================${NC}" echo -e "${GREEN} Linux Patch Manager is up.${NC}" echo "" echo -e " Web UI: ${GREEN}https://$(hostname -f 2>/dev/null || echo localhost)/${NC}" echo -e " Username: ${GREEN}admin${NC}" echo -e " Password: generated on first startup — retrieve it with:" echo -e " ${YELLOW}journalctl -u patch-manager-web | grep -A2 'INITIAL ADMIN PASSWORD' | tail -3${NC}" echo "" echo -e " You will be forced to change it on first login." echo -e " The internal CA cert (for trusting the web UI) is at:" echo -e " ${CONFIG_DIR}/ca/ca.crt" echo -e "${CYAN}=================================================================${NC}" echo "" return 0 fi sleep 1 done warn "pm-web did not respond within 30s. The install itself succeeded;" warn "the service may still be starting, or it may have failed. Check:" warn " systemctl status patch-manager-web.service" warn " journalctl -u patch-manager-web -n 50" return 0 } # --------------------------------------------------------------------------- # 11. Install backup cron (idempotent) # --------------------------------------------------------------------------- install_backup_cron() { if ! crontab -l 2>/dev/null | grep -qF "backup.sh"; then (crontab -l 2>/dev/null; echo "0 2 * * * /usr/local/bin/backup.sh >> /var/log/patch-manager/backup.log 2>&1") | crontab - info "Nightly backup cron installed." fi } # ============================================================================= # Main # ============================================================================= case "$1" in configure) create_service_user create_directories wait_for_postgresql setup_database repair_migration_checksums write_config generate_jwt_keys generate_tls_certs enable_and_start_services report_service_status install_backup_cron info "Linux Patch Manager installation complete." ;; abort-upgrade|abort-remove|abort-deconfigure) ;; *) echo "postinst called with unknown argument \`$1'" >&2 ;; esac exit 0