Micha/homelab-infra
1
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Write Prometheus textfile and Gitea bundles world-readable

Browse Source 
node-exporter runs as nobody:65534 inside its container and was
hitting node_textfile_scrape_error 1 on homelab.prom, because the
file was 0600 root:root (mktemp default). Set it to 0644 right
before the atomic mv. Bundle inhaltsidentisch zum Git-Repo, ohne
Secrets (.gitignore-abgedeckt) und nicht sensibler als die
uebrigen /mnt/user/backups/borg/dumps/latest/*.dump-Files, die
ebenfalls 0644 sind. So funktioniert auch der Nearline-Pull-Workflow
ueber SMB (docs/H_DRIVE_NEARLINE_PULL.md).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Micha
2026-05-27 20:41:07 +02:00
parent 0723eccca1
commit 0ae44bd797
2 changed files with 13 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ops/borg-ui/scripts/gitea-bundle-mirror.sh
+10 -4
View File
@@ -4,6 +4,12 @@ set -eu
# Run this on the Unraid host. It creates verified git bundles for every bare
# Gitea repository so a Gitea outage does not make repo bootstrap depend on the
# Gitea application database.
#
# Bundles and their sha256 sidecars are written 0644 on purpose, so the
# Nearline-Pull-Workflow (docs/H_DRIVE_NEARLINE_PULL.md) kann sie ueber den
# SMB-Read-Share holen. Bundle-Inhalt = Git-Historie ohne Secrets (durch
# .gitignore abgedeckt) und nicht sensibler als die uebrigen Dumps unter
# /mnt/user/backups/borg/dumps/latest/, die ebenfalls 0644 sind.
SOURCE_ROOT="${SOURCE_ROOT:-/mnt/user/services/gitea/data/git/repositories}"
BUNDLE_ROOT="${BUNDLE_ROOT:-/mnt/user/backups/git-bundles/gitea}"
@@ -87,10 +93,10 @@ main() {
if git --git-dir="$repo" bundle create "$tmp" --all >/dev/null 2>&1 &&
git --git-dir="$repo" bundle verify "$tmp" >/dev/null 2>&1; then
chmod 600 "$tmp"
chmod 644 "$tmp"
rm -f "$target_tmp"
cp "$tmp" "$target_tmp"
chmod 600 "$target_tmp"
chmod 644 "$target_tmp"
mv "$target_tmp" "$target"
rm -f "$tmp"
git --git-dir="$repo" bundle verify "$target" >/dev/null 2>&1
@@ -98,7 +104,7 @@ main() {
cd "$target_dir"
sha256sum "$(basename "$target")" > "$(basename "$target").sha256.tmp"
)
chmod 600 "$target.sha256.tmp"
chmod 644 "$target.sha256.tmp"
mv "$target.sha256.tmp" "$target.sha256"
size_bytes="$(wc -c < "$target" | tr -d ' ')"
printf '%s\t%s\t%s\t%s\n' "$RUN_ID" "$rel" "${target#$BUNDLE_ROOT/}" "$size_bytes" >> "$manifest_tmp"
@@ -136,7 +142,7 @@ main() {
fi
} > "$report_tmp"
chmod 600 "$report_tmp" "$manifest_tmp"
chmod 644 "$report_tmp" "$manifest_tmp"
mv "$report_tmp" "$REPORT_PATH"
mv "$manifest_tmp" "$MANIFEST_PATH"
services/posture-check/export-prometheus-textfile.sh
+3
View File
@@ -104,6 +104,9 @@ PY
fi
} > "$tmp"
# 0644 statt mktemp-default 0600, damit der node-exporter-Textfile-Collector
# (laeuft als nobody:65534) die Datei lesen kann.
chmod 644 "$tmp"
mv "$tmp" "$OUTPUT_FILE"
trap - EXIT