From 0ae44bd797bdd8e48e6d9400782fcab58aeeca8f Mon Sep 17 00:00:00 2001
From: Micha
Date: Wed, 27 May 2026 20:41:07 +0200
Subject: [PATCH] Write Prometheus textfile and Gitea bundles world-readable
node-exporter runs as nobody:65534 inside its container and was hitting node_textfile_scrape_error 1 on homelab.prom, because the file was 0600 root:root (mktemp default). Set it to 0644 right before the atomic mv. Bundle inhaltsidentisch zum Git-Repo, ohne Secrets (.gitignore-abgedeckt) und nicht sensibler als die uebrigen /mnt/user/backups/borg/dumps/latest/*.dump-Files, die ebenfalls 0644 sind. So funktioniert auch der Nearline-Pull-Workflow ueber SMB (docs/H_DRIVE_NEARLINE_PULL.md).
Co-Authored-By: Claude Opus 4.7
---
ops/borg-ui/scripts/gitea-bundle-mirror.sh | 14 ++++++++++----
.../posture-check/export-prometheus-textfile.sh | 3 +++
2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/ops/borg-ui/scripts/gitea-bundle-mirror.sh b/ops/borg-ui/scripts/gitea-bundle-mirror.sh
index 44e86df..c8d8cfe 100644
--- a/ops/borg-ui/scripts/gitea-bundle-mirror.sh
+++ b/ops/borg-ui/scripts/gitea-bundle-mirror.sh
@@ -4,6 +4,12 @@ set -eu
 # Run this on the Unraid host. It creates verified git bundles for every bare
 # Gitea repository so a Gitea outage does not make repo bootstrap depend on the
 # Gitea application database.
+#
+# Bundles and their sha256 sidecars are written 0644 on purpose, so the
+# Nearline-Pull-Workflow (docs/H_DRIVE_NEARLINE_PULL.md) kann sie ueber den
+# SMB-Read-Share holen. Bundle-Inhalt = Git-Historie ohne Secrets (durch
+# .gitignore abgedeckt) und nicht sensibler als die uebrigen Dumps unter
+# /mnt/user/backups/borg/dumps/latest/, die ebenfalls 0644 sind.
 SOURCE_ROOT="${SOURCE_ROOT:-/mnt/user/services/gitea/data/git/repositories}"
 BUNDLE_ROOT="${BUNDLE_ROOT:-/mnt/user/backups/git-bundles/gitea}"
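Review bot: The new header comment justifies the 0644 mode with "Git-Historie ohne Secrets (durch .gitignore abgedeckt)", but .gitignore only keeps untracked files out of future commits; anything committed before it was ignored stays in the history and therefore in every bundle, so the comment overstates what the ignore file guarantees. The comment also switches from English to German mid-sentence ("...written 0644 on purpose, so the Nearline-Pull-Workflow ... kann sie ueber den SMB-Read-Share holen") while the rest of the header is English. Consider stating the real assumption in one language, e.g. `# 0644 assumes no repository ever had a secret committed (not just in the working tree); every reader of the SMB share gets the full history.` Who can actually read the bundles is bounded by the permissions of BUNDLE_ROOT and the share, which the comment may want to name as well.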
@@ -87,10 +93,10 @@ main() {
 if git --git-dir="$repo" bundle create "$tmp" --all >/dev/null 2>&1 && git --git-dir="$repo" bundle verify "$tmp" >/dev/null 2>&1; then
- chmod 600 "$tmp"
+ chmod 644 "$tmp"
 rm -f "$target_tmp"
 cp "$tmp" "$target_tmp"
- chmod 600 "$target_tmp"
+ chmod 644 "$target_tmp"
 mv "$target_tmp" "$target"
 rm -f "$tmp"
 git --git-dir="$repo" bundle verify "$target" >/dev/null 2>&1
@@ -98,7 +104,7 @@ main() {
 cd "$target_dir"
 sha256sum "$(basename "$target")" > "$(basename "$target").sha256.tmp"
 )
- chmod 600 "$target.sha256.tmp"
+ chmod 644 "$target.sha256.tmp"
 mv "$target.sha256.tmp" "$target.sha256"
 size_bytes="$(wc -c < "$target" | tr -d ' ')"
 printf '%s\t%s\t%s\t%s\n' "$RUN_ID" "$rel" "${target#$BUNDLE_ROOT/}" "$size_bytes" >> "$manifest_tmp"
@@ -136,7 +142,7 @@ main() {
 fi
 } > "$report_tmp"
- chmod 600 "$report_tmp" "$manifest_tmp"
+ chmod 644 "$report_tmp" "$manifest_tmp"
 mv "$report_tmp" "$REPORT_PATH"
 mv "$manifest_tmp" "$MANIFEST_PATH"
diff --git a/services/posture-check/export-prometheus-textfile.sh b/services/posture-check/export-prometheus-textfile.sh
index b6b2740..d72be19 100755
--- a/services/posture-check/export-prometheus-textfile.sh
+++ b/services/posture-check/export-prometheus-textfile.sh
@@ -104,6 +104,9 @@ PY
 fi
 } > "$tmp"
+# 0644 statt mktemp-default 0600, damit der node-exporter-Textfile-Collector
+# (laeuft als nobody:65534) die Datei lesen kann.
+chmod 644 "$tmp"
 mv "$tmp" "$OUTPUT_FILE"
 trap - EXIT
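Review bot: The first `chmod 644 "$tmp"` in this hunk widens the scratch bundle (presumably a mktemp file in a shared temp directory) before it has been copied under BUNDLE_ROOT, and it has no effect on the final mode, because `chmod 644 "$target_tmp"` two lines later sets it again after `cp`; leaving that first line as `chmod 600 "$tmp"` keeps the bundle private until it is in place and changes nothing else. The same 600→644 change is made in the next two hunks for the .sha256 sidecar and for `$report_tmp`/`$manifest_tmp`, which is consistent, but the effective exposure is decided by the directories above them — a 0644 file under a 0700 directory is still unreadable to the share account, and the script does not check the directory modes it relies on. A short comment at the first chmod, `# 0644: readable via the SMB read share; the parent dirs must be traversable too`, would record that dependency where the mode is set. main() starts and ends outside all three hunks.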