Adds safe-reboot and safe-shutdown, removes all .sh extensions to scripts

2026-05-21 21:09:34 +02:00
parent f806bda21b
commit 9929a7055b
38 changed files with 91 additions and 44 deletions
@@ -3,4 +3,4 @@ Description=Copies the music from Nextcloud to Navidrome

 [Service]
 Type=oneshot
-ExecStart=/root/scripts/copy-music.sh
+ExecStart=/root/scripts/copy-music
@@ -3,4 +3,4 @@ Description=Move the completed torrents and jdownloader downloads to nextcloud

 [Service]
 Type=oneshot
-ExecStart=/root/scripts/move-downloads-nextcloud.sh
+ExecStart=/root/scripts/move-downloads-nextcloud
@@ -1 +1 @@
-homeassistant ALL=(ALL) NOPASSWD: /sbin/poweroff, /sbin/reboot, /sbin/shutdown
+homeassistant ALL=(ALL) NOPASSWD: /opt/bin/safe-reboot, /opt/bin/safe-shutdown
@@ -3,4 +3,4 @@ Description=Runs rclone to copy the NAS content to the parents NAS

 [Service]
 Type=oneshot
-ExecStart=/usr/bin/flock -n /run/rclone-parents.lock /root/scripts/rclone-parents.sh
+ExecStart=/usr/bin/flock -n /run/rclone-parents.lock /root/scripts/rclone-parents
@@ -0,0 +1,4 @@
+[Journal]
+SystemMaxUse=256M    # Maximum total journal size
+RuntimeMaxUse=128M   # Maximum journal size in temporary storage
+MaxFileSec=1month    # Maximum time to retain log files
@@ -0,0 +1,11 @@
+#!/bin/bash
+set -o errexit -o pipefail -o noclobber -o nounset -o errtrace -o functrace
+
+users=(arr gitea homeassistant immich jdownloader kiwix komga navidrome nextcloud nginx pairdrop paperless pihole qbittorrent synapse wallabag)
+for user in "${users[@]}"; do
+  readarray -t units <<< "$(systemctl --user -M "${user}@" list-units | grep container | grep running | grep service | awk '{print $1}')" || true
+  if [[ "${#units[@]}" -gt 0 && -n "${units[0]:-}" ]]; then
+    systemctl --user -M "${user}@" stop "${units[@]}"
+  fi
+done
+systemctl reboot
@@ -0,0 +1,12 @@
+#!/bin/bash
+set -o errexit -o pipefail -o noclobber -o nounset -o errtrace -o functrace
+
+users=(arr gitea homeassistant immich jdownloader kiwix komga navidrome nextcloud nginx pairdrop paperless pihole qbittorrent synapse wallabag)
+for user in "${users[@]}"; do
+  readarray -t units <<< "$(systemctl --user -M "${user}@" list-units | grep container | grep running | grep service | awk '{print $1}')" || true
+  if [[ "${#units[@]}" -gt 0 && -n "${units[0]:-}" ]]; then
+    systemctl --user -M "${user}@" stop "${units[@]}"
+  fi
+done
+
+systemctl poweroff
@@ -6,7 +6,7 @@ ConditionPathExists=!/var/lib/configure-firewalld

 [Service]
 Type=oneshot
-ExecStart=/opt/bin/configure-firewalld.sh
+ExecStart=/opt/bin/configure-firewalld
 ExecStartPost=/usr/bin/touch /var/lib/configure-firewalld
 RemainAfterExit=true

@@ -11,7 +11,7 @@ for user in "${users[@]}"; do
  chown -R "${user}:${user}" "/var/home/${user}"
  secrets_file="/var/home/${user}/.secrets"
  if [[ -f "${secrets_file}" ]];then
-    sudo -u "${user}" /opt/bin/add-secrets.sh "${secrets_file}"
+    sudo -u "${user}" /opt/bin/add-secrets "${secrets_file}"
  fi
  systemctl --user -M "${user}@" daemon-reload
  systemctl --user -M "${user}@" enable --now  "podman-auto-update.timer" || true
@@ -38,6 +38,6 @@ systemctl --user -M "wallabag@" enable "backup-database.timer"

 systemctl enable --now "podman-auto-update.timer" || true

-/opt/bin/add-secrets.sh /root/.secrets
+/opt/bin/add-secrets /root/.secrets
 systemctl daemon-reload
 systemctl start samba.service
@@ -7,7 +7,7 @@ ConditionPathExists=!/var/lib/quadlets-enabled

 [Service]
 Type=oneshot
-ExecStart=/opt/bin/enable-all-quadlets.sh
+ExecStart=/opt/bin/enable-all-quadlets
 ExecStartPost=/usr/bin/touch /var/lib/quadlets-enabled
 RemainAfterExit=true

@@ -30,6 +30,13 @@ passwd:
        - wheel
    - name: zero
 storage:
+  directories:
+    - path: /etc/systemd/journald.conf.d
+      mode: 0755
+      user:
+        name: root
+      group:
+        name: root
  disks:
    - device: /dev/disk/by-id/ata-WDC_WD120EFBX-68B0EN0_5QKYB19B
      wipe_table: false
@@ -62,21 +69,29 @@ storage:
        - compress=zstd:3
      with_mount_unit: true
  files:
-    - path: /opt/bin/enable-all-quadlets.sh
+    - path: /opt/bin/enable-all-quadlets
      contents:
-        local: init/enable-all-quadlets.sh
+        local: init/enable-all-quadlets
      mode: 0755
-    - path: /opt/bin/configure-firewalld.sh
+    - path: /opt/bin/configure-firewalld
      contents:
-        local: init/configure-firewalld.sh
+        local: init/configure-firewalld
      mode: 0755
-    - path: /opt/bin/add-secrets.sh
+    - path: /opt/bin/add-secrets
      contents:
-        local: files/add-secrets.sh
+        local: files/add-secrets
      mode: 0755
-    - path: /opt/bin/backup-postgres.sh
+    - path: /opt/bin/backup-postgres
      contents:
-        local: files/backup-postgres.sh
+        local: files/backup-postgres
+      mode: 0755
+    - path: /opt/bin/safe-reboot
+      contents:
+        local: files/safe-reboot
+      mode: 0755
+    - path: /opt/bin/safe-shutdown
+      contents:
+        local: files/safe-shutdown
      mode: 0755
    - path: /etc/containers/systemd/samba.container
      contents:
@@ -85,18 +100,18 @@ storage:
      mode: 0600
      contents:
        local: /home/root/.secrets
-    - path: /root/scripts/move-downloads-nextcloud.sh
+    - path: /root/scripts/move-downloads-nextcloud
      mode: 0755
      contents:
-        local: /home/root/move-downloads-nextcloud.sh
-    - path: /root/scripts/rclone-parents.sh
+        local: /home/root/move-downloads-nextcloud
+    - path: /root/scripts/rclone-parents
      mode: 0755
      contents:
-        local: /home/root/rclone-parents.sh
-    - path: /root/scripts/copy-music.sh
+        local: /home/root/rclone-parents
+    - path: /root/scripts/copy-music
      mode: 0755
      contents:
-        local: /home/root/copy-music.sh
+        local: /home/root/copy-music
    - path: /etc/ssh/sshd_config.d/99-custom
      mode: 0644
      contents:
@@ -106,6 +121,11 @@ storage:
      overwrite: true
      contents:
        local: files/smartd.conf
+    - path: /etc/systemd/journald.conf.d/rotation.conf
+      mode: 0644
+      overwrite: true
+      contents:
+        local: files/rotation.conf
    - path: /etc/sudoers.d/99-poweroff
      mode: 0644
      contents:
@@ -8,7 +8,7 @@ Requires=wallabag-redis.container
 [Container]
 AutoUpdate=registry
 ContainerName=wallabag
-Entrypoint=/custom-entrypoint.sh
+Entrypoint=/custom-entrypoint
 Environment=POSTGRES_DB=wallabag
 Environment=POSTGRES_USER=wallabag
 Environment=SYMFONY__ENV__DATABASE_DRIVER=pdo_pgsql
@@ -35,7 +35,7 @@ StartWithPod=true
 Timezone=Europe/Zurich
 Volume=wallabag-data.volume:/var/www/wallabag/data
 Volume=wallabag-images.volume:/var/www/wallabag/web/assets/images
-Volume=/var/mnt/nas/containers/wallabag/storage/custom-entrypoint.sh:/custom-entrypoint.sh
+Volume=/var/mnt/nas/containers/wallabag/storage/custom-entrypoint:/custom-entrypoint

 [Service]
 Restart=always
@@ -3,4 +3,4 @@ Description=Backups the Gitea database

 [Service]
 Type=oneshot
-ExecStart=/opt/bin/backup-postgres.sh
+ExecStart=/opt/bin/backup-postgres
@@ -3,4 +3,4 @@ Description=Backups the Immich database

 [Service]
 Type=oneshot
-ExecStart=/opt/bin/backup-postgres.sh
+ExecStart=/opt/bin/backup-postgres
@@ -3,4 +3,4 @@ Description=Backups the Nextcloud database

 [Service]
 Type=oneshot
-ExecStart=/opt/bin/backup-postgres.sh
+ExecStart=/opt/bin/backup-postgres
@@ -3,4 +3,4 @@ Description=Pre-generates previews for Nextcloud

 [Service]
 Type=oneshot
-ExecStart=/var/home/nextcloud/pre-generate-preview.sh
+ExecStart=/var/home/nextcloud/pre-generate-preview
@@ -3,4 +3,4 @@ Description=Backups the paperless database

 [Service]
 Type=oneshot
-ExecStart=/opt/bin/backup-postgres.sh
+ExecStart=/opt/bin/backup-postgres
@@ -3,4 +3,4 @@ Description=Update the unbound root hints

 [Service]
 Type=oneshot
-ExecStart=/var/home/pihole/update-hints.sh
+ExecStart=/var/home/pihole/update-hints
@@ -3,4 +3,4 @@ Description=Update the unbound root entries

 [Service]
 Type=oneshot
-ExecStart=/var/home/pihole/update-root.sh
+ExecStart=/var/home/pihole/update-root
@@ -3,4 +3,4 @@ Description=Backups the Synapse database

 [Service]
 Type=oneshot
-ExecStart=/opt/bin/backup-postgres.sh
+ExecStart=/opt/bin/backup-postgres
@@ -3,4 +3,4 @@ Description=Update the DynDns entries

 [Service]
 Type=oneshot
-ExecStart=/var/home/tga/dyndns.sh
+ExecStart=/var/home/tga/dyndns
@@ -3,4 +3,4 @@ Description=Backups the Wallabag database

 [Service]
 Type=oneshot
-ExecStart=/opt/bin/backup-postgres.sh
+ExecStart=/opt/bin/backup-postgres
@@ -183,10 +183,10 @@ storage:
        name: nextcloud
      group:
        name: nextcloud
-    - path: /var/home/nextcloud/pre-generate-preview.sh
+    - path: /var/home/nextcloud/pre-generate-preview
      mode: 0755
      contents:
-        local: home/nextcloud/pre-generate-preview.sh
+        local: home/nextcloud/pre-generate-preview
      user:
        name: nextcloud
      group:
@@ -205,18 +205,18 @@ storage:
        name: pihole
      group:
        name: pihole
-    - path: /var/home/pihole/update-hints.sh
+    - path: /var/home/pihole/update-hints
      mode: 0755
      contents:
-        local: home/pihole/update-hints.sh
+        local: home/pihole/update-hints
      user:
        name: pihole
      group:
        name: pihole
-    - path: /var/home/pihole/update-root.sh
+    - path: /var/home/pihole/update-root
      mode: 0755
      contents:
-        local: home/pihole/update-root.sh
+        local: home/pihole/update-root
      user:
        name: pihole
      group:
@@ -29,10 +29,10 @@ storage:
        name: tga
      group:
        name: tga
-    - path: /var/home/tga/dyndns.sh
+    - path: /var/home/tga/dyndns
      mode: 0755
      contents:
-        local: home/tga/dyndns.sh
+        local: home/tga/dyndns
      user:
        name: tga
      group:
@@ -89,10 +89,10 @@ storage:
        name: wallabag
      group:
        name: wallabag
-    - path: /var/home/wallabag/custom-entrypoint.sh
+    - path: /var/home/wallabag/custom-entrypoint
      mode: 0755
      contents:
-        local: home/wallabag/custom-entrypoint.sh
+        local: home/wallabag/custom-entrypoint
      user:
        name: wallabag
      group: