deploy.sh: chown only pipekit.db, not the whole repo
Avoids stripping write access from the developer. The service only needs to own pipekit.db (runtime writes) and .venv (created as pipekit). Source code stays owned by whoever ran deploy.sh. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
f32706be01
commit
a3ff5337ee
19
deploy.sh
19
deploy.sh
@ -80,9 +80,16 @@ fi
|
||||
|
||||
# ── 3. Ownership ──────────────────────────────────────────────────────────────
|
||||
step "File ownership and permissions"
|
||||
echo " Setting $REPO_DIR → $SERVICE_NAME:$SERVICE_NAME (group-writable)"
|
||||
chown -R "$SERVICE_NAME:$SERVICE_NAME" "$REPO_DIR"
|
||||
chmod -R g+w "$REPO_DIR"
|
||||
# Only chown what the service needs to write at runtime.
|
||||
# Source code stays owned by the invoking user.
|
||||
DB_FILE="$REPO_DIR/pipekit.db"
|
||||
if [ -f "$DB_FILE" ]; then
|
||||
echo " $DB_FILE → $SERVICE_NAME"
|
||||
chown "$SERVICE_NAME:$SERVICE_NAME" "$DB_FILE"
|
||||
else
|
||||
echo " $DB_FILE not yet created (pipekit init will create it as $SERVICE_NAME)"
|
||||
fi
|
||||
echo " $VENV_DIR → $SERVICE_NAME (created/managed below)"
|
||||
echo " Done."
|
||||
|
||||
# ── 4. Venv + deps ────────────────────────────────────────────────────────────
|
||||
@ -135,6 +142,12 @@ fi
|
||||
|
||||
# ── 7. Schema init ────────────────────────────────────────────────────────────
|
||||
step "Database schema"
|
||||
DB_FILE="$REPO_DIR/pipekit.db"
|
||||
if [ ! -f "$DB_FILE" ]; then
|
||||
echo " Creating $DB_FILE owned by $SERVICE_NAME"
|
||||
touch "$DB_FILE"
|
||||
chown "$SERVICE_NAME:$SERVICE_NAME" "$DB_FILE"
|
||||
fi
|
||||
echo " Running pipekit init"
|
||||
sudo -u "$SERVICE_NAME" HOME=/nonexistent "$LAUNCHER" init
|
||||
echo " Done."
|
||||
|
||||
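Review bot: The new `touch "$DB_FILE"` followed by `chown` in the schema-init hunk leaves the database with whatever mode root's umask yields (commonly 0644), and the existing-file branch of the ownership hunk never sets a mode either, so the file stays readable by every local account; a `chmod 0640 "$DB_FILE"` after each of the two chown lines limits it to the service account and its group. Dropping `chmod -R g+w "$REPO_DIR"` also means the service no longer has write access to the directory that holds pipekit.db, and if that file is a SQLite database (the name and `pipekit init` suggest so, but the page does not show it) the service must be able to create the `-journal`/`-wal` side files next to it, so writes may fail on a fresh deploy; worth confirming against pipekit's storage layer or placing the DB in a service-owned data directory. The `[ -f "$DB_FILE" ]` else-branch message says pipekit init will create the file, while the later hunk creates it with `touch` before init runs, so one of the two should be reworded. On hosts deployed with the previous version the recursive chown has already been applied, so "source code stays owned by the invoking user" only holds for fresh checkouts unless the script also resets ownership.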