refactor(install): simplify permissions and service setup

PromiseFru · PromiseFru · commit b194d40b7261 · 2026-04-16T16:23:48.000+01:00
diff --git a/INSTALL.md b/INSTALL.md
@@ -1,47 +1,63 @@
 # Installation Guide
 
-## Install Dependencies
+## Automated Installation
+
+```bash
+sudo ./install.sh
+```
+
+This will:
+
+- Install system dependencies
+- Clone repository to `/opt/relaysms/relaysms-vault`
+- Setup Python virtualenv
+- Compile gRPC protos
+- Download platform configurations
+- Generate security keys
+- Install and enable systemd services
+
+## Manual Installation
+
+### Install Dependencies
 
 ```bash
 sudo apt update
 sudo apt install -y python3 python3-pip python3-venv python3-dev \
-    libmysqlclient-dev git curl make openssl gettext-base
+    libmysqlclient-dev git curl make openssl
 ```
 
-## Clone Repository
+### Clone Repository
 
 ```bash
-sudo mkdir -p /opt/relaysms
 sudo git clone https://github.com/smswithoutborders/RelaySMS-Vault.git \
     /opt/relaysms/relaysms-vault
 cd /opt/relaysms/relaysms-vault
-sudo chown -R $USER:$USER /opt/relaysms/relaysms-vault
 ```
 
-## Setup Python Environment
+### Setup Python Environment
 
 ```bash
 python3 -m venv venv
 venv/bin/pip install --upgrade pip
 venv/bin/pip install -r requirements.txt
 ```
 
-## Build Application
+### Build Application
 
 ```bash
-source venv/bin/activate && make grpc-compile
-source venv/bin/activate && make download-platforms
+source venv/bin/activate
+make grpc-compile
+make download-platforms
 ```
 
-## Configure Environment
+### Configure Environment
 
 ```bash
 cp template.env .env
-# Edit .env as needed
 vim .env
 ```
 
-## Generate Security Keys
+### Generate Security Keys
 
 ```bash
 mkdir -p keys
@@ -51,119 +67,55 @@ openssl rand -base64 32 > keys/pepper.key
 openssl rand -base64 32 > keys/signing.key
 chmod 700 keys
 chmod 600 keys/*.key
+chmod 600 .env
 ```
 
-## Create Data Directory
+### Initialize Runtime
 
 ```bash
 mkdir -p data
-```
-
-## Runtime Setup
-
-```bash
-venv/bin/activate && set -a && source .env && set +a && make runtime-setup
+set -a && source .env && set +a
+make runtime-setup
 ```
 
 ### Install Services
 
 ```bash
-# Substitute user and group in service files
-export USER=$USER
-export GROUP=$(id -gn)
-for service in relaysms-vault.target relaysms-vault-rest.service relaysms-vault-grpc.service relaysms-vault-grpc-internal.service; do
-    envsubst < $service | sudo tee /etc/systemd/system/$service > /dev/null
-done
+sudo cp relaysms-vault.target relaysms-vault-*.service /etc/systemd/system/
 sudo systemctl daemon-reload
 sudo systemctl enable relaysms-vault.target
 ```
 
-### Set Permissions
-
-```bash
-sudo chown -R $USER:$USER /opt/relaysms/relaysms-vault
-chmod -R 750 /opt/relaysms/relaysms-vault
-chmod 700 /opt/relaysms/relaysms-vault/keys
-chmod 600 /opt/relaysms/relaysms-vault/keys/*.key
-chmod 600 /opt/relaysms/relaysms-vault/.env
-```
-
-### Start Services
+## Service Management
 
 ```bash
-sudo systemctl start relaysms-vault.target
+./manage.sh start       # Start all services
+./manage.sh stop        # Stop all services
+./manage.sh restart     # Restart all services
+./manage.sh status      # Check status
+./manage.sh logs        # View logs
+./manage.sh enable      # Enable on boot
+./manage.sh disable     # Disable on boot
+./manage.sh update      # Update installation
+./manage.sh uninstall   # Remove installation
 ```
 
-## Service Architecture
-
-- `relaysms-vault.target` - Main coordination target
-- `relaysms-vault-rest.service` - REST API (port 19000)
-- `relaysms-vault-grpc.service` - gRPC server (port 8000)
-- `relaysms-vault-grpc-internal.service` - Internal gRPC (port 8443)
-
 ## Configuration
 
 Edit `/opt/relaysms/relaysms-vault/.env`:
 
-```bash
-# Bind to localhost for reverse proxy, 0.0.0.0 for direct access
-HOST=127.0.0.1
-PORT=19000
-
-# Database (SQLite default, stored in data/ directory)
-SQLITE_DATABASE_PATH=data/vault.db
-
-# Keystore (cryptographic keys stored in data/ directory)
-KEYSTORE_PATH=data/keystore
-STATIC_X25519_KEYSTORE_PATH=data/keystore/static_x25519
-
-# Or use MySQL
-MYSQL_HOST=127.0.0.1
-MYSQL_USER=vault_user
-MYSQL_PASSWORD=secure_password
-MYSQL_DATABASE=relaysms_vault
-```
-
-## Service Management
-
-```bash
-# Using manage.sh
-./manage.sh start|stop|restart|status|logs|enable|disable
-
-# Direct systemd
-sudo systemctl start relaysms-vault.target
-sudo systemctl status relaysms-vault.target
-journalctl -u 'relaysms-vault*' -f
-```
-
-## Update
-
-```bash
-sudo systemctl stop relaysms-vault.target
-cd /opt/relaysms/relaysms-vault
-git pull
-venv/bin/pip install -r requirements.txt
-source venv/bin/activate && make grpc-compile
-sudo systemctl start relaysms-vault.target
-```
-
-## Uninstall
+## Services
 
-```bash
-sudo systemctl stop relaysms-vault.target
-sudo systemctl disable relaysms-vault.target
-sudo rm /etc/systemd/system/relaysms-vault*.{service,target}
-sudo systemctl daemon-reload
-sudo rm -rf /opt/relaysms/relaysms-vault
-```
+- `relaysms-vault-rest.service` - REST API (default port 19000)
+- `relaysms-vault-grpc.service` - gRPC server (port 8000)
+- `relaysms-vault-grpc-internal.service` - Internal gRPC (port 8443)
+- `relaysms-vault.target` - Service group
 
 ## File Locations
 
 - Installation: `/opt/relaysms/relaysms-vault/`
 - Configuration: `/opt/relaysms/relaysms-vault/.env`
 - Security keys: `/opt/relaysms/relaysms-vault/keys/`
-- Data directory: `/opt/relaysms/relaysms-vault/data/`
-  - Database: `/opt/relaysms/relaysms-vault/data/vault.db`
-  - Keystores: `/opt/relaysms/relaysms-vault/data/keystore/`
-- Services: `/etc/systemd/system/relaysms-vault.target` and `/etc/systemd/system/relaysms-vault*.service`
-- Logs: `journalctl -u relaysms-vault*`
+- Database: `/opt/relaysms/relaysms-vault/data/vault.db`
+- Keystores: `/opt/relaysms/relaysms-vault/data/keystore/`
+- Service files: `/etc/systemd/system/relaysms-vault*`
diff --git a/install.sh b/install.sh
@@ -6,8 +6,6 @@ INSTALL_DIR="/opt/relaysms/relaysms-vault"
 SERVICE_NAME="relaysms-vault"
 REPO_URL="https://github.com/smswithoutborders/RelaySMS-Vault.git"
 BRANCH="${BRANCH:-main}"
-USER="${SUDO_USER:-$(whoami)}"
-GROUP="$(id -gn $USER)"
 
 log() { echo "[$(date +'%Y-%m-%d %H:%M:%S')] $1"; }
 error() {
@@ -32,7 +30,6 @@ clone_repository() {
   else
     mkdir -p "$(dirname "$INSTALL_DIR")"
     git clone -b "$BRANCH" "$REPO_URL" "$INSTALL_DIR" || error "Failed to clone"
-    chown -R "$USER:$GROUP" "$INSTALL_DIR"
   fi
 }
 
@@ -67,7 +64,6 @@ generate_keys() {
   for key in encryption hashing pepper signing; do
     [ -f "keys/$key.key" ] || openssl rand -base64 32 >"keys/$key.key"
   done
-  chown -R "$USER:$GROUP" keys
   chmod 700 keys
   chmod 600 keys/*.key
 }
@@ -83,17 +79,13 @@ install_systemd_service() {
   log "Installing systemd services"
   for service in relaysms-vault.target relaysms-vault-rest.service relaysms-vault-grpc.service relaysms-vault-grpc-internal.service; do
     [ -f "$service" ] || error "Service file $service not found"
-    envsubst <"$service" >/etc/systemd/system/$service || error "Failed to install $service"
+    cp "$service" /etc/systemd/system/$service || error "Failed to install $service"
   done
   systemctl daemon-reload && systemctl enable "$SERVICE_NAME.target" || error "Failed to enable services"
 }
 
 set_permissions() {
   log "Setting permissions"
-  chown -R "$USER:$GROUP" "$INSTALL_DIR"
-  chmod -R 750 "$INSTALL_DIR"
-  chmod 700 keys 2>/dev/null || true
-  chmod 600 keys/*.key 2>/dev/null || true
   chmod 600 .env 2>/dev/null || true
 }
 
diff --git a/manage.sh b/manage.sh
@@ -30,7 +30,7 @@ status)
   systemctl status relaysms-vault-rest relaysms-vault-grpc relaysms-vault-grpc-internal
   ;;
 logs)
-  journalctl -u 'relaysms-vault*' -f
+  journalctl -u relaysms-vault-rest -u relaysms-vault-grpc -u relaysms-vault-grpc-internal -f
   ;;
 enable)
   check_sudo
diff --git a/relaysms-vault-grpc-internal.service b/relaysms-vault-grpc-internal.service
@@ -4,8 +4,6 @@ After=network.target
 PartOf=relaysms-vault.target
 
 [Service]
-User=${USER}
-Group=${GROUP}
 WorkingDirectory=/opt/relaysms/relaysms-vault
 EnvironmentFile=/opt/relaysms/relaysms-vault/.env
 ExecStart=/opt/relaysms/relaysms-vault/venv/bin/python -u grpc_internal_server.py
diff --git a/relaysms-vault-grpc.service b/relaysms-vault-grpc.service
@@ -4,8 +4,6 @@ After=network.target
 PartOf=relaysms-vault.target
 
 [Service]
-User=${USER}
-Group=${GROUP}
 WorkingDirectory=/opt/relaysms/relaysms-vault
 EnvironmentFile=/opt/relaysms/relaysms-vault/.env
 ExecStart=/opt/relaysms/relaysms-vault/venv/bin/python -u grpc_server.py
diff --git a/relaysms-vault-rest.service b/relaysms-vault-rest.service
@@ -4,8 +4,6 @@ After=network.target
 PartOf=relaysms-vault.target
 
 [Service]
-User=${USER}
-Group=${GROUP}
 WorkingDirectory=/opt/relaysms/relaysms-vault
 EnvironmentFile=/opt/relaysms/relaysms-vault/.env
 ExecStart=/opt/relaysms/relaysms-vault/venv/bin/gunicorn -w 4 -b ${HOST}:${PORT} --log-level=info --access-logfile=- --threads 15 --timeout 30 app:app
