feat: use dedicated 'libretime' user

BREAKING CHANGE: The default `www-data` user has been replaced by a dedicated  `libretime` user to run the services. Be sure to change the ownership of the libretime files.

analyzer/README.md

@@ -23,16 +23,16 @@ rabbitmqctl set_permissions -p /airtime airtime .\* .\* .\*
 ## Usage
 
 This program must run as a user with permissions to write to your Airtime music library
-directory. For standard Airtime installations, run it as the www-data user:
+directory. For standard Airtime installations, run it as the libretime user:
 
 ```bash
-sudo -u www-data libretime-analyzer --daemon
+sudo -u libretime libretime-analyzer --daemon
 ```
 
 Or during development, add the --debug flag for more verbose output:
 
 ```bash
-sudo -u www-data libretime-analyzer --debug
+sudo -u libretime libretime-analyzer --debug
 ```
 
 To print usage instructions, run:

analyzer/install/systemd/libretime-analyzer.service

@@ -8,8 +8,8 @@ Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
 WorkingDirectory=@@WORKING_DIR@@/analyzer
 
 ExecStart=/usr/local/bin/libretime-analyzer
-User=libretime-analyzer
+User=libretime
-Group=libretime-analyzer
+Group=libretime
 Restart=always
 
 [Install]

api/README.md

@@ -64,7 +64,7 @@ cd /vagrant/api
 sudo pip3 install -e .
 
 sudo systemctl stop libretime-api
-sudo -u www-data LIBRETIME_DEBUG=True libretime-api runserver 0.0.0.0:8081
+sudo -u libretime LIBRETIME_DEBUG=True libretime-api runserver 0.0.0.0:8081
 ```
 
 ## 3rd Party Licences

api/install/systemd/libretime-api.service

@@ -16,8 +16,8 @@ ExecStart=/usr/bin/gunicorn \
         --bind 127.0.0.1:8081 \
         libretime_api.wsgi
 ExecReload=/bin/kill -s HUP $MAINPID
-User=libretime-api
+User=libretime
-Group=libretime-api
+Group=libretime
 Restart=always
 
 [Install]

docs/admin-manual/library.md

@@ -10,7 +10,7 @@ This page describe the available options to manage the LibreTime library.
 To scan a directory and import the files into the library, you can use the following command:
 
 ```bash
-sudo -u www-data libretime-api bulk_import --path PATH_THE_DIRECTORY_TO_SCAN
+sudo -u libretime libretime-api bulk_import --path PATH_THE_DIRECTORY_TO_SCAN
 ```
 
 See the command usage to get available options.

docs/admin-manual/setup/install.md

@@ -162,10 +162,10 @@ Feel free to run `./install --help` to get more details.
 
 #### Using hardware audio output
 
-If you plan to output analog audio directly to a mixing console or transmitter, the user running LibreTime (by default `www-data`) needs to be added to the `audio` user group using the command below:
+If you plan to output analog audio directly to a mixing console or transmitter, the user running LibreTime needs to be added to the `audio` user group using the command below:
 
 ```bash
-sudo adduser www-data audio
+sudo adduser libretime audio
 ```
 
 ### Setup
@@ -175,7 +175,7 @@ Once the installation is completed, edit the [configuration file](./configuratio
 Next, run the following commands to setup the database:
 
 ```bash
-sudo -u www-data libretime-api migrate
+sudo -u libretime libretime-api migrate
 ```
 
 Synchronize the new Icecast passwords into the database:

docs/admin-manual/setup/upgrade.md

@@ -36,7 +36,7 @@ Be sure to carefully read **all** the [releases notes](../../releases/README.md)
 Run the following command to apply the database migrations:
 
 ```bash
-sudo -u www-data libretime-api migrate
+sudo -u libretime libretime-api migrate
 ```
 
 ## Restart the services

docs/admin-manual/troubleshooting.md

@@ -49,7 +49,7 @@ On a common setup, to access LibreTime specific logs you should search for the f
 For some LibreTime services, you can set a higher log level using the `LIBRETIME_LOG_LEVEL` environment variable, or by running the service by hand and using a command line flag:
 
 ```bash
-sudo -u www-data libretime-analyzer --config /etc/libretime/config.yml --log-level debug
+sudo -u libretime libretime-analyzer --config /etc/libretime/config.yml --log-level debug
 ```
 
 The `/var/log/apache2/libretime.error.log` file contains logs from the web server.

docs/releases/unreleased.md

@@ -110,6 +110,21 @@ The worker service no longer uses a dedicated `celery` user to run. The old `cel
 sudo deluser celery
 ```
 
+### LibreTime user
+
+The LibreTime services now run using a dedicated `libretime` user instead of the default `www-data` user. Be sure to change the ownership of the LibreTime files:
+
+```bash
+# Configuration directory
+sudo chown -R libretime:libretime /etc/libretime
+# Logs directory
+sudo chown -R libretime:libretime /var/log/libretime
+# Runtime directory
+sudo chown -R libretime:libretime /var/lib/libretime
+# Storage directory
+sudo chown -R libretime:libretime /srv/libretime
+```
+
 ### New configuration schema
 
 The configuration schema was updated.

docs/user-manual/playout-history.md

@@ -311,7 +311,7 @@ sudo nano /etc/cron.d/libretime-schedule
 containing the line:
 
 ```
-* * * * * www-data /usr/local/bin/libretime-schedule.sh
+* * * * * libretime /usr/local/bin/libretime-schedule.sh
 ```
 
 The schedule server will now be serving the same show information as the LibreTime server, with a cache lifetime of one minute. You can adjust the cache lifetime by altering the frequency of the cron job that polls the LibreTime server.

install

@@ -98,7 +98,7 @@ EOF
 
 # Configuration
 # > User used to run LibreTime.
-LIBRETIME_USER=${LIBRETIME_USER:-"www-data"}
+LIBRETIME_USER=${LIBRETIME_USER:-"libretime"}
 # > Listen port for LibreTime.
 LIBRETIME_LISTEN_PORT=${LIBRETIME_LISTEN_PORT:-"80"}
 # > Public URL for LibreTime.
@@ -177,6 +177,8 @@ done
 PYTHON="python3"
 PIP="$PYTHON -m pip"
 
+DEFAULT_WEB_USER="www-data"
+
 # Paths
 CONFIG_DIR="/etc/libretime"
 CONFIG_FILEPATH="$CONFIG_DIR/config.yml"
@@ -394,6 +396,11 @@ prepare_packages_install
 install_packages git make
 make VERSION
 
+info "creating project user"
+if ! id "$LIBRETIME_USER" &> /dev/null; then
+  useradd --no-create-home --home-dir "$WORKING_DIR" "$LIBRETIME_USER"
+fi
+
 info "creating project directories"
 # TODO: Config dir should not be owned by www-data and should be readonly
 mkdir_and_chown "$LIBRETIME_USER" "$CONFIG_DIR"

installer/vagrant/debian.sh

@@ -6,6 +6,4 @@ DEBIAN_FRONTEND=noninteractive apt-get update --allow-releaseinfo-change
 DEBIAN_FRONTEND=noninteractive apt-get -y -qq install auto-apt-proxy
 
 # Install utils
-DEBIAN_FRONTEND=noninteractive apt-get -y -qq install alsa-utils vim
+DEBIAN_FRONTEND=noninteractive apt-get -y -qq install vim
-usermod -a -G audio vagrant
-usermod -a -G audio www-data

installer/vagrant/post-install.sh

@@ -15,3 +15,8 @@ systemctl restart postgresql.service
 # Setup rabbitmq management interface
 rabbitmq-plugins enable rabbitmq_management
 rabbitmqctl set_user_tags libretime administrator
+
+# Setup audio
+DEBIAN_FRONTEND=noninteractive apt-get -y -qq install alsa-utils
+usermod -a -G audio vagrant
+usermod -a -G audio libretime

playout/install/systemd/libretime-liquidsoap.service

@@ -8,8 +8,8 @@ Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
 WorkingDirectory=@@WORKING_DIR@@/playout
 
 ExecStart=/usr/local/bin/libretime-liquidsoap
-User=libretime-playout
+User=libretime
-Group=libretime-playout
+Group=libretime
 Restart=always
 
 [Install]

playout/install/systemd/libretime-playout.service

@@ -8,8 +8,8 @@ Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
 WorkingDirectory=@@WORKING_DIR@@/playout
 
 ExecStart=/usr/local/bin/libretime-playout
-User=libretime-playout
+User=libretime
-Group=libretime-playout
+Group=libretime
 Restart=always
 
 [Install]

worker/install/systemd/libretime-celery.service

@@ -14,8 +14,8 @@ ExecStart=/usr/bin/sh -c 'celery worker \
     --concurrency=1 \
     --loglevel=INFO \
     --logfile=$LIBRETIME_LOG_FILEPATH'
-User=libretime-worker
+User=libretime
-Group=libretime-worker
+Group=libretime
 Restart=always
 
 [Install]