Add install scripts

2026-01-05 13:53:25 +01:00
parent 004cc3a3ee
commit 776b56afc1
7 changed files with 473 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
 luxtools-client
 .vscode/
--- a/README.md
+++ b/README.md
@@ -49,6 +49,81 @@ Examples:
 ./luxtools-client -allow "$HOME"
 ```
 ## Install as a service
 The scripts below install (or update) the client as a service that starts automatically with the system.
 They assume the client binary already exists in the same folder as the scripts.
 During install/update, the scripts prompt you for the shared token (press Enter to keep the current token, if already configured).
 ### Linux (systemd)
 Install / update:
 ```bash
 ./install-linux.sh
 ```
 Optional flags:
 ```bash
 # Change listen address (still must be loopback)
 ./install-linux.sh --listen 127.0.0.1:9000
 # Restrict allowed folders (repeatable)
 ./install-linux.sh --allow "$HOME" --allow "/mnt/data"
 ```
 Uninstall:
 ```bash
 ./uninstall-linux.sh
 ```
 Keep token/config on uninstall:
 ```bash
 ./uninstall-linux.sh --keep-config
 ```
 Notes:
 - Installs to `/opt/luxtools-client/luxtools-client`
 - Creates `/etc/systemd/system/luxtools-client.service`
 - Stores config (including the generated token) in `/etc/luxtools-client/luxtools-client.env`
 ### Windows (Service)
 Run from an elevated (Administrator) Command Prompt.
 Install / update:
 ```bat
 install-windows.bat
 ```
 Optional flags:
 ```bat
 install-windows.bat --listen 127.0.0.1:9000
 ```
 Uninstall:
 ```bat
 uninstall-windows.bat
 ```
 Keep token/config on uninstall:
 ```bat
 uninstall-windows.bat --keep-config
 ```
 Notes:
 - Installs to `%ProgramFiles%\LuxtoolsClient\luxtools-client.exe`
 - Stores the generated token in `%ProgramData%\LuxtoolsClient\token.txt`
 ## API
 ### Auth
--- a/install-linux.sh
+++ b/install-linux.sh
@@ -0,0 +1,155 @@
 #!/usr/bin/env bash
 set -euo pipefail
 SERVICE_NAME="luxtools-client"
 INSTALL_DIR="${HOME}/.local/share/${SERVICE_NAME}"
 BIN_PATH="${INSTALL_DIR}/${SERVICE_NAME}"
 CONFIG_DIR="${HOME}/.config/${SERVICE_NAME}"
 ENV_FILE="${CONFIG_DIR}/${SERVICE_NAME}.env"
 UNIT_DIR="${HOME}/.config/systemd/user"
 UNIT_FILE="${UNIT_DIR}/${SERVICE_NAME}.service"
 DEFAULT_LISTEN="127.0.0.1:8765"
 usage() {
  cat <<EOF
 Usage: $0 [--listen host:port] [--allow <path>]...
 Installs/updates ${SERVICE_NAME} as a systemd *user* service (runs under your current user).
 - Re-running updates the installed binary and restarts the service.
 - A stable token is stored in ${ENV_FILE} (created on first install).
 Options:
  --listen host:port   Listen address (default: ${DEFAULT_LISTEN})
  --allow PATH         Allowed path prefix (repeatable). If none, any path is allowed.
 EOF
 }
 if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
  usage
  exit 0
 fi
 SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
 SRC_BIN="${SCRIPT_DIR}/${SERVICE_NAME}"
 if [[ ! -f "$SRC_BIN" ]]; then
  echo "Missing binary next to script: ${SRC_BIN}" >&2
  echo "Build it first (e.g. 'go build -o ${SERVICE_NAME} .') and re-run." >&2
  exit 1
 fi
 LISTEN="${DEFAULT_LISTEN}"
 ALLOW_ARGS=""
 while [[ $# -gt 0 ]]; do
  case "$1" in
    --listen)
      LISTEN="${2:-}"
      shift 2
      ;;
    --allow)
      p="${2:-}"
      if [[ -n "$p" ]]; then
        # Note: this is inserted into a shell command in the systemd unit; we escape quotes.
        p_escaped=${p//\"/\\\"}
        ALLOW_ARGS+=" -allow \"${p_escaped}\""
      fi
      shift 2
      ;;
    *)
      echo "Unknown arg: $1" >&2
      usage
      exit 2
      ;;
  esac
 done
 mkdir -p "$INSTALL_DIR" "$CONFIG_DIR" "$UNIT_DIR"
 # Copy a fresh binary into a temp location, then atomically replace.
 TMP_BIN="$(mktemp -p /tmp ${SERVICE_NAME}.XXXXXX)"
 trap 'rm -f "$TMP_BIN"' EXIT
 cp "$SRC_BIN" "$TMP_BIN"
 chmod 0755 "$TMP_BIN" || true
 if [[ -f "$ENV_FILE" ]]; then
  # Preserve existing config (especially TOKEN).
  # shellcheck disable=SC1090
  source "$ENV_FILE" || true
 fi
 CURRENT_TOKEN="${TOKEN:-}"
 SUGGESTED_TOKEN=""
 if [[ -z "${CURRENT_TOKEN}" ]]; then
  if command -v openssl >/dev/null 2>&1; then
    SUGGESTED_TOKEN="$(openssl rand -base64 32 | tr '+/' '-_' | tr -d '=\n\r')"
  else
    SUGGESTED_TOKEN="$(head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n\r')"
  fi
 fi
 echo
 if [[ -n "${CURRENT_TOKEN}" ]]; then
  echo "A token is already configured. Press Enter to keep it, or paste a new one."
 else
  echo "No token configured yet. Press Enter to use a generated token, or paste your own."
 fi
 read -r -s -p "Token: " TOKEN_INPUT
 echo
 if [[ -n "${TOKEN_INPUT}" ]]; then
  TOKEN="${TOKEN_INPUT}"
 elif [[ -n "${CURRENT_TOKEN}" ]]; then
  TOKEN="${CURRENT_TOKEN}"
 else
  TOKEN="${SUGGESTED_TOKEN}"
 fi
 cat >"$ENV_FILE" <<EOF
 # ${SERVICE_NAME} environment
 # Keep this file to preserve your shared token across updates.
 LISTEN="${LISTEN}"
 TOKEN="${TOKEN}"
 ALLOW_ARGS="${ALLOW_ARGS}"
 EOF
 chmod 0640 "$ENV_FILE"
 # Best-effort tighten config perms for single-user token storage.
 chmod 0600 "$ENV_FILE" || true
 install -m 0755 -D "$TMP_BIN" "$BIN_PATH"
 cat >"$UNIT_FILE" <<'EOF'
 [Unit]
 Description=luxtools-client (local folder opener helper)
 [Service]
 Type=simple
 EnvironmentFile=%h/.config/luxtools-client/luxtools-client.env
 ExecStart=/bin/sh -lc '%h/.local/share/luxtools-client/luxtools-client -listen "$LISTEN" -token "$TOKEN" $ALLOW_ARGS'
 Restart=on-failure
 RestartSec=1
 NoNewPrivileges=true
 PrivateTmp=true
 [Install]
 WantedBy=default.target
 EOF
 systemctl --user daemon-reload
 systemctl --user enable "$SERVICE_NAME" >/dev/null
 systemctl --user restart "$SERVICE_NAME"
 echo
 echo "Installed/updated ${SERVICE_NAME}."
 echo "- Binary: ${BIN_PATH}"
 echo "- Unit:   ${UNIT_FILE}"
 echo "- Config: ${ENV_FILE}"
 echo "Token (set this in the plugin config): ${TOKEN}"
 echo
 echo "View logs with: journalctl --user -u ${SERVICE_NAME} -f"
 echo "If you want it to start at boot without logging in, enable lingering:"
 echo "  loginctl enable-linger $(whoami)"
--- a/install-windows.bat
+++ b/install-windows.bat
@@ -0,0 +1,112 @@
@echo off
 setlocal EnableExtensions EnableDelayedExpansion
 set "SERVICE_NAME=LuxtoolsClient"
 set "DISPLAY_NAME=luxtools-client"
 set "INSTALL_DIR=%ProgramFiles%\LuxtoolsClient"
 set "BIN_PATH=%INSTALL_DIR%\luxtools-client.exe"
 set "DATA_DIR=%ProgramData%\LuxtoolsClient"
 set "TOKEN_FILE=%DATA_DIR%\token.txt"
 set "LISTEN=127.0.0.1:8765"
 set "SCRIPT_DIR=%~dp0"
 set "SRC_EXE=%SCRIPT_DIR%luxtools-client.exe"
 rem Optional args:
 rem   --listen host:port
 if /I "%~1"=="-h" goto :usage
 if /I "%~1"=="--help" goto :usage
 :parse
 if "%~1"=="" goto :main
 if /I "%~1"=="--listen" (
  set "LISTEN=%~2"
  shift
  shift
  goto :parse
 )
 echo Unknown arg: %~1
 goto :usage
 :usage
 echo Usage: %~nx0 [--listen host:port]
 echo.
 echo Installs/updates %DISPLAY_NAME% as a Windows Service (auto-start).
 echo Re-running updates the installed binary and restarts the service.
 echo The token is stored in %TOKEN_FILE%.
 exit /b 2
 :main
 rem Require admin
 net session >nul 2>&1
 if not "%ERRORLEVEL%"=="0" (
  echo This script must be run as Administrator.
  exit /b 1
 )
 if not exist "%INSTALL_DIR%" mkdir "%INSTALL_DIR%" >nul 2>&1
 if not exist "%DATA_DIR%" mkdir "%DATA_DIR%" >nul 2>&1
 if not exist "%SRC_EXE%" (
  echo Missing binary next to script: %SRC_EXE%
  echo Build it first ^(e.g. "go build -o luxtools-client.exe ."^) and re-run.
  exit /b 1
 )
 set "CURRENT_TOKEN="
 if exist "%TOKEN_FILE%" (
  set /p CURRENT_TOKEN=<"%TOKEN_FILE%"
 )
 set "SUGGESTED_TOKEN="
 if "%CURRENT_TOKEN%"=="" (
  rem Generate a URL-safe-ish token; PowerShell is available on modern Windows.
  for /f "usebackq delims=" %%T in (`powershell -NoProfile -Command "$b=[byte[]]::new(32);[Security.Cryptography.RandomNumberGenerator]::Fill($b);[Convert]::ToBase64String($b).TrimEnd('=') -replace '\+','-' -replace '/','_'"`) do (
    set "SUGGESTED_TOKEN=%%T"
  )
 )
 echo.
 if not "%CURRENT_TOKEN%"=="" (
  echo A token is already configured. Press Enter to keep it, or type a new one.
 ) else (
  echo No token configured yet. Press Enter to use a generated token, or type your own.
 )
 set /p TOKEN_INPUT=Token: 
 if not "%TOKEN_INPUT%"=="" (
  set "TOKEN=%TOKEN_INPUT%"
 ) else (
  if not "%CURRENT_TOKEN%"=="" (
    set "TOKEN=%CURRENT_TOKEN%"
  ) else (
    set "TOKEN=%SUGGESTED_TOKEN%"
  )
 )
 >"%TOKEN_FILE%" (echo %TOKEN%)
 copy /Y "%SRC_EXE%" "%BIN_PATH%" >nul
 if not "%ERRORLEVEL%"=="0" exit /b 1
 set "BINPATH=\"%BIN_PATH%\" -listen %LISTEN% -token %TOKEN%"
 sc.exe query "%SERVICE_NAME%" >nul 2>&1
 if "%ERRORLEVEL%"=="0" (
  echo Updating existing service...
  sc.exe stop "%SERVICE_NAME%" >nul 2>&1
  sc.exe config "%SERVICE_NAME%" start= auto binPath= "%BINPATH%" DisplayName= "%DISPLAY_NAME%" >nul
 ) else (
  echo Creating service...
  sc.exe create "%SERVICE_NAME%" start= auto binPath= "%BINPATH%" DisplayName= "%DISPLAY_NAME%" >nul
 )
 sc.exe start "%SERVICE_NAME%" >nul 2>&1
 echo.
 echo Installed/updated %DISPLAY_NAME%.
 echo - Binary: %BIN_PATH%
 echo - Token:  %TOKEN%
 echo - Listen: %LISTEN%
 endlocal
 exit /b 0
--- a/main.go
+++ b/main.go
@@ -69,7 +69,10 @@ func main() {
 	mux.HandleFunc("/open", func(w http.ResponseWriter, r *http.Request) {
 		withCORS(w, r)
 		start := time.Now()
 		var rawPath string
 		if r.Method == http.MethodOptions {
 			log.Printf("/open preflight remote=%s origin=%q", r.RemoteAddr, r.Header.Get("Origin"))
 			w.WriteHeader(http.StatusNoContent)
 			return
 		}
@@ -82,18 +85,24 @@ func main() {
 			dec := json.NewDecoder(http.MaxBytesReader(w, r.Body, 32*1024))
 			dec.DisallowUnknownFields()
 			if err := dec.Decode(&req); err != nil {
 				log.Printf("/open bad-json remote=%s method=%s err=%v dur=%s", r.RemoteAddr, r.Method, err, time.Since(start))
 				writeJSON(w, http.StatusBadRequest, openResponse{OK: false, Message: "invalid json"})
 				return
 			}
 		default:
 			log.Printf("/open method-not-allowed remote=%s method=%s dur=%s", r.RemoteAddr, r.Method, time.Since(start))
 			writeJSON(w, http.StatusMethodNotAllowed, openResponse{OK: false, Message: "GET or POST required"})
 			return
 		}
 		rawPath = req.Path
 		log.Printf("/open request remote=%s method=%s ua=%q path=%q", r.RemoteAddr, r.Method, r.UserAgent(), rawPath)
 		if !checkToken(r, *token) {
 			// Allow token to be supplied via query string for GET fallback.
 			qt := strings.TrimSpace(r.URL.Query().Get("token"))
 			if qt == "" || !subtleStringEqual(qt, strings.TrimSpace(*token)) {
 				log.Printf("/open unauthorized remote=%s method=%s path=%q headerToken=%t queryToken=%t dur=%s", r.RemoteAddr, r.Method, rawPath, strings.TrimSpace(r.Header.Get("X-Filetools-Token")) != "", qt != "", time.Since(start))
 				writeJSON(w, http.StatusUnauthorized, openResponse{OK: false, Message: "unauthorized"})
 				return
 			}
@@ -101,19 +110,23 @@ func main() {
 		target, err := normalizePath(req.Path)
 		if err != nil {
 			log.Printf("/open bad-path remote=%s method=%s path=%q err=%v dur=%s", r.RemoteAddr, r.Method, rawPath, err, time.Since(start))
 			writeJSON(w, http.StatusBadRequest, openResponse{OK: false, Message: err.Error()})
 			return
 		}
 		if len(allowed) > 0 && !isAllowed(target, allowed) {
 			log.Printf("/open forbidden remote=%s method=%s path=%q normalized=%q dur=%s", r.RemoteAddr, r.Method, rawPath, target, time.Since(start))
 			writeJSON(w, http.StatusForbidden, openResponse{OK: false, Message: "path not allowed"})
 			return
 		}
 		if err := openFolder(target); err != nil {
 			log.Printf("/open open-failed remote=%s method=%s path=%q normalized=%q err=%v dur=%s", r.RemoteAddr, r.Method, rawPath, target, err, time.Since(start))
 			writeJSON(w, http.StatusInternalServerError, openResponse{OK: false, Message: err.Error()})
 			return
 		}
 		log.Printf("/open opened remote=%s method=%s path=%q normalized=%q dur=%s", r.RemoteAddr, r.Method, rawPath, target, time.Since(start))
 		if r.Method == http.MethodGet {
 			// For GET callers (image-ping), a 204 avoids console noise from non-image responses.
--- a/uninstall-linux.sh
+++ b/uninstall-linux.sh
@@ -0,0 +1,61 @@
 #!/usr/bin/env bash
 set -euo pipefail
 SERVICE_NAME="luxtools-client"
 INSTALL_DIR="${HOME}/.local/share/${SERVICE_NAME}"
 CONFIG_DIR="${HOME}/.config/${SERVICE_NAME}"
 UNIT_FILE="${HOME}/.config/systemd/user/${SERVICE_NAME}.service"
 usage() {
  cat <<EOF
 Usage: $0 [--keep-config]
 Uninstalls ${SERVICE_NAME} systemd *user* service and removes installed files.
 Options:
  --keep-config   Keep ${CONFIG_DIR} (token/config) on disk.
 EOF
 }
 KEEP_CONFIG=0
 if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
  usage
  exit 0
 fi
 if [[ "${1:-}" == "--keep-config" ]]; then
  KEEP_CONFIG=1
 fi
 # Stop/disable user service if present (best-effort).
 systemctl --user stop "$SERVICE_NAME" >/dev/null 2>&1 || true
 systemctl --user disable "$SERVICE_NAME" >/dev/null 2>&1 || true
 systemctl --user reset-failed "$SERVICE_NAME" >/dev/null 2>&1 || true
 # Also stop/disable any leftover system-wide service from older installs.
 if systemctl list-unit-files 2>/dev/null | grep -q "^${SERVICE_NAME}\.service"; then
  if [[ ${EUID} -eq 0 ]]; then
    systemctl stop "$SERVICE_NAME" >/dev/null 2>&1 || true
    systemctl disable "$SERVICE_NAME" >/dev/null 2>&1 || true
    systemctl reset-failed "$SERVICE_NAME" >/dev/null 2>&1 || true
  elif command -v sudo >/dev/null 2>&1; then
    sudo systemctl stop "$SERVICE_NAME" >/dev/null 2>&1 || true
    sudo systemctl disable "$SERVICE_NAME" >/dev/null 2>&1 || true
    sudo systemctl reset-failed "$SERVICE_NAME" >/dev/null 2>&1 || true
  else
    echo "Note: a system service '${SERVICE_NAME}.service' exists; run with sudo to stop it." >&2
  fi
 fi
 rm -f "$UNIT_FILE"
 systemctl --user daemon-reload || true
 rm -rf "$INSTALL_DIR"
 if [[ $KEEP_CONFIG -eq 0 ]]; then
  rm -rf "$CONFIG_DIR"
 fi
 echo "Uninstalled ${SERVICE_NAME}."
 if [[ $KEEP_CONFIG -eq 1 ]]; then
  echo "Kept config directory: ${CONFIG_DIR}"
 fi
--- a/uninstall-windows.bat
+++ b/uninstall-windows.bat
@@ -0,0 +1,55 @@
@echo off
 setlocal EnableExtensions
 set "SERVICE_NAME=LuxtoolsClient"
 set "INSTALL_DIR=%ProgramFiles%\LuxtoolsClient"
 set "DATA_DIR=%ProgramData%\LuxtoolsClient"
 rem Optional args:
 rem   --keep-config
 set "KEEP_CONFIG=0"
 if /I "%~1"=="-h" goto :usage
 if /I "%~1"=="--help" goto :usage
 if /I "%~1"=="--keep-config" set "KEEP_CONFIG=1"
 goto :main
 :usage
 echo Usage: %~nx0 [--keep-config]
 echo.
 echo Uninstalls luxtools-client Windows Service and removes installed files.
 echo.
 echo Options:
 echo   --keep-config   Keeps %DATA_DIR% (token/config).
 exit /b 2
 :main
 net session >nul 2>&1
 if not "%ERRORLEVEL%"=="0" (
  echo This script must be run as Administrator.
  exit /b 1
 )
 sc.exe query "%SERVICE_NAME%" >nul 2>&1
 if "%ERRORLEVEL%"=="0" (
  sc.exe stop "%SERVICE_NAME%" >nul 2>&1
  rem Wait up to ~20s for the service to fully stop.
  for /L %%i in (1,1,20) do (
    sc.exe query "%SERVICE_NAME%" | findstr /I "STATE" | findstr /I "STOPPED" >nul 2>&1
    if "%ERRORLEVEL%"=="0" goto :stopped
    timeout /T 1 /NOBREAK >nul
  )
 :stopped
  sc.exe delete "%SERVICE_NAME%" >nul 2>&1
 )
 if exist "%INSTALL_DIR%" rmdir /S /Q "%INSTALL_DIR%" >nul 2>&1
 if "%KEEP_CONFIG%"=="0" (
  if exist "%DATA_DIR%" rmdir /S /Q "%DATA_DIR%" >nul 2>&1
 )
 echo Uninstalled luxtools-client.
 if "%KEEP_CONFIG%"=="1" echo Kept config directory: %DATA_DIR%
 endlocal
 exit /b 0