techadmin
cbdc9d6664
- #4: LXC/Container Drop-in (lxc-compat.conf) deaktiviert systemd-Hardening; Installer erkennt Container automatisch und bietet Drop-in an - #5: WorkingDirectory=/opt/pdf-ocr-hotfolder in Template-Unit ergänzt - #6: Installer bietet auf Debian 12 bei betroffenen GS-Versionen automatisch bookworm-backports Upgrade an (statt nur Warnung) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
298 lines
11 KiB
Bash
Executable File
298 lines
11 KiB
Bash
Executable File
#!/usr/bin/env bash
|
||
#
|
||
# PDF OCR Hotfolder — Installer / Instanz-Manager für Debian 12/13
|
||
#
|
||
# Basis-Installation erfolgt einmalig (Code, venv, systemd-Template-Unit).
|
||
# Danach werden Hotfolder-Instanzen verwaltet:
|
||
# - Beim Erstlauf: mindestens eine Instanz wird angelegt
|
||
# - Beim Folgelauf: bestehende Instanzen werden erkannt; neue können ergänzt werden
|
||
#
|
||
# Unterstützt lokale System-User und AD-User mit lokaler UID (SSSD/Winbind).
|
||
#
|
||
|
||
set -euo pipefail
|
||
|
||
RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'; BLUE='\033[0;34m'; NC='\033[0m'
|
||
log_info() { echo -e "${GREEN}[INFO]${NC} $*"; }
|
||
log_warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
|
||
log_error() { echo -e "${RED}[ERROR]${NC} $*"; }
|
||
log_step() { echo -e "\n${BLUE}==>${NC} $*"; }
|
||
|
||
if [ "${EUID}" -ne 0 ]; then
|
||
log_error "Bitte als root ausführen: sudo ./install.sh"
|
||
exit 1
|
||
fi
|
||
|
||
INSTALL_DIR="/opt/pdf-ocr-hotfolder"
|
||
CONFIG_DIR="/etc/pdf-ocr-hotfolder"
|
||
DATA_ROOT="/var/lib/pdf-ocr-hotfolder"
|
||
LOG_DIR="/var/log/pdf-ocr-hotfolder"
|
||
SERVICE_TEMPLATE="pdf-ocr-hotfolder@.service"
|
||
DEFAULT_USER="pdfocr"
|
||
|
||
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||
REPO_DIR="$SCRIPT_DIR"
|
||
|
||
if [ ! -f "$REPO_DIR/pdf_ocr_hotfolder/__init__.py" ]; then
|
||
log_error "Repo-Layout nicht erkannt. install.sh aus dem Repo ausführen."
|
||
exit 1
|
||
fi
|
||
|
||
# ============================================================
|
||
# Basis-Installation (idempotent)
|
||
# ============================================================
|
||
|
||
install_base() {
|
||
log_step "System-Pakete installieren"
|
||
apt-get update -qq
|
||
apt-get install -y --no-install-recommends \
|
||
python3 python3-venv python3-pip \
|
||
tesseract-ocr tesseract-ocr-deu tesseract-ocr-eng \
|
||
ghostscript qpdf unpaper pngquant \
|
||
icc-profiles-free ca-certificates curl
|
||
log_info "System-Pakete ok ✓"
|
||
|
||
# Ghostscript-Versions-Check (Issue #3 + Issue #6)
|
||
if command -v gs >/dev/null 2>&1; then
|
||
GS_VER="$(gs --version 2>/dev/null || echo 0.0)"
|
||
log_info "Ghostscript: $GS_VER"
|
||
case "$GS_VER" in
|
||
10.0.0|10.00.0|10.01.*|10.02.0)
|
||
echo
|
||
log_warn "═══════════════════════════════════════════════════════════════"
|
||
log_warn "Ghostscript $GS_VER ist vom PDF/A-Bug betroffen (10.0.0–10.02.0)."
|
||
log_warn "Mit pdfa_level + skip_text=true kann ocrmypdf KEINE PDFs verarbeiten."
|
||
log_warn "═══════════════════════════════════════════════════════════════"
|
||
echo
|
||
# Prüfe ob Debian bookworm (12) — Backports anbieten
|
||
if grep -q 'bookworm' /etc/os-release 2>/dev/null; then
|
||
read -r -p "Ghostscript via bookworm-backports upgraden? [J/n]: " UPGRADE_GS
|
||
UPGRADE_GS="${UPGRADE_GS:-J}"
|
||
if [[ "$UPGRADE_GS" =~ ^[JjYy]$ ]]; then
|
||
log_info "Aktiviere bookworm-backports..."
|
||
if ! grep -q 'bookworm-backports' /etc/apt/sources.list /etc/apt/sources.list.d/*.list 2>/dev/null; then
|
||
echo 'deb http://deb.debian.org/debian bookworm-backports main' \
|
||
> /etc/apt/sources.list.d/bookworm-backports.list
|
||
apt-get update -qq
|
||
fi
|
||
apt-get install -y -t bookworm-backports ghostscript
|
||
GS_VER_NEW="$(gs --version 2>/dev/null || echo '?')"
|
||
log_info "Ghostscript aktualisiert: $GS_VER → $GS_VER_NEW ✓"
|
||
else
|
||
log_warn "Workaround: In der Config [ocr].pdfa_level = \"\" setzen (Default ab v0.2.2)"
|
||
fi
|
||
else
|
||
log_warn "Kein Debian bookworm erkannt — manuelles Upgrade nötig."
|
||
log_warn "Workaround: In der Config [ocr].pdfa_level = \"\" setzen (Default ab v0.2.2)"
|
||
fi
|
||
echo
|
||
;;
|
||
esac
|
||
fi
|
||
|
||
# LXC/Container-Erkennung (Issue #4)
|
||
if systemd-detect-virt --container -q 2>/dev/null; then
|
||
VIRT_TYPE="$(systemd-detect-virt --container 2>/dev/null || echo 'container')"
|
||
log_warn "Container-Umgebung erkannt ($VIRT_TYPE)."
|
||
log_warn "systemd-Hardening kann in Containern fehlschlagen (Error 226/NAMESPACE)."
|
||
read -r -p "LXC-Kompatibilitäts-Drop-in installieren? [J/n]: " LXC_FIX
|
||
LXC_FIX="${LXC_FIX:-J}"
|
||
if [[ "$LXC_FIX" =~ ^[JjYy]$ ]]; then
|
||
local LXC_DROPIN_DIR="/etc/systemd/system/pdf-ocr-hotfolder@.service.d"
|
||
mkdir -p "$LXC_DROPIN_DIR"
|
||
cp "$REPO_DIR/systemd/lxc-compat.conf" "$LXC_DROPIN_DIR/lxc-compat.conf"
|
||
systemctl daemon-reload
|
||
log_info "LXC-Kompatibilitäts-Drop-in installiert ✓"
|
||
fi
|
||
fi
|
||
|
||
log_step "Default-User '$DEFAULT_USER' prüfen"
|
||
if id "$DEFAULT_USER" &>/dev/null; then
|
||
log_info "'$DEFAULT_USER' existiert bereits"
|
||
else
|
||
adduser --system --group --home "$DATA_ROOT" --shell /usr/sbin/nologin "$DEFAULT_USER"
|
||
log_info "System-User '$DEFAULT_USER' angelegt ✓"
|
||
fi
|
||
|
||
log_step "Verzeichnisse anlegen"
|
||
mkdir -p "$INSTALL_DIR" "$CONFIG_DIR" "$DATA_ROOT" "$LOG_DIR"
|
||
chown root:"$DEFAULT_USER" "$CONFIG_DIR"
|
||
chmod 750 "$CONFIG_DIR"
|
||
|
||
log_step "Code kopieren"
|
||
rm -rf "$INSTALL_DIR/pdf_ocr_hotfolder"
|
||
cp -r "$REPO_DIR/pdf_ocr_hotfolder" "$INSTALL_DIR/"
|
||
cp "$REPO_DIR/requirements.txt" "$INSTALL_DIR/"
|
||
cp "$REPO_DIR/VERSION" "$INSTALL_DIR/"
|
||
cp "$REPO_DIR/config.example.toml" "$INSTALL_DIR/"
|
||
echo "$REPO_DIR" > "$INSTALL_DIR/.repo_path"
|
||
|
||
log_step "Python venv"
|
||
if [ ! -d "$INSTALL_DIR/venv" ]; then
|
||
python3 -m venv "$INSTALL_DIR/venv"
|
||
fi
|
||
"$INSTALL_DIR/venv/bin/pip" install --upgrade pip -q
|
||
"$INSTALL_DIR/venv/bin/pip" install -r "$INSTALL_DIR/requirements.txt" -q
|
||
log_info "venv ok ✓"
|
||
|
||
log_step "systemd Template-Unit installieren"
|
||
cp "$REPO_DIR/systemd/$SERVICE_TEMPLATE" "/etc/systemd/system/$SERVICE_TEMPLATE"
|
||
systemctl daemon-reload
|
||
log_info "Template-Unit installiert ✓"
|
||
|
||
chown -R "$DEFAULT_USER":"$DEFAULT_USER" "$INSTALL_DIR" "$LOG_DIR"
|
||
}
|
||
|
||
# ============================================================
|
||
# Instanz-Verwaltung
|
||
# ============================================================
|
||
|
||
list_instances() {
|
||
find "$CONFIG_DIR" -maxdepth 1 -name '*.toml' -type f 2>/dev/null \
|
||
| sed 's|.*/||; s|\.toml$||' \
|
||
| sort
|
||
}
|
||
|
||
show_existing_instances() {
|
||
local instances
|
||
mapfile -t instances < <(list_instances)
|
||
if [ "${#instances[@]}" -eq 0 ]; then
|
||
log_info "Keine bestehenden Instanzen gefunden."
|
||
return
|
||
fi
|
||
echo
|
||
log_info "Bestehende Instanzen:"
|
||
for name in "${instances[@]}"; do
|
||
local active
|
||
active=$(systemctl is-active "pdf-ocr-hotfolder@${name}.service" 2>/dev/null || echo inactive)
|
||
printf " • %-30s [%s]\n" "$name" "$active"
|
||
done
|
||
echo
|
||
}
|
||
|
||
create_instance() {
|
||
echo
|
||
read -r -p "Instanz-Name (nur a-z, 0-9, -): " INST
|
||
if [[ ! "$INST" =~ ^[a-z0-9][a-z0-9-]*$ ]]; then
|
||
log_error "Ungültiger Name. Abbruch."
|
||
return 1
|
||
fi
|
||
if [ -f "$CONFIG_DIR/$INST.toml" ]; then
|
||
log_error "Instanz '$INST' existiert bereits. Abbruch."
|
||
return 1
|
||
fi
|
||
|
||
local default_base="$DATA_ROOT/$INST"
|
||
read -r -p "Basis-Pfad für Daten [$default_base]: " BASE
|
||
BASE="${BASE:-$default_base}"
|
||
|
||
read -r -p "Service-User [$DEFAULT_USER]: " SVC_USER
|
||
SVC_USER="${SVC_USER:-$DEFAULT_USER}"
|
||
|
||
local SVC_GROUP
|
||
if id "$SVC_USER" &>/dev/null; then
|
||
SVC_GROUP="$(id -gn "$SVC_USER")"
|
||
log_info "User '$SVC_USER' existiert (Gruppe: $SVC_GROUP)"
|
||
else
|
||
log_warn "User '$SVC_USER' existiert nicht."
|
||
read -r -p "Lokal als System-User anlegen? [J/n]: " CREATE_USER
|
||
CREATE_USER="${CREATE_USER:-J}"
|
||
if [[ "$CREATE_USER" =~ ^[JjYy]$ ]]; then
|
||
adduser --system --group --home "$BASE" --shell /usr/sbin/nologin "$SVC_USER"
|
||
SVC_GROUP="$SVC_USER"
|
||
log_info "User '$SVC_USER' angelegt ✓"
|
||
else
|
||
log_error "User muss existieren (z.B. via AD/SSSD). Abbruch."
|
||
return 1
|
||
fi
|
||
fi
|
||
|
||
log_info "Lege Datenverzeichnisse unter $BASE an..."
|
||
mkdir -p "$BASE"/{incoming,outgoing,working,error}
|
||
chown -R "$SVC_USER":"$SVC_GROUP" "$BASE"
|
||
|
||
log_info "Erstelle Config $CONFIG_DIR/$INST.toml..."
|
||
sed \
|
||
-e "s|/var/lib/pdf-ocr-hotfolder/incoming|$BASE/incoming|" \
|
||
-e "s|/var/lib/pdf-ocr-hotfolder/outgoing|$BASE/outgoing|" \
|
||
-e "s|/var/lib/pdf-ocr-hotfolder/working|$BASE/working|" \
|
||
-e "s|/var/lib/pdf-ocr-hotfolder/error|$BASE/error|" \
|
||
"$INSTALL_DIR/config.example.toml" > "$CONFIG_DIR/$INST.toml"
|
||
chown root:"$SVC_GROUP" "$CONFIG_DIR/$INST.toml"
|
||
chmod 640 "$CONFIG_DIR/$INST.toml"
|
||
|
||
# Drop-in für abweichenden Service-User
|
||
if [ "$SVC_USER" != "$DEFAULT_USER" ]; then
|
||
local DROPIN_DIR="/etc/systemd/system/pdf-ocr-hotfolder@${INST}.service.d"
|
||
mkdir -p "$DROPIN_DIR"
|
||
cat > "$DROPIN_DIR/user.conf" <<EOF
|
||
[Service]
|
||
User=$SVC_USER
|
||
Group=$SVC_GROUP
|
||
EOF
|
||
log_info "Drop-in für User '$SVC_USER' erstellt"
|
||
fi
|
||
|
||
systemctl daemon-reload
|
||
systemctl enable --now "pdf-ocr-hotfolder@${INST}.service"
|
||
sleep 1
|
||
if systemctl is-active --quiet "pdf-ocr-hotfolder@${INST}.service"; then
|
||
log_info "✅ Instanz '$INST' läuft"
|
||
else
|
||
log_warn "Instanz '$INST' läuft nicht. Logs: journalctl -u pdf-ocr-hotfolder@${INST}"
|
||
fi
|
||
|
||
echo
|
||
echo " Config: $CONFIG_DIR/$INST.toml"
|
||
echo " Eingang: $BASE/incoming"
|
||
echo " Ausgang: $BASE/outgoing"
|
||
echo " User: $SVC_USER ($SVC_GROUP)"
|
||
echo
|
||
}
|
||
|
||
# ============================================================
|
||
# Main
|
||
# ============================================================
|
||
|
||
echo
|
||
echo "=========================================="
|
||
echo " PDF OCR Hotfolder — Installer"
|
||
echo "=========================================="
|
||
|
||
if [ ! -d "$INSTALL_DIR/venv" ] || [ ! -f "/etc/systemd/system/$SERVICE_TEMPLATE" ]; then
|
||
log_step "Basis-Installation"
|
||
install_base
|
||
else
|
||
log_info "Basis-Installation bereits vorhanden ($INSTALL_DIR)"
|
||
log_info "Überspringe Basis-Setup (nutze update.sh für Code-Updates)"
|
||
fi
|
||
|
||
show_existing_instances
|
||
|
||
# Erste Instanz ist Pflicht, wenn noch keine vorhanden
|
||
mapfile -t existing < <(list_instances)
|
||
if [ "${#existing[@]}" -eq 0 ]; then
|
||
log_info "Lege erste Hotfolder-Instanz an."
|
||
create_instance || true
|
||
fi
|
||
|
||
while true; do
|
||
read -r -p "Weitere Instanz anlegen? [j/N]: " MORE
|
||
MORE="${MORE:-N}"
|
||
if [[ "$MORE" =~ ^[JjYy]$ ]]; then
|
||
create_instance || true
|
||
else
|
||
break
|
||
fi
|
||
done
|
||
|
||
echo
|
||
echo "=========================================="
|
||
echo " Fertig"
|
||
echo "=========================================="
|
||
show_existing_instances
|
||
echo " Logs: journalctl -u pdf-ocr-hotfolder@<instanz> -f"
|
||
echo " Neustart: systemctl restart pdf-ocr-hotfolder@<instanz>"
|
||
echo " Update: sudo ./update.sh"
|
||
echo
|