Conversation
Tighten security
WalkthroughAdds a Proxmox-specific NetAlertX installer: a Bash install script, NGINX site config, Python requirements, and a README. The installer provisions packages, clones the repo, configures NGINX/PHP-FPM, prepares TMPFS directories, optionally installs a systemd service (with fallback), and prints the access URL. Changes
Sequence Diagram(s)sequenceDiagram
autonumber
actor User
participant Installer as "proxmox-install-netalertx.sh"
participant OS as "OS Package Manager"
participant Git as "GitHub Repo"
participant Nginx as "NGINX"
participant Systemd as "systemd (optional)"
participant App as "NetAlertX Launcher"
User->>Installer: run script (interactive or non-interactive)
Installer->>Installer: detect OS, IP, desired HTTP port
Installer->>OS: install packages (nginx, php, python, tools)
Installer->>Git: clone or update repo into /opt/netalertx
Installer->>Installer: create venv, pip install -r requirements.txt
Installer->>Installer: create tmpfs dirs, set permissions
Installer->>Nginx: install site config and reload
Installer->>Systemd: create & enable netalertx.service (if available)
alt systemd available
Systemd->>App: start service
App-->>Systemd: running
else no systemd
Installer->>App: launch in background (fallback)
App-->>Installer: running
end
Installer-->>User: print access URL (http://<IP>:<port>)
Estimated code review effort🎯 4 (Complex) | ⏱️ ~60 minutes Poem
Pre-merge checks and finishing touches✅ Passed checks (3 passed)
✨ Finishing touches
🧪 Generate unit tests
📜 Recent review detailsConfiguration used: CodeRabbit UI Review profile: CHILL Plan: Pro 📒 Files selected for processing (2)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 6
🧹 Nitpick comments (10)
install/proxmox/netalertx.conf (2)
11-11: Remove commented-out code.The commented rewrite line suggests incomplete cleanup or experimentation. Remove it to maintain code clarity.
- #rewrite /app/(.*) / permanent;
13-13: Remove ineffective proxy_set_header directive.The
proxy_set_header X-Forwarded-Prefixdirective has no effect because this configuration does not include aproxy_passdirective. Onlyadd_headeris needed for direct client responses.add_header X-Forwarded-Prefix "/netalertx" always; - proxy_set_header X-Forwarded-Prefix "/netalertx";install/proxmox/requirements.txt (1)
1-26: Pin dependency versions for reproducible builds.The requirements file lacks version constraints, which can lead to unpredictable behavior when dependencies release breaking changes. Consider pinning versions or using version ranges (e.g.,
requests>=2.31.0,<3.0.0).Example:
-requests +requests>=2.31.0,<3.0.0 -flask +flask>=3.0.0,<4.0.0install/proxmox/README.md (1)
42-42: Add language identifiers to code blocks.Several code blocks are missing language specifiers, which improves syntax highlighting and readability.
Based on static analysis hints. Apply these changes:
-``` +```text Enter HTTP port for NetAlertX [20211] (auto-continue in 10s):```diff -``` +```text http://[SERVER_IP]:[PORT]```diff -``` +```bash ./start.netalertx.sh```diff -``` +```text /app/ # Main application directory ...Also applies to: 64-64, 139-139, 160-160 </blockquote></details> <details> <summary>install/proxmox/proxmox-install-netalertx.sh (6)</summary><blockquote> `102-109`: **Improve IP detection fallback chain.** The IP detection logic is good but could be more robust. Consider adding a fallback to common private network interfaces if all methods fail. ```diff SERVER_IP="$(ip -4 route get 1.1.1.1 2>/dev/null | awk '{for(i=1;i<=NF;i++) if ($i=="src") {print $(i+1); exit}}')" if [ -z "${SERVER_IP}" ]; then SERVER_IP="$(hostname -I 2>/dev/null | awk '{print $1}')" fi if [ -z "${SERVER_IP}" ]; then + SERVER_IP="$(ip -4 addr show | grep -oP '(?<=inet\s)\d+(\.\d+){3}' | grep -v '127.0.0.1' | head -n1)" +fi +if [ -z "${SERVER_IP}" ]; then SERVER_IP="127.0.0.1" fi
138-152: Consider supporting more OS versions.The OS detection only handles Ubuntu 24.x and Debian 13. Document what happens on other versions or add explicit error handling.
if [ "${OS_ID}" = "ubuntu" ] && printf '%s' "${OS_VER}" | grep -q '^24'; then ... elif [ "${OS_ID}" = "debian" ] && printf '%s' "${OS_VER}" | grep -q '^13'; then ... +else + printf "%b\n" "${RED}[WARNING] ${RESET}Unsupported OS: ${OS_ID} ${OS_VER}" + printf "%b\n" "This installer supports Ubuntu 24.x and Debian 13 only." + printf "%b\n" "Installation may fail or produce unexpected results." + read -r -p "Continue anyway? [y/N]: " _continue + case "${_continue}" in + y|Y|yes|YES) ;; + *) echo "Aborting."; exit 1;; + esac fi
208-208: Improve process termination pattern.The
pkillpattern may be too narrow or too broad. Consider using a PID file approach or checking for a more specific process identifier.-# Stop any existing NetAlertX python server process (narrow pattern) -pkill -f "^python(3)?\s+.*${INSTALL_DIR}/server/?$" 2>/dev/null || true +# Stop any existing NetAlertX python server process +if [ -f "${INSTALL_DIR}/netalertx.pid" ]; then + kill "$(cat "${INSTALL_DIR}/netalertx.pid")" 2>/dev/null || true + rm -f "${INSTALL_DIR}/netalertx.pid" +fi +pkill -f "${INSTALL_DIR}/server" 2>/dev/null || trueUpdate the start script to create a PID file for safer process management.
297-299: Consider idempotent mount operations.The mount operations use
mountpoint -qto check before mounting, which is good. However, consider adding error handling if mounts fail, as tmpfs mounting can fail due to permission issues or system limitations.-mountpoint -q "${INSTALL_DIR}/log" || mount -t tmpfs -o noexec,nosuid,nodev tmpfs "${INSTALL_DIR}/log" -mountpoint -q "${INSTALL_DIR}/api" || mount -t tmpfs -o noexec,nosuid,nodev tmpfs "${INSTALL_DIR}/api" +if ! mountpoint -q "${INSTALL_DIR}/log"; then + mount -t tmpfs -o noexec,nosuid,nodev tmpfs "${INSTALL_DIR}/log" || { + printf "%b\n" "${RED}[ERROR] ${RESET}Failed to mount tmpfs at ${INSTALL_DIR}/log" + exit 1 + } +fi +if ! mountpoint -q "${INSTALL_DIR}/api"; then + mount -t tmpfs -o noexec,nosuid,nodev tmpfs "${INSTALL_DIR}/api" || { + printf "%b\n" "${RED}[ERROR] ${RESET}Failed to mount tmpfs at ${INSTALL_DIR}/api" + exit 1 + } +fi
307-307: Brace expansion may not work reliably.The brace expansion in
touch(line 307) may not be portable across all shell implementations, though it works in modern Bash. Consider expanding explicitly or using a loop for clarity.-touch "${INSTALL_DIR}/log/{app.log,execution_queue.log,app_front.log,app.php_errors.log,stderr.log,stdout.log,db_is_locked.log}" +for log_file in app.log execution_queue.log app_front.log app.php_errors.log stderr.log stdout.log db_is_locked.log; do + touch "${INSTALL_DIR}/log/${log_file}" +done
336-340: NGINX restart without reload option.The script performs a full NGINX restart (line 340), which interrupts active connections. Consider using
nginx -s reloadinstead for graceful configuration reload.nginx -t || { printf "%b\n" "--------------------------------------------------------------------------" printf "%b\n" "${RED}[ERROR] ${RESET}NGINX config test failed!" printf "%b\n" "--------------------------------------------------------------------------"; exit 1; } -/etc/init.d/nginx start +if systemctl is-active --quiet nginx 2>/dev/null || service nginx status >/dev/null 2>&1; then + nginx -s reload +else + /etc/init.d/nginx start +fi
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (4)
install/proxmox/README.md(1 hunks)install/proxmox/netalertx.conf(1 hunks)install/proxmox/proxmox-install-netalertx.sh(1 hunks)install/proxmox/requirements.txt(1 hunks)
🧰 Additional context used
🪛 markdownlint-cli2 (0.18.1)
install/proxmox/README.md
42-42: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
64-64: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
139-139: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
160-160: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
🔇 Additional comments (6)
install/proxmox/proxmox-install-netalertx.sh (5)
1-10: LGTM! Excellent Bash safety practices.The script correctly uses
set -e,set -u,set -o pipefail, and sets a safeIFS. This provides strong error handling and prevents common Bash pitfalls.
14-20: LGTM! Proper terminal color handling.The color setup correctly checks for TTY and respects
NO_COLOR, following best practices for portable scripts.
247-252: Port availability check has TOCTOU race.Checking if the port is in use before NGINX starts is helpful but has a time-of-check-to-time-of-use race condition. The port could become available or occupied between the check and NGINX startup. Consider this a best-effort warning only.
The check is reasonable as-is for a warning, but document that NGINX startup validation (line 336) is the authoritative check.
273-280: Unreachable code due to set -e.If
update_vendors.shis missing (line 273 check fails), the subsequent error message (lines 276-278) is unreachable because the script would have already exited due toset -efrom the failedifcondition at line 273.# Run the update_vendors.sh script - if [ -f "${INSTALL_DIR}/back/update_vendors.sh" ]; then + if [ ! -f "${INSTALL_DIR}/back/update_vendors.sh" ]; then + printf "%b\n" "--------------------------------------------------------------------------" + printf "%b\n" " update_vendors.sh script not found in $INSTALL_DIR." + printf "%b\n" "--------------------------------------------------------------------------" + else "${INSTALL_DIR}/back/update_vendors.sh" - else - printf "%b\n" "--------------------------------------------------------------------------" - printf "%b\n" " update_vendors.sh script not found in $INSTALL_DIR." - printf "%b\n" "--------------------------------------------------------------------------" fiLikely an incorrect or invalid review comment.
111-111: Race condition in trap cleanup.The trap runs cleanup on EXIT, but the tmpfs mounts are created later (line 297-298). If the script fails before mounting, the trap will attempt to unmount non-existent mounts (which is handled by
|| true), but if the script succeeds and exits normally, the mounts persist. Consider removing the trap and documenting that tmpfs mounts are intentionally persistent for the service.-# Ensure tmpfs mounts are cleaned up on exit/failure -trap 'umount "${INSTALL_DIR}/log" 2>/dev/null || true; umount "${INSTALL_DIR}/api" 2>/dev/null || true' EXITIf tmpfs cleanup on service stop is desired, add unmount logic to the systemd service's
ExecStopdirective instead.Likely an incorrect or invalid review comment.
install/proxmox/netalertx.conf (1)
1-33: Verify PHP-FPM socket path
Confirm thatfastcgi_pass unix:/var/run/php/php-fpm.sock;aligns with the PHP-FPM socket on your target systems (Debian 13/Ubuntu 24 often use versioned sockets likephp8.4-fpm.sock).
There was a problem hiding this comment.
Actionable comments posted: 3
♻️ Duplicate comments (3)
install/proxmox/proxmox-install-netalertx.sh (3)
364-383: Use direct ExecStart; add PATH and graceful shutdown settings.Avoid login shells in systemd; set PATH predictably and improve stop behavior.
[Service] Type=simple User=www-data Group=www-data -ExecStart=/bin/bash -lc '/app/start.netalertx.sh' +ExecStart=/app/start.netalertx.sh WorkingDirectory=/app Restart=on-failure RestartSec=5 +Environment="PATH=/opt/myenv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +KillMode=mixed +TimeoutStopSec=30 StandardOutput=journal StandardError=journalIf you keep the URL message in the start script, also set:
Environment="PORT=${PORT}" "SERVER_IP=${SERVER_IP}"
185-187: Hardcoded feature branch; make repo/branch configurable with safe defaults.Cloning a non-default branch will break later. Default to upstream main, allow overrides.
+REPO_URL="${NETALERTX_REPO:-https://github.com/jokob-sk/NetAlertX.git}" +REPO_BRANCH="${NETALERTX_BRANCH:-main}" mkdir -p "$INSTALL_DIR" -git clone -b baremetal-installer https://github.com/jokob-sk/NetAlertX.git "$INSTALL_DIR/" #change after testing +git clone -b "${REPO_BRANCH}" "${REPO_URL}" "$INSTALL_DIR/"
342-355: start script references env vars that won’t exist later.SERVER_IP and PORT are exported only in the installer shell, not in future systemd sessions.
Minimal fix: remove the dynamic URL text to avoid undefined vars:
-echo -e "Starting NetAlertX - navigate to http://${SERVER_IP}:${PORT}" +echo -e "Starting NetAlertX"Or embed values at install-time:
-cat > "$INSTALL_DIR/start.netalertx.sh" << 'EOF' +cat > "$INSTALL_DIR/start.netalertx.sh" << EOF @@ -echo -e "Starting NetAlertX - navigate to http://${SERVER_IP}:${PORT}" +echo -e "Starting NetAlertX - navigate to http://${SERVER_IP}:${PORT}" @@ EOF
🧹 Nitpick comments (3)
install/proxmox/proxmox-install-netalertx.sh (3)
71-74: Set noninteractive mode before the first apt operations.Avoid prompts during the initial upgrade.
+# Avoid interactive apt prompts +export DEBIAN_FRONTEND=noninteractive # Getting up to date apt-get update -y apt-get upgrade -y @@ -export DEBIAN_FRONTEND=noninteractive +export DEBIAN_FRONTEND="${DEBIAN_FRONTEND:-noninteractive}" apt-get update -yAlso applies to: 123-126
334-340: Use systemctl when available; fall back to init scripts only if needed.Be consistent and avoid mixing service managers.
-#/etc/init.d/php8.4-fpm start -nginx -t || { +if command -v systemctl >/dev/null 2>&1; then + systemctl restart php8.4-fpm || true +else + /etc/init.d/php8.4-fpm start || true +fi +nginx -t || { printf "%b\n" "--------------------------------------------------------------------------" printf "%b\n" "${RED}[ERROR] ${RESET}NGINX config test failed!" printf "%b\n" "--------------------------------------------------------------------------"; exit 1; } -/etc/init.d/nginx start +if command -v systemctl >/dev/null 2>&1; then + systemctl restart nginx || true +else + /etc/init.d/nginx start || true +fi
294-303: Manage tmpfs with systemd mounts/tmpfiles for persistence and permissions.Mounts should survive installer exit and be recreated on boot; consider systemd .mount units and tmpfiles.d for files and permissions.
Example (outside this script):
- Create /etc/systemd/system/app-log.mount and app-api.mount with What=tmpfs.
- Create /etc/tmpfiles.d/netalertx.conf to create files/dirs with ownership and modes.
Also applies to: 306-310
|
bunnies finds did not really pertain to this setup. Thought it was good to go, but the log files are not being created. ugh. |
|
Should be good now! |
|
Thanks @JVKeller - merging |
|
Could you please al,so update the docs? https://github.com/jokob-sk/NetAlertX/blob/main/docs/HW_INSTALL.md or create a separate .md file for proxmox if applicable? |
|
Ok. I'll take at look at it, probably on Monday.
…On Thu, Oct 2, 2025, 5:53 PM Jokob @netalertx ***@***.***> wrote:
*jokob-sk* left a comment (netalertx/NetAlertX#1212)
<#1212 (comment)>
Could you please al,so update the docs?
https://github.com/jokob-sk/NetAlertX/blob/main/docs/HW_INSTALL.md or
create a separate .md file for proxmox if applicable?
—
Reply to this email directly, view it on GitHub
<#1212 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AG6GTYQTL3DAN42NXRO6IS33VWNFFAVCNFSM6AAAAACIEKPMGKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTGNRTGM2DIMJSGM>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
2 participants
Combined Ubuntu 24 and Debian 13 Installer.
Summary by CodeRabbit
New Features
Documentation