Open-source AI data analyst platform extracted from internal repo. Includes data sync engine, Keboola adapter, Flask web portal, server deployment scripts, and configuration templates.
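# Sudoers configuration for deploy user (Debian 12)
# Install with: sudo cp /opt/data-analyst/repo/server/sudoers-deploy /etc/sudoers.d/deploy
# Validate with: sudo visudo -cf /etc/sudoers.d/deploy
#
# Note: On Debian 12, core utils are in /usr/bin/ (not /bin/)
#
# Review notes - read before adding a rule:
#  - In sudoers a "*" in an argument pattern matches ANY string, including
#    whitespace and "/". A pattern that ends in "*" therefore neither confines
#    the command to the directory written before the "*" nor limits the number
#    of arguments. Every rule below that contains "*" inherits this.
#  - Most cp rules take their source from the repo checkout. Whoever can write
#    to /opt/data-analyst/repo can have root install arbitrary files into
#    /usr/local/bin and /etc/sudoers.d, so the checkout is the real trust
#    boundary and this file is root-equivalent for "deploy". Review changes to
#    the repo's server/ directory with the same care as changes to this file.
#  - sudo 1.9.10 and later (the Debian 12 package is newer than that) accept
#    ^regex$ argument patterns; use one where a rule must pin a single path
#    and the callers never pass several files at once.
#  - "Defaults:deploy log_input, log_output" would record every root-level
#    deploy action; not enabled here because I/O logging is a site decision.

# Allow deploy user to manage server scripts
# Both globs are unconstrained (see notes above): whatever the checkout holds
# in server/bin is installed into /usr/local/bin as root, and one of those
# binaries (notify-scripts, below) is later run as other users.
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/server/bin/* /usr/local/bin/*
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod 755 /usr/local/bin/*

# Allow deploy user to manage sudoers files
# Installing drop-ins under /etc/sudoers.d straight from the checkout is
# equivalent to granting "deploy" unrestricted root; the repo's sudoers-*
# files need the same review as this one. "visudo -cf *" only syntax-checks
# and installs nothing, but it accepts any path and reports parse errors
# (with line content) from whichever file is named.
deploy ALL=(ALL) NOPASSWD: /usr/sbin/visudo -cf *
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/server/sudoers-* /etc/sudoers.d/*
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod 440 /etc/sudoers.d/*

# Allow deploy user to manage application directory permissions
# chmod -R 770 and chmod -R g+s cover the whole tree, including .env, so the
# 640 rule must run after them. "g+s" applied recursively also marks every
# group-executable regular file setgid data-ops; if only directory group
# inheritance is wanted, the callers should restrict it to directories.
# tee overwrites .env with whatever deploy supplies on stdin; the file's
# contents are only as trustworthy as the deploy pipeline that feeds it.
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown -R root\:data-ops /opt/data-analyst
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown root\:data-ops /opt/data-analyst/repo/.env
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod -R 770 /opt/data-analyst
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod -R g+s /opt/data-analyst
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod 640 /opt/data-analyst/repo/.env
deploy ALL=(ALL) NOPASSWD: /usr/bin/tee /opt/data-analyst/repo/.env

# Allow deploy user to manage webapp
# "systemctl status" starts a pager when stdout is a terminal; keep the rule
# for non-interactive callers, or change the pattern and the callers together
# to "status webapp --no-pager". is-active is the non-interactive check.
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/server/webapp.service /etc/systemd/system/webapp.service
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart webapp
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl reload webapp
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl start webapp
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop webapp
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl status webapp
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl is-active webapp

# Allow deploy user to manage nginx
# reload only; a config edit still needs a separate, reviewed path.
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl reload nginx

# Allow deploy user to write webapp env file
# This is /opt/data-analyst/.env, a different file from repo/.env above;
# both are written by root via tee, with the same caveat on stdin contents.
deploy ALL=(ALL) NOPASSWD: /usr/bin/tee /opt/data-analyst/.env
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown root\:data-ops /opt/data-analyst/.env
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod 640 /opt/data-analyst/.env

# Allow deploy user to manage scripts in /data/scripts
# The cp pattern has "*" on both sides (see notes above). Ownership goes to a
# named personal account (padak); a dedicated service account would survive
# that account being renamed or removed and keeps a human's credentials out
# of the install policy.
deploy ALL=(ALL) NOPASSWD: /usr/bin/mkdir -p /data/scripts
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/scripts/* /data/scripts/*
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod -R 755 /data/scripts
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown -R padak\:data-ops /data/scripts

# Allow deploy user to manage documentation in /data/docs
# "mkdir -p /data/docs/*" does not confine the created path (see notes).
# Two cp forms are allowed: per-file into a named target, and a recursive
# copy of the expanded glob into /data/docs/.
deploy ALL=(ALL) NOPASSWD: /usr/bin/mkdir -p /data/docs
deploy ALL=(ALL) NOPASSWD: /usr/bin/mkdir -p /data/docs/*
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/docs/* /data/docs/*
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp -r /opt/data-analyst/repo/docs/* /data/docs/
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod -R 775 /data/docs
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown -R padak\:data-ops /data/docs

# Allow deploy user to manage notifications directory
# Fixed arguments; 2770 = setgid dir, group data-ops, no access for others.
deploy ALL=(ALL) NOPASSWD: /usr/bin/mkdir -p /data/notifications
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown deploy\:data-ops /data/notifications
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod 2770 /data/notifications

# Allow deploy user to manage notify-bot service
# daemon-reload is listed here but is global: every unit file installed by
# the cp rules in this file depends on it.
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/server/notify-bot.service /etc/systemd/system/notify-bot.service
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl daemon-reload
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart notify-bot
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl start notify-bot
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop notify-bot
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl enable notify-bot
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl is-active notify-bot

# Allow deploy (notify-bot) to list/run notification scripts as dataread group members only
# Used by /status "Run" button in Telegram via notify-scripts helper
# Runas list is every member of %dataread. No argument pattern is given, so
# any arguments are accepted; pin them (or use "" to allow none) once the
# helper's interface is settled. The helper binary itself is installed by
# the unconstrained /usr/local/bin cp rule at the top of this file.
deploy ALL=(%dataread) NOPASSWD: /usr/local/bin/notify-scripts

# Allow deploy user to manage ws-gateway service
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/server/ws-gateway.service /etc/systemd/system/ws-gateway.service
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart ws-gateway
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl start ws-gateway
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop ws-gateway
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl enable ws-gateway
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl is-active ws-gateway

# Allow deploy user to manage limits configuration
# Fixed source and destination; the installed file is world-readable (644),
# which is normal for limits.d.
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/server/limits-users.conf /etc/security/limits.d/99-users.conf
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod 644 /etc/security/limits.d/99-users.conf

# Allow deploy user to manage example notification scripts
# Same "*" on both sides of cp and same personal-account ownership as the
# /data/scripts section.
deploy ALL=(ALL) NOPASSWD: /usr/bin/mkdir -p /data/examples/notifications
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/examples/notifications/* /data/examples/notifications/*
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod -R 755 /data/examples
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown -R padak\:data-ops /data/examples

# Allow deploy user to manage Jira data directory
# "mkdir -p .../jira/*" does not confine the created path (see notes).
# "chmod -R 2770" sets the setgid bit on regular files too, not only on
# directories; harmless for data files, worth knowing if executables land here.
deploy ALL=(ALL) NOPASSWD: /usr/bin/mkdir -p /data/src_data/raw/jira/*
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown -R root\:data-ops /data/src_data/raw/jira
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod -R 2770 /data/src_data/raw/jira

# Allow deploy user to manage password auth directory
# Owned by www-data so the web process can write here; that also means a
# compromised web process can alter whatever auth data lives in it. 2770
# keeps "other" out entirely.
deploy ALL=(ALL) NOPASSWD: /usr/bin/mkdir -p /data/auth
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown www-data\:data-ops /data/auth
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod 2770 /data/auth

# Allow deploy user to manage corporate memory directory and service
deploy ALL=(ALL) NOPASSWD: /usr/bin/mkdir -p /data/corporate-memory
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown deploy\:data-ops /data/corporate-memory
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod 2770 /data/corporate-memory
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/server/corporate-memory.service /etc/systemd/system/corporate-memory.service
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/server/corporate-memory.timer /etc/systemd/system/corporate-memory.timer
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl enable corporate-memory.timer
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl start corporate-memory.timer
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop corporate-memory.timer
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl is-enabled corporate-memory.timer

# Allow deploy user to manage jira-sla-poll service and timer
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/server/jira-sla-poll.service /etc/systemd/system/jira-sla-poll.service
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/server/jira-sla-poll.timer /etc/systemd/system/jira-sla-poll.timer
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl enable jira-sla-poll.timer
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl start jira-sla-poll.timer
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop jira-sla-poll.timer
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl is-enabled jira-sla-poll.timer

# Allow deploy user to manage session-collector service and timer
deploy ALL=(ALL) NOPASSWD: /usr/bin/mkdir -p /data/user_sessions
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown root\:data-ops /data/user_sessions
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod 2770 /data/user_sessions
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/server/session-collector.service /etc/systemd/system/session-collector.service
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/server/session-collector.timer /etc/systemd/system/session-collector.timer
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl enable session-collector.timer
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl start session-collector.timer
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop session-collector.timer
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl is-enabled session-collector.timer

# Allow deploy user to manage jira-consistency service and timers
# The log file is created with mode 664, i.e. readable by every local user;
# confirm it never carries ticket content before keeping it world-readable
# (660 would match the 2770 convention used for the data directories).
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/server/jira-consistency.service /etc/systemd/system/jira-consistency.service
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/server/jira-consistency.timer /etc/systemd/system/jira-consistency.timer
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/server/jira-consistency-deep.timer /etc/systemd/system/jira-consistency-deep.timer
deploy ALL=(ALL) NOPASSWD: /usr/bin/touch /opt/data-analyst/logs/jira-consistency.log
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown root\:data-ops /opt/data-analyst/logs/jira-consistency.log
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod 664 /opt/data-analyst/logs/jira-consistency.log
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl enable jira-consistency.timer
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl start jira-consistency.timer
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop jira-consistency.timer
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl is-enabled jira-consistency.timer
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl enable jira-consistency-deep.timer
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl start jira-consistency-deep.timer
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop jira-consistency-deep.timer
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl is-enabled jira-consistency-deep.timer

# Allow deploy user to manage data staging directory
# /tmp is world-writable: "mkdir -p" silently accepts a directory that another
# local user created at this path first, and chown/chmod then run on it. A
# staging path under /data (or a systemd-tmpfiles.d entry owned by root) avoids
# sharing the namespace with every local account.
deploy ALL=(ALL) NOPASSWD: /usr/bin/mkdir -p /tmp/data_analyst_staging
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown root\:data-ops /tmp/data_analyst_staging
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod 2770 /tmp/data_analyst_staging

# Allow deploy user to manage ACLs for Jira attachments
# Fixed arguments: grants group dataread read/traverse on existing files (-R)
# and on future ones (-d).
deploy ALL=(ALL) NOPASSWD: /usr/bin/setfacl -R -m g\:dataread\:rx /data/src_data/raw/jira/attachments
deploy ALL=(ALL) NOPASSWD: /usr/bin/setfacl -R -d -m g\:dataread\:rx /data/src_data/raw/jira/attachments

# Allow deploy user to manage ACLs for private parquet directory
# Grants data-private and explicitly removes dataread; keep the -x rules in
# step with the usermod rule below, which puts deploy into dataread.
deploy ALL=(ALL) NOPASSWD: /usr/bin/setfacl -R -m g\:data-private\:rx /data/src_data/parquet/private/
deploy ALL=(ALL) NOPASSWD: /usr/bin/setfacl -R -d -m g\:data-private\:rx /data/src_data/parquet/private/
deploy ALL=(ALL) NOPASSWD: /usr/bin/setfacl -R -x g\:dataread /data/src_data/parquet/private/
deploy ALL=(ALL) NOPASSWD: /usr/bin/setfacl -R -d -x g\:dataread /data/src_data/parquet/private/

# Allow deploy user to add itself to dataread group (for socket group ownership)
# Fixed arguments. After this, deploy itself holds every read grant given to
# %dataread in this file (e.g. the Jira attachment ACLs above), not only the
# socket group membership named in the heading.
deploy ALL=(ALL) NOPASSWD: /usr/sbin/usermod -a -G dataread deploy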