From d07a83deed967904399190a9aeb516c957eab8f8 Mon Sep 17 00:00:00 2001
From: Je Xia <i@jex.me>
Date: Fri, 3 Jan 2025 08:55:40 +0800
Subject: [PATCH] scripts: Fix systemd config (#975)

---
 scripts/deploy-ci.sh | 6 +++---
 scripts/deploy.sh    | 9 +++++++--
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/scripts/deploy-ci.sh b/scripts/deploy-ci.sh
index e42d34cd9..d1900867e 100755
--- a/scripts/deploy-ci.sh
+++ b/scripts/deploy-ci.sh
@@ -45,7 +45,6 @@ ssh d.esm.sh << EOF
       exit 1
     fi
     mkdir /etc/esmd
-    chown esm:esm /etc/esmd
     echo "[Unit]" >> \$servicefile
     echo "Description=esm.sh service" >> \$servicefile
     echo "After=network.target" >> \$servicefile
@@ -54,7 +53,9 @@ ssh d.esm.sh << EOF
     echo "Type=simple" >> \$servicefile
     echo "ExecStart=/usr/local/bin/esmd --config=\$configfile" >> \$servicefile
     echo "WorkingDirectory=/esm" >> \$servicefile
-    echo "USER=esm" >> \$servicefile
+    echo "Group=esm" >> \$servicefile
+    echo "User=esm" >> \$servicefile
+    echo "AmbientCapabilities=CAP_NET_BIND_SERVICE" >> \$servicefile
     echo "Restart=always" >> \$servicefile
     echo "RestartSec=5" >> \$servicefile
     echo "Environment=\"ESMDIR=/esm\"" >> \$servicefile
@@ -72,7 +73,6 @@ ssh d.esm.sh << EOF
   else
     echo "{}" >> \$configfile
   fi
-  chown esm:esm \$configfile
 
   if [ "$RESET_ON_DEPLOY" == "yes" ]; then
     mkdir -p /tmp/.esm
diff --git a/scripts/deploy.sh b/scripts/deploy.sh
index 6e30bbe74..d28e80251 100755
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@@ -82,6 +82,10 @@ ssh -p $sshPort ${user}@${host} << EOF
     fi
     addgroup esm
     adduser --ingroup esm --no-create-home --disabled-login --disabled-password --gecos "" esm
+    if [ "\$?" != "0" ]; then
+      echo "Failed to add user 'esm'"
+      exit 1
+    fi
     echo "[Unit]" >> \$servicefile
     echo "Description=esm.sh service" >> \$servicefile
     echo "After=network.target" >> \$servicefile
@@ -92,13 +96,14 @@ ssh -p $sshPort ${user}@${host} << EOF
       mkdir -p /etc/esmd
       rm -f \$configfile
       echo "$config" >> \$configfile
-      chown -R esm:esm /etc/esmd
       echo "ExecStart=/usr/local/bin/esmd --config=\$configfile" >> \$servicefile
     else
       echo "ExecStart=/usr/local/bin/esmd" >> \$servicefile
     fi
     echo "WorkingDirectory=/esm" >> \$servicefile
-    echo "USER=esm" >> \$servicefile
+    echo "Group=esm" >> \$servicefile
+    echo "User=esm" >> \$servicefile
+    echo "AmbientCapabilities=CAP_NET_BIND_SERVICE" >> \$servicefile
     echo "Restart=always" >> \$servicefile
     echo "RestartSec=5" >> \$servicefile
     echo "Environment=\"ESMDIR=/esm\"" >> \$servicefile