fix(rackula): install Bun outside /root so hardened service unit can exec it (#15540)

rackula-api.service ships with ProtectHome=true and
ExecStart=/usr/local/bin/bun. With BUN_INSTALL=/root/.bun the symlink
resolves into /root, which is masked in the unit's mount namespace, so
the service fails with status=203/EXEC and crash-loops. Use /opt/bun
instead, matching yubal and gitea-mirror.

Also drop the unused BUN_VERSION/BUN_VARIANT block (bun.sh/install
takes the version as a positional arg and detects avx2/baseline
itself, so the env vars were dead code) and restore the msg_ok
"Installed Bun" / msg_info "Setting up Rackula" pair.


Claude-Session: https://claude.ai/code/session_011sGajwSQGg1vd6m2AC6Byq

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
Gareth Evans
2026-07-01 23:32:50 -07:00
committed by GitHub
parent dcac3e0870
commit c0492134af
+8 -11
@@ -19,19 +19,16 @@ msg_ok "Installed Dependencies"
msg_info "Installing Bun"
ensure_dependencies unzip ca-certificates
BUN_VERSION="${BUN_VERSION:-1.3.14}"
case "$(uname -m)" in
x86_64) grep -q avx2 /proc/cpuinfo && BUN_VARIANT="x64" || BUN_VARIANT="x64-baseline" ;;
aarch64) BUN_VARIANT="aarch64" ;;
*)
msg_error "Unsupported architecture: $(uname -m)"
exit 1
;;
esac
export BUN_INSTALL="/root/.bun"
# rackula-api.service ships with ProtectHome=true, so the bun binary must live
# outside /root; /opt/bun matches yubal and gitea-mirror
export BUN_INSTALL="/opt/bun"
curl -fsSL https://bun.sh/install | $STD bash
ln -sf /root/.bun/bin/bun /usr/local/bin/bun
ln -sf /opt/bun/bin/bun /usr/local/bin/bun
msg_ok "Installed Bun"
fetch_and_deploy_gh_release "rackula" "RackulaLives/Rackula" "prebuild" "latest" "/opt/rackula" "rackula-lxc-*.tar.gz"
msg_info "Setting up Rackula"
mkdir -p /opt/rackula/data /etc/nginx/snippets
SECURITY_HEADERS_SRC="/opt/rackula/config/security-headers.conf"
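Review bot: The `curl -fsSL https://bun.sh/install | $STD bash` line installs whatever Bun release is current at build time and runs the fetched script (presumably as root) with no version pin or integrity check. The commit message notes that the installer takes the version as a positional argument, so the pin the removed default named can be kept with `curl -fsSL https://bun.sh/install | $STD bash -s "bun-v1.3.14"`. Whether a failed download aborts the script depends on pipefail being set by the surrounding framework, which is not visible here. If it is not set, `ln -sf` would leave a dangling symlink and `msg_ok "Installed Bun"` would still print, so a guard such as `[[ -x /opt/bun/bin/bun ]] || { msg_error "Bun install failed"; exit 1; }` before the symlink is worth adding. The script continues outside the hunk.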