feat: add nginx reload and validation wrappers with sudo permissions

2025-12-22 17:18:36 +08:00
parent 6e85bda13f
commit 5cffb0a519
7 changed files with 323 additions and 13 deletions
--- a/apps/agent/src/commands/reload.rs
+++ b/apps/agent/src/commands/reload.rs
@@ -93,6 +93,17 @@ impl ReloadCommand {
        }

        // reload the running nginx master process (no -c) so it reloads its configured main config
-        run_cmd("nginx", &["-s", "reload"], 10).await
+        // Prefer the restricted sudo wrapper if available, fall back to direct nginx reload.
+        // TODO: allow configuring the path to the wrapper
+        match run_cmd("sudo", &["-n", "/usr/local/sbin/yanpm-nginx-reload"], 10).await {
+            Ok(res) => Ok(res),
+            Err(e) => {
+                error!(
+                    "sudo reload wrapper failed, falling back to direct nginx reload: {}",
+                    e
+                );
+                run_cmd("nginx", &["-s", "reload"], 10).await
+            }
+        }
    }
 }