Work in progress

install_portmaster_to_var.sh

#!/usr/bin/env bash
set -e # Exit on error

if [ "$EUID" -ne 0 ]; then
	echo "To ensure correct permissions, this script must be run as root."
	exit 1
fi

install_location="/var/lib/safing-portmaster" # Must not include trailing slash

echo "-> Creating Portmaster program directory at '${install_location}'"
mkdir -p "${install_location}"

echo "-> Creating Portmaster exports directory at '${install_location}/exports'"
mkdir -p "${install_location}/exports/share/applications"
mkdir -p "${install_location}/exports/share/icons"
mkdir -p "${install_location}/exports/units"

temp_dir=$(mktemp -d)


echo "-> Downloading 'portmaster-start'"
wget -q --show-progress -O "$temp_dir/portmaster-start" https://updates.safing.io/latest/linux_amd64/start/portmaster-start
echo "-> Downloading 'portmaster.service'"
wget -q --show-progress -O "$temp_dir/portmaster.service" https://raw.githubusercontent.com/safing/portmaster-packaging/master/linux/portmaster.service
echo "-> Downloading 'portmaster.desktop'"
wget -q --show-progress -O "$temp_dir/portmaster.desktop" https://raw.githubusercontent.com/safing/portmaster-packaging/master/linux/portmaster.desktop
echo "-> Downloading 'portmaster_notifier.desktop'"
wget -q --show-progress -O "$temp_dir/portmaster_notifier.desktop" https://raw.githubusercontent.com/safing/portmaster-packaging/master/linux/portmaster_notifier.desktop
echo "-> Downloading 'portmaster_logo.png'"
wget -q --show-progress -O "$temp_dir/portmaster_logo.png" https://raw.githubusercontent.com/safing/portmaster-packaging/master/linux/portmaster_logo.png


echo "-> Patching paths in 'portmaster.service'"
sed -i "s|/opt/safing/portmaster|${install_location}|g" "$temp_dir/portmaster.service"
echo "-> Patching paths in 'portmaster.desktop'"
sed -i "s|/opt/safing/portmaster|${install_location}|g" "$temp_dir/portmaster.desktop"
echo "-> Patching paths in 'portmaster_notifier.desktop'"
sed -i "s|/opt/safing/portmaster|${install_location}|g" "$temp_dir/portmaster_notifier.desktop"


echo "-> Installing 'portmaster-start' and setting security context"
install -m 0755 "$temp_dir/portmaster-start" "${install_location}/portmaster-start"
chcon -t bin_t "${install_location}/portmaster-start"
echo "-> Installing 'portmaster.service'"
install -m 0644 "$temp_dir/portmaster.service" "${install_location}/exports/units/portmaster.service"
echo "-> Installing 'portmaster.desktop'"
install -m 0644 "$temp_dir/portmaster.desktop" "${install_location}/exports/share/applications/portmaster.desktop"
echo "-> Installing 'portmaster_notifier.desktop'"
install -m 0644 "$temp_dir/portmaster_notifier.desktop" "${install_location}/exports/share/applications/portmaster_notifier.desktop"
echo "-> Installing 'portmaster_logo.png' (as 'portmaster.png')"
install -m 0644 "$temp_dir/portmaster_logo.png" "${install_location}/exports/share/icons/portmaster.png"

echo "-> Running 'portmaster-start update' to download Portmaster data"
"${install_location}/portmaster-start" update --data="${install_location}"

echo "-> (Workaround) Moving 'portmaster.service' to '/etc/systemd/system' and reverse-symlinking it since systemd wants units on the same filesystem"
mv "${install_location}/exports/units/portmaster.service" /etc/systemd/system/portmaster.service
ln -s /etc/systemd/system/portmaster.service "${install_location}/exports/units/portmaster.service"

echo "-> Enabling 'portmaster' service"
systemctl daemon-reload
systemctl enable "portmaster.service"

echo "-> Creating 'portmaster_notifier' autostart"
ln -s "${install_location}/exports/share/applications/portmaster_notifier.desktop" /etc/xdg/autostart/portmaster_notifier.desktop

echo "-> Adding '$install_location' to \$XDG_DATA_DIRS to show desktop entries (applies after next login)"
echo "XDG_DATA_DIRS=$install_location/exports/share:\$XDG_DATA_DIRS" >/etc/profile.d/zzz-portmaster-to-xdg-data-dirs.sh # We prepend 'zzz' since profile.d scripts aren't numbered on Fedora, and we want to run after any other scripts that modify XDG_DATA_DIRS.

echo "-> Removing '${temp_dir}'"
rm -rf "$temp_dir"

echo "-> Done, Portmaster and its tray/notifier application will start with the next boot."

install_location="/var/lib/safing-portmaster" # Must not include trailing slash

How about using realpath "$install_location" or even checking if the variable is defined to a non-empty string if the user could update the location? 🤔

Potentially, the script could also accept a CLI argument (e.g. ./install_portmaster_to_var.sh /some/custom/path)? Then, install_location could be defined as "$1-/var/lib/safing-portmaster".

And beside -e, you should also consider addig -u and -o piefail to set (i.e. set -euo pipefail):

• -e to exit on error;
• -u to treat undefined variables as errors;
• -o pipefail to fail on piped command errors.

However, beware that -u can cause you troubles if you want to use an undefined variable, however, the fix is easy: use ${potentially_undefined_var-}, i.e. append - to the variable name within ${}. This makes sure that any variable which must be defined and is undefined will cause an error, however, any variable which can be undefined won’t.

Moreover, you download files from https://raw.githubusercontent.com/safing/portmaster-packaging/master/*, i.e. from the master branch of the safing/portmaster-packaging. While it could work as expected, as those files should not receive many updates, however, IMHO it would be safer to get them from the same version (commit) as the portmaster-start is. YMMV. Moreover, in the repository’s README.md, there is a note to [c]heck out the main project repository safing/portmaster. Why does the script not download the files from https://github.com/safing/portmaster/tree/develop/packaging/linux? 🤔 That said, in the latter repository, I could not find portmaster_notifier.desktop and portmaster_logo.png. Note: I haven’t updated this yet due to missing files in the other repository, however we could use GitHub API to get the latest release metadata (see the docs) and query it using jq.

Also, I prefer using curl instead of wget (which I usually don’t have installed), therefore, it might be a good idea to check which of the two is installed (if none, throw an error). Then, create a function to download the files.

I also added --now switch to systemctl enable --now portainer.

We could also remove the need of creating a temporary folder, as we should be able to patch the files in their final location (and use chmod to change their permissions) without any issues, however, I didn’t change it.

Below is my updated version of the script (without the two change proposals above with a note I did not change).

Updated file

#!/usr/bin/env bash

# Install Portmaster to a custom location

# src: https://gist.github.com/WinkelCode/dffeb181a4c7903cbc463169324f61b8

# Dependencies:
#
#	- Either `curl` or `wget`;
# - Bash 4+;
# - GNU coreutils (for `basename`, `chcon`, `install`, `ln`, `mkdir`, `mktemp`, `mv`, `realpath`, `rm`);
# - GNU `sed`;
# - SystemD;

# Note: The script was tested with GNU dependencies, but it might work with other implementations too.

set -euo pipefail

if [ "$EUID" -ne 0 ]; then
	echo 'To ensure correct permissions, this script must be run as root.'
	exit 1
fi

if ! download_program="$(command -v curl || command -v wget)"; then
	echo 'You need to have installed either curl or wget.'
	exit 2
fi

# Download a file from a given URL to a specified location using either `curl` or `wget`
#
# Arguments:
#	 $1: URL to download the file from
#	 $2: Location where the file should be saved
download() {
	local url="$1"
	local location="$2"
	
	case "$(basename "$download_program")" in
		curl) "$download_program" -o "$location" "$url" ;;
		wget) "$download_program" -q --show-progress -O "$location" "$url" ;;
	esac
}

# User variables
install_location="${1-/var/lib/safing-portmaster}" # Must not include trailing slash

# Internal variables
install_location="$(realpath "$install_location")"
temp_dir="$(mktemp -d)"

echo "-> Creating Portmaster folder structure under '$install_location'"
mkdir -p "$install_location"/exports/{share/{applications,icons},units}

echo "-> Downloading 'portmaster-start'"
download https://updates.safing.io/latest/linux_amd64/start/portmaster-start "$temp_dir/portmaster-start"

echo "-> Downloading 'portmaster.service'"
download https://raw.githubusercontent.com/safing/portmaster-packaging/master/linux/portmaster.service "$temp_dir/portmaster.service"

echo "-> Downloading 'portmaster.desktop'"
download https://raw.githubusercontent.com/safing/portmaster-packaging/master/linux/portmaster.desktop "$temp_dir/portmaster.desktop"

echo "-> Downloading 'portmaster_notifier.desktop'"
download https://raw.githubusercontent.com/safing/portmaster-packaging/master/linux/portmaster_notifier.desktop "$temp_dir/portmaster_notifier.desktop"

echo "-> Downloading 'portmaster_logo.png'"
download https://raw.githubusercontent.com/safing/portmaster-packaging/master/linux/portmaster_logo.png "$temp_dir/portmaster_logo.png"

echo "-> Patching paths in 'portmaster.service'"
sed -i "s|/opt/safing/portmaster|$install_location|g" "$temp_dir/portmaster.service"

echo "-> Patching paths in 'portmaster.desktop'"
sed -i "s|/opt/safing/portmaster|$install_location|g" "$temp_dir/portmaster.desktop"

echo "-> Patching paths in 'portmaster_notifier.desktop'"
sed -i "s|/opt/safing/portmaster|$install_location|g" "$temp_dir/portmaster_notifier.desktop"

echo "-> Installing 'portmaster-start' and setting security context"
install -m 0755 "$temp_dir/portmaster-start" "$install_location/portmaster-start"
chcon -t bin_t "$install_location/portmaster-start"

echo "-> Installing 'portmaster.service'"
install -m 0644 "$temp_dir/portmaster.service" "$install_location/exports/units/portmaster.service"

echo "-> Installing 'portmaster.desktop'"
install -m 0644 "$temp_dir/portmaster.desktop" "$install_location/exports/share/applications/portmaster.desktop"

echo "-> Installing 'portmaster_notifier.desktop'"
install -m 0644 "$temp_dir/portmaster_notifier.desktop" "$install_location/exports/share/applications/portmaster_notifier.desktop"

echo "-> Installing 'portmaster_logo.png' (as 'portmaster.png')"
install -m 0644 "$temp_dir/portmaster_logo.png" "$install_location/exports/share/icons/portmaster.png"

echo "-> Running 'portmaster-start update' to download Portmaster data"
"$install_location/portmaster-start" update --data="$install_location"

echo "-> (Workaround) Moving 'portmaster.service' to '/etc/systemd/system' and reverse-symlinking it since systemd wants units on the same filesystem"
mv "$install_location/exports/units/portmaster.service" /etc/systemd/system/portmaster.service
ln -s /etc/systemd/system/portmaster.service "$install_location/exports/units/portmaster.service"

echo "-> Enabling 'portmaster' service"
systemctl daemon-reload
systemctl enable --now portmaster

echo "-> Creating 'portmaster_notifier' autostart"
ln -s "$install_location/exports/share/applications/portmaster_notifier.desktop" /etc/xdg/autostart/portmaster_notifier.desktop

echo "-> Adding '$install_location' to \$XDG_DATA_DIRS to show desktop entries (applies after next login)"
# Note: We prepend 'zzz-' since profile.d scripts aren't numbered on Fedora, and we want to run after any other scripts that modify XDG_DATA_DIRS.
echo "XDG_DATA_DIRS=$install_location/exports/share:\$XDG_DATA_DIRS" > /etc/profile.d/zzz-portmaster-to-xdg-data-dirs.sh

echo "-> Removing '$temp_dir'"
rm -rf "$temp_dir"

echo '-> Done, Portmaster and its tray/notifier application will start with the next boot.'

I have one question.
I heard (I'm not sure, I never had to try this myself yet) that, when you go from Silverblue 24 to Silverblue 25, you have to uninstall your layered packages, and then reinstall them after the upgrade.
how does this go with Portmaster? Because, after installing it with this script, it's... not listed in my layered packages list. It's also not recognized by the software center. It's only visible in my app library and the "apps" section in settings.
is it known whether we need to reinstall it between major version upgrades?

Silverblue 24 to Silverblue 25

Are you talking about Fedora Version 24??! Fedora is on Version 41 already, I hope you aren't saying you've never updated.

uninstall your layered packages, and then reinstall them after the upgrade.

In my experience updating since Fedora version 39, I could rebase to newer versions without uninstalling layered packages. To rebase(update) to new versions of Fedoara Silverblue see this doc

how does this go with Portmaster?

Portmaster is installed through a different mechanism not through any package manager, so it's expected that it doesn't show in your layered packages. The script essentially puts the apps files in local folders and tells your system to run it at boot and put it in your apps list.
In my experience, when you rebase to new versions Portmaster continues to run just fine.
PS Portmaster updates itself, but I've found that it doesn't delete old update downloads.

Fix Update file pile-ups which use up storage:

• Make backup of whole portmaster directory

sudo cp -r /var/lib/safing-portmaster/ /var/home/user/Desktop/Portmaster_backup/

• disconnect internet and shutdown portmaster

• Copy only the latest update files from the update directories eg:
  sudo cp -r /var/lib/safing-portmaster/updates/all/intel/geoip/geoipv6_v20231201-0-1.mmdb /var/home/user/Desktop/Portmaster_backup/

• remove the whole folder from the original directory:
  sudo rm -r /var/lib/safing-portmaster/updates/all/intel/geoip/
  copy your copy of the latest file back into the directory

sudo cp -r /var/home/user/Desktop/Portmaster_backup/geoip/ /var/lib/safing-portmaster/updates/all/i
ntel/

• This directory also has the biggest files to remove, do the same for it:

/var/lib/safing-portmaster/updates/linux_amd64/

Are you talking about Fedora Version 24??! Fedora is on Version 41 already, I hope you aren't saying you've never updated.

no haha, I just said 24 as a random example number.

In my experience updating since Fedora version 39, I could rebase to newer versions without uninstalling layered packages. To rebase(update) to new versions of Fedoara Silverblue see this doc

oh okay, thanks

how does this go with Portmaster?

Portmaster is installed through a different mechanism not through any package manager, so it's expected that it doesn't show in your layered packages. The script essentially puts the apps files in local folders and tells your system to run it at boot and put it in your apps list. In my experience, when you rebase to new versions Portmaster continues to run just fine. PS Portmaster updates itself, but I've found that it doesn't delete old update downloads.

thanks for the advice, I'll probably avoid changing anything just in case haha

I think some OS or linux apps don't have proper app ID's attached to them. THey shouldn't be from you browser though.

just in case this info is important as feedback, I noticed that my preinstalled Firefox' connections are also present in "Other connections". I'm not sure whether they are doubled from the "Firefox" app category, or perhaps they were moved from there. Their amount is almost the same as in "Firefox" (for example, if "Firefox" has 58 connections, "Other connections" has around 50 or 54, and so on). I don't notice any bugs or problems yet though.

This script was mentioned in ublue forum by @breathless19, it seems there is some issue with the latest version of Bazzite?

On a related note, is it possible to bake this into an image instead? I have my image builder repo, if there could be any errors, I'd rather shift the risk there than on my local machine.