move secure image enabling from a button into a script

people don't read and lock themselves out of the image too often
this change means they can only secure the image if they already have
console access which is required to disable it

Author: wiedehopf

src/modules/adsb-feeder/filesystem/root/opt/adsb/adsb-setup/app.py

@@ -262,8 +262,12 @@ def list_value_by_tags(tags, idx):
             self._d.env_by_tags("rbthermalhack").value = ""
 
         # Ensure secure_image is set the new way if before the update it was set only as env variable
-        if self._d.is_enabled("secure_image"):
+        if self._d.is_enabled("secure_image") and not self.check_secure_image():
             self.set_secure_image()
+        # set secure_image env variable in case it is not set
+        if not self._d.is_enabled("secure_image") and self.check_secure_image():
+            self.set_secure_image()
+
         self._d.env_by_tags("pack")._value_call = self.pack_im
         self._other_aggregators = {
             "adsbhub--submit": ADSBHub(self._system),
@@ -3489,8 +3493,6 @@ def update(self):
                         timeout=30,
                     )
                     self._d.env_by_tags("acarshub_data_path").value = "/run/acars_data"
-                if key == "secure_image":
-                    self.set_secure_image()
                 if allow_insecure and key == "toggle_hotspot":
                     self.toggle_hotspot()
                 if key == "no_config_link":

src/modules/adsb-feeder/filesystem/root/opt/adsb/adsb-setup/templates/systemmgmt.html

@@ -74,27 +74,16 @@ <h5 class="mt-3">The feeder system is secured</h5>
   </div>
   <div class="col-12 col-lg-6 {% if is_enabled('secure_image') %} d-none {% endif %}">
     <h5 class="mt-3">Secure Feeder System</h5>
-    <form method="POST" onsubmit="show_spinner(); return true;">
       <div class="row align-items-center">
         <div class="col-8">
-          <label for="secure_image">
-            Attempt to make it somewhat harder for someone on the local
-            network to gain access to the image. Of course, anyone with
-            physical access to the feeder hardware can circumvent the
-            protection attempted here. Make sure you have an SSH key or
-            password set up and tested before doing this, or you will
-            permanently lock yourself out of this image.
-            Also disables the wifi hotspot which allows for wifi
-            configuration when there is no network connectivity.
-          </label>
-        </div>
-        <div class="col-4">
-          <button type="submit" class="btn btn-primary mx-auto w-100" name="secure_image" value="go">
-            SSH is working.<br>Secure the image.
-          </button>
+          Attempt to make it somewhat harder for someone on the local network to gain access to the
+          image. Of course, anyone with physical access to the feeder hardware can circumvent the
+          protection attempted here. Also disables the wifi hotspot which allows for wifi
+          configuration when there is no network connectivity.
+          To enable this option, log in locally or via SSH and run this command:
+          /opt/adsb/scripts/secure-image-enable.sh
         </div>
       </div>
-    </form>
   </div>
   <div class="col-12 col-lg-6 {% if is_enabled('secure_image') %} d-none {% endif %}">
     <h5 class="mt-3">Web Authentication</h5>

src/modules/adsb-feeder/filesystem/root/opt/adsb/scripts/secure-image-enable.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+
+# this needs to run as root
+if [ "$(id -u)" != "0" ] ; then
+    echo "this command requires superuser privileges - please run as sudo bash $0"
+    exit 1
+fi
+
+systemctl stop adsb-setup
+
+TMP="$(mktemp config.json.XXXX)"
+JSON="/opt/adsb/config/config.json"
+jq < "$JSON" '."AF_IS_SECURE_IMAGE" = true' > "$TMP" && mv "$TMP" "$JSON"
+sed -i '/_ADSBIM_STATE_IS_SECURE_IMAGE=.*/d' /opt/adsb/config/.env
+touch /opt/adsb/adsb.im.secure_image
+
+systemctl restart adsb-setup
+
+echo "----------------------"
+echo "Secure Image ENABLED!"
+echo "----------------------"