diff --git a/.gitignore b/.gitignore
index fd1cd62..86e3e8a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -29,21 +29,8 @@ tapir-cli
 dnstapir-cli
 version.go
-# Ignore rpm build directory and related stuff
-*.tar.gz
-*.src.rpm
-#rpm/
-#!rpm/SOURCES/tapir-renew.service
-#!rpm/SOURCES/tapir-renew.timer
-#!rpm/SOURCES/tapir-cli.yaml
-#!rpm/SPECS/tapir-cli.spec
-
-# Ignore deb build directory and related stuff
-*.deb
-deb/
-!deb/DEBIAN/control.in
-!deb/DEBIAN/postinst
-!deb/DEBIAN/postrm
-
 # Ignore built stuff
 out/
+*.tar.gz
+*.rpm
+*.deb
diff --git a/Makefile b/Makefile
index 0dd3322..c911090 100644
--- a/Makefile
+++ b/Makefile
@@ -57,13 +57,14 @@ srpm: tarball
 test -z "$(outdir)" || cp $(OUT)/$(PROG)-$(RPM_VERSION)-*.src.rpm "$(outdir)"
 rpm: srpm
- rpmbuild --recompile --define "%_topdir $(OUT)/rpm" --undefine=dist $(OUT)/$(PROG)-$(RPM_VERSION)-*.src.rpm
+ rpmbuild --rebuild --define "%_topdir $(OUT)/rpm" --undefine=dist $(OUT)/$(PROG)-$(RPM_VERSION)-*.src.rpm
+ cp $(OUT)/rpm/RPMS/*/$(PROG)-$(RPM_VERSION)-*.rpm $(OUT)
+ test -z "$(outdir)" || cp $(OUT)/$(PROG)-$(RPM_VERSION)-*.rpm "$(outdir)"
 deb: build
 cp -r deb $(OUT)
 mkdir -p $(OUT)/deb/usr/bin
 mkdir -p $(OUT)/deb/etc/dnstapir/certs
- mkdir -p $(OUT)/deb/usr/lib/systemd/system
 cp $(OUT)/$(PROG) $(OUT)/deb/usr/bin
 sed -e "s/@@VERSION@@/$(DEB_VERSION)/g" $(OUT)/deb/DEBIAN/control.in > $(OUT)/deb/DEBIAN/control
 dpkg-deb -b $(OUT)/deb/ $(OUT)/$(PROG)-$(DEB_VERSION).deb
diff --git a/deb/DEBIAN/postrm b/deb/DEBIAN/postrm
new file mode 100755
index 0000000..36f797e
--- /dev/null
+++ b/deb/DEBIAN/postrm
@@ -0,0 +1,10 @@
+#!/bin/bash
+set -e
+
+case "$1" in
+ remove)
+ ;;
+ purge)
+ rm -rf /etc/dnstapir/
+ ;;
+esac
diff --git a/deb/usr/lib/systemd/system/dnstapir-renew.service b/deb/usr/lib/systemd/system/dnstapir-renew.service
new file mode 100644
index 0000000..4fd5d97
--- /dev/null
+++ b/deb/usr/lib/systemd/system/dnstapir-renew.service
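Review bot: In the Makefile hunk, the `deb` recipe packs `$(OUT)/deb` exactly as `cp -r deb $(OUT)` left it, so unless the build runs as root or under fakeroot, the binary and the systemd units now shipped from the tracked `deb/` tree are recorded in the package with the build user's uid and gid. After installation those files would belong to whichever local account happens to have that uid. Fixing ownership at pack time avoids this: `dpkg-deb --root-owner-group -b $(OUT)/deb/ $(OUT)/$(PROG)-$(DEB_VERSION).deb`. The `deb` recipe may continue past the end of the hunk.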
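Review bot: The `purge)` branch in deb/DEBIAN/postrm deletes all of `/etc/dnstapir/`, which is wider than what this package is shown to own; the RPM `%files` list names only the directory, `certs/` and `dnstapir-cli.yaml`. If another DNS TAPIR component keeps configuration or keys under the same directory (not visible in this diff), purging the CLI removes those too. Limiting the purge to the package's own paths would be safer: `rm -rf /etc/dnstapir/certs`, `rm -f /etc/dnstapir/dnstapir-cli.yaml`, then `[ ! -d /etc/dnstapir ] || rmdir --ignore-fail-on-non-empty /etc/dnstapir`. A short comment stating that purge intentionally destroys the data key and the TLS private key would also help the next maintainer.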
@@ -0,0 +1,13 @@
+[Unit]
+Description=DNS TAPIR Edge Certificate Renewal
+After=network-online.target
+
+[Service]
+Type=oneshot
+User=dnstapir-renew
+Group=dnstapir
+ExecStart=/usr/bin/dnstapir-cli --standalone renew \
+ --renew-datakey /etc/dnstapir/certs/datakey-priv.json \
+ --renew-cacert-out /etc/dnstapir/certs/ca.crt \
+ --renew-clientkey /etc/dnstapir/certs/tls.key \
+ --renew-clientcert-out /etc/dnstapir/certs/tls.crt
diff --git a/deb/usr/lib/systemd/system/dnstapir-renew.timer b/deb/usr/lib/systemd/system/dnstapir-renew.timer
new file mode 100644
index 0000000..a8b1ca3
--- /dev/null
+++ b/deb/usr/lib/systemd/system/dnstapir-renew.timer
@@ -0,0 +1,14 @@
+[Unit]
+Description=Renew DNS TAPIR mTLS certificate every week
+ConditionPathExists=/etc/dnstapir/certs/datakey-priv.json
+ConditionPathExists=/etc/dnstapir/certs/ca.crt
+ConditionPathExists=/etc/dnstapir/certs/tls.key
+ConditionPathExists=/etc/dnstapir/certs/tls.crt
+
+[Timer]
+OnCalendar=weekly
+AccuracySec=1h
+RandomizedDelaySec=100min
+
+[Install]
+WantedBy=timers.target
diff --git a/rpm/SOURCES/dnstapir-renew.sysusers.conf b/rpm/SOURCES/dnstapir-renew.sysusers.conf
new file mode 100644
index 0000000..b99ad44
--- /dev/null
+++ b/rpm/SOURCES/dnstapir-renew.sysusers.conf
@@ -0,0 +1,3 @@
+#Type Name ID GECOS Home directory Shell
+u dnstapir-renew -:dnstapir "DNS TAPIR Edge Certificate Renewal" /etc/dnstapir -
+g dnstapir -
diff --git a/rpm/SPECS/dnstapir-cli.spec.in b/rpm/SPECS/dnstapir-cli.spec.in
index 658f644..1fc3a94 100644
--- a/rpm/SPECS/dnstapir-cli.spec.in
+++ b/rpm/SPECS/dnstapir-cli.spec.in
@@ -1,6 +1,13 @@
 # Disable building of debug packages
 %global debug_package %{nil}
+# Handle backwards compat for sysuser creation
+%if (0%{?fedora} && 0%{?fedora} < 42) || (0%{?rhel} && 0%{?rhel} <= 10) || (0%{?suse_version} && 0%{?suse_version} < 1660)
+%bcond_without sysusers_compat
+%else
+%bcond_with sysusers_compat
+%endif
+
 Name: dnstapir-cli
 Version: @@VERSION@@
 Release: 1%{?dist}
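Review bot: dnstapir-renew.service reads the data key and the TLS private key and talks to the network, yet its `[Service]` section sets only `User=` and `Group=` and no sandboxing. The command line names only paths under /etc/dnstapir/certs, so the unit looks like it could run with `NoNewPrivileges=yes`, `ProtectSystem=strict` and `ReadWritePaths=/etc/dnstapir/certs`; confirm what `renew` actually writes before adopting them. Separately, `After=network-online.target` only orders the unit, and without a matching `Wants=network-online.target` the target is not pulled in. Nothing in the deb tree shown in this diff creates the `dnstapir-renew` account, so it is worth checking that postinst does.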
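Review bot: The four `ConditionPathExists=` lines in dnstapir-renew.timer sit in the timer's own `[Unit]` section, so they are evaluated when the timer unit is started (at boot or on enable) rather than each time it elapses. On a host that is enrolled after boot the timer is skipped, and no renewal is scheduled until someone starts it again; placing the conditions in dnstapir-renew.service would check them on every run instead. With `OnCalendar=weekly` and no `Persistent=true`, a run missed while the machine was off is not caught up, which matters if the certificate lifetime is short.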
@@ -11,14 +18,21 @@ URL: https://www.github.com/dnstapir/cli
 Source0: %{name}.tar.gz
 Source1: dnstapir-renew.service
 Source2: dnstapir-renew.timer
+Source3: dnstapir-renew.sysusers.conf
 BuildRequires: git
 BuildRequires: golang
+%if %{with sysusers_compat} && 0%{?suse_version}
+Provides: user(dnstapir-renew)
+Provides: group(dnstapir)
+%endif
+
+
 %description
 DNS TAPIR EDGE ClI Tool for managing an EDGE deployment
-%{!?_unitdir: %define _unitdir /usr/lib/systemd/system/}
-%{!?_sysusersdir: %define _sysusersdir /usr/lib/sysusers.d/}
+%{!?_unitdir: %define _unitdir /usr/lib/systemd/system}
+%{!?_sysusersdir: %define _sysusersdir /usr/lib/sysusers.d}
 %prep
 %setup -n %{name}
@@ -35,6 +49,10 @@ DESTDIR=%{buildroot}%{_bindir} make install
 install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}
 install -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}
+# Users and Groups
+install -m 0644 -D %{SOURCE3} %{buildroot}%{_sysusersdir}/dnstapir-renew.conf
+
+
 %files
 %attr(0770,root,dnstapir) %dir %{_sysconfdir}/dnstapir
 %attr(0770,root,dnstapir) %dir %{_sysconfdir}/dnstapir/certs
@@ -42,10 +60,13 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}
 %attr(0660,-,dnstapir) %ghost %{_sysconfdir}/dnstapir/dnstapir-cli.yaml
 %attr(0644,root,dnstapir) %{_unitdir}/dnstapir-renew.service
 %attr(0644,root,dnstapir) %{_unitdir}/dnstapir-renew.timer
+%attr(0644,root,root) %{_sysusersdir}/dnstapir-renew.conf
+%if %{with sysusers_compat}
 %pre
 /usr/bin/getent group dnstapir || /usr/sbin/groupadd -r dnstapir
 /usr/bin/getent passwd dnstapir-renew || /usr/sbin/useradd -r -d /etc/dnstapir -G dnstapir -s /sbin/nologin dnstapir-renew
+%endif
 %post
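Review bot: The `%pre` fallback kept under `%if %{with sysusers_compat}` in the last hunk of dnstapir-cli.spec.in does not create the same account as the new sysusers file. `dnstapir-renew.sysusers.conf` uses `-:dnstapir`, which makes `dnstapir` the primary group, while `useradd ... -G dnstapir` only adds it as a supplementary group and leaves the primary group to the distribution's useradd defaults. Anything the account creates outside the unit's `Group=dnstapir` would then get different group ownership depending on which path ran. Switching the scriptlet to `-g dnstapir` aligns the two: `/usr/bin/getent passwd dnstapir-renew || /usr/sbin/useradd -r -d /etc/dnstapir -g dnstapir -s /sbin/nologin dnstapir-renew`. The scriptlets continue past `%post`, outside the hunk.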